AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.

“This is the first sample we observed from the U.S. with the capability to disable a defence solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys),” Trend Micro researchers Christopher Ordonez and Alvin Nieto said in a Monday analysis.

“In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using an Nmap NSE script.”

AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.

A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.

images from Hacker News

Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX.

Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name “Moshen Dragon,” with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot).

“PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity,” SentinelOne’s Joey Chen said. “Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products.”

ShadowPad, labelled a “masterpiece of privately sold malware in Chinese espionage,” emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors.

Although known to be deployed by the government-sponsored hacking group dubbed Bronze Atlas (aka APT41, Barium, or Winnti) since at least 2017, an ever-increasing number of other China-linked threat actors have joined the fray.

Unpatched DNS Related Vulnerability Affects a Wide Range of IoT Devices

Cybersecurity researchers have disclosed an unpatched security vulnerability that could pose a serious risk to IoT products.

The issue, which was originally reported in September 2021, affects the Domain Name System (DNS) implementation of two popular C libraries called uClibc and uClibc-ng that are used for developing embedded Linux systems.

uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo, potentially exposing millions of IoT devices to security threats.

“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Giannis Tsaraias and Andrea Palanca of Nozomi Networks said in a Monday write-up.

Chinese “Override Panda” Hackers Resurface With New Espionage Attacks

A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack aimed at stealing sensitive information.

“The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as ‘Viper,’” Cluster25 said in a report published last week.

“The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country.”

Override Panda, also called Naikon, Hellsing, and Bronze Geneva, has been known to operate on behalf of Chinese interests since at least 2005, conducting intelligence-gathering operations targeting ASEAN countries.

Attack chains unleashed by the threat actor have involved the use of decoy documents attached to spear-phishing emails that are designed to entice the intended victims to open and compromise themselves with malware.

Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload

According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don’t work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves.

For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first.

The reason? In 2010, just under 5000 CVEs were recorded in the MITRE vulnerabilities database. By 2021, the yearly total had skyrocketed to over 20,000. Today, software and network integrity are synonymous with business continuity, which makes the question of which vulnerabilities to address first mission-critical. Yet of the countless documented vulnerabilities lurking in a typical enterprise ecosystem – across thousands of laptops, servers, and internet-connected devices – fewer than one in ten actually need to be patched. The question is: how can we know which patches will ensure that our sieve doesn’t sink?

This is why more and more companies are turning to Vulnerability Prioritization Technology (VPT). They seek solutions that filter out the flood of false positives generated by legacy tools and poorly configured solutions and address only those vulnerabilities that directly affect their networks. They’re leaving traditional vulnerability management paradigms behind and shifting to the next generation of VPT solutions.