CRITICAL VULNERABILITY IN WECHAT ALLOWS HACKERS TO RUN REMOTE CODE ON AFFECTED SYSTEMS

Posted on January 29, 2021

Cybersecurity specialists reported the finding of a critical vulnerability in WeChat, the messaging service, phone calls and social media platform developed by the China-based technology company Tencent. According to the report, successful exploitation of this flaw would allow threat actors to trigger remote code execution scenarios on vulnerable systems.

Below is a brief description of the reported flaw, in addition to its CVE tracking key and score set by the Common Vulnerability Scoring System (CVSS).

Tracked as CVE-2020-27874, this security flaw exists due to a boundary error within the WXAM decoder, which would allow remote threat actors to create a specially designed file, trick the victim into opening it to cause memory corruption and execute arbitrary code on the target system.

This is a high severity flaw that received a CVSS score of 7.7/10.

In their report, cybersecurity experts mention that successful exploitation of this flaw could lead to the total compromise of the vulnerable system.

The flaw lies in the following versions of WeChat: 7.0.0, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.9, 7.0.10, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17 & 7.0.18.

While the vulnerability could be exploited by unauthenticated threat actors over the Internet, cybersecurity experts have not detected attempts at active exploitation or the existence of a malware variant associated with this attack. Fixes are now ready, so WeChat users are advised to upgrade to the latest available versions as soon as possible.

As any other mobile application developed by a company established in China, WeChat mentions to its users that the authorities can dispose of and store the information collected by the application for an indefinite period, so its market is mainly local and independent of the market in the West.

It is no surprise that the Chinese Communist Party requires national companies to allow access to their data centers, thus limiting the use of options such as WhatsApp or Telegram. In reality, this app operates virtually as the official communication channel in China, which poses a great risk to activists, political dissidents and even anyone unhappy with the restrictive measures prevailing in the Asian giant.

For more information on vulnerabilities, exploits, malware variants, cybersecurity risks and information security courses, feel free to access the International Cyber Security Institute (IICS) website.

NEW PHISHING TECHNIQUE USES ADVANCED OBFUSCATION AND TELEGRAM CHANNELS TO EVADE DETECTION. HACKERS CAN EASILY BYPASS YOUR FIREWALL

Posted on January 29, 2021

The specialized team FireEye Email Security has published a report on the detection of multiple phishing campaigns in which operators use source code obfuscation of compromised or malicious domains. Threat actors seek to extract confidential information, mainly victims’ banking details.

On the topic used in this campaign, threat actors are trying to take advantage of the increase in e-commerce derived from the pandemic by creating a fake DHL tracking page. This is not an inedited attack variant, although this method is more complex than previously detected ones. Operators employ Web Open Font Format (WOFF)-based replacement encryption, location-specific guidance, and multiple evasion techniques.

HOW THE ATTACK WORKS?

It all starts with an email supposedly sent by DHL. As we can see below, cybercriminals will try to trick users into clicking on an attachment link that redirects to the fraudulent site.

Once the user enters this website, they will be asked to enter their payment card details, so they will get a generic message in response while their financial information is sent to the threat actors in the background.

As mentioned above, something unusual about this campaign is the advanced obfuscation technique that threat actors use to hide the fraudulent origin of their website: “The page’s source code contains the appropriate strings, valid tags, and a well-crafted format, plus coded text when loading the page,” the report says. In general, decoding of such text is done by including script functions within the code; however, in this case the decoding functions are not included in the script.

Decoding is done using WOFF, which occurs when the page is loaded into a browser and will not be visible in the content of the page itself. The following screenshot shows the replacement encryption method and the WOFF font file. Cybercriminals seek to evade detection, as most security solutions use rules based on static forms.

Loading this custom font that decodes text is done in Cascading Style Sheets (CSS), a rare technique compared to using JavaScript to encrypt and decrypt HTML text.

