company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Twitter

Cryptocurrency

loading..
loading..
loading..

USA Cybersecurity Firm’s Twitter/X Account of Mandiant HIJACKED

Twitter/X account of cybersecurity firm & Google subsidiary Mandiant has been hijacked to impersonate Phantom crypto wallet and share a cryptocurrency scam

06-Jan-2024
4 min read

Related Articles

loading..

Vulnerability

UC Santa Cruz students uncover a critical flaw in CSC's laundry machines, allowi...

Two University of California, Santa Cruz students, Alexander Sherbrooke and Iakov Taranenko, uncovered a significant security flaw in the API of CSC ServiceWorks’ internet-connected laundry machines. This vulnerability allows unauthorized users to remotely control laundry cycles and manipulate account balances, essentially enabling free laundry. Despite multiple attempts to report the issue, CSC ServiceWorks has yet to address the problem. This [Threatfeed](https://www.secureblink.com/cyber-security-news) dissects the technical aspects of the vulnerability, its implications, and the company's response, or lack thereof. ## Exploitation of the Vulnerability ### Initial Discovery Alexander Sherbrooke discovered the flaw in January while experimenting with the CSC Go app. He executed a script from his laptop, which successfully initiated a laundry cycle without any funds in his account. This critical "oh s—" moment revealed a systemic failure in CSC's API security. ### Technical Analysis The vulnerability exists in the API utilized by the CSC Go mobile app, which facilitates communication between users' devices and CSC’s servers. Key weaknesses include: 1. **Client-Side Security Checks**: The app conducts security validations locally, trusting any input from the user's device without re-verification on the server side. 2. **Direct Command Injection**: By intercepting and analyzing network traffic, the students found they could bypass the app’s security checks and send unauthorized commands directly to CSC’s servers. ### Exploit Methodology Sherbrooke and Taranenko exploited the vulnerability by: 1. **Interception of Network Traffic**: Using tools like Wireshark, they monitored the communication between the app and the servers. 2. **Manipulation of API Requests**: They crafted API requests to alter their account balances and initiate laundry cycles without real funds. 3. **Testing with Fake Accounts**: They created accounts using non-existent email addresses, which the server accepted without verification. ### Code Snippet ```python import requests # API endpoint for starting a laundry cycle url = "https://api.cscserviceworks.com/startCycle" # Payload with the machine ID and user session token payload = { "machine_id": "123456", "session_token": "abcdefg123456", "command": "start" } # Sending the request response = requests.post(url, json=payload) # Checking the response if response.status_code == 200: print("Laundry cycle started successfully.") else: print("Failed to start laundry cycle.") ``` ## Extended Technical Analysis ### API Security Flaws 1. **Lack of Server-Side Validation**: The API fails to validate critical actions on the server side, relying solely on the client-side app for security checks. 2. **Insecure Authentication Mechanism**: The API does not verify email ownership, allowing the creation of accounts with arbitrary email addresses. 3. **Unrestricted API Access**: The API permits direct interaction with all connected laundry machines, exposing the entire network to potential abuse. ### Implications of the Vulnerability 1. **Financial Loss**: Unauthorized use of laundry services could lead to substantial revenue losses for CSC ServiceWorks. 2. **Potential for Broader Exploitation**: The vulnerability could be exploited to interfere with the operation of laundry machines on a large scale, potentially leading to service disruptions. 3. **Safety Risks**: Although not confirmed, there is a theoretical risk that malicious actors could bypass safety mechanisms, leading to overheating or other hazards. ### Recommendations 1. **Implement Server-Side Validation**: All critical operations should be verified on the server side, ensuring that commands come from authenticated and authorized sources. 2. **Secure Authentication Processes**: Introduce multi-factor authentication and ensure that account creation includes email verification. 3. **Rate Limiting and Monitoring**: Implement rate limiting on API requests and establish monitoring to detect and respond to unusual activities. ## Response from CSC ServiceWorks ### Reporting Attempts Sherbrooke and Taranenko attempted to contact CSC ServiceWorks through various channels, including the company's online contact form and phone support. They also reported the issue to the CERT Coordination Center at Carnegie Mellon University. ### CSC’s Inaction Despite these efforts, CSC ServiceWorks has not addressed the vulnerability. The company's failure to respond highlights a critical gap in their security posture and incident response processes. ### Recommendations for CSC ServiceWorks 1. **Establish a Security Response Team**: Develop a dedicated team to handle security vulnerabilities and coordinate with researchers. 2. **Create a Vulnerability Disclosure Program**: Implement a formal program for reporting and addressing security flaws. 3. **Enhance Communication Channels**: Ensure that there are clear, monitored channels for receiving and responding to security reports. The discovery of this vulnerability by Sherbrooke and Taranenko underscores the importance of robust API security practices. CSC ServiceWorks' lack of response to the reported flaw raises significant concerns about their commitment to security. It is imperative that they take immediate action to secure their systems and establish better mechanisms for handling security disclosures. This incident serves as a stark reminder of the potential risks associated with internet-connected devices and the critical need for vigilant security measures.

