The Alphv/BlackCat ransomware gang has taken responsibility for the February cyberattack that hit social media site Reddit.
The post Ransomware Gang Takes Credit for February Reddit Hack appeared first on SecurityWeek.
SecurityWeek RSS Feed
Sandman APT Attacks Telcos Organizations to Steal System Information
Due to its vital infrastructure and the enormous quantity of sensitive data it manages, which includes both personal and business communications, the telecommunications sector is aggressively targeted by hackers.
Cyberattacks on telecommunications can lead to:
Service disruptions
Data breaches
National security risks
In August 2023, SentinelLabs and QGroup GmbH identified a previously unknown threat cluster targeting telecoms: an actor dubbed ‘Sandman’ deploying a LuaJIT-based backdoor dubbed ‘LuaDream.’
Researchers at SentinelLabs reported recently that the Sandman APT group is actively targeting telecom companies to deploy LuaDream malware and steal system information.
Security experts noted a clear focus on telecom providers across diverse regions in the activity cluster, as evidenced by C2 netflow data.
The targeted regions are:
Middle East
Western Europe
South Asian subcontinent
Targeted victims (Source – SentinelLabs)
LuaDream is a multi-component backdoor with multi-protocol capabilities, including:
Managing plugins
Exfiltrating system data
Exfiltrating user data
Technical Analysis
LuaDream’s architecture indicates an actively developed, versioned project with modular, multi-protocol capabilities, which include:
Stealing data for precise follow-up attacks.
Controlling plugins to expand LuaDream’s capabilities.
Accurate clustering is challenging because of the actor’s sophisticated tradecraft, which points to a motivated adversary with likely espionage goals, targeting communication providers for sensitive data.
The string artifacts and compilation timestamps of LuaDream point to malware development activities in the first half of 2022, suggesting probable activity beginning in that year.
Experts can’t attribute LuaDream to known actors but lean toward private contractors. LuaJIT’s use in APT malware, historically associated with Western actors, is expanding to a broader threat landscape, as seen with Sandman APT.
Security analysts saw Sandman compromise specific workstations during August 2023 using pass-the-hash techniques and stolen credentials. Sandman concentrated primarily on deploying LuaDream, with an average of five days elapsing between endpoint intrusions.
As part of the LuaDream loading process, Sandman used DLL hijacking: a malicious ualapi.dll was loaded by the Print Spooler service without the service being restarted.
The DLL images involved in LuaDream staging are:
ualapi.dll
MemoryLoadPex64.dll
common.dll
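A defender can hunt for the staging described above by scanning image-load telemetry for these DLL names. The following is an added example (not code from the article or SentinelLabs): it classifies Sysmon-style ImageLoad (Event ID 7) records, using the Sysmon field names Image, ImageLoaded and Signed; the records and their RecordId values are constructed for the demo.

```python
# Added example: flag the LuaDream staging DLLs named in the article in
# Sysmon-style ImageLoad records. Field names follow Sysmon Event ID 7
# (Image, ImageLoaded, Signed); the records below are constructed samples.

STAGING_DLLS = {"ualapi.dll", "memoryloadpex64.dll", "common.dll"}

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"RecordId": 1, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\ualapi.dll", "Signed": "false"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\winspool.drv", "Signed": "true"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\ProgramData\MemoryLoadPex64.dll", "Signed": "false"},
    {"RecordId": 4, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\common.dll", "Signed": "true"},
]


def dll_name(path):
    """Return the lowercase file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'high', 'medium' or None for one ImageLoad record."""
    name = dll_name(event["ImageLoaded"])
    loader = dll_name(event["Image"])
    signed = str(event.get("Signed", "false")).lower() == "true"
    # spoolsv.exe loading a DLL named ualapi.dll is exactly the hijack the
    # article describes, so it is flagged regardless of signature state.
    if name == "ualapi.dll" and loader == "spoolsv.exe":
        return "high"
    # The other staging names are only notable when the image is unsigned,
    # because benign software may legitimately ship its own common.dll.
    if name in STAGING_DLLS and not signed:
        return "medium"
    return None


def scan(events):
    """Return (RecordId, severity) for every record that classify() flags."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((event["RecordId"], severity))
    return hits


if __name__ == "__main__":
    for record_id, severity in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {severity}")
```

Feed it real Event ID 7 records exported from Sysmon or an EDR to apply the same logic in a hunt.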
Besides this, the C2 details were embedded in LuaDream’s configuration, and the backdoor was found to communicate over the WebSocket protocol with mode.encagil[.]com.
Netflow data analysis shows a lack of C2 infrastructure segmentation, as multiple LuaDream deployments in different regions communicate with the same server.
Sandman’s attribution, like that of elusive actors such as Metador, remains unresolved. LuaDream exemplifies the ongoing innovation in cyber espionage malware.
The post Sandman APT Attacks Telcos Organizations to Steal System Information appeared first on Cyber Security News.
Cyber Security News
Lazarus Hackers Exploited Windows kernel 0-day In The Wild
The Lazarus threat group has been exploiting a Microsoft vulnerability in the Windows kernel, a privilege escalation flaw, to establish a kernel-level read/write primitive.
The vulnerability, previously unknown, exists in appid.sys, the AppLocker driver.
It has been assigned CVE-2024-21338 and was addressed by Microsoft in its February patch.
Once the primitive is established, the threat actors can perform direct kernel object manipulation in the new version of their FudModule rootkit. The rootkit has advanced significantly in its handle table entry manipulation techniques.
According to the Avast report, the threat actors were previously using BYOVD (Bring Your Own Vulnerable Driver) techniques for establishing the admin-to-kernel primitive, which is a noisy method.
But it seems like this new zero-day exploitation has paved a new way for establishing kernel-level read/write primitives.
Further investigation showed that this issue stems from a gray area in Windows security that Microsoft has left open for a long time.
Microsoft only reserves the right to patch admin-to-kernel vulnerabilities, stating that “administrator-to-kernel is not a security boundary”.
This means that threat actors who already hold admin-level privileges are still able to exploit the Windows kernel. Since this is an open space for attackers, they try to exploit vulnerabilities in every possible way to reach the kernel.
Once kernel-level access is achieved, the threat actors can do any kind of malicious activities, including disruption of software, concealing infection indicators, kernel-mode telemetry disabling, and much more.
Three categories of admin-to-kernel exploits were identified, each with a trade-off between attack difficulty and stealth:
N-day BYOVD exploits (require the attacker to drop a vulnerable driver on the file system and load it into the kernel)
Zero-day exploits (require the attacker to discover a zero-day vulnerability)
Beyond BYOVD (the approach used by the Lazarus threat group to exploit the kernel)
The Lazarus group chose the third method of kernel exploitation for its stealth in crossing the admin-to-kernel boundary on Windows systems.
This approach also minimizes the need to swap in another vulnerability, which lets the threat actors remain undetected for longer periods.
The threat group’s exploitation begins with a one-time setup for both the exploit and the rootkit, dynamically resolving all necessary Windows API functions. The exploit then inspects the build number to check whether the version is supported by the rootkit.
If it is supported, the hard-coded constants are tailored to the build version, sometimes down to the build revision.
This is done so that the exploit runs without interruption and supports a wide range of target machines.
The FudModule rootkit is a data-only rootkit: through its read/write primitive, a user-mode thread can read and write arbitrary kernel memory via system calls.
It is executed entirely from user space, and kernel tampering is performed with the rootkit’s privileges.
The post Lazarus Hackers Exploited Windows kernel 0-day In The Wild appeared first on Cyber Security News.
Cyber Security News
6 Simple Steps to Eliminate SOC Analyst Burnout
The current SOC model relies on a scarce resource: human analysts. These professionals are expensive, in high demand, and increasingly difficult to retain. Their work is not only highly technical and high-risk, but also soul-crushingly repetitive, dealing with a constant flood of alerts and incidents. As a result, SOC analysts often leave in search of better pay, the opportunity to move beyond