
XLoader

Checkpoint

Windows


XLoader, a recently emerged malware strain, steals login credentials from Windows and macOS systems

Windows and macOS systems are being targeted by a recently developed malware dubbed XLoader. The cross-platform botnet is capable of stealing login credentials in s...

22-Jul-2021
3 min read

Related Articles

macOS

BlueNoroff

BlueNoroff APT group targets macOS with fake crypto news and novel persistence, ...

In recent years, the cybersecurity community has observed a surge in state-sponsored attacks on the financial sector, particularly on cryptocurrency enterprises. The BlueNoroff APT group, a subdivision of North Korea's Lazarus Group, has been at the forefront of these activities. BlueNoroff has developed macOS malware that uses fake cryptocurrency news as a lure and employs a novel persistence mechanism to maintain long-term access. This technical report analyses BlueNoroff's recent campaigns up to October 2023: their tactics, techniques, and procedures (TTPs), the malware's architecture, and recommendations for mitigation.

---

## Campaign Overview

### Background

Active since at least 2016, BlueNoroff has primarily targeted financial institutions and cryptocurrency exchanges. Their operations are financially motivated, aiming to circumvent international sanctions by stealing funds to support North Korea's economic objectives.

### Recent Activities

BlueNoroff has intensified its efforts against macOS, reflecting the growing use of Apple devices in corporate settings. Notable campaigns include:

- **RustBucket Campaign (April 2023):** Multi-stage malware written in Rust, targeting macOS users and establishing backdoors for executing arbitrary code.
- **KandyKorn Malware (May 2023):** Focused on blockchain engineers, delivering malware designed for persistent system access.

---

## Infection Vector

### Phishing Emails Leveraging Fake Cryptocurrency News

The primary infection method is a phishing email containing a link to a malicious application disguised as a PDF document about cryptocurrency trends.

- **Email Characteristics:**
  - **Sender Impersonation:** Often uses the names of reputable individuals in the crypto industry, or in unrelated fields, to appear credible.
  - **Subject Matter:** Topics such as "Hidden Risks Behind New Surge of Bitcoin Price" or "Altcoin Season 2.0: The Hidden Gems to Watch."
  - **Attachments:** Instead of PDFs, the attachments are macOS application bundles posing as documents.

### Execution Flow

1. **Email Delivery:** The target receives a phishing email with a link to a supposed PDF document.
2. **Malicious Application Download:** Clicking the link downloads a macOS application bundle with a misleading name and icon.
3. **Decoy Document Display:** On execution, the application opens a legitimate-looking PDF to avoid suspicion.
4. **Background Malware Installation:** Concurrently, the application downloads and executes the next-stage payload.

---

## Technical Analysis

### Stage 1: The Dropper Application

- **Implementation:** Written in Swift, designed to appear as a legitimate document viewer.
- **Code Signing:** Often signed with valid Apple Developer IDs so that the bundle passes Gatekeeper checks. These IDs may be acquired fraudulently.
- **Execution Details:**
  - **Decoy Presentation:** Downloads a benign PDF from a remote server and opens it with the default PDF viewer.
  - **Payload Retrieval:** Fetches the second-stage malware from a hard-coded URL over plain HTTP; the bundle's `Info.plist` carries an exception so that macOS permits the insecure connection.
- **Bypassing Security Measures:**
  - **App Transport Security Exception:** The `Info.plist` is modified (an `NSAppTransportSecurity` / `NSExceptionDomains` entry) to allow insecure HTTP connections to specific domains.
  - **Universal Binary:** Compiled for both Intel and Apple Silicon to maximise compatibility.

### Stage 2: The Backdoor Payload

- **File Details:**
  - **Name:** `growth`
  - **Architecture:** x86_64 only, so it requires Rosetta 2 on Apple Silicon Macs.
  - **Language:** Written in C++, with functionality favoured over stealth.
- **Functionalities:**
  - **Persistence Installation:** Installs a novel persistence mechanism via the `~/.zshenv` file.
  - **System Reconnaissance:** Collects OS version, hardware model, and process lists.
  - **Unique Identifier Generation:** Creates a random UUID to identify the infected machine.
- **C2 Communication:**
  - **Protocol:** HTTP POST requests to the command-and-control server.
  - **Data Transmission:** Sends the collected data and waits for commands.
  - **Command Execution:** Processes C2 responses to execute arbitrary commands or download additional payloads.
- **Code Characteristics:**
  - **Minimal Obfuscation:** Relies on deception (decoy document, legitimate-looking signature) rather than heavy code obfuscation.
  - **Persistence Logic:** Encapsulated in dedicated functions for installing and verifying the persistence mechanism.

### Novel Persistence Mechanism: Abusing `~/.zshenv`

- **Mechanism Details:**
  - **File Modification:** The malware appends its launch commands to `~/.zshenv`.
  - **Execution Scope:** `~/.zshenv` is sourced by every Zsh invocation, interactive or not, so the payload runs whenever a shell starts, which happens during many ordinary system and application activities.
- **Advantages Over Traditional Methods:**
  - **Stealth:** Does not trigger the Login Items / background items notifications introduced in macOS Ventura, so the user sees nothing.
  - **Reliability:** Executes consistently without LaunchAgents or LaunchDaemons, which are more likely to be monitored or removed.
- **Persistence Installation Function:**
  - **Verification:** Checks for a marker file (e.g., `.zsh_init_success`) to avoid installing twice.
  - **Implementation:** Uses shell commands embedded in the malware to modify `~/.zshenv`.

---

## Network Infrastructure Analysis

### Command and Control Servers

- **Domain Mimicry:** Domains are crafted to resemble legitimate cryptocurrency or financial services (e.g., `delphidigital[.]org`, `arkinvst[.]com`).
- **Hosting Providers:** Services known for lax enforcement host the malicious domains and servers.
- **SSL Certificates:** Self-signed certificates may be reused across multiple domains, which aids attribution.

### Communication Protocols

- **HTTP POST Requests:** Standard HTTP so the traffic blends in with normal browsing.
- **Custom User-Agent Strings:** Unique or spoofed User-Agent strings to evade signature-based detection.

### Infrastructure Linkage

- **WHOIS Data and Registrar Patterns:** Consistent use of certain registrars and overlapping registration details.
- **Shared Resources:** Reuse of IP addresses and hosting services across campaigns.

---

## Attribution to BlueNoroff

Attribution rests on several factors:

- **Tactics, Techniques, and Procedures (TTPs):**
  - **Malware Similarities:** Overlaps in code structure and functionality with previous BlueNoroff malware.
  - **Persistence Methods:** The `~/.zshenv` technique fits the group's history of abusing macOS features.
- **Infrastructure Connections:**
  - **Domain Themes:** Consistent focus on cryptocurrency and financial entities.
  - **Technical Overlaps:** IP addresses and SSL certificates shared with known BlueNoroff infrastructure.
- **Historical Context:**
  - **Financial Motive:** Consistent with North Korea's use of cyber operations for economic gain.
  - **Prior Campaigns:** Continues methods seen in AppleJeus and earlier RustBucket incidents.

---

## Mitigation Strategies

### User Awareness and Training

- **Phishing Education:** Regular training to recognise and report suspicious emails, especially those on financial topics.
- **Policy Enforcement:** Strict policies on opening email attachments and running downloaded files.

### Technical Controls

- **Endpoint Protection:**
  - **Anti-Malware Solutions:** Deploy security software that blocks known samples and flags suspicious behaviour.
  - **Application Whitelisting:** Restrict execution to approved applications so unauthorised code cannot run.
- **System Monitoring:**
  - **File Integrity Monitoring:** Watch for changes to `~/.zshenv` (and the other Zsh startup files) and to system binaries.
  - **Process Monitoring:** Alert on unexpected processes or scripts, in particular shells or downloaders spawned by a document-viewer application.
- **Network Security:**
  - **Firewall Rules:** Block IP addresses and domains associated with BlueNoroff.
  - **Network Traffic Analysis:** Inspect outbound traffic for anomalies such as unusual HTTP POST requests or plain-HTTP downloads of executables.

### Incident Response Preparedness

- **Response Planning:** Develop and regularly update incident response plans for malware infections.
- **Backup and Recovery:** Maintain regular backups so critical systems and data can be restored after a compromise.
- **Threat Intelligence Integration:** Consume up-to-date threat intelligence feeds to track emerging threats.

---

## Conclusion

The BlueNoroff APT group's ongoing targeting of macOS systems in the cryptocurrency sector shows how state-sponsored actors keep adapting. Their methods, such as abusing `~/.zshenv` for persistence and using convincing phishing lures, underline the need for vigilance and robust controls. Organisations in the financial and cryptocurrency industries must combine user education, technical defences, and proactive monitoring to mitigate the risk posed by such threats.

---

## Indicators of Compromise (IOCs)

### File Hashes (SHA-1)

- **Dropper Applications:**
  - `3f17c5a7d1e7fd138163d8039e614b8a967a56cb`
  - `e5d97afa5f1501b3d5ec1a471dc8a3b8e2a84fdb`
- **Backdoor Payload:**
  - `7e07765bf8ee2d0b2233039623016d6dfb610a6d`

### Malicious Domains

- `delphidigital[.]org`
- `matuaner[.]com`
- `arkinvst[.]com`
- `solanalab[.]org`
- `zoom-client[.]com`
- Additional domains listed in the campaign's indicators.

### IP Addresses

- `23.254.253[.]75`
- `45.61.135[.]105`
- `172.86.108[.]47`
- `216.107.136[.]10`
- Additional IPs associated with the C2 infrastructure.

---

## References

- **SentinelLabs Report on Hidden Risk Campaign:** [Link to Original Report](https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/)
- **ESET Research on RustBucket Malware:** [ESET Blog](https://www.welivesecurity.com/)
- **Apple Documentation on Zsh Startup Files:** [Apple Support](https://support.apple.com/en-us/HT208050)
- **MITRE ATT&CK Framework - Lazarus Group:** [MITRE ATT&CK](https://attack.mitre.org/groups/G0032/)

---

**Disclaimer:** This document is based on information available up to October 2023. Subsequent developments may not be reflected.
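The two host-side checks recommended above, inspecting a bundle's `Info.plist` for an App Transport Security exception and watching `~/.zshenv` for appended launch commands, can be scripted. The block below is an added example written for this page; it is not code from the original report or from SentinelLabs. The plist, the `.zshenv` content, the domain `example-c2.invalid` and the path `~/Library/Caches/.growth` are constructed for illustration (the ATS key names are Apple's, the marker file name `.zsh_init_success` is the one the report gives), and the detection rules are this example's own, not a published signature.

```python
"""Triage helpers for two BlueNoroff behaviours: the App Transport Security
(ATS) exception planted in a dropper's Info.plist, and launch commands
appended to ~/.zshenv for persistence. Added example; sample data is
constructed and the rules are illustrative."""
import plistlib
import re
from pathlib import Path

# Constructed Info.plist: an ATS exception that permits plain-HTTP loads to one
# domain. The domain is invented; the keys are the real ATS keys.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Hidden Risk Behind New Surge of Bitcoin Price</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>example-c2.invalid</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed ~/.zshenv: one benign user line, then an appended launcher of the
# kind the report describes (marker name from the report, binary path invented).
SAMPLE_ZSHENV = """export PATH="$HOME/bin:$PATH"
if [ ! -f "$HOME/.zsh_init_success" ]; then
  nohup "$HOME/Library/Caches/.growth" >/dev/null 2>&1 &
fi
"""


def ats_exceptions(plist_bytes: bytes) -> list:
    """Domains for which the bundle may use plain HTTP. '*' means
    NSAllowsArbitraryLoads switched ATS off for every host."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    found = ["*"] if ats.get("NSAllowsArbitraryLoads") else []
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            found.append(domain)
    return found


# Behaviour a shell environment file has no business having: (pattern, reason).
SUSPICIOUS = [
    (re.compile(r"\bnohup\b|&\s*$"), "command backgrounded at shell start"),
    (re.compile(r"\b(?:curl|wget)\b"), "network download from a startup file"),
    (re.compile(r"\bbase64\b.*(?:-d\b|--decode)"), "encoded payload decoded inline"),
    (re.compile(r"/tmp/|\$TMPDIR|/Library/Caches/"), "execution from a temp or cache path"),
    (re.compile(r"\.zsh_init_success"), "marker file named in the BlueNoroff report"),
    (re.compile(r"\b(?:osascript|python3?|perl) +-[ce]\b"), "inline script execution"),
]


def scan_zshenv(text: str) -> list:
    """Return [{'line': n, 'text': ..., 'reasons': [...]}] for every
    non-comment line that matches at least one rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = [why for pat, why in SUSPICIOUS if pat.search(line)]
        if reasons:
            hits.append({"line": n, "text": stripped, "reasons": reasons})
    return hits


# ~/.zshenv is the one sourced by every zsh; the others only by some sessions.
ZSH_STARTUP_FILES = (".zshenv", ".zprofile", ".zshrc", ".zlogin")


def scan_home(home: Path) -> dict:
    """Scan each Zsh startup file in `home` and report the marker file."""
    report = {}
    for name in ZSH_STARTUP_FILES:
        path = home / name
        if path.is_file():
            hits = scan_zshenv(path.read_text(errors="replace"))
            if hits:
                report[name] = hits
    if (home / ".zsh_init_success").exists():
        report[".zsh_init_success"] = [{"line": 0, "text": "", "reasons": ["marker file present"]}]
    return report


if __name__ == "__main__":
    print("ATS exceptions in sample plist:", ats_exceptions(SAMPLE_INFO_PLIST))
    for hit in scan_zshenv(SAMPLE_ZSHENV):
        print(f"sample .zshenv line {hit['line']}: {hit['text']!r} -> {', '.join(hit['reasons'])}")
    for name, hits in scan_home(Path.home()).items():  # the real home directory
        print(f"{name}: {hits}")
```

Run it as a one-off on a suspect Mac, or feed `scan_zshenv` the file content your FIM tool captures on change. The hidden-binary rule is deliberately narrow (temp and cache directories only) because a `.zshenv` that references dotfiles such as `~/.cargo/env` is common and benign; extend `SUSPICIOUS` to match your own baseline rather than loosening the existing patterns.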

09-Nov-2024
7 min read

Source Code

SONARQUBE

Nokia source code breach exposes millions in stolen data, highlighting critical ...

Nokia, the telecommunications giant known for its pivotal role in global communications, finds itself at the centre of a potential data breach with ramifications for the entire sector. Third-party breaches are responsible for over 63% of all data incidents, with an average financial loss of $4.29 million per incident, which makes it imperative for companies like Nokia to strengthen vendor risk management. In an era where cyberattacks have surged by over 300% globally, even industry titans are not immune to the weaknesses introduced through third-party collaborations.

A hacker using the handle IntelBroker claims to have stolen Nokia source code from a third-party contractor's server. The claim has put the Finnish conglomerate on high alert and prompted an urgent investigation into its validity and the potential impact on Nokia's digital infrastructure.

### **Third-Party Breach and Vendor Risks: Managing Vendor Security in Cybersecurity**

According to reports, Nokia suspects that the breach may have occurred via a third-party vendor who worked directly with the company's development team. _“Nokia is aware of reports that an unauthorized actor has alleged to have gained access to certain third-party contractor data and possibly data of Nokia,”_ the company told BleepingComputer. _“Nokia takes this allegation seriously, and we are investigating. To date, our investigation has found no evidence that any of our systems or data have been impacted. We continue to closely monitor the situation.”_

This cautious response follows a claim by IntelBroker, a threat actor previously implicated in other intrusions, who says they are selling a _“large collection of Nokia source code”_ extracted from a third-party contractor's server. The situation underscores a recurring problem: access granted to third parties leaves even large corporations dependent on their partners' security practices. The [2020 SolarWinds](https://www.secureblink.com/cyber-security-news/40-plus-victims-of-the-solarwinds-hack-identified-by-microsoft) supply chain attack, in which compromised third-party software led to breaches at several high-profile organizations, is the best-known example.

### **Stolen Nokia Source Code and IntelBroker's Troubling Past: The Impact on Cybersecurity**

IntelBroker's description of the stolen data is particularly concerning: it allegedly includes SSH keys, source code, RSA keys, BitBucket logins, SMTP accounts, webhooks, and hard-coded credentials. Material of that kind is not only intellectual property. Keys and credentials can be replayed against the systems they unlock, so one breach can cascade into the partners and services connected to the victim, causing service disruptions, financial losses, and long-term reputational damage across multiple stakeholders. The effects of the Nokia breach could therefore extend well beyond immediate losses and weaken the trust on which industry partnerships depend.

The hacker claims to have gained access through the third-party vendor's SonarQube server, which reportedly still used default login credentials. That matters more than it might seem: a SonarQube instance keeps the source it analyses so that findings can be viewed, and is commonly configured with tokens for its SCM and DevOps-platform integrations, so a default admin password on it exposes far more than one application. According to one recent study, over 30% of data breaches involve default credentials, which shows how widespread and how preventable this oversight is. The data reportedly stolen also includes Python project files linked to Nokia's development efforts, suggesting a targeted effort to obtain valuable intellectual property rather than an opportunistic grab. When asked by BleepingComputer to confirm the authenticity of a file tree representing the stolen data, Nokia declined to respond immediately.

### **A Hacker's History: IntelBroker's High-Profile Breaches and Nokia's Cybersecurity Fallout**

IntelBroker has already left a trail of disruption that should warn every organization about the consequences of a breach like Nokia's: loss of intellectual property, weakened customer trust, and significant financial repercussions. The hacker is linked to numerous incidents, including breaches of [DC Health Link](https://www.secureblink.com/cyber-security-news/fbi-probing-170-000-dc-health-link-data-breach-in-u-s-house-members), the health care plan administrator for U.S. House members and their families, and attacks on [Hewlett Packard Enterprise (HPE)](https://www.secureblink.com/cyber-security-news/critical-hp-printers-vulnerability-leaked-sensitive-many-data) and the [Weee!](https://www.secureblink.com/cyber-security-news/weee-grocery-confirms-data-breach-exposing-1-1-million-customer-records) grocery service. More recently, IntelBroker leaked data from companies such as [Facebook](https://www.secureblink.com/cyber-security-news/200-000-facebook-marketplace-records-leaked-claims-intel-broker), [GE's pipelines](https://www.secureblink.com/cyber-security-news/intel-broker-offers-ge-s-pipelines-for-500-amid-cyberattack-probe), [T-Mobile](https://www.secureblink.com/cyber-security-news/second-t-mobile-data-breach-of-2023-attackers-access-info-of-hundreds), [AMD](https://www.secureblink.com/cyber-security-news/sink-close-a-high-severity-amd-cpu-vulnerability-enables-undetectable-malware), and [Apple](https://www.secureblink.com/cyber-security-news/apple-addresses-newly-disclosed-zero-day-in-multiple-older-i-os-devices), all of it stolen from a third-party SaaS vendor.

What distinguishes IntelBroker is not only the scale of the attacks but the choice of targets: neglected points of entry such as third-party vendors and weak security practices, which keeps the debate about the weakest link in the chain alive. To mitigate these risks, companies should enforce stricter vendor security requirements, such as multi-factor authentication, regular penetration testing, and compliance with standards like ISO 27001. Guidance from NIST or CISA can further strengthen vendor relationships and overall resilience. The implications of exposed source code are serious: adversaries can mine it for vulnerabilities, reverse-engineer proprietary systems, or use embedded credentials to reach network infrastructure, threatening Nokia's reputation and its client networks.

### **Nokia on High Alert: Vendor Risks and Industry-Wide Cybersecurity Reassessment**

This incident once again spotlights the security pitfalls of external vendors and the shared weaknesses they introduce. Cybersecurity is much like a fortified wall, only as strong as its most fragile brick; in this instance, Nokia's defenses may have been undermined by a third-party vendor's insufficient security measures. Nokia's acknowledgment of a potential breach, even with no confirmed compromise of its own data so far, raises questions about the accountability of third-party partners for airtight security standards. Businesses rely on a broad ecosystem of vendors, partners, and third-party services, which makes vendor management a core part of enterprise security.

Companies will be watching how Nokia handles this crisis, not just for a resolution but for signs of stronger protocols. Beyond contractual obligations, companies should require robust, verifiable security practices from their vendors: regular security audits, strong encryption standards for data at rest and in transit, zero-trust network architectures, close monitoring of access privileges, and compliance with certifications like ISO 27001. Such practices build a more resilient digital infrastructure, and they matter most after incidents like this one, where a third-party weakness led to a significant exposure. The fallout may reshape how the tech industry approaches third-party relationships, pushing everyone from startups to giants like Nokia to think harder about the defenses of their extended digital ecosystem.

### **Summary: Nokia Source Code Breach and Its Cybersecurity Impact**

Nokia faces a potential data breach after a hacker known as IntelBroker claimed to have stolen Nokia source code via a third-party contractor. The incident highlights the risks in vendor relationships and the need for resilience across the digital ecosystem. As Nokia continues to investigate and monitor the situation, the alleged breach pushes the industry to reconsider its approach to cybersecurity rigor: enhanced vendor scrutiny, proactive security measures, and holistic supply-chain audits may become essential to preventing similar incidents.
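Two of the failures described above are cheap to check for yourself: a SonarQube server still accepting its factory-default admin login, and source or configuration files that carry the kinds of secrets IntelBroker claims were in the stolen tree (private keys, BitBucket URLs with embedded credentials, SMTP passwords). The block below is an added example written for this page, not code from Nokia, SonarSource or the reporting. It assumes SonarQube's documented `POST /api/authentication/login` endpoint and its shipped `admin`/`admin` account; the HTTP transport is injectable so the probe can be exercised offline, the secret patterns are this example's own rules, and the sample settings file, its host `smtp.example.invalid` and its repository URL are constructed.

```python
"""Vendor-hygiene checks prompted by the Nokia case: probe a SonarQube instance
for default admin credentials, and scan source files for embedded secrets.
Added example; the endpoint and default account are SonarQube's, the
transport is injectable for offline use, and the sample file is constructed."""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/api/authentication/login"   # SonarQube web API, form-encoded POST
DEFAULT_CREDS = [("admin", "admin")]       # shipped default, meant to be changed at first login


def http_post_status(url: str, body: bytes) -> int:
    """Real transport: POST the form body and return the HTTP status
    (SonarQube answers 200 on a successful login and 401 otherwise)."""
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def sonarqube_default_creds(base_url: str, post=http_post_status) -> list:
    """Return the default credential pairs the server still accepts.
    An empty list is the answer you want."""
    accepted = []
    for user, password in DEFAULT_CREDS:
        body = urllib.parse.urlencode({"login": user, "password": password}).encode()
        if post(base_url.rstrip("/") + LOGIN_PATH, body) == 200:
            accepted.append((user, password))
    return accepted


# Secret patterns: this example's rules, not a published ruleset.
SECRET_PATTERNS = [
    ("private key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("git URL with embedded credential",
     re.compile(r"https?://[^\s/:@\"']+:[^\s/@\"']+@(?:bitbucket\.org|github\.com|gitlab\.com)")),
    ("webhook URL", re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+")),
    ("hard-coded password or token",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token|api_key)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]


def scan_for_secrets(text: str, path: str = "<memory>") -> list:
    """Return [{'path', 'line', 'kind'}] for every line matching a pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append({"path": path, "line": lineno, "kind": kind})
    return hits


# Constructed settings file of the sort such a leak would expose.
SAMPLE_SOURCE = '''import smtplib
SMTP_HOST = "smtp.example.invalid"
SMTP_PASSWORD = "Winter2024!"
REPO = "https://deploy:s3cr3tT0k3n@bitbucket.org/acme/firmware.git"
DEPLOY_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----"""
'''

if __name__ == "__main__":
    # Usage: python3 vendor_checks.py [http://sonarqube:9000] [file ...]
    args = sys.argv[1:]
    if args and args[0].startswith("http"):
        print("default credentials accepted:", sonarqube_default_creds(args.pop(0)))
    for name in args or ["<sample>"]:
        text = SAMPLE_SOURCE if name == "<sample>" else open(name, errors="replace").read()
        for hit in scan_for_secrets(text, name):
            print(f"{hit['path']}:{hit['line']}: {hit['kind']}")
```

Run the credential probe only against instances you own or are authorised to test, and treat a non-empty result as an incident, not a finding: anyone on the network already has administrator access to every project the server analyses. The secret scan is a pre-commit or pre-handover gate, so tune its patterns to the token formats your own vendors and platforms issue.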

07-Nov-2024
9 min read

JIRA

Schneider Electric faces a 40GB data breach, exposing isolated system vulnerabil...

[Schneider Electric](https://www.secureblink.com/cyber-security-news/1-5-tb-allegedly-stolen-from-schneider-electric-by-cactus-ransomware) has confirmed a security breach of its internal developer platform in which more than 40GB of sensitive data was taken from its Jira server. The breach was claimed by a threat actor known as "Grep," who publicly [mocked](https://x.com/grepcn/status/1853089027777261941) Schneider on X (formerly Twitter). The stolen dataset reportedly includes over 400,000 rows, comprising 75,000 unique email addresses, employee names, project data, and critical infrastructure details.

The attack used exposed credentials to log in to Schneider Electric's isolated Jira server. Once in, the attacker used the MiniOrange REST API, a third-party plugin, to scrape user information in bulk; the plugin's API was not protected well enough to stop an authenticated account from enumerating users at volume. The incident exposes a weakness of environments treated as secure because of reduced network reachability: isolation says nothing about credential hygiene, or about the authentication, authorization and rate limiting of the APIs exposed inside the boundary.

### Exploit Analysis & Threat Actor Profile

Grep is affiliated with a newly formed hacking group calling itself the International Contract Agency (ICA), after the fictional organization in the game *Hitman: Codename 47*. ICA uses a non-traditional extortion model: rather than demanding a ransom from the victim, it threatens to leak the data if the company fails to acknowledge the breach within 48 hours. In Schneider's case, Grep demanded $125,000 in "Baguettes," a sarcastic nod to Schneider's French origins, while stating that the demand was not a serious financial one but a way to force public awareness of the incident.

The compromised data includes project issues, plugins, and a large volume of employee and customer personal details. The target was an "isolated" server that Schneider assumed to be inherently more secure. That assumption appears to have bred complacency in credential management, and Grep's scraping of 40GB from it shows that the weakest link, often human error, remains an entry point regardless of how the system boundary is drawn.

### Detailed Technical Response & Analysis

Following the breach, Schneider Electric mobilized its Global Incident Response team and stated that its products and services were not directly impacted. That statement does not address deeper concerns about Schneider's systemic security posture: earlier in the year, Schneider's Sustainability Business division fell victim to a [Cactus ransomware attack](https://www.secureblink.com/cyber-security-news/1-5-tb-allegedly-stolen-from-schneider-electric-by-cactus-ransomware), during which the attackers claimed to have extracted terabytes of proprietary data.

The implications of recurring incidents are serious. Schneider Electric's energy management and industrial automation products underpin critical infrastructure worldwide, and a compromise of its systems, particularly of employee identities and project data, gives attackers material for follow-on phishing and supply-chain intrusions against that infrastructure, with potentially national and global consequences. The attack path argues for layered controls that do not rely on network isolation alone: strong credential policies, thorough monitoring, and encryption inside the boundary.

ICA's decision to disclose breaches only when they go unacknowledged also forces a rethink of incident management. By compelling companies to respond publicly, ICA controls the timeline and transparency of disclosure. Schneider's acknowledgment within the 48-hour window prevented immediate data exposure, but the incident underlines the need for proactive measures rather than reactive containment.

### Evolving Cyber Threats and the Importance of Robust Technical Controls

The breach is a lesson in assuming that a breach will eventually happen, even in environments that look secure. Credential management must come first: least-privilege access, rotation of passwords and service credentials, and MFA that is enforced on API access as well as on the interactive login, since REST endpoints authenticated with a password or token otherwise sidestep it and are exactly what automated scraping uses. Third-party components such as the MiniOrange REST API add attack surface and need code review, penetration testing, and a security assessment before they are deployed on a system holding sensitive data. API security matters as much: rate limiting, proper authentication and authorization on every endpoint, and audit logging of all access points, especially on systems interfacing with critical internal infrastructure.

Organizations in essential services must move from passive controls to an actively engaged, proactive model. Threat actors like Grep are evolving, using data not only for immediate financial gain but to pressure organizations publicly into acknowledging weaknesses. Sophisticated defense therefore involves advanced threat intelligence, real-time threat hunting, and granular access control.

The human factor remains a significant vulnerability. Employee training on security basics, including managing personal credentials, identifying phishing attempts, and understanding data sensitivity, must form the foundation of any corporate security strategy; without it, gaps appear that adversaries like ICA can exploit.
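The rate-limiting and audit-logging controls recommended above are only useful if someone looks at the logs, and the Schneider pattern (one authenticated client walking user and project endpoints at volume) is visible in an ordinary web-server access log. The block below is an added example written for this page, not Schneider's or Atlassian's code. The log lines are constructed in Apache combined format with documentation-range addresses, the endpoint list covers core Jira Server/Data Center REST paths (the paths of any third-party REST plugin you run, such as the MiniOrange one named above, would need to be added; none are assumed here), and the 60-second window and threshold of 5 are assumptions to tune against your own baseline.

```python
"""Spot bulk user enumeration against a Jira REST API in the access log.
Added example; log lines are constructed and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Core Jira endpoints that return user or project details in bulk.
SENSITIVE_PREFIXES = ("/rest/api/2/user", "/rest/api/2/project", "/rest/api/2/search")

# Constructed log: a normal user (alice) and a service account walking the
# user search endpoint letter by letter. Names and addresses are invented.
SAMPLE_LOG = """\
198.51.100.5 - alice [04/Nov/2024:09:12:01 +0000] "GET /rest/api/2/issue/SE-1042 HTTP/1.1" 200 2311
203.0.113.7 - svc_mfa [04/Nov/2024:09:12:03 +0000] "GET /rest/api/2/user/search?username=a HTTP/1.1" 200 18834
203.0.113.7 - svc_mfa [04/Nov/2024:09:12:04 +0000] "GET /rest/api/2/user/search?username=b HTTP/1.1" 200 17210
203.0.113.7 - svc_mfa [04/Nov/2024:09:12:05 +0000] "GET /rest/api/2/user/search?username=c HTTP/1.1" 200 19002
203.0.113.7 - svc_mfa [04/Nov/2024:09:12:06 +0000] "GET /rest/api/2/user/search?username=d HTTP/1.1" 200 16655
203.0.113.7 - svc_mfa [04/Nov/2024:09:12:07 +0000] "GET /rest/api/2/user/search?username=e HTTP/1.1" 200 18120
203.0.113.7 - svc_mfa [04/Nov/2024:09:12:08 +0000] "GET /rest/api/2/project HTTP/1.1" 200 40331
198.51.100.5 - alice [04/Nov/2024:09:13:40 +0000] "GET /rest/api/2/user?username=bob HTTP/1.1" 200 612
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scrapers(lines, window=timedelta(seconds=60), threshold=5) -> dict:
    """Per client (source IP plus authenticated user), count successful
    requests to sensitive endpoints in a sliding time window. Clients whose
    busiest window reaches `threshold` are returned with that window's stats."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if rec["path"].split("?", 1)[0].startswith(SENSITIVE_PREFIXES):
            per_client[f"{rec['ip']} ({rec['user']})"].append(rec)

    flagged = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1          # slide the window forward
            count = end - start + 1
            if count >= threshold and (best is None or count > best["hits"]):
                best = {
                    "hits": count,
                    "distinct_targets": len({r["path"] for r in recs[start:end + 1]}),
                    "first": recs[start]["ts"],
                    "last": recs[end]["ts"],
                }
        if best:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, stats in find_scrapers(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {stats['hits']} sensitive requests, "
              f"{stats['distinct_targets']} distinct targets, "
              f"{stats['first']:%H:%M:%S} to {stats['last']:%H:%M:%S}")
```

Keying on the authenticated user as well as the IP is what makes this useful for the Schneider scenario: a stolen credential used from a single address looks like one very busy account, which is the thing a per-IP rate limit alone would not report. Count only 200 responses so that a blocked or throttled client does not inflate its own score; failed logins belong to a separate brute-force detector.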

05-Nov-2024
5 min read