loading..   21-May-2024
loading..   4 min read
loading..

Cyberattack

ARRL suffers a cyberattack disrupting Logbook of the World and exposing member d...

The American Radio Relay League (ARRL), a cornerstone organization for amateur radio enthusiasts in the United States, recently encountered an alarming breach. This incident disrupted key IT systems, including the Logbook of the World (LoTW), a critical platform for amateur radio operators. This [Threatfeed](https://www.secureblink.com/cyber-security-news) will thoroughly dissect the series of events, exploring the technical intricacies of the attack. ## Background on ARRL and LoTW The ARRL serves as a national association for amateur radio in the U.S., interfacing with regulatory bodies, providing technical advice, and promoting educational programs. LoTW, an online database for logging and confirming contacts (QSOs and QSLs) between amateur radio operators, is a vital resource for the community, enabling the verification of communication for operator awards. ## How it was pulled off!!! On Thursday, ARRL announced a cyberattack that affected its network and headquarters-based systems. The disruption impacted several online services, notably LoTW and the ARRL Learning Center. The organization reassured members that they do not store credit card information or social security numbers, though personal data like names, addresses, and call signs were potentially at risk. ## Potential Attack Vectors Given the nature of the attack, several vectors could be considered: ### 1. **Phishing Attacks** Phishing remains a prevalent method for breaching networks. Attackers might have targeted ARRL staff or members with emails designed to capture credentials or install malware. ### 2. **Malware and Ransomware** The absence of a clear statement from ARRL leaves open the possibility of a ransomware attack. Malware could have been used to encrypt critical data, demanding a ransom for decryption keys. ### 3. **Exploiting Vulnerabilities** Software vulnerabilities, particularly in web applications, could have been exploited. Known vulnerabilities in database management systems or web servers might have been a target. ## Technical Dissection ### Initial Access The initial access phase is crucial in understanding the attack. Potential entry points include: - **Credential Theft**: Weak or reused passwords could have been exploited. - **Unpatched Software**: Outdated systems with known vulnerabilities. ### Persistence and Escalation Once inside, attackers typically establish persistence to maintain access: - **Backdoors**: Custom scripts or tools to ensure continued access. - **Privilege Escalation**: Exploiting vulnerabilities to gain higher privileges. ### Data Exfiltration and Impact The attackers might have sought to extract valuable data: - **Personal Information**: Names, addresses, and call signs. - **Operational Data**: Logs and QSO confirmations, crucial for amateur radio operations. ### Detection and Response ARRL's detection and response strategies are critical. Early detection could mitigate damage: - **Monitoring**: Real-time monitoring of network activity. - **Incident Response Plan**: Procedures for containing and remediating breaches. ## Cybersecurity Measures and Best Practices ### Immediate Actions - **Isolation**: Isolate affected systems to prevent further spread. - **Assessment**: Conduct a thorough assessment to understand the scope. ### Long-term Measures - **Regular Audits**: Conduct regular security audits and vulnerability assessments. - **User Training**: Educate staff and members on phishing and social engineering tactics. - **Advanced Security Tools**: Implement intrusion detection systems (IDS) and security information and event management (SIEM) solutions. ### Example: Implementing Multi-Factor Authentication (MFA) To enhance security, ARRL could implement MFA: ```python # Example Python code to demonstrate MFA setup import pyotp import qrcode # Generate a base32 secret base32secret = pyotp.random_base32() # Create a TOTP object totp = pyotp.TOTP(base32secret) # Generate a QR code for the TOTP qr = qrcode.make(totp.provisioning_uri("user@example.com", issuer_name="ARRL")) qr.show() # Verifying a TOTP code print(totp.verify('123456')) # Replace '123456' with the actual OTP ``` This code demonstrates the generation and verification of a TOTP (Time-based One-Time Password), adding an extra layer of security. ## Conclusion The ARRL cyberattack underscores the critical need for robust cybersecurity measures in organizations handling sensitive data. By examining potential vectors, technical details, and response strategies, this analysis highlights the importance of vigilance and preparedness in defending against cyber threats. Implementing best practices and advanced security measures can significantly mitigate risks and protect valuable resources like LoTW.

