News Items

The Black Basta ransomware group is working with the QBot malware operation to spread laterally through compromised business systems. QBot, also known as QuakBot, is a Windows malware capable of stealing bank and domain passwords and distributing other malware payloads to infected systems. The most prevalent way for victims to become infected with QBot is through phishing attempts using malicious attachments. Despite its origins as a banking Trojan, it has worked with a number of other ransomware gangs, including MegaCortex, ProLock, DoppelPaymer, and Egregor. Black Basta is a relatively new ransomware operation that has made a solid start by compromising many businesses in a short amount of time while demanding large ransom payments. During the most recent incident response, analysts from the NCC Group discovered the new alliance between QBot and Black Basta and were able to determine the threat actor's actions. While most ransomware gangs utilize QBot to get initial access, the Black Basta gang exploited it to spread laterally throughout the network. The malware installs a temporary service on the target host and configures it to run its DLL using regsvr32.exe. When activated, QBot can infect network shares and disks, brute-force AD accounts, or spread via default admin shares using current user credentials through the SMB (Server Message Block) file-sharing protocol. This article continues to discuss findings surrounding the Black Basta ransomware gang's partnership with the QBot malware operation.

CyberIntelMag reports "QBot Now Distributes Black Basta Ransomware During Bot-Powered Attacks"

Paul Staat and Johannes Tobisch, Ph.D. students at RUB, are developing methods for protecting hardware against manipulation. Technical systems must be safeguarded not only from remote cyberattacks, but also from hardware modification. They are working on a technology capable of monitoring entire systems for manipulation inexpensively. Radio waves are used for this purpose. In the monitored system, they install two antennas (i.e., a transmitter and a receiver). The transmitter emits a special radio signal that spreads throughout the system and is reflected by the walls and computer components. All of these reflections result in a signal to the receiver that is as unique to the system as a fingerprint. This article continues to discuss the concept, development, testing, and potential application of the researchers' new technology aimed at monitoring entire systems for manipulation using radio waves.

RUB reports "IT Security: When the Hardware Traps Criminals"

There is a new wave of phishing campaigns attempting to spread SVCReady malware. This malware is known for the unusual way in which it is delivered to target PCs as it uses shellcode hidden in the properties of Microsoft Office documents. SVCReady is suspected to be in its early stage of development, with the malware being iteratively updated numerous times last month. The first signs of its activity appeared on April 22, 2022. SVCReady's infection chain entails delivering Microsoft Word document attachments with VBA macros to targets through email in order to activate the deployment of malicious payloads. The campaign stands apart because the macro runs shellcode stored in the document properties instead of employing PowerShell or MSHTA to retrieve next-stage executables from a remote server. In addition to maintaining persistence on the infected host via a scheduled process, the SVCReady can gather system information, capture screenshots, conduct shell commands, and download and execute arbitrary files. This article continues to discuss findings surrounding new phishing campaigns delivering SVCReady malware.

THN reports "Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware"

Guillaume Dupont, a Ph.D. student at the Eindhoven University of Technology (TU/e), investigated the 'safeness' risks in hospitals and modern automobiles, two critical cyber-physical domains. He developed three key requirements to provide efficient security monitoring of these areas. Digitalization continues to transform the economy and technology landscape, resulting in an unprecedented reliance on networked systems such as computers, smartphones, and Internet of Things (IoT) devices. Some of these environments can conduct physical activities, and in order to do so, they gather, process, and store vast amounts of personal data from users. Although these technologies and operations provide several benefits, they also pose new threats that might have a significant impact on the 'safeness' of users (i.e., their physical safety and digital privacy). Attacks on cyber-physical systems can impact machine behavior, leading to physical harm to users. Furthermore, cybercriminals who steal and abuse personal data can affect individuals by using their data to commit fraud or extortion. Dupont's work has made a number of contributions, including a device classification method that aids in identifying network devices, the discovery of vulnerabilities in hospital communication protocols, a classification of intrusion detection systems for automotive networks, and a framework for the evaluation of these systems. These results enabled the identification of three main requirements for applying network security monitoring in safeness-critical environments. First, technical information on the network-connected devices is required, such as their type and function. Second, there must be information about device communication, including transmission patterns and data types exchanged. Third, one must be able to examine and assess the performance of network security monitoring tools such as intrusion detection systems. This article continues to discuss Dupont's study on network security monitoring in environments where digital and physical safety is critical.

