New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits

A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services (IIS) servers to infiltrate their networks.

Israeli cybersecurity firm Sygnia, which identified the campaign, is tracking the advanced, stealthy adversary under the moniker “Praying Mantis” or “TG1021.”

“TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine’s memory and leaves little-to-no trace on infected targets,” the researchers said. “The threat actor also uses an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks.”

images from Hacker News

PyPI Python Package Repository Patches Critical Supply Chain Flaw

The maintainers of Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository.

The security weaknesses were discovered and reported by Japanese security researcher RyotaK, who in the past has disclosed critical vulnerabilities in the Homebrew Cask repository and Cloudflare’s CDNJS library. He was awarded a total of $3,000 as part of the bug bounty program.

The list of three vulnerabilities is as follows –

  • Vulnerability in Legacy Document Deletion on PyPI – An exploitable vulnerability in the mechanisms for deleting legacy documentation hosting deployment tooling on PyPI, which would allow an attacker to remove documentation for projects not under their control.
  • Vulnerability in Role Deletion on PyPI – An exploitable vulnerability in the mechanisms for deleting roles on PyPI was discovered by a security researcher, which would allow an attacker to remove roles for projects not under their control.
  • Vulnerability in GitHub Actions workflow for PyPI – An exploitable vulnerability in a GitHub Actions workflow for PyPI’s source repository could allow an attacker to obtain write permissions against the pypa/warehouse repository.

images from Hacker News

Solarmarker InfoStealer Malware Once Again Making its Way Into the Wild

Healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from a “highly modular” .NET-based information stealer and keylogger, charting the course of the threat actor’s continued evolution while it remains under the radar.

Dubbed “Solarmarker,” the malware campaign is believed to have been active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos. “At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft,” Talos researchers Andrew Windsor and Chris Neal said in a technical write-up published last week.

Infections consist of multiple moving parts, chief among them being a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and further malicious actions, including the deployment of information-stealing components like Jupyter and Uran (likely a reference to Uranus).

While the former boasts of capabilities to steal personal data, credentials, and form submission values from the victim’s Firefox and Google Chrome browsers, the latter — a previously unreported payload — acts as a keylogger to capture the user’s keystrokes.

images from Hacker News

Experts Uncover Several C&C Servers Linked to WellMess Malware

Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.

More than 30 C2 servers operated by Russia’s foreign intelligence service have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.

APT29, the moniker assigned to government operatives working for Russia’s Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.

The activity is tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks); the separate names reflect differences between the tactics, techniques, and procedures (TTPs) seen in this activity and those of known attacker profiles, APT29 included.

images from Hacker News

Several Malicious Typosquatted Python Libraries Found On PyPI Repository

As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks.

“Lack of moderation and automated security controls in public software repositories allows even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks,” JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe said Thursday.

PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like pip relying on it as the default source for packages and their dependencies.

The Python packages in question, which were found to be obfuscated using Base64 encoding, are listed below –

  • pytagora (uploaded by leonora123)
  • pytagora2 (uploaded by leonora123)
  • noblesse (uploaded by xin1111)
  • genesisbot (uploaded by xin1111)
  • are (uploaded by xin1111)
  • suffer (uploaded by suffer)
  • noblesse2 (uploaded by suffer)
  • noblessev2 (uploaded by suffer)

images from Hacker News
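The two techniques named in the JFrog report, typosquatted package names and Base64-obfuscated payloads, are both things a defender can screen for before a dependency is installed. The following is an added example written for this digest, not code from JFrog, PyPI or the report: it audits a requirements file against the package names listed above and against a small hypothetical allowlist of popular names (`POPULAR_PACKAGES`, an assumption; a real deployment would use a curated list), and it parses a package’s Python source for `exec`/`eval` calls fed by `base64.b64decode` or by a long Base64-looking literal. The similarity threshold and the sample `setup.py` text are constructed for the example.

```python
import ast
import re
from difflib import SequenceMatcher

# Package names the JFrog report says were removed from PyPI (taken from the page).
REPORTED_MALICIOUS = {
    "pytagora", "pytagora2", "noblesse", "genesisbot", "are",
    "suffer", "noblesse2", "noblessev2",
}

# Hypothetical allowlist of popular names used as typosquat targets (assumption for the example).
POPULAR_PACKAGES = {"requests", "numpy", "pandas", "django", "flask", "urllib3"}

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
# A long run of Base64 alphabet characters; 40+ chars avoids flagging short ordinary strings.
_B64_LITERAL = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")


def parse_requirements(text):
    """Extract normalised project names from requirements-style text (comments and flags skipped)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(match.group(1).lower().replace("_", "-"))
    return names


def lookalike_of(name, known=POPULAR_PACKAGES, threshold=0.8):
    """Return the popular name this one most resembles, or None if it is exact or not close enough."""
    if name in known:
        return None
    best, best_score = None, 0.0
    for candidate in known:
        score = SequenceMatcher(None, name, candidate).ratio()
        if score > best_score:
            best, best_score = candidate, score
    return best if best_score >= threshold else None


def audit_requirements(text):
    """Return (name, reason) findings: known-bad names first, then near-misses of popular names."""
    findings = []
    for name in parse_requirements(text):
        if name in REPORTED_MALICIOUS:
            findings.append((name, "reported-malicious"))
        else:
            target = lookalike_of(name)
            if target:
                findings.append((name, f"lookalike-of:{target}"))
    return findings


def find_base64_exec(source):
    """Flag exec()/eval() calls whose argument tree contains b64decode or a long Base64 literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")):
            continue
        for sub in ast.walk(node):
            if isinstance(sub, ast.Attribute) and sub.attr == "b64decode":
                hits.append((node.lineno, "exec-of-b64decode"))
                break
            if (isinstance(sub, ast.Constant) and isinstance(sub.value, str)
                    and _B64_LITERAL.match(sub.value)):
                hits.append((node.lineno, "exec-of-base64-literal"))
                break
    return hits


# Constructed sample inputs for the example (not real package contents).
SAMPLE_REQUIREMENTS = "requests\nnoblesse==1.0\nrequets>=2\nnumpy  # pinned elsewhere\n"
SAMPLE_SETUP = """
import base64
exec(base64.b64decode("cHJpbnQoJ2hlbGxvJyk="))  # constructed: decodes to print('hello')
"""

if __name__ == "__main__":
    for name, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirement {name!r}: {reason}")
    for lineno, reason in find_base64_exec(SAMPLE_SETUP):
        print(f"setup.py line {lineno}: {reason}")
```

Run it on a requirements file and on the `setup.py` of any package fetched with `pip download` before installation; the name audit catches the two failure modes the report describes (an exact known-bad name and a one-character slip from a popular name), and the AST walk is independent of how the Base64 string is split or concatenated, as long as the decode call or the literal reaches `exec`/`eval`.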

A New Wiper Malware Was Behind Recent Cyberattack On Iranian Train System

A cyber attack that derailed websites of Iran’s transport ministry and its national railway system earlier this month, causing widespread disruptions in train services, was the result of a never-before-seen reusable wiper malware called “Meteor.”

The campaign — dubbed “MeteorExpress” — has not been linked to any previously identified threat group or to additional attacks, making it the first incident involving the deployment of this malware, according to researchers from Iranian antivirus firm Amn Pardaz and SentinelOne. Meteor is believed to have been in the works over the past three years.

“Despite a lack of specific indicators of compromise, we were able to recover most of the attack components,” SentinelOne’s Principal Threat Researcher, Juan Andres Guerrero-Saade, noted. “Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker,” adding the offensive is “designed to cripple the victim’s systems, leaving no recourse to simple remediation via domain administration or recovery of shadow copies.”

On July 9, the Iranian train system was left paralyzed in the wake of a major attack, with the hackers defacing electronic displays to instruct passengers to direct their complaints to the phone number of the office of Iranian Supreme Leader Ayatollah Ali Khamenei. The incident reportedly caused “unprecedented chaos” at stations, with hundreds of trains delayed or cancelled.

According to SentinelOne, the infection chain began with the abuse of Group Policy to deploy a toolkit of batch files that orchestrate different components; these components are extracted from multiple RAR archives and chained together to encrypt the filesystem, corrupt the master boot record (MBR), and lock the affected system.

images from Hacker News