Cracked Games Origins

Every not-freeware program has its own license checking mechanism. Such a check may be performed exclusively on the user’s PC and using a PC and a server where all data about licenses is stored. But the code responsible for this operation is stored inside the program’s root directory. Hence, a hacker is able to find this code and modify it in a specific way: he creates a specific “jump” on the license checking stage, so the operation will be simply skipped, and the program will think it is activated¹.

Why are cracked programs dangerous?

• Exposed to a range of cyberattacks.
• Adware infections.
• Third-party crypto mining viruses.
• Phishing attacks.

After the described modification hacker can distribute his program for the wide pirate public. However, he will not have any profit in such a scenario. To solve this problem, hackers add several programs to the initial package. Which programs? Ones whose developers agreed to pay the pirate for this operation. And here goes the most interesting.

Many small developers distribute their programs as a part of the games bundle. It can be whatever – antiviruses (Segurazo, Santivirus, McAfee, Avast, et cetera), “fast and comfortable browsers”, different utilities with or without practical use, etc. Such apps are more annoying than harmful, but their usage may be dangerous because of wrong actions in tight places, like the registry or Group Policies.

But, besides free trash bag-like apps, computer pirates can add different malicious apps. And their type and severity depend only on the size of the reward promised to the hacker by malware developers. It may be something non-critical, like adware or browser hijacker. However, in most cases of malware injection through the cracked games, users get a full-house: trojan-stealer, trojan-backdoor, trojan-downloader, worm, virus, and, finally, ransomware. Because of modern trends through malware, you will get every malware mentioned earlier inside the single app. Bad perspective, isn’t it?

Breaking The Law With Cracked Games

Using cracked games is an outlaw action in all civilized countries. And if you use it on your home computer and do not create any commercial product with the pirated programs, you may keep calm – it is tough to detect that you use exactly unlicensed games. However, the executive authorities can check big companies and any other commercial organization. And in case cracked games usage is confirmed, the corporation will receive a large fine. The size of this fine is usually much bigger than the license cost for all games that has been used in its cracked version. So, think well before using cracked Spiderman Remastered or Call Of Duty.

Download games without any risks

There are various ways to download games without exposing yourself to any risk. Here are some tips on how to practice safe gaming:

• Download games from official stores only.
• Avoid buying games from bizarre locations like forums or random pages.
• Learn how to protect your accounts on Twitch, Discord, Origin, Battle.net, and Steam. Many of them offer two-factor authentication, allowing you to protect your device from unauthorized access even further.
• Check the security features on the platforms you use.
• Always try to download the platform’s official app.
• Use an antivirus for PC when going online and downloading anything.
• Use a reputable antivirus program on all your devices and never disable it.

If you’ve used cracked games in the past, it’s imperative to check your computer for viruses. One effective way to do this is by using a reliable security tool like Gridinsoft Anti-Malware. This software specializes in identifying and removing malware that might have sneaked in through unsecured downloads. By conducting a thorough scan, you can ensure that your system is clean and secure. Remember, proactive measures are key to maintaining the health of your computer and the safety of your personal information. Always prioritize security in your digital activities to avoid potential hazards.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

As you can see, cracked game usage carries many disadvantages that can cost you much more than the license for this program. Yes, in some cases, cracked game usage can be forced – for example, if you want to test the program before purchasing, being not sure if it can satisfy your needs. But even in such a situation – pirating with good intentions – you can become a victim of malware attacks.

The post Cracked Games appeared first on Gridinsoft Blog.

BianLian Exploits TeamCity vulnerabilities

Recent research uncovered a new trend in BianLian’s modus operandi. They revealed that threat actors behind the ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their attacks. Leveraging known vulnerabilities such as CVE-2024-27198 or CVE-2023-42793, attackers gained initial access to the environment, paving the way for further infiltration. By creating new users and executing malicious commands within the TeamCity infrastructure, threat actors orchestrated post-exploitation maneuvers and lateral movement, expanding their foothold in the victim’s network.