TU/e reports "Protecting Our Physical and Digital Safety in Hospitals and Connected Cars"

Even though consumers won't see it for years, researchers worldwide are already laying the foundation for the next generation of wireless communications, 6G. Security researchers at the University of Texas at Austin have developed components that will allow future devices to achieve increased speeds necessary for such a technological jump. The researchers demonstrated new radio frequency switches that are responsible for keeping devices connected by jumping between networks and frequencies while receiving data. The researchers stated that, in contrast with the switches present in most electronics today, these new devices are made of two-dimensional materials that take significantly less energy to operate, which means more speed and better battery life for the device. The researchers noted that because of the increased demand for speed and power, 6G devices will probably have hundreds of switches in them, many more than the electronics currently on the market. To reach increased speeds, 6G devices will have to access higher frequency spectrum bands than today's electronics, and these switches are key to achieving that. Each wireless generation lasts about a decade, and the 5G rollout began in 2020. The researchers estimate that 6G deployment isn't likely to happen until around 2030. The researchers argue that the time is now to put all the necessary building blocks in place. The next step in this project is to integrate the switches with silicon chips and circuits. The researchers are looking at improving how well the switches can jump between frequencies, which would give devices better connections on the go. The researchers are pursuing collaborations with industry partners on developing the switches for commercial adoption.

UT News reports: "6G Component Provides Speed, Efficiency Needed for Next-Gen Network"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has announced a collaborative effort with the industry to increase the adoption of Multi-Factor Authentication (MFA) as well as ensure widespread understanding of why MFA is one of the strongest tools to use in cyber intrusion prevention. CISA wants to raise widespread awareness and understanding of the benefits of MFA to ensure that every American is aware of the simple steps they can take to stay safe online. The cyber defense agency also wants to encourage technology companies to make MFA available as a default option. Throughout the month of June, CISA's "More Than a Password" campaign will include a newly created webpage with tools, how-to guides, and social media material. This article continues to discuss CISA's new social media campaign to get partners and the public to adopt and enable MFA.

CISA reports "CISA Challenges Partners and Public to Push for 'More Than a Password' in New Social Media Campaign"

The Cybersecurity and Infrastructure Security Agency (CISA) recently put out an advisory stating that vulnerabilities within some Dominion voting machines used in roughly a dozen states should be mitigated "as soon as possible." The technical flaws were found within the Dominion Voting Systems Democracy Suite ImageCast X, an in-person voting system that allows voters to mark their ballots. CISA has no evidence that these vulnerabilities have been exploited in any elections. CISA noted that adversaries looking to exploit the identified vulnerabilities would require physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to the devices. CISA recommended a few mitigations such as ensuring software and firmware updates are made, physical protection of machines at all times, and ensuring that the machines are not connected to any external internet networks. A spokesperson from Dominion stated that its machines "are accurate and secure" and that "the issues raised in the advisory are limited to ballot marking devices, not vote tabulators."

CyberScoop reports: "CISA Issues Vulnerability Advisory For Select Dominion Voting Equipment, Urges Updates"

Recently, a prominent ransomware group claimed it had successfully attacked cybersecurity giant Mandiant and would release company files. The ransomware group posted a note slamming Mandiant's recent research linking it to a separate, sanctioned cybercrime group. LockBit 2.0 originally claimed on its dark web portal that it would release Mandiant files late Monday. A Mandiant spokesperson stated that the company was aware of the claims but saw no evidence to support them. The spokesperson noted that it appears that the ransomware group is trying to disprove Mandiant's June 2, 2022, research blog on UNC2165 and LockBit. On June 2, Mandiant published an analysis suggesting that affiliates of Evil Corp., a long-running cybercrime group that the U.S. government sanctioned in 2019, had turned to using LockBit 2.0 off-the-shelf ransomware to evade sanctions. A note posted to LockBit 2.0's website late Monday called Mandiant "not professional" and denied any connection with Evil Corp. Brett Callow, a threat analyst with cybersecurity firm Emsisoft who follows the ransomware ecosystem closely, said the group has "made a number of false claims in the past."

