The Russian-language malware primarily enlists computers to mine Monero, but theoretically it can do worse.

Source: Artimages via Alamy Stock Photo

An 8-year-old modular botnet is still kicking, spreading a cryptojacker and Web shell on machines spread across multiple continents.

"Prometei" was first discovered in 2020, but later evidence suggested that it's been in the wild since at least 2016. In those intervening years it spread to more than 10,000 computers globally, in countries as diverse as Brazil, Indonesia, Turkey, and Germany, whose Federal Office for Information Security categorizes it as a medium-impact threat.

"Prometei's reach is global due to its focus on widely used software vulnerabilities," explains Callie Guenther, senior manager of cyber-threat research at Critical Start. "The botnet spreads through weak configurations and unpatched systems, targeting regions with inadequate cybersecurity practices. Botnets like Prometei typically do not discriminate by region but seek maximum impact by exploiting systemic weaknesses. \[In this case\], organizations using unpatched or poorly configured Exchange servers are particularly at risk."

Trend Micro details what a Prometei attack looks like: clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in a variety of different services and systems, and focused on cryptojacking but capable of more.

**Loud Entry Into Unloved Systems**

Don't expect an initial Prometei infection to be terribly sophisticated.

The case Trend Micro observed began with a number of failed network login attempts from two IP addresses appearing to come from Cape Town, South Africa, which aligned closely with known Prometei infrastructure.

After its first successful login into a machine, the malware went to work testing out a variety of outdated vulnerabilities that might still be lingering in its target's environment. For example, it uses the half-decade old "BlueKeep" bug in the Remote Desktop Protocol (RDP) — rated a "critical" 9.8 out of 10 in the Common Vulnerability Scoring System — to try and achieve remote code execution (RCE). It uses the even older EternalBlue vulnerability to propagate via Server Message Block (SMB). On Windows systems, it tries the 3-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which have "high" 7.8 CVSS ratings.

Exploiting such old vulnerabilities could be read as lazy. In another light, it's an effective approach to weeding out better-equipped systems belonging to more active organizations.

"Prime targets are those systems that have not been or cannot be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes," Mayuresh Dani, manager of security research at Qualys, points out. "The malware authors want to go after easy pickings, and in today's connected world, I consider this intelligent, as if they know that their targets will be plagued by multiple security issues."

**Prometei's Fire**

Once Prometei gets to where it wants to go, it has some neat tricks for achieving its ends. It uses a domain generation algorithm (DGA) to harden its command-and-control (C2) infrastructure, enabling it to continue operating even if victims try blocking one or more of its domains. It manipulates targeted systems to allow its traffic through firewalls, and runs itself automatically upon system reboots.

One particularly useful Prometei command evokes the WDigest authentication protocol, which stores passwords in plaintext in memory. WDigest is typically disabled in modern Windows systems, so Prometei forces those plaintext passwords, which it then dumps into a dynamic link library (DLL). Then, another Prometei command configures Windows Defender to ignore that particular DLL, allowing those passwords to be exfiltrated without raising any red flags.

The most obvious purpose of a Prometei infection appears to be cryptojacking — using infected machines to help mine the ultra-anonymous Monero cryptocurrency without their owners' knowing it. Beyond that, though, it downloads and configures an Apache Web server that serves as a persistent Web shell. The Web shell allows attackers to upload more malicious files and execute arbitrary commands.

As Stephen Hilt, senior threat researcher at Trend Micro, points out, botnet infections are often associated with other kinds of attacks as well.

"I always look at the cryptomining groups being a canary in the coal mine — it's an indicator that there's probably more going on in your system," he says. "If you look at our 2021 blog, there was LemonDuck, a ransomware group, and \[Prometei\] all within the same machines."

**Russia Links**

There is one specific part of the globe that Prometei does not touch.

The botnet's Tor-based C2 server is made to specifically avoid certain exit nodes in some former Soviet countries. To further ensure the safety of Russian-language targets, it possesses a credential-stealing component that deliberately avoids affecting any accounts labeled "Guest" or "Other user" in Russian.

Older variants of the malware contained bits of Russian-language settings and language code, and the name "Prometei" is a translation of "Prometheus" in various Slavic languages. In the famous myth, Zeus programs an eagle to attack Prometheus' liver every day, only for the liver to persist through reboots each night.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Prometei' Botnet Spreads Its Cryptojacker Worldwide

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no…

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no financial details were exposed, users are advised to change passwords and stay alert for phishing attacks.

