Posts

Showing posts from August, 2023

North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Image
Three additional rogue Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called  VMConnect , with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the start of the month by the company and Sonatype, VMConnect refers to a collection of Python packages that mimic popular open-source Python tools to download an unknown second-stage malware. The latest tranche is no different, with ReversingLabs noting that the bad actors are disguising their packages and making them appear trustworthy by using typosquatting techniques to impersonate prettytable and requests and confuse developers. The nefarious code within tablediter is designed to run in an endless execution loop in which a remote server is polled periodically to retrie...

Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security

Image
New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework. The findings were presented by Deep Instinct security researcher Daniel Avinoam at the DEF CON security conference held earlier this month. Microsoft's container architecture (and by extension, Windows Sandbox) uses what's called a dynamically generated image to separate the file system from each container to the host and at the same time avoid duplication of system files. It's nothing but an "operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host," thereby bringing down the overall size for a full OS. "The result is images that contain 'ghost files,' which store no actual data but point to a different volume on the system," Avinoam said...

The Hidden Dangers of Public Wi-Fi

Image
Public Wi-Fi, which has long since become the norm, poses threats to not only individual users but also businesses. With the rise of remote work, people can now work from virtually anywhere: a cafe close to home, a hotel in a different city, or even while waiting for a plane at the airport. Next, let's explore the risks of connecting to public Wi-Fi, both for you personally and for businesses. According to the Forbes Advisor the majority of people (56%) connect to public Wi-Fi networks that don't require a password. This convenience comes at a price, and many are unaware that attackers can steal card details, passwords, and other sensitive information. Man-in-the-Middle (MITM) Attacks:  This is one of the most common threats on public Wi-Fi. In an MITM attack, the hacker secretly intercepts and possibly alters the communication between two parties. The user believes they are directly communicating with a website, email server, or another user, but the hacker is relaying t...

MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature

Image
A previously undocumented Android banking trojan dubbed  MMRat  has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud. "The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques, enabling its operators to carry out bank fraud on the victim's device," Trend Micro said. What makes MMRat stand apart from others of its kind is the use of a customized command-and-control (C2) protocol based on protocol buffers (aka protobuf) to efficiently transfer large volumes of data from compromised handsets, demonstrating the growing sophistication of Android malware. Possible targets based on the language used in the phishing pages include Indonesia, Vietnam, Singapore, and the Philippines. The entry point of the attacks is a network of phishing sites that mimic official ap...

China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users

Image
  Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices. Slovakian company ESET attributed the campaign to a China-linked actor called GREF. "Most likely active since July 2020 and since July 2022, respectively, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram," security researcher Lukáš Štefanko said in a new report shared with The Hacker News. Victims have been primarily detected in Germany, Poland, and the U.S., followed by Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen. BadBazaar was first documented by Lookout in November 2022 as target...

Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks

Image
VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution. The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation. "A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," the company  said  in an advisory. ProjectDiscovery researchers Harsh Jaiswal and Rahul Maini have been credited with discovering and reporting the issue. The second weakness, CVE-2023-20890 (CVSS score: 7.2), is an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution. Credited with re...

Lazarus Exploits ManageEngine to Deploy QuiteRAT

Image
  The North Korean state-sponsored Lazarus APT group has initiated a fresh initiative aimed at internet backbone infrastructure and healthcare organizations situated in Europe and the U.S. Cisco Talos reported that the hackers commenced their attack by taking advantage of a vulnerability within ManageEngine ServiceDesk (CVE-2022-47966) as early as January, a mere five days after its disclosure. Diving into details The exploit was employed by Lazarus to establish initial access, prompting the immediate downloading and running of a malicious binary through the Java runtime process, thereby initiating the implant on the compromised server.  This binary represents a modified version of the group’s MagicRAT malware, dubbed  QuiteRAT . The Lazarus Group APT has also introduced a fresh malware named CollectionRAT in this campaign. It functions as a RAT capable of executing arbitrary commands on a compromised system.  Furthermore, security researchers could establish a conne...