Cyberattack Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Common Types of Cyber Attacks
https://gridinsoft.com/blogs/cyber-attacks/ – Wed, 03 Jul 2024

Cyber attack technologies have grown increasingly sophisticated, targeting any website where vulnerabilities are present. As a frequent internet user entering personal data, it’s crucial to understand the threats these intrusions pose. Personal data is highly valued by cybercriminals who misuse it for their purposes or even sell it on the dark web.

Cybercrime operates like a vast underground organization capable of collecting, manipulating, and threatening to use stolen data against individuals. This article explores the most prevalent cyber threats today, debunking common cybersecurity myths and providing a detailed list of these threats.

1. Distributed Denial-of-Service (DDoS) Attacks

A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks are effective because they use multiple compromised computer systems as sources of attack traffic. These can be exploited computers or other networked resources such as IoT devices. Here are several types of DDoS attacks:

  • TCP SYN Flood: The attacker floods the target with TCP “SYN” packets. In a normal handshake the server responds with a “SYN-ACK” and the client completes the connection with an “ACK”; in a flood the half-open connections pile up, exhausting the target’s resources and rendering it unresponsive to legitimate traffic.
  • Teardrop Attack: This attack exploits a vulnerability in the way that operating systems handle packet reassembly from fragments. Maliciously crafted packets are sent in fragments; when the target system tries to reassemble them, it can crash.
  • Smurf Attack: The attacker sends a large number of ICMP echo request (ping) packets to network broadcast addresses, all having a spoofed source address of a victim. Consequently, many hosts send echo replies to the victim, overwhelming its network.
  • Ping of Death: The attacker sends malicious pings to a computer, typically oversized packets which the target can’t handle, potentially leading to system overload and denial-of-service.
  • Botnets: A botnet is a network of computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam or participate in a DDoS attack. Botnets can target and disable systems, making detection and response difficult.

Understanding these types of attacks and how they function is critical for protecting personal and organizational assets in the digital age. Awareness and proactive cybersecurity measures are essential in mitigating the impact of these threats.

2. Man-in-the-Middle (MitM) Attack

Man-in-the-middle (MitM) attacks intercept and possibly alter the communication between two parties who believe they are communicating directly with each other. One common way to check whether you are at risk of a MitM attack is to look at the URL of the website you are visiting. It should start with HTTPS, where the ‘S’ stands for secure, indicating that the connection is encrypted. These attacks primarily aim to capture sensitive data in transit. To protect against this, ensure your website has an SSL/TLS certificate, which many hosting providers offer to encrypt data transfers.

3. Phishing and Spear-phishing Attacks

Phishing attacks leverage social engineering to deceive users into divulging personal information, such as bank account details and login credentials. These attacks often occur via email, where attackers send messages that appear legitimate and relevant to the recipient. To protect yourself, always scrutinize the sender’s email address and the content of the message. If something seems off, it’s safer to mark the email as spam and not interact with it.

4. Drive-by Attack

A drive-by attack involves embedding malicious scripts into the code of websites, often by injecting them into a site’s HTML or PHP code. When a user visits such a site, malware is silently downloaded and installed on their device without any interaction. These attacks typically exploit vulnerabilities in outdated or insecure operating systems and browsers. To safeguard against drive-by attacks, it is crucial to keep your software up to date and to follow robust security practices.

5. Password Cyber Attacks

Passwords are the most common form of authentication in information systems, making them a frequent target of cyber attacks. There are several methods by which attackers can acquire passwords, ranging from simple guessing to sophisticated database breaches. We’ll discuss two primary methods below.

  • Brute Force Attacks: This method involves systematically guessing every possible combination of passwords until the correct one is found. Attackers often use knowledge about the target, such as personal interests or significant dates, to make educated guesses. To defend against brute force attacks, it’s crucial to use complex passwords that combine letters, numbers, and symbols, making them difficult to predict.
  • Dictionary Attacks: Unlike brute force attacks, dictionary attacks use a list of common passwords and variations. Attackers apply these common passwords to different accounts hoping that one will match. To protect against dictionary attacks, avoid using simple or commonly used passwords. Implementing an account lockout policy that limits the number of failed login attempts can also deter attackers by blocking them after several unsuccessful attempts.

To further enhance security, consider using multifactor authentication (MFA), which requires more than one method of verification to gain account access, significantly reducing the risk of password-based attacks.

6. Adware Cyber Attacks

Adware, often considered merely annoying, can actually be part of a more malicious attack strategy. While adware primarily displays unwanted ads, it can also serve as a gateway for spyware and other malicious software that compromise security and privacy. Adware attacks typically exploit browser vulnerabilities to inject unwanted ads, which can redirect users to harmful sites or trick them into downloading malware.

7. Ransomware Cyber Attacks

Ransomware is a devastating type of cyber attack where malicious software encrypts the victim’s files or locks them out of their device, demanding a ransom to restore access. This attack follows a straightforward yet effective scheme: it encrypts critical data or systems, blocks user access, and demands payment, often with a timer to increase pressure. Protecting against ransomware involves robust backups, updated security patches, and awareness of phishing tactics which often serve as the entry point for these attacks.

8. Trojan Cyber Attacks

Trojans masquerade as legitimate software but perform malicious activities once installed. Unlike viruses, Trojans do not replicate, but they pave the way for further infiltration by other malware or expose vulnerabilities. Trojan attacks can lead to data theft and unauthorized access to affected systems, and can act as a backdoor for additional malicious operations. Ensuring software authenticity and avoiding downloads from untrusted sources are key to preventing Trojan attacks.

9. Spyware Cyber Attacks

Spyware is designed to stealthily monitor and collect information from users without their knowledge. This malware type can capture keystrokes, access files, and harvest login credentials and financial information, leading to identity theft and financial fraud. Spyware often infiltrates systems through deceptive links, email attachments, or bundled software installations, emphasizing the need for caution when downloading and installing new software.

10. Cryptomining Cyber Attacks

Malicious cryptominers hijack system resources to mine cryptocurrency, significantly slowing down the infected device and increasing energy consumption. These attacks are typically carried out by embedding malicious scripts into websites or through Trojan downloads. Unlike legitimate mining software, these malicious tools operate without user consent and benefit only the attacker. Users can protect themselves by using web filters and updated antivirus solutions to detect and block cryptomining scripts.

Protection From Cyber Attacks Today

This article has explored a variety of cyber attacks and the forms of malware used to carry them out. Each type of cyber threat we’ve discussed seeks to compromise your device and personal information in some way. However, the goal here is not to deter you from using digital technology, but to arm you with knowledge and solutions to protect against these threats. Gridinsoft Anti-Malware, renowned as one of the best cybersecurity tools available, offers comprehensive protection by monitoring network activity, encrypting data, and scanning all files arriving on your devices. If you are still on the fence, read our article to better understand its benefits and capabilities. Equip yourself with a robust cybersecurity solution that is fast, efficient, and effective at maintaining your digital safety.

Whaling Phishing
https://gridinsoft.com/blogs/whaling-phishing-recognize-avoid/ – Tue, 02 Jul 2024

Malicious actors know that executives and high-level employees, such as public spokespersons, are familiar with common spam tactics. Due to their public profiles, they may have undergone extensive security awareness training, and the security team may have implemented stricter policies and more advanced tools to safeguard them. As a result, attackers targeting these individuals are forced to move beyond conventional phishing tactics and employ more sophisticated, targeted methods such as whaling phishing.

What is Whaling Phishing

Phishing is a malicious practice where attackers trick individuals into revealing sensitive information through fake emails that look legitimate. Because the victim hands over their credentials willingly, this is neither extortion nor malware in the strict sense.

Phishing attacks, accounting for 39.6%, are the most common type of cyber attack and are frequently combined with malicious attachments or payloads such as HTML files, URLs, PDFs, and executables.

Phishing techniques are diverse, and it is nearly impossible to list them all without missing some. Nevertheless, several methods are currently the most prevalent. These methods have always been widely used due to their simplicity and the high likelihood of successfully trapping the victim.

Various types of phishing attacks include spear phishing, whaling phishing, angler phishing, pharming, pop-up phishing, and others. Spear phishing targets regular employees while whaling phishing targets high-profile employees, such as C-level executives.

Whaling Phishing Attacks

The whale is often considered the ruler of the ocean, symbolizing high authority. In the realm of phishing, ‘whale’ refers to C-level executives. These executives hold significant power within an organization, and the metaphor draws parallels between these influential individuals and the ocean’s king.

Due to their power and authority, C-level executives are targets for whaling attacks, which aim to deceive and exploit them, leveraging their access to sensitive information and decision-making abilities. When a CEO requests an urgent task from an employee, it is usually prioritized and completed quickly.

Whaling phishing does not use any special distribution channel: like any other phishing attack, it arrives via email, SMS, and voice calls. Let’s explore it through real-world examples.

Examples of Whaling Attacks

At their core, the common thread in examples of past successful whaling campaigns isn’t too dissimilar from successful phishing campaigns: The messages are seemingly so urgent, so potentially disastrous that the recipient feels compelled to act quickly, putting normal security hygiene practices by the wayside. Scammers writing successful whaling emails know their audience won’t be compelled by just a deadline reminder or a stern email from a superior. Instead, they’ll prey upon other fears, such as legal action or being the subject of reputational harm.

In one example of a whaling attempt, several executives across industries fell for an attack. The emails were laced with accurate details about the recipients and their businesses and purported to be from a United States District Court, with a subpoena to appear before a grand jury in a civil case. The email included a link to the subpoena; when recipients clicked the link to view it, they were infected with malware instead.

Phases of Whaling Phishing Attacks

The three phases of a phishing attack also apply to a whaling attack:

  1. When an attacker wants to access a system, the first step is to research the potential target, learning about their position within the company and their relationships with other employees.
  2. Once the attacker has gathered enough information, they create a customized phishing email that looks legitimate. (This is how the HR and Finance departments were deceived in the Seagate and FACC cyber heists.)
  3. The attacker tricks the target into clicking a link or opening an attachment. If the victim falls for it, the attacker still has to bypass security measures and deliver a malicious payload; after that, they can steal data and sensitive information.

Defending Against Whaling Attacks

If you are an executive or someone who might be a target of whaling, you should remember the standard prevention advice for phishing attacks. It’s essential to be cautious of clicking on links or attachments in emails, as these attacks require the victim to take some action to be successful.

Implementing whaling-specific best practices can help organizations harden their defenses and educate potential targets.

It’s essential to be aware of the information public-facing employees share about executives. Whaling emails can seem more genuine if they include readily available online details such as birthdays, hometowns, favorite hobbies, or sports. Whaling emails can appear even more legitimate during major public events, like industry conferences or company events. Therefore, it’s essential to remind executives and spokespersons to exercise caution while checking their inboxes, particularly during high-publicity events when they are likely to be in the spotlight.

IP Stresser & DDoS Booter
https://gridinsoft.com/blogs/ddos-booter-ip-stresser/ – Thu, 20 Jun 2024

The toolkit of corporate cybersecurity specialists does not consist only of defensive tools. To imitate intruders, they use tools such as IP stressers, which create an environment and circumstances similar to a real attack. There is also an evil counterpart of IP stressers: DDoS booters. But how do they work? Let’s figure that out.

What is an IP Stresser?

IP stresser is a special tool that tests a network or server for stress tolerance. The administrator can run the stress test to check whether the current resources (bandwidth, CPU power, or so) are sufficient to handle the additional load. Testing your network or server is a legitimate use of a stress test. However, running a stress test against someone else’s network or server, resulting in a denial of service to their legitimate users, is illegal in most countries.

What are booter services?

Booters are on-demand DDoS (Distributed Denial of Service) attacks that cybercriminals offer as a service to shut down networks and websites. Consequently, booters are illegal uses of IP stressers. Illegal IP stressers often conceal the identity of the attacker’s server by using proxy servers. The proxy redirects the attacker’s connection, masking the attacker’s IP address.


Booters are often available as SaaS (Software-as-a-Service) and are accompanied by email support and YouTube tutorials. Packages can offer one-time service, several attacks over some time, or even “lifetime” access. A basic one-month package costs a tiny sum. Payment methods can include credit cards, Skrill, PayPal, or bitcoins.

The difference between IP Stresser and botnets

In contrast to an IP stresser, a botnet consists of computers whose owners are unaware that their machines are infected with malware; they thus unwittingly become accomplices in Internet attacks. Booters are DDoS-for-hire services offered by enterprising hackers. Whereas in the past you had to build your own botnet to conduct a large-scale attack, now it is enough to pay a small amount of money.

Motivations for DDoS attacks

The motives for such attacks can be varied: espionage, sharpening skills, business competition, ideological differences, government-sponsored terrorism, or extortion. The preferred payment method is bitcoin, as the wallet owner is very hard to uncover. However, cashing out is harder when the proceeds are held in cryptocurrency.

Amplification and reflection attacks

Reflection and amplification attacks use legitimate traffic to overwhelm the targeted network or server. IP spoofing involves the attacker forging the victim’s IP address and sending a message to a third party on behalf of the victim. The third party cannot tell that the source address is forged and replies directly to the victim. Neither the victim nor the third-party server can see the real IP address of the attacker. This process is called reflection. For example, imagine the attacker orders a dozen pizzas to the victim’s home in the victim’s name: the victim now has to pay the pizzeria for pizzas they never ordered.

The simplified scheme of an amplification attack (Smurf attack scheme)

Traffic amplification occurs when a hacker forces a third-party server to send responses to the victim with as much data as possible. The ratio between the size of the response and the request is the amplification factor. The greater this amplification, the more potential damage is done to the victim. In addition, because of the volume of spoofed requests that the third-party server has to handle, it is also disruptive for it. NTP Amplification is one example of such an attack.

The most effective types of booter attacks use both amplification and reflection. First, the attacker spoofs the target’s address, then sends a message to a third party. The receiver sends its response to the target’s address, which appears in the packet as the sender’s address. The response is much larger than the original message, which amplifies the attack’s size. The role of a single bot in such an attack is about the same as if a teenage prankster called a restaurant, ordered the entire menu, and asked for a callback to confirm each dish, but gave the victim’s number for the callback. As a result, the victim gets calls from the restaurant about orders it didn’t make and has to stay on the line for a long time.

The categories of denial-of-service attacks

There are dozens of possible variations of DDoS attacks, and some of them have multiple subspecies. Depending on the hackers’ targets and skills, the attack may simultaneously belong to several types. Let’s review each of them one by one.

Application-layer attacks target web applications and often use the most sophisticated techniques. These attacks exploit weaknesses at layer 7 of the protocol stack. They connect to a target and drain server resources by monopolizing processes and transactions. Because of this, they are challenging to detect and mitigate. A typical example is the HTTP Flood attack.

Protocol-based attacks exploit weaknesses at layers 3 or 4 of the protocol stack. Such attacks consume the victim’s processing power or other essential resources (such as the firewall), resulting in a service disruption. Examples of such attacks are SYN Flood and Ping of Death.

Volumetric Attacks send large volumes of traffic to fill the entire bandwidth of the victim. Attackers generate bulk attacks using simple amplification methods. This attack is the most common — for example, UDP Flood, TCP Flood, NTP Amplification, and DNS Amplification.

Common denial-of-service attacks

The goal of DoS or DDoS attacks is to consume as many server or network resources as possible so that the system stops responding to legitimate requests:

  • SYN Flood: A sequence of SYN requests is sent to the target system in an attempt to overload it. This attack exploits vulnerabilities in TCP connection sequences, also known as three-way handshakes.
  • HTTP Flood: an attack in which HTTP GET or POST requests are used to attack a web server.
  • UDP Flood: A kind of attack in which random target ports are flooded with IP packets containing UDP datagrams.
  • Ping of Death: This attack involves sending IP packets larger than the IP protocol allows. TCP/IP fragmentation handles large packets by breaking them into smaller ones. Legacy servers often fail if the reassembled packet exceeds the 65,536 bytes allowed. This has largely been fixed in newer systems; however, ping flooding is the modern incarnation of this attack.
  • ICMP Protocol Attacks: Attacks on the ICMP protocol are based on the fact that the server must process each request before a response is sent back. The Smurf attack, ICMP flooding, and ping flooding exploit this by flooding the server with ICMP requests without waiting for a response.
  • Slowloris: this is an attack invented by Robert “RSnake” Hansen. It tries to keep multiple connections to the target web server open as long as possible. Thus, additional connection attempts from clients will be rejected.
  • DNS Flood: An intruder floods the DNS servers of a certain domain to disrupt DNS resolution for that domain.
  • Smurf Attack: This attack uses malware called smurf. Using a broadcast IP address, large numbers of Internet Control Message Protocol (ICMP) packets are sent to the computer network with a fake IP address of the victim.
  • SNMP reflection: An attacker spoofs the victim’s IP address and sends multiple SNMP requests to the devices. The volume of responses can overwhelm the victim.
  • DNS amplification: this reflection-based attack turns legitimate requests to DNS (domain name system) servers into much larger ones, thus consuming server resources.
The ways a DDoS attack can be applied to the network

Less popular DDoS methods

  • NTP Amplification: A high-volume reflection-based DDoS attack in which the attacker exploits Network Time Protocol (NTP) server functionality to overload the target network or server with amplified UDP traffic.
  • SSDP: SSDP (Simple Service Discovery Protocol) attack is a reflection-based DDoS attack. It uses Universal Plug and Play (UPnP) network protocols to send an amplified traffic volume to the target victim.
  • Teardrop Attack: The attack consists of sending fragmented packets to the target device. A flaw in TCP/IP reassembly lets the fragments overlap each other, so the server cannot reassemble them, which incapacitates the target device.
  • Fraggle attack: the attack is similar to smurf, except that it uses UDP rather than ICMP.

What to do in case of a DDoS attack?

  • Inform your data center and ISP immediately;
  • Do not consider ransom – payment often results in escalating ransom demands;
  • Notify law enforcement authorities;
  • Monitor network traffic.

How to mitigate attacks?

  • Install firewalls on the servers;
  • Keep security patches up to date;
  • Run antivirus software on a schedule;
  • Monitor system logs regularly;
  • Prevent SMTP traffic from being distributed by unknown mail servers.

Why booter services are difficult to track

Since the person buying these criminal services uses an external site to pay and receive instructions, the connection to the backend initiating the attack cannot be identified. Therefore, criminal intent can be challenging to prove. However, one way to identify criminal organizations is to track payment traces.

Cisco Talos Warns of a Massive Brute Force Wave
https://gridinsoft.com/blogs/cisco-warns-massive-brute-force/ – Thu, 18 Apr 2024

The Cisco Talos security team has released information about a new campaign of attackers targeting mass account compromise. Specialists have recorded countless login attempts to gain unauthorized access to web infrastructure, particularly SSH servers, VPN clients and web applications. This is alarming and frightening for both big companies and home users.

Cisco Reports Massive Brute Force Attack

The first observed attacks date back to March 18 of this year. Cisco issued its previous warning about this campaign three weeks ago; at that time it was a “password spray” method targeting VPN access.

During the attacks, adversaries made hundreds of thousands or even millions of failed authentication attempts. Some login attempts ended with the error “Unable to complete connection. Cisco Secure Desktop not installed on the client”. Specialists also recorded problems with hostscan token allocation.

Denial of service due to the number of requests (Cisco error)

Attackers use a wide range of credentials, from commonly known usernames to organization-specific credentials. Researchers on GitHub list more than 2,000 usernames and nearly 100 passwords involved in the attacks, as well as approximately 4,000 IP addresses from which connections were made. The addresses listed come mostly from TOR exit nodes and other anonymizing tunnels and proxies. Experts note that the attacks are non-targeted and opportunistic in nature, not focused on any region or industry.

“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” Talos.

According to research, attackers target the following resources:

  • Draytek
  • Checkpoint VPN
  • Cisco Secure Firewall VPN
  • Fortinet VPN
  • RD Web Services
  • SonicWall VPN
  • Mikrotik
  • Ubiquiti

The following log entries show an unauthorized user attempting to access the Cisco VPN service and failing to log in.

{"timestamp": "2023-01-03T11:38:35.000Z", "user": "unknown", "account": "*****", "result": "FAILED_BAD_LOGIN", "source_ip": "62.204.41.146", "service": "vpn", "geoip_country_code": "RU", "geoip_country_name": "Russia", "geoip_organization": "Horizon LLC", "source_data": "<166>Jan 03 2023 05:38:35 FW : %ASA-6-: Group User <*****> IP <62.204.41.146> Authentication: rejected, Session Type: WebVPN. "}
{"timestamp": "2023-01-06T11:03:59.000Z", "user": "TestUser", "account": "test", "result": "FAILED_BAD_LOGIN", "source_ip": "179.60.147.152", "service": "vpn", "geoip_city": "Moscow", "geoip_country_code": "RU", "geoip_country_name": "Russia", "geoip_organization": "Flyservers S.A.", "geoip_region": "MOW", "source_data": "<166>Jan 06 2023 05:03:59 FW-%ASA-6-: "}
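As an added example (not code from the Gridinsoft post or from Cisco Talos), the following Python script parses log lines in the JSON shape shown above and groups failed WebVPN logins by source address, labelling a source that tries many different usernames as a password spray and one that hammers a single account as brute force. The sample lines, the RFC 5737 addresses, the "SUCCESS" result value and the thresholds are all constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime


# Constructed sample lines in the same JSON shape as the Cisco ASA WebVPN
# records quoted above. Addresses are RFC 5737 documentation ranges; users,
# times and the "Example ISP" organisation are made up for this example.
def _rec(ts, user, ip, result="FAILED_BAD_LOGIN", service="vpn"):
    return json.dumps({
        "timestamp": ts, "user": user, "account": user, "result": result,
        "source_ip": ip, "service": service, "geoip_country_code": "XX",
        "geoip_organization": "Example ISP",
        "source_data": f"<166>{ts} FW : %ASA-6-: Group User <{user}> IP <{ip}> "
                       "Authentication: rejected, Session Type: WebVPN.",
    })


SAMPLE_LOGS = [
    # one source, six different usernames, one attempt each: spray pattern
    _rec("2024-03-18T11:38:35.000Z", "test", "203.0.113.7"),
    _rec("2024-03-18T11:38:36.000Z", "admin", "203.0.113.7"),
    _rec("2024-03-18T11:38:37.000Z", "guest", "203.0.113.7"),
    _rec("2024-03-18T11:38:38.000Z", "vpn", "203.0.113.7"),
    _rec("2024-03-18T11:38:39.000Z", "support", "203.0.113.7"),
    _rec("2024-03-18T11:38:40.000Z", "cisco", "203.0.113.7"),
    # one source hammering a single account: classic brute force
    _rec("2024-03-18T11:40:01.000Z", "admin", "198.51.100.23"),
    _rec("2024-03-18T11:40:02.000Z", "admin", "198.51.100.23"),
    _rec("2024-03-18T11:40:03.000Z", "admin", "198.51.100.23"),
    _rec("2024-03-18T11:40:04.000Z", "admin", "198.51.100.23"),
    _rec("2024-03-18T11:40:05.000Z", "admin", "198.51.100.23"),
    _rec("2024-03-18T11:40:06.000Z", "admin", "198.51.100.23"),
    # a single failure from a third address: below threshold, not flagged
    _rec("2024-03-18T11:41:00.000Z", "alice", "192.0.2.5"),
    # a successful login and a non-VPN service: must be ignored
    _rec("2024-03-18T11:41:30.000Z", "bob", "192.0.2.9", result="SUCCESS"),
    _rec("2024-03-18T11:41:31.000Z", "bob", "192.0.2.9", service="ssh"),
    # a garbled line (missing 'T', unterminated) like the damaged entry above
    '{"timestamp": "2024-03-1811:42:00. 000Z", "result": "FAILED_BAD_LOGIN"',
]


def parse_events(lines):
    """Parse JSON log lines; return (events, skipped). Malformed lines are
    counted rather than silently dropped so the pipeline can alert on them."""
    events, skipped = [], 0
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def failed_vpn_logins_by_source(events):
    """Group FAILED_BAD_LOGIN events for the vpn service by source address,
    keeping the failure count, the set of usernames tried and the time span."""
    by_ip = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "first": None, "last": None})
    for ev in events:
        if ev.get("result") != "FAILED_BAD_LOGIN" or ev.get("service") != "vpn":
            continue
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        entry = by_ip[ev["source_ip"]]
        entry["failures"] += 1
        entry["users"].add(ev.get("user", "unknown"))
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return by_ip


def classify_sources(by_ip, min_failures=5, window_seconds=600):
    """Label each source with at least min_failures failures inside
    window_seconds: many distinct users from one address is a password
    spray; repeated failures against few accounts is brute force."""
    findings = {}
    for ip, e in by_ip.items():
        span = (e["last"] - e["first"]).total_seconds()
        if e["failures"] < min_failures or span > window_seconds:
            continue
        distinct = len(e["users"])
        label = ("password-spray" if distinct >= max(3, e["failures"] // 2)
                 else "brute-force")
        findings[ip] = {"label": label, "failures": e["failures"],
                        "distinct_users": distinct}
    return findings


def analyze(lines, **kw):
    """Run the whole pipeline; returns (findings, skipped_line_count)."""
    events, skipped = parse_events(lines)
    return classify_sources(failed_vpn_logins_by_source(events), **kw), skipped


if __name__ == "__main__":
    findings, skipped = analyze(SAMPLE_LOGS)
    for ip, f in sorted(findings.items()):
        print(f"{ip}: {f['label']} ({f['failures']} failures, "
              f"{f['distinct_users']} distinct users)")
    print(f"{skipped} malformed line(s) skipped")
```

Feeding the output into the blocklists and interface access lists Cisco recommends below turns the log correlation into an automatic response; the thresholds here are illustrative and should be tuned to the expected legitimate failure rate.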

Potential Risks

Penetrating corporate networks through VPNs or servers can give attackers access to sensitive information such as personal data. Through unauthorized VPN access, attackers can also distribute malware within a company’s network, which can lead to infections of workstations and servers. Additionally, unauthorized access eventually leads to data leaks. This is unpleasant on its own, and it also violates regulatory requirements such as GDPR or HIPAA, resulting in severe fines and legal consequences for the company. The number of such attacks has been increasing over time, and this trend is expected to continue.

Cisco Protection Recommendations

Cisco has provided a series of recommendations to strengthen security and prevent successful cyberattacks. These suggestions respond to the account-compromise campaign described above. Here are the key recommendations for organizations to minimize risk and better protect their information systems:

  • Detailed logging should be configured, with logs going specifically to a remote syslog server. This allows administrators to recognize and correlate attacks across different points in the network, which is critical for rapid incident response.
  • It is recommended that default remote access accounts be sinkholed. Access to these accounts should be limited or completely denied if they use the DefaultRAGroup and DefaultWEBVPNGroup profiles.
  • It is recommended to use blocking lists to prevent access to VPN services from IP addresses known to be malicious.
  • Configuring interface-level access lists and control planes will help filter out unverified public IP addresses and prevent them from being able to initiate remote VPN sessions.
  • The shun command in Cisco IOS allows the administrator to block malicious traffic from specific IP addresses, which prevents further attack attempts.
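To show what the logging recommendation buys you in practice, here is an added example (my own code, not Cisco’s or the Talos report’s) that reads failed-login records in the same JSON shape as the ones quoted above and flags any source IP that racks up a threshold of failures inside a sliding window, reporting how many distinct usernames it tried. The records, the 203.0.113.x / 198.51.100.x addresses, the SUCCESS result value and the threshold numbers are constructed for the demo.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: same field layout as the Cisco VPN login records quoted
# above, but invented values (RFC 5737 documentation addresses). Six failures from one
# IP in under three minutes, each with a different username, plus one isolated failure
# and one success from another address.
SAMPLE_LOG = """\
{"timestamp": "2023-01-06T11:00:01.000Z", "user": "admin", "result": "FAILED_BAD_LOGIN", "source_ip": "203.0.113.10", "service": "vpn"}
{"timestamp": "2023-01-06T11:00:30.000Z", "user": "test", "result": "FAILED_BAD_LOGIN", "source_ip": "203.0.113.10", "service": "vpn"}
{"timestamp": "2023-01-06T11:01:02.000Z", "user": "guest", "result": "FAILED_BAD_LOGIN", "source_ip": "203.0.113.10", "service": "vpn"}
{"timestamp": "2023-01-06T11:01:40.000Z", "user": "cisco", "result": "FAILED_BAD_LOGIN", "source_ip": "203.0.113.10", "service": "vpn"}
{"timestamp": "2023-01-06T11:02:15.000Z", "user": "vpn", "result": "FAILED_BAD_LOGIN", "source_ip": "203.0.113.10", "service": "vpn"}
{"timestamp": "2023-01-06T11:02:50.000Z", "user": "root", "result": "FAILED_BAD_LOGIN", "source_ip": "203.0.113.10", "service": "vpn"}
{"timestamp": "2023-01-06T11:05:00.000Z", "user": "jdoe", "result": "FAILED_BAD_LOGIN", "source_ip": "198.51.100.7", "service": "vpn"}
{"timestamp": "2023-01-06T11:06:00.000Z", "user": "jdoe", "result": "SUCCESS", "source_ip": "198.51.100.7", "service": "vpn"}
"""


def parse_events(text):
    """Parse one JSON record per line into (timestamp, source_ip, user, failed) tuples,
    sorted by time. Any result starting with FAILED counts as a failed login."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts, rec["source_ip"], rec["user"], rec["result"].startswith("FAILED")))
    return sorted(events)


def detect_bruteforce(events, window=timedelta(minutes=10), threshold=5):
    """Sliding-window count of failed logins per source IP.

    Returns {source_ip: {"failures": n, "users": [...], "spraying": bool}} for every IP
    that reached `threshold` failures inside `window`. "spraying" is set when the
    attempts spread over at least `threshold` distinct usernames: the one-guess-per-
    account pattern that sidesteps per-account lockout."""
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, user) inside the window
    alerts = {}
    for ts, ip, user, failed in events:
        if not failed:
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            users = sorted({u for _, u in q})
            alerts[ip] = {"failures": len(q), "users": users, "spraying": len(users) >= threshold}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        kind = "password spraying" if info["spraying"] else "brute force"
        print(f"{ip}: {info['failures']} failures, {len(info['users'])} users -> {kind}")
```

Run it over an export of your syslog collector’s VPN authentication events. A hit with many distinct users and one attempt each is the spraying pattern behind this campaign, and the offending address is what you would feed to the blocking list or the shun command mentioned above.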

Cisco Talos Warns of a Massive Brute Force Wave

UnitedHealth Hack Leaks 6 TB of User Data
Published Mon, 01 Apr 2024 19:29:11 +0000 at https://gridinsoft.com/blogs/unitedhealth-hack-6tb-data-leak/
UnitedHealth Group, one of the largest providers of health insurance and health care services in the United States, suffered a cyberattack followed by a data breach. The company admitted that the personal data of millions of patients was “stolen” in the attack. This incident is already being called one of the largest in healthcare history. The total volume of data that the hackers managed to leak is estimated at 6 terabytes.

UnitedHealth Hacked, Department Leaks Huge Amounts of Data

In February 2024, UnitedHealth Group experienced a massive cyberattack that compromised the data security of Change Healthcare. This division of the corporation processes medical claims and payments. As a result, systems responsible for processing prescriptions, medical claims and electronic payments were affected. This caused major problems for healthcare providers, pharmacies and payment systems across the country.

Image: Application on the company’s website

UnitedHealth Group responded quickly to the incident. They announced their intention to work with law enforcement to investigate the attack and strengthen security measures to protect patient data. The company also began notifying affected customers and offered them free credit history monitoring and fraud protection services as a compensation.

On Wednesday, UnitedHealth Group announced that it had made significant progress in restoring various core systems that were hit in the attack. The attack in particular caused an outage during the company’s response and impacted more than 100 Change Healthcare IT products and services.

Government Response

The size of UnitedHealth and its importance to the national healthcare industry could not leave the government silent. The U.S. Department of Health and Human Services has opened an investigation into the incident for a violation of the Health Information Protection and Accountability Act (HIPAA). The investigation aims to determine whether a breach of patient protection occurred, and whether the relevant legal requirements for confidentiality of information were met.

Image: U.S. Department of State announces reward

UnitedHealth Group’s response was quick. They announced their intention to work with law enforcement to investigate the attack. Additionally, they vowed to strengthen security measures to protect patient data. The company also began notifying affected customers and offered them free credit history monitoring and fraud protection services.

BlackCat/ALPHV Claims Responsibility

The ALPHV/BlackCat ransomware gang claimed responsibility for this attack earlier this year. The hackers announced that they were able to expropriate 6 terabytes of “highly selective data” regarding Change Healthcare customers. This information covers a wide range of data related to Tricare, Medicare, CVS Caremark, MetLife, and other large companies, which highlights the potential scale of the damage.

Image: ALPHV/BlackCat reveals details of the attack on UnitedHealth

According to their story, UnitedHealth Group paid a $22 million ransom for a decryption key and a promise not to distribute the stolen data. This is a forced measure in which a company pays huge sums to regain access to its own data and prevent further dissemination of the stolen information. However, questions remain as to whether BlackCat actually received the full ransom amount as claimed, and what assurances there are that the data will not be distributed or used in the future.

At the end of 2023, BlackCat’s infrastructure was seized in a coordinated law enforcement action. This severely disrupted the group’s operations for a period. Though, as you can see, BlackCat continued operating in defiance of law enforcement efforts. The disruption definitely slowed them down, but did not stop the operation entirely.

What did stop them, though, was an exit scam that the group’s admins pulled in early March 2024. The hackers defrauded their partners, quitting the business with all their affiliates’ money. The said UnitedHealth subdivision appears to be one of their last targets – at least under this name. I expect them to resurface in this form or another.

PyPI Malware Spreading Outbreak Exploits Typosquatting
Published Fri, 29 Mar 2024 17:04:58 +0000 at https://gridinsoft.com/blogs/pypi-malware-outbreak/
PyPI, the index of Python packages, once again became a venue for malware distribution. Threat actors registered hundreds of profiles to deploy packages whose names typosquat known and popular packages. This forced the administration to halt new user registration until the issue is resolved.

PyPI Malware Spreading Causes Registrations Halt

The Python Package Index, commonly known as PyPI, closed registration of new users due to a wave of malware spreading through the platform. Such trouble is nothing new, as similar infestations have happened in the past. Each time, the platform implemented changes aimed at preventing malware uploads in the future, but the protection apparently failed this time. Research from CheckPoint uncovers the entire flow of the attack.

In the latest attack, cybercriminals uploaded not the final payload but a malicious script that further loads the malware. The repositories with these scripts were generally uploaded on March 27, with the user accounts created the day before. Overall, the research unveils 576 malicious repositories.

Image: PyPI user profile that uploaded malware. Source: CheckPoint

Another thing that unites all these uploads is the use of typosquatting in their naming. The fraudsters were apparently aiming at spoofing the names of popular packages. They particularly used letter-to-digit substitution (request5 instead of requests), popular typos (requestss) and slight changes like -sdk or -v1 endings. While they look like obvious fakes, they may still work when users are in a hurry or distracted.
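Below is an added example (my own code, not CheckPoint’s or PyPI’s) of a small typosquatting check a developer can run over package names before installing them. It normalizes the tricks described above – digit-for-letter substitution, -sdk and -v1 suffixes – and falls back to edit distance for doubled-letter typos such as requestss. The short allow-list of popular packages, the LEET table and the requirements lines in the demo are constructed; a real check would compare against the full download-ranking list.

```python
# Constructed allow-list standing in for the real list of most-downloaded packages.
POPULAR = {"requests", "numpy", "pandas", "urllib3", "setuptools", "boto3"}

# Digit-for-letter substitutions seen in the campaign (request5) plus the usual leet set.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
# Bolt-on endings used to dress a clone up as an official variant.
SUFFIXES = ("-sdk", "-v1")


def levenshtein(a, b):
    """Classic edit distance; enough to catch requestss-style doubled or dropped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name):
    """Lower-case, unify separators, strip decoy suffixes and undo digit substitutions."""
    n = name.lower().replace("_", "-")
    for suffix in SUFFIXES:
        if n.endswith(suffix):
            n = n[: -len(suffix)]
    return "".join(LEET.get(c, c) for c in n)


def typosquat_candidates(name, popular=POPULAR, max_distance=1):
    """Return sorted [(popular_name, reason)] for every popular package `name` imitates.
    A name that is itself on the allow-list is never flagged."""
    if name in popular:
        return []
    norm = normalize(name)
    hits = []
    for p in popular:
        # Compare against both the raw and the de-leeted popular name, so that a
        # legitimate digit in the real name (boto3) does not break the comparison.
        targets = {p, normalize(p)}
        if norm in targets:
            hits.append((p, "substitution-or-suffix"))
        elif min(levenshtein(norm, t) for t in targets) <= max_distance:
            hits.append((p, "edit-distance"))
    return sorted(hits)


def audit_requirements(lines, popular=POPULAR):
    """Check each `name==version` / `name>=version` / bare-name line of a requirements
    file; returns {package_name: candidates} for the suspicious entries only."""
    report = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        pkg = line.split("==")[0].split(">=")[0].split("[")[0].strip()
        hits = typosquat_candidates(pkg, popular)
        if hits:
            report[pkg] = hits
    return report


if __name__ == "__main__":
    # Constructed requirements lines mixing genuine packages with look-alikes.
    sample = ["request5==2.31.0", "numpy>=1.26", "requestss", "boto3", "pandas-sdk", "django"]
    for pkg, hits in audit_requirements(sample).items():
        print(f"{pkg}: looks like {hits}")
```

The check is deliberately conservative: a package whose exact name is on the allow-list is never flagged, and the edit-distance fallback only fires within one edit, so it surfaces the typosquats described above without drowning a real requirements file in false positives.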

Package indexes for different programming languages are often a target of cybercriminals’ attention. Ones the size of PyPI, which boasts over 800,000 users, are veritable Meccas for hackers. By spreading malware in packages, they can infect both users and developers, potentially gaining a starting point for a cyberattack on a corporation, or even for a supply chain attack. Considering the wide use of Python in machine learning, this can also be leveraged for attacks on ML clusters. The latter appears to be a new point of interest for cybercriminals.

Malware in PyPI: How Does It Work?

Despite the scale of the attack, the way it works is nothing special. As I’ve said, the malicious repositories contained not the final malware but an obfuscated loader script. The latter connected to the command server – funcaptcha[.]ru – and pulled the payload.

All the repos were spreading the same script, which deployed the same malware regardless of the region. These were an infostealer and a cryptojacker, both in the form of obfuscated code. Neither of them, however, belongs to any of the known malware families; they were likely developed for this specific attack campaign.

Image: Piece of code of the infostealer malware spread in this campaign

The infostealer targets passwords stored in browser files and session tokens of popular desktop applications. Additionally, it grabs browser cookies – another valuable source of user information. The cryptojacking malware modifies the desktop crypto wallets it detects, most likely changing the recipient of all transactions to the fraudsters’ wallet. After that, both malware samples communicate with the same C2 server as the loader script did.

Disclosure and Remediation

Shortly after uncovering the attack chain, PyPI administrators announced the suspension of all new user registration. They then started searching for the affected repositories and deleting them, which corresponds to the tactics they used before. Still, this does not solve the problem of exclusively reactive responses to such threats.

Despite being well-known and trusted, all large package repositories suffer from the very same problem. It is too hard to track all the uploads, and strict premoderation would queue new packages for weeks. The only variable here is which one will be next to get the attention of adversaries. This eventually raises the question of self-defense for the developers who rely on these repos in their daily tasks.

Obvious advice here is to double-check all packages, regardless of their source. Malware receives increasingly sophisticated disguises, becoming effective even against savvy and aware users. Good anti-malware software will be of help as well: a proper one will easily detect and prevent the execution of a malicious script before it starts its mischievous job.

STRRAT and Vcurms Malware Abuse GitHub for Spreading
Published Fri, 22 Mar 2024 12:04:00 +0000 at https://gridinsoft.com/blogs/strrat-and-vcurms-abuse-github/
A new phishing campaign has recently been discovered that uses GitHub to deliver Remote Access Trojans (RAT) STRRAT and Vcurms via a malicious Java downloader. ANY.RUN specialists have detected the active spread of these malicious programs and warn users against potential threats.

Short About STRRAT and Vcurms

STRRAT is a Java-based RAT, notorious for its ability to steal information. It is primarily used to gather credentials from browsers and email clients, log keystrokes, and provide backdoor access to infected systems. Like other remote access trojans, STRRAT also relies on the stealth of its operations and on detection evasion.

Image: Phishing email with a pop-up notification about launching the JAR file

Vcurms is another Java-based RAT, but with distinct operational tactics. It communicates with its command-and-control server via a Proton Mail email address and executes commands received through specific email subject lines. This malware carries infostealer functionality, capable of extracting data from various applications like Discord and Steam. Aside from this, it can grab credentials, cookies, and autofill data from multiple web browsers. It shares similarities with another malware known as Rude Stealer.

Attack Overview

ANY.RUN researchers say the attack begins with a phishing email convincing recipients to click a button to verify payment information. This action leads to the download of a malicious JAR file masquerading as a payment receipt. The downloaded file then launches two additional JAR files that activate both Vcurms and STRRAT trojans.

Image: Infection chain of the malware

Both malware samples try to remain stealthy, using detection and analysis evasion techniques. Researchers found them using these specific tricks:

  • Using legitimate services and tools – attackers use legitimate cloud platforms such as AWS and GitHub to store or distribute malware. Such a trick also complicates filtering network requests of malicious origin.
  • Code obfuscation – the source code of a program is converted into a form that makes it difficult to read. This is used to hide malicious functions from antivirus scanners and analysts. (By the way, the first JAR file received via email is obfuscated and downloads malware using a PowerShell command.)
  • Packing – malicious code is compressed or “packed” together with some type of unpacking mechanism. This makes it difficult to analyze the code without executing the malware.

This is not the first time malware actors have abused GitHub or other developer platforms. Unfortunately, there are not a lot of options to mitigate this proactively: it is easy to masquerade the code and make it look innocent. GitLab administrators reacted to user complaints and removed the malicious repository, but this does not guarantee that there won’t be a comeback.

Sandbox attack analysis

The phishing campaign begins by spreading the initial loader via phishing emails. The goal of these emails is to convince the user to download and run a malicious JAR file. This file acts as the primary loader that initiates a series of malicious actions on the infected machine.

Primary Loader

Once launched, the primary loader downloads a secondary malicious file from the aforementioned repository on GitHub. The file is launched using a command that invokes the Java runtime:

"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"

Persistence and disguise

Then, the malware creates a copy of itself in the AppData\Roaming directory and registers a task in the Windows Task Scheduler to automatically restart every 30 minutes. Interestingly enough, the malware tries to mimic the Skype application, judging by the name of the task it creates. This ensures the persistence of the malware on the system.

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"

Collecting information about the system

Next, the malware gathers information about the system, including a list of disks and the presence of installed security programs, using the following commands:

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

One of the malware programs, in this case Vcurms, uses a PowerShell command to dump the passwords kept in the Windows password vault, rather than in a third-party tool. Obviously, it gathers data from browsers too, but in a different manner – by accessing their data files directly.

powershell.exe "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"

I assume this command is related to Vcurms as STRRAT does not exhibit password stealing functionality.
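Here is an added example (my own code, not ANY.RUN’s tooling) that turns the command lines above into detection logic: a set of regular-expression rules run over process-creation events, flagging JAR execution from user-writable folders, scheduled-task persistence pointing at a JAR, antivirus and disk-serial enumeration via WMIC, and the PasswordVault dump. The event list combines the command lines quoted in this article with two benign lines constructed for contrast; the rule names and severities are mine.

```python
import re

# Constructed process-creation events: command lines 1-5 are the ones quoted above
# from the sandbox analysis; 6 and 7 are benign lines invented for contrast.
SAMPLE_EVENTS = [
    (1, r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"'),
    (2, r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\admin\AppData\Roaming\64e8cb522a3a4664791c27512d94a911bc2fbcbae09b625976ff8ac6809819d3.jar"'),
    (3, r'''cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"'''),
    (4, r'''cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"'''),
    (5, r'powershell.exe "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }"'),
    (6, r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Program Files\Vendor\tool.jar"'),
    (7, r'schtasks /create /sc daily /tn NightlyBackup /tr "C:\Scripts\backup.bat"'),
]

# (rule name, severity, compiled pattern). Names and severities are my own labels.
RULES = [
    # java/javaw launching a JAR that lives under %TEMP% or %APPDATA%\Roaming
    ("jar-from-user-writable-dir", "high",
     re.compile(r'javaw?\.exe"?\s+-jar\s+"?[^"]*\\AppData\\(Local\\Temp|Roaming)\\[^"]*\.jar', re.I)),
    # scheduled task whose action is a JAR file (the fake "Skype" task above)
    ("schtasks-persistence-to-jar", "high",
     re.compile(r'schtasks\s+/create\b.*?/tr\s+"?[^"]*\.jar', re.I)),
    # enumerating installed antivirus through the SecurityCenter2 WMI namespace
    ("av-enumeration-wmic", "medium",
     re.compile(r'wmic\b.*securitycenter2.*antivirusproduct', re.I)),
    # volume serial number lookup, a common host-fingerprinting step
    ("disk-serial-fingerprint", "low",
     re.compile(r'wmic\b.*logicaldisk.*volumeserialnumber', re.I)),
    # bulk read of stored credentials from the Windows PasswordVault
    ("passwordvault-dump", "high",
     re.compile(r'PasswordVault.*RetrieveAll\(\).*RetrievePassword', re.I)),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def triage(events, rules=RULES):
    """Run every rule over every command line; returns {event_id: [rule names]} for hits only."""
    findings = {}
    for event_id, cmdline in events:
        matched = [name for name, _sev, rx in rules if rx.search(cmdline)]
        if matched:
            findings[event_id] = matched
    return findings


def max_severity(findings, rules=RULES):
    """Highest severity across all matched rules ("none" if nothing matched)."""
    sev_of = {name: sev for name, sev, _ in rules}
    best = "none"
    for names in findings.values():
        for n in names:
            if SEVERITY_RANK[sev_of[n]] > SEVERITY_RANK.get(best, 0):
                best = sev_of[n]
    return best


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for event_id, names in hits.items():
        print(f"event {event_id}: {', '.join(names)}")
    print("overall severity:", max_severity(hits))
```

Each rule on its own is a weak signal (the disk-serial query in particular has legitimate uses), which is why the two benign events are left unflagged and the chain is scored by its highest-severity hit: a JAR launched from a user-writable folder that immediately registers itself as a scheduled task is the combination worth paging on.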

Strengthening cybersecurity

This case shows the need for vigilance and cooperation in cybersecurity. This phishing attack showed that even trusted platforms like GitHub can be used as a tool to spread malware. Cybersecurity experts offer the following tips to protect against such threats:

  • Firstly, always verify the sender and avoid opening attachments or clicking on links in emails that seem suspicious or unexpected. If an email asks you to confirm payment details or personal information, it is better to contact the sender directly through another channel.
  • Then, enable spam filters on your email to reduce the number of phishing and junk emails reaching your inbox.
  • Make sure your antivirus software and all systems are updated to the latest versions. Regular updates help protect against known threats and vulnerabilities.
  • Also, regularly monitor systems for suspicious activity and respond quickly to cybersecurity incidents. Use analytics and intelligent detection tools.
  • And last, back up important data regularly and store it in a safe place. This will help you recover information in the event of a successful attack.

Fujitsu Hacked, Warns of Data Leak Possibility
Published Tue, 19 Mar 2024 17:29:47 +0000 at https://gridinsoft.com/blogs/fujitsu-hacked-data-leak/
Fujitsu, one of the world’s leading IT companies, reports uncovering a hack of its internal network. The company discovered malware in its IT systems, which led to a massive data breach.

Fujitsu Hacked, Company Publishes Report

The first to discover the Fujitsu hack were the company’s IT specialists, who were performing scanning at the time. The first signs of compromised systems were noticed earlier in March 2023, which immediately raised concerns among the technical team. The company’s management was immediately notified of the possible threat, leading to an extensive internal investigation.

Image: Fujitsu report on the official web site (translated from Japanese)

The investigation is still ongoing and is now focused on determining the amount and types of leaked data. The company says it has not received any reports of personal information being misused as a result of the hack. However, the attack could have affected important databases containing customers’ personal data, including names, addresses, contact information and details of contractual relationships.

Initial steps taken by Fujitsu included isolating the infected systems to prevent the malware from spreading further. The company also engaged external cybersecurity experts to conduct a detailed analysis of the situation and determine the source of the attack.

Analysis of Malware

Preliminary analysis showed that the malware was specifically designed to steal sensitive information. Experts noted that it was not a “common” malware sample but one crafted for this specific attack. The program acted selectively, targeting particularly sensitive data such as employees’ personal data, financial information and details of internal company research.

Most interestingly, the attack targeted specific systems and used sophisticated methods to bypass standard security measures. It is a common tactic for attackers to use custom malware builds for targeted attacks on corporate networks, but it is unusual to see them using a previously unseen sample.

Fujitsu Was Hacked Before

In June 2023, Fujitsu Cloud Technologies, a subsidiary of Fujitsu Limited, received a public reprimand from Japan’s Ministry of Internal Affairs and Communications. The ministry demanded that both Fujitsu Cloud Technologies and Fujitsu Limited take immediate action to implement security measures to safeguard communications privacy and enhance cybersecurity. Fujitsu Limited is set to merge with its subsidiary in the near future.

In 2022, a breach affected Fujitsu Limited’s cloud-based internet service used by governments and large corporations. Attackers accessed the system and leaked sensitive information. Around late 2022, the company uncovered a hack in one of its divisions, FENICS Internet.

The company was also implicated in the May 2021 supply chain attack. Its Fujitsu ProjectWEB project management suite was accessed by an unauthorized third party, and the incident resulted in a data leak affecting several Japanese government agencies. The data was allegedly sold on the darknet. The company later discontinued the ProjectWEB portal.

What then?

Well, despite best efforts, even technologically advanced companies like Fujitsu are not immune to cyberattacks and subsequent data breaches. Even with advanced defense systems, attackers are finding ways to bypass defenses, resulting in serious consequences for companies and their customers. Hopefully, the measures taken and lessons learned from this experience contribute to strengthening data protection.

BianLian Exploits TeamCity Vulnerability to Deploy Backdoors
Published Tue, 12 Mar 2024 10:11:02 +0000 at https://gridinsoft.com/blogs/bianlian-exploits-teamcity-vulnerability/
BianLian, a group of cybercriminals known for their ransomware attacks, recently caught the attention of the information security community. By exploiting vulnerabilities in the JetBrains TeamCity platform, they managed to carry out multistage cyberattacks. Threat actors reportedly start their attack chain with a Golang-based backdoor, and work their way all the way to the ransomware payload.

BianLian Exploits TeamCity vulnerabilities

Recent research uncovered a new trend in BianLian’s modus operandi. The threat actors behind the ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their attacks. Leveraging known vulnerabilities such as CVE-2024-27198 or CVE-2023-42793, the attackers gained initial access to the environment, paving the way for further infiltration. By creating new users and executing malicious commands within the TeamCity infrastructure, the threat actors orchestrated post-exploitation maneuvers and lateral movement, expanding their foothold in the victim’s network.

This is not the first case of TeamCity vulnerabilities being exploited. Consider reading our previous report on the CozyBear threat actor using a different set of security flaws in this software.

Backdoor Deployment via PowerShell

The original report from GuidePoint Security says that despite initial success, BianLian fell back to a PowerShell version of their backdoor. This happened because Microsoft Defender unexpectedly detected the original one. At the same time, the hackers managed to deploy network reconnaissance tools and use them before switching to the PS backdoor.

The PowerShell backdoor version, obfuscated to hinder analysis, exhibited a multi-layered encryption scheme. Still, it was possible to understand what was going on and analyze the adversaries’ actions. The malware established a tunnel connection to the command server, waiting ready for further actions. And while using PS in cyberattacks is not unusual, entire backdoors written in PS that also incorporate heavy obfuscation are a new tactic.

Functionality and Capabilities of Backdoor

The PowerShell backdoor described above mainly aims at facilitating covert access to and control over compromised systems. The research summary reveals several features of this malware to be aware of.

The backdoor incorporates functionality to resolve IP addresses based on provided parameters, establishing TCP sockets for communication with remote command-and-control (C2) servers. This enables bidirectional data exchange between the compromised system and the attacker-controlled infrastructure. Here is the code recovered by analysts:

# Function to resolve an IP address: returns the argument unchanged if it already
# parses as an IP address, otherwise resolves the hostname via DNS and returns the first result
function cakest {
    param($Cakes_Param_1)
    if ($Cakes_Param_1 -as [ipaddress]) {
        return $Cakes_Param_1
    } else {
        $Cakes_Resolved_IP = [System.Net.Dns]::GetHostAddresses($Cakes_Param_1)[0].IPAddressToString
    }
    return $Cakes_Resolved_IP
}

Leveraging asynchronous execution techniques, the backdoor optimizes performance and evades detection by utilizing Runspace Pools. This allows multiple PowerShell instances to run concurrently, enhancing operational efficiency during post-exploitation activities.

Also, to ensure secure communication, the backdoor establishes SSL streams between the compromised system and the C2 servers, encrypting data exchanged over the network. By employing encryption, threat actors mitigate the risk of interception and detection by network monitoring tools. The C2 communication relies on this code, of which only the parameter block was published:

function cookies {
    param (
        # Default C2 address parameter: 0x7F000001 = 127.0.0.1; default port 1080
        [String]$Cookies_Param1 = "0x7F000001",
        [Int]$Cookies_Param2 = 1080,
        [Switch]$Cookies_Param3 = $false,
        [String]$Cookies_Param4 = "",
        [Int]$Cookies_Params = 200,
        [Int]$Cookies_Param6 = 0
    )
    # The function body (socket setup and SSL stream handling) is not included in the published excerpt
}

Mimicking tactics observed in advanced malware, the backdoor validates SSL certificates presented by C2 servers, verifying the authenticity of remote endpoints. This authentication mechanism enhances the resilience of the communication channel against potential interception or infiltration attempts.

How to stay safe?

The BianLian threat group continues to evolve, and in light of their recent attacks, it is important to take appropriate security measures. Fortunately, they are more or less the same even for protecting against high-profile cybercrime groups.

  • First and foremost, it is recommended to regularly update and patch externally facing applications. This helps mitigate known vulnerabilities that threat actors may exploit to infiltrate your systems.
  • Ensure your team is well-versed in incident response procedures. Every member of your team should have a thorough understanding of how to respond effectively to security incidents. Regular drills should be conducted to refine response strategies and minimize the impact of potential security breaches.
  • Conduct penetration tests informed by threat intelligence to proactively identify and address weaknesses in your defenses. Penetration tests involve simulated attacks on your systems to uncover vulnerabilities that could be exploited by malicious actors. By using threat intelligence to inform these tests, you can focus on the most impactful threats facing your organization.
  • Additionally, use advanced security solutions. EDR and XDR are a must when we talk about corporate-grade cybersecurity. They can cover large networks of computers, orchestrating the response and detecting even sophisticated attacks like the one I’ve described above.

MIT Hacked, Students’ Data Sold on the Darknet
Published Tue, 13 Feb 2024 15:30:33 +0000 at https://gridinsoft.com/blogs/mit-hacked-data-on-the-darknet/
On February 13, 2024, a post appeared on a Darknet forum offering a large pack of data leaked from the Massachusetts Institute of Technology (MIT). The hacker under the alias “Ynnian” claims that the leak happened this year and consists mainly of students’ data. No payment is asked for this DB, hence the information is unlikely to be highly valuable.

MIT Hacked, Data Leaked in the Darknet

The post on the infamous BreachForums discloses a recent data leak at the #2 university in the world. As the leak is extremely fresh, posted only 2 hours prior to this blog post being written, there is no reaction from MIT yet. Though there should be, as the fact of such a leak raises a lot of questions.

Image: Post with the database allegedly leaked from MIT

As I’ve mentioned in the introduction, the fact that it is posted “as is”, accessible to everyone without any payment, means that there is nothing really valuable inside. But if so, maybe the hackers got something valuable enough to just give away this lean dataset? MIT is involved in various government-backed programs, including ones related to aerospace and defense. Hence, there is definitely enough valuable stuff to keep an eye on.

Each row in the leaked database consists of 4 parts: faculty (or department), surname, given name of a student, and email address. Occasionally, a “No Student” value is present, potentially denoting a graduate. Not much, sure, but already enough to arrange a phishing campaign – the typical way such data is used by fraudsters. As the total number of entries – 27,961 – exceeds the number of students currently studying at MIT, there could be either duplicates or data about students from previous years.

Should Students be Worried?

If I were in the students’ shoes, I would have my worries. Even though there are a lot of other ways to retrieve one’s personal information, especially things like email and name, the source is what matters here. Being a student of a certain university is a perfect identifier for targeting further scam campaigns. And be sure they will come: a free database like this pushes the margin for fraudsters even higher.

In the near future, I’d recommend that the students present in the database be exceptionally careful with any email messages. Even if this leak is not used for spamming, precautions will not be excessive. Email phishing is too widespread nowadays to ignore such a threat.