CyberScoop reports: "LockBit 2.0 Gang Claims Mandiant as Latest Victim; Mandiant Sees no Evidence of it"

A team of researchers at Carnegie Mellon University's CyLab developed a new privacy-sensitive architecture for developers building smart home apps. The architecture, which the team refers to as "Peekaboo," takes requests from developers to share certain pieces of data and ensures only the essential data pieces are shared with them to fulfill their request. Developers use the Peekaboo architecture to declare all of the data they intend to collect and under what conditions, where that data is being sent, and the granularity of the data itself. Then, an in-home hub acts as a bridge between all of the devices in the home and the outside Internet. The hub enforces sharing data only declared by the developer. The Peekaboo protocol will enable users to manage privacy preferences for all of their devices in a centralized way via the hub. This article continues to discuss the concept and goals of CyLab's new privacy-sensitive Peekaboo architecture.

CyLab reports "Peekaboo! Here's a System to Guarantee Smart Home Privacy"

In a new study, security researchers at Trend Micro polled over 6200 IT and business decision makers. They found that global organizations are still beset with cyber visibility and control challenges, with two-fifths (43%) admitting their digital attack surface is out of control as a result. The researchers also found that nearly three-quarters (73%) of respondents are concerned about the increasing size of their attack surface. Over a third (37%) said it is "constantly evolving and messy," and just half (51%) thought they were able to fully define its extent. The researchers stated that these visibility challenges are greatest in cloud environments, although problems persist across the board. The researchers highlighted complex supply chains, tool bloat, and home working-driven shadow IT as additional contributory factors. On average, respondents estimated having just 62% visibility of their attack surface. The researchers stated that the continued practice of manual (24%) and regional (29%) attack surface mapping is also hampering efforts. Over half (54%) of responding organizations said they don't believe their method of assessing risk exposure is sophisticated enough. The researchers noted that almost two-fifths (35%) of participants only review or update their risk exposure monthly or less frequently.

Infosecurity reports: "Cyberattack Surface 'Spiralling Out of Control'"

Data-driven innovation, whether in the form of tailored medicine, public services, or efficient industrial production, promises to significantly benefit people and the environment, and provide widespread access to data. However, aggressive data collection and analysis practices raise concerns about societal values and fundamental rights. Therefore, one of the most pressing challenges in unlocking the potential of data-driven technologies is ensuring the confidentiality of sensitive personal data while widening access to the data. A new paper from EPFL's Security and Privacy Engineering Lab (SPRING) in the School of Computer and Communication Sciences contends that the promise that any data use can be solved while maintaining both utility and privacy is akin to chasing rainbows. Assistant Professor Carmela Troncoso, head of the SPRING Lab and co-author of the paper, says there are two traditional approaches to preserving privacy. There is a path that involves using privacy-preserving cryptography, processing data in a decrypted domain, and obtaining a result. The limitation, however, is the need to design highly targeted algorithms rather than simply performing generic computations. The problem with this type of privacy-preserving technology, according to the paper, is that it does not address one of the most pressing issues for practitioners: how to share high-quality individual-level data in a way that preserves privacy while allowing analysts to extract the full value of a dataset in a highly flexible manner. The anonymization of data is the second avenue that attempts to solve this challenge, which involves removing names, locations, and postcodes but the paper argues that the problem is often the data itself. This article continues to discuss new research on why the search for a privacy-preserving data sharing mechanism is failing.

EPFL reports "Perfect Privacy Technology and Chasing Rainbows"

Security researchers at Shadow Server Foundation have discovered that more than 3.6 million MySQL servers are publicly exposed on the internet. During their research, the researchers simply issued a MySQL connection request on default port 3306 to see if a server responded with a MySQL Server Greeting, rather than intrusive requests that pentesters use to break into databases. The researchers found that 67% of all MySQL services are accessible from the internet. Out of 3,947,457 servers, 2,279,908 servers responded with a greeting on IPV4. Out of 1,421,010 servers, 1,343,993 servers responded with a greeting on IPV6. The countries with the most accessible servers on IPV4 are the United States (740,100), China (296,300), Poland (207,800), and Germany (174,900). The countries with the most accessible servers on IPV6 are the United States (460,800), the Netherlands (296,300), Singapore (218,200), and Germany (173,700). The researchers stated that most MySQL servers use default configurations and are thus prone to attacks, which can lead to serious incidents such as massive data breaches and thefts, stolen credentials, or lateral movement across networks. The researchers noted that the big problem is that default configurations use port 3306 and will likely expose more of the server than necessary. The researchers said that it is not a big deal if you install it on your local machine to make some tests, but on live production websites, it extends the attack surface with vulnerabilities. The researchers suggest that individuals change that port number, for example, to 3333, and disallow external connections from the internet if they don't need this feature, which represents most cases.