Backdoor Deployment via PowerShell

The original report from GuidePoint Security says that despite initial success, BianLian fell back to a PowerShell version of their backdoor. This happened due to the surprising detection from Microsoft Defender. At the same time, hackers managed to deploy the network reconnaissance tools and use them before going for a PS backdoor.

The PowerShell backdoor version, obfuscated to hinder analysis, exhibited a multi-layered encryption scheme. Still, it was possible to understand what was going on and analyze the adversaries’ actions. Malware established a tunnel connection to the command server, waving ready for further actions. And while using PS in cyberattacks is not something unusual, entire backdoors based on PS, that also incorporates high levels of obfuscation, is a new tactic.

Functionality and Capabilities of Backdoor

The PowerShell backdoor described above mainly aims at facilitating covert access and control over compromised systems. Research summary reveals several features of this malware to be aware of.

The backdoor incorporates functionality to resolve IP addresses based on provided parameters, establishing TCP sockets for communication with remote command-and-control (C2) servers. Also, this enables bidirectional data exchange between the compromised system and the attacker-controlled infrastructure. Here is the code recovered by analysts:

#Function to Resolve IP address
function cakest{
param($Cakes_Param_1)
IF ($Cakes_Param_1 -as [ipaddress]){
return $Cakes_Param_1
}else{
$Cakes_Resolved_IP = [System.Net.Dns]::GetHostAddresses($Cakes_Param_1)[0].IPAddressToString;
}
return $Cakes_Resolved_ IP
}

Leveraging asynchronous execution techniques, the backdoor optimizes performance and evades detection by utilizing Runspace Pools. This allows multiple PowerShell instances to run concurrently, enhancing operational efficiency during post-exploitation activities.

Also, to ensure secure communication, the backdoor establishes SSL streams between the compromised system and C2 servers, encrypting data exchanged over the network. By employing encryption, threat actors mitigate the risk of interception and detection by network monitoring tools. Overall, the C2 communication bears on this code:

function cookies{
param (
#Default IP in parameter = 127.0.0.1
[String]$Cookies_Param1 - "0x7F000001",
[Int]$Cookies_Param2 - 1080,
[Switch]$Cookies_Param3 - $false,
[String]$Cookies_Param4 - "",
[Int]$Cookies_Params - 200,
[Int]$Cookies_Param6 - 0
)

Mimicking tactics observed in advanced malware, the backdoor validates SSL certificates presented by C2 servers, verifying the authenticity of remote endpoints. This authentication mechanism enhances the resilience of the communication channel against potential interception or infiltration attempts.

How to stay safe?

The BianLian threat group continues to evolve, and in light of their recent attacks, it is important to take appropriate security measures. Fortunately, they are more or less the same even for protecting against high-profile cybercrime groups.

• First and foremost, it is recommended to regularly update and patch externally facing applications. This helps mitigate known vulnerabilities that threat actors may exploit to infiltrate your systems.
• Ensure your team is well-versed in incident response procedures. Every member of your team should have a thorough understanding of how to respond effectively to security incidents. Regular drills should be conducted to refine response strategies and minimize the impact of potential security breaches.
• Conduct penetration tests informed by threat intelligence to proactively identify and address weaknesses in your defenses. Penetration tests involve simulated attacks on your systems to uncover vulnerabilities that could be exploited by malicious actors. By using threat intelligence to inform these tests, you can focus on the most impactful threats facing your organization.

• Additionally use advanced security solutions. EDR and XDR are a must, when we talk about corporate-grade cybersecurity. They can cover large networks of computers, orchestrating the response and detecting even sophisticated attacks like the one I’ve described above.

The post BianLian Exploits TeamCity Vulnerability to Deploy Backdoors appeared first on Gridinsoft Blog.

What is a Bootkit?