The screenshot above shows the CSS file used to load the WOFF font file. Researchers have also seen the same CSS file, style.css, hosted in other web domains such as:

• hxxps://www.lifepointecc.com/wp-content/sinin/style.css
• hxxps://candyman-shop.com/auth/DHL_HOME/style.css
• hxxps://mail.rsi-insure.com/vendor/ship/dhexpress/style.css
• hxxps://www.scriptarticle.com/thro/HOME/style.css

Researchers also analyzed these legitimate-looking domains, concluding that they do not host active phishing campaigns. Below are some of the more complex features of this campaign.

LOCATION

One of the things that most came to the attention of researchers is that the phishing website displays the local language depending on the location of the target user. Using a localization code, hackers can send messages in English, Spanish and Portuguese.

The backend contains PHP resource files for each supported language, which will be dynamically selected based on the user’s IP address.

EVASION

Operators employ a wide variety of techniques to evade detection, such as checking blocked IP addresses. The backend code provides users with an “HTTP/1.1 403 Forbidden” response header under the following conditions:

• IP has been viewed five times (AntiBomb_User)
• The IP host resolves its list of avoided hostnames (‘google’, ‘Altavista’, ‘Israel’, ‘M247’, ‘barracuda’, ‘niw.com.au’ and more) (AntiBomb_WordBoot func)
• The IP is in its own local block list csv (x.csv in the kit) (AntiBomb_Boot)
• IP has seen POSTING three times (AntiBomb_Block)

After looking at the list of blocked hosts, experts concluded that attackers were trying to block web crawlers.

DATA THEFT

The main objective of this campaign is data theft. The compromised information is sent to email addresses and Telegram channels controlled by threat actors. Using the Telegram Bot API, researchers were able to discover one of the Telegram channels to which this information is sent.

Although using the php mail() function to send stolen credentials is quite common, in the near past, encrypted instant messaging applications like Telegram are frequently used to send phishing information to C&C servers. The FireEye team managed to access one of the Telegram channels controlled by the attacker, as shown in the following screenshot. Information sent to the Telegram channel includes IP addresses and credit card details.

CONCLUSION

Phishing is one of the main cybersecurity threats, so users will always be exposed to this risk. Over this campaign, obfuscation gives attackers a clear advantage over any available security solution, as well as allowing them to get real-time user data.

To prevent this variant of attacks, cybersecurity experts recommend users ignore any suspicious-looking messages, as well as not sharing their personal and financial data with any unsafe-looking websites.

FOR THE FIRST TIME, MULTIMILLION-DOLLAR CRYPTOCURRENCY SCAMMER IS ORDERED TO RETURN STOLEN MONEY TO THE VICTIMS

Posted on January 29, 2021

A report from the U.S. Department of Justice (DOJ) reveals that Jerry Ji Guo has been convicted of his participation in a cryptocurrency fraud scheme. According to Craig D. Fair, Special Agent of the Federal Bureau of Investigation (FBI), the defendant must pay more than $4.3 million USD in compensation to affected users, in addition to serving a six-month prison sentence. Once his sentence has been served, Jerry Ji Gou must serve a three-year term in supervised release.

The 33-year-old defendant, living in San Francisco, California, pleaded guilty in mid-2019 to eight charges of electronic fraud, acknowledging that he represented himself as an initial cryptocurrency offering consultant and assuring his victims that he would conduct major marketing campaigns. However, Guo used the victims’ money for his own purposes and without making any investment in cryptocurrency.

Federal agents believe that cryptocurrency can pose a serious threat, as its use allows cybercriminal groups to hide their records, although these operations can be tracked using the right methods: “We collaborate with our partners in the private sector to locate the stolen assets from victims,” Special Agent Fair adds.

The DOJ mentions that, as part of its plea agreement, the defendant will work with government agencies to identify and return stolen property through forfeiture. In addition, the authorities obtained court orders to seize stolen cash and virtual assets and eventually restore them to their rightful owners in February 2020.

Court documents mention that the defendant would have defrauded cash and cryptocurrency for about $20 million USD today. The Money Laundering and Asset Recovery Section, a component of the Justice Department’s Criminal Division in Washington, D.C., will use the victim restoration process in the damage repair process.

Although this field escapes the financial regulation of the U.S. government, cryptocurrency-related fraud is investigated and prosecuted like any other variant of electronic fraud: “Many mistakenly believe that the law is completely removed from the world of cryptocurrencies; this case proves otherwise by filing criminal charges that allow the return of stolen money to victims,” Special Agent Fair concludes. 