The hacker, known as “Shooked,” leaked the personal details of over 180,000 Esport North Africa (ESNA) users just one day before the tournament is set to begin in Morocco. The 3 GB data dump, which Shooked claims is the “full database,” was released on **Breach Forums** on the morning of Wednesday, October 23, 2024. The ESNA tournament is scheduled to start on Thursday, October 24th.

Screenshot from the targeted site

For context, Esport North Africa (ESNA – Electronic Sports North Africa) is a platform designed to promote competitive gaming and esports development across the North African region. It organizes tournaments in popular games such as FC25, Free Fire, Street Fighter 6, and other competitive titles, providing opportunities for gamers to showcase their skills.

The leaked data was analyzed by the Hackread.com research team and contains over 9 million lines. However, after the removal of duplicate entries, the total number of unique user records stands at 180,000. This data includes the following information:

*   **User ID**
*   **Country**
*   **Usernames**
*   **IP addresses**
*   **Timestamp**
*   **Session ID**
*   **WordPress URLs**
*   **Email addresses (179,224)**

and other details…

Hacker on Breach Forum and sample data (Screenshot: Hackread.com)

While the leaked data does not include passwords or financial details, the breach appears legitimate. However, final confirmation is pending a response from the organization, which Hackread.com has reached out to for comment.

Cyberattacks on gaming companies and gamers are not new, as they are often lucrative targets for criminals. Last year, Akamai’s research revealed how hackers used **the Dark Frost Botnet** to target gaming companies and players, compromising devices to execute DDoS attacks.

If you have an account on ESNA (ESNA.GG), it’s recommended to change your password as a precaution. Additionally, be cautious of potential phishing emails from cybercriminals posing as Esport North Africa representatives, attempting to **exploit the breach**.

**RELATED ARTICLES**

1.  **Online gaming and protection against cyber attacks**
2.  **RapperBot malware hits gaming servers with DDoS attacks**
3.  **Gaming Giant Activision Employees Hit by SMS Phishing Attack**
4.  **Gaming controllers manufacturer exposed 1.1M customer records**
5.  **How data collected in gaming can be used to breach user privacy**

Hackers Leak 180,000 Esport North Africa User Records a Day Before Tournament Begins

Despite a law enforcement sweep last May, the sophisticated downloader malware is re-emerging.

Source: Antony Cooper via Alamy Stock Photo

Just a few months after Europol launched a full-scale disruption effort against malware botnets, one of its primary targets — a downloader malware called Bumblebee — seems to have staged a revival.

The sophisticated piece of malware has been widely used by cybercriminals to break into corporate networks, and its effectiveness is precisely what drew law enforcement's attention. In May, Europol launched full-scale takedowns of a variety of botnets, including IcedID, Trickbot, Smokeloader, SystemBC and Pickabot, as well as Bumblebee. The multipronged effort, dubbed Operation Endgame, was a splashy and highly publicized action to hunt down and stop cybercriminals hiding in their jurisdiction.

In addition to May's botnet bust-up, Operation Endgame added eight Russian nationals to Europe's list of most wanted fugitives for their alleged roles as developers of the Emotet botnet. By mid-June, Operation Endgame made an arrest: a 28-year-old Ukrainian man accused of working as a developer for Russian ransomware groups Conti and LockBit.

**Bumblebee Takes Flight Again**

The botnet was first identified and named by the Google Threat Analysis Group in March 2022. Since its takedown in May, there hadn't been any sign of Bumblebee, until now. Researchers at Netskope found a new instance of Bumblebee being used in combination with a payload not typically associated with the botnet, indicating this is a new iteration of the malware downloader.

Related:Dark Reading News Desk Live From Black Hat USA 2024

"The infection chain used to deliver the final payload is not new, but this is the first time we have seen it being used by Bumblebee," the Netskope researchers wrote in a recent blog post. "These activities might indicate the resurfacing of Bumblebee in the threat landscape."

Its re-emergence would hardly come as a surprise. Other valuable botnet strains like Emotet have likewise risen from the dead. Though disrupted for a time by law enforcement in 2021, Emotet returned with a vengeance and new functionality.