eSecurity Planet reports: "Millions of MySQL Servers are Publicly Exposed"

According to a recent ReversingLabs study conducted by Dimensional Research, less than a third of companies today use Software Bills of Materials (SBoMs). Half of those said the process of creating and reviewing SBoMs involves manual steps, which is a time-consuming task when there could be thousands of lines of code in the mix. SBoMs, according to security experts, are foundational in understanding and managing software supply chain risks. Most software engineering teams have been pushed by modern development practices to avoid reinventing the wheel when building common functions into their software and instead use open source libraries and packages that the community has already developed. This speeds up their work and improves predictability, but if there is no governance or visibility into which components they use, the risk from vulnerabilities can quickly become unmanageable. SBoMs assist development teams in understanding what code is running under the hood of their applications and in determining when underlying components are vulnerable. Given the low prevalence of SBoMs reported by ReversingLabs survey participants, it is not surprising that almost half of them admitted to being unprepared to protect their software against supply chain attacks. This article continues to discuss the lack in the adoption of SBoMs as well as three different initiatives aimed at increasing the rate at which SBoMs are generated and improving the effectiveness in how organizations use them to protect their software.

Dark Reading reports "Gathering Momentum: 3 Steps Forward to Expand SBoM Use"

Last year, Apple says its App Store fraud prevention mechanisms stopped potentially fraudulent transactions totaling roughly $1.5 billion. Apple noted that throughout 2021, they prevented more than 3.3 million stolen credit cards from making purchases in the App Store and banned nearly 600,000 accounts from ever transacting again. The company also noted that in 2021 it rejected more than 1.6 million risky and vulnerable applications and app updates from the store, either for containing vulnerabilities that impeded functionality or for requiring various improvements. Of over 835,000 problematic new apps, 34,000 were apps containing hidden or undocumented features, 157,000 were spam, copycat, or otherwise misleading apps, and over 340,000 were privacy-violating apps. Furthermore, an additional 805,000 app updates were rejected or removed from the App Store as part of Apple's App Review process. In 2021 Apple helped more than 107,000 new developers publish applications in the App Store, terminated more than 802,000 fraudulent developer accounts, and prevented 153,000 developer enrollments over fraud concerns. Customer accounts were also deactivated for engaging in fraudulent and abusive activity: a total of 170 million of them. An additional 118 million account creation attempts were rejected due to suspicion of potential fraudulent and abusive activity.

SecurityWeek reports: "Apple Blocked 1.6 Million Risky, Vulnerable Apps in 2021"

Security researchers at NCC Group have discovered a critical vulnerability in the U-Boot boot loader. An open-source boot loader, U-Boot is used in various types of embedded systems, including ChromeOS and Android. It supports multiple architectures, including 68k, ARM, x86, MIPS, Nios, PPC, and more. The researchers stated that the IP defragmentation algorithm implemented in U-Boot is plagued by two vulnerabilities that can be exploited from the local network by crafting malformed packets. The first vulnerability, CVE-2022-30790 (CVSS score of 9.6), exposes the defragmentation algorithm to a hole descriptor overwrite attack, NCC's researchers say. The researchers stated that because of this security bug, the metadata and fragment can be forged to point to the same location, which leads to the metadata being overwritten with fragmented data. An adversary can trigger an arbitrary write by sending a second fragment, "whose offset and length only need to fit within the hole pointed to by the previously controlled metadata." The researchers noted that this bug is only exploitable from the local network as it requires crafting a malformed packet which would most likely be dropped during routing. However, the researchers say this can be effectively leveraged to root Linux-based embedded devices locally. The second vulnerability, CVE-2022-30552 (CVSS score of 7.1), is a buffer overflow that could lead to a denial of service (DoS). The second vulnerability can be exploited by crafting a malformed packet that has a specific value lower than the minimum accepted total length, which would result in the called function attempting to make a copy of a greater size than the buffer can withhold. The researchers informed the U-Boot maintainers of the vulnerabilities on May 18, and fixes are in the works.

