company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

USA

Russia

Malware

loading..
loading..
loading..

US charges Russians with cyberattacks on Ukraine, French elections, Olympics

Six GRU agents were charged with carrying out cyber attacks on Ukraine's power network, 2017 French elections and 2018 Olympic games

23-Oct-2020
2 min read

Related Articles

loading..

Trojan

Malware

Phishing

Grandoreiro malware resurfaces, targeting 60+ countries and 1,500 banks with adv...

The resurgence of the Grandoreiro malware signifies a grave threat in the cybersecurity landscape. Initially disrupted by a significant law enforcement operation in January 2024, this Android banking trojan has not only returned but has evolved with enhanced features and capabilities. This [Threatfeed](https://www.secureblink.com/cyber-security-news) meticulously dissects the technical intricacies of Grandoreiro, examining its distribution, technical revamps, and implications for the cybersecurity industry. ## Background and Disruption Efforts ### Law Enforcement Crackdown In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank aimed to dismantle the Grandoreiro malware network. This malware had been active since 2017, primarily targeting Spanish-speaking countries, and was responsible for $120 million in losses. The operation led to five arrests and thirteen search and seizure actions across Brazil, although specifics about the arrested individuals' roles remain undisclosed. ### Initial Impact and Temporary Cessation The coordinated efforts temporarily disrupted Grandoreiro's operations, significantly impacting its reach and effectiveness. However, the respite was short-lived as the malware resurfaced in March 2024, indicating that key members of the operation had evaded capture. ## Technical Revamp and New Features ### Malware-as-a-Service (MaaS) Model IBM's X-Force team reported that Grandoreiro has re-emerged, likely through a Malware-as-a-Service (MaaS) model. This model enables multiple threat actors to rent the malware, broadening its scope and increasing its resilience against takedown efforts. The rental model has facilitated its spread to over 60 countries, targeting approximately 1,500 banks, including those in English-speaking countries. ### Phishing Campaigns The latest phishing campaigns are highly sophisticated. Emails impersonate government entities in Mexico, Argentina, and South Africa, using official logos and formats to lend credibility. These emails, written in the recipient's native language, prompt users to click links to view invoices or tax documents. Upon clicking, users are redirected to an image of a PDF that triggers the download of a ZIP file containing a bloated (100 MB) executable, which is the Grandoreiro loader. ### Technical Enhancements The Grandoreiro malware has undergone significant technical enhancements, making it more evasive and potent: #### Reworked String Decryption The string decryption algorithm now employs a combination of AES CBC and a custom decoder, enhancing the malware's ability to obfuscate its operations and evade detection. #### Domain Generation Algorithm (DGA) Updates to the domain generation algorithm (DGA) include multiple seeds, enabling more sophisticated command and control (C2) communications. This update allows for better separation of operator tasks, complicating detection efforts. #### Microsoft Outlook Exploitation A new mechanism targets Microsoft Outlook clients, disabling security alerts and using them to propagate phishing emails to new targets. This exploitation broadens the malware's reach and effectiveness. #### Persistence Mechanisms Grandoreiro now relies on creating registry Run keys (`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` and `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`) for persistence. This ensures the malware remains active even after system reboots. #### Expanded Targeting The malware's targeting scope has expanded to include not only banking applications but also cryptocurrency wallets. This diversification increases its potential impact. #### Command Set Expansion The command set has been expanded to include remote control, file upload/download, keylogging, and browser manipulation via JavaScript commands. This expansion provides operators with greater control and versatility. ### Victim Profiling Grandoreiro now performs detailed victim profiling to determine whether to execute on a device. This feature allows operators to selectively target victims, enhancing the malware's effectiveness and reducing the risk of detection. ### Execution Avoidance The latest version of Grandoreiro avoids execution in specific countries such as Russia, Czechia, the Netherlands, and Poland, as well as on Windows 7 machines in the United States without active antivirus. This behavior suggests a strategic approach to avoid regions with robust cybersecurity defenses or significant law enforcement scrutiny. ## Code Analysis and Snippets ### String Decryption Algorithm The updated string decryption algorithm combines AES CBC with a custom decoder. Below is a simplified code snippet illustrating this process: ```python from Crypto.Cipher import AES import base64 def decrypt_string(encrypted_string, key, iv): cipher = AES.new(key, AES.MODE_CBC, iv) decoded_data = base64.b64decode(encrypted_string) decrypted_string = cipher.decrypt(decoded_data) return decrypted_string.rstrip(b'\x00') key = b'your16bytekeyhere' iv = b'your16byteivhere' encrypted_string = 'base64_encoded_encrypted_string_here' decrypted_string = decrypt_string(encrypted_string, key, iv) print(decrypted_string) ``` ### Domain Generation Algorithm (DGA) The updated DGA employs multiple seeds to generate domain names. Here is a conceptual representation: ```python import hashlib def generate_domain(seed, counter): base_domain = 'example.com' hash_object = hashlib.md5((seed + str(counter)).encode()) subdomain = hash_object.hexdigest()[:8] return f"{subdomain}.{base_domain}" seeds = ['seed1', 'seed2', 'seed3'] counter = 1 for seed in seeds: domain = generate_domain(seed, counter) print(domain) ``` ### Persistence Mechanism The persistence mechanism leverages registry Run keys. Below is a PowerShell script example to create these keys: ```powershell New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Malware" -Value "C:\path\to\malware.exe" -PropertyType "String" -Force New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Malware" -Value "C:\path\to\malware.exe" -PropertyType "String" -Force ``` ## Implications for Cybersecurity ### Evasion and Detection The enhanced evasion techniques, such as the reworked string decryption and updated DGA, make Grandoreiro more difficult to detect and analyze. Security professionals must adopt advanced behavioral analysis and anomaly detection techniques to counter these improvements. ### Phishing and Social Engineering The sophisticated phishing campaigns highlight the importance of user education and robust email filtering solutions. Organizations must ensure that employees are trained to recognize phishing attempts and that email security systems are capable of filtering out such threats. ### Persistence and Remediation The persistence mechanisms employed by Grandoreiro underscore the need for thorough system scans and registry monitoring. Security teams must implement comprehensive remediation strategies to ensure complete removal of the malware. ### Victim Profiling and Targeting The detailed victim profiling capability allows operators to maximize their impact while minimizing risk. Security teams should focus on advanced threat detection systems that can identify and respond to such selective targeting. The resurgence of the Grandoreiro malware, enhanced with sophisticated technical features, presents a significant challenge to the cybersecurity community. Despite the recent law enforcement crackdown, the malware has not only returned but has become more formidable. This analysis underscores the need for continuous vigilance, advanced threat detection, and comprehensive user education to combat this evolving threat effectively. The technical advancements in Grandoreiro illustrate the dynamic nature of cyber threats and the necessity for adaptive and proactive cybersecurity measures.

