company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Darkweb

loading..
loading..
loading..

Joker's Stash, The Fall of Internet's Largest Carding Market Place

Joker's Stash the largest carding marketplace on DarkWeb for trading stolen card data, has announced a complete shutdown on February 15, 2021

18-Jan-2021
2 min read

Related Articles

loading..

Ukraine

Frosty Goop

Discover how the FrostyGoop malware disrupted heating systems in Ukraine and the...

### Attack on Ukraine’s District Energy Company In January 2024, the FrostyGoop malware inflicted significant damage on a district energy company in Lviv, Ukraine. This attack led to a two-day heating outage affecting hundreds of apartment buildings. The malware targeted temperature controllers, causing them to misread ambient temperatures and fail to provide adequate heating during harsh winter conditions. ### How FrostyGoop Operates FrostyGoop exploits the Modbus TCP protocol, a common communication method in operational technology (OT) environments. The malware alters temperature readings by manipulating this protocol, tricking controllers into misreporting temperatures. This results in cold water being pumped into buildings instead of heated water. ### Role of CSSC & Dragos The Cyber Security Situation Center (CSSC), part of Ukraine’s Security Service, was actively instrumental in identifying and investigating this wide-scale attack. They shared critical details with Dragos, a leading operational technology defense vendor. Dragos then published a [comprehensive report](https://regmedia.co.uk/2024/07/23/dragos_frostygoop-report.pdf) [PDF] on FrostyGoop. This report highlights that FrostyGoop is the first malware to exploit the industrial Modbus protocol in such a direct manner. Additionally, it is only the ninth piece of malware discovered that specifically targets industrial control systems (ICS) devices. ## Technical Details of FrostyGoop ### Modbus Protocol Exploitation Modbus TCP, operating over port 502, is a widely used protocol in ICS environments. Unfortunately, its lack of robust security features makes it susceptible to attacks like FrostyGoop. ##### Modbus Communication ```python import modbus_tk import modbus_tk.defines as defines from modbus_tk import modbus_tcp server = modbus_tcp.TcpServer() server.start() # Create a slave slave = server.add_slave(1) slave.add_block('block1', defines.HOLDING_REGISTERS, 0, 10) # Write to a holding register slave.set_values('block1', 0, [1234]) # Read from a holding register print(slave.get_values('block1', 0, 10)) ``` This code demonstrates how Modbus TCP facilitates communication with ICS devices. FrostyGoop leverages this protocol's weaknesses to execute its payload. ### FrostyGoop Payload Analysis FrostyGoop is written in Golang and communicates with ICS devices using Modbus TCP. The malware employs two JSON-formatted configuration files: 1. **Device Information File**: Contains device IP addresses, Modbus commands, and register addresses. 2. **Execution Timing File**: Specifies when and how long the commands should be executed. This setup allows FrostyGoop to execute commands immediately or schedule them later. ## Incident Timeline ### Initial Compromise On April 17, 2023, attackers exploited a vulnerability in a Mikrotik router, gaining access to the energy provider's network. They deployed a web shell to facilitate data transfer and further network access. ### Malware Deployment By November 2023, attackers had stolen crucial security credentials. On January 22, 2024, they used a Layer Two Tunneling Protocol (L2TP) connection to launch the FrostyGoop attack from a remote Moscow-based IP address. ## Security Implications and Mitigation Strategies ### Protocol Vulnerabilities The Modbus protocol's inherent security flaws make it a prime target for attacks. The lack of authentication and encryption in Modbus TCP allows malware like FrostyGoop to exploit exposed devices. ### Recommended Mitigations 1. Ensure Modbus-connected devices are not accessible from the internet. 2. Enhance security by requiring multiple verification methods. 3. Secure data in transit with Virtual Private Networks (VPNs) and encryption protocols. 4. Regularly monitor ICS environments to detect and respond to threats promptly. Organizations managing ICS environments should review and enhance their security practices. Implement the recommended mitigations to protect against threats like FrostyGoop.

loading..   23-Jul-2024
loading..   3 min read
loading..

Lazarus

WazirX

Crypto

Discover how WazirX's new bug bounty program aims to recover $234.9M stolen cryp...