Bumblebee is known for spreading through a variety of methods, including phishing, malicious advertising, and SEO poisoning, explains Patrick Tiquet, vice president of security and architecture for Keeper Security.

And Bumblebee's latest attack chain is even more difficult for defenders to spot than previous versions, according to Tamir Passi, senior product director at DoControl. "What makes this version particularly concerning is its sophistication," Passi says. "Instead of the noisy, obvious attacks we've seen before, it's using a stealthier approach that makes it harder to detect. The attackers are leveraging legitimate tools like MSI installers — it's basically hiding in plain sight."

Related:Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

Scarier still is what happens after Bumblebee gets inside a corporate network, he adds.

"But here's the real kicker — this isn't just about compromising individual machines," Passi says. "Once attackers gain access, they can potentially harvest credentials and access all sorts of corporate resources, including SaaS applications. Think about it — one successful phishing email could lead to widespread access across your entire cloud environment."

With stakes that high, cybersecurity teams need to rely on a healthy combination of user awareness training, a zero-trust cybersecurity model, strong password security, and more, Tiquet advises.

Law enforcement organizations will continue to do what they can to tamp down the effectiveness of large cybercrime operations, but along with enterprise cybersecurity teams, they are up against formidable, highly motivated adversaries.

"The re-emergence of Bumblebee after Operation Endgame demonstrates the adaptability of the group believed to be responsible for its development," says Callie Guenther, senior manager of cyber-threat research at Critical Start. "Despite law enforcement efforts to disrupt their activities, the actors quickly reintroduced Bumblebee, indicating well-prepared contingency plans."

Related:Anonymous Sudan Unmasked as Leader Faces Life in Prison

Bumblebee Malware Is Buzzing Back to Life

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

GoDaddy flagged a ClickFix campaign that infected 6,000 sites in a one-day period, with attackers using stolen admin credentials to distribute malware.

Source: Primakov via Shutterstock

Threat actors have taken a campaign that uses fake browser updates to spread malware to a new level, weaponizing scores of WordPress plug-ins to deliver malicious infostealing payloads, after using stolen credentials to log in to and infect thousands of websites.

Domain registrar GoDaddy is warning that a new variant of malware disguised as a fake browser update known as ClickFix infected more than 6,000 WordPress sites in a one-day period from Sept. 2 to Sept. 3.

Threat actors used stolen WordPress admin credentials to infect compromised websites with malicious plug-ins as part of an attack chain unrelated "to any known vulnerabilities in the WordPress ecosystem," GoDaddy principal security engineer Denis Sinegubko wrote in a recent blog post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators, but contain embedded malicious scripts that deliver fake browser update prompts to end users," he wrote.

The campaign leverages fake WordPress plug-ins that inject JavaScript leading to ClickFix fake browser updates, which use blockchain and smart contracts to obtain and deliver malicious payloads. Attackers use social engineering strategies to trick users into thinking they are updating their browser, but instead they are executing malicious code, "ultimately compromising their systems with various types of malware and information stealers," Sinegubko explained.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

**Related, Yet Separate Campaigns**

It should be mentioned that ClearFake, widely identified in April, is another fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript. Initially it targeted Windows systems, but later spread to macOS as well.

Researchers have linked ClickFix to ClearFake, but the campaigns as described by various analysts have numerous differences and are likely separate activity clusters. GoDaddy claims to have been tracking ClickFix malware campaign since August 2023, spotting it on more than 25,000 compromised sites worldwide. Other analysts at Proofpoint detailed ClickFix for the first time earlier this year.

The new ClickFix variant as described by GoDaddy is spreading fake browser update malware via bogus WordPress plug-ins with generic names such as "Advanced User Manager" and "Quick Cache Cleaner," according to the post.

"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end users," Sinegubko wrote.

Related:Bad Actors Manipulate Red-Team Tools to Evade Detection

All information in the plug-in metadata is fake, including the plug-in name, URL, description, version, and author, but appears plausible at first glance and wouldn't raise suspicion immediately, according to GoDaddy.

**Automation Used to Scale Campaign**

Further analysis detected automation in the naming convention of the plug-ins, with researchers noting a JavaScript file naming pattern consisting of the first letter of each word in the plug-in name, appended with "-script.js."

