Weekly Cybersecurity Roundup #11
"Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted; none of these measures address the weakest link in the security chain." – Kevin Mitnick
Build Your Own Botnet - Web App
I made a web GUI for the BYOB (Build Your Own Botnet) project - what do you guys think?
You can check out a preview at https://buildyourownbotnet.com or get the code on GitHub at https://github.com/malwaredllc/byob.
BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool
In 2016, a sophisticated malware campaign targeting Pakistani nationals made headlines. The group behind it, dubbed Bitter (also known as APT-C-08), has been running both desktop and mobile malware campaigns for a long time, with activity that appears to date back to 2014.
The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions for Android (released in 2014) were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.
79 Netgear router models risk full takeover due to unpatched bug
An unpatched zero-day vulnerability exists in 79 Netgear router models that allows an attacker to take full control of vulnerable devices remotely.
Discovered independently by both Adam Nichols of cybersecurity firm Grimm and d4rkn3ss from Vietnam's VNPT ISC (through Zero Day Initiative), the vulnerability lies in the HTTPD daemon used to manage the router.
While ZDI's report includes brief information about the vulnerability, Nichols has released a detailed explanation of the vulnerability, a PoC exploit, and scripts to find vulnerable routers.
Cognizant Confirms Data Breach After Ransomware Attack
IT services giant Cognizant suffered a ransomware attack last April which caused service disruptions to its clients.
Cognizant is an IT giant with more than 300,000 employees that provides IT services, including digital, technology, consulting, and operations services.
Expert Insight On Massive Spying On Users Of Google’s Chrome Shows New Security Weakness
It has been reported that a newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions. Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools. Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date. Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely. It is unclear who was behind the effort to distribute the malware. Awake said the developers supplied fake contact information when they submitted the extensions to Google.
Shlayer Mac Malware now has advanced capabilities
Spreading via poisoned Google search results, this new version of Mac’s No. 1 threat comes with added stealth.
A fresh variant of the Shlayer Mac OSX malware with advanced stealth capabilities has been spotted in the wild, actively using poisoned Google search results in order to find its victims.
According to researchers at Intego, the malware, like many malware samples before it, is purporting to be an Adobe Flash Player installer. However, it has its own unique characteristics: It takes a crafty road to infection once it’s downloaded, all in the name of evading detection.
To start with, the masquerading “installer” is downloaded as a .DMG disk image, according to Intego’s analysis.
Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
On June 10, we found a malicious Word document disguised as a resume that uses template injection to drop a .Net Loader. This is the first part of a multi-stage attack that we believe is associated with an APT attack. In the last stage, the threat actors used Cobalt Strike’s Malleable C2 feature to download the final payload and perform C2 communications.
This attack is particularly clever for its evasion techniques. For instance, we observed an intentional delay in executing the payload from the malicious Word macro. The goal is not to compromise the victim right away, but instead to wait until they restart their machine. Additionally, by hiding shellcode within an innocuous JavaScript and loading it without touching the disk, this APT group can further thwart detection from security products.
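The template injection mentioned in this summary relies on a document's settings referencing a template that Word fetches from a remote location when the file is opened. The Python below is an added defensive example, not code from the Malwarebytes analysis: it opens a .docx (a ZIP archive), reads the attachedTemplate relationship in word/_rels/settings.xml.rels, and flags targets that point at a remote host (http, https or a UNC path) while leaving ordinary local templates alone. Both sample documents are constructed in memory so the script runs offline, and the URL in the suspicious sample is a placeholder, not an indicator from the article.

```python
"""Flag Word documents whose settings pull a template from a remote host.

Added example for this roundup, not code from the Malwarebytes write-up.
A .docx is a ZIP archive; a remote template appears as an attachedTemplate
relationship in word/_rels/settings.xml.rels with TargetMode="External".
Local templates use the same relationship with a file:/// target, so the
check looks at the target's scheme rather than at TargetMode alone.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def _is_remote(target: str) -> bool:
    """True for http(s) URLs and UNC paths; file:/// and relative paths are local."""
    t = target.strip().lower()
    return t.startswith(("http://", "https://", "\\\\"))


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the remote targets of attachedTemplate relationships, if any."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships, nothing to fetch
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode", "Internal") == "External" and _is_remote(target):
                hits.append(target)
    return hits


def _build_docx(settings_rels: str) -> bytes:
    """Assemble a minimal, constructed .docx containing the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr(SETTINGS_RELS, settings_rels)
    return buf.getvalue()


# Constructed sample: settings reference a template on a remote host.
# The hostname is a placeholder, not an indicator from the article.
SUSPICIOUS_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://example.invalid/resume.dotm" TargetMode="External"/>'
    "</Relationships>"
)

# Constructed sample: same relationship type, but a local template on disk.
BENIGN_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="file:///C:/Users/alice/Templates/Normal.dotm" TargetMode="External"/>'
    "</Relationships>"
)

SUSPICIOUS_DOCX = _build_docx(SUSPICIOUS_RELS)
BENIGN_DOCX = _build_docx(BENIGN_RELS)

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, find_remote_templates(doc))
```

Run against real files with `find_remote_templates(open(path, "rb").read())`; a non-empty result is worth a closer look at the document before it reaches a user, because Word will fetch and execute macros from that template on open.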
Do cybercriminals play cyber games during quarantine?
Thanks to the coronavirus pandemic, the role of the Internet in our lives has undergone changes, including irreversible ones. Some of these changes are definitely for the better, some are not very good, but almost all of them in some way affect digital security issues.
We decided to take a closer look at the changes around us through the prism of information security, starting with the video game industry.
Maze Ransomware gang breached the US chipmaker MaxLinear
U.S. system-on-chip maker MaxLinear is the latest victim of the Maze ransomware operators. The company revealed that its systems were infected last month, but the threat actors first compromised the company on April 15.
MaxLinear is an American hardware company that provides highly integrated radio-frequency (RF) analog and mixed-signal semiconductor solutions for broadband communications applications.
The company already sent a data breach notification to the impacted individuals.
“On May 24, 2020, we discovered a security incident affecting some of our systems. We immediately took all systems offline, retained third-party cybersecurity experts to aid in our investigation, contacted law enforcement, and worked to safely restore systems in a manner that protected the security of information on our systems.” reads the data breach notification. “Our investigation to-date has identified evidence of unauthorized access to our systems from approximately April 15, 2020 until May 24, 2020. Our investigation has also identified evidence of unauthorized access to files containing personal information relating to you.”
InvisiMole Hackers Target High-Profile Military and Diplomatic Entities
Cybersecurity researchers today uncovered the modus operandi of an elusive threat group that hacks into high-profile military and diplomatic entities in Eastern Europe for espionage.
The findings are part of a collaborative analysis by cybersecurity firm ESET and the impacted firms, resulting in an extensive look into InvisiMole's operations and the group's tactics, techniques, and procedures (TTPs).
"ESET researchers conducted an investigation of these attacks in cooperation with the affected organizations and were able to uncover the extensive, sophisticated tool-sets used for delivery, lateral movement, and execution of InvisiMole's backdoors," the company said in a report shared with The Hacker News.