A bootkit is a sophisticated type of malware that starts and operates even before the operating system starts – during the boot process. Unlike many other malware types that target software vulnerabilities or user actions, bootkits embed themselves in the system’s boot process, making them exceptionally challenging to detect and remove.

One of the defining characteristics of a bootkit is its ability to load before the operating system (OS) itself. This gives the attacker a significant advantage, as they can intercept and manipulate the boot process, allowing them to gain control over the system even before the user logs in. Being integrated that close to the bare metal also opens the possibility of exploiting kernel-level vulnerabilities and hardware flaws.

Bootkits vs. Rootkits

While often confused, bootkits and rootkits operate at different levels of a system. Rootkits infect the OS after it loads, granting the max privileges possible to its master. At the same time bootkits are embedded in the system bootloader or even motherboard firmware. This, eventually, changes both the capabilities and the purpose of the bootkit. The two things in common between these two are both being advanced and high-severity threats.

Functionalities of Bootkits

Bootkits are versatile in their malicious functionalities. To understand and combat these malicious entities effectively, we must dissect the intricacies of their functionalities.

• Persistence. One of the primary functionalities of bootkits is their persistence. One of the primary functionalities of bootkits is their persistence. They can implant themselves in the GUID Partition Table (GPT), a more modern system architecture. This positioning allows bootkits to remain active and undetected through system reboots and even full operating system reinstalls, contributing to their prolonged presence and challenging removal from the infected system.
• Data Theft. Some bootkits are engineered to steal sensitive data from the compromised system. During the boot process, they may intercept and exfiltrate data such as login credentials, financial information, personal files, and any other valuable data they can access.
• Backdoor Access. Bootkits can create backdoors within the system, which provide unauthorized remote access to the compromised computer. Adversaries will be able to execute commands, upload additional malware, or manipulate the system as they see fit. It essentially grants them a persistent presence on the compromised device.
• Bypassing security measures. One of the key traits of bootkits is their ability to circumvent security measures. They load themselves into the system’s memory before any security software or antivirus programs have a chance to activate. As a result, they can operate undetected and unimpeded by security tools, allowing them to carry out their malicious activities without being stopped.

Can I detect and remove the bootkit?

Detecting a bootkit before it is injected into the firmware or the first partitions of the hard disk is the most effective way to prevent it from causing damage. However, detecting a bootkit infection is not an easy task, and even if it is detected, removing it can be even more challenging.

If the bootkit has been injected into the EFI partition, only a complete operating system reinstallation can remove the malicious bootkit code from the disk. However, this may not be enough if the malware managed to infect the firmware, which will result in a new system being compromised, too. In such cases, it is advisable to determine which bootkit has infected the system and use special LiveCD antivirus utilities to clean the system of any malicious code.

How to Prevent Bootkits

Preventing bootkit malware requires taking several measures to reduce the risk of infection. Here are some steps that can be taken:

1. Secure Boot and UEFI
   Secure Boot is a feature that is available in UEFI-enabled computers. Its purpose is to ensure that only trusted software is loaded during the boot process. UEFI itself is a more secure and modern technology that allows for a more firm control over the situation. This helps to prevent bootkit malware from infecting the computer. Still, recent developments have shown that the BlackLotus UEFI bootkit can bypass Secure Boot.
2. Update Your System
   Keeping your operating system and security software up-to-date can prevent bootkit malware from infecting your computer. Pay attention to firmware updates as well: although rare, UEFI/BIOS vulnerabilities exist, too, and may be exploited in different scenarios.
3. Use antivirus software
   While antivirus software can’t detect all bootkit malware, it can prevent such an infection in its early stage. Advanced control systems may also be useful for detecting the threats that integrate on such a low level.
4. Be cautious when downloading software
   It is crucial to download software from trusted sources only, especially when we talk about hardware control utilities and drivers. Those two integrate deep enough into the system to allow their exploitation for bootkit injection.
5. Use a hardware-based solution
   Hardware-based solutions, such as a Trusted Platform Module (TPM), can help prevent bootkit malware by ensuring that only trusted software is loaded during the boot process.