For more information on cybercrime, malicious hacking, vulnerabilities, exploits, malware variants, cybersecurity risks and information security courses, feel free to access the International Cyber Security Institute (IICS) website.

AUTHORITIES SHUT DOWN NETWALKER OPERATIONS; MAIN OPERATOR OF THE RANSOMWARE IS ARRESTED

Posted on January 29, 2021

In a recent report, the U.S. Department of Justice (DOJ) publicly disclosed the shutdown of the Netwalker ransomware operation, as well as bringing charges against Canadian citizen Sebastien Vachon-Desjardins of Gatineau, pointed out as the main criminal operator. This arrest was made possible by the joint work of the U.S. and Bulgarian authorities, who seized Netwalker’s dark web sites, in which threat actors published the stolen information to infected organizations.

Active since late 2019, Netwalker operators have generated severe financial losses for hundreds of organizations worldwide. DOJ documents mention that this cybercriminal group made about $25 million USD over the past five months.

On the defendant, the authorities estimate that Desjardins made a net profit of more than $27 million USD. It should be mentioned that Desjardins began operating the cybercriminal infrastructure since mid-2020, so it was not involved in the development of this malware variant.

Netwalker operated as a ransomware-as-a-service (RaaS) platform, meaning developers were looking to do business with individuals like Desjardins, who are responsible for identifying potential victims and carrying out malicious activities that resulted in the compromise of affected systems. The gains made were shared between the attackers and the malware developers.

In an incident related to this investigation, the Federal Bureau of Investigation (FBI) managed to seize about $450,000 USD in cryptocurrencies, which were part of the profits made by these threat actors.

Among the most prominent victims of this ransomware operation are organizations such as Equinix, Enel Group, Argentina’s migration agency, the University of California San Francisco, as well as hundreds of small and medium-sized companies. Cybercriminals also attacked municipalities, hospitals, research agencies, emergency services, school districts, colleges, and universities throughout the U.S.

While this is a great achievement of the authorities in Bulgaria and the United States, it is too optimistic to think that this is the end of Netwalker’s operation. Detection of similar operations, the work done by developers, and the level of gains earned that authorities have been unable to track allow the DOJ to think that developers could re-operate a similar ransomware platform in the future.

For more information on vulnerabilities, exploits, malware variants, cybersecurity risks and information security courses, feel free to access the International Cyber Security Institute (IICS) website.

HOW STACK OVERFLOW WAS HACKED?

Posted on January 29, 2021

This week Stack Overflow developers released a security report related to the incident that compromised their systems in 2019. According to this report, the threat actor pretended to be one more user of the long-term Q&A platform in order to learn how to perform various hacking tasks on compromised systems.

The platform revealed the security breach in May 2019, later mentioning that this attack resulted in the leaking of some users’ personal information. In an exercise in transparency and accountability, Stack Overflow decided to publish a detailed timeline of each stage of the attack, which they believe would have begun in April 2019 and was detected until May 12, when administrators detected that a user increased their privileges without apparent explanation.

Threat actors reportedly managed to access the personal information of up to 184 users, including details such as full names, email addresses and IP addresses. Administrators believe that theft of personal information was not the attacker’s primary target, as stack overflow source code theft was also demonstrated.

As mentioned above, the attacker would have started using the platform with a non privileged elevated account, waiting patiently until they obtained the privileges necessary to access the platform’s source code.

The report emphasizes that the threat actor failed to access the platform’s public or private databases: “We also want to add that there is no evidence of direct access to our internal networks, so the perpetrator did not have access to data in products such as Teams, Talent or Enterprise,” the platform admins mentioned.

With no doubt, the most striking thing about this incident is the behavior of the hacker, who was frequently active on the forum in order to obtain information to carry out an effective attack: “In a certain way, the guidance the attacker obtained from other Stack Overflow users helped them to complete their goal,” the report says.

