Wednesday, 5 April 2023

CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users

 Portuguese users are being targeted by a new malware codenamed CryptoClippy that's capable of stealing cryptocurrency as part of a malvertising campaign.

The activity leverages SEO poisoning techniques to entice users searching for "WhatsApp web" to rogue domains hosting the malware, Palo Alto Networks Unit 42 said in a new report published today.

CryptoClippy, a C-based executable, is a type of cryware known as clipper malware that monitors a victim's clipboard for content matching cryptocurrency addresses and substituting them with a wallet address under the threat actor's control.

"The clipper malware uses regular expressions (regexes) to identify what type of cryptocurrency the address pertains to," Unit 42 researchers said.

"It then replaces the clipboard entry with a visually similar but adversary-controlled wallet address for the appropriate cryptocurrency. Later, when the victim pastes the address from the clipboard to conduct a transaction, they actually are sending cryptocurrency directly to the threat actor."


The illicit scheme is estimated to have netted its operators about $983 so far, with victims found across manufacturing, IT services, and real estate industries.

It's worth noting that the use of poisoned search results to deliver malware has been adopted by threat actors associated with the GootLoader malware.

Another approach used to determine suitable targets is a traffic direction system (TDS), which checks if the preferred browser language is Portuguese, and if so, takes the user to a rogue landing page.

Users who do not meet the requisite criteria are redirected to the legitimate WhatsApp Web domain without any further malicious activity, thereby avoiding detection.

The findings arrive days after SecurityScorecard detailed an information stealer called Lumma that's capable of harvesting data from web browsers, cryptocurrency wallets, and a variety of apps such as AnyDesk, FileZilla, KeePass, Steam, and Telegram.



Tuesday, 4 April 2023

Sorting Through Haystacks to Find CTI Needles

Clouded vision

CTI systems are confronted with some major issues ranging from the size of the collection networks to their diversity, which ultimately influence the degree of confidence they can put on their signals. Are they fresh enough and sufficiently reliable to avoid any false positives or any poisoning? Do I risk acting on outdated data? This difference is major since a piece of information is just a decision helper, whereas a piece of actionable information can directly be weaponized against an aggressor. If raw data are the hayfields, information is the haystacks, and needles are the actionable signal.

To illustrate the collection networks' size & variety point, without naming anyone in particular, let's imagine a large CDN provider. Your role is to deliver, on a massive scale, content over HTTP(s). This attracts a lot of "attention" and signals, but only on the HTTP layer. Also, any smart attacker will probably avoid probing your IP ranges (which are public and known in your AS). Hence, you only receive the indiscriminate "Gatling guns" scanners or direct attacks over an HTTP layer. This is a very narrow focus.

Now if you are a large EDR/XDR or whatever glorified antivirus, you also can argue that you have a huge detection network spanning million of devices… Of wealthy enterprises. Because let's face it, not every non-profit, public hospital or local library can afford to pay for those tools. Hence you potentially only see threats targeted at sophisticated actors, and mostly the ones carried by malware on LAN machines.

On the honeypot front, there is no silver bullet either. The "Gatling guns scanners" represent the background radioactivity of the Internet. A sort of static noise which is constantly present in the surroundings of any Internet-connected device. Here, the problem is rather that no decent cyber criminal group will use any meaningful resources to target a honeypot machine. What's the point of investing some DDoS resources in knocking down a straw dummy? Would you use any meaningful exploit or tool, let alone burn your IP, on a "potential" target? Honeypots collect "intentions", automated exploitation, something along the lines of "this IP wants to know if you're (still) vulnerable to log4j".

It can be interesting to a certain extent but it is limited to low-hanging fruits. Also, your diversity is limited by your capacity to spread in many different places. If all your probes (honeypots) are sitting over ten or worse, just 3 or 4 different clouds, you can't see everything, and you can be "dodged", meaning criminals can voluntarily skip your IP ranges to avoid detection. You also need to organize your deployment system for every platform, and yet you'll only see the IP not dodging GCP, AWS, or whatever cloud you're working with. And since those providers are no NGOs, your network size is also limited by…money. If a fully automated HP running on XYZ cloud costs you $20 monthly, your pocket must be deep to run thousands of them.


