Wednesday, January 12, 2022
‘Fully Undetected’ SysJoker Backdoor Malware Targets Windows, Linux & macOS
FROM THE MEDIA: The malware establishes initial access on targeted machines, then waits for additional code to execute. A brand-new multiplatform malware, likely distributed via malicious npm packages, is spreading under the radar with Linux and Mac versions going fully undetected in VirusTotal, researchers warned. The Windows version, according to a Tuesday writeup from Intezer, has only six detections as of this writing. These were uploaded to VirusTotal with the suffix “.ts,” which is used for TypeScript files. Dubbed SysJoker by Intezer, the backdoor is used for establishing initial access on a target machine. Once installed, it can execute follow-on code as well as additional commands, through which malicious actors can carry out follow-on attacks or pivot to move further into a corporate network. This kind of initial access is also a hot commodity on underground cyberforums, where ransomware groups and others can purchase it.
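The samples described above reached VirusTotal under a ".ts" suffix, so a triage check that trusts extensions would file native executables as TypeScript. The helper below, an added example that is not code from Intezer's or Threatpost's writeups, classifies a file by its leading bytes (PE, ELF, Mach-O, FAT) and flags any executable wearing a non-executable extension. The sample byte strings are constructed header fragments, not real SysJoker samples.

```python
"""Triage helper: does a file's content match what its extension claims?

Added example, not from the original article. It inspects leading bytes so that
a Windows, Linux or macOS executable uploaded as "something.ts" is still
recognised as an executable. Sample bytes below are constructed header fragments.
"""
import struct
from pathlib import Path

# Mach-O magic as read big-endian from the first four bytes on disk.
MACHO_MAGICS = {
    0xFEEDFACE, 0xFEEDFACF,  # 32/64-bit Mach-O written big-endian
    0xCEFAEDFE, 0xCFFAEDFE,  # same formats written little-endian (x86-64, arm64)
}
FAT_MAGIC = 0xCAFEBABE       # universal binary; Java class files share this value

# Extensions that should never carry a native executable.
NON_EXECUTABLE_EXTENSIONS = {".ts", ".txt", ".json", ".log", ".js", ".md"}
EXECUTABLE_FORMATS = {"PE", "ELF", "Mach-O", "FAT"}


def detect_format(data: bytes) -> str:
    """Return 'PE', 'MZ/DOS', 'ELF', 'Mach-O', 'FAT', 'Java class' or 'unknown'."""
    if len(data) < 4:
        return "unknown"
    if data[:2] == b"MZ":
        # PE files begin with a DOS stub; the PE header offset is stored at 0x3C.
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "PE"
        return "MZ/DOS"
    if data[:4] == b"\x7fELF":
        return "ELF"
    magic = struct.unpack(">I", data[:4])[0]
    if magic == FAT_MAGIC:
        # Heuristic: a FAT header's arch count is small; a Java class file's
        # major version at the same offset is >= 45.
        if len(data) >= 8 and struct.unpack(">I", data[4:8])[0] >= 30:
            return "Java class"
        return "FAT"
    if magic in MACHO_MAGICS:
        return "Mach-O"
    return "unknown"


def mismatch(filename: str, data: bytes) -> dict:
    """Flag a file whose extension claims 'not executable' but whose content is."""
    fmt = detect_format(data)
    ext = Path(filename).suffix.lower()
    return {
        "file": filename,
        "extension": ext,
        "format": fmt,
        "suspicious": fmt in EXECUTABLE_FORMATS and ext in NON_EXECUTABLE_EXTENSIONS,
    }


# Constructed samples: header fragments only, not real malware.
SAMPLES = {
    "update.ts": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\x3e\x00",
    "installer.ts": b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0\x64\x86",
    "helper.ts": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",
    "config.json": b'{"c2": "placeholder"}',
    "Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
}


def triage(samples=SAMPLES) -> dict:
    """Run the mismatch check over every sample, keyed by file name."""
    return {name: mismatch(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {name:14} ext={result['extension']:6} content={result['format']}")
```

The check is deliberately limited to headers; a full parse of each format (section tables, load commands) would be the next step before trusting a verdict, and a packed or encrypted payload will still need dynamic analysis.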
READ THE STORY: Threatpost
A QUICK LOOK: SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, we found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, we estimate that the SysJoker attack was initiated during the second half of 2021. SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines. Based on victimology and the malware’s behavior, we assess that SysJoker is after specific targets.
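Fetching the C2 address from a text file on a public service is the "dead drop resolver" pattern, and it leaves a usable trace in proxy logs: a host pulls a direct download from the sharing service and shortly afterwards begins talking to a domain nobody in the organization has contacted before. The script below is an added example, not code from Intezer or the article; the log format, the field names, the five-minute window, the baseline set and every log line are constructed for illustration.

```python
"""Flag hosts that contact a never-before-seen domain shortly after fetching a
direct download from a dead-drop service (here Google Drive).

Added example, not the original article's code. Log format, baseline and all
log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "<ISO time> <client> <destination host> <path>"
PROXY_LOG = """\
2021-12-01T09:00:05 10.1.1.20 www.example.org /index.html
2021-12-01T09:02:11 10.1.1.20 drive.google.com /uc?export=download&id=PLACEHOLDER_ID
2021-12-01T09:02:40 10.1.1.20 cdn.example.org /static/app.js
2021-12-01T09:03:02 10.1.1.20 newly-seen-c2.example /api/attach
2021-12-01T09:10:00 10.1.1.21 drive.google.com /file/d/SOMEDOC/view
2021-12-01T09:11:30 10.1.1.21 www.example.org /news
2021-12-01T09:12:00 10.1.1.22 update.vendor.example /check
2021-12-01T09:40:00 10.1.1.20 newly-seen-c2.example /api/poll
"""

# Destinations seen during a known-clean baseline period (constructed).
BASELINE_DESTINATIONS = {"www.example.org", "cdn.example.org", "update.vendor.example"}

DEAD_DROP_HOSTS = {"drive.google.com"}
DEAD_DROP_PATH_HINTS = ("export=download",)  # a direct fetch, not a user browsing a document
WINDOW = timedelta(minutes=5)


def parse(log_text: str) -> list:
    """Turn the constructed log into (time, client, destination, path) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), client, dst, path))
    events.sort(key=lambda e: e[0])
    return events


def find_dead_drop_followups(log_text: str, window: timedelta = WINDOW,
                             baseline: set = BASELINE_DESTINATIONS) -> list:
    """Return one alert per (client, new destination) first contacted within
    `window` after that client fetched a direct download from a dead-drop host."""
    events = parse(log_text)
    seen = defaultdict(set)       # client -> destinations already contacted in this log
    fetches = defaultdict(list)   # client -> timestamps of dead-drop fetches
    alerts = []
    for ts, client, dst, path in events:
        is_dead_drop = dst in DEAD_DROP_HOSTS and any(h in path for h in DEAD_DROP_PATH_HINTS)
        if is_dead_drop:
            fetches[client].append(ts)
        elif dst not in baseline and dst not in seen[client]:
            # First contact with an unknown domain: was there a fetch just before it?
            recent = [t for t in fetches[client] if timedelta(0) <= ts - t <= window]
            if recent:
                alerts.append({
                    "client": client,
                    "fetched_at": recent[-1].isoformat(),
                    "new_destination": dst,
                    "first_contact": ts.isoformat(),
                })
        seen[client].add(dst)
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_followups(PROXY_LOG):
        print(f"{alert['client']} fetched a dead drop at {alert['fetched_at']} and first "
              f"contacted {alert['new_destination']} at {alert['first_contact']}")
```

The baseline set is what keeps this from firing on every CDN a user happens to touch after opening a shared document; in practice it should be built from weeks of clean traffic, and the "view" path for 10.1.1.21 shows why the direct-download hint matters. An alert here is a triage lead, not a verdict: the decoded C2 rotated three times during Intezer's analysis, so the destination list will not be stable and the behavioural sequence is the thing to watch.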
APT35 Executes Powershell-based Malware in LOG4J flaw attacks
FROM THE MEDIA: Researchers are warning of a number of attacks launched by Iran-linked threat actor APT35, which have exploited the well-known Log4j vulnerability in order to deploy modular, PowerShell-based malware. Like many other threat actors, APT35 began launching widespread scanning and exploitation attempts against the Log4j flaw (CVE-2021-44228) in publicly facing systems just four days after it was disclosed in December. As part of these attacks, the actors used a previously unobserved PowerShell-based framework, which researchers with Check Point Research called CharmPower, in order to establish persistence, gather data and execute commands. “In these attacks, the actors still used the same or similar infrastructure as in many of their previous attacks,” said researchers with Check Point Research in a Tuesday analysis. “However, judging by their ability to take advantage of the Log4j vulnerability and by the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks.”
READ THE STORY: Decipher
A QUICK LOOK: Charming Kitten (other aliases include APT35 (Mandiant), Phosphorus (Microsoft), Ajax Security (FireEye) and NewsBeef (Kaspersky)) is an Iranian government cyberwarfare group, described by several companies and government officials as an advanced persistent threat. On December 15, 2017 the group was designated by FireEye as a nation state-based advanced persistent threat, despite its lack of sophistication. Research conducted by FireEye in 2018 suggested that APT35 may be expanding their malware capabilities and intrusion campaigns. The group has since been known to use phishing to impersonate company websites, as well as fake accounts and fake DNS domains to phish users' passwords.
Millions of Routers Exposed to RCE by USB Kernel Bug
FROM THE MEDIA: The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, D-Link, Western Digital, et al. Millions of popular end-user routers are at risk of remote code execution (RCE) due to a high-severity flaw in the KCodes NetUSB kernel module. The module enables remote devices to connect to routers over IP and access any USB devices (such as printers, speakers, webcams, flash drives and other peripherals) that are plugged into them. This is made possible using the proprietary NetUSB protocol and a Linux kernel driver that launches a server, which makes the USB devices available via the network. For remote users, it’s as if the USB devices are physically plugged into their local systems. According to a Tuesday writeup from SentinelOne vulnerability researcher Max Van Amerongen, attackers could remotely exploit the vulnerability to execute code in the kernel via a pre-authentication buffer overflow, allowing device takeover.
READ THE STORY: Threatpost
A QUICK LOOK:
Hackers take over diplomat's email, target Russian deputy minister
FROM THE MEDIA: Hackers believed to work for the North Korean government have compromised the email account of a staff member of Russia’s Ministry of Foreign Affairs (MID) and deployed spear-phishing attacks against the country’s diplomats in other regions. One of the targets was Sergey Alexeyevich Ryabkov, the deputy foreign minister of the Russian Federation, responsible, among other things, for bilateral relations with North and South America. The phishing campaign has been running since at least October 19, 2021, deploying Konni malware, a remote administration tool (RAT) associated with the cyber activity of North Korean hackers known as APT37 (or ScarCruft, Group123, Operation Erebus, and Operation Daybreak).
READ THE STORY: Bleeping Computer
A QUICK LOOK:
VMware Horizon under attack as China-based ransomware group targets Log4j vulnerability
FROM THE MEDIA: A China-based ransomware operator has for the past week been actively exploiting the Log4j vulnerability in VMware Horizon, the desktop and app virtualization platform, Microsoft has warned. “Based on our analysis, the attackers are using command and control (CnC) servers that spoof legitimate domains,” said the software giant in a January 10 addition to its rolling ‘Log4Shell’ updates. When successful, the attacks – which began “as early as January 4” – result in the deployment of the NightSky ransomware. NightSky leverages the in-vogue ‘double extortion’ model and was identified by threat researchers from MalwareHunterTeam on January 1. Microsoft said the ransomware group directing the Horizon attacks, which it is tracking as ‘DEV-0401’, has previously deployed LockFile, AtomSilo, and Rook ransomware, as well as exploited CVE-2021-26084 in Atlassian Confluence and CVE-2021-34473 in on-premises Exchange servers.
READ THE STORY: Cyber Reports
A QUICK LOOK:
Who is the Network Access Broker ‘Wazawaka?’
FROM THE MEDIA: In a great many ransomware attacks, the criminals who pillage the victim’s network are not the same crooks who gained the initial access to the victim organization. More commonly, the infected PC or stolen VPN credentials the gang used to break in were purchased from a cybercriminal middleman known as an initial access broker. This post examines some of the clues left behind by “Wazawaka,” the hacker handle chosen by a major access broker in the Russian-speaking cybercrime scene. Wazawaka has been a highly active member of multiple cybercrime forums over the past decade, but his favorite is the Russian-language community Exploit. Wazawaka spent his early days on Exploit and other forums selling distributed denial-of-service (DDoS) attacks that could knock websites offline for about $80 a day. But in more recent years, Wazawaka has focused on peddling access to organizations and to databases stolen from hacked companies. “Come, rob, and get dough!” reads a thread started by Wazawaka on Exploit in March 2020, in which he sold access to a Chinese company with more than $10 billion in annual revenues.
READ THE STORY: Krebs on Security
A QUICK LOOK:
Intelligence agencies release joint advisory on protecting against Russian hacking (CISA AA22-011A)
FROM THE MEDIA: The overview, published by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the National Security Agency, aims to offer those operating critical infrastructure tips to “improve their functional resilience by reducing the risk of compromise or severe business degradation.” It comes after the United States saw a series of devastating cyber attacks in the last several years, many of which have been linked to Russian-sponsored sources. The agencies’ advice to cybersecurity companies is threefold: prepare in advance for a possible breach, enhance existing security procedures and increase organizational vigilance. Russian hackers tend to use “common but effective tactics,” the agencies added, meaning it is possible to predict when and where a breach might occur. Those techniques include spearphishing, brute-force entry and exploiting known vulnerabilities. Since Russian-backed actors also tend to perform longer-term cyber operations, CISA, the NSA and the FBI are advising companies to implement “robust” logging and retention policies in order to pinpoint a potential threat actor.
READ THE STORY: Spectrum News
A QUICK LOOK:
How the Log4j Vulnerability is Forcing Change in Federal Cybersecurity Policy
FROM THE MEDIA: If there is a silver lining to all the hours cybersecurity personnel spent over the holiday break—and will continue to spend months into the future—working to secure their systems from log4j vulnerabilities, it could be in how the government approaches the remediation of such bugs going forward. “I just want to footstomp the unprecedented nature of how we’ve been handling this because there are so many products and being able to track all of this in one place, really with the help of crowdsourcing from vendors, from the research community, has helped to create some order in the chaos,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said. “We’re learning a lot of lessons about how to deal with something that is as widespread as this particular vulnerability.” Easterly and CISA Executive Assistant Director Eric Goldstein briefed reporters Monday on efforts to protect federal agencies and private-sector critical infrastructure from the exploitation of vulnerabilities in log4j, a library of open-source code used to log data such as computer performance and security issues.
READ THE STORY: Cyber Reports
A QUICK LOOK:
IP spoofing bug leaves Django REST applications open to DDoS, password-cracking attacks
FROM THE MEDIA: Politically motivated cyber-attacks, of course, have implications. Most developed countries are highly dependent on their information infrastructure; an attack of this nature could have devastating consequences and is taken incredibly seriously by governments. This was seen recently in France with President Emmanuel Macron pushing for an Israeli inquiry into NSO spyware, which was allegedly used to target him and 50,000 other dignitaries. According to newspaper reports, Macron expressed concern that his phone and those of most of his cabinet could have been infected with Pegasus, hacking software developed by the Israeli surveillance firm NSO Group, which enables operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones from infected devices. Macron’s party was also subjected to a cyber-attack in 2017 when more than 20,000 emails belonging to his election campaign were published online.
READ THE STORY: The Daily Swig
A QUICK LOOK:
Preparing for the Inevitable Cyber Surprise
FROM THE MEDIA: The United States and its allies have constantly been surprised by major cyber operations from their adversaries. This shouldn’t happen with such frequency: alert cyber defenders know that such attacks are possible, and after each one there have been experts who said something like, “Well, this shouldn’t be a surprise. I’ve been saying for years it was bound to happen.” Yet defenders have been routinely staggered, whether by the 2007 cyber attacks directed at Estonia by Russia, the first incident of major national-security significance that caught the United States and NATO totally off guard; brazen Russian disruptive attacks against the Olympics or intrusions to interfere with the 2016 U.S. presidential election; or the reckless disruptions caused by NotPetya or against the Colonial Pipeline, each of which cascaded globally into critical-infrastructure catastrophes. If Russia does attack Ukraine in the coming weeks, the opening salvo is likely to be with offensive cyber capabilities. If so, this can be at the same time both expected and surprising. Even defenders with warning, or who can extrapolate from past trends, can be caught out by the specifics: the who, when, where, how, and how bad. Surprise — both tactical and strategic — is threaded throughout every aspect of cyber conflict, even more so than for conflict in the air, on land, at sea, or in space. “The striking thing,” as Dick Betts wrote in his classic 1982 work on surprise attack, “is that in retrospect one can never quite understand” how such attacks ended up being quite so surprising. The attack at Pearl Harbor was hardly less of a surprise for being expected, and was presaged by Port Arthur in 1904 and Taranto in 1940. The Estonian defenders in 2007 knew weeks in advance that Russian nationalists were plotting, and yet the attack still had the power to shock.
READ THE STORY: War on the Rocks
A QUICK LOOK: The below is a brief look at the impact of 2021 attacks.
Items of interest
Cyber Mutually Assured Destruction & Counterproliferation for the 21st Century: “How I stopped worrying and learned to love the software exploit.” (Paper)
FROM THE MEDIA: The growth of cyberspace has challenged existing frameworks for strategic competition. As a result, government, private, and academic planners seek to develop a novel framework for integrating cyberspace into diplomatic, military, and intelligence planning. This has been a difficult proposition and continues to be an area of vulnerability for the United States. To date, the United States has threatened nuclear retaliation for large scale cyber-attacks, but a comprehensive strategy has not been made publicly clear. However, this integration challenge has been encountered and solved previously. Nuclear weapons changed warfare in the twentieth century, but the United States used Mutual Assured Destruction (MAD) and Counterproliferation to adapt to the new warfront. This paper seeks to dissect the nuclear strategy, apply the extracted fundamental principles in creating a loose integration framework, and propose policy measures to implement that framework.
READ THE STORY: Liberty University
Meeting a Russian Hacker Who Was Hacking VICE | CYBERWAR (Video)
FROM THE MEDIA: Russian state-backed hackers are having greater success at breaching targets in the United States and elsewhere as they make government organizations the primary focus of their attacks. Government organizations accounted for more than half of the targets for Moscow-linked hacking groups for the year through June 2021, compared to just 3% the previous year, according to Microsoft. At the same time, the success rate of Russian intrusions into government and non-government targets has gone from 21% to 32% year over year, the technology giant said in a report focusing on state-backed and cybercriminal activity.
“I want my hackers to A) Have an Eastern European/Russian accent B) Have weaponized autism C) A severe Vitamin D deficiency D) Have questionable nutritional habits (prefer to subsist purely on Hot Pockets and Mountain Dew) E) Be extremely socially awkward F) Exhibit signs of little to no physical activity G) Optional - Have super uncool eyeglass frames that are the cheapest at the optometrist office.”
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com