The post What is a Bootkit? Explanation & Protection Guide appeared first on Gridinsoft Blog.

Such suspicions arose after experts discovered hackers targeting misconfigured servers.

Aqua Security launched an investigation after discovering an attack on one of its lures. Subsequently, 4 images of malicious containers were discovered. However, given that some features of the code have remained unused, it appears that the campaign has not yet fully launched at this time.

TeamTNT is a cybercriminal group known for destructive attacks on cloud systems, especially Docker and Kubernetes environments. The group specializes in cryptomining.

We wrote that, for example, only within one month, two years ago, the group’s botnet infected more than 50,000 systems. However, in those good old days, mining botnets even attacked PostgreSQL databases. And also, if you remember, there was such a pretentious malware as KingMiner, which attacked MSSQL.

Although TeamTNT ceased operations at the end of 2021, Aqua Security linked the new campaign to TeamTNT based on the use of Tsunami malware, the dAPIpwn function, and a C2 server that responds in German.

Detected group activity begins when an attacker identifies a misconfigured Docker API or JupyterLab server and deploys a container or interacts with the Command Line Interface (CLI) to scan for additional victims.

Such a process is designed to spread malware to more servers. The secondary payload includes a cryptominer and a backdoor, with the backdoor using the Tsunami malware as an attack tool.

Aqua Security also published a list of recommendations to help organizations mitigate the threat.

The post TeamTNT Group Returns with Silent Bob Campaign appeared first on Gridinsoft Blog.

Symantec experts report that the Shuckworm hack group (aka Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, Winterflounder, and so on) is attacking Ukrainian companies using the Pterodo backdoor distributed via USB drives.

The main targets of hackers are important organizations in the military and IT sectors.

According to experts, in some cases, the group managed to organize long-term attacks that lasted up to three months, which in the end could give attackers access to “significant amounts of confidential information.”

Let me remind you that we also reported that TrickBot Hack Group Systematically Attacks Ukraine, and also that Microsoft Accuses Russia of Cyberattacks against Ukraine’s Allies.

The media also wrote that Sandworm Targets Ukraine With Industroyer2 Malware.

Shuckworm activity in 2023 spiked between February and March 2023, and hackers continued to have a presence on some compromised machines until May 2023.

To launch attacks, Shuckworm typically uses phishing emails containing malicious attachments disguised as .docx, .rar, .sfx, lnk, and hta files. Topics such as armed conflict, criminal prosecution, crime control, and child protection are often used as bait in emails to trick targets into opening the message itself and malicious attachments.

The new Shuckworm campaign debuted a new malware, which is a PowerShell script that distributes the Pterodo backdoor. The script is activated when infected USB drives are connected to the target computers. It first copies itself to the target machine to create an rtf.lnk shortcut file (video_porn.rtf.lnk, do_not_delete.rtf.lnk and evidence.rtf.lnk). Such names are an attempt to induce targets to open files so that Pterodo can infiltrate their machines.

The script then examines all drives connected to the target computer and copies itself to all attached removable drives for further lateral movement and in the hope of infiltrating isolated devices that are intentionally not connected to the internet to prevent them from being hacked.

To cover its tracks, Shuckworm has created dozens of malware variants (more than 25 PowerShell script variants between January and April 2023), and is rapidly changing IP addresses and infrastructure used for control and management.

The group also uses legitimate services to manage, including Telegram and the Telegraph platform, to avoid detection.

The post Shuckworm Gang Attacks Ukrainian Companies Using Pterodo Backdoor and USB Drives appeared first on Gridinsoft Blog.

Recently, Twitter fulfilled a promise made by Elon Musk and published on GitHub the source code of its recommender algorithm, where a vulnerability was discovered that could send a user to a shadowban.

Numerous researchers immediately took up the study of the source code, and now one of the problems they discovered was assigned the CVE identifier. The vulnerability allows to achieve a “shadowban” of the victim, that is, someone else’s account will be hidden from others “without the right of recourse.”