The investigation is still ongoing, so platform administrators are not in a position to share additional information about the attacker, merely mentioning that they’re talking about a certainly patient, skillful and determined individual. The report also includes information on the measures taken to manage the incident, in addition to the collaboration programs stacked by Stack Overflow with other platforms since then.

HACKERS TAKE CONTROL OF THE PERL PROGRAMMING LANGUAGE WEB DOMAIN

Posted on January 29, 2021

A recent security report indicates that the domain Perl.com, the official communication platform of the developers of the Perl programming language, would have been stolen. According to Brian Foy, a programming language expert, an unidentified threat actor took control over the platform this January 28.

As users may remember, Perl is a popular programming language designed by Larry Wall more than 30 years ago. Perl takes characteristics of the C language, the interpreted language bourne shell, AWK, thirst, Lisp and, to a lower degree, many other programming languages.  By using the platform Perl.com, enthusiasts of this programming language can interact with a whole community of experts to share information, resolve questions about the use of this tool and more.

Through Reddit, the specialist mentioned: “We are still trying to determine exactly what happened here. While we can’t provide any more details as the investigation is ongoing, we believe it’s an account hack incident and we don’t know how long it can be fixed.” The expert mentions that the perl.org and perl.com are not related to this incident, as they have different legitimate registrants.

About the compromised website, threat actors posted a message announcing the sale of the domain, as well as enlisting the registrar’s contact details. Although this suggests that registration has expired, domain owner Tom Christiansen mentions that Perl domain will remain in effect until at least 2030.

It is not yet known what method the malicious hacker used to compromise the security of this platform, although researchers believe this incident is related to a recent wave of cyberattacks against certain web domains. The cybersecurity community mentions that compromised websites include patterns.com, chip.com and neurologist.com, among others.

The expert tried to ask the cybersecurity community for help in trying to recover the compromised website, a request that is still waiting to be answered: “We are looking for people with experience handling security incidents in order to recover this website; if you have any idea how this attack happened, contact Perl’s security team,” Foy concludes. A Reddit forum has already been enabled to receive feedback.

For more information on security incidents, vulnerabilities, exploits, malware variants, cyberattacks and information security courses, feel free to access the International Cyber Security Institute (IICS) website.

CRITICAL VULNERABILITY IN SAP SOLUTION MANAGER PUTS THOUSANDS OF ORGANIZATIONS AT RISK

Posted on January 22, 2021

Relevant cybercriminal groups have been performing massive online scans to detect servers affected by a critical SAP vulnerability for which a fully functional exploit already exists. The flaw was tracked as CVE-2020-6207, and is a security error in SAP Solution Manager (SolMan) v7.2.

This flaw received a score of 10/10 on the Common Vulnerability Scoring System (CVSS) scale and exists due to the lack of an authentication check. On the vulnerable solution, SolMan is a centralized application for managing cloud computing systems.

The authentication problem lies in the End User Experience Monitoring (EEM) feature, which can be abused to deploy scripts on other systems and lead to hijacking of any tool connected to SolMan by remote code execution. Although SAP released a patch to fix this flaw, the risk increased with the release of a proof of concept (PoC) exploit.

A few days ago researcher Dmitry Chastuhin launched the PoC as part of a research project. Chastuhin mentions that the script verifies and exploits missing authentication checks in SAP EEM and a number of exploit cases and requests have already been detected in real-world scenarios.

These requests come from Europe and Asia, originating from a large number of IP addresses. The researcher adds that organizations that have already installed the security patch are protected from exploitation; however, the lack of updates on vulnerable systems exposes organizations to exploiting the flaw.

“The availability of a public exploit greatly increases the chances of a cyberattack, giving less knowledgeable hackers the ability to abuse a security flaw that could only be exploited by advanced hackers under other conditions,” the researcher adds. System administrators using vulnerable deployments are encouraged to install available updates as soon as possible to mitigate the risk of exploitation.

Members of the cybersecurity community have tried to reach the company, although SAP has not added further details on these reports.

For further reports on vulnerabilities, exploits, malware variants, cybersecurity risks and information security courses fell free to visit the International Institute of Cyber Security (IICS) websites, as well as the official platforms of technology companies.