WazirX, India's largest cryptocurrency exchange, has announced a bug bounty program aimed at recovering $234.9 million in stolen crypto assets. This massive cyberattack has raised the temperature across the crypto space especially amongst the Indian crypto community, raising critical questions about exchange security. In this [Threatfeed](https://www.secureblink.com/cyber-security-news) analysis, we analyze the details of this major crypto hack, explore its implications, and how WazirX is reciprocating to this yet another major crisis. ## Cyberattack Details ### Incident On July 18, WazirX [confirmed](https://x.com/WazirXIndia/status/1813843289940058446) a major cyberattack resulting in the theft of over $230 million worth of investor funds. This theft represents nearly half of the exchange's estimated reserves, marking a significant blow to the Indian cryptocurrency landscape. ### Stolen Assets The stolen cryptocurrencies include: - **ETH:** $52.5 million - **USDT:** $5.79 million - **PEPE:** $7.6 million - **GALA:** $3.5 million - **MATIC:** $11.24 million - **SHIB:** $102 million This caused a 25% drop in the price of WazirX’s native token, WRX. ## Suspected Perpetrators ### Lazarus Group Experts suspect the notorious [Lazarus Group](https://www.secureblink.com/cyber-security-news/lazarus-targets-spanish-aerospace-with-lightless-can), allegedly backed by North Korea, may be behind the attack. Known for targeting crypto exchanges and rarely returning stolen funds, the Lazarus Group's involvement underscores the severity and sophistication of the breach. Some of the previous names that Lazarus victimized severely are [CoinsPaid](https://www.secureblink.com/cyber-security-news/lazarus-heist-coins-paid-resilient-amidst-37-3-m-cryptocurrency-theft) with whooping theft of $37.3 million worth of cryptocurrency, [Atomic Wallet](https://www.secureblink.com/cyber-security-news/lazarus-group-behind-the-35-million-atomic-wallet-hack) resulted in $35 millions in cryptos, and $620 million [Axie Infinity's Ronin Network crypto hack linked to Lazarus Group](https://www.secureblink.com/cyber-security-news/540-million-axie-infinity-s-ronin-network-crypto-hack-linked-to-lazarus-group). ### Attack Vector The attack [targeted](https://www.investopedia.com/multi-signature-wallets-definition-5271193) a single multi-sig wallet on the Ethereum network. Multi-sig, short for multi-signature, is a crypto storage solution requiring multiple signatures for withdrawals. This wallet was operated via Liminal's digital asset custody and wallet infrastructure from February 2023, requiring approvals from six signatories, including five from WazirX and one from Liminal. ## Technical Aspects of the Attack ### How the Hack Was Executed Preliminary [investigations](https://wazirx.com/blog/preliminary-report-cyber-attack-on-wazirx-multisig-wallet/) suggest the attack resulted from a discrepancy between the transaction's actual contents and the data displayed on Liminal's interface. This mismatch between the signed and displayed information indicates that the payload was replaced, transferring wallet control to an attacker. Despite strong security systems, hackers managed to alter the transaction to bypass these measures. ### Attackers' Address Crypto sleuth ZachXBT [revealed](https://t.me/investigations/143) in a Telegram post that the attackers' address has over $104 million to dump. The main holdings include: - **Shiba Inu:** $100 million - **FLOKI:** $4.7 million - **Fantom:** $3.2 million - **Chainlink:** $2.8 million - **Fetch.ai:** $2.3 million The remaining funds are split among various tokens. ## Impact on WazirX and Investors ### Immediate Response In response to the attack, WazirX temporarily halted rupee and crypto withdrawals while investigations are underway. The platform is actively attempting to recover the stolen funds, though the complexity of the situation poses significant challenges. ### Investor Confidence The hack has undoubtedly shaken investor confidence, potentially having a chilling effect on the Indian crypto market. Regulatory bodies and other exchanges are likely to scrutinize the details of the attack, with stricter security protocols and regulations potentially emerging in its aftermath. ## Current Status & Recovery Efforts ### Bug Bounty Program To aid in recovering the stolen funds, WazirX has launched a bug bounty program. This initiative invites white-hat hackers and cybersecurity experts to identify vulnerabilities and assist in the recovery process. ### Liminal's Statement Liminal, the service provider for the affected multi-sig wallet, claims no breach within its system. _"We can confirm that Liminal's platform is not breached and Liminal's infrastructure, wallets, and assets continue to remain safe,"_ the company noted. ## Future Implications for the Indian Crypto Market ### Regulatory Scrutiny The incident raises questions about multi-sig security protocols and the overall robustness of crypto exchanges' security measures. As the full impact of the attack unfolds, regulatory bodies may impose stricter security protocols and regulations to prevent future breaches. ### Market Sentiment The hack's aftermath could lead to increased skepticism among investors, potentially slowing down the adoption and growth of the Indian crypto market. Exchanges will need to rebuild trust by demonstrating enhanced security measures and transparency. --- ### Links to keep an eye on at this hour! - [WazirX Blog](https://www.wazirx.com/blog) for updates. - [Web3 Security Firm Cyvers Alert](https://www.cyvers.io/) - [ZachXBT on Telegram](https://t.me/zachxbt)

loading..   22-Jul-2024
loading..   5 min read
loading..

Telegram

ZeroDay

Discover the EvilVideo zeroday flaw in Telegram for Android, its exploitation, a...

