InvisiMole Hackers Target High-Profile Military and Diplomatic Entities

Cybersecurity researchers today uncovered the modus operandi of an elusive threat group that hacks into high-profile military and diplomatic entities in Eastern Europe for espionage.

The findings are part of a collaborative analysis by cybersecurity firm ESET and the impacted organisations, resulting in an extensive look into InvisiMole’s operations and the group’s tactics, techniques, and procedures (TTPs).

“ESET researchers conducted an investigation of these attacks in cooperation with the affected organisations and were able to uncover the extensive, sophisticated tool-sets used for delivery, lateral movement, and execution of InvisiMole’s backdoors,” the company said in a report shared with The Hacker News.

Cooperation with the Gamaredon Group

First discovered in 2018, InvisiMole has been active at least since 2013 in connection with targeted cyber-espionage operations in Ukraine and Russia. After slipping under the radar, the threat actor returned late last year with an updated toolset and previously unreported tactics to obfuscate malware.

“InvisiMole has a modular architecture, starting its journey with a wrapper DLL, and performing its activities using two other modules that are embedded in its resources,” ESET researchers had previously noted in a June 2018 report. “Both of the modules are feature-rich backdoors, which together give it the ability to gather as much information about the target as possible.”

The feature-rich spyware modules, dubbed RC2FM and RC2CL, were found to be capable of making system changes, scanning wireless networks to track the geolocation of victims, gathering user information, and even uploading sensitive files from the compromised machine. But the exact mechanism of malware delivery remained unclear until now.


Hackers Target Military and Aerospace Staff by Posing as HRs Offering Jobs

Cybersecurity researchers today took the wraps off a new sophisticated cyber-espionage campaign directed against aerospace and military organisations in Europe and the Middle East, with the aim of spying on key employees of the targeted firms and, in some cases, even siphoning money.

The campaign, dubbed “Operation In(ter)ception” because of a reference to “Inception” in the malware sample, took place between September and December 2019, according to a new report cybersecurity firm ESET shared with The Hacker News.

“The primary goal of the operation was espionage,” the researchers told The Hacker News. “However, in one of the cases we investigated, the attackers tried to monetise access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.”

The financial motivation behind the attacks, coupled with similarities in targeting and development environment, has led ESET to suspect Lazarus Group, a notorious hacking group believed to work on behalf of the North Korean government to fund the country’s illicit weapons and missile programs.

Social Engineering via LinkedIn

Stating that the campaign was highly targeted, ESET said it relied on social engineering tricks to lure employees working for the chosen companies with fake job offers using LinkedIn’s messaging feature, posing as HR managers of well-known companies in the aerospace and defence industry, including Collins Aerospace and General Dynamics.


New Ripple20 Flaws Put Billions of Internet-Connected Devices at Risk of Hacking

The Department of Homeland Security and CISA ICS-CERT today issued a critical security advisory warning about over a dozen newly discovered vulnerabilities affecting billions of Internet-connected devices manufactured by many vendors across the globe.

Dubbed “Ripple20,” the set of 19 vulnerabilities resides in a low-level TCP/IP software library developed by Treck, which, if weaponized, could let remote attackers gain complete control over targeted devices—without requiring any user interaction.

According to Israeli cybersecurity company JSOF—who discovered these flaws—the affected devices are in use across various industries, ranging from home/consumer devices to medical, healthcare, data centres, enterprises, telecom, oil, gas, nuclear, transportation, and many others across critical infrastructure.

“Just a few examples: data could be stolen off of a printer, an infusion pump behaviour changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years,” the researchers said in a report shared with The Hacker News.

“One of the vulnerabilities could enable entry from outside into the network boundaries; this is only a small taste of the potential risks.”

There are four critical vulnerabilities in the Treck TCP/IP stack, with CVSS scores over 9, which could let attackers execute arbitrary code on targeted devices remotely, and one critical bug affects the DNS protocol.


Oracle E-Business Suite Flaws Let Hackers Hijack Business Operations

If your business operations and the security of sensitive data rely on Oracle’s E-Business Suite (EBS), make sure you have updated recently and are running the latest available version of the software.

In a report released by enterprise cybersecurity firm Onapsis and shared with The Hacker News, the firm today disclosed technical details for vulnerabilities it reported in Oracle’s E-Business Suite (EBS), an integrated group of applications designed to automate CRM, ERP, and SCM operations for organisations.

The two vulnerabilities, dubbed “BigDebIT” and rated a CVSS score of 9.9, were patched by Oracle in a critical patch update (CPU) pushed out earlier this January. But the company said an estimated 50 percent of Oracle EBS customers have not deployed the patches to date.

The security flaws could be exploited by bad actors to target accounting tools such as General Ledger in a bid to steal sensitive information and commit financial fraud.

According to the researchers, “an unauthenticated hacker could perform an automated exploit on the General Ledger module to extract assets from a company (such as cash) and modify accounting tables, without leaving a trace.”


WebAuthn Passwordless Authentication Now Available for Atlassian Products

Atlassian solutions are widely used in the software development industry. Many teams practising agile software development rely on these applications to manage their projects.

Issue-tracking application Jira, Git repository hosting service Bitbucket, continuous integration and deployment server Bamboo, and team collaboration platform Confluence are all considered proven agile tools.

Considering how popular agile has become, it’s no wonder Atlassian now serves 83 percent of Fortune 500 companies and has over 10 million active users worldwide.

To help create a better experience for these users, Alpha Serve has developed WebAuthn add-ons that bring passwordless authentication to various Atlassian products. A more convenient and secure way to log in to their Atlassian instances should be a welcome development for software teams.

How WebAuthn Works

WebAuthn is a browser-based security standard recommended by the World Wide Web Consortium (W3C) that allows web apps to simplify and safeguard user authentication by using registered devices as authentication factors.

It relies on public-key cryptography to resist sophisticated phishing attacks: the authenticator signs a server-issued challenge with a private key that never leaves the device, and the signed data is bound to the site that requested it. WebAuthn is part of the FIDO2 framework, a set of technologies that enable passwordless authentication between web browsers, servers, and authenticators.

This security standard is supported on the Windows 10 and Android platforms and in browsers such as Chrome, Edge, Safari, and Firefox.
