As the second Kaminsky Fellow, Andrews will study the use of threat intelligence to track campaigns against the human rights community.
Related Posts
New CloudSorcerer APT Group Exploits Cloud Services And GitHub For C2 Servers
Attackers take advantage of cloud services and GitHub because they are highly popular and hold massive amounts of data, including intellectual property, sensitive information, and credentials that are lucrative to them.
Beyond that, misconfigured cloud settings or public repositories can lead to inadvertent data exposure, and the collaborative nature of these services can be used as a medium for launching malware attacks or reaching larger systems.
Cybersecurity analysts at Kaspersky Lab recently detected that the new CloudSorcerer APT group has been actively exploiting cloud services and GitHub for its C2 servers.
CloudSorcerer APT Group
In May 2024, CloudSorcerer was discovered targeting Russian government institutions.
Microsoft Graph, Yandex.Cloud, Dropbox, and GitHub serve as command-and-control (C2) infrastructure for this highly advanced cyber-espionage malware.
Here, the C2 channels are implemented via APIs with authorization tokens.
It is broken down into two main modules for communication and data collection, relying on COM object interfaces for malicious actions and a pre-defined charcode table to decode commands issued via a fixed sequence of characters.
CloudSorcerer is a C-based PE binary whose behaviour depends on the process it is running in. When that process is mspaint.exe, it functions as a backdoor for data collection and code execution.
When it is msiexec.exe, it initiates C2 communication; in any other process, it only injects shellcode into specific processes.
The malware collects system information, executes various commands such as file operations, shellcode injection, and PE file mapping, and uses Windows pipes for inter-process communication to send collected data to the C2 module.
The malware collects the following data:
Computer name
User name
Windows subversion information
System uptime
The initial C2 for CloudSorcerer’s C2 module can be a GitHub page or even a Russian cloud photo server.
From there it extracts and decodes a hidden hex string with the aid of the charcode table, which reveals the specific cloud service to be used as well as an authentication token (Microsoft Graph or Yandex).
This approach lets the malware blend in with legitimate traffic while switching from one cloud service to another for its C2 operations.
CloudSorcerer’s C2 module connects to cloud APIs using internet functions and the decoded authentication token. It spawns two threads for asynchronous communication with the backdoor module through Windows pipes.
The C2 module receives and decodes commands from the cloud, passes them to the backdoor, and uploads execution results and exfiltrated data, enabling covert communication and data transfer.
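The behaviour described above (mspaint.exe and msiexec.exe talking to cloud APIs over HTTPS) gives defenders a concrete telemetry check. The following is an added example, not code from the article or from Kaspersky: it scans Sysmon-style network-connection events and flags the two process names named in the article reaching cloud API hosts. The hostnames are assumed public API endpoints for the services the article names, and the event lines are constructed samples, not real indicators.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Processes the article reports CloudSorcerer running inside.
SUSPICIOUS_IMAGES = {"mspaint.exe", "msiexec.exe"}

# ASSUMED public API hostnames for the services named as C2 in the article;
# the article names the services, not hosts. Tune to your own telemetry.
CLOUD_API_HOSTS = {
    "graph.microsoft.com": "Microsoft Graph",
    "api.github.com": "GitHub",
    "api.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex.Cloud",
}

# key=value pairs; values may contain spaces (e.g. "C:\Program Files\...").
EVENT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass(frozen=True)
class Finding:
    image: str
    host: str
    service: str


def parse_event(line: str) -> dict:
    """Parse one Sysmon-like 'key=value key=value' line into a dict."""
    return dict(EVENT_RE.findall(line))


def is_suspect(event: dict) -> Optional[Finding]:
    """Flag a connection from mspaint/msiexec to a known cloud API host."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    host = event.get("DestinationHostname", "").lower()
    if image in SUSPICIOUS_IMAGES and host in CLOUD_API_HOSTS:
        return Finding(image, host, CLOUD_API_HOSTS[host])
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every suspect event line."""
    return [f for f in (is_suspect(parse_event(l)) for l in lines) if f]


# Constructed sample telemetry (not real IoCs): two hits, two benign lines.
SAMPLE_EVENTS = [
    r"EventID=3 Image=C:\Windows\System32\mspaint.exe DestinationHostname=graph.microsoft.com DestinationPort=443",
    r"EventID=3 Image=C:\Windows\System32\msiexec.exe DestinationHostname=api.github.com DestinationPort=443",
    r"EventID=3 Image=C:\Program Files\Git\cmd\git.exe DestinationHostname=api.github.com DestinationPort=443",
    r"EventID=3 Image=C:\Windows\System32\mspaint.exe DestinationHostname=update.example.internal DestinationPort=443",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"ALERT: {f.image} -> {f.host} ({f.service})")
```

Because msiexec.exe legitimately runs during software installs, treat a hit as a triage lead (check the parent process and whether a named pipe to a second suspicious process exists) rather than a verdict on its own.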
The post New CloudSorcerer APT Group Exploits Cloud Services And GitHub For C2 Servers appeared first on Cyber Security News.
HPE OneView Vulnerability Let Attacker Bypass Authentication
Three security flaws have been identified in Hewlett Packard Enterprise OneView software that could be exploited remotely to allow authentication bypass, disclosure of sensitive information, and denial of service.
HPE OneView is an integrated IT infrastructure management software that automates IT operations and streamlines infrastructure lifecycle management, including computing, storage, and networking.
Vulnerabilities Disclosed
CVE-2023-30908 – Remote Authentication Bypass
CVE-2022-4304 – Disclosure of sensitive information
CVE-2023-2650 – Denial of Service
CVE-2023-30908 – Remote Authentication Bypass
This vulnerability, with a CVSS score of 9.8, enables an attacker to bypass authentication and obtain unauthorized access to HPE OneView. The flaw is caused by the way HPE OneView manages user credentials.
An attacker might take advantage of this vulnerability by sending the HPE OneView server a specially crafted request.
The CVE-2023-30908 flaw was reported by Sina Kheirkhah (@SinSinology) of the Summoning Team (@SummoningTeam) in association with the Trend Micro Zero Day Initiative.
CVE-2022-4304 – Disclosure of Sensitive Information
A timing-based side channel in the RSA decryption implementation in OpenSSL may allow a remote attacker to recover sensitive information. An attacker might exploit this issue by sending an excessively large number of trial messages for decryption.
CVE-2023-2650 – Denial of Service
A remote attacker might exploit this issue to launch a denial of service (DoS) attack on HPE OneView. The flaw lies in the way OpenSSL handles the OBJ_obj2txt() function.
An attacker might take advantage of this flaw by sending a specially crafted request to the HPE OneView server.
Impacted Versions
HPE OneView – Prior to v8.5 and v6.60.05 patch
Fix Available
To address these vulnerabilities, HPE has released the following software updates for Hewlett Packard Enterprise OneView:
Hewlett Packard Enterprise OneView v8.5 or later
Hewlett Packard Enterprise OneView v6.60.05 LTS
You can visit the HPE Support Center to download the latest software.
HPE has issued fixes for the impacted HPE OneView versions. To protect systems from these vulnerabilities, users should apply the updates as soon as feasible.
The post HPE OneView Vulnerability Let Attacker Bypass Authentication appeared first on Cyber Security News.
Cyber Security News
Brave: Sharp increase in installs after iOS DMA update in EU
Brave has seen a sharp increase in users installing its privacy-focused Brave Browser on iPhones after Apple introduced changes to adhere to the new European Digital Markets Act. […]
BleepingComputer