On June 6, 2024, a threat actor named 'Ancryno' began selling a Telegram zero-day exploit on the Russian-speaking XSS hacking forum. Dubbed 'EvilVideo,' this vulnerability allowed attackers to send malicious Android APK payloads disguised as video files. This [Threatfeed](https://www.secureblink.com/cyber-security-news) delves into the underlying nuances revolving around the intricacies of the EvilVideo exploit, its discovery, impact, and subsequent mitigation. --- #### Discovery and Disclosure Security researchers discovered the flaw after a Proof of Concept (PoC) demonstration was shared on a public Telegram channel. The exploit, targeting Telegram versions v10.14.4 and older, was confirmed to work by ESET. Researcher Lukas Stefanko responsibly disclosed the flaw to Telegram on June 26, 2024, and again on July 4, 2024. Telegram responded promptly, stating they were investigating the report. On July 11, 2024, they released version 10.14.5, which patched the vulnerability. This patch ended a five-week period during which threat actors could have exploited the zero-day. ![figure-2-post-on-an-underground-forum(1).png](https://sb-cms.s3.ap-south-1.amazonaws.com/figure_2_post_on_an_underground_forum_1_1d15dda10f.png) ***Snapshot of an Unground Forum's Post [ESET](https://www.welivesecurity.com/en/eset-research/cursed-tapes-exploiting-evilvideo-vulnerability-telegram-android/)*** --- #### Exploit Mechanism The EvilVideo exploit was crafted to work solely on Telegram for Android. It allowed attackers to create specially crafted APK files that appeared as embedded videos when sent to other users on Telegram. ##### Exploit Details 1. **Payload Creation:** The exploit uses the Telegram API to programmatically create a message that appears to show a 30-second video. 2. **Media Auto-Download:** On its default setting, the Telegram app automatically downloads media files. Users who have this setting enabled would receive the payload once they opened the conversation. 3. **Manual Download:** For users who have disabled auto-download, a single tap on the video preview would initiate the file download. 4. **Execution:** When users attempt to play the fake video, Telegram suggests using an external player, prompting the recipient to tap "Open" and execute the payload. 5. **Installation:** The victim must enable the installation of unknown apps from the device settings, allowing the malicious APK file to install on the device. --- #### Impact Analysis The EvilVideo exploit was significant but required multiple steps to execute, reducing the likelihood of a successful attack. Despite the threat actor's claim that the exploit was "one-click," the necessity for multiple user actions added friction to the process. ##### C2 Server and Malicious APKs ESET identified a command and control server (C2) at 'infinityhackscharan.ddns[.]net' used by the payloads. Two malicious APK files using this C2 were found on VirusTotal, masquerading as Avast Antivirus and an 'xHamster Premium Mod.' --- #### Technical Analysis ESET's analysis revealed that the exploit was most likely crafted using the Telegram API. This allowed developers to upload specifically crafted multimedia files to Telegram chats or channels programmatically. The malicious payload appeared as a 30-second video due to this API manipulation. ```python import telegram # Replace with your own token and chat ID bot = telegram.Bot(token='YOUR_BOT_TOKEN') chat_id = 'YOUR_CHAT_ID' # Craft the malicious payload payload = open('malicious_payload.apk', 'rb') bot.send_video(chat_id=chat_id, video=payload, supports_streaming=True, caption="Check out this cool video!") ``` This Python snippet demonstrates how the Telegram API can be used to send a video, which in this case, would be the malicious payload. --- #### Mitigation and Recommendations Telegram's fix in version 10.14.5 now displays the APK file correctly in the preview, preventing deception by appearing as video files. Users are advised to perform a filesystem scan using a mobile security suite if they received suspicious video files that requested an external app to play via Telegram. ##### File Locations - Internal Storage: `/storage/emulated/0/Telegram/Telegram Video/` - External Storage: `/storage/<SD Card ID>/Telegram/Telegram Video/` --- #### Indicators of Compromise (IoCs) **Files** | SHA-1 | Filename | Detection | Description | |--------------------------------------|---------------|----------------------|-------------------------| | F159886DCF9021F41EAA2B0641A758C4F0C4033D | Teating.apk | Android/Spy.SpyMax.T | EvilVideo payload | **Network** | IP | Domain | Hosting Provider | First Seen | Details | |------------------|-------------------------------|---------------------------------|--------------|----------------------------| | 183.83.172[.]232 | infinityhackscharan.ddns[.]net | Administrator Beam Cable System | 2024-07-16 | C&C server of EvilVideo | --- #### MITRE ATT&CK Techniques | Tactic | ID | Name | Description | |------------------|-------|-------------------------------|------------------------------------------------------| | Initial Access | T1664 | Exploitation for Initial Access | The EvilVideo vulnerability can be abused by Android malware to achieve initial device access. | | Execution | T1658 | Exploitation for Client Execution | The EvilVideo vulnerability tricks the victim into installing a malicious app that impersonates a multimedia file. |

loading..   22-Jul-2024
loading..   4 min read