Let me remind you that we also wrote that Elon Musk confirmed that the Russian offered a Tesla employee a million dollars for hacking the company, and also that CERT launched Twitter bot that comes up with names for vulnerabilities.

Also the media wrote that Hacker George “GeoHot” Hotz Will Be a Twitter Intern and Promises to Fix a Search.

The issue was discovered by Federico Andres Lois while investigating the recommendation engine that powers the For You section of Twitter. According to the study, the coordinated efforts of other users can lead to a “shadow ban” of any account that is unlikely to be overcome.

In order for the victim to receive large-scale reputation penalties, it is enough to unsubscribe from him, enable mute for this account, block it or report violations.

According to Lois, Twitter’s current recommendation algorithm “allows for coordinated, non-recourse damage to [any] account’s reputation.” This issue has already been assigned CVE-2023-23218.

It turns out that any accounts that have undergone mass blocking and unsubscribing will receive a “shadowban” and will not be displayed in the recommendations of other people, while the owner of the affected account will not even know about the restrictions imposed on him. At the same time, the researcher notes that it seems that it is simply impossible to fix such a ban.

Lois writes that apps like Block Party, which allow Twitter users to filter accounts in bulk, are essentially tools that (intentionally or not) have a similar effect on users.

Many Twitter users have already started talking about the fact that the error can be used by numerous armies of bots on the platform. When a Twitter user suggested that Musk solve the problem by only allowing mute, blocking, and reporting for “blue tick” Twitter users, Musk replied that he wanted to know “who is behind these botnets”.

However, that would require Twitter to have a team of moderators, and they appear to have been fired en masse, along with other staff, when Musk took over the company last November.

Another obvious solution to the problem would be to use the entropy of time for negative signals, but according to Lois, the design of Twitter’s recommender algorithm makes it easy to overcome this. For example, by repeatedly following/unsubscribing from specific accounts every 90 days.

The post Vulnerability Found in Twitter Code That Provokes a “Shadowban” of the Victim appeared first on Gridinsoft Blog.

Users have found that Pixel smartphones powered by Google Tensor processors are rebooting when user is trying to watch a clip from the movie “Alien” on YouTube in 4K HDR.

Let me remind you that we also wrote that Janet Jackson Song Killed Hard Drives on Old Laptops, as well as Cellmate men’s chastity belts are vulnerable to attacks and dangerous for users.

Also the media wrote that Bypassing the Lock Screen on Pixel Smartphones Netted a Researcher $70,000.

A strange issue was reported by users on the Google Pixel subreddit. So, a person with the nickname OGPixel5 writes that when you try to watch this video on YouTube, Google Pixel 6, 6a and Pixel 7 smartphones instantly reboot. Something in this video has an extremely negative effect on the devices, as they go into reboot without having time to show their owner a single frame.

At the same time, other users note that after a reboot, for some reason, cellular communication does not work, and in order to activate it again, you will need to restart the device again, but manually.

The main theory of users is that something in the video format (it’s 4K HDR) is causing smartphones to crash. Similar errors have happened before, for example, in 2020 there was a lot of discussion about “cursed wallpapers” that crashed when set as a background (the problem was a color space error).

All phones affected by this bug use Tensor SoC from Google Exynos, so the problem does not appear on other devices. It is likely that Samsung Exynos-based devices can also experience crashes, but so far no one has reported such problems.

For the first time, information about the reboot-inducing YouTube video appeared on the network last weekend, and today ArsTechnica journalists reported that the developers seem to have already fixed this bug. The publication reported that yesterday, the Pixel 7 Pro available to the editors instantly turned off when trying to open a video, and today it plays it normally. Several users on the Pixel subreddit have also reported that the video is working fine now.

Although users and journalists did not find updates to the application and other signs of the release of any “patch”, the publication notes that Google may well remotely influence the operation of smartphones without actually installing updates.

