Hackers Use Weaponized PDF Files to Attack Manufacturing, Commercial, and Healthcare Organizations

Hackers Use Weaponized PDF Files to Attack Manufacturing, Commercial, and Healthcare Organizations

Recently, eSentire TRU (Threat Response Unit) reported that since November 2022, it had observed the resurrection of a malicious campaign that Hackers Attack on targets explicitly the following organizations:-

Manufacturing

Read moreBuilding cyber skills and roles from CyBOK foundations

Commercial

Healthcare

Read moreAccessibility as a cyber security priority

While cybersecurity researchers acknowledge that the campaign is being carried out by threat actors who are native Russian speakers.

In this analysis, experts mainly focus on four separate instances where Bluesteel, a machine-learning tool for PowerShell of eSentire, identified harmful commands executing a script from a domain under the control of an attacker.

Weaponized PDF Files as Initial Vector

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

Here the phishing email has been identified as the initial infection vector.

To distribute the malicious payload, the Hackers attack are actively adopting email hijacking, and via PDF attachments, they deliver the malicious payload.

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

To deceive users into thinking the domain is genuine, the attackers include the sender domain within the Vesta Control Panel.

The user is redirected to saprefx[.]com domain via a link to the domain embedded with the PDF attachment.

Read moreS3 Ep135: Sysadmin by day, extortionist by night

The behavior of the domain changes depending on the user’s location.

Here we have mentioned the two options available:-

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

Users will either be redirected to the final domain with the JavaScript payload.

Or 

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

Users will encounter the TeamViewer installer page.

Generally, the compromised WordPress websites are the hosting platform for the JavaScript payload.

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

By utilizing the InstallProduct method, the malicious script downloads and executes the MSI file, and all this occurs when the user opens the JavaScript attachment.

Using the C drive’s serial number as a parameter, the VBS file establishes a connection to the C2 server.

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

It subsequently fetches the Windows Installer product and stealthily launches it in the background without the user’s knowledge.

Several tools and scripts are included inside the MSI files, and they are mainly tailored to capture screenshots of the computer when it was infected.

Read moreCISA, NSA Issue New IAM Best Practice Guidelines

This process is executed through the implementation of an AutoHotKey script. And here below, we have mentioned the tools that are observed:-

AutoIt

Read more6 Ways to Mitigate Risk While Expanding Access

Python scripts

i_view32.exe

Hackers Use Weaponized PDF Files to Attack

Read moreHypervisors and Ransomware: Defending Attractive Targets

In the early stages of the campaign, security analysts observed the threat actors dropping:-

Backdoor

Read moreNIST Launches Cybersecurity Initiative for Small Businesses

Cobalt Strike payload

Python script

Read moreEducating Your Board of Directors on Cybersecurity

The previously mentioned malicious PowerShell command fetches and executes the PowerShell script, which is located at:-

31.41.244[.]142

Read morePersonal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack

The PowerShell script utilizes LoadLibraryA to load kernel32.dll and crypt32.dll.

Then to convert the base64 string into a binary format, it employs the CryptStringToBinaryA function from crypt32.dll.

Read moreMany Vulnerabilities Found in PrinterLogic Enterprise Software

Using CreateToolhelp32Snapshot, the Cobalt Strike loader, acting as the malicious payload, examines the “powershell.exe” process.

The threat actors introduced their personally developed backdoor tool called “resident2.exe” in the second incident, and this tool is a 32-bit executable written in C programming language.

Read moreIndustrial Giant ABB Confirms Ransomware Attack, Data Theft

The threat actors involved in the third incident kickstart their intrusion by manipulating wscript.exe to launch the malicious JavaScript file.

In the last instance of the attack, the threat actors first employed au3.exe, which then generated a chain of additional malicious executables.