loading..   18-May-2024
loading..   6 min read
loading..

Cryptojacking

Explore the Kinsing Hacker Group's evolving cryptojacking tactics, targeting Lin...

The cryptojacking group known as Kinsing, also referred to as H2Miner, has exhibited a remarkable ability to evolve and adapt over time. This [Threatfeed](https://www.secureblink.com/cyber-security-news) dives deep into the technical aspects and methodologies employed by Kinsing, with a particular focus on its exploitation of newly disclosed vulnerabilities to expand its botnet for cryptojacking purposes. The findings discussed herein are derived from extensive research conducted by Aqua Security, CyberArk, and TrustedSec, among others. ### Historical Context and Evolution Kinsing has been actively orchestrating illicit cryptocurrency mining campaigns since 2019. Initially documented by TrustedSec in January 2020, the group has continuously enhanced its toolkit, integrating newly discovered vulnerabilities to maintain its foothold in compromised systems. #### Early Documentation In its early days, Kinsing targeted a variety of systems using the Golang-based malware. Its campaigns have weaponized flaws in numerous platforms including: - **Apache ActiveMQ** - **Apache Log4j** - **Apache NiFi** - **Atlassian Confluence** - **Citrix** - **Liferay Portal** - **Linux** - **Openfire** - **Oracle WebLogic Server** - **SaltStack** These vulnerabilities were exploited to breach systems and enlist them in a crypto-mining botnet. ### Technical Analysis #### Attack Infrastructure Kinsing’s attack infrastructure can be categorized into three primary components: 1. **Initial Servers**: These are responsible for scanning and exploiting vulnerabilities. 2. **Download Servers**: These servers stage payloads and scripts. 3. **Command-and-Control (C2) Servers**: These maintain communication with compromised servers. The C2 servers primarily resolve to Russia, while download servers span countries like Luxembourg, Russia, the Netherlands, and Ukraine. #### Exploitation Techniques ##### Misconfigured Instances Kinsing leverages misconfigured Docker, PostgreSQL, and Redis instances to gain initial access. Upon gaining access, the malware disables security services and removes rival miners already installed on the hosts. ##### Specific Exploits Kinsing uses shell and Bash scripts to exploit Linux servers. For Windows servers, the malware utilizes PowerShell scripts. Once inside, it downloads binaries compatible with x86 or ARM architectures, depending on the system. ### Detailed Campaign Insights #### Exploitation of Vulnerabilities Kinsing has weaponized a wide array of vulnerabilities across different systems. Notable examples include: - **CVE-2019-19781**: A remote code execution vulnerability in Citrix NetScaler. - **Project India Exploit**: Used for executing commands through vulnerabilities and placing output into XML files for retrieval. ##### Example: Citrix NetScaler Vulnerability In January 2020, TrustedSec observed a compromise exploiting the Citrix NetScaler vulnerability. The attacker accessed the `smb.conf` file using a directory traversal attack, then executed a script (`ci.sh`) to maintain persistence and deploy the Monero coin miner, XMRig. ### Types of Scripts Used Kinsing deploys various scripts post-initial access to download next-stage components, eliminate competition, and evade defenses. These scripts can be categorized as: 1. **Type I and Type II Scripts**: Used to download next-stage attack components and disable security defenses. 2. **Auxiliary Scripts**: Used to exploit vulnerabilities and disable specific security components associated with cloud services. 3. **Binaries**: These include the core Kinsing malware and the crypto-miner for mining Monero. #### Example: Auxiliary Script An auxiliary script might look like the following: ### Advanced Techniques and Tools Kinsing’s campaigns also utilize rootkits to hide malicious processes, making detection and removal more challenging. The malware continuously monitors the mining process and communicates with the C2 server, performing connectivity checks and sending execution results. #### Peer-to-Peer Communications A notable advancement is the use of Peer-to-Peer (P2P) communications, as seen in the P2PInfect malware. This technique allows the malware to propagate and deliver other modules without relying on a single C2 server. ### Security Implications and Defensive Measures #### Impact on Systems Kinsing's operations target various operating systems, often by exploiting web application vulnerabilities or misconfigurations such as Docker API and Kubernetes. The widespread nature of these attacks highlights the importance of proactive security measures.