SecurityWeek reports: "Critical U-Boot Vulnerability Allows Rooting of Embedded Systems"

Researchers at the anti-bot specialist firm Kasada have discovered the use of 'Solver Service' bots, an Application Programming Interface (API)-as-a-service tool designed to bypass most bot management systems. Solving a bot detection system's defense allows enterprising cybercriminals to now commercialize the Solver Service they deciphered and sell it for a profit. Buyers can successfully perform automated bot attacks without any technical skills and without worrying about what bot defenses are implemented into a site. Over the last year, there has been a more than 750 percent increase in the use of solver bots for login abuse/account takeover attacks in the eCommerce sector. This is especially appealing to fraudsters because it allows them to obtain hard-to-come-by items to resell for a profit, as well as scrape content, take over accounts, hoard inventory, and engage in other forms of automated fraud. In response to the discovery, Kasada is launching an enhanced platform that disrupts this growing supply chain of Solver Services and other innovative ways attackers circumvent detection. The company's approach to defeating bots adapts as fast as the attackers working against it, in contrast to older reactive bot management systems that rely on static and poorly obfuscated defense methods. This article continues to discuss Solver Service bots and the new tool developed to stop them.

BetaNews reports "New Tool Aims to Stop 'Solver Service' Bots"

Security researchers at SafetyDetectives discovered the personal information of more than 30,000 students on an improperly secured Elasticsearch server. The server was left connected to the internet and did not require a password to allow access to the data within. Thus, the researchers estimate that it exposed more than one million records representing the personally identifiable information (PII) of 30,000 to 40,000 students. The researchers noted that the exposed information included full names, email addresses, phone numbers, credit card information, transaction and purchased meals details, and login information stored in plain text. The researchers stated that the improperly secured server was being updated when it was discovered and found evidence of server logs showing student data being exposed. The researchers noted that the 5GB database appeared to contain the details of students who are Transact Campus account holders. The researchers stated that Transact Campus works with higher education institutions in the United States, which means the majority of impacted students are US individuals. Transact Campus provides an application that students can use with a unique personal account (called Campus ID) to make payments and purchases, and which can also be used for activities such as event access, class attendance monitoring, and more. The researchers could not determine whether malicious actors accessed the unprotected database before it was secured. The researchers contacted Transact Campus about the unprotected server in December 2021 but did not receive a reply until January 2022, after they had contacted US-CERT as well. The database had already been secured at that time, but Transact Campus denied being responsible for the breach. Transact Campus told the researchers that the server was set up by a third party for a demo and was never taken down. Transact Campus also stated that the dataset was filled with a fake data set and did not use any production data. However, when the researchers checked a sample of the data, the data seemed to belong to real people.

SecurityWeek reports: "Personal Information of Over 30,000 Students Exposed in Unprotected Database"

Security researchers at Trellix have surveyed 1,000 cybersecurity professionals globally and found that nearly a third of the cybersecurity workforce plans to leave the industry in the near future. Organizations are already facing cybersecurity skills shortages, with not enough people having the skills and qualifications required to keep IT systems secure from breaches and other security threats. Adding more fuel to the fire, organizations face a growing threat from cybercriminals and nation-state hackers, whose attacks are growing "in volume and sophistication." Most organizations (85%) report that a workforce shortage is impacting their ability to secure their IT systems and networks. The researchers stated that as for cybersecurity workers themselves, those who plan on leaving the profession are doing so because they feel underappreciated and unable to grow in their roles. A lack of a clear career path (35%), a lack of social recognition (31%), and limited support to develop their skills (25%) were cited as the top three frustrations pushing security workers to quit. Other reasons spurring a move away from cybersecurity were: professionals feeling they had accomplished all they had wanted from their roles, burnout, and not being satisfied with their salaries.

