The Spanish National Police has apprehended a Ukrainian national wanted internationally for his involvement in a scareware operation spanning from 2006 to 2011. […] Read More
BleepingComputer
Cyber Attack on DP World Halted Container Movements
DP World Australia, a leading provider of landside freight operations, issued an update on Friday, November 10, on its efforts to address a cybersecurity incident that affected its systems.
The company has been working with cybersecurity experts to restore its terminal operations securely and safely.
The company has made security its top priority and has activated its business continuity plan to keep some freight moving.
This has involved working with industry partners, other ports, and terminal operators to minimize the disruption caused by the incident.
The company is also coordinating with government and private-sector stakeholders to identify and retrieve sensitive inbound freight.
DP World Australia has made significant progress in resolving the cybersecurity incident, with its current focus on testing key systems essential for resuming normal operations and regular freight flow.
The company will provide another update after the testing phase is completed.
A key focus of the ongoing investigation is determining the nature and extent of any unauthorized data access or theft.
DP World Australia recognizes the concerns this may raise among stakeholders and is assessing whether personal information has been affected.
As a proactive measure, the company has notified the Office of the Australian Information Commissioner and is working with it on data security and privacy matters.
DP World Australia remains committed to transparent communication as it works towards fully recovering its operations in the aftermath of this cybersecurity incident.
The company is determined to continue its investigation and remediation work to safeguard the security and integrity of its customers, partners, employees, operations, and data.
DP World Australia is steadfast in its commitment to restoring normal operations as swiftly and securely as possible.
The company is devoted to ensuring the uninterrupted flow of goods and services that support Australia’s economy.
The post Cyber Attack on DP World Halted Container Movements appeared first on Cyber Security News.
Cyber Security News
FTC files complaint against Adobe for deceptive cancellation practices
The Federal Trade Commission has filed a complaint in US federal court against Adobe and two executives, Maninder Sawhney and David Wadhwani, for deceptive practices related to their subscription plans. […] Read More
Earth Hundun Hacker Group Employs Advanced Tactics to Evade Detection
Earth Hundun, a threat group active in the Asia-Pacific region, uses two malware families: Waterbear and Deuterbear.
We first encountered Deuterbear in Earth Hundun’s arsenal in October 2022, signaling its implementation.
This report describes the final-stage Remote Access Trojan (RAT) we recovered from a C&C server used in an Earth Hundun campaign in 2024.
We first examined the Waterbear downloader's network behavior. A case study then shows how the Waterbear RAT and its plugins were deployed in the second stage, and how Waterbear downloaders spread across the victim's network, complicating detection and monitoring.
Deuterbear now supports plugins in shellcode format and runs RAT sessions without a handshake.
Trend Micro's analysis of how Earth Hundun's Waterbear and Deuterbear malware interact with targets demonstrates the group's sophisticated tactics.
A flowchart from a previous campaign shows Waterbear's activity inside a victim's network and the way it proliferates downloaders.
One of the Waterbear campaign attack chains
Initial Stage
As described in our previous report, Waterbear's initial download used three files:
a modified legitimate executable, a loader, and an encrypted downloader.
The Second Stage
Waterbear RAT (A) downloaded the plugin via RAT command 1010 and called its first export function, "Start," to inject it into a target process.
The plugin carries two unencrypted Waterbear downloaders, versions 0.27 and 0.28, and selects one based on the architecture of the target process: 32-bit processes receive 0.27, while 64-bit processes run 0.28, spreading additional downloaders across the host.
These downloaders may connect to different C&C servers from within the victim's network, which obscures the intrusion's trail and shows the threat actor's flexibility in C&C communication.
Command Capabilities:
File Management: Commands for enumerating disk drives, listing files, uploading and downloading files, renaming, creating folders, deleting files, executing files, moving files, and disguising file metadata.
Window Management: Commands for enumerating, hiding, showing, closing, minimizing, maximizing windows, taking screenshots, and setting screenshot events.
Process Management: Commands for enumerating, terminating, suspending, resuming processes, and retrieving process module information.
Network Management: Commands for getting extended TCP tables and setting TCP entry states.
Service Management: Commands for enumerating and manipulating services.
Configuration Management: Commands for getting and setting C&C configurations.
Remote Shell Management: Commands for starting, exiting, and getting the PID of a remote shell.
Registry Management: Commands for enumerating, creating, setting, and deleting registry keys and values.
Basic Control: Commands for getting the current window, setting infection marks, and terminating connections and RAT processes.
Proxy Management: Commands for updating C&C IP addresses, proxying data, shutting down connections, and managing socket handles.
Victim Information Transmission:
Before executing backdoor commands, Waterbear sends detailed victim information to the C&C server, including admin status, system version, host and user names, window text, adapter info, process ID, and infection marks.
Installation Pathway:
Deuterbear uses a two-stage installation process. The first stage involves decrypting and deploying a downloader, which surveys the system and installs the second-stage components.
The first stage components are removed after persistence is achieved to avoid detection.
Command Capabilities:
File Management: Commands for listing files, uploading and downloading files, renaming files, and executing files.
Process Management: Commands for enumerating and terminating processes.
Configuration Management: Commands for collecting and updating downloader configuration data.
Remote Shell Management: Commands for starting, exiting, and getting the PID of a remote shell.
Basic Control: Commands for getting the current window, setting infection marks, and terminating connections and RAT processes.
Plugin Management: Commands for downloading, uninstalling, and executing plugins, including shellcode and PE DLLs.
Victim Information Transmission:
Similar to Waterbear, Deuterbear sends victim information to the C&C server before executing backdoor commands, including admin status, user and host names, OS version, window text, adapter info, process ID, and infection marks.
Differences from Waterbear:
Deuterbear retains fewer commands (20, compared with more than 60 for Waterbear) but supports more plugins, which gives the operators greater flexibility.
It reuses the same HTTPS channel and RC4 traffic key as its downloader, so no separate handshake with the C&C server is needed to establish the RAT session.
Deuterbear is a newer malware family that evolved from Waterbear.
Interestingly, the two families continue to evolve in parallel rather than one replacing the other.
Scanning memory for the downloaders and for the Waterbear and Deuterbear RATs can help organizations detect Earth Hundun attacks. Locating the registry value used to decrypt the Deuterbear downloader can also reveal its presence on a system.
The post Earth Hundun Hacker Group Employs Advanced Tactics to Evade Detection appeared first on Cyber Security News.