JOE BIDEN’S INTERNET-CONNECTED BIKE: NEW CYBERSECURITY RISK FOR THE US GOVT?

Posted on January 22, 2021

After a few convulsed weeks resulting from a highly controversial electoral process, Joe Biden has finally begun to serve as president of the United States and, although there are no one doubts the Democrat veteran’s abilities to take the job, many people believe that the US government could do better to address some issues, including cybersecurity.

It has been made public that Biden is working out at his home using a stationary bicycle from manufacturer Peloton; this bike includes a phone and a camera, which in an undesirable scenario would expose the president to all kinds of cyberattack attempts, according to a specialized report.

“Any device equipped with an Internet connection could be available to threat actors, regardless of whether it has a firewall or any other security mechanism,” says Max Kilger, a researcher at the University of Texas in charge of the report. In addition to pointing out the security risks, Kilger mentions that the developers of Peloton bikes would have to use much less sophisticated software than the current one to prevent many of the attacks to which this machine is exposed: “Removing the camera and microphone is a good start; turning off bike streaming features is also recommended,” adds the expert.

Not just the newcomer President Biden could be exposed to the hacking of this gym equipment. The most recent reports indicate the detection of a large increase in demand for Peloton bikes since the beginning of the social distancing due to the coronavirus pandemic, as people now exercise at home. It should be noted that these bikes are not exactly accessible, since each one costs a little more than $2,000 USD.

Concern about these kinds of potential risks is not new to the United States. security agencies. In his recently released memoirs, former President Barack Obama reveals that the Secret Service provided him with a BlackBerry device specifically modified to only send emails, as its call or SMS features were disabled.

The work of these security teams increased considerably during the period of government of Donald Trump, who was obsessed with continuing to use his personal phone to make calls inside the White House, regardless of the constant warnings about the very high security risks involved in this practice. Let’s hope President Biden is more accessible about information security risks than the most routine activities in his life can present.

NEW DETAILS ABOUT THE SOLARWINDS ATTACK ARE DISCLOSED

Posted on January 22, 2021

While it is obvious to mention that the threat actors behind the attack on SolarWinds have advanced knowledge, the cybersecurity community had not been able to specifically define its methods of attack, at least until now. In a recent report, Microsoft security teams detailed some of the techniques used by these hackers to persist on affected systems without attracting the attention of some security tool, a key factor in the success of this campaign.

Although the Sunburst and Solorigate malware variants were detected in late 2020, in recent weeks it was revealed that operators of this attack injected Sunspot malware into compromised systems since September 2019, at which point it initiated the attack on SolarWinds networks.

Experts mention that Sunburst was injected into SolarWinds Orion monitoring software to implement a backdoor on the networks that used this tool. Many of these loads included custom loaders for the Cobalt Strike kit, which included Teardrop: “An undefined stage of attack was the passage from backdoor to Cobalt Strike loader. We found that hackers showed a special approach to making sure the components didn’t have apparent connections to avoid detection,” Microsoft’s report says.

Microsoft researchers mention that threat actors removed the Sunburst backdoor in June 2020 after distributing it during March 2020, starting testing in real-world environments between May and June 2020. The report also mentions that the attackers spent more than a month delimiting their potential victims, as well as preparing their C&C infrastructure: “Although the malware would have been injected into up to 18,000 corporate and government networks, the hackers’ practical activities were critical to the commitment of their main goals,” the report adds.

In addition, the attackers also attempted to separate the Cobalt Strike loader’s execution from the SolarWinds process to ensure a successful infection: “Hackers expected that, should Cobalt Strike be detected and eliminated, the compromised SolarWinds binary would remain active.”

Hackers prepared Cobalt Strike implants in a customized way for each machine, avoiding overlapping folder names, file names, HTTP requests, timestamps, among other compromise indicators, Microsoft concludes. The attack on SolarWinds continues to prove to be a highly sophisticated exploitation campaign, so specialists believe this is unlikely to be the latest report produced in this regard that contains new details. Experts anticipate that these reports will help you better understand this incident and prevent it from happening again in the future.