ZDNet reports: "Bad News: The Cybersecurity Skills Crisis is About to Get Even Worse"

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to warn of critical vulnerabilities in Illumina genetic analysis devices that could allow a remote, unauthenticated attacker to take over an impacted product. The flaws affect Illumina Local Run Manager (LRM), which is used by sequencing instruments designed for clinical diagnostic use in the sequencing of a person's DNA, testing for various genetic conditions, as well as research. CISA is warning about four "critical severity" vulnerabilities and one " high severity" vulnerability that can be exploited to execute arbitrary code, to achieve directory traversal, upload arbitrary files, connect without authentication, and perform man-in-the-middle attacks. Tracked as CVE-2022-1517, CVE-2022-1518, and CVE-2022-1519, the most severe of these vulnerabilities feature a CVSS score of 10. These three vulnerabilities allow for remote code execution at operating system level (LRM runs with elevated privileges), the upload of data outside the intended directory structure, and the upload of arbitrary files. The fourth critical issue, CVE-2022-1521 (CVSS score of 9.1), exists because, by default, LRM does not feature authentication or authorization, which may allow an attacker to inject, intercept, or tamper with sensitive data. The fifth vulnerability is tracked as CVE-2022-1524 (CVSS score of 7.4), and it exists because TLS encryption is missing in LRM version 2.4 and lower, thus allowing a malicious actor to perform a man-in-the-middle attack and access in-transit sensitive data. CISA stated that the issues impact Illumina In Vitro Diagnostic (IVD) devices (NextSeq 550Dx and MiSeq Dx) and Researcher Use Only (ROU) instruments (NextSeq 500, NextSeq 550, MiSeq Instrument, iSeq 100, and MiniSeq Instrument) running different versions of LRM. Illumina issued updates to prevent the remote exploitation of these bugs and is working on delivering full patches for them.

SecurityWeek reports: "CISA Warns of Critical Vulnerabilities in Illumina Genetic Analysis Devices"

Researchers at the University of California, Irvine have discovered that autonomous vehicles can be tricked into an abrupt halt or other undesired driving behavior by placing an ordinary object on the side of the road. The researchers stated that a box, bicycle, or traffic cone might be all that is necessary to scare a driverless vehicle into coming to a dangerous stop in the middle of the street or on a freeway off-ramp, creating a hazard for other motorists and pedestrians. Autonomous vehicles cannot distinguish between objects present on the road by pure accident or those left intentionally as part of a physical denial-of-service attack. Both can cause erratic driving behavior. The researchers focused their investigation on security vulnerabilities specific to the planning module, a part of the software code that controls autonomous driving systems. This component oversees the vehicle's decision-making processes governing when to cruise, change lanes, slow down, and stop, among other functions. The researchers stated that the vehicle's planning module is designed with an abundance of caution, logically, because you don't want driverless vehicles rolling around out of control. However, their testing has found that the software can err on the side of being overly conservative, leading to a car becoming a traffic obstruction or worse.

UCI News reports: "UCI Researchers: Autonomous Vehicles Can be Tricked Into Dangerous Driving Behavior"

BT researchers are trialing a hyper-sensitive quantum Atomic Radio Frequency (RF) receiver to boost next-generation 5G & IoT networks in the UK. According to BT, the quantum antenna technology uses "excited atoms" and is predicted to deliver over 100x greater sensitivity than traditional receivers, with the potential to close the rural connectivity gap across the UK. the researchers noted that a quantum effect called "electromagnetically induced transparency" is utilized to form a highly sensitive electric field detector, which could boost the capability of next-gen 5G and IoT. If successful, the researchers noted that mobile network energy consumption might be reduced, enabling IoT devices to become more cost-efficient and longer lasting. It could also support lower-cost smart cities and smart agriculture. Theoretically, over 100x more sensitive than traditional receivers, the atomic RF Receiver can be positioned in traditionally hard-to-reach locations, potentially bringing mobile networks closer to achieving 100% coverage nationally. BT's trial represents the first time a digitally-encoded message has been received on a 3.6GHz (5G) carrier frequency. Previously, simple audio has been received using much higher frequencies, but this initiative provides an industrial demonstration using digital modulation within one of partner EE's main commercial 5G frequency ranges. In the future, BT researchers want the emerging infrastructure to form the basis of ultra-sensitive 5G receivers for use in very low-power passive mobile networks.