Establishing a counter-offensive#

To curb the trajectory of mass cyber criminality, we need to act on a resource that is limited in essence, otherwise, you cannot organize a proper "shortage". The famous Conti-Leaks cast an interesting light upon the actual pain points of a large cybercrime group. Obviously (crypto) money laundering, recruitment, payrolls, the classical ones you'd expect. But interestingly enough, when you read the exchanges on their internal chat system, you can see IP, changing them, borrowing, renting, cleaning them, installing the tools, migrating the ops and C2, etc. is … costly. Both time & money-wise.

There are nearly infinite variations of hashes and SHA1 offers a space of 2^160 possibilities. So collecting them is one thing, but you're almost sure any new malware variation will have a different signature. As we speak, most of the CI/CD procedures of any decent cyber criminal group already include the modification of one byte before sending the payload to a target.

Aiming at domain names is fighting against an infinite space in size as well. You can book domain1, domain2, domain3, etc. There is technically no limit to the number of variations. There are smart systems out there, protecting your brand and checking if any domain names similar to yours have been booked lately. These pre-crime-style systems are very helpful to deal with an upcoming phishing attempt. You start to be proactive with this kind of stance & tools.

It's anyway useful to track & index malevolent binaries based on their Hashes or the C2 they try to contact or even indexing IP trying to auto-exploit known CVE, but doing so is a rather reactive stance. You don't strike back by knowing the position or tactic of the enemy, you do so by crippling its offensive capabilities, and this is where IP addresses are very interesting. The system is decades old and will still be there after us. It's

Now there is a resource that actually is in scarcity: IPV4. The historic IP space is limited to around 4 billion of them. Bringing the fight to this ground is efficient because if the resource is in scarcity, you can actually be proactive and burn IP addresses as fast as you are aware one is used by the enemy. Now, this landscape is an ever-evolving one. VPN providers, Tor, and Residential proxy apps offer a way for cybercriminals to borrow an IP address, let alone the fact that they can leverage some from already compromised servers on the dark web.

So if an IP address is used at é moment in time, it's possible that it isn't anymore the next hour and you then generate a false positive if you block it. The solution is to create a crowdsourcing tool protecting all sizes of businesses, across all types of places, geographies, clouds, homes, private corps DMZ, etc., and on all types of protocols. If the network is big enough, this IP rotation isn't a problem because if the network stops reporting an IP, you can release it, whereas the new one rising in number of reports needs to be integrated into a blocklist. The larger the network, the more real-time it becomes.

You can monitor almost any protocol except UDP-based ones, which must be excluded since it's easy to spoof packets over UDP. So by considering reports on a UDP-based protocol for banning an IP, you could easily be tricked. Other than that, every protocol is good to monitor. As well you can definitely look for CVE but, even better, for behavior. By doing so, you can catch business-oriented aggressions that may not only be CVE based. A simple example, beyond the classical L7 DDoS, scans, credential brute force, or stuffing is scalping. Scalping is the action of auto-buying a product with a bot on a website and reselling it for a benefit on eBay for example. It's a business layer issue, not really a security-related one. The open-source system CrowdSec was designed exactly to enable this strategy.

Finally, for the last two decades, we were told, "IPV6 is coming, be ready". Well… let's say we had time to prepare. But it's really here now and 5G deployment will only accelerate its usage exponentially. IPV6 changes the stage with a new IP addressable pool as big as 2^128. This is still limited in many ways, not the least because all V6 IP ranges are not fully used yet but also because everyone is getting many IPV6 addresses at once, not just one. Still, we speak about a vast amount of them now.

Let's couple AI & Crowdsourcing #

When data start to flow massively from a large crowd-sourced network and the resource you try to shrink is getting larger, AI sounds like a logical alley to explore.

The network effect is already a good start on its own. An example here could be credential stuffing. If an IP uses several login/pass couples at your place, you'd call it a credential bruteforce. Now at the network scale, if you have the same IP knocking at different places using different login/pass, it's credential stuffing, someone trying to reuse stolen credentials in many places to see if they are valid. The fact that you see the same action, leveraging the same credentials from many different angles, gives you an extra indication of the purpose of the behavior itself.

Now, to be honest, you don't need AI to sort out Credential bruteforce from Credential Reuse or Credential stuffing, but there are places where it can excel though, specifically when teamed with a large network to get heaps of data.

Another example could be a massive internet scan, made using 1024 hosts. Each host could scan only one port and that would likely go unnoticed. Except if you see, in many different places, the same IP scanning the same port within a similar timeframe. Again, barely visible at the individual scale, obvious on a large one.

