Instagram’s Threads reaches over 100 million users in five days. Mergers and acquisitions. Investments and exits. Executive moves. Company news. Labor markets. Read More
The CyberWire
The all in one place for non-profit security aid.
Hackers Leveraging Extended Attributes To Evade Detection In macOS Systems
Researchers have discovered a novel technique in which a threat actor hides code inside extended attributes to evade detection on macOS devices.
Extended attributes are metadata that several file systems allow to be attached to files and directories. They let users store more information about a file than the standard attributes such as permissions, timestamps, and file size.
The closest previously documented technique dates from 2020, when Bundlore adware hid its payload in resource forks, which were accessed via the special path `filename/..namedfork/rsrc`.
Group-IB experts attribute the samples to the Lazarus APT with medium confidence. Because they have seen only a small number of samples in the wild, the researchers cannot confirm whether there were any victims of this activity.
The malware that was found was termed “RustyAttr,” and it was developed by Lazarus utilizing the Tauri framework.
Extended attributes (EAs) are not shown directly by Finder or Terminal, but they can easily be listed and read with the `xattr` command-line tool.
Researchers say an extended attribute of custom type “test” has been defined by the threat actor.
Tauri is a framework for building lightweight, web-based desktop applications. It lets developers write the backend in Rust and the frontend with web technologies (HTML, CSS, and JavaScript).
The application retrieves the malicious script from the extended attribute and executes it.
The researchers identified two categories of decoy. The first kind actually retrieves a PDF file from filedn[.]com, a file hosting service.
The “Investment Decision-Making Questionnaire” contains questions about game project development and funding. The second decoy only shows a dialog box with the words, “This app does not support this version.”
When the Tauri application runs, it attempts to render an HTML page in a WebView. The threat actor used a random template downloaded from the internet.
However, researchers observed that these pages also loaded a suspicious JavaScript file named “preload.js”.
The ‘invoke’ function in Tauri is an Application Programming Interface (API) that promotes communication between the frontend (JavaScript) and backend (Rust), allowing the frontend to call Rust functions, send arguments, and receive data.
“At the time of our analysis, the files are fully undetected on VirusTotal, likely due to the fact that the malicious components are concealed within the attributes,” researchers said.
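A defender-side triage routine for the technique described above, written for this article and not code from the researchers or from the malware: it inventories a file's extended attributes and flags names outside the `com.apple.` namespace (such as the custom “test” attribute), values that look like script source, and oversized values. The `collect_xattrs_macos` helper, the `SCRIPT_MARKERS` list and the sample attributes are my own assumptions and constructed data.

```python
import re
import subprocess
from typing import Dict, List

# Attributes written by Apple's own tooling (quarantine, FinderInfo, provenance)
# live under this namespace; anything else on an app bundle deserves a look.
APPLE_NAMESPACE = "com.apple."

# Markers of shell/AppleScript source stored where no script belongs (my own list).
SCRIPT_MARKERS = re.compile(
    r"(?:^#!/|\bosascript\b|/bin/(?:ba|z)?sh\b|\bcurl\s|\bbase64\s+(?:-d|--decode)\b|\beval\b)",
    re.MULTILINE,
)


def triage_xattrs(path: str, attrs: Dict[str, bytes], max_benign: int = 1024) -> List[str]:
    """Return findings for one file's extended attributes (name -> raw value).

    Flags non-Apple attribute names, values that look like script source, and
    oversized values, which can hide a payload behind an innocuous name.
    """
    findings = []
    for name, value in attrs.items():
        text = value.decode("utf-8", errors="replace")
        if not name.startswith(APPLE_NAMESPACE):
            findings.append(f"{path}: non-Apple attribute {name!r} ({len(value)} bytes)")
        if SCRIPT_MARKERS.search(text):
            findings.append(f"{path}: attribute {name!r} contains script-like content")
        if len(value) > max_benign:
            findings.append(f"{path}: attribute {name!r} is unusually large ({len(value)} bytes)")
    return findings


def collect_xattrs_macos(path: str) -> Dict[str, bytes]:
    """Read attributes via the macOS `xattr` CLI: `xattr FILE` lists names,
    `xattr -p NAME FILE` prints one value. Assumed helper, not exercised offline."""
    names = subprocess.run(["xattr", path], capture_output=True, text=True, check=True).stdout.split()
    return {n: subprocess.run(["xattr", "-p", n, path], capture_output=True, check=True).stdout
            for n in names}


# Constructed sample modelled on the article: a custom "test" attribute holding a
# small script next to a normal quarantine attribute. Not real malware content.
SAMPLE_ATTRS = {
    "com.apple.quarantine": b"0083;00000000;Safari;",
    "test": b"#!/bin/sh\nosascript -e 'display dialog \"This app does not support this version\"'\n",
}

if __name__ == "__main__":
    for line in triage_xattrs("Decoy.app/Contents/MacOS/Decoy", SAMPLE_ATTRS):
        print(line)
```

Run it against every Mach-O inside an app bundle (`find App.app -type f`) to turn this into a quick sweep; binary attribute values come back as hex from `xattr -p`, so the size check still applies to them.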
The post Hackers Leveraging Extended Attributes To Evade Detection In macOS Systems appeared first on Cyber Security News.
Ransomware Attacks Targeting VMware ESXi Infrastructure Adopt New Pattern
Cybersecurity professionals at Sygnia have observed a notable shift in the tactics of ransomware groups targeting virtualized environments, specifically VMware ESXi infrastructure.
The incident response team has noted a steady increase in these attacks, with threat actors exploiting misconfigurations and vulnerabilities in virtualization platforms to maximize their impact.
Sygnia’s analysis reveals that notorious ransomware groups such as LockBit, HelloKitty, BlackMatter, RedAlert (N13V), Scattered Spider, Akira, Cactus, BlackCat, and Cheerscrypt frequently leverage this attack vector.
These threat actors have adopted a new attack pattern, focusing on data exfiltration before encrypting the targeted systems.
The modus operandi of these ransomware attacks involves gaining initial access to the virtualized environment, escalating privileges, and conducting extensive reconnaissance to identify valuable data.
The threat actors then exfiltrate this data, after which they encrypt the existing files and release the stolen information publicly to inflict additional reputational damage on the targeted organizations.
One of the most alarming aspects of these attacks is the unique actions taken by the threat actors during the ransomware execution phase.
Sygnia’s investigations have revealed that the attackers shut down all virtual machines before initiating the encryption process, targeting the ‘/vmfs/volumes’ folder of the ESXi filesystem. This tactic ensures maximum disruption and makes recovery efforts more challenging for the victims.
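A detection sketch for the execution-phase pattern just described, added here as an illustration rather than anything from Sygnia: it flags an actor that powers off several distinct VMs within a short window and raises severity if the same actor then writes under `/vmfs/volumes/` shortly afterwards. The event tuple shape, thresholds and sample events are my own constructions, not a real ESXi log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed event shape, NOT a real ESXi log format:
# (ISO timestamp, actor, action, target). Actions used: "vm.poweroff", "file.write".
Event = Tuple[str, str, str, str]


def mass_poweroff_alerts(events: List[Event], threshold: int = 3,
                         window_s: int = 120, follow_s: int = 600) -> List[Dict]:
    """Alert when one actor powers off >= threshold distinct VMs within window_s
    seconds; raise severity to "high" if the same actor then writes under
    /vmfs/volumes/ within follow_s seconds (the encryption phase described above)."""
    alerts: List[Dict] = []
    recent = defaultdict(deque)          # actor -> deque of (time, vm) in window
    fired: Dict[str, datetime] = {}      # actor -> time the burst was detected
    for ts_s, actor, action, target in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        if action == "vm.poweroff":
            q = recent[actor]
            q.append((ts, target))
            while q and ts - q[0][0] > timedelta(seconds=window_s):
                q.popleft()
            vms = sorted({vm for _, vm in q})
            if len(vms) >= threshold and actor not in fired:
                fired[actor] = ts
                alerts.append({"actor": actor, "severity": "medium",
                               "first_poweroff": q[0][0].isoformat(),
                               "vms": vms, "datastore_writes": []})
        elif (action == "file.write" and actor in fired
              and target.startswith("/vmfs/volumes/")
              and ts - fired[actor] <= timedelta(seconds=follow_s)):
            alert = next(a for a in alerts if a["actor"] == actor)
            alert["severity"] = "high"
            alert["datastore_writes"].append(target)
    return alerts


# Constructed sample: a burst of shutdowns then a datastore write, plus one
# routine single shutdown the day before that must not alert.
SAMPLE_EVENTS: List[Event] = [
    ("2024-05-19T18:00:00", "vcenter", "vm.poweroff", "test-vm"),
    ("2024-05-20T02:14:01", "root@10.0.0.5", "vm.poweroff", "fileserver01"),
    ("2024-05-20T02:14:07", "root@10.0.0.5", "vm.poweroff", "dc01"),
    ("2024-05-20T02:14:12", "root@10.0.0.5", "vm.poweroff", "sql01"),
    ("2024-05-20T02:14:40", "root@10.0.0.5", "vm.poweroff", "web01"),
    ("2024-05-20T02:15:03", "root@10.0.0.5", "file.write",
     "/vmfs/volumes/datastore1/dc01/dc01.vmdk"),
]
```

Planned maintenance windows will also trip the power-off burst, so in practice the threshold and the actor allow-list need tuning against the environment's normal change activity.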
Attack Kill Chain
Recommended mitigations include regularly patching and updating virtualization infrastructure, enforcing strong access controls, monitoring for suspicious activity, and having a robust incident response plan in place.
A ransomware attack on ESXi infrastructure can be catastrophic, with extensive data loss, operational disruption, financial damage, data theft, and legal and reputational harm that can threaten an organization’s very survival.
The key attack vectors are unpatched vulnerabilities, misconfigurations, phishing, compromised credentials, and insecure workloads.
Organizations must adopt a multi-layered security approach, including timely patching, hardening, network segmentation, strong authentication, and workload protection, to mitigate the risk of ransomware compromising their ESXi infrastructure.
As ransomware groups continue to adapt their tactics, it is crucial for organizations relying on virtualized environments to remain vigilant and proactive in their cybersecurity efforts.
By staying informed about the latest threats and implementing effective defense strategies, businesses can better protect their critical assets and minimize the risk of falling victim to these devastating attacks.
The post Ransomware Attacks Targeting VMware ESXi Infrastructure Adopt New Pattern appeared first on Cyber Security News.
New BLUFFS Bluetooth Attack Methods Can Have Large-Scale Impact: Researcher
An academic researcher demonstrates BLUFFS, six novel attacks targeting Bluetooth sessions’ forward and future secrecy.
The post New BLUFFS Bluetooth Attack Methods Can Have Large-Scale Impact: Researcher appeared first on SecurityWeek.
SecurityWeek RSS Feed