The post YouTube Video Causes Pixel Smartphones to Reboot appeared first on Gridinsoft Blog.

Experts from Yuga Labs discovered vulnerabilities in mobile applications for Hyundai and Genesis vehicles.

In addition, the SiriusXM smart car platform, used in cars from other manufacturers (Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota), allowed to remotely unlock the car, start the engine and perform other actions.

Let me remind you that we also wrote that Ferrari Has So Far Denied If It Attacked by Ransomware, and also that Teen gets remote access to 25 Tesla cars.

Also the media reported that Bug in Honda cars allows remotely unlock and start a car.

Yuga Labs specialist Sam Curry has posted two long threads on Twitter (Hyundai, SiriusXM) about problems he and his colleagues have recently discovered in the software of many different vehicles.

The analysis began with applications for Hyundai and Genesis vehicles (MyHyundai and MyGenesis), which allow authenticated users to remotely start and stop the engine, and lock and unlock their vehicles.

By intercepting and studying the traffic generated by these applications, the researchers were able to extract API calls from it. They discovered that the validation of the car owner is based only on his email address, which is simply included in the body of the JSON POST requests. Then it turned out that MyHyundai, moreover, does not require confirmation of the email address during registration.

Based on the collected data, the experts created a new account using the target’s email address with an additional control character at the end. After that, they sent an HTTP request to the Hyundai endpoint. The request contained the experts’ email in the JSON token and the victim’s address in the JSON body, which allowed the validation to be bypassed.

To test their attack, the researchers tried to unlock the Hyundai car they had in their possession. The attack worked and the car was successfully unlocked. After that, a Python script was created to automate all stages of the attack, for which you only need to specify the victim’s email address. You can see the script in action in the video below.

The Yuga Labs analysts then switched to studying the products of SiriusXM, which, among other things, is a provider of telematics services for more than 15 major automakers. The company claims to operate services for approximately 12 million connected cars.Как выяснили эксперты, мобильные приложения Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru и Toyota используют SiriusXM для реализации функций удаленного управления автомобилем.

Examining network traffic from the Nissan app showed that it was possible to send fake HTTP requests to an endpoint knowing only the VIN number of a particular car. The response to such a request contains the victim’s name, phone number, address, and vehicle details. In addition to disclosing data, such requests could also contain commands to perform actions with the car. So, for cars manufactured after 2015, it was possible: remote start and stop, blocking, unlocking, headlight and horn control.

At the same time, experts emphasize that the VIN of almost any car can be found right in the parking lot (usually located at the bottom of the windshield) or on a specialized car sales website.

Hyundai representatives have already told the media that the vulnerabilities discovered by Yuga Labs were not used to attack car owners, and “customer accounts were not accessible to third parties.”

SiriusXM developers also stated that the bugs found by specialists did not affect any client and were eliminated 24 hours after receiving the report. In addition, the company reported that the vulnerabilities were closed as part of a bug bounty program that SiriusXM has had for a long time.

The post Application Bugs Allowed to Open and Start Cars Hyundai, Genesis and Others appeared first on Gridinsoft Blog.

Experts say vulnerabilities in this network technology, which is widely used in the space and aviation industries, could have catastrophic consequences for critical systems, including the disruption of NASA missions.

Let me remind you that we also wrote that NASA has faced 6000 cyberattacks in the past four years, and also that Malware Hides in Images from the James Webb Telescope.

TTEthernet turns ordinary Ethernet into a deterministic network with certain transfer times between nodes and significantly expands the use of the classic Ethernet standard. In such a mixed-criticality network, traffic with different timing and fault tolerance requirements can coexist.

In fact, TTEthernet allows time-critical traffic (from devices that send highly synchronized, scheduled messages according to a predetermined schedule) to use the same switches that handle non-critical traffic, such as passenger Wi-Fi on airplanes.

In addition, TTEthernet is compatible with the standard Ethernet used in conventional systems. TTEthernet isolates time-triggered traffic from so-called best-effort traffic, i.e., non-critical systems, by forwarding their messages around more important time-triggered traffic.

