Audit finds notable security gaps in FBI’s storage media management
An audit from the Department of Justice’s Office of the Inspector General (OIG) identified “significant weaknesses” in FBI’s inventory management and disposal of electronic storage media containing sensitive and classified information. […]
10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit
Imagine you could gain access to any Fortune 100 company for $10 or less, or even for free. Terrifying thought, isn’t it? Or exciting, depending on which side of the cybersecurity barricade you are on. Well, that’s basically the state of things today. Welcome to the infostealer garden of low-hanging fruit.
Over the last few years, the problem has grown bigger and bigger, and only now are we […]
APT Groups Using HrServ Web Shell to Hack Windows Systems
A web shell is a malicious script or program planted on a server that gives an attacker remote administration of it, i.e. unauthorized access and control.
Attackers plant web shells to gain unauthorized access to a server or website, which lets them execute commands, upload and download files, and manipulate the system for malicious purposes such as:
Data theft
Launching further attacks
Cybersecurity researchers at Securelist (Kaspersky) recently discovered a new web shell dubbed “hrserv.dll” with advanced features such as:
Custom encoding
In-memory execution
During the analysis the researchers also identified related variants dating back to 2021, suggesting the same tooling has been in use since at least that year.
HrServ Web Shell
PAExec.exe creates a scheduled task named ‘MicrosoftsUpdate’ that runs a .BAT file. The batch script copies $public\hrserv.dll into System32, registers it as a service with the ‘sc’ command, and then starts the newly created service.
HrServ starts by registering a service handler and then launches an HTTP server whose traffic uses custom encoding built on:
Base64
FNV1A64 hashing
Specific functions are activated depending on the value of the ‘cp’ GET parameter in incoming HTTP requests, and the DLL also uses a cookie named NID.
These names mimic Google’s (NID is a real Google cookie name), most likely so that the malicious traffic blends in with legitimate requests and is harder to spot in network monitoring.
A cp value of 6 triggers code execution; in one observed scenario a request with a cp value outside the known set activated a versatile implant in system memory.
Commands of the memory implant (Source – Securelist)
The implant creates a file in “%temp%” and then:
Retrieves registry information
Takes actions based on it
Records the output in that file
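The chain described above can be hunted for from both the web-server side and the host side. The Python below is an added example written for this page, not Securelist’s code or anything taken from the HrServ sample: it parses constructed web-server log lines for the ‘cp’ parameter and NID cookie pairing (escalating cp=6 to code execution and treating other values as possible implant activation), checks a constructed task and service inventory for the ‘MicrosoftsUpdate’ task and a service loading hrserv.dll, and includes a plain FNV-1a 64-bit routine for hashing candidate strings when reversing the sample’s custom encoding. The log layout, the /update path, the cookie values, the inventory records and the “Microsoft-lookalike task running a .BAT file” heuristic are all assumptions.

```python
"""Hunting helpers for the HrServ indicators described above.

Added example, not Securelist's code or the HrServ sample. The log layout,
paths and cookie values are constructed; only the indicators (the 'cp' GET
parameter, the NID cookie, cp=6 meaning code execution, the 'MicrosoftsUpdate'
task, hrserv.dll in System32 and Base64/FNV1A64) come from the article.
"""
import re
from urllib.parse import parse_qs

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3


def fnv1a64(data: bytes) -> int:
    """FNV-1a 64-bit: XOR each byte in, then multiply by the prime. Hash
    candidate strings with it when a sample compares hashed names."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


# Constructed W3C-style access log; assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query cs(Cookie) sc-status
SAMPLE_HTTP_LOG = """\
2023-11-20 10:01:02 10.0.0.5 GET /index.html - - 200
2023-11-20 10:01:07 10.0.0.5 GET /update - NID=abc123 200
2023-11-20 10:01:09 10.0.0.5 GET /update cp=6 NID=ZGlyIGM6XA== 200
2023-11-20 10:01:11 10.0.0.9 GET /update cp=6 - 200
2023-11-20 10:01:15 10.0.0.5 GET /update cp=9 NID=AAAA 200
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<cookie>\S+) (?P<status>\d+)$"
)


def parse_cookies(field: str) -> dict:
    """Turn the cs(Cookie) field ('a=1;b=2' or '-') into a dict."""
    cookies = {}
    if field != "-":
        for part in field.split(";"):
            if "=" in part:
                name, value = part.split("=", 1)
                cookies[name.strip()] = value.strip()
    return cookies


def hunt_hrserv_requests(log_text: str) -> list:
    """Flag requests carrying both a 'cp' GET parameter and an NID cookie.
    A real NID cookie only goes to Google hosts, so one arriving at your own
    server next to 'cp' is the network-side tell."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(m["query"]) if m["query"] != "-" else {}
        cookies = parse_cookies(m["cookie"])
        if "cp" not in query or "NID" not in cookies:
            continue
        cp = query["cp"][0]
        verdict = ("code execution (cp=6)" if cp == "6"
                   else f"unrecognised cp={cp}: possible memory implant activation")
        hits.append({"time": m["time"], "ip": m["ip"], "cp": cp, "verdict": verdict})
    return hits


# Constructed host inventory, e.g. exported from 'schtasks /query' and 'sc qc'.
SAMPLE_TASKS = [
    {"name": "MicrosoftsUpdate", "action": r"C:\Users\Public\update.bat"},
    {"name": "MicrosoftEdgeUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
]
SAMPLE_SERVICES = [
    {"name": "hrserv", "image": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "service_dll": r"C:\Windows\System32\hrserv.dll"},
    {"name": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe", "service_dll": ""},
]


def hunt_host_artifacts(tasks: list, services: list) -> list:
    """Look for the persistence chain: a Microsoft-lookalike task running a .BAT
    file (heuristic assumed here, generalising the one name in the article) and
    a service that loads hrserv.dll."""
    findings = []
    for t in tasks:
        name = t["name"].lower()
        if name == "microsoftsupdate" or (
            name.startswith("microsoft") and t["action"].lower().endswith(".bat")):
            findings.append(f"scheduled task {t['name']} runs {t['action']}")
    for s in services:
        if "hrserv.dll" in (s["image"] + " " + s["service_dll"]).lower():
            findings.append(f"service {s['name']} loads {s['service_dll'] or s['image']}")
    return findings
```

Running `hunt_hrserv_requests(SAMPLE_HTTP_LOG)` on the constructed log yields two hits (the cp=6 and cp=9 requests that also carry NID); the cp=6 request without the cookie is deliberately left out so that ordinary parameters named `cp` on your own application do not page the on-call. Tune that rule to your environment: if your application never uses a `cp` parameter, drop the NID requirement and alert on `cp` alone.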
The researchers also found HrServ variants from 2021 that use the same custom encoding. After the implant has been loaded into memory, these variants cover their tracks by deleting the ‘MicrosoftsUpdate’ job and the initial files. Their behavior differs subtly from the new sample despite the shared encoding.
Security analysts could not attribute the TTPs to any known threat actor. According to the report, a government entity in Afghanistan has been identified as a victim.
Since 2021 the web shell has performed in-memory execution via registry tweaks, and it communicates using strings distinct from those of the memory implant. Despite the APT-like behavior, financially motivated traits dominate in this case.
Sysdig’s Alessandro Brucato and Michael Clark join Dave to discuss their work on “AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation.” Attackers are targeting AWS services that are typically considered secure, such as AWS Fargate and Amazon SageMaker, which means defenders generally pay less attention to securing them end to end.
The research states: “The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances.” Spreading across multiple services also complicates response, since defenders have to find and kill the miners in every exploited service.