
Magecart

T-shirt

Credit Card


# 31,000 users were impacted by a data breach incident at Pro Wrestling Tees

Pro Wrestling Tees reveals a data breach incident that exposed the credit card numbers and CVVs of 31,000 customers due to malware in its systems...

26-Dec-2021
2 min read

# Related Articles


APT

## Arid Viper's AridSpy malware targets Android users in Palestine & Egypt. This mu...

Arid Viper, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, has been an active cyberespionage group since at least 2013. This group, primarily targeting Middle Eastern countries, has recently intensified its efforts in mobile espionage, particularly against Android users in Egypt and Palestine. SecureBlink threat researchers have thoroughly analyzed five ongoing campaigns employing a multistage Android spyware called AridSpy. This detailed analysis aims to dissect the technical nuances, methodologies, and implications of these campaigns.

---

### Campaign Overview

The five identified campaigns primarily distribute AridSpy via dedicated websites impersonating legitimate applications. These include various messaging apps, a job opportunity app, and a Palestinian Civil Registry app. SecureBlink's telemetry detected six occurrences of AridSpy in Palestine and Egypt, indicating targeted espionage operations.

### Distribution Mechanism

AridSpy is distributed through fake, but seemingly functional, Android applications. Victims are lured into downloading these apps from third-party websites, as these apps are not available on the Google Play Store. The distribution websites identified include:

- lapizachat[.]com
- reblychat[.]com
- nortirchats[.]com
- pariberychat[.]com (inactive)
- renatchat[.]com (inactive)

### Technical Nuances of AridSpy

1. **Initial Access and Installation**

   Once a victim downloads the trojanized app, a JavaScript file named `myScript.js`, hosted on the same server, is executed. This script generates the correct download path for the malicious AridSpy payload: it performs an AJAX request to `api.php` on the server, which returns a specific file directory and name. The application installs as a legitimate app but secretly incorporates the first stage of AridSpy. The malware's first stage focuses on avoiding detection by security software and establishing initial communication with the Command & Control (C&C) server.

2. **Multistage Payload Delivery**

   Unlike its earlier single-stage version, AridSpy now operates as a multistage trojan. The initial app acts as a conduit, downloading and installing additional payloads from the C&C server. This approach helps in evading detection and ensures persistence.

   - **First-Stage Payload:** The first-stage payload is an AES-encrypted file downloaded from a hardcoded URL. This payload decrypts itself using a hardcoded key and requests the victim to install it manually. It masquerades as a legitimate Google Play services update. Once installed, it operates independently of the initial app.
   - **Second-Stage Payload:** Named `prefLog.dex`, the second-stage payload contains the main espionage functionality. It is dynamically loaded and executed by the first-stage payload. This payload establishes a persistent connection with the C&C server, ready to receive commands and exfiltrate data.

### Functional Analysis

1. **Data Exfiltration**

   The primary goal of AridSpy is to exfiltrate sensitive user data. The malware is capable of:

   - Capturing images using the device's camera.
   - Recording audio from the microphone.
   - Accessing and uploading contact lists, SMS messages, call logs, and other personal data.
   - Monitoring app usage and collecting keystrokes.

   AridSpy employs various methods to avoid detection during data exfiltration. For instance, it only captures images when the device screen is turned on or off, and only if the battery level is above 15% and at least 40 minutes have passed since the last capture.

2. **Command and Control Communication**

   AridSpy communicates with its C&C server using Firebase for receiving commands and a separate hardcoded domain for data exfiltration. The C&C communication is designed to blend with normal network traffic to evade detection. For instance, it can deactivate itself by changing the exfiltration server to a benign-looking domain, making it less likely to be flagged by network security systems.

3. **Obfuscation Techniques**

   AridSpy uses a trivial string obfuscation technique in which each string is built from a character array. This method is consistent across all stages of the malware, complicating the reverse engineering process for security analysts.

### Campaigns in Detail

1. **LapizaChat Campaign**
   - **Website:** lapizachat[.]com
   - **Description:** This campaign used a trojanized version of the legitimate StealthChat app. The malicious version, modified on July 5th, 2023, and September 18th, 2023, included AridSpy code.
   - **Functionality:** The app provided legitimate messaging services while secretly installing AridSpy.

2. **NortirChat Campaign**
   - **Website:** nortirchats[.]com
   - **Description:** The NortirChat app, based on the legitimate Session messaging app, was modified and distributed with AridSpy code starting from March 19th, 2023.
   - **Functionality:** Similar to LapizaChat, it functioned as a messaging app while deploying AridSpy.

3. **ReblyChat Campaign**
   - **Website:** reblychat[.]com
   - **Description:** This campaign used a trojanized version of Voxer Walkie Talkie Messenger. The modified versions, dated June 8th, 2023, and June 11th, 2023, were distributed with AridSpy.
   - **Functionality:** It provided walkie-talkie communication features while performing espionage activities.

4. **Palestinian Civil Registry Campaign**
   - **Website:** palcivilreg[.]com
   - **Description:** This app claimed to offer information about Palestinian residents. It was advertised via a Facebook page, and the malicious app it distributed communicated with the legitimate server for data retrieval.
   - **Functionality:** The app collected personal data under the guise of providing civil registry information.

5. **Job Opportunity App Campaign**
   - **Website:** almoshell[.]website
   - **Description:** This app purported to offer job opportunities. Unlike the other campaigns, it was not based on a legitimate app but was designed from scratch to lure users into providing personal information.
   - **Functionality:** The app collected sensitive data during the job application process.

### Attribution and Indicators of Compromise (IoCs)

SecureBlink also attributes AridSpy to the Arid Viper group with medium confidence. Key indicators include:

- Targeting organizations in Palestine and Egypt, aligning with Arid Viper's historical focus.
- Use of the `myScript.js` JavaScript file across multiple campaigns, previously linked to Arid Viper.
- The unique distribution method and code similarities to past campaigns, such as the FIFA World Cup in Qatar campaign.

---
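As an added example (not code from the original article or from SecureBlink), the following Python script turns the delivery chain described above into a proxy-log check: it flags any request to the listed distribution domains, and separately flags a client that fetches `myScript.js`, then calls `api.php` on the same host, then downloads a further file from it. The log line format and the sample lines are constructed for this example; the domains are the report's, undefanged so they match log hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Distribution domains named in the report above (defanged there; plain here so they match log hosts).
ARIDSPY_DOMAINS = {
    "lapizachat.com", "reblychat.com", "nortirchats.com", "pariberychat.com",
    "renatchat.com", "palcivilreg.com", "almoshell.website",
}

# Assumed proxy-log layout (constructed for this example): "<date> <time> <client> <method> <url>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) https?://([^/\s]+)(/\S*)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "client": client, "method": method, "host": host.lower(), "path": path}

def find_alerts(lines, window=timedelta(minutes=10)):
    """Two detections: (1) any request to a listed distribution domain; (2) the staging
    sequence the report describes: myScript.js fetched, then api.php called on the same
    host by the same client within `window`, then a further download from that host."""
    alerts, per_client = [], defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["host"] in ARIDSPY_DOMAINS:
            alerts.append(("known_domain", ev["client"], ev["host"] + ev["path"]))
        per_client[ev["client"]].append(ev)
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, s in enumerate(evs):
            if not s["path"].endswith("/myScript.js"):
                continue
            later = [e for e in evs[i + 1:] if e["host"] == s["host"] and e["ts"] - s["ts"] <= window]
            api = next((e for e in later if e["path"].endswith("/api.php")), None)
            if api is None:
                continue
            # First request after api.php that is neither the API nor a script: the generated download path
            dl = next((e for e in later if e["ts"] > api["ts"] and not e["path"].endswith(("/api.php", ".js"))), None)
            alerts.append(("staging_sequence", client, s["host"], dl["path"] if dl else None))
    return alerts

# Constructed sample log lines (not real telemetry). The third client's host is not on the
# domain list, so only the sequence rule can catch it.
SAMPLE_LOG = """2024-06-13 09:00:01 10.0.0.5 GET https://lapizachat.com/
2024-06-13 09:00:02 10.0.0.5 GET https://lapizachat.com/myScript.js
2024-06-13 09:00:03 10.0.0.5 POST https://lapizachat.com/api.php
2024-06-13 09:00:05 10.0.0.5 GET https://lapizachat.com/files/a1/chat.apk
2024-06-13 09:05:00 10.0.0.7 GET https://example.org/index.html
2024-06-13 09:10:00 10.0.0.9 GET https://unlisted-example.net/myScript.js
2024-06-13 09:10:01 10.0.0.9 POST https://unlisted-example.net/api.php
2024-06-13 09:10:04 10.0.0.9 GET https://unlisted-example.net/dl/app.apk
""".splitlines()
```

Running `find_alerts(SAMPLE_LOG)` yields four `known_domain` alerts for the first client and one `staging_sequence` alert each for the first and third clients; the second client, which only visited an unrelated site, produces nothing.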

13-Jun-2024
5 min read

Vulnerability

## Discover the zero-click Outlook vulnerability CVE-2024-30103, allowing remote co...

A newly identified vulnerability in Microsoft Outlook, CVE-2024-30103, has raised alarms because it exposes users to remote code execution (RCE) attacks, potentially granting attackers complete control over affected systems. This flaw, identified by Morphisec Threat Labs researchers Michael Gorelik and Shmuel Uzan in April 2024, presents a significant threat due to its zero-click nature and extensive impact.

### Understanding CVE-2024-30103

#### Discovery and Initial Analysis

In April 2024, Morphisec Threat Labs researchers Michael Gorelik and Shmuel Uzan [discovered](https://blog.morphisec.com/cve-2024-30103-microsoft-outlook-vulnerability) [CVE-2024-30103](https://www.tenable.com/cve/CVE-2024-30103). During routine security audits, they identified a flaw in the way Outlook processes specific email components, leading to a potential buffer overflow.

The vulnerability exists in the way Microsoft Outlook processes certain email components. Specifically, the flaw allows attackers with valid MS Exchange user credentials to send a specially crafted email that triggers the exploit upon opening. This execution requires no user interaction, significantly increasing the attack surface.

#### Key Figures

- **CVE ID:** CVE-2024-30103
- **Discovered By:** Michael Gorelik and Shmuel Uzan, Morphisec Threat Labs
- **Date Discovered:** April 2024
- **Patch Release:** June 2024
- **Affected Software:** Microsoft Outlook
- **Attack Vector:** Zero-click email exploit via Preview Pane
- **Potential Impact:** System compromise, data theft, malware propagation

#### Zero-Click Exploit Mechanics

Unlike traditional phishing attacks that rely on user actions such as clicking malicious links or opening attachments, this vulnerability exploits the email preview functionality in Outlook. When a malicious email is opened, it triggers a buffer overflow, allowing the execution of arbitrary code with the same privileges as the user running Outlook. This exploit vector is particularly dangerous as it can compromise systems without any direct user engagement.

### Timeline of Events

#### Initial Discovery and Reporting

- **April 3, 2024**: Researchers from Morphisec reported the vulnerability to Microsoft under the responsible disclosure policy.

#### Confirmation and Validation

- **April 16, 2024**: Microsoft confirmed the existence of the vulnerability after thorough investigation.

#### Patch Deployment

- **June 11, 2024**: Microsoft released a patch for CVE-2024-30103 as part of its Patch Tuesday updates.

Microsoft's prompt response and effective handling of this complex vulnerability are commendable. Their swift action underscores their commitment to security, especially given the challenging nature of the previous patch.

### Technical Breakdown of the Vulnerability

#### Email Component Processing Flaw

The core of the vulnerability lies in Outlook's handling of email components. When processing certain malformed email headers or content, Outlook fails to properly validate the input, leading to a buffer overflow. This overflow can overwrite critical memory regions, allowing an attacker to inject and execute arbitrary code.

```c
// Example of a vulnerable code snippet (illustrative, not Outlook's actual code)
#include <string.h>

void processEmailContent(char* emailContent) {
    char buffer[256];
    strcpy(buffer, emailContent); // No boundary check, leading to buffer overflow
    // Additional processing...
}
```

In the above instance, the lack of boundary checking in the `strcpy` function results in a buffer overflow if `emailContent` exceeds 256 bytes (255 characters plus the terminating NUL). This simplistic representation underscores the critical nature of proper input validation.

#### Exploit via Preview Pane

Microsoft Outlook's Preview Pane, a feature designed to display email content without requiring the user to open attachments, is a primary attack vector. The preview functionality processes email content in a way that triggers the vulnerability upon rendering the malicious email.

```python
# Python pseudo-code representing the exploit mechanism (illustrative only)
def send_malicious_email(target_email):
    email_content = generate_exploit_payload()
    send_email(to=target_email, content=email_content)

def generate_exploit_payload():
    # Payload generation logic that exploits the buffer overflow
    payload = "A" * 1024      # Example of overflowing buffer
    payload += "\x90" * 100   # NOP sled
    payload += shellcode      # Arbitrary code execution (placeholder, not defined in this pseudo-code)
    return payload
```

In this pseudo-code, the `generate_exploit_payload` function creates a payload designed to overflow the buffer and execute shellcode. The `send_malicious_email` function sends this payload to the target, exploiting the vulnerability when the email is previewed.

### Impact and Potential Consequences

#### System Compromise

Exploiting CVE-2024-30103 allows attackers to execute code with the same privileges as the user running Outlook. This can lead to complete system compromise, data theft, or further malware propagation. Attackers can bypass Outlook's registry block lists and create malicious DLL files, facilitating DLL hijacking.

#### Propagation and Spread

The zero-click nature of this vulnerability enables it to spread rapidly from user to user. As the malicious email only needs to be opened for the exploit to trigger, the vulnerability can propagate through email chains without user awareness.

### Mitigation and Patch Deployment

#### Microsoft's Response

Microsoft addressed CVE-2024-30103 in the June 2024 Patch Tuesday update. The patch fixes the underlying buffer overflow issue by implementing proper input validation and boundary checks in the affected email processing components.

```c
// Patched code snippet with boundary check (illustrative, not Outlook's actual code)
#include <string.h>

void processEmailContent(char* emailContent) {
    char buffer[256];
    if (strlen(emailContent) < sizeof(buffer)) {
        strcpy(buffer, emailContent); // Safe copy: the string and its NUL fit in the buffer
    } else {
        // Handle error: input too long, reject it rather than truncate silently
        return;
    }
    // Additional processing...
}
```

In the patched version, the length of `emailContent` is checked before copying it into the buffer, preventing overflow.

#### Recommendations for Organizations

Organizations are strongly advised to apply the latest patches to all Outlook clients immediately. Additionally, disabling the Preview Pane feature can mitigate the risk of exploitation. Regular security audits and employee training on email security can further reduce the attack surface.

### Future Research and Insights

#### Morphisec's Upcoming Presentation

Morphisec will unveil detailed technical insights and a proof of concept (PoC) for CVE-2024-30103 at the DEFCON 32 conference in Las Vegas. This presentation will provide a deeper understanding of the vulnerability and its exploitation mechanics, aiding security professionals in defending against similar threats.

#### Continuous Vigilance

The discovery of CVE-2024-30103 underscores the importance of continuous vigilance and proactive security measures. As threat landscapes evolve, staying informed about new vulnerabilities and adopting best practices in software development and security can help mitigate risks.

12-Jun-2024
5 min read

FortiGate

Coathanger

## Chinese hackers exploited a FortiGate vulnerability, breaching 20,000 systems gl...

In early 2024, the Dutch Military Intelligence and Security Service (MIVD) issued a stark warning regarding a large-scale cyber-espionage campaign orchestrated by Chinese state-sponsored hackers. This campaign, exploiting a zero-day vulnerability in Fortinet's FortiGate systems, has had a profound impact on global cybersecurity, affecting thousands of systems worldwide. This detailed analysis examines the technical nuances, implications, and strategies employed in this sophisticated attack.

## Overview of the Breach

### The Vulnerability: CVE-2022-42475

The vulnerability in question, [CVE-2022-42475](https://nvd.nist.gov/vuln/detail/CVE-2022-42475), is a critical remote code execution flaw found in FortiOS and FortiProxy. Discovered in 2022, this zero-day exploit allowed attackers to deploy malware on FortiGate network security appliances, compromising their integrity and security.

**Key Points:**

- **Zero-day nature:** Exploited before public disclosure.
- **Scope:** Affected at least 20,000 systems globally.
- **Persistence:** Malware could survive reboots and firmware upgrades.

### Initial Discovery and Impact

The breach was initially [uncovered](https://www.ncsc.nl/actueel/nieuws/2024/juni/10/aanhoudende-statelijke-cyberspionagecampagne-via-kwetsbare-edge-devices) by MIVD and the General Intelligence and Security Service (AIVD) in a joint report in February 2023. It was revealed that over a span of a few months, the Chinese hacking group had infected approximately 14,000 devices. These targets included Western governments, international organizations, and companies within the defense sector.

## Technical Dissection of the Attack

### Exploitation Mechanism

The attackers exploited CVE-2022-42475 to gain remote code execution on vulnerable FortiGate systems. The exploit allowed them to bypass security measures and deploy the Coathanger malware.

**Attack Vector:**

- **Initial Access:** Exploitation of the RCE vulnerability.
- **Payload Deployment:** Installation of the Coathanger RAT.
- **Persistence:** Malware's ability to withstand system reboots and firmware updates.

### Coathanger Malware Analysis

The Coathanger RAT is a sophisticated piece of malware designed to maintain persistent access to compromised systems. It achieves this by intercepting system calls and embedding itself in a manner that resists detection and removal.

**Features:**

- **Stealth:** Intercepts system calls to avoid detection.
- **Persistence:** Survives firmware upgrades and system reboots.
- **Control:** Provides remote access for continuous monitoring and data exfiltration.

Below is an instance of how the Coathanger RAT might intercept system calls:

```c
// Example of system call interception by Coathanger (illustrative: a library-interposition
// hook of the open() wrapper, not Coathanger's actual code)
#define _GNU_SOURCE      // required for RTLD_NEXT
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      // strstr
#include <sys/types.h>   // mode_t
#include <dlfcn.h>

static int (*original_open)(const char *pathname, int flags, mode_t mode);

int open(const char *pathname, int flags, mode_t mode) {
    // Check for specific file accesses
    if (strstr(pathname, "sensitive_file")) {
        // Hide presence by redirecting to a benign file
        pathname = "/dev/null";
    }
    return original_open(pathname, flags, mode);
}

__attribute__((constructor)) void init() {
    // Resolve the real open() that comes after this library in the lookup order
    original_open = dlsym(RTLD_NEXT, "open");
}
```

This snippet illustrates a method of intercepting the `open` system call to redirect accesses to sensitive files, thereby hiding malicious activity.

## Broader Implications and Threat Landscape

### Government and Defense Sector Impact

The breach's impact on governments and defense sectors is significant. Compromised systems within these sectors can lead to severe consequences, including the theft of sensitive data and intellectual property. The infiltration of a Dutch Ministry of Defence network highlights the targeted nature of this campaign.

### International Espionage

The campaign underscores a broader strategy of cyber-espionage conducted by state-sponsored actors. By targeting critical infrastructure and defense sectors, the attackers aim to gain strategic advantages on the global stage.

**Case Study:**

- **Target:** Dutch Ministry of Defence
- **Outcome:** Malware deployed in R&D networks, but network segmentation prevented further spread.

## Mitigation and Response

### Detection and Removal

Detecting and removing the Coathanger RAT is challenging due to its stealth and persistence mechanisms. Traditional antivirus and anti-malware solutions may fail to detect it. Advanced techniques such as behavioral analysis and system integrity checks are required.

### Fortinet's Response

Fortinet released patches to address CVE-2022-42475. However, because the malware persists across upgrades, merely applying patches is insufficient. Comprehensive system audits and manual removal processes are necessary.

**Example Mitigation Steps:**

1. **Apply Security Patches:** Ensure all FortiGate systems are updated with the latest firmware.
2. **Conduct System Audits:** Perform detailed audits to detect signs of malware.
3. **Isolate Compromised Systems:** Immediately isolate any compromised systems to prevent further spread.
4. **Reinstall Firmware:** Reinstall the firmware to eliminate persistent malware.
5. **Monitor for Indicators of Compromise (IoCs):** Continuously monitor systems for signs of compromise.

12-Jun-2024
4 min read