loading..   18-May-2024
loading..   4 min read
loading..

Healthcare

WebTPA's data breach affects 2.5M, exposing sensitive data. Discover the cyberse...

In December 2023, WebTPA, a Texas-based company providing health insurance and benefit plans, identified a significant data breach affecting 2.5 million individuals. The breach, which occurred between April 18 and April 23, 2023, was detected approximately eight months later. This delay highlights critical issues in cybersecurity practices and threat detection methodologies. This analysis will meticulously dissect the breach, emphasizing cybersecurity industry standards, potential vulnerabilities, and best practices for mitigating such risks. ### Breach Detection and Response Timeline WebTPA discovered the breach on December 28, 2023. The company then launched an investigation to mitigate the threat and secure their network. The breach occurred over five days in April 2023, indicating a substantial gap between the breach event and its detection. This eight-month gap raises concerns about WebTPA's network monitoring and incident response capabilities. ### Impacted Data and Potential Risks The data compromised in this breach includes: - Names - Contact information - Dates of birth - Dates of death - Social Security numbers (SSNs) - Insurance information Not every data element was present for each individual. The exposure of SSNs is particularly concerning due to the risk of identity theft. Additionally, while financial account and credit card information were not impacted, the breached data still poses significant risks for phishing attacks and fraud. ### Technical Dissection of the Breach #### Vulnerability Exploitation The breach occurred on a network server, suggesting potential vulnerabilities in server configurations, outdated software, or unpatched systems. These vulnerabilities can be exploited through various attack vectors, including: - **SQL Injection**: If the server was running web applications with vulnerable SQL queries, attackers could exploit these to access and exfiltrate data. - **Unpatched Software**: Exploits targeting known vulnerabilities in unpatched software could have provided attackers with access. - **Weak Authentication Mechanisms**: Insufficient authentication and authorization mechanisms might have allowed unauthorized access. ##### Example of SQL Injection Vulnerability: ```sql -- Vulnerable SQL Query SELECT * FROM users WHERE username = 'admin' AND password = 'password123'; -- Attacker Input Exploiting SQL Injection username = 'admin' OR '1'='1'; -- always true condition ``` #### Detection and Monitoring Deficiencies The eight-month delay in breach detection suggests inadequate network monitoring. Effective monitoring systems should detect suspicious activity in real-time, or at least within hours. Implementing robust Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems could have significantly reduced detection time. ##### Example of SIEM Rule for Detecting Unusual Login Activity: ```json { "rule": { "title": "Unusual Login Activity", "description": "Detects logins from unusual locations or IP addresses.", "condition": "WHEN login_attempt THEN CHECK user_location != usual_location", "actions": ["alert", "log"] } } ``` ### Industry Standards and Best Practices To prevent such breaches, companies must adhere to industry standards and best practices in cybersecurity. Key measures include: #### Regular Vulnerability Assessments and Penetration Testing Regularly scheduled vulnerability assessments and penetration testing help identify and remediate potential security flaws. ##### Example of Penetration Testing Script: ```bash #!/bin/bash # Simple penetration testing script using Nmap and Nikto nmap -A -T4 example.com -oN nmap_results.txt nikto -h example.com -output nikto_results.txt ``` #### Data Encryption and Access Controls Encrypting sensitive data both in transit and at rest ensures that even if data is exfiltrated, it remains unreadable. Implementing strict access controls ensures that only authorized personnel have access to sensitive information. ##### Example of Implementing AES Encryption in Python: ```python from Crypto.Cipher import AES import os def encrypt_data(data): key = os.urandom(16) # Generate a random key cipher = AES.new(key, AES.MODE_EAX) nonce = cipher.nonce ciphertext, tag = cipher.encrypt_and_digest(data.encode('utf-8')) return (key, nonce, ciphertext) def decrypt_data(key, nonce, ciphertext): cipher = AES.new(key, AES.MODE_EAX, nonce=nonce) data = cipher.decrypt(ciphertext) return data.decode('utf-8') ```

loading..   18-May-2024
loading..   3 min read