The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation.
“Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks,” SentinelOne researchers Aleksandar Milenkoski and Tom
Related Posts
Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR
In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became evident that SolarMarker had been present in the district’s system since at least 2021, likely exfiltrating data over several years.
Let’s dive further into the investigation’s findings and the steps taken to mitigate the threat.
SolarMarker infection
Background
The incident began with the detection of an anomalous instance of PowerShell attempting to establish an outbound network connection to a suspicious IP address (188.241.83.61). This connection attempt was thwarted by Malwarebytes Web Protection (MWAC), signaling the first indication of a potential security breach.
Initial challenges
Upon investigation, it was discovered that Endpoint Detection and Response (EDR) settings were disabled in the client’s endpoint policy. This limitation prevented the use of Fast Response Scanning (FRS) to capture and analyze detailed endpoint data, necessitating a manual approach to the investigation utilizing Active Response Scanning (ARS).
Investigation and analysis
The first step involved querying active network connections with netstat, which revealed an instance of PowerShell in operation. To further understand the nature of this PowerShell instance, its command line was examined using Windows Management Instrumentation Command-line (WMIC) with the process ID (PID), which unveiled obfuscated code.
Decoding and understanding SolarMarker
The obfuscated PowerShell code was extracted and refactored for clarity. The analysis revealed the following components of the malware’s operation:
```powershell
# Decryption key: a Base64-encoded string in the original (redacted in the write-up)
$decodeKey = '<Base64_encoded_string>'
# Encoded payload dropped under the user's roaming profile in a randomly named path
$encodedFilePath = 'C:\Users\akeith\AppData\Roaming\micROSoft\wbpgVnSBjsytaokmJqdVQplHfgwxyNmtaPX.gvzPlATqFe'
$decodedPayload = [System.IO.File]::ReadAllBytes($encodedFilePath)
# XOR every payload byte against the key, cycling through the key characters
for ($payloadIndex = 0; $payloadIndex -lt $decodedPayload.Count; $payloadIndex++) {
    $decodedPayload[$payloadIndex] = $decodedPayload[$payloadIndex] -bxor $decodeKey[$payloadIndex % $decodeKey.Length]
    if ($payloadIndex -ge $decodeKey.Length) {
        $payloadIndex = $decodeKey.Length
    }
}
# Load the decoded .NET assembly directly from memory and invoke its entry method
[System.Reflection.Assembly]::Load($decodedPayload)
[ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()
```
This code reveals the malware’s methodology:
It utilizes a Base64-encoded string as a decryption key.
It targets a specific file path for encoded data.
It reads, decodes, and executes the encrypted payload.
The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…).
Further investigation uncovered randomly named folders within the AppData\Roaming\Microsoft directory, each containing encoded payloads. These discoveries suggested a more widespread infection than initially anticipated.
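The manual triage step described above (pull the command line of a suspect PowerShell process, look for the hiding/bypass/encoded flags, and decode what it is running) can be scripted. The following is an added example, not code from the ThreatDown write-up: it runs over constructed process records in the shape of a `wmic process get ProcessId,CommandLine` listing, and the command lines, PIDs and the `Write-Host` payload are hypothetical, not the ones from the incident.

```python
"""Triage a Windows process listing for PowerShell launched with evasion flags.

Added example, not from the ThreatDown/Malwarebytes write-up. Sample records below
are constructed; the encoded command is a harmless Write-Host, not the real payload.
"""
import base64
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed (PID, command line) records; the PIDs and command lines are hypothetical.
SAMPLE_PROCESSES: List[Tuple[int, str]] = [
    (4120, r'"C:\Windows\System32\svchost.exe" -k netsvcs'),
    (6312, "powershell.exe -WindowStyle Hidden -Ep ByPass -EncodedCommand "
           + base64.b64encode('Write-Host "hypothetical"'.encode("utf-16-le")).decode("ascii")),
    (7008, r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
]


@dataclass
class Finding:
    pid: int
    indicators: List[str] = field(default_factory=list)
    decoded_command: Optional[str] = None


def _is_param(token: str, full_name: str, min_len: int, aliases: Tuple[str, ...] = ()) -> bool:
    """powershell.exe accepts any unambiguous prefix of a parameter name (-w, -Ep, -enc)
    plus a few fixed aliases (-ec for -EncodedCommand), so match prefixes, not exact names."""
    if not token.startswith("-"):
        return False
    name = token.lstrip("-").lower()
    if name in aliases:
        return True
    return min_len <= len(name) <= len(full_name) and full_name.startswith(name)


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries the script as Base64 over UTF-16LE text; None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_line(pid: int, cmdline: str) -> Optional[Finding]:
    """Return a Finding for a PowerShell process listing the evasion flags on its command
    line (hidden window, execution-policy bypass, encoded command); None if not PowerShell."""
    tokens = cmdline.split()
    if not tokens or "powershell" not in tokens[0].lower():
        return None
    finding = Finding(pid)
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if _is_param(tok, "windowstyle", 1) and nxt.lower() == "hidden":
            finding.indicators.append("hidden window")
        elif _is_param(tok, "executionpolicy", 2, aliases=("ep",)) and nxt.lower() == "bypass":
            finding.indicators.append("execution policy bypass")
        elif _is_param(tok, "encodedcommand", 1, aliases=("ec",)) and nxt:
            finding.indicators.append("encoded command")
            finding.decoded_command = decode_encoded_command(nxt)
    return finding


def suspicious_processes(records: List[Tuple[int, str]]) -> List[Finding]:
    """Filter a process listing down to PowerShell instances carrying at least one indicator."""
    findings = (triage_command_line(pid, cmd) for pid, cmd in records)
    return [f for f in findings if f is not None and f.indicators]


if __name__ == "__main__":
    for f in suspicious_processes(SAMPLE_PROCESSES):
        print(f"PID {f.pid}: {', '.join(f.indicators)}")
        if f.decoded_command:
            print("  decoded -EncodedCommand:", f.decoded_command)
```

Prefix matching is deliberate: PowerShell honours abbreviated parameter names, so a rule that looks only for the literal string `-WindowStyle Hidden` misses `-w hidden`. The decoded command is shown as text only; nothing here executes it.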
Response and mitigation
The response involved several steps to contain and eliminate the threat:
Terminating the malicious PowerShell instance.
Deleting the identified folders containing encoded payloads.
Conducting a thorough search for persistence mechanisms, which fortunately yielded no findings.
A comprehensive threat scan was executed, and the incident was escalated for visibility with the client. Post-reboot checks confirmed the absence of persistence, no spawn of new PowerShell instances, and blocking of suspicious network connections, indicating successful remediation of the infection.
Conclusion
As we’ve seen in our 2024 State of Ransomware in Education report, the educational sector continues to be a prime target for attackers. In this case, attackers used SolarMarker, a sophisticated backdoor, to lurk within the school district’s network for years, likely stealing data in the process. Its presence went undetected until the district onboarded with ThreatDown MDR. Despite facing initial obstacles, such as disabled EDR settings, the ThreatDown MDR team successfully identified and neutralized the SolarMarker infection through manual intervention.
Discover how ThreatDown MDR can safeguard your K-12 institution.
Malwarebytes
Cyber crime chronicles featuring scams, spies, and cartel schemes.
This week we are joined by Maria Varmazis, host of the N2K daily space show, T-Minus. Maria shares an interesting story about Apple users reporting that they are being targeted in elaborate phishing attacks that involve a bug in Apple’s password reset feature. Joe and Dave share some listener follow-up from Leo, who shares some thoughts on episode 282 and the recruiter scam that was discussed. Dave shares a story from Mexico on one of the most violent criminal groups and drug cartels, Jalisco New Generation. They have been running call centers that offer to buy retirees’ vacation properties and then empty the victims’ bank accounts. Joe has the story of Facebook spying on users’ Snapchats in a secret project. Our catch of the day comes from listener Van, who writes in to share a voicemail they received related to a tax scam.
The CyberWire
Hackers Can Crack Down 59% Of Passwords Within an Hour
Researchers analyzed real-world passwords leaked on the dark web rather than the artificial ones used in labs. They found that a worrying 59% of these passwords could be cracked within an hour using just a modern graphics card and some technical knowledge, highlighting the weakness of many real-world passwords and the effectiveness of GPU-driven brute-force attacks.
Password cracking refers to retrieving the original password from its hashed form. Traditionally, passwords were stored in plain text, making them vulnerable to data breaches.
Modern systems address this by using hashing algorithms like SHA-1 to convert passwords into unique, fixed-length hash values. When a user logs in, their entered password is hashed and compared to the stored hash, and if they match, access is granted.
Crackers aim to recover the original password from its hash, often using rainbow tables, which pre-compute the hashes of common passwords. A recovered password gives them access to the compromised account and potentially to other accounts where the same password was reused.
To enhance password security, salted hashing prepends a random data string (the salt), which may be generated per user or fixed, to the password before applying the hash function, creating a unique password-salt combination for each user.
Feeding this combination into the hashing algorithm creates a distinct hash, rendering pre-computed rainbow tables ineffective for attackers. Consequently, this method significantly increases the difficulty of cracking passwords.
Modern GPUs are significantly faster than CPUs for password cracking. For instance, an RTX 4090 running hashcat can test 164 billion salted MD5 hashes per second, while an 8-character password drawn from a 36-character alphabet (letters of one case plus digits) has 36^8, about 2.8 trillion, combinations.
A powerful CPU (6.7 GH/s) could crack this password in 7 minutes, while an RTX 4090 (164 GH/s) needs only 17 seconds.
Even without owning such GPUs, attackers can rent them for a few dollars per hour, enabling them to crack massive leaked password databases efficiently.
Researchers at Kaspersky analyzed real-world passwords and found that many are vulnerable to cracking.
Using a combination of brute-force and smart-guessing algorithms, they cracked 45% of passwords in under a minute and 59% within an hour.
Smart-guessing algorithms achieved this by prioritizing common character combinations. Note that cracking every password in a database takes roughly the same time as cracking one, because each guess, once hashed, is checked against all of the stored hashes at once.
Password cracking algorithms leverage human predictability to efficiently guess combinations, where people favor common phrases, dates, and patterns, making them vulnerable to dictionary attacks.
Even attempts at randomness are biased towards keyboard center keys, allowing algorithms to crack most passwords containing dictionary words or frequent symbol combinations within minutes or hours.
Basic substitutions like “pa$$word” or “@” for letters offer minimal protection. Similarly, including popular words or number sequences like “123456” significantly weakens passwords.
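The two claims above, that a single guess is checked against an entire database of unsalted hashes and that per-user salts defeat that shortcut, can be made concrete by counting hash computations. The following is an added example, not code from the article; the wordlist and the four-user “leaked” database are constructed, and SHA-1 is used only because the article names it.

```python
"""Why per-user salts matter: one guess against a whole leaked database.

Added example, not from the article. The wordlist and user database are constructed;
SHA-1 is used only because the article mentions it, the point is the hash count.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed wordlist and "leaked" database; two users reuse the same weak password.
WORDLIST: List[str] = ["123456", "password", "qwerty", "pa$$word",
                       "letmein", "summer2024", "correcthorse"]
USERS: Dict[str, str] = {"alice": "summer2024", "bob": "pa$$word",
                         "carol": "Tr0ub4dor&3-xyz", "dave": "summer2024"}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """user -> SHA-1(password); identical passwords produce identical hashes."""
    return {u: sha1_hex(p.encode()) for u, p in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """user -> (random 16-byte salt, SHA-1(salt || password)); the salt is stored in clear."""
    out: Dict[str, Tuple[bytes, str]] = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, sha1_hex(salt + p.encode()))
    return out


def crack_unsalted(db: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Each guess is hashed once and looked up against every stored hash at the same time,
    so the work is one hash per guess regardless of how many users the database holds."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in db.items():
        by_hash.setdefault(h, []).append(user)
    cracked: Dict[str, str] = {}
    hashes_computed = 0
    for guess in wordlist:
        hashes_computed += 1
        for user in by_hash.get(sha1_hex(guess.encode()), []):
            cracked[user] = guess
    return cracked, hashes_computed


def crack_salted(db: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With a unique salt per user, neither a precomputed table nor a shared lookup helps:
    every guess has to be re-hashed separately for every user."""
    cracked: Dict[str, str] = {}
    hashes_computed = 0
    for user, (salt, h) in db.items():
        for guess in wordlist:
            hashes_computed += 1
            if sha1_hex(salt + guess.encode()) == h:
                cracked[user] = guess
                break
    return cracked, hashes_computed


def compare() -> Tuple[int, int]:
    """Hash computations needed for the same wordlist against the same users, stored both ways."""
    _, n_unsalted = crack_unsalted(store_unsalted(USERS), WORDLIST)
    _, n_salted = crack_salted(store_salted(USERS), WORDLIST)
    return n_unsalted, n_salted


if __name__ == "__main__":
    n_unsalted, n_salted = compare()
    print(f"unsalted: {n_unsalted} hashes for {len(USERS)} users")
    print(f"salted:   {n_salted} hashes for {len(USERS)} users")
```

Both storage schemes give up the same three weak passwords, but the salted database costs a hash per user per guess instead of a hash per guess, and that cost grows linearly with the number of users. A salt alone does not fix the GPU rates quoted above, since SHA-1 and MD5 remain fast to compute; the complementary mitigation is a deliberately slow password hash such as bcrypt, scrypt or Argon2, used together with a per-user salt.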
The post Hackers Can Crack Down 59% Of Passwords Within an Hour appeared first on Cyber Security News.