In an advisory released by the company, Apple revealed patches for three previously unknown bugs it says may already have been used by attackers.
Hackers Exploit Windows Search Feature to Execute Malware on Infected Systems
Malware authors persistently seek novel approaches to exploit unsuspecting users in the active cyber threat landscape.
To help users locate files, folders, and other items on a Windows system, Microsoft Windows offers a powerful built-in tool known as the Windows search feature.
Unexplored by many, the “search-ms” URI protocol handler in Windows allows potent local and remote searches, but security researchers at Trellix warn of potential exploitation.
Infection Chain
Cybersecurity researchers at Trellix Advanced Research Center revealed that this new attack technique exploits the “search-ms” URI protocol with JavaScript on websites and HTML attachments.
This expands the attack surface, and the same technique also abuses the related “search” protocol.
Threat actors exploit the “search-ms” protocol to deceive users with emails, compromised websites, and disguised remote files to make them execute malicious code unknowingly.
Besides this, security analysts detected several phishing emails using the “search-ms” protocol to deliver a malicious payload, masked as urgent sales quotation requests.
Various attack variants involve emails with HTML/PDF attachments containing URLs to compromised websites using the ‘search-ms’ URI protocol handler, while embedded scripts in HTML files can also trigger the attack.
Once the link in the email or attachment is clicked, users are redirected to a website that invokes the “search-ms” URI protocol handler; the GET request for page.html returns a suspicious script.
Experts uncovered numerous PowerShell file variants in this investigation, including:
The “over.ps1” file downloads an ISO file.
PowerShell scripts directly download the DLL payload and execute it.
PowerShell scripts that trigger the download of a zip file containing an EXE payload.
PowerShell scripts that download and execute DLL files.
PowerShell scripts that download and execute VBS files.
The campaign deploys remote access trojans (RATs) like Async RAT and Remcos RAT to gain unauthorized control over infected systems, facilitating:
Data theft
User monitoring
Command execution
The Remcos RAT employs null byte injection in its EXE payload to evade security products. The attacker employs a proactive approach, continuously updating files to avoid security product detection, and bypassing static signatures and known IoCs.
Security analysts found attacker-controlled file servers, some lacking authentication, posing a significant security risk by enabling easy access for further exploitation.
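The infection chain above hinges on a “search-ms:” or “search:” URI reaching the Windows protocol handler from an HTML attachment, a web page, or a script. The following detector is an added example, not code from the Trellix report or the original post: it normalizes the layers of encoding a phishing page typically hides behind (HTML entities, single or double percent-encoding), then flags URIs that use the “search-ms” scheme outright, or the plain “search” scheme when the handler’s documented parameters (query, crumb, displayname) are present, which keeps ordinary prose such as “Search: type a keyword” from triggering. The HTML samples are constructed for the demonstration; `example.invalid` is a placeholder, not an indicator from the campaign.

```python
"""Flag search-ms / search URI handler invocations in HTML bodies and attachments."""
import html
import re
from urllib.parse import unquote

# Parameters documented for the search-ms protocol. A bare "search:" hit is only
# reported when one of these follows it, which filters out prose false positives.
SEARCH_PARAMS = ("query=", "crumb=", "displayname=", "location:")

# A URI token that starts with search: or search-ms: and runs up to a delimiter.
URI_RE = re.compile(r"\bsearch(?:-ms)?\s*:[^\s\"'<>)]*", re.IGNORECASE)


def normalize(text):
    """Undo HTML entities (&#115;earch-ms:) and percent-encoding (search%3A).
    unquote is applied twice to catch double-encoded payloads; it is a no-op
    on text that carries no percent sequences."""
    decoded = html.unescape(text)
    return unquote(unquote(decoded))


def find_search_uris(text):
    """Return one finding per suspicious URI: scheme, the decoded URI, and
    whether it points at a remote/UNC location (the pattern used to deliver
    a disguised remote file)."""
    findings = []
    for match in URI_RE.finditer(normalize(text)):
        raw = match.group(0)
        scheme = raw.split(":", 1)[0].strip().lower()
        lowered = raw.lower()
        has_params = any(param in lowered for param in SEARCH_PARAMS)
        if scheme == "search-ms" or has_params:
            findings.append({
                "scheme": scheme,
                "uri": raw,
                "remote": "\\\\" in raw or "location:" in lowered,
            })
    return findings


# Constructed samples (not taken from the campaign): a lure page that hands the
# browser a search-ms link and a percent-encoded "search:" redirect, and a benign
# page that merely mentions the word "Search:".
MALICIOUS_HTML = """
<html><body>
<a href="search-ms:query=invoice&crumb=location:\\\\example.invalid\\share&displayname=Downloads">Open quotation</a>
<script>window.location.href = "search%3Aquery%3Dquote%26crumb%3Dlocation%3A%5C%5Cexample.invalid%5Cshare";</script>
</body></html>
"""
BENIGN_HTML = (
    "<html><body><p>Search: type a keyword. "
    "See https://example.invalid/search:results</p></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_HTML), ("benign", BENIGN_HTML)):
        hits = find_search_uris(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  scheme={hit['scheme']} remote={hit['remote']} uri={hit['uri']}")
```

Run against mail-gateway or proxy captures, the `remote` flag is the one worth alerting on first: a search-ms URI whose crumb points at a network location is the variant that makes a remote file look like a local search result.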
Recommendations
The researchers’ recommendations are as follows:
Make sure to exercise caution and be vigilant about untrusted links.
It is crucial not to click on suspicious URLs or download files from unknown sources to avoid potential risks.
Beware of the exploitation of the “search” / “search-ms” URI protocol handler to deliver malicious payloads to systems.
Make sure to avoid engaging with potentially harmful links and files.
Always keep your system and AV tools updated with the available latest security patches and updates.
Make sure to use a robust AV solution.
The post Hackers Exploit Windows Search Feature to Execute Malware on Infected Systems appeared first on Cyber Security News.
Tor Claims Network is Safe Amid Law Enforcement Infiltration to Expose Criminals
The Tor Project has responded to recent reports that law enforcement agencies in Germany have successfully infiltrated the Tor network to unmask criminals, stating that “Tor users can continue to use Tor Browser to access the web securely and anonymously.”
An investigative report by German media outlets Panorama and STRG_F revealed that German police had surveilled Tor servers for months, using timing analysis techniques to deanonymize users of darknet sites.
The report claimed this led to the identification and arrest of an administrator of a pedophile forum.
In response, the Tor Project acknowledged that one user of an outdated application called Ricochet was likely deanonymized through a “guard discovery attack.” However, they emphasized that this vulnerability has since been patched in current versions of Tor software.
“For the great majority of users worldwide that need to protect their privacy while browsing the Internet, Tor is still the best solution for them,” the Tor Project stated.
They encouraged users to keep their software up-to-date to benefit from the latest security improvements.
The organization noted that the reported attacks occurred between 2019 and 2021, and that since then it has implemented new processes to identify and remove potentially malicious relays from the network.
They also highlighted that the number of exit nodes has increased significantly in recent years, improving the network’s speed and capacity.
However, the Tor Project expressed frustration at not being given full access to details of the reported attacks. They have called for anyone with additional information to contact them securely to help assess any remaining vulnerabilities.
While acknowledging the potential for misuse, the Tor Project defended the importance of online anonymity tools, stating: “Tor is one of the few alternatives that provide a vision and actionable model for a decentralized Internet that make this sort of attack impractical for those who seek to surveil a large portion of internet users.”
The organization encouraged volunteers to contribute bandwidth and relays to further strengthen and diversify the Tor network against potential attacks or surveillance efforts.
The post Tor Claims Network is Safe Amid Law Enforcement Infiltration to Expose Criminals appeared first on Cyber Security News.
Megazord Ransomware Attacking Healthcare And Government Entities
Hackers primarily use ransomware to gain financial gain from their victims by blackmailing them for payments to recover their encrypted files and systems.
However, ransomware can also be weaponized as a destructive cyber weapon that creates confusion in critical infrastructures.
Megazord ransomware has been actively attacking healthcare and government entities.
Megazord Ransomware Attack
In addition, ransomware can also be deployed by some threat actors who steal data that is then sold on deep web markets or used for carrying out further extortions.
Certain hackers may be driven by political reasons to deploy ransomware against enemy countries or ideological enemies.
Megazord is a Rust-coded ransomware targeting healthcare, education, and government. Initial access originates from spear-phishing and exploiting vulnerabilities.
It uses RDP and IP scanners to move laterally within victim networks. After compromise, it terminates processes and services before encrypting local storage and files.
It primarily focuses attacks on critical sectors like healthcare.
Files encrypted with the “POWERRANGES” extension include a ransom note named “powerranges.txt” in each affected folder. The note directs victims to contact the threat actor via the TOX messenger using a unique Telegram channel link.
Various industries are indiscriminately targeted by Megazord operators, who seek initial entry through techniques such as spear phishing and exploiting vulnerabilities.
They utilize LOLBINS and existing infrastructure to extend their stay on a network using Remote Desktop Protocol (RDP), Advanced IP Scanner, and NET.EXE for moving laterally.
Megazord terminates numerous processes and services at execution to facilitate encryption done by separate CMD.EXE instances and looks for local virtual machines in an attempt to terminate them.
Apart from this, Megazord shares several code similarities with Akira, which is why it is thought to be linked to the Akira ransomware.
Symantec detects this threat under the following signatures:
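The two host artifacts named above, the “POWERRANGES” extension and a “powerranges.txt” note dropped into each affected folder, are what an incident responder sweeps for first. The script below is an added example, not Symantec’s or the original post’s code: it walks a directory tree, collects encrypted files and ransom notes, and reports how many encrypted files each directory holds so the scope of the encryption run can be judged. The sample tree it builds is constructed in a temporary directory for the demonstration; the note content is a placeholder, not the real ransom note.

```python
"""Sweep a directory tree for Megazord ransomware artifacts: files with the
POWERRANGES extension and powerranges.txt ransom notes."""
import os
import tempfile
from collections import defaultdict

# Indicators as described in the report; matching is case-insensitive so that
# both "POWERRANGES" and any lower-case variant are caught.
ENCRYPTED_EXT = ".powerranges"
NOTE_NAME = "powerranges.txt"


def sweep(root):
    """Return a dict with the encrypted file paths, the ransom note paths, and a
    per-directory count of encrypted files."""
    result = {"encrypted": [], "notes": [], "per_dir": defaultdict(int)}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                result["encrypted"].append(path)
                result["per_dir"][dirpath] += 1
            elif lowered == NOTE_NAME:
                result["notes"].append(path)
    result["per_dir"] = dict(result["per_dir"])
    return result


def build_sample_tree():
    """Constructed sample (not real victim data): two folders encrypted and
    noted, one folder untouched. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="megazord_demo_")
    layout = {
        "finance/q1.xlsx.POWERRANGES": b"",
        "finance/powerranges.txt": b"constructed ransom note placeholder",
        "hr/contracts.docx.POWERRANGES": b"",
        "hr/powerranges.txt": b"constructed ransom note placeholder",
        "public/readme.txt": b"untouched",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = sweep(build_sample_tree())
    print(f"encrypted files: {len(report['encrypted'])}")
    print(f"ransom notes:    {len(report['notes'])}")
    for directory, count in report["per_dir"].items():
        print(f"  {directory}: {count} encrypted")
```

Point `sweep()` at a mounted forensic image or a file-server root; a directory that holds a note but no encrypted files is worth a second look, since it can indicate an encryption run that was interrupted or a folder the ransomware skipped.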
File-Based
Ransom.Akira!g2
Trojan.Gen.MBT
W97M.Downloader
WS.Malware.1
Machine Learning-Based
Heur.AdvML.A!300
Heur.AdvML.B
Heur.AdvML.B!100
Heur.AdvML.B!200
The post Megazord Ransomware Attacking Healthcare And Government Entities appeared first on Cyber Security News.