For example, the Advanced User Manager plug-in contains the aum-script.js file, according to the researchers, who used this naming convention to detect other malicious plug-ins related to the campaign, such as Easy Themes Manager, Content Blocker, and Custom CSS Injector.

The plug-in and author URIs also frequently reference GitHub, but analysis showed that repositories associated with the plug-in don't actually exist. Moreover, the GitHub usernames followed a systematic naming convention linked to the plug-in names, which "indicates an automated process behind the creation of these malicious plugins," Sinegubko wrote.

Indeed, the researchers eventually discovered that the plug-ins are systematically generated using a common template, allowing "threat actors to rapidly produce a large number of plausible plugin names, complete with metadata and embedded code designed to inject JavaScript files into WordPress pages," Sinegubko wrote. This allowed attackers to scale their malicious operations and add an additional layer of complexity for detection.

Related:The Lingering 'Beige Desktop' Paradox

**Credential Theft as Initial Entry?**

GoDaddy isn't clear on how attackers acquired WordPress admin credentials to initiate the latest ClickFix campaign, but it noted that potential vectors include brute-force attacks and phishing campaigns aimed at acquiring legitimate passwords and usernames. 

Moreover, as the payloads of the campaign itself are the installation of various infostealers on compromised end-user systems, it's possible that the threat actors are collecting admin credentials in this way, Sinegubko observed.

"When talking about infostealers, many people think about bank credentials, crypto-wallets and other things of this nature, but many stealers can collect information and credentials from a much wider range of programs," he noted.

Another possible scenario is that the residential IP addresses from which the fake plug-ins were installed could belong to a botnet of infected computers that the attackers use as proxies to hack websites, according to GoDaddy.

Because the campaign includes the theft of legitimate credentials to log in to WordPress sites, people are urged to follow general best practices for protecting their passwords as well as avoid interacting with any unknown websites or messages that ask them to divulge private credentials.

GoDaddy also included a long list of indicators of compromise (IoCs) for the campaign — including names of plug-ins and malicious JavaScript files, endpoints to which smart contracts in the campaign connect, and associated GitHub accounts — in the blog post, so defenders can identify if a website has been compromised.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Swarms of Fake WordPress Plug-ins Infect Sites With Infostealers

Russia-linked hackers have taken aim at Japan, following its ramping up of military exercises with regional allies and the increase of its defense budget.

Source: StudioProX via Shutterstock

Two Russian hacking groups leveled distributed denial-of-service (DDoS) attacks at Japanese logistics and shipbuilding firms — as well as government and political organizations — in what experts believe are attempts to pressure the Japanese government. The attacks came after lawmakers boosted the nation's defense budget, and its military conducted exercises with regional allies.

The two pro-Russian cyberthreat groups — NoName057(16) and the Russian Cyber Army Team — started attacking Japanese targets on Oct. 14, with more than half of the attacks targeting logistics, shipbuilding, and manufacturing firms, according to network-monitoring firm Netscout. The groups, especially NoName057(16), have made a name for themselves by attacking Ukrainian and European targets following Russia's invasion of Ukraine.

In the latest spate of attacks, the groups targeted Japanese industry and government agencies after the Ministry of Foreign Affairs of the Russian Federation expressed concern over the ramp-up of Japan's military, says Richard Hummel, director of threat intelligence for Netscout.

"Japan had their elections last week, and the leader that took over is no fan of Russia and, in fact, has been very vocal about supporting Ukraine and sending aid," he says. "Japan is also working with the US military on joint exercises and ballistics missiles testing — these are the \[regional events\] that NoName057 will go after."

Related:Hong Kong Crime Ring Swindles Victims Out of $46M

With geopolitical rivalries with China and Russia heating up, Japan is in the midst of its largest military buildup since World War II. In December 2022, the nation unveiled a five-year $320 billion plan that includes long-range cruise missiles that could hit targets in China, North Korea, and Russia. The move marked a significant shift away from Japan's self-defense-only policy, with the government continuing the move by increasing military spending by 16% this year.

On Oct. 17, Japan's Deputy Chief Cabinet Secretary Kazuhiko Aoki said the government is investigating the DDoS attacks.

More than half of the attacks targeted the logistics and manufacturing sector, while nearly a third targeted government agencies and political organizations in Japan, Netscout stated in its analysis.

