Twitter


Twitter Algorithm Vulnerability Allows for Coordinated Censorship

Federico Andres Lois, after analyzing Twitter's source code, which Twitter published on GitHub as part of its commitme

10-Apr-2023

3 min read

Related Articles


Android

Android software module with spyware functionality. It collects information on ...

The Android.Spy.SpinOk module is designed to engage users with mini games, tasks, and alleged prizes, but it also contains spyware functionality. When initialized, the trojan SDK connects to a command and control (C&C) server and sends a request containing technical information about the infected device. This includes data from sensors such as the gyroscope and magnetometer, which the module uses to detect emulator environments and adjust its behavior so that security researchers running it in a sandbox see nothing suspicious. The module also ignores the device's proxy settings, hiding its network connections from interception during analysis. In response, it receives a list of URLs from the server, which are opened in a WebView to display advertising banners. Additionally, the trojan SDK expands the capabilities of the JavaScript code executed on the loaded ad pages. It allows the module's operators

30-May-2023

1 min read

DLL

Lazarus

Web Server

Learn about the Lazarus hacking group and their exploits on vulnerable Windows I...

North Korean state-backed hackers known as the Lazarus Group have resurfaced, targeting vulnerable Windows Internet Information Services (IIS) web servers to gain unauthorized access. The development, confirmed by ASEC, shows how web servers running outdated software are exploited with whatever vulnerability fits the installed version in order to plant a web shell or execute malicious commands[1](https://asec.ahnlab.com/en/53132); in this case the target was Windows IIS. In this [Threatfeed](https://www.secureblink.com/cyber-security-news), we delve into the details of the Lazarus Group's activities and tactics, the implications for web server security, and effective countermeasures against such threats.

## Lazarus Group: A State-Backed Hacker Collective

The infamous [Lazarus Group](https://www.secureblink.com/cyber-security-news/updated-d-track-backdoor-involved-in-new-wave-of-attacks-by-lazarus) has long been associated with cyberattacks on various sectors, including finance, government, and critical infrastructure. This state-sponsored group is known for its advanced tactics and persistent campaigns. With an extensive arsenal of malware and sophisticated techniques, it has wreaked havoc on numerous organizations worldwide.

## Targeting Windows IIS Web Servers: A New Focus

Recent [reports](https://asec.ahnlab.com/en/39828/) reveal a shift in the Lazarus Group's tactics toward vulnerable Windows IIS web servers. These servers, widely used to host websites and web applications, are prime targets because they are prevalent and directly exposed to the Internet.

![1-2.png](https://sb-cms.s3.ap-south-1.amazonaws.com/1_2_d06e05aee3.png)

***Lazarus Group's Server Exploitation***

In an earlier report on the "Praying Mantis" APT, researchers [revealed](https://www.secureblink.com/cyber-security-news/microsoft-iis-servers-actively-targeted-by-a-new-apt-group-dubbed-as-praying-mantis-with-asp.net-exploits) that attackers had been planting malware on IIS servers to discreetly execute commands on compromised systems through ordinary web requests, bypassing detection by security tools. By compromising such servers, the Lazarus Group gains an initial foothold from which it can launch further attacks and move into an organization's internal network.

## Implications for Web Server Security

The targeting of Windows IIS web servers by the Lazarus Group raises serious concerns. Organizations relying on these servers must be vigilant and take immediate steps to bolster their defenses. Failure to do so can result in data breaches, financial losses, reputational damage, and loss of customer trust.

### Vulnerabilities Exploited by the Lazarus Group

ASEC does not attribute the intrusions to a single CVE; it describes the attackers using an exploit suited to whatever vulnerable IIS version they encountered. A representative example of the class of flaw involved is CVE-2021-31166, a remote code execution vulnerability in the HTTP Protocol Stack (http.sys), the kernel-mode driver that parses requests on behalf of IIS. Left unpatched, flaws of this kind provide the entry point the Lazarus Group needs to plant a web shell or run commands on the targeted server.

### Consequences of a Successful Attack

Once the Lazarus Group gains access to a Windows IIS web server, it can exploit it for various malicious purposes, including:

1. **Data Theft:** Sensitive information, such as customer data, financial records, or intellectual property, may be stolen and used for nefarious purposes.
2. **Disruption of Services:** The attackers may disrupt the normal functioning of the web server, leading to downtime, loss of business, and inconvenience to users.
3. **Propagation of Malware:** Compromised web servers can be used as distribution points for malware, infecting visitors to the websites hosted on them.
4. **Espionage and Surveillance:** The Lazarus Group's activities may extend beyond financial gain to targeted surveillance and espionage.

## Protecting Against Lazarus Group Attacks

To mitigate the risks of Lazarus Group attacks on Windows IIS web servers, organizations should implement robust security measures. Here are some essential steps:

### 1. Regular Patching and Updates

Maintain a proactive approach to patch management. Stay informed about the latest security updates for Windows and IIS and promptly apply patches for known vulnerabilities. Regularly update server software, frameworks, and applications to protect against newly discovered vulnerabilities.

### 2. Harden Server Configuration

Implement secure configurations for Windows IIS servers, following industry best practices and guidelines. Disable unnecessary services and features, limit user privileges, and enforce strong password policies. Regularly review and update security settings as threats and recommendations evolve.

### 3. Network Segmentation

Isolate web servers from critical internal systems through network segmentation. By compartmentalizing the network, organizations limit the potential impact of a compromised web server and hinder lateral movement by attackers.

### 4. Intrusion Detection and Prevention Systems (IDPS)

Deploy IDPS solutions capable of detecting and blocking suspicious activity. These systems monitor network traffic and identify potential intrusions or malicious behavior. Configure alerts and response mechanisms to address detected threats swiftly.

### 5. Web Application Firewalls (WAF)

Implement a WAF to provide an additional layer of protection for web applications hosted on Windows IIS servers. WAFs can detect and block common web-based attacks, such as SQL injection, cross-site scripting (XSS), and remote file inclusion (RFI).

### 6. Security Awareness and Training

Educate employees about the risks of cyberattacks, including the phishing and social engineering techniques used by the Lazarus Group. Conduct regular security awareness training to reinforce good practices and encourage a culture of vigilance within the organization.

## Response

The Lazarus Group has employed various attack vectors to initiate its breaches, including [Log4Shell](https://www.secureblink.com/cyber-security-news/multiple-log4j-cves-resulted-in-dos-and-sensitive-data-exfiltration), a public certificate vulnerability, and the [3CX supply chain attack](https://www.secureblink.com/cyber-security-news/lazarus-group-backdoors-3-cx-customers-with-gopuram-malware-1). The group is known for its highly dangerous activities and actively launches attacks globally. Corporate security managers should therefore adopt attack surface management techniques to identify vulnerable assets and apply the latest security patches as promptly as possible. Specifically, because the group relies primarily on DLL side-loading for its initial infiltrations, companies should monitor for abnormal process execution relationships, such as a legitimate executable loading a DLL from a directory it does not normally run in. By doing so, they can detect suspicious activity early and stop the group before it moves on to information exfiltration and lateral movement.

## File Detection

– Trojan/Win.LazarLoader.C5427612 (2023.05.15.02)
– Trojan/Win.LazarLoader.C5427613 (2023.05.15.03)

## IoCs

[DLL Side-loading File Path]

– C:\ProgramData\USOShared\Wordconv.exe
– C:\ProgramData\USOShared\msvcr100.dll

## MD5

– e501bb6762c14baafadbde8b0c04bbd6: diagn.dll
– 228732b45ed1ca3cda2b2721f5f5667c: msvcr100.dll
– 47d380dd587db977bf6458ec767fee3d: ? (variant of msvcr100.dll)
– 4d91cd34a9aae8f2d88e0f77e812cef7: cylvc.dll (variant of msvcr100.dll)
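The IoCs above translate directly into a host sweep. The following is an added example written for this page, not ASEC's or SecureBlink's code: it walks a directory tree, flags any file whose Windows path or MD5 matches the published indicators, and applies a generic side-loading heuristic, namely a copy of a well-known runtime DLL such as msvcr100.dll sitting outside the Windows system directories in a folder that also holds an executable to act as the loading host. The heuristic and the list of DLL names are assumptions generalized from the Wordconv.exe/msvcr100.dll pairing, and the windows_root parameter is an addition that lets the scanner run against a mounted image or a test directory while still comparing against Windows-style paths.

```python
# Added example (not ASEC's or SecureBlink's code): sweep a directory tree for the
# Lazarus DLL side-loading IoCs published above and for the side-loading pattern itself.
import hashlib
import os

# MD5 IoCs from the article, mapped to the file name each was observed under.
IOC_MD5 = {
    "e501bb6762c14baafadbde8b0c04bbd6": "diagn.dll",
    "228732b45ed1ca3cda2b2721f5f5667c": "msvcr100.dll",
    "47d380dd587db977bf6458ec767fee3d": "msvcr100.dll variant",
    "4d91cd34a9aae8f2d88e0f77e812cef7": "cylvc.dll",
}

# File path IoCs from the article (the side-loading host and its DLL).
IOC_PATHS = {
    r"C:\ProgramData\USOShared\Wordconv.exe",
    r"C:\ProgramData\USOShared\msvcr100.dll",
}

# Assumption: runtime/system DLL names commonly abused for side-loading. A copy of one
# of these outside the Windows system directories, next to an .exe, is suspicious.
SIDELOAD_DLL_NAMES = {"msvcr100.dll", "msvcp100.dll", "version.dll", "dbghelp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def md5_of(path):
    """Stream the file through MD5 so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def logical_windows_path(root, path, windows_root):
    """Map a scanned path to the Windows path it represents (root -> windows_root)."""
    rel = os.path.relpath(path, root)
    base = windows_root.rstrip("\\")
    return base if rel == "." else base + "\\" + rel.replace(os.sep, "\\")


def is_system_dir(win_dir):
    d = win_dir.lower()
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def scan_tree(root, windows_root, ioc_md5=IOC_MD5, ioc_paths=IOC_PATHS):
    """Return (reason, windows_path) findings for every file under root.

    root is the directory actually being read (a live volume or a mounted image);
    windows_root is the Windows path that directory corresponds to, e.g. C:\\ProgramData.
    """
    ioc_paths_lc = {p.lower() for p in ioc_paths}
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        win_dir = logical_windows_path(root, dirpath, windows_root)
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for name in files:
            win_path = win_dir + "\\" + name
            if win_path.lower() in ioc_paths_lc:
                findings.append(("ioc_path", win_path))
            # Side-loading heuristic: a known runtime DLL name in a non-system directory
            # that also contains an executable able to act as the loading host.
            if name.lower() in SIDELOAD_DLL_NAMES and has_exe and not is_system_dir(win_dir):
                findings.append(("possible_dll_sideload", win_path))
            try:
                digest = md5_of(os.path.join(dirpath, name))
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in ioc_md5:
                findings.append(("ioc_md5:" + ioc_md5[digest], win_path))
    return findings


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else r"C:\ProgramData"
    win_root = sys.argv[2] if len(sys.argv) > 2 else scan_root
    for reason, path in scan_tree(scan_root, win_root):
        print(f"{reason:<28} {path}")
```

Hashing every file is the expensive part of the sweep; on a large volume, run it against the directories that matter (ProgramData, user-writable paths, web roots) rather than the whole disk. A hit on the heuristic alone is not proof of compromise, since some legitimate installers do ship their own msvcr100.dll, so confirm it with the hash list, the file's signature status, and the process that loaded it.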

29-May-2023

6 min read

Server

Emby

Hack

Emby takes swift action against recent server hacks. Learn about the vulnerabili...

Emby, a renowned media server platform, recently responded swiftly to an outbreak of hacks targeting a subset of user-hosted media server instances. The compromise combined a known vulnerability with insecure admin account configurations. To safeguard users, Emby remotely shut down the affected servers as a precautionary measure.

## Detection and Response to Malicious Plugin Installation

Upon detecting a malicious plugin on the compromised systems, Emby acted promptly. The company informed administrators of the affected servers through log file entries, explaining that the shutdown had been implemented to mitigate the risk to them.

## Exploitation and Proxy Header Vulnerability

The attacks began in mid-May 2023, when threat actors targeted Emby servers exposed to the Internet whose admin accounts were configured to allow login without a password from the local network. To make their Internet-originated requests count as local and so bypass that LAN-only restriction, the attackers leveraged a flaw referred to as the "proxy header vulnerability". Emby had acknowledged this vulnerability since February 2020 and had addressed it in recent patches available in the beta channel.

## Installation of a Malicious Plugin and Emby's Mitigation Measures

After gaining access, the threat actors installed a malicious plugin on the compromised Emby instances, designed to harvest the credentials of users signing into those servers. Having analyzed the plugin and evaluated mitigation strategies, the Emby team developed and deployed an update to Emby Server instances that detects the malicious plugin and prevents it from loading, neutralizing its impact.
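The article does not spell out how the "proxy header vulnerability" worked, but the name and the effect it describes (an Internet request treated as if it came from the LAN) match a well-known bug class: deciding a client's network location from a proxy header that the client itself can set. The following is an added example, not Emby's code, that models that class with a vulnerable and a hardened client-address resolver. It assumes the header is X-Forwarded-For, that the policy is "admin login needs no password when the client is on the LAN", and that 10.0.0.2 is the site's own reverse proxy; none of these specifics come from the article.

```python
# Added example (not Emby's code): the class of bug behind a "proxy header
# vulnerability", shown as a vulnerable and a hardened client-address resolver.
# Assumptions: the header is X-Forwarded-For and the policy is "admin login needs
# no password when the client is on the LAN"; the article names neither.
import ipaddress

# Explicit definition of "the LAN": RFC 1918, loopback and link-local ranges. This is
# deliberately not ipaddress's is_private, which also treats documentation ranges such
# as 203.0.113.0/24 (used for the sample Internet peer below) as private.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_local_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def client_ip_vulnerable(peer_ip, headers, trusted_proxies=frozenset()):
    """Trusts X-Forwarded-For from any peer. An Internet client only has to send
    'X-Forwarded-For: 192.168.1.10' to be treated as a LAN device."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(peer_ip, headers, trusted_proxies=frozenset()):
    """Honours X-Forwarded-For only when the TCP peer is a configured reverse proxy,
    and then only the address that proxy appended (the right-most entry); anything
    further left was supplied by the client and is untrusted."""
    xff = headers.get("X-Forwarded-For")
    if xff and peer_ip in trusted_proxies:
        return xff.split(",")[-1].strip()
    return peer_ip


def admin_login_allowed(client_ip, password_ok, passwordless_on_lan):
    """The policy the attackers abused: a correct password always works, and a LAN
    client may skip the password if the admin account is configured that way."""
    if password_ok:
        return True
    return passwordless_on_lan and is_local_address(client_ip)


# Constructed request: an Internet peer (TEST-NET-3) claiming to be a LAN host.
INTERNET_PEER = "203.0.113.7"
SPOOFED_HEADERS = {"X-Forwarded-For": "192.168.1.10"}
TRUSTED_PROXIES = frozenset({"10.0.0.2"})  # the site's own reverse proxy (assumed)


def demo():
    """Run the spoofed, password-less request through both resolvers."""
    vuln_ip = client_ip_vulnerable(INTERNET_PEER, SPOOFED_HEADERS, TRUSTED_PROXIES)
    hard_ip = client_ip_hardened(INTERNET_PEER, SPOOFED_HEADERS, TRUSTED_PROXIES)
    return {
        "vulnerable": admin_login_allowed(vuln_ip, False, True),
        "hardened": admin_login_allowed(hard_ip, False, True),
        # Removing the configuration the article calls insecure (passwordless admin
        # login on the LAN) makes the header irrelevant regardless of the resolver.
        "hardened_no_lan_bypass": admin_login_allowed(hard_ip, False, False),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:<24} passwordless admin login granted: {granted}")
```

The hardened resolver still depends on the reverse proxy overwriting, not merely appending to, any X-Forwarded-For the client sent; if the proxy cannot be configured that way, take the right-most entry as shown and never the left-most. The two-line policy change in the last key of demo() is the stronger fix, since a locality check that is never consulted cannot be spoofed.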
## Precautionary Shutdown for Disabling the Malicious Plugin

Given the severity of the situation, Emby opted to shut down the affected servers as a precaution. This disabled the malicious plugin, prevented any immediate escalation of the compromise, and ensured that server administrators noticed and addressed the issue promptly.

## Recommendations for Server Administrators

To counter the threat and restore server functionality, Emby advises administrators to take the following steps:

1. **Removal of Malicious Files**: Delete the malicious "helper.dll" or "EmbyHelper.dll" files from the plugins folder in the Emby Server data folder, as well as from its cache and data subfolders.
2. **Blocking Access to Malware**: Add a hosts file entry that points the malware's command domain at the loopback address, "127.0.0.1 emmm.spxaebjhxtmddsri.xyz" (address first, then hostname, as the hosts file format requires), so that the plugin can no longer reach the attackers' server.
3. **Server Review**: Review compromised servers for recent changes, including suspicious user accounts, unknown processes, unknown network connections and open ports, SSH configurations, and firewall rules. Change all passwords as well.

## Emby's Security Update and Ongoing Investigations

Emby plans to release a security update, Emby Server 4.7.12, to fix the vulnerability and reinforce the platform's defenses against similar threats. While Emby has not disclosed the exact number of impacted servers, a recent community post by Emby developer softworkz hinted at the successful takedown of a botnet composed of approximately 1,200 hacked Emby Servers. Further details are expected soon. Emby remains committed to maintaining a secure and reliable media server platform and encourages users to stay vigilant as more information becomes available.

27-May-2023

3 min read