Honeypots: Turning the Tables on Hackers

In the cat-and-mouse game of cybersecurity, defenders are constantly seeking innovative ways to outmaneuver malicious actors. One such ingenious tool in the cybersecurity arsenal is the honeypot—a deceptive trap designed to lure hackers into revealing their tactics, techniques, and intentions. While the concept of a honeypot might sound like something out of a spy thriller, its real-world applications are both fascinating and crucial in the ongoing battle against cyber threats.

Unveiling the Honeypot

Imagine a virtual trap, meticulously crafted to mimic a legitimate system or network component. This could be a fake server, a dummy database, or even an entire network segment designed to attract the attention of cybercriminals. The allure lies in the seeming vulnerability of the honeypot, enticing hackers to exploit it.

How Honeypots Work

Honeypots are intentionally designed with vulnerabilities or enticing data that would attract an attacker. They are placed strategically within a network or system, often in locations where real assets are located. Once a hacker takes the bait and interacts with the honeypot, its purpose is twofold:

  1. Gathering Threat Intelligence: Every action taken by the attacker within the honeypot is meticulously logged and analyzed. This includes attempted exploits, malware samples, command inputs, and even lateral movement within the decoy environment. By observing these activities, cybersecurity professionals gain valuable insights into the tools and tactics used by hackers.
  2. Diverting Attention: Honeypots serve as a distraction, diverting the attention of attackers away from critical assets. While hackers are occupied with the decoy system, defenders have the opportunity to fortify real systems, update defenses, and prepare countermeasures.

Types of Honeypots

Honeypots come in various forms, each with its unique characteristics and applications:

  1. Research Honeypots: These are designed primarily for gathering threat intelligence. They are often low-interaction, meaning they simulate only basic services to observe attacker behavior without risking the compromise of critical systems.
  2. Production Honeypots: Unlike research honeypots, production honeypots are deployed within a live environment alongside real assets. They closely mimic the behavior and vulnerabilities of legitimate systems, serving both as a diversion and as a means to detect and block attacks in real-time.
  3. High-Interaction Honeypots: These are fully-featured emulations of entire systems or networks. They allow attackers to interact deeply with the environment, providing a wealth of information to defenders. However, they also carry a higher risk, as sophisticated attackers might detect their true nature.
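A minimal low-interaction honeypot of the kind the two sections above describe, as an added example that is not part of the original article: it listens on a TCP port, presents a fake SSH banner, records whatever the client sends without ever offering a real service, and raises an alert for every source that is not on an allowlist of known internal scanners (which is how the false-positive problem discussed later in the article is usually contained). The banner string, the `HoneypotLog` class, the capture limit and the allowlist address are assumptions made for this example.

```python
import socket
import socketserver
import threading
import time
from dataclasses import dataclass, field

# Constructed decoy banner (assumption): a plausible OpenSSH version string.
# The decoy never implements SSH; it only banners and records what arrives.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"
MAX_CAPTURE = 4096  # bytes kept per connection


@dataclass
class Interaction:
    source: str       # client IP address
    port: int         # client source port
    ts: float         # epoch seconds when the connection closed
    payload: bytes    # what the client sent after the banner


@dataclass
class HoneypotLog:
    # Nothing legitimate should ever touch the decoy, so every interaction is
    # an alert, except for sources on the allowlist (e.g. the internal
    # vulnerability scanner), which are logged but not alerted on.
    allowlist: set = field(default_factory=set)
    events: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def record(self, event: Interaction) -> bool:
        """Store the interaction; return True if it produced an alert."""
        self.events.append(event)
        if event.source in self.allowlist:
            return False
        self.alerts.append(
            f"honeypot touched from {event.source}:{event.port} "
            f"({len(event.payload)} bytes captured)"
        )
        return True


class FakeSSHHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(FAKE_BANNER)
        self.request.settimeout(1.0)   # idle clients are cut off quickly
        chunks, total = [], 0
        try:
            while total < MAX_CAPTURE:
                data = self.request.recv(1024)
                if not data:           # client closed the connection
                    break
                chunks.append(data)
                total += len(data)
        except (socket.timeout, ConnectionError):
            pass
        src_ip, src_port = self.client_address[:2]
        self.server.log.record(
            Interaction(src_ip, src_port, time.time(), b"".join(chunks))
        )


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind, log: HoneypotLog):
        super().__init__(bind, FakeSSHHandler)
        self.log = log


def run_honeypot(log: HoneypotLog, host="127.0.0.1", port=0) -> Honeypot:
    """Start the decoy in a background thread; port 0 picks a free port."""
    server = Honeypot((host, port), log)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def wait_for_events(log: HoneypotLog, count: int, timeout=5.0) -> bool:
    """Block until the log holds at least `count` interactions (handlers run in threads)."""
    deadline = time.monotonic() + timeout
    while len(log.events) < count and time.monotonic() < deadline:
        time.sleep(0.05)
    return len(log.events) >= count


def probe(host: str, port: int, data=b"SSH-2.0-constructed-scanner\r\n") -> bytes:
    """Client standing in for a scanner: read the banner, send one line, hang up."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(data)
    return banner


if __name__ == "__main__":
    log = HoneypotLog(allowlist={"10.0.0.5"})   # constructed internal scanner address
    server = run_honeypot(log, port=2222)
    print("decoy listening on", server.server_address)
    seen = 0
    try:
        while True:
            time.sleep(1)
            for line in log.alerts[seen:]:
                print(line)
            seen = len(log.alerts)
    except KeyboardInterrupt:
        server.shutdown()
```

Run stand-alone it listens on port 2222 and prints an alert line for each connection; the alert list is what would be forwarded to the SIEM, while the recorded payloads are the threat-intelligence side (client banners, attempted logins) that the article describes.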

Advantages of Honeypots

  • Early Threat Detection: Honeypots can detect threats at the reconnaissance stage, long before an attacker reaches critical systems.
  • Understanding Attack Techniques: By analyzing hacker interactions, cybersecurity professionals gain insights into new and emerging attack methods.
  • Enhanced Incident Response: Real-time alerts from honeypots allow for swift incident response, minimizing potential damage.
  • Legal and Ethical: Since honeypots are designed as traps, their use falls within legal and ethical boundaries when deployed within one’s own network.

Challenges and Considerations

While honeypots are powerful tools, their deployment requires careful planning and consideration:

  • Resource Intensive: Honeypots require dedicated resources for maintenance, monitoring, and analysis.
  • False Positives: Interactions with honeypots might sometimes be triggered by legitimate activities, requiring skilled analysts to differentiate between real threats and benign events.
  • Deception Maintenance: To remain effective, honeypots must stay updated to mimic current systems accurately.

Conclusion: Turning the Tables

In the ever-evolving landscape of cybersecurity, defenders are tasked with staying one step ahead of cyber threats. Honeypots offer a proactive and strategic approach, allowing organizations to gain valuable insights into the minds of attackers while bolstering their defenses.

By turning the tables on hackers and enticing them into carefully crafted traps, cybersecurity professionals gather invaluable intelligence, fortify critical systems, and create a formidable line of defense against even the most sophisticated adversaries.

In the intricate dance between defenders and attackers, honeypots stand as a testament to human ingenuity and the relentless pursuit of cybersecurity excellence. As organizations continue to embrace these deceptive tools, the balance of power in the cyber realm shifts, with defenders gaining a crucial edge in the ongoing battle for digital security.

DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.

The agency attributed the campaign to a threat actor it calls UAC-0027.

DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity firm Avast revealed the malware’s ability to propagate in a worm-like fashion by taking advantage of known security flaws.

The DDoS botnet is known to be delivered by means of another malware referred to as Purple Fox or via bogus MSI installer packages for popular software such as Telegram. Purple Fox is also equipped with a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove.


The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA is recommending that organizations keep their systems up-to-date, enforce network segmentation, and monitor network traffic for any anomalous activity.

The disclosure comes as Securonix detailed an ongoing phishing campaign known as STEADY#URSA targeting Ukrainian military personnel with the goal of delivering a bespoke PowerShell backdoor dubbed SUBTLE-PAWS.

“The exploitation chain is relatively simple: it involves the target executing a malicious shortcut (.lnk) file which loads and executes a new PowerShell backdoor payload code (found inside another file contained within the same archive),” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.

The attack is said to be related to a threat actor known as Shuckworm, which is also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder. Active since at least 2013, it’s assessed to be part of Russia’s Federal Security Service (FSB).

SUBTLE-PAWS, in addition to setting up persistence on the host, uses Telegram’s blogging platform called Telegraph to retrieve the command-and-control (C2) information, a technique previously identified as associated with the adversary since early 2023, and can propagate through removable attached drives.

RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”

It seems that the attacks are specifically intended to target big businesses with annual sales of more than $100 million. Retail, agriculture, the public sector, manufacturing, transportation, commercial services, capital goods, and banking are among the industries targeted.

The first step in the infection chain is the distribution of a ZIP file through phishing or drive-by compromise. This file contains an MSI installer that launches a .NET downloader, which verifies that the victim is located in Mexico and then retrieves the modified AllaKore RAT, a Delphi-based RAT first discovered in 2015.

“AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim’s machine,” BlackBerry stated.

The threat actor has added new features to the malware, such as support for banking fraud-related commands, targeting cryptocurrency trading platforms and banks in Mexico, initiating a reverse shell, extracting content from the clipboard, and fetching and executing additional payloads.

The campaign’s use of Mexico Starlink IPs and the addition of Spanish-language instructions to the modified RAT payload provide the threat actor with links to Latin America. Moreover, the lures used are only effective for businesses big enough to submit reports directly to the department of the Mexican Social Security Institute (IMSS).

“This threat actor has been persistently targeting Mexican entities for the purposes of financial gain,” the business stated. “This activity has continued for over two years, and shows no signs of stopping.”

The findings coincide with IOActive's announcement that it has discovered three vulnerabilities (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) in Lamassu Douro bitcoin ATMs that could give an attacker with physical access the ability to take complete control of the machines and steal user data.

The attacks abuse the ATM's software update mechanism and its ability to scan QR codes to supply a malicious file of the attacker's choosing and trigger arbitrary code execution. The Swiss company resolved the issues in October 2023.

Update Chrome Now to Fix New Actively Exploited Vulnerability

Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.

The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.

“By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service,” according to MITRE’s Common Weakness Enumeration (CWE).

Additional details about the nature of the attacks and the threat actors that may be exploiting it have been withheld in an attempt to prevent further exploitation. The issue was reported anonymously on January 11, 2024.

“Out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” reads a description of the flaw on the NIST’s National Vulnerability Database (NVD).

The development marks the first actively exploited zero-day to be patched by Google in Chrome in 2024. Last year, the tech giant resolved a total of 8 such actively exploited zero-days in the browser.

Users are recommended to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023

The environmental services industry witnessed an “unprecedented surge” in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic.

This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week.

“This surge in cyber attacks coincided with COP 28, which ran from November 30th to December 12th, 2023,” security researchers Omer Yoachimik and Jorge Pacheco said, describing it as a “disturbing trend in the cyber threat landscape.”

The uptick in HTTP attacks targeting environmental services websites is part of a larger trend observed annually over the past few years, specifically during COP 26 and COP 27, as well as other United Nations environment-related resolutions or announcements.

“This recurring pattern underscores the growing intersection between environmental issues and cyber security, a nexus that is increasingly becoming a focal point for attackers in the digital age,” the researchers said.

Despite the environmental services sector becoming a new target in Q4 2023, the cryptocurrency industry continues to be the primary casualty in terms of the volume of HTTP DDoS attack requests.

With more than 330 billion HTTP requests targeting it, the attack traffic represents more than 4% of all HTTP DDoS traffic for the quarter. Gaming and gambling and telecommunications emerged as the second and third most attacked industries.

On the other end of the spectrum are the U.S. and China, acting as the main sources of HTTP DDoS attack traffic. It’s worth noting that the U.S. has been the largest source of HTTP DDoS attacks for five consecutive quarters since Q4 2022.


“Together, China and the U.S. account for a little over a quarter of all HTTP DDoS attack traffic in the world,” the researchers said. “Brazil, Germany, Indonesia, and Argentina account for the next 25%.”

The development comes amid a heavy onslaught of DDoS attacks targeting Palestinian banking, information technology (IT), and internet platforms following the onset of the Israel-Hamas War and Israel’s counteroffensive codenamed Operation Iron Swords.

The percentage of DDoS attack traffic targeting Palestinian websites grew by 1,126% quarter-over-quarter, Cloudflare said, adding DDoS attack traffic targeting Taiwan registered a 3,370% growth amidst the Taiwanese presidential elections and rising tensions with China.

Akamai, which also published its own retrospective on DDoS Trends in 2023, said “DDoS attacks became more frequent, longer, highly sophisticated (with multiple vectors), and focused on horizontal targets (attacking multiple IP destinations in the same attack event).”

The findings also follow a report from Cloudflare about the increasing threat posed by unmanaged or unsecured API endpoints, which could enable threat actors to exfiltrate potentially sensitive information.

“HTTP anomalies — the most frequent threat toward APIs — are common signals of malicious API requests,” the company said. “More than half (51.6%) of traffic errors from API origins comprised ‘429’ error codes: ‘Too Many Requests.’”

29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services

A 29-year-old Ukrainian national has been arrested in connection with running a “sophisticated cryptojacking scheme,” netting them over $2 million (€1.8 million) in illicit profits.

The person was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following “months of intensive collaboration.”

“A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs,” Europol said, adding it shared the intelligence with the Ukrainian authorities.

As part of the probe, three properties were searched to unearth evidence against the suspect.

Cryptojacking refers to a type of cyber crime that entails the unauthorized use of a person’s or organization’s computing resources to mine cryptocurrencies.

On the cloud, such attacks are typically carried out by infiltrating the infrastructure via compromised credentials obtained through other means and installing miners that use the infected host’s processing power to mine crypto without their knowledge or consent.

“If the credentials do not have the threat actors’ desired permissions, privilege escalation techniques are used to obtain additional permissions,” Microsoft noted in July 2023. “In some cases, threat actors hijack existing subscriptions to further obfuscate their operations.”

The core idea is to avoid paying for necessary infrastructure required to mine cryptocurrencies, either by taking advantage of free trials or compromising legitimate tenants to conduct cryptojacking attacks.

In October 2023, Palo Alto Networks Unit 42 detailed a cryptojacking campaign in which threat actors were found stealing Amazon Web Services (AWS) credentials from GitHub repositories within five minutes of their public disclosure to mine Monero.
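The Unit 42 finding above, that credentials pushed to a public repository are harvested within minutes, is the reason secret scanning belongs in the commit path rather than after the fact. As an added example that is not part of the original article or of any vendor's tooling, the following Python scanner flags AWS access key IDs by their fixed shape and AWS secret access keys by a context word plus a Shannon-entropy floor, so that obvious placeholders are not reported. The regular expressions, the 4.0 bits/char threshold and the sample `.env` file (which reuses the well-known example key pair from AWS documentation, not live credentials) are assumptions made for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# AWS access key IDs have a fixed shape: a 4-letter prefix (AKIA for long-term
# keys, ASIA for temporary ones) followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 characters of base64-like text with no fixed prefix,
# so they are only flagged when an assignment to a secret-looking name precedes them.
AWS_SECRET = re.compile(
    r"(?i)(aws[_-]?secret[_-]?access[_-]?key|aws[_-]?secret|secret[_-]?key)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_FLOOR = 4.0  # bits/char (assumption); below this a 40-char value is treated as a placeholder


@dataclass
class Finding:
    origin: str   # file name or other label
    line: int
    kind: str
    value: str    # redacted; the full secret is never written to a report


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, origin: str = "<memory>") -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(origin, lineno, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET.finditer(line):
            candidate = m.group(2)
            if shannon_entropy(candidate) >= ENTROPY_FLOOR:
                findings.append(Finding(origin, lineno, "aws_secret_access_key", redact(candidate)))
    return findings


def scan_paths(paths) -> list:
    """Scan files before they are committed (e.g. the staged files in a pre-commit hook)."""
    findings = []
    for p in map(Path, paths):
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(p)))
    return findings


# Constructed sample: the AWS documentation's example key pair, not live credentials.
SAMPLE_ENV = "\n".join([
    "# constructed .env file for the example",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "DB_HOST=localhost",
    "AWS_SECRET_ACCESS_KEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",   # placeholder, not flagged
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV, ".env"):
        print(f"{f.origin}:{f.line}: {f.kind} {f.value}")
```

Wired into a pre-commit hook, `scan_paths` would be run over the staged files and a non-empty result would block the commit; the redaction matters because the scanner's own output is often stored in CI logs.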

NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

A new Mirai-based botnet called NoaBot is being used by threat actors as part of a crypto mining campaign since the beginning of 2023.

“The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims,” Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News.

Mirai, which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being InfectedSlurs, which is capable of mounting distributed denial-of-service (DDoS) attacks.

There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as P2PInfect, which recently received an update to target routers and IoT devices.

This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely attempts to pivot to custom malware.

Despite NoaBot’s Mirai foundations, its spreader module uses an SSH scanner to find servers susceptible to dictionary attacks, brute-forces them, and adds an SSH public key to the .ssh/authorized_keys file for remote access. Optionally, it can also download and execute additional binaries after a successful compromise or propagate itself to new victims.

“NoaBot is compiled with uClibc, which seems to change how antivirus engines detect the malware,” Kupchik noted. “While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures are of an SSH scanner or a generic trojan.”

Besides incorporating obfuscation tactics to render analysis challenging, the attack chain ultimately results in the deployment of a modified version of the XMRig coin miner.

What makes the new variant a cut above other similar Mirai botnet-based campaigns is that it does not contain any information about the mining pool or the wallet address, thereby making it impossible to assess the profitability of the illicit cryptocurrency mining scheme.

“The miner obfuscates its configuration and also uses a custom mining pool to avoid exposing the wallet address used by the miner,” Kupchik said, highlighting some level of preparedness of the threat actors.

Akamai said it identified 849 victim IP addresses to date that are spread geographically across the world, with high concentrations reported in China, so much so that it amounts to almost 10% of all attacks against its honeypots in 2023.

“The malware’s method of lateral movement is via plain old SSH credentials dictionary attacks,” Kupchik said. “Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong (not default or randomly generated) passwords also makes your network more secure, as the malware uses a basic list of guessable passwords.”
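Because NoaBot persists by appending a public key to `.ssh/authorized_keys`, an unexpected key in that file is a direct indicator of this family. The following Python audit, added here as an example and not code from Akamai or from the original article, parses an `authorized_keys` file (including entries that carry options such as `from=` or `command=`), computes the OpenSSH-style SHA256 fingerprint of each key, and reports any key whose fingerprint is not in a baseline of keys the administrators issued, plus any line that does not parse. The two key blobs in the sample are constructed base64 of the right length, not real key material, and the baseline set is an assumption.

```python
import base64
import hashlib
import sys
from pathlib import Path

# Constructed keys: valid base64 of the length of an ed25519 key, not real key material.
KEY_ADMIN = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
KEY_ROGUE = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "B" * 43

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-")


def key_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(decoded blob)) without padding."""
    blob = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options such as from="..." or command="..." may precede the key type.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or len(fields) < idx + 2:
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        try:
            fp = key_fingerprint(fields[idx + 1])
        except ValueError:          # binascii.Error is a ValueError
            entries.append({"line": lineno, "error": "invalid base64 key blob"})
            continue
        entries.append({
            "line": lineno,
            "options": fields[:idx],
            "type": fields[idx],
            "fingerprint": fp,
            "comment": " ".join(fields[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text: str, baseline_fps: set) -> list:
    """Findings: keys outside the admin-issued baseline, and lines that do not parse."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append({"line": e["line"], "kind": "unparseable", "detail": e["error"]})
        elif e["fingerprint"] not in baseline_fps:
            detail = f"{e['type']} {e['fingerprint']} {e['comment']}".strip()
            findings.append({"line": e["line"], "kind": "unknown_key", "detail": detail})
    return findings


def audit_file(path, baseline_fps: set) -> list:
    """Audit a real file; also flag it if group/other can write to it."""
    p = Path(path)
    findings = audit_authorized_keys(p.read_text(), baseline_fps)
    mode = p.stat().st_mode & 0o777
    if mode & 0o022:
        findings.append({"line": 0, "kind": "permissions",
                         "detail": f"{p} is writable by group/other (mode {mode:o})"})
    return findings


# Constructed sample file: one issued key (twice, once with options), one unknown key, one bad line.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed ~/.ssh/authorized_keys for the example",
    f"ssh-ed25519 {KEY_ADMIN} admin@bastion",
    f'from="10.0.0.0/8",no-port-forwarding ssh-ed25519 {KEY_ADMIN} admin@laptop',
    f"ssh-ed25519 {KEY_ROGUE}",
    "not a key at all",
])

if __name__ == "__main__":
    baseline = {key_fingerprint(KEY_ADMIN)}
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_file(target, baseline) if target else audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, baseline)
    for f in results:
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
```

In practice the baseline is the set of fingerprints your provisioning system knows about, and the audit runs periodically on every host for every account with a home directory; the reported fingerprint can be matched against the `-lf` output of the system's own `ssh-keygen`.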

Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe

Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access.

“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical report shared with The Hacker News.

The campaign, linked to actors of Turkish origin, has been codenamed RE#TURGENCE by the cybersecurity firm.

Initial access to the servers entails conducting brute-force attacks, followed by the use of xp_cmdshell configuration option to run shell commands on the compromised host. This activity mirrors that of a prior campaign dubbed DB#JAMMER that came to light in September 2023.

This stage paves the way for the retrieval of a PowerShell script from a remote server that’s responsible for fetching an obfuscated Cobalt Strike beacon payload.

The post-exploitation toolkit is then used to download the AnyDesk remote desktop application from a mounted network share for accessing the machine and downloading additional tools such as Mimikatz to harvest credentials and Advanced Port Scanner to carry out reconnaissance.

Lateral movement is accomplished by means of a legitimate system administration utility called PsExec, which can execute programs on remote Windows hosts.

That attack chain, ultimately, culminates with the deployment of Mimic ransomware, a variant of which was also used in the DB#JAMMER campaign.

“The indicators as well as malicious TTPs used in the two campaigns are completely different, so there is a very high chance these are two disparate campaigns,” Kolesnikov told

“More specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling. RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity.”

Securonix said it uncovered an operational security (OPSEC) blunder made by the threat actors that allowed it to monitor clipboard activity owing to the fact that the clipboard sharing feature of AnyDesk was enabled.

This made it possible to glean their Turkish origins and their online alias atseverse, which also corresponds to a profile on Steam and a Turkish hacking forum called SpyHack.

“Always refrain from exposing critical servers directly to the internet,” the researchers cautioned. “With the case of RE#TURGENCE attackers were directly able to brute force their way into the server from outside the main network.”
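Both the NoaBot campaign above and RE#TURGENCE begin the same way, with password guessing against a service reachable from the internet (SSH in one case, MS SQL in the other), and both leave the same trace: a burst of failed logins from one source trying several accounts. As an added example that is not part of the original article or of either vendor's report, the following Python detector parses failed-login lines from two log formats, the `Failed password` lines sshd writes to syslog and the `Login failed for user` lines from the SQL Server ERRORLOG, and raises one alert per source once the failures inside a sliding window reach a threshold. The log lines are constructed for the example, syslog lines are assumed to belong to 2024 because that format omits the year, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# sshd via syslog: "Jan 10 12:00:01 host sshd[pid]: Failed password for [invalid user ]NAME from IP port N ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# SQL Server ERRORLOG: "2024-01-10 12:00:03.45 Logon  Login failed for user 'sa'. Reason: ... [CLIENT: IP]"
MSSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<src>[^\]]+)\]"
)


@dataclass
class FailedLogin:
    ts: datetime
    service: str
    source: str
    user: str


@dataclass
class Alert:
    service: str
    source: str
    attempts: int   # failures inside the window when the alert fired
    users: list     # every account tried from this source so far
    first: datetime
    last: datetime


def parse_line(line: str, year: int = 2024):
    """Return a FailedLogin for a recognised failure line, else None."""
    m = SSHD_RE.match(line)
    if m:
        # syslog timestamps carry no year; the caller supplies it (assumption: 2024)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        return FailedLogin(ts, "sshd", m["src"], m["user"])
    m = MSSQL_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        return FailedLogin(ts, "mssql", m["src"], m["user"])
    return None


def parse_lines(lines, year: int = 2024) -> list:
    return [ev for ev in (parse_line(l, year) for l in lines) if ev]


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)) -> list:
    """Alert once per (service, source) when `threshold` failures fall within `window`."""
    recent = defaultdict(deque)   # timestamps per (service, source) still inside the window
    users = defaultdict(set)      # accounts tried from that source
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.service, ev.source)
        q = recent[key]
        q.append(ev.ts)
        users[key].add(ev.user)
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(Alert(ev.service, ev.source, len(q), sorted(users[key]), q[0], ev.ts))
    return alerts


# Constructed log lines: one SSH dictionary attack, one benign SSH user, one MS SQL 'sa' guessing run.
SAMPLE_LOG = [
    "Jan 10 12:00:01 bastion sshd[4101]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Jan 10 12:00:02 bastion sshd[4102]: Failed password for admin from 203.0.113.7 port 51130 ssh2",
    "Jan 10 12:00:03 bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51131 ssh2",
    "Jan 10 12:00:04 bastion sshd[4104]: Failed password for invalid user pi from 203.0.113.7 port 51140 ssh2",
    "Jan 10 12:00:05 bastion sshd[4105]: Failed password for invalid user ubuntu from 203.0.113.7 port 51141 ssh2",
    "Jan 10 12:00:06 bastion sshd[4106]: Failed password for root from 203.0.113.7 port 51150 ssh2",
    "Jan 10 12:00:07 bastion sshd[4107]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "Jan 10 12:00:08 bastion sshd[4108]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2: ED25519 SHA256:constructed",
    "2024-01-10 12:00:03.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]",
    "2024-01-10 12:00:12.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]",
    "2024-01-10 12:00:21.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]",
    "2024-01-10 12:00:30.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]",
    "2024-01-10 12:00:40.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]",
]

if __name__ == "__main__":
    for a in detect_bruteforce(parse_lines(SAMPLE_LOG)):
        print(f"{a.service}: {a.attempts} failures from {a.source} between {a.first} and {a.last}, "
              f"accounts tried: {', '.join(a.users)}")
```

The single failure from 198.51.100.4 never reaches the threshold, which is the point of the window: ordinary typos do not alert, a guessing run does. The alerts are also the input to the control both reports recommend, since a source that trips the detector on an internet-facing SSH or SQL port is exactly what should not have been reachable in the first place.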

North Korea’s Cyber Heist: DPRK Hackers Stole $600 Million in Cryptocurrency in 2023

Threat actors affiliated with the Democratic People’s Republic of Korea (also known as North Korea) have plundered at least $600 million in cryptocurrency in 2023.

The DPRK “was responsible for almost a third of all funds stolen in crypto attacks last year, despite a 30% reduction from the USD 850 million haul in 2022,” blockchain analytics firm TRM Labs said last week.

“Hacks perpetrated by the DPRK were on average ten times as damaging as those not linked to North Korea.”

There are indications that additional breaches targeting the crypto sector towards the end of 2023 could push this figure higher to around $700 million.

The targeting of cryptocurrency companies is not new for North Korean state-sponsored actors, who have stolen about $3 billion since 2017.

These financially motivated attacks are seen as a crucial revenue-generation mechanism for the sanctions-hit nation, funding its weapons of mass destruction (WMD) and ballistic missile programs.

The intrusions leverage social engineering to lure targets and typically aim to compromise private keys and seed phrases – which are used to safeguard digital wallets – and then use them to gain unauthorized access to the victims’ assets and transfer them to wallets under the threat actor’s control.

“They are then swapped mostly for USDT or Tron and converted to hard currency using high-volume OTC brokers,” TRM Labs said.

The company further noted that DPRK hackers continued to explore other money laundering tools after the U.S. Treasury Department sanctioned a crypto mixer service known as Sinbad for processing a chunk of their proceeds, indicating constant evolution despite law enforcement pressure.

“With nearly USD 1.5 billion stolen in the past two years alone, North Korea’s hacking prowess demands continuous vigilance and innovation from business and governments,” TRM Labs said.