The Russian group "has leveraged every attack capability of the DDoSia botnet, employing a wide range of direct-path attack vectors against multiple targets," the analysis stated. "As of this writing, approximately 40 targeted Japanese domains have been identified. On average, each domain is hit by three attack waves, utilizing four distinct DDoS attack vectors, utilizing approximately 30 different attack configurations to maximize attack impact."

Related:Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

**Hacktivists and the Resurgence of DDoS**

The attacks mark the latest shift in DDoS attacks. In the past, 85% to 90% of such attacks originated in the gaming world, with players targeting other players, Netscout's Hummel says. Over the past few years, while many hacktivism attacks amounted to little more than PR stunts, cybercriminals have increasingly used DDoS attacks to cause outages in business operations to support a cause or monetize a botnet — sometimes, both.

US authorities recently charged two Sudanese brothers — 22-year-old Ahmed Salah Yousif Omer and 27-year-old Alaa Salah Yusuuf Omer — following more than 35,000 DDoS attacks during the past 18 months, which targeted government agencies, a major Los Angeles-area hospital, and technology companies. The US Department of Justice charged one of the two brothers with three counts of damage to a protected computer, and the indictment included his message taking credit for "any damage to the hospital ... and their health systems + any collateral damage," according to a federal indictment.

The impact of a DDoS attack on the ability of connected medical devices to operate means that increasingly they will have physical impacts, Hummel says.

Related:DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

The brother was "charged with essentially attempted murder, because they were taking down hospital infrastructure where people needed life-saving technology," he says. "If the Internet goes down, then \[these connected medical devices\] stop functioning, they stop checking in."

**Definitively Russian? Nyet**

Both NoName057 and the Russian Cyber Army Team obviously pursue priorities expressed by the Russian government, but that does not necessarily mean they are a military or intelligence agency operation, Hummel says.

Overall, the groups have claimed 60 attacks against 19 different targets in the weeks following the criticism of Japan's accelerated military buildup by Russia's Minister of Foreign Affairs. In a Telegram post, NoName057(16) confirmed the link.

"Particular discontent was caused by the participation of non-regional NATO member countries in the maneuvers, which, in Russia's opinion, increases the threat and is unacceptable," they stated in the Telegram post (machine translated from Russian). "We punish Russophobic Japan and remind you that any measures directed against Russia may end badly."

The groups' attacks against Japan match with previous targeting against any critic of Russia or its strategy, Hummel says.

"I can't say definitively if they are part of the Russian government ... or if any agency is giving them direct instructions," he says. "What I can tell you is that all of the targeting is against groups that are anti-Russia or anti-Muslim. And oftentimes, it's usually going to be in that political sphere when people are vocal about their support of anybody against Russia."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia-Linked Hackers Attack Japan's Govt, Ports

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS.…

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS. This botnet, which utilizes Mirai botnet source code and advanced techniques, poses a growing and global threat.

NSFOCUS Global Threat Hunting System has detected a new cybersecurity threat: The Gorilla Botnet. In September 2024, this botnet launched a massive series of distributed denial-of-service attacks (DDoS attacks), targeting over 300,000 targets in over 100 countries.

According to NSFOCUS, a renowned Chinese company specializing in application security, Gorilla Botnet is inspired by the infamous **Mirai botnet** and has become a major concern due to its wide reach and stealth capabilities. Gorilla Botnetleverages a network of compromised IoT devices like an army to launch large-scale DDoS attacks. These attacks flood targeted systems with traffic, crippling their access to users.

What makes Gorilla Botnet particularly dangerous is its use of encryption to obscure key data, ensuring long-term control over compromised devices and supporting various CPU architectures, making it compatible with a wide range of devices.

Gorilla Botnet uses a distributed C&C network to manage its operations and offers a variety of DDoS attack methods, including UDP Flood, ACK Bypass Flood, and VSE Flood. Additionally, it utilizes connectionless protocols like UDP to spoof IP addresses and further hide its origin.  

****Global Reach and Impact****

Since September 2024, when its activity was first detected, Gorilla has wasted no time making its mark. In just a month, the botnet unleashed over 300,000 attack commands, averaging a whopping 20,000 per day.

