'Karkoff' Is the New 'DNSpionage' With Selective Targeting Strategy


The cybercriminal group behind the infamous DNSpionage malware campaign has been found running a new sophisticated operation that infects selected victims with a new variant of the DNSpionage malware.

First uncovered in November last year, the DNSpionage attacks used compromised sites and crafted malicious documents to infect victims’ computers with DNSpionage, a custom remote administration tool that uses both HTTP and DNS to communicate with the attacker-controlled command and control server.

According to a new report published by Cisco’s Talos threat research team, the group has adopted some new tactics, techniques and procedures to improve the efficacy of their operations, making their cyber attacks more targeted, organised and sophisticated in nature.

Unlike in previous campaigns, the attackers now perform reconnaissance on their victims before infecting them with a new piece of malware, dubbed Karkoff, which allows them to choose selectively which targets to infect in order to remain undetected.

“We identified infrastructure overlaps in the DNSpionage and the Karkoff cases,” the researchers say.

During the reconnaissance phase, the attackers gather system information about the workstation environment, operating system, domain, and list of running processes on the victim’s machine.

“The malware searches for two specific anti-virus platforms: Avira and Avast. If one of these security products is installed on the system and identified during the reconnaissance phase, a specific flag will be set, and some options from the configuration file will be ignored,” the researchers say.

Developed in .NET, Karkoff allows attackers to execute arbitrary code on compromised hosts remotely from their C&C server. Cisco Talos identified Karkoff as previously undocumented malware earlier this month.

What’s interesting is that the Karkoff malware generates a log file on the victim’s system containing a list of all the commands it has executed, each with a timestamp.

“This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat,” the researchers explain.

“With this in mind, an organisation compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them.”

Like the last DNSpionage campaign, the recently discovered attacks also target the Middle Eastern region, including Lebanon and the United Arab Emirates (UAE).

Besides disabling macros and using reliable antivirus software, the most important protection is to stay vigilant and keep yourself informed about social engineering techniques, which reduces the risk of becoming a victim of such attacks.

Due to several public reports of DNS hijacking attacks, the U.S. Department of Homeland Security (DHS) earlier this year issued an “emergency directive” to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains.


Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress


Hackers have been found exploiting a pair of critical security vulnerabilities in a popular social media sharing plugin to take control of WordPress websites that are still running a vulnerable version of the plugin.

The vulnerable plugin in question is Social Warfare, a popular and widely deployed WordPress plugin with more than 900,000 downloads. It is used to add social share buttons to a WordPress website or blog.

Late last month, the maintainers of Social Warfare for WordPress released version 3.5.3 of their plugin to patch two security vulnerabilities, a stored cross-site scripting (XSS) flaw and a remote code execution (RCE) flaw, both tracked under a single identifier, CVE-2019-9978.

Hackers can exploit these vulnerabilities to run arbitrary PHP code and take complete control over websites and servers without authentication, and then use the compromised sites to perform digital coin mining or host malicious exploit code.

However, on the same day that Social Warfare released the patched version of its plugin, an unnamed security researcher published a full disclosure and a proof-of-concept for the stored cross-site scripting (XSS) vulnerability.


Soon after the full disclosure and PoC release, attackers started attempting to exploit the vulnerability, but fortunately the activity was limited to injecting JavaScript redirects, and researchers found no in-the-wild attempts to exploit the RCE vulnerability.

Now, Palo Alto Networks’ Unit 42 researchers have found several exploits taking advantage of these vulnerabilities in the wild, including an exploit for the RCE vulnerability, which gives the attacker control of the affected website, and an exploit for the XSS vulnerability, which redirects visitors to an ads site.

Both flaws stem from improper input handling, but it was the use of the wrong, insufficient function for access control that made them exploitable by remote attackers without any authentication.

“The root cause of each of these two vulnerabilities is the same: the misuse of the is_admin() function in WordPress,” the researchers say in a blog post. “Is_admin only checks if the requested page is part of admin interface and won’t prevent any unauthorized visit.”
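To show the misuse the researchers describe, here is an added illustration in PHP (not Social Warfare’s code): a hypothetical plugin handler that writes a setting, first gated only by is_admin(), then gated by a real capability check, a nonce, and input sanitization. The function and option names are assumptions.

```php
<?php
// Added illustration, not Social Warfare's code: a hypothetical plugin
// endpoint that lets a privileged user change a plugin setting.

// BEFORE: is_admin() is used as if it were an authorization check.
// It only reports whether the request targets an admin-area URL
// (for example /wp-admin/admin-ajax.php), so an unauthenticated
// visitor who requests such a URL passes this gate.
function hypo_update_setting_vulnerable() {
    if ( ! is_admin() ) {
        return;
    }
    // Unsafe: an unauthenticated request reaches this line.
    update_option( 'hypo_setting', wp_unslash( $_POST['value'] ?? '' ) );
}

// AFTER: the same handler gated on a capability check plus a nonce.
function hypo_update_setting_fixed() {
    // 1. Is the caller a logged-in user allowed to manage settings?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Did the request originate from our own form (CSRF protection)?
    check_admin_referer( 'hypo_update_setting' );
    // 3. Sanitize the input before storing it (stored XSS defence).
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'hypo_setting', $value );
}

// The admin_post_ hook only fires for authenticated users; the
// admin_post_nopriv_ variant, which would expose the handler to
// anonymous visitors, is deliberately not registered.
add_action( 'admin_post_hypo_update_setting', 'hypo_update_setting_fixed' );
```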

At the time of writing, more than 37,000 of the 42,000 active WordPress websites using the plugin, including education, finance, and news sites (some of them Alexa top-ranked websites), are still running an outdated, vulnerable version of Social Warfare, leaving hundreds of millions of their visitors at risk of being attacked through various other vectors.

Since the attackers are likely to continue exploiting these vulnerabilities against WordPress users, website administrators are strongly advised to update the Social Warfare plugin to version 3.5.3 or newer as soon as possible.


Source Code for CARBANAK Banking Malware Found On VirusTotal


Security researchers have discovered the full source code of the Carbanak malware—yes, this time it’s for real.

Carbanak, sometimes referred to as FIN7, Anunak or Cobalt, is one of the most full-featured and dangerous malware families, belonging to an APT-style cybercriminal group involved in several attacks against banks, financial institutions, hospitals, and restaurants.

In July last year, there was a rumor that the source code of Carbanak had been leaked to the public, but researchers at Kaspersky Lab later confirmed that the leaked code was not the Carbanak Trojan.

Now cybersecurity researchers from FireEye have revealed that they found Carbanak’s source code, builders, and some previously unseen plugins in two RAR archives [1, 2] that were uploaded to the VirusTotal malware scanning engine two years ago from a Russian IP address.

“CARBANAK source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code,” researchers say. “Our goal was to find threat intelligence we missed in our previous analyses.”

FireEye researchers plan to release a four-part series of articles detailing CARBANAK’s features and their analysis based on its source code and reverse engineering.

First uncovered in 2014 by Kaspersky Lab, Carbanak is one of the most successful malware operations in the world, launched by a highly organized group that continually evolved its tactics to carry out cybercrime while avoiding detection by potential targets and the authorities.

The hacker group started its activities almost six years ago by launching a series of malware attacks using Anunak and Carbanak to compromise banks and ATM networks worldwide, stealing over a billion euros from more than 100 banks across the globe.

To compromise banks, the hackers sent malicious spear-phishing emails to hundreds of employees at different banks; when opened, the attachments infected the employees’ computers with Carbanak, allowing the attackers to transfer money from the affected banks to fake accounts or to ATMs they monitored.

According to the European authorities, the criminal group later developed a sophisticated, heist-ready banking trojan called Cobalt, based on the Cobalt Strike penetration testing software, which was in use until 2016.

The group was first exposed in 2015 as financially motivated cybercriminals, and three suspects, Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30, all from Ukraine, were arrested in Europe between January and June last year.

All three suspects, one of whom (Kopakov) is believed to be the leader of the organised criminal group, were indicted and charged with a total of 26 felony counts in August 2018.


Hacker Breaks Into French Government's New Secure Messaging App


A white-hat hacker found a way into the French government’s newly launched, encrypted messaging app, which is otherwise supposed to be accessible only to officials and politicians holding government-issued email accounts.

Dubbed “Tchap,” the end-to-end encrypted, open source messaging app was created by the French government to keep the data of its officials, parliamentarians and ministers on servers inside the country, over concerns that foreign agencies could use other services to spy on their communications.

The Tchap app is built on the Riot client, an open source instant messaging application that implements the self-hostable Matrix protocol for end-to-end encrypted communication.

Yes, it’s the same “Riot and Matrix” that was in the news earlier this week after an unknown hacker broke into its servers and stole unencrypted private messages, password hashes, access tokens, and the GPG keys the project maintainers used for signing packages.

The cyber attack on Matrix was so serious that it eventually forced its maintainers to shut down the entire production infrastructure of the service for several hours and log all users out of Matrix.org.

Though the Tchap app is available on the Google Play Store and can be downloaded by anyone, only users with a government-issued email account, for example at @gouv.fr or @elysee.fr, are supposed to be able to sign up and access it.

However, Robert Baptiste, a French security researcher better known by his Twitter username Elliot Alderson, found a security loophole that could allow anyone to sign up for an account with the Tchap app and access groups and channels without an official email address.

In a blog post published today, Robert demonstrated how he was able to create an account with the service using a regular email address by exploiting an email validation bug in Tchap’s Android app.

“I modified email to fs0c131y@protonmail.com@presidence@elysee.fr. Bingo! I received an email from Tchap, I was able to validate my account!” Robert says.

“I am logged in as an Elysée employee, and I had access to the public rooms.”

Robert reported his findings to the Matrix team, who quickly released a patch to fix the issue, which according to the team was specific to the DINSIC Matrix deployment.
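As an added illustration (not Tchap’s code; the article does not say how Tchap’s check was written), the PHP below contrasts a hypothetical suffix-based domain check, which accepts the address quoted above, with a strict check that validates the address syntax first and then compares the domain part exactly. The allowlist and sample addresses are constructed.

```php
<?php
// Added illustration, not Tchap's code. The naive check is a hypothetical
// stand-in for whatever let the quoted address through.

$allowed_domains = array( 'gouv.fr', 'elysee.fr' );

// NAIVE: a suffix test. "x@protonmail.com@presidence@elysee.fr" ends in
// "@elysee.fr", so this wrongly accepts it even though the address is
// not deliverable to anyone at elysee.fr.
function naive_is_allowed( $email, array $allowed_domains ) {
    foreach ( $allowed_domains as $domain ) {
        $suffix = '@' . $domain;
        if ( substr( $email, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// STRICT: first require a syntactically valid address (PHP's validator
// rejects an unquoted '@' inside the local part, so multi-'@' strings
// fail here), then compare the domain part exactly, case-insensitively.
function strict_is_allowed( $email, array $allowed_domains ) {
    if ( filter_var( $email, FILTER_VALIDATE_EMAIL ) === false ) {
        return false;
    }
    $domain = strtolower( substr( $email, strrpos( $email, '@' ) + 1 ) );
    return in_array( $domain, $allowed_domains, true );
}

// Constructed samples, including the address quoted in the article.
$samples = array(
    'agent@elysee.fr',
    'someone@example.org',
    'fs0c131y@protonmail.com@presidence@elysee.fr',
);
foreach ( $samples as $email ) {
    printf( "%-48s naive=%-6s strict=%s\n", $email,
        naive_is_allowed( $email, $allowed_domains ) ? 'accept' : 'reject',
        strict_is_allowed( $email, $allowed_domains ) ? 'accept' : 'reject' );
}
```

For the third sample the naive check prints accept and the strict check prints reject; a server-side check of this kind must run regardless of what the mobile client validates.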