This allows to combine different devices in one network, mission-critical systems can work on cheaper network equipment, and the two types of traffic do not overlap.

The creators of PCspooF say that TTEthernet is essentially the “backbone of the network” in spacecraft, including NASA’s Orion spacecraft, the Lunar Gateway space station, and the Ariane 6 launch vehicle. contender” to replace the Controller Area Network bus and the FlexRay protocol.

According to the researchers, the PCspooF attack is the first attack in history that broke the isolation of different types of traffic from each other. The essence of the problem lies in the fact that PCspooF violates the synchronization system, called the Protocol control frame (PCF), whose messages cause devices to work on schedule and ensure their fast communication.

So, the researchers found that non-critical best-effort devices can display private information about the time-triggered part of the network. In addition, these devices can be used to create malicious sync messages. A malicious, non-critical device can violate the isolation guarantee on the TTEthernet network.

The compromised best-effort device can then create EMI in the switch, forcing it to send fake synchronization messages to other TTEthernet devices.

Once such an attack is launched, TTEthernet devices occasionally lose synchronization and reconnect. As a result, they lose synchronization (desynchronization can be up to a second), leading to the inability to send dozens of time-triggered messages and cause critical systems to fail. In the worst case, PCspooF provokes such failures simultaneously for all TTEthernet devices on the network, the researchers explain.

To test PCspooF, experts used NASA hardware and software components to simulate an asteroid redirection mission when Orion had to dock with an automated manned spacecraft. As a result, the PCspooF attack forced Orion to deviate from the course and completely fail the docking.

After successfully testing the attack, researchers reported the issue to organizations using TTEthernet, including NASA, the European Space Agency (ESA), Northrop Grumman Space Systems, and Airbus Defense and Space. Now, based on the data from the researchers, NASA is revising the protocols for onboard experiments and testing its off-the-shelf commercial equipment.

As protection against PCspooF and the consequences of such attacks, experts recommend using optical connectors or voltage stabilizers (to block electromagnetic interference); checking source MAC addresses to make sure they are authentic; hiding key PCF fields, using a link layer authentication protocol such as IEEE 802.1AE; increase the number of sync masters and disable dangerous state transitions.

Space technologies do not guarantee absolute protection: there are examples of authentic attacks. For example, the media wrote that DopplePaymer ransomware operators were hacked by NASA contractor.

The post PCspoF Attack Could Disable Orion Spacecraft appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware.

The backdoor spreads through spear phishing, as part of malicious Word documents that are usually disguised as job offers. When such a document is opened, a macro is triggered within it that delivers the updater.vbs PowerShell script to the victim’s computer, which creates a scheduled task claiming to be part of a Windows update.

Bait from hacker’s letter

The VBS script executes two other PowerShell scripts (Script.ps1 and Temp.ps1), which are stored obfuscated inside the malicious document itself. When SafeBreach analysts first discovered these scripts, none of the products featured on VirusTotal identified them as malicious.

Script.ps1 connects to the C&C servers of the attackers, sends the victim ID to its operators, and then waits for further commands, which it receives in encrypted form (AES-256 CBC). Based on the count of such identifiers, the analysts could conclude that about 69 victims were registered on the attackers’ control servers, which probably corresponds to the approximate number of hacked computers.

The Temp.ps1 script, in turn, decodes the commands received from the server as a response, executes them, and then encrypts and uploads the result via a POST request to the control server.

The experts created a script that deciphered the commands of the malware operators, and found that two-thirds of them were intended to steal data, and the rest were used to compile lists of users, files, delete files and accounts, and also compile lists of RDP clients.

Researchers believe that this PowerShell backdoor seems to be created by some previously unknown attackers, and so far there is too little data to talk about the attribution of these attacks.

The post New PowerShell Backdoor Masquerades as a Windows Update appeared first on Gridinsoft Blog.