This series of attacks targeted over 100 countries, including economic powerhouses like:

*   **China**
*   **Canada**
*   **Germany**
*   **United States**

Additionally, critical infrastructure including universities, government websites, telecoms, banks, and gaming platforms, fell victim to these attacks.  

****Advanced Capabilities****

According to NSFOCUS’s **report**, Gorilla Botnet’s sophistication goes beyond its attack methods. The malware incorporates encryption algorithms commonly **used** by the notorious **Keksec** hacking group, making it difficult to detect/analyze.

The botnet also shows a strong focus on persistence. By exploiting vulnerabilities like the Apache Hadoop YARN RPC flaw and installing services that automatically execute on system startup, Gorilla becomes a stubborn opponent to eradicate.   

Organizations should strengthen their cybersecurity to address the growing threat of the Gorilla Botnet. Firewalls help block suspicious traffic, while intrusion detection systems (IDS) can spot unusual activity and alert security teams. Using cloud-based **DDoS protection** can also help reduce high-volume attacks, minimizing downtime for critical systems.

1.  Goldoon Botnet Hit D-Link Devices by Exploiting 9-Year-Old Flaw
2.   Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
3.  Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks
4.  Mirai-like Botnet Hits Zyxel NAS Devices in Europe for DDoS Attacks
5.  US Charges Duo Behind Anonymous Sudan for 35,000 DDoS Attacks

Mirai-Inspired Gorilla Botnet Hits 0.3 Million Targets Across 100 Countries

Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.

Source: Delphotos via Alamy Stock Photo

A security weakness in the Safari browser on macOS devices might have exposed users to spying, data theft, and other forms of malware.

The issue is enabled by the special permissions Apple gives to its proprietary apps — in this case, its browser — and the ease with which an attacker can reach important app configuration files. In the end, it allows an attacker to bypass the Transparency, Consent, and Control (TCC) security layer that MacBooks use to guard sensitive data. Its CVE entry, CVE-2024-44133, has earned a "medium" severity 5.5 rating in the Common Vulnerability Scoring System (CVSS).

Researchers from Microsoft have named their exploit of CVE-2024-44133 "HM Surf." In a new blog post, they described how HM Surf could open the door to a user's browsing data, camera, and microphone, as well as their device's location, among other things. And the threat doesn't only appear to be theoretical: There's already inconclusive but not insignificant evidence to suggest that one adware program has already exploited CVE-2024-44133, or something quite like it, in the wild.

Apple released a fix for CVE-2024-44133 in its update to macOS Sequoia back on Sept. 16.

"It's a serious concern, because of the unauthorized access it gives," says Xen Madden, cybersecurity expert at Menlo Security, emphasizing the need for organizations to update their macOS devices. But, she adds, "By the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it."

**Exploiting HM Surf**

In any and all Apple devices, TCC is there to manage what sensitive data and features apps can access. If some app wants to access your camera, for example, thanks to TCC, you can rest assured that your Mac will ask for your permission first.

Unless your app has a special "entitlement." Some of Apple's proprietary apps possess entitlements — special permissions, approved by Apple, which allow them unique privileges compared to other apps. The core of why HM Surf works is Safari's entitlement, "com.apple.private.tcc.allow," which allows it to bypass TCC at an app level, and apply it only on a per website ("per origin") basis. In other words, Safari can freely access your camera and microphone as it wishes, but any given website you visit through Safari likely cannot.

Safari's configuration — including the rules that define per-origin TCC protections — are stored in various files under ~/Library/Safari, within the user's home directory. Manipulating these files could provide a path to TCC bypass, though the home directory is itself TCC protected.

Getting around that roadblock is simple, though, using the autological directory service command line utility (DSCL), a tool in macOS for managing directory services from the command line. In HM Surf, DSCL is used to temporarily change the home directory, removing the TCC umbrella shielding ~/Library/Safari. Now they could modify Safari's per-origin TCC configurations — allowing all kinds of permissions for a malicious website of their own creation — before ultimately reinstating the home directory. Thereafter, if a user visited the malicious site, the site would have full rein to capture screenshots, location data, and more, without ever triggering a permission pop-up.

**Was CVE-2024-44133 Already Exploited?**

After concocting their exploit, Microsoft started scanning customer environments for activity that aligned with what they'd found. On one device, lo and behold, they spotted something quite closely resembling what they were looking for.

