Armenian Entities Hit by New Version of OxtaRAT Spying Tool

Entities in Armenia have come under a cyber attack using an updated version of a backdoor called OxtaRAT that allows remote access and desktop surveillance.

“The tool capabilities include searching for and exfiltrating files from the infected machine, recording the video from the web camera and desktop, remotely controlling the compromised machine with TightVNC, installing a web shell, performing port scanning, and more,” Check Point Research said in a report.

The latest campaign is said to have commenced in November 2022 and marks the first time the threat actors behind the activity have expanded their focus beyond Azerbaijan.

“The threat actors behind these attacks have been targeting human rights organizations, dissidents, and independent media in Azerbaijan for several years,” the cybersecurity firm noted, calling the campaign Operation Silent Watch.

The late 2022 intrusions are significant, not least because of the changes in the infection chain, the steps taken to improve operational security, and the additional capabilities built into the backdoor.

The starting point of the attack sequence is a self-extracting archive that mimics a PDF file and bears a PDF icon. Because Windows Explorer hides known file extensions by default, an executable with a PDF icon and a double extension along the lines of report.pdf.exe is displayed simply as report.pdf, which is what makes the lure convincing. Launching the purported “document” opens a decoy file while also stealthily executing malicious code hidden inside an image.
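The two properties described above, a file whose name and icon claim “PDF” while its bytes are a Windows executable, and an executable that carries an appended archive (the usual layout of a self-extracting stub), can both be checked without running the sample. The script below is an added triage example, not code from Check Point’s report or from the campaign; it parses the PE section table to find where the image ends, looks for 7-Zip, RAR or ZIP signatures in whatever follows, and flags PDF-named files that do not start with %PDF-. The sample it builds is a constructed, harmless PE skeleton with a 7-Zip header appended, standing in for the real lure; the archive signatures and the name heuristics are assumptions about typical SFX droppers, not details taken from the report.

```python
from __future__ import annotations

import struct

# Signatures of archive formats commonly wrapped by self-extracting stubs
# (assumed typical; the report does not name the archiver used).
ARCHIVE_MAGICS = {
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"Rar!\x1a\x07": "RAR",
    b"PK\x03\x04": "ZIP",
}
PDF_MAGIC = b"%PDF-"


def pe_overlay_offset(data: bytes) -> int | None:
    """Return the file offset where the PE image ends (start of any overlay),
    or None if the data is not a parseable PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    sections = coff + 20 + size_of_opt
    end = sections + 40 * num_sections                            # headers end
    for i in range(num_sections):
        hdr = sections + 40 * i
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def triage(filename: str, data: bytes) -> list[str]:
    """Flag files whose name says 'document' while the bytes say 'program'."""
    findings = []
    lowered = filename.lower()
    if (lowered.endswith(".pdf") or ".pdf." in lowered) and not data.startswith(PDF_MAGIC):
        findings.append("name suggests a PDF but content does not start with %PDF-")
    overlay_at = pe_overlay_offset(data)
    if overlay_at is None:
        return findings
    findings.append("PE executable")
    overlay = data[overlay_at:]
    if overlay:
        for magic, fmt in ARCHIVE_MAGICS.items():
            if magic in overlay:
                findings.append(f"{len(overlay)}-byte overlay contains a {fmt} signature: likely self-extracting archive")
                break
        else:
            findings.append(f"{len(overlay)}-byte overlay of unknown type")
    return findings


def build_sample_sfx() -> bytes:
    """Constructed minimal PE (one section) with a 7-Zip header appended.
    It is a parser test fixture, not malware and not a real sample."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt = bytes(0xE0)                                               # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x200, 0x200) + bytes(16)
    headers = dos + b"PE\0\0" + coff + opt + section
    image = headers.ljust(0x200, b"\0") + bytes(0x200)              # raw data at 0x200..0x400
    return image + b"7z\xbc\xaf\x27\x1c" + bytes(32)                # appended "archive"


if __name__ == "__main__":
    for finding in triage("Report.pdf.exe", build_sample_sfx()):
        print("-", finding)
```

On a real sample, carve the overlay with the returned offset and hand it to the matching archiver; the decoy document and the image carrying the hidden code should both fall out of that listing.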

images from Hacker News

New Mirai Botnet Variant ‘V3G4’ Exploiting 13 Flaws to Target Linux and IoT Devices

A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices.

Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor.

“Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet,” Unit 42 researchers said. “The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks.”

The attacks primarily single out exposed servers and networking devices running Linux, with the adversary weaponizing as many as 13 flaws that could lead to remote code execution (RCE).

Notable entries on the list include critical flaws in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and Geutebruck IP cameras, among others. The oldest flaw in the list is CVE-2012-4869, an RCE bug in FreePBX.


Critical RCE Vulnerability Discovered in ClamAV Open Source Antivirus Software

Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.

Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue is a remote code execution flaw in the HFS+ partition file parser.

The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier; the fixes shipped in 1.0.1, 0.105.2 and 0.103.8 (the 0.104 branch had already reached end of life and received no fix). Google security engineer Simon Scannell has been credited with discovering and reporting the bug.

“This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write,” Cisco Talos said in an advisory. “An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device.”

Successful exploitation of the weakness could enable an adversary to run arbitrary code with the same privileges as the ClamAV scanning process, or crash the process, resulting in a denial-of-service (DoS) condition. Since the trigger is nothing more than a file submitted for scanning, any service that feeds untrusted content to ClamAV, such as a mail gateway, an upload scanner, or one of the Cisco Secure products that embed the engine, is reachable without the attacker ever authenticating.
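The version ranges above are easy to misread because three branches were patched in parallel. The following is an added example (not Cisco’s or ClamAV’s own tooling) that parses either a bare version string or the first line of `clamscan --version` output and decides whether the build predates the fix; the fixed versions 0.103.8, 0.105.2 and 1.0.1 are the published ones, the treatment of the end-of-life 0.104 branch as unfixed follows the advisory, and the fallback output string used when clamscan is not installed is a constructed sample.

```python
import re
import subprocess
from typing import Optional, Tuple

# First release of each maintained branch that contains the fix for
# CVE-2023-20032. 0.104 was already end-of-life and got no fix, so every
# 0.104.x build is treated as affected.
FIXED_PATCH = {(0, 103): 8, (0, 105): 2, (1, 0): 1}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from a bare version or from clamscan output
    such as 'ClamAV 0.105.1/26823/Tue Feb 14 08:18:17 2023'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(text: str) -> Optional[bool]:
    """True if the version is vulnerable to CVE-2023-20032, False if fixed,
    None if no version could be parsed."""
    v = parse_version(text)
    if v is None:
        return None
    major, minor, patch = v
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    # Branches without a fix entry: anything older than 1.0 predates the
    # patched releases; anything newer than 1.0 was cut from fixed code.
    return branch < (1, 0)


def installed_version_output() -> str:
    """Ask the local clamscan for its version; fall back to a constructed
    sample string so the demo still runs on hosts without ClamAV."""
    try:
        return subprocess.run(["clamscan", "--version"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "ClamAV 0.105.1/26823/Tue Feb 14 08:18:17 2023"  # constructed sample


if __name__ == "__main__":
    out = installed_version_output().strip()
    verdict = {True: "AFFECTED, upgrade", False: "fixed", None: "version not recognised"}
    print(out, "->", verdict[is_affected(out)])
```

The same check belongs in whatever inventory tooling you already have: the engine version, not the signature database date that follows it in the output, is what decides exposure here.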


Researchers Hijack Popular NPM Package with Millions of Downloads

A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack.

“The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password,” software supply chain security company Illustria said in a report.

npm’s own protections, which allow only one active email address per account, limited what could be done with the registry account directly; instead, the Israeli firm said, it used the recovered domain to reset the password of the maintainer’s GitHub account.

The attack, in a nutshell, grants a threat actor access to the package’s associated GitHub account, effectively making it possible to publish trojanized versions to the npm registry that can be weaponized to conduct supply chain attacks at scale. Two-factor authentication on the maintainer’s GitHub and npm accounts would have stopped a takeover that relies on an email-based password reset alone, and the underlying exposure is simple to audit: every maintainer email domain that lapses is a reset link waiting to be claimed.
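The audit implied above, listing the email domains of a package’s maintainers and asking which of them are no longer registered, is mechanical. The script below is an added example, not Illustria’s tooling; it reads the maintainers array from a registry packument (the JSON that https://registry.npmjs.org/<name> returns), groups maintainers by email domain and reports domains that a supplied registration check says are free. The packument, the package name and the email addresses are constructed, and the stub registration check used in the demo is an assumption so the script runs offline; the `resolves` helper is a live heuristic only, with the limitation noted in its docstring.

```python
import json
import socket
from typing import Callable, Dict, List, Set

# Constructed packument excerpt in the shape the registry returns for a
# package; names, versions and email addresses are made up.
SAMPLE_PACKUMENT = json.loads("""
{
  "name": "example-widget",
  "dist-tags": {"latest": "4.2.0"},
  "maintainers": [
    {"name": "alice", "email": "alice@example.com"},
    {"name": "bob",   "email": "bob@lapsed-startup.example"},
    {"name": "carol", "email": "carol@Example.com"}
  ]
}
""")


def maintainer_domains(packument: dict) -> Dict[str, Set[str]]:
    """Map each email domain (lower-cased) to the maintainer handles using it."""
    out: Dict[str, Set[str]] = {}
    for m in packument.get("maintainers", []):
        email = m.get("email", "")
        if "@" in email:
            domain = email.rsplit("@", 1)[1].lower().rstrip(".")
            out.setdefault(domain, set()).add(m.get("name", "?"))
    return out


def unregistered_maintainer_domains(packument: dict,
                                    is_registered: Callable[[str], bool]) -> List[str]:
    """Return maintainer domains that is_registered() reports as free to
    re-register, i.e. domains whose recovery would deliver the maintainer's
    password-reset mail to an attacker."""
    return sorted(d for d in maintainer_domains(packument) if not is_registered(d))


def resolves(domain: str) -> bool:
    """Cheap live heuristic usable as is_registered: does the domain resolve?
    A registered domain with no A/AAAA record also fails this, so treat a hit
    as a lead to confirm via RDAP/WHOIS, not as proof the domain is free."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Offline demo: a stub standing in for the registration lookup (assumed data).
    stub = {"example.com": True, "lapsed-startup.example": False}
    for domain in unregistered_maintainer_domains(SAMPLE_PACKUMENT, lambda d: stub.get(d, False)):
        owners = ", ".join(sorted(maintainer_domains(SAMPLE_PACKUMENT)[domain]))
        print(f"{domain}: maintainer(s) {owners} reachable via a re-registrable domain")
```

Run it over the packuments of your own dependencies rather than one package at a time; the domains that matter are the ones behind accounts with publish rights, which is exactly the set the maintainers array lists.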


Researchers Link SideWinder Group to Dozens of Targeted Attacks in Multiple Countries

The prolific SideWinder group has been attributed as the nation-state actor behind attempted attacks against 61 entities in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.

Targets included government, military, law enforcement, banks, and other organizations, according to an exhaustive report published by Group-IB, which also found links between the adversary and two other intrusion sets tracked as Baby Elephant and DoNot Team.

SideWinder is also referred to as APT-C-17, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. It’s suspected to be of Indian origin, although Kaspersky in 2022 noted that the attribution is no longer deterministic.

The group has been linked to no less than 1,000 attacks against government organizations in the Asia-Pacific region since April 2020, according to a report the Russian cybersecurity firm published in early 2022.

Of the 61 potential targets compiled by Group-IB, 29 of them are located in Nepal, 13 in Afghanistan, 10 in Myanmar, six in Sri Lanka, and one is based out of Bhutan.

Typical attack chains mounted by the adversary start with spear-phishing emails containing an attachment or a booby-trapped URL that directs the victims to an intermediary payload that’s used to drop the final-stage malware.