loading..   20-May-2024
loading..   4 min read
loading..

Trojan

Malware

Phishing

Grandoreiro malware resurfaces, targeting 60+ countries and 1,500 banks with adv...

The resurgence of the Grandoreiro malware signifies a grave threat in the cybersecurity landscape. Initially disrupted by a significant law enforcement operation in January 2024, this Android banking trojan has not only returned but has evolved with enhanced features and capabilities. This [Threatfeed](https://www.secureblink.com/cyber-security-news) meticulously dissects the technical intricacies of Grandoreiro, examining its distribution, technical revamps, and implications for the cybersecurity industry. ## Background and Disruption Efforts ### Law Enforcement Crackdown In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank aimed to dismantle the Grandoreiro malware network. This malware had been active since 2017, primarily targeting Spanish-speaking countries, and was responsible for $120 million in losses. The operation led to five arrests and thirteen search and seizure actions across Brazil, although specifics about the arrested individuals' roles remain undisclosed. ### Initial Impact and Temporary Cessation The coordinated efforts temporarily disrupted Grandoreiro's operations, significantly impacting its reach and effectiveness. However, the respite was short-lived as the malware resurfaced in March 2024, indicating that key members of the operation had evaded capture. ## Technical Revamp and New Features ### Malware-as-a-Service (MaaS) Model IBM's X-Force team reported that Grandoreiro has re-emerged, likely through a Malware-as-a-Service (MaaS) model. This model enables multiple threat actors to rent the malware, broadening its scope and increasing its resilience against takedown efforts. The rental model has facilitated its spread to over 60 countries, targeting approximately 1,500 banks, including those in English-speaking countries. ### Phishing Campaigns The latest phishing campaigns are highly sophisticated. Emails impersonate government entities in Mexico, Argentina, and South Africa, using official logos and formats to lend credibility. These emails, written in the recipient's native language, prompt users to click links to view invoices or tax documents. Upon clicking, users are redirected to an image of a PDF that triggers the download of a ZIP file containing a bloated (100 MB) executable, which is the Grandoreiro loader. ### Technical Enhancements The Grandoreiro malware has undergone significant technical enhancements, making it more evasive and potent: #### Reworked String Decryption The string decryption algorithm now employs a combination of AES CBC and a custom decoder, enhancing the malware's ability to obfuscate its operations and evade detection. #### Domain Generation Algorithm (DGA) Updates to the domain generation algorithm (DGA) include multiple seeds, enabling more sophisticated command and control (C2) communications. This update allows for better separation of operator tasks, complicating detection efforts. #### Microsoft Outlook Exploitation A new mechanism targets Microsoft Outlook clients, disabling security alerts and using them to propagate phishing emails to new targets. This exploitation broadens the malware's reach and effectiveness. #### Persistence Mechanisms Grandoreiro now relies on creating registry Run keys (`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` and `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`) for persistence. This ensures the malware remains active even after system reboots. #### Expanded Targeting The malware's targeting scope has expanded to include not only banking applications but also cryptocurrency wallets. This diversification increases its potential impact. #### Command Set Expansion The command set has been expanded to include remote control, file upload/download, keylogging, and browser manipulation via JavaScript commands. This expansion provides operators with greater control and