On the other hand, AI algorithms are good at identifying patterns that wouldn't be visible if you look only in one place at a time but blatant at the scale of a large network.

Representing the data into appropriate structures using graphs and embeddings can uncover complex degrees of interaction between IP addresses, ranges, or even AS (Autonomous Systems). This lead to identifying cohorts of machines working in unison toward the same goal. If several IP addresses are sequencing an attack in many steps like scanning, exploiting, installing a backdoor, and then using the target server to join a DDoS effort, those patterns can repeat in logs. So if the 1st IP of the cohort is visible at a given timestamp and the 2nd 10 minutes later and so on, and this pattern repeats with the same IPs in many places, you can safely tell everyone to ban the 4 IP addresses at once.

The synergy between AI and crowd-sourced signals allows us to address each other's limitations effectively. While crowd-sourced signals provide a wealth of real-time data on cyber threats, they might lack precision and context, eventually leading to false positives. AI algorithms, on the other hand, usually only become relevant after absorbing an enormous amount of data. In return, those models can help refine and analyze these signals, eliminating noise and unveiling hidden patterns.




Monday, 3 April 2023

Italian Watchdog Bans OpenAI's ChatGPT Over Data Protection Concerns

 The Italian data protection watchdog, Garante per la Protezione dei Dati Personali (aka Garante), has imposed a temporary ban on OpenAI's ChatGPT service in the country, citing data protection concerns.

To that end, it has ordered the company to stop processing users' data with immediate effect, stating it intends to investigate the company over whether it's unlawfully processing such data in violation of the E.U. General Data Protection Regulation (GDPR) laws.

"No information is provided to users and data subjects whose data are collected by Open AI," the Garante noted. "More importantly, there appears to be no legal basis underpinning the massive collection and processing of personal data in order to 'train' the algorithms on which the platform relies."

ChatGPT, which is estimated to have reached over 100 million monthly active users since its release late last year, has not disclosed what it used to train its latest large language model (LLM), GPT-4, or how it trained it.

That said, its predecessor GPT-3 utilizes text sourced from books, Wikipedia, and Common Crawl, the latter of which maintains an "open repository of web crawl data that can be accessed and analyzed by anyone."

The Garante also pointed to the lack of any age verification system to prevent minors from accessing the service, potentially exposing them to "inappropriate" responses. Google's own chatbot, called Bard, is only open to users over the age of 18.

Additionally, the regulator raised questions about the accuracy of the information surfaced by ChatGPT, while also highlighting a data breach the service suffered earlier this month that exposed some users' chat titles and payment-related information.

In response to the order, OpenAI has blocked its generative AI chatbot from being accessed by users with an Italian IP address. It also said it's issuing refunds to subscribers of ChatGPT Plus, in addition to pausing subscription renewals.

The San Francisco-based company further emphasized that it provides ChatGPT in compliance with GDPR and other privacy laws. ChatGPT is already blocked in China, Iran, North Korea, and Russia.

In a statement shared with Reuters, OpenAI said it actively works to "reduce personal data in training our AI systems like ChatGPT because we want our AI to learn about the world, not about private individuals."

OpenAI has 20 days to notify the Garante of the measures it has taken to bring it in compliance, or risk facing fines of up to €20 million or 4% of the total worldwide annual turnover, whichever is higher.

The ban, however, is not expected to impact applications from other companies that employ OpenAI's technology to augment their services, including Microsoft's Bing search engine and its Copilot offerings.

The development also comes as Europol warned that LLMs like ChatGPT are likely to help generate malicious code, facilitate fraud, and "offer criminals new opportunities, especially for crimes involving social engineering, given its abilities to respond to messages in context and adopt a specific writing style."

This is not the first time AI-focused companies have come under the radar. Last year, controversial facial recognition firm Clearview AI was fined by multiple European regulators for scraping users' publicly available photos without consent to train its identity-matching service.

It has also run afoul of privacy laws in Australia, Canada, and the U.S., with several countries ordering the company to delete all of the data it obtained in such a manner.

Clearview AI told BBC News last week that it has run nearly a million searches for U.S. law enforcement agencies, despite being permanently banned from selling its faceprint database within the country.