DATA BREACH AT CRYPTOCURRENCY EXCHANGE PLATFORM AFFECTS THOUSANDS OF INDIA-BASED USERS

Posted on January 22, 2021

During the last weeks the cybersecurity community has identified a new data breach outbreak related to the leaker known as ShinyHunters, who has been attacking multiple organizations worldwide. This time, the hacker assures to have leaked at least 6 GB of data belonging to the clients of Indian cryptocurrency exchange platform BuyUCoin. This platform supports over 50 cryptocurrencies, including Bitcoin and Ethereum.

The database is available for free in a well-known dark web forum. This dump contains up to 325,000 unique registers, which means almost every BuyUCoin user could have been affected by the breach.

The incident was first spotted by cybersecurity specialist Rajshekhar Rajaharia, who mentioned that the data was stored in a MongoDB implementation. Among the affected records he could find confidential data, including:

• Users’ full names
• Email addresses
• Phone numbers
• Bank account numbers
• Bank account type

BuyUCoin stores its clients’ banking details so they can easily perform cryptocurrency transactions. Rajaharia mentioned that ShinyHunters shared some screenshots fo the leaked records, revealing that the database also contains users’ transactions records. The expert, who happens to also be a BuyUCoin client, says that the compromised database is storing data until September 2020, so the incident is affecting completely active details.

On the potential attack vector, the expert mentions that the leaking could be the consequence of a breach at BuyUCoin servers, since the data was leaked as a dump. In this regard, a company’s spokesperson mentioned that there was no data breach: In mid-2020, we conducted a routine testing during which we faced a low impact security incident that compromised around 200 registers of dummy data; not even a single customer was affected”.

Nonetheless, a recently published report by Inc42 contradicts the BuyUCoin statement as the demonstrated the security incident referred by the exchange platform actually exposed users’ data. Affected users and researchers are still waiting for a new BuyUCoin statement.

This is not the only recent security incident involving the leaking of thousands of personal records. A few weeks ago, the payment processing platform Juspay acknowledged that over 100 million users’ records were breached, in what has became the biggest data leaking incident ever registered in India. Juspay operates payments for platforms like Uber, Amazon and Ola, so the leaking could have been a serious drawback for the company’s finances.

CYBERATTACK TARGETING GST NETWORK EXPOSES MILLIONS OF TAXPAYERS’ INFORMATION

Posted on January 22, 2021

Last Thursday the Goods and Service Tax Network (GSTN) posted a tweet mentioning that its security team detected “some activity in the cyberspace by unscrupulous elements”. According to the post, this activity could have led some technical difficulties for taxpayers trying to enter the platform. 

GSTN is a non-profit non-government company providing a shared IT infrastructure and service to both central and state governments including taxpayers and other stakeholders. The registration Front end services, Returns, and payments to all taxpayers are provided by GSTN. This message results both mysterious and concerning for millions of taxpayers, many of them being large companies. 

As per a source close to the incident, GSTN IT security management spotted the anomalous activity between last Wednesday and Thursday: “Experts detected suspicious traffic in one of GSTN eight security layers”. Nonetheless, the source anticipates the network maintainers won’t add incident updates at least until the investigation is completed.

So far, there are no indicators suggesting the incident could result in a data breach. However, Indian authorities ask users of this platform to be aware of any potentially malicious activity during the next few days: “The GSTN portal stores over 12 million taxpayers’ confidential information, so this breach could result in the deployment of further malicious campaigns”, a security alert mentioned.

When it comes to large companies, GSTN stores a lot of critical information, including sales, payroll, purchases, exportation and tax balances: “Given the nature of the stored information, GSTN has been a major target for threat actors from day one; if the store data has been compromised in any way, this could be a national security concern”, mentioned a cybersecurity specialist.

Indian Tax analysts also think that cyberattack attempts are something usual for such an organization, so they should be prepared with the best security mechanisms to prevent any compromise of taxpayers’ information. Such data is sold through dark web forums, so the main goal of the investigators of this incident is to prevent that the GSTN information makes it to this hacking platforms.

For more reports on vulnerabilities, exploits, malware variants, cybersecurity risks and information security courses fell free to visit the International Institute of Cyber Security (IICS) websites, as well as the official platforms of technology companies.