versatility. ### Victim Profiling Grandoreiro now performs detailed victim profiling to determine whether to execute on a device. This feature allows operators to selectively target victims, enhancing the malware's effectiveness and reducing the risk of detection. ### Execution Avoidance The latest version of Grandoreiro avoids execution in specific countries such as Russia, Czechia, the Netherlands, and Poland, as well as on Windows 7 machines in the United States without active antivirus. This behavior suggests a strategic approach to avoid regions with robust cybersecurity defenses or significant law enforcement scrutiny. ## Code Analysis and Snippets ### String Decryption Algorithm The updated string decryption algorithm combines AES CBC with a custom decoder. Below is a simplified code snippet illustrating this process: ```python from Crypto.Cipher import AES import base64 def decrypt_string(encrypted_string, key, iv): cipher = AES.new(key, AES.MODE_CBC, iv) decoded_data = base64.b64decode(encrypted_string) decrypted_string = cipher.decrypt(decoded_data) return decrypted_string.rstrip(b'\x00') key = b'your16bytekeyhere' iv = b'your16byteivhere' encrypted_string = 'base64_encoded_encrypted_string_here' decrypted_string = decrypt_string(encrypted_string, key, iv) print(decrypted_string) ``` ### Domain Generation Algorithm (DGA) The updated DGA employs multiple seeds to generate domain names. Here is a conceptual representation: ```python import hashlib def generate_domain(seed, counter): base_domain = 'example.com' hash_object = hashlib.md5((seed + str(counter)).encode()) subdomain = hash_object.hexdigest()[:8] return f"{subdomain}.{base_domain}" seeds = ['seed1', 'seed2', 'seed3'] counter = 1 for seed in seeds: domain = generate_domain(seed, counter) print(domain) ``` ### Persistence Mechanism The persistence mechanism leverages registry Run keys. Below is a PowerShell script example to create these keys: ```powershell New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Malware" -Value "C:\path\to\malware.exe" -PropertyType "String" -Force New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Malware" -Value "C:\path\to\malware.exe" -PropertyType "String" -Force ``` ## Implications for Cybersecurity ### Evasion and Detection The enhanced evasion techniques, such as the reworked string decryption and updated DGA, make Grandoreiro more difficult to detect and analyze. Security professionals must adopt advanced behavioral analysis and anomaly detection techniques to counter these improvements. ### Phishing and Social Engineering The sophisticated phishing campaigns highlight the importance of user education and robust email filtering solutions. Organizations must ensure that employees are trained to recognize phishing attempts and that email security systems are capable of filtering out such threats. ### Persistence and Remediation The persistence mechanisms employed by Grandoreiro underscore the need for thorough system scans and registry monitoring. Security teams must implement comprehensive remediation strategies to ensure complete removal of the malware. ### Victim Profiling and Targeting The detailed victim profiling capability allows operators to maximize their impact while minimizing risk. Security teams should focus on advanced threat detection systems that can identify and respond to such selective targeting. The resurgence of the Grandoreiro malware, enhanced with sophisticated technical features, presents a significant challenge to the cybersecurity community. Despite the recent law enforcement crackdown, the malware has not only returned but has become more formidable. This analysis underscores the need for continuous vigilance, advanced threat detection, and comprehensive user education to combat this evolving threat effectively. The technical advancements in Grandoreiro illustrate the dynamic nature of cyber threats and the necessity for adaptive and proactive cybersecurity measures.

loading..   18-May-2024
loading..   6 min read