Read moreOrganizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

Here below, we have mentioned the files that the threat actors drop:-

Terminal App Service.vbs (C:ProgramDataCis)

Read moreGoogle Cloud Users Can Now Automate TLS Certificate Lifecycle

app.js (C:ProgramDataDored) – similar to the previous case

au3.exe (C:ProgramData2020)

Read moreZyxel Firewalls Hacked by Mirai Botnet

au3.ahk (C:ProgramData2020)

index.js (C:ProgramDataDored) – screenshot sender script, similar to the 3rd incident

Read moreWatch Now: Threat Detection and Incident Response Virtual Summit

i_view32.exe (C:ProgramDataDored)

skev.jpg – screenshot image (C:ProgramDataDored)

Read moreNCC Group Releases Open Source Tools for Developers, Pentesters

hcmd.exe (AppDataRoaminghcmdhcmd.exe)

index.js (AppDataRoaminghcmd)

Read moreMemcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation

hcmd.exe (AppDataRoaminghcmd)

Recommendations

Here below, we have mentioned all the recommendations offered by the security researchers:-

Read morePyPI Enforcing 2FA for All Project Maintainers to Boost Security

Validate that every device has the necessary EDR solutions implemented for enhanced protection.

Make use of PSAT to provide your employees with proper education on the risks involved with commodity stealers and drive-by downloads.

Read moreCredible Handwriting Machine

Ensure there are established protocols for employees to follow when submitting content that may be deemed malicious for proper assessment.

Use Windows Attack Surface Reduction rules to block the execution of downloaded content initiated by JavaScript and VBScript.

Read moreGoogle Is Not Deleting Old YouTube Videos

Looking For an All-in-One Multi-OS Patch Management Platform – Try Patch Manager Plus.

The post Hackers Use Weaponized PDF Files to Attack Manufacturing, Commercial, and Healthcare Organizations appeared first on Cyber Security News.

Read moreFriday Squid Blogging: Peruvian Squid-Fishing Regulation Drives Chinese Fleets Away

   Read More 

Cyber Security News 

Related Posts

Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies
Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies

Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies

[[{“value”:”Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.
The high-severity zero-day vulnerabilities are as follows –

CVE-2024-29745 - An information disclosure flaw in the bootloader component
CVE-2024-29748 - A privilege escalation flaw in the firmware component

"There are indications that the [“}]]   Read More 

The Hacker News | #1 Trusted Cybersecurity News Site 

Critical RCE Flaw in WordPress Bricks Theme Exposes 25,000+ Sites

Critical RCE Flaw in WordPress Bricks Theme Exposes 25,000+ Sites

[[{“value”:”

A critical Remote Code Execution (RCE) vulnerability in the Bricks Builder theme for WordPress has put over 25,000 websites at risk, prompting an urgent security update.

The flaw, identified as CVE-2024-25600, was discovered by a security researcher known as ‘snicco’ and reported to the Patchstack bug bounty program.

WordPress Bricks Theme RCE Flaw

The vulnerability affects all versions of the Bricks Builder theme up to 1.9.6 and allows unauthenticated attackers to execute arbitrary PHP code on the server. 

A hacker could take over an entire site without user credentials. The severity of this RCE flaw has been rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), indicating a critical level of risk.

Document

Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks

.

A majority of the attacks are from the following IP addresses –

200.251.23[.]57

92.118.170[.]216

103.187.5[.]128

149.202.55[.]79

5.252.118[.]211

91.108.240[.]52

Impact and Exploitation

The Bricks Builder theme is a popular WordPress development tool that enables users to create high-performance websites with a code-free approach. Due to its ease of use and developer-friendly components, it has become a preferred choice for many developers.

However, discovering this vulnerability has led to active exploitation, with attackers running malicious PHP code on vulnerable sites.

Patchstack reported that the exploitation attempts began on February 14, just days after the vulnerability was disclosed. 

Wordfence also confirmed the active exploitation of the flaw, having detected multiple attacks.

The Bricks team responded promptly to the disclosure, releasing a security patch with version 1.9.6.1 on February 13, 2024.

The update addressed the root cause of the vulnerability and was made available as a one-click update.

Website administrators using the Bricks Builder theme are strongly advised to update to the latest version immediately to prevent potential exploits.

It is also recommended to check for signs of compromise even after updating, as attackers may have exploited the vulnerability before the patch was applied.

Recommendations for Users

Attention all users: it is highly recommended you upgrade to Bricks version 1.9.6.1 at your earliest convenience.

This latest version includes critical security patches and bug fixes, improving overall system stability and performance.

Failing to update may result in potential system vulnerabilities and data breaches. Kindly take action immediately to ensure the safety and integrity of your system.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

The post Critical RCE Flaw in WordPress Bricks Theme Exposes 25,000+ Sites appeared first on Cyber Security News.

“}]]   Read More 

Cyber Security News