Information Age reports: "Quantum Radio Receiver Being Trialled by BT to Boost 5G And IoT"

In late February, after Conti expressed support for Russia following its invasion of Ukraine, a Ukrainian hacker started leaking information stolen from the cybercrime group, including chat logs, credentials, email addresses, C&C server details, and malware source code. Researchers from Eclypsium analyzed the leaked information and stated that the information showed that the cybercrime gang operated just like a regular company, with contractors, employees, and HR problems. The researchers also found that the Conti group has been looking into firmware-based attacks, specifically ones targeting Intel ME. Intel ME provides various features for computers powered by Intel processors, including out-of-band management and anti-theft protection. According to the researchers, Conti developers have been fuzzing the ME interface in an attempt to find undocumented commands and flaws, and they were trying to generically bypass protections. The hackers were also looking into creating a System Management Mode (SMM) implant that would allow them to stealthily modify the kernel. The researchers also noted that the cybercriminals' conversations revealed that they were also analyzing research made public by major Russian cybersecurity companies. The researchers stated that no new or unmitigated vulnerabilities appear to have been discovered in Intel chipsets but warned that the main problem is related to organizations failing to update chipset firmware regularly. The researchers stated that once the attacker has gained access to the firmware, they could permanently brick the system. They could also use this access for persistence and evading security products and device protections, which can be highly valuable to a group like Conti. Obtaining firmware-based persistence can also be monetized by the cybercriminals by reselling access to other threat actors or by dropping more ransomware payloads at a later date.

SecurityWeek reports: "Leaks Show Conti Ransomware Group Working on Firmware Exploits"

Europol recently announced the takedown of FluBot, a piece of mobile malware targeting both Android and iOS devices that has been fast-spreading via SMS messages. FluBot is also referred to as Fedex Banker and Cabassous. The spyware has been around since late 2020, mainly focused on users in Europe, but with attacks also registered in the United States, Australia, Japan, New Zealand, and elsewhere. Europol noted that the threat spreads using a technique known as smishing, which involves SMS phishing messages that attempt to lure victims into clicking a link to download the malicious payload. Initially, FluBot only targeted Android devices, but recent campaigns were seen targeting iOS devices as well. Security researchers have reported seeing tens of thousands of SMS messages being sent hourly as part of these widespread attacks. Europol stated that the smishing messages masquerade as voicemails and messages from the mobile operator. It may also contain more traditional phishing lures, such as delivery notifications or claims that someone is sharing a photo album with the intended victim. Once FluBot has been installed on a device, the malware starts spamming text messages to the victim's contacts to infect their devices too. Furthermore, FluBot would steal user passwords, online banking information, and other sensitive data from the infected devices. Dutch Police were recently able to successfully disrupt the FluBot infrastructure as part of an operation involving law enforcement authorities in 11 countries. Europol stated that the FluBot infrastructure is now under the control of law enforcement, putting a stop to the destructive spiral. To hide its malicious intent, FluBot disguises itself as a legitimate application, but it won't let the user open the app or uninstall it. Resetting the device to factory settings should eliminate the threat. Europol noted that in March last year, members of the FluBot gang were arrested in Spain, but the malware continued to operate and expand.

SecurityWeek reports: "Europol Announces Takedown of FluBot Mobile Spyware"

Security researchers at SEC Consult discovered that Korenix JetPort industrial serial device servers have a backdoor account that malicious hackers could abuse in attacks aimed at industrial organizations. The existence of the backdoor account, tracked as CVE-2020-12501, was discovered in 2020, but it was only made public now after a lengthy disclosure process that ended with the vendor saying that the account will not be removed. The researchers stated that the account in question can be exploited by an attacker on the network to access the device's operating system and gain full control. The researchers noted that the attacker could reconfigure the device and possibly gain access to other systems attached to the server. The issue was identified in the Korenix JetPort 5601V3 product, which is designed for connectivity in industrial environments. The researchers also believe that other products, including Westermo and Comtrol branded industrial devices, may also be impacted. The researchers stated that the backdoor account has the same password on all devices as it is stored in the firmware. The password is not stored in clear text and needs to be cracked, but once an attacker has cracked the password, it can be used to attack all affected devices. Moreover, the password cannot be changed by the user. The vendor told SEC Consult the backdoor account is needed for customer support and argued that the password "can't be cracked in a reasonable amount of time."

SecurityWeek reports: "Vendor Refuses to Remove Backdoor Account That Can Facilitate Attacks on Industrial Firms"