Western Digital Hit by Network Security Breach - Critical Services Disrupted

 Data storage devices maker Western Digital on Monday disclosed a "network security incident" that involved unauthorized access to its systems.

The breach is said to have occurred on March 26, 2023, enabling an unnamed third party to gain access to a "number of the company's systems."

Following the discovery of the hack, Western Digital said it has initiated incident response efforts and enlisted the help of cybersecurity and forensic experts to conduct an investigation.

It also said it's coordinating with law enforcement agencies on the matter, adding the probe is in its initial stages.

The company has taken several of its services offline, noting that the threat actor may have obtained "certain data from its systems" and that it's working on estimating the nature and scope of the data accessed.




Sunday, 2 April 2023

Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor

 A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.

"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally.

"The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families."

The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Manidant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022.

Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG.

Both these campaigns were attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future said "closely overlaps" with RedGolf.

"We have not observed specific victimology as part of the latest highlighted RedGolf activity," Recorded Future said. "However, we believe this activity is likely being conducted for intelligence purposes rather than financial gain due to the overlaps with previously reported cyber espionage campaigns."

The cybersecurity firm, in addition to detecting a cluster of KEYPLUG samples and operational infrastructure (codenamed GhostWolf) used by the hacking group from at least 2021 to 2023, noted its use of other tools like Cobalt Strike and PlugX.

The GhostWolf infrastructure, for its part, consists of 42 IP addresses that function as KEYPLUG command-and-control. The adversarial collective has also been observed utilizing a mixture of both traditionally registered domains and Dynamic DNS domains, often featuring a technology theme, to act as communication points for Cobalt Strike and PlugX.

"RedGolf will continue to demonstrate a high operational tempo and rapidly weaponize vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks," the company said.

"Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG."

To defend against RedGolf attacks, organizations are recommended to apply patches regularly, monitor access to external facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.

The findings come as Trend Micro revealed that it discovered more than 200 victims of Mustang Panda (aka Earth Preta) attacks as part of a far-reaching cyber espionage effort orchestrated by various sub-groups associated with the threat actor since 2022.

A majority of the cyber strikes have been detected in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America.

"There are strong indications of intertwined traditional intelligence tradecraft and cyber collection efforts, indicative of a highly coordinated and sophisticated cyber espionage operation," Trend Micro said.








Saturday, 1 April 2023

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk

 Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress.

The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22.

"Improved code security enforcement in WooCommerce components," the Tel Aviv-based company said in its release notes. The premium plugin is estimated to be used on over 12 million sites.

Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled.

"This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to the administrator so they can create an account that instantly has the administrator privileges," Patchstack said in an alert of March 30, 2023.

"After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site."

Credited with discovering and reporting the vulnerability on March 18, 2023, is NinTechNet security researcher Jerome Bruandet.

Patchstack further noted that the flaw is currently being abused in the wild by several IP addresses intending to upload arbitrary PHP and ZIP archive files.

Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, which is the latest version, as soon as possible to mitigate potential threats.

The advisory comes over a year after the Essential Addons for Elementor plugin was found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites.

Last week, WordPress issued auto-updates to remediate another critical bug in the WooCommerce Payments plugin that allowed unauthenticated attackers to gain administrator access to vulnerable sites.




Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps

 Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several "high-impact" applications to unauthorized access.

"One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results but also launch high-impact XSS attacks on Bing users," cloud security firm Wiz said in a report. "Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents."

The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. Redmond said it found no evidence that the misconfigurations were exploited in the wild.

The crux of the vulnerability stems from what's called "Shared Responsibility confusion," wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access.


Interestingly, a number of Microsoft's own internal apps were found to exhibit this behavior, thereby permitting external parties to obtain read and write to the affected applications.

This includes the Bing Trivia app, which the cybersecurity firm exploited to alter search results in Bing and even manipulate content on the homepage as part of an attack chain dubbed BingBang.

To make matters worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack on Bing.com and extract a victim's Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.

A malicious actor with the same access could've hijacked the most popular search results with the same payload and leak sensitive data from millions of users," Wiz researcher Hillai Ben-Sasson noted.

Other apps that were found susceptible to the misconfiguration issue include Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate Blog, and COSMOS.

The development comes as enterprise penetration testing firm NetSPI revealed details of a cross-tenant vulnerability in Power Platform connectors that could be abused to gain access to sensitive data.




Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments

  Microsoft on Tuesday   revealed   that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations...