Monday, January 10, 2022
(BADNEWS-Trojan) Patchwork APT Hackers Score Own Goal in Recent Malware Attacks
FROM THE MEDIA: Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science. "Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own [remote access trojan], resulting in captured keystrokes and screenshots of their own computer and virtual machines," Malwarebytes Threat Intelligence Team said in a report published on Friday. Prominent victims that were successfully infiltrated include Pakistan's Ministry of Defense, National Defense University of Islamabad, Faculty of Bio-Sciences at UVAS Lahore, International Center for Chemical and Biological Sciences (ICCBS), H.E.J. Research Institute of Chemistry, and the Salim Habib University (SBU). Believed to have been active since 2015, Patchwork APT is also tracked by the wider cybersecurity community under the monikers Dropping Elephant, Chinastrats (Kaspersky), Quilted Tiger (CrowdStrike), Monsoon (Forcepoint), Zinc Emerson, TG-4410 (SecureWorks), and APT-C-09 (Qihoo 360). The espionage group, primarily known for striking diplomatic and government agencies in Pakistan, China, U.S. think tanks, and other targets located in the Indian subcontinent via spear-phishing campaigns, gets its name from the fact that most of the code used for its malware tooling was copied and pasted from various sources publicly available on the web. "The code used by this threat actor is copy-pasted from various online forums, in a way that reminds us of a patchwork quilt," researchers from the now-defunct Israeli cybersecurity startup Cymmetria noted in its findings published in July 2016. 
Over the years, successive covert operations staged by the actor have attempted to drop and execute QuasarRAT as well as an implant named BADNEWS that acts as a backdoor for the attackers, providing them with full control over the victim machine. In January 2021, the threat group was also observed exploiting a remote code execution vulnerability in Microsoft Office (CVE-2017-0261) to deliver payloads on victim machines.
READ THE STORY: THN
ANALYST COMMENT: NSTR
US counterintelligence shares tips to block spyware attacks
FROM THE MEDIA: The US National Counterintelligence and Security Center (NCSC) and the Department of State have jointly published guidance on defending against attacks using commercial surveillance tools. Tips shared in the joint advisory are designed to help people at risk of being targeted by surveillance campaigns block attempts to track their location, record their conversations, and harvest their personal information and online activity using mercenary spyware deployed on their mobile devices. "Companies and individuals have been selling commercial surveillance tools to governments and other entities that have used them for malicious purposes," the two US government agencies said. This advisory was published on the heels of news that US State Dept employees' phones had been hacked using Pegasus spyware developed by the Israeli surveillance firm NSO Group. The attacks hit at least 11 US officials based in or focused on matters concerning the East African country of Uganda and took place in the second half of last year. Reports of State Dept employees having their devices infected with spyware came after the US sanctioned NSO Group and three other companies from Israel, Russia, and Singapore for spyware development and for selling hacking tools used by state-backed hacking groups. The Commerce Department's Bureau of Industry and Security (BIS) added NSO and Candiru to its Entity List for supplying the software used by state hackers to spy on government officials, journalists, and activists. In early November, Apple also filed a lawsuit against NSO for targeting and spying on Apple users after compromising their devices using the ForcedEntry exploit and Pegasus spyware, as Citizen Lab revealed in August.
READ THE STORY: Bleeping Computer
ANALYST COMMENT: NSTR
New ZLoader malware campaign hit more than 2000 victims across 111 countries
FROM THE MEDIA: A malware campaign is spreading ZLoader by exploiting a Windows vulnerability that was fixed in 2013 and whose fix Microsoft revised in 2014. Experts from Check Point Research uncovered the new ZLoader campaign in early November 2021. The campaign is still active, and the threat actors had already stolen data and credentials from more than 2000 victims across 111 countries as of 2 Jan 2022. Zloader is banking malware that has been active since at least 2016; it borrows some functions from the notorious Zeus 2.0.8.9 banking Trojan and was used to spread a Zeus-like banking trojan (i.e. Zeus OpenSSL). The infection chain starts with the installation of Atera software on the victim's machine. Atera is legitimate enterprise remote monitoring and management software that can install an agent and assign the endpoint to a specific account using a unique .msi file that includes the owner's email address. The attackers created this installer using a temporary email address: 'Antik.Corp@mailto.plus'. As in previous Zloader campaigns, the file poses as a Java installation. The malware then abuses Microsoft's digital signature verification method to inject its payload into a signed system DLL in an attempt to evade detection. The threat actors exploit a vulnerability, tracked as CVE-2013-3900, that was discovered and fixed in 2013 and whose fix Microsoft revised in 2014. "A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature," reads the advisory published by Microsoft. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."
READ THE STORY: Security Affairs
ANALYST COMMENT: NSTR
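The ZLoader item above turns on the fact that Authenticode hashes a PE file but not its certificate table, so data appended inside the WIN_CERTIFICATE entry beyond the PKCS#7 blob does not invalidate the signature. The inspector below, an added example that is not from the article or from Check Point, measures that slack region on a constructed minimal PE32+ image; the "clean" rule (only zero-valued alignment padding shorter than 8 bytes after the DER blob) is an assumption modelled on Microsoft's description of the MS13-098 hardening, and `fake_pkcs7` stands in for a real SignedData structure.

```python
import struct

CERT_TABLE_OFF = 0x200                       # file offset of the constructed certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def fake_pkcs7(payload_len: int) -> bytes:
    """Constructed stand-in for a PKCS#7 blob: a DER SEQUENCE with a two-byte long-form length."""
    return b"\x30\x82" + struct.pack(">H", payload_len) + b"\xAA" * payload_len


def win_certificate(blob: bytes, trailing: bytes = b"") -> bytes:
    """Build a WIN_CERTIFICATE entry; `trailing` models data smuggled after the DER blob
    but still inside dwLength, the unverified region CVE-2013-3900 concerns."""
    body = blob + trailing
    body += b"\0" * (-len(body) % 8)         # entries are 8-byte aligned
    return struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def build_pe(cert_entry: bytes) -> bytes:
    """Constructed minimal PE32+ image; only the fields the inspector reads are meaningful."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0")   # PE32+ magic, then 16 data directories
    dirs = [(0, 0)] * 16
    if cert_entry:                            # IMAGE_DIRECTORY_ENTRY_SECURITY holds a file offset
        dirs[4] = (CERT_TABLE_OFF, len(cert_entry))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return (dos + coff + opt).ljust(CERT_TABLE_OFF, b"\0") + cert_entry


def der_sequence_length(blob: bytes) -> int:
    """Total encoded length of the DER SEQUENCE at the start of blob (header + content)."""
    if not blob or blob[0] != 0x30:
        raise ValueError("certificate data does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                         # short-form length
        return 2 + first
    n = first & 0x7F                         # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def inspect_authenticode(image: bytes):
    """Return (der_len, slack_bytes, clean) for the first WIN_CERTIFICATE entry, or None if
    the image carries no certificate table. slack_bytes counts data inside dwLength that lies
    beyond the PKCS#7 structure; clean applies the assumed padding rule described above."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data-directory offset
    cert_off, cert_size = struct.unpack_from("<II", image, dir_base + 4 * 8)
    if cert_size == 0:
        return None
    dw_length, _rev, ctype = struct.unpack_from("<IHH", image, cert_off)
    if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected certificate type %#x" % ctype)
    body = image[cert_off + 8:cert_off + dw_length]
    slack = body[der_sequence_length(body):]
    return der_sequence_length(body), len(slack), len(slack) < 8 and not any(slack)


# Constructed samples: a compliant entry, and one with 64 bytes smuggled after the blob.
CLEAN_IMAGE = build_pe(win_certificate(fake_pkcs7(100)))
PADDED_IMAGE = build_pe(win_certificate(fake_pkcs7(100), trailing=b"\xCC" * 64))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("padded", PADDED_IMAGE)):
        print(name, inspect_authenticode(img))
```

On a real signed binary the same directory walk applies; the blob length then comes from the genuine PKCS#7 SEQUENCE header rather than the stand-in.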
Don’t toss the spyware with the NSO scandal bathwater, urges Israeli cyber guru
FROM THE MEDIA: Democracies need cybersurveillance tools to track criminals and terrorists; just regulate the tech better, argues Prof. Isaac Ben-Israel. The technology developed by spyware firm NSO should be more strictly regulated but not discarded altogether, Israel's cybersecurity guru said — though he acknowledged that the scandal surrounding the Herzliya-based firm was blackening Israel's reputation. The NSO scandal "is spoiling our name," Prof. Isaac Ben-Israel, who led the task force that set out Israel's national cybersecurity policy, said in a recent interview with The Times of Israel from his office at Tel Aviv University. Ben-Israel was head of military research and development in the Israeli army and at the Defense Ministry from 1991 to 1997. In January 1998, he was promoted to major general and appointed director of the Defense R&D Directorate at the ministry. During his service, he twice received the Israeli Defense Award. Post-army, he was central to the establishment of Israel's National Cyber Bureau and other authorities protecting national civilian and security infrastructure from cyberattacks. Ben-Israel said that of all exports of Israeli cybersecurity products and services — which account for some 10% of global market sales — offensive products like those developed by NSO and Candiru, two companies recently blacklisted by the US Department of Commerce, are just a "small percentage" of the total. Unfortunately, in the public eye this is irrelevant, as people tend not to distinguish between defensive and offensive cybersecurity tools. As a result, the damage to Israel's reputation is comprehensive, explained the 72-year-old Ben-Israel, who today heads the ICRC – Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University.
READ THE STORY: Times of Israel
ANALYST COMMENT: NSTR
DARPA SMOKE project seeks to model computer hackers' behavior to help improve cyber security defenses
FROM THE MEDIA: U.S. military researchers are asking the computer industry to develop ways to detect, manage, and defeat typical cyber hackers' behavior and make them part of the computer and design process. Officials of the U.S. Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., issued a broad agency announcement on Tuesday (HR001122S0006) for the Signature Management Using Operational Knowledge and Environments (SMOKE) project. SMOKE also seeks to measure the risk of cyber threats in real time, and to find new ways for red team ethical hackers to maintain their evasiveness as they help train cyber security experts to root out malicious cyber behavior. Military computer networks are under persistent threat from malicious cyber hackers, so network security experts must be able to assess their cyber vulnerabilities and defenses by using red team ethical hackers and blue team cyber defenders. Red team exercises are designed to exceed simple penetration testing and emulate cyber attacker behaviors as realistically as possible, to form a picture of network defense readiness. Towards the aim of realism, red teams use tactics that mimic advanced cyber threats to evade network defenders and assess how critical networks fare against a determined cyber attack. A core aspect of red team security assessments is the set of procedures used to build domain names, IP addresses, virtual servers, and other components that control red team tools. This infrastructure must exist openly on the public Internet and emits signals that, if detected too easily, can end the assessment quickly without much gain, but at considerable expense. Signatures are patterns in the way an organization performs cyber operations. Attribution is the ability to link a cyber attack to a likely hacker. Red team members don't want the blue team to attribute attacks to likely perpetrators too quickly, which can weaken a cyber security assessment.
The ability to emulate sophisticated threats, evade detection, and reduce signatures requires a significant amount of time and expertise. Furthermore, the demand for network security assessments today is greater than the supply. SMOKE seeks to develop tools to automate the deployment of emulated cyber threats, which will enable red teams to increase the effectiveness of cyber security assessments. These tools could also give red teams longer cyber security assessments because of their ability to remain hidden. DARPA researchers want industry to develop tools that enable automated and scalable emulated cyber threats. SMOKE will prototype components that enable red teams to plan, build, and deploy cyber infrastructure that is informed by machine-readable signatures of sophisticated cyber threats.
READ THE STORY: Military Aerospace
ANALYST COMMENT: NSTR
Exposed: Who were Russia's spies at NATO HQ?
FROM THE MEDIA: A lieutenant colonel with top-level Kremlin links, a spy-catcher, and a Big Data specialist - the identities of eight Russians recently expelled by NATO from Brussels give clues to why Moscow reacted so harshly and what its operatives were doing. The eight people who Russia said were "diplomats" at its embassy to the NATO HQ in Brussels were in fact "undeclared intelligence officers" conducting "activities not in line with their accreditation", NATO secretary general Jens Stoltenberg said while announcing the expulsions last October. NATO never publicly named them, meaning they could quietly go home and be posted to other, non-NATO state locations under diplomatic cover. Russia subsequently closed its whole NATO embassy. Its reaction was seen as an attempt to belittle the Western alliance, as Russia and NATO prepare to hold talks on Russia's threat of a new war against Ukraine later this week. The high-level connections of some of those whom Stoltenberg sent packing indicated the Kremlin's tantrum might have had a personal dimension. They showed the importance of NATO's HQ as a target in Russia's eyes. And their CVs shed light on the kind of people Russian spy services were sending to Belgium, where EU and Belgian institutions are also being targeted. The eight Russian diplomat-spies were Sergei Chesnokov, Oleg Demekhin, Vasily Epishkin, Dmitry Filippenok, Igor Kovalev, Nadezhda Obukhova, Alexander Smushko, and Stanislav Telegin, according to information obtained in a joint investigation by the Dossier Center, a London-based NGO, and EUobserver.
READ THE STORY: EUobserver
ANALYST COMMENT: NSTR
Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps
FROM THE MEDIA: Users of the popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, which use these libraries, printing gibberish data and breaking. Some wondered whether the NPM libraries had been compromised, but it turns out there's much more to the story. The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker.' The colors library receives over 20 million weekly downloads on npm alone and has almost 19,000 projects relying on it; faker, meanwhile, receives over 2.8 million weekly downloads on npm and has over 2,500 dependents. The developer behind the popular open-source NPM libraries 'colors' (aka colors.js on GitHub) and 'faker' (aka 'faker.js' on GitHub) intentionally introduced mischievous commits in them that are impacting thousands of applications relying on these libraries. Yesterday, users of popular open-source projects, such as Amazon's Cloud Development Kit (aws-cdk), were left stunned on seeing their applications print gibberish messages on their console. Initially, users suspected that the libraries 'colors' and 'faker' used by these projects had been compromised [1, 2, 3], similar to how the coa, rc, and ua-parser-js libraries were hijacked last year by malicious actors. In fact, it was the dev behind colors and faker who appears to have intentionally committed the code responsible for the major blunder, as seen by BleepingComputer. The developer, named Marak Squires, added a "new American flag module" to the colors.js library yesterday in version v1.4.44-liberty-2, which he then pushed to GitHub and npm.
READ THE STORY: Bleeping Computer
ANALYST COMMENT: NSTR
Albuquerque impacted by ransomware attack
FROM THE MEDIA: A ransomware attack has impacted the Albuquerque Bernalillo County government offices. Bernalillo County is New Mexico’s most populous county with more than 676,000 residents, and its government provides a wide range of public services to residents who live in Albuquerque, Los Ranchos and Tijeras and the 111,000 residents who live outside the village and city limits in the unincorporated areas of the county. The county government buildings and public offices were closed on Wednesday across Albuquerque, Los Ranchos and Tijeras after the disruption occurred on January 5, county officials said in a press release. “Bernalillo County is continuing its assessment of suspected ransomware discovered on Bernalillo County systems. The county has taken affected systems offline and has severed network connections. The disruption likely occurred between Midnight and 5:30 a.m. on Jan. 5.,” the press release says. Bernalillo County says emergency and public safety are in full operation, and 911 is operational with the Sheriff’s Office and Fire and Rescue responding to calls. In addition, vendors for county systems have been notified of the ransomware and are working to solve the issue and restore the system functions. “Ransomware is getting easier and easier to orchestrate as an attacker,” says Sam Jones, VP of Product Management, Stellar Cyber. “Operational downtime to critical public services will be the gravest by-product of these attacks, especially as they become more rampant. State and local governments are unfortunately perfect targets for attackers.” Saryu Nayyar, CEO and Founder, Gurucul, says, “Despite widespread deployment of traditional SIEM, endpoint solutions and now Endpoint-based XDR, what has been lacking within most organizations that are victims of successful ransomware attacks is true behavioral-based modeling and detection within the infrastructure. 
The ability to characterize proper behaviors and user and application access with the right modeling and machine learning can lead to high-fidelity detection of deviations in “normal” behaviors and unusual access to systems that are often tell-tale signs of ransomware infections. The ability to bubble these types of alerts as high-priority when appropriate empowers security teams to investigate and detect ransomware much earlier to then respond and thwart a successful attack.”
READ THE STORY: Cyber Reports
ANALYST COMMENT: NSTR
New Mac Malware Samples Underscore Growing Threat
FROM THE MEDIA: For the sixth year in a row, security researcher Patrick Wardle has released a list of all the new Mac malware threats that emerged over the course of a year. For each malware sample, Wardle identified the malware's infection vector, installation and persistence mechanisms, and other features, such as the purpose of the malware. Fifty-three percent reported that requests for Apple devices had grown at their organization over the same period. Wardle's list comprises eight new malware samples that surfaced in 2021 and target macOS. Among them are ElectroRAT, a cross-platform remote access trojan that emerged last January; Silver Sparrow, a malware tool specifically targeted at Apple's M1 chip launched last year; XLoader, a cross-platform password stealer; and OSX.CDDS or MacMa, a macOS implant likely developed by a nation-state actor. Different antivirus and security firms discovered each of the malware samples. Intezer, for instance, uncovered ElectroRAT when investigating a wide-ranging cryptocurrency operation in January 2020. At the time, the company described ElectroRAT as a rare example of a malware tool that had been developed from scratch and was used to target Windows, Linux, and macOS environments. Red Canary reported Silver Sparrow last February as a binary compiled specifically to run on Apple's then-new M1 chips. The security vendor said some 29,139 Mac endpoints had been affected by the malware installer, which, however, carried no payload. Researchers from Check Point who uncovered XLoader found it to be a version of a well-known information stealer called Formbook that had been rewritten for macOS. Members of Google's threat analysis group discovered MacMa (OSX.CDDS) when investigating sophisticated watering hole attacks targeting visitors to the Hong Kong websites of a media outlet and a pro-democracy group.
The researchers discovered the attackers exploiting a zero-day privilege escalation vulnerability (CVE-2021-30869) in macOS Catalina, to drop the MacMa backdoor. Based on the quality of the payload code, Google assessed the malware to be the work of a well-resourced and likely state-backed threat actor. The other malware samples Wardle listed in his round-up were XcodeSpy, which targeted Xcode developers with a backdoor called EggShell; ElectrumStealer, a cryptocurrency mining tool that Apple inadvertently signed digitally; WildPressure, a cross-platform Python backdoor that Kaspersky found targeting industrial companies in the Middle East; and ZuRu, a data-stealing malware tool that spread via sponsored search results on Baidu and installed the Cobalt Strike agent on compromised systems.
READ THE STORY: Cyber Reports
ANALYST COMMENT: NSTR
Victims of $200 million hack of BitMart crypto exchange still waiting to get their money back
FROM THE MEDIA: Cryptocurrency exchange BitMart promised a full reimbursement to the victims of the platform-wide $200 million hack, but some users still haven't gotten their money back, according to a report from CNBC. Hackers made off with a variety of tokens on December 4th after using a stolen private key to gain access to one of BitMart's hot wallets, that is, a crypto wallet that is connected to the internet. Shortly after the incident, BitMart announced that it would use its own funding "to cover the incident and compensate affected users." However, as CNBC reports, there are still several frustrated users who have yet to see their funds returned. CNBC's report details the experience of an Iranian refugee who says he stored $53,000 worth of SafeMoon on BitMart, $40,000 of which is from a loan. The outlet also got in touch with a Kansas-based investor who has $35,000 in limbo — he claims that he and 6,800 other investors may file a class-action lawsuit against BitMart if nothing is done to resolve the situation. Of all the tokens stolen in the BitMart hack, data from blockchain security company PeckShield shows that SafeMoon was hit hardest. As pointed out by CNBC, SafeMoon holders are fighting back on Twitter and have been flooding the site with the #WenBitMart hashtag to demand the return of their funds. This may be the only way users feel they can call attention to the issue, as CNBC reports some users are met with vague responses when contacting BitMart to check on the status of their lost funds. It remains unclear just how BitMart plans on reimbursing all affected users. CNBC notes that while the exchange could buy back all of the tokens lost, it may be doing so when those tokens are at a much higher value. Other users question whether BitMart will be using some form of insurance to pay users back. The Verge reached out to BitMart with a request for comment but didn't immediately hear back.
READ THE STORY: The Verge
ANALYST COMMENT: NSTR
Paper of interest
Cicada 3301: the coders still working on the internet’s strangest mystery
FROM THE MEDIA: When a post appeared on a message board in 2012, it sent a small corner of the internet spiraling into a conspiracy of whistleblowers, dead man's switches and NSA surveillance. Eight years on, Cicada 3301 has become a story of obsession, paranoia and, most improbably, community.
READ THE STORY: The Face
ANALYST COMMENT: NSTR
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends regarding cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com