It was a program digging into the victim's Chrome configuration settings, adding approval for microphone and camera access to a specific URL. It also did more: gathering user and device information, laying the groundwork for a second-stage payload.

This program, it turned out, was a well-known macOS adware program called "AdLoad." AdLoad hijacks and redirects browser traffic, pestering users with unwanted advertisements. It also goes further: harvesting user data, turning infected devices into nodes in a botnet, and acting as a staging ground for further malicious payloads.

In its blog post, Microsoft noted that though AdLoad's activity closely resembled the HM Surf technique, "Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself." Still, it added, "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."

Dark Reading has contacted both Apple and Microsoft for further comment on this story.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MacOS Safari 'HM Surf' Exploit Exposes Camera, Mic, Browser Data

Protect yourself from the ClickFix attack! Learn how cybercriminals are using fake Google Meet pages to trick users…

Protect yourself from the ClickFix attack! Learn how cybercriminals are using fake Google Meet pages to trick users into downloading malware. Discover the latest tactics employed by these malicious actors and stay safe online.

Cybersecurity researchers at Sekoia have detected an uptick in cyberattacks targeting users of the popular video conferencing platform, Google Meet, employing a notorious tactic, dubbed “ClickFix.” This tactic emerged in May 2024 and involves mimicking legitimate services like Google Chrome, Facebook, or Google Meet, to trick users into downloading malware.

According to Sekoia’s report, attackers are displaying fake error messages mimicking legitimate alerts from Google Meet, prompting users to click a “Fix It” button or perform other actions. However, these actions unknowingly execute malicious code that installs malware on the victim’s device. 

The ClickFix campaign leverages multiple malware distribution campaigns. Sekoia researchers analyzed a ClickFix cluster impersonating Google Meet video conferences, which targeted both Windows and macOS users.

For Windows users, the fake error message claimed microphone or headset issues, prompting them to copy a script that downloaded Stealc and Rhadamanthys infostealers. macOS users were tricked into downloading the AMOS Stealer malware.  

> _“Given the variety of initial malicious websites redirecting to this infrastructure, we assess with high confidence that it is shared among multiple threat actors. They collaborate within a centralized Traffers team to share certain resources, including this infrastructure and the AMOS Stealer, which is also sold as Malware-as-a-Service.”_
> 
> Sekoia

****Possible Perpetrators****

The investigation revealed that two cybercrime groups, “Slavic Nation Empire” (linked with cryptocurrency scam team Marko Polo) and “Scamquerteo Team” (a subgroup of cryptocurrency scam team CryptoLove), were likely behind this ClickFix cluster. These groups specialize in targeting users involved in cryptocurrency assets, Web3 applications, and decentralized finance (DeFi).  

Both teams use the same ClickFix template to impersonate Google Meet, suggesting they share materials and infrastructure. Sekoia analysts estimate that both teams use the same cybercrime service to supply the fake Google Meet cluster, and it is likely that a third party manages their infrastructure or registers their domain names.

The malware delivered through these attacks includes infostealers, botnets, and remote access tools. These malicious programs can steal sensitive data, compromise systems, and enable further attacks.

****ClickFix Scope****

The ClickFix tactic is particularly dangerous because it bypasses traditional security measures. By not requiring users to download a file directly, it avoids detection by web browser security features. This makes it more likely to ensnare unsuspecting victims.  

To protect yourself from ClickFix attacks, be cautious of unexpected error messages, verify scripts before copying and pasting them from unknown sources, use strong security software like antivirus and anti-malware, be cautious with links, and enable two-factor authentication to add an extra layer of security to your online accounts.

1.  Konni RAT Exploiting Word Docs to Steal Data from Windows
2.  Fake Chrome Browser Update Installs NetSupport Manager RAT
3.  Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain
4.  AsyncRAT Infiltrates Key US Infrastructure Through GIFs and SVGs
5.  Popular Android Screen Recorder iRecorder App Revealed as Trojan

ClickFix Attack: Fake Google Meet Alerts Install Malware on Windows, macOS

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the brothers is facing life in prison for allegedly seeking to kill people with his attacks.

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running **Anonymous Sudan** (a.k.a. **AnonSudan**), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.

Image: FBI

Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.

The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — **Ahmed Salah Yousif** **Omer**, 22, and **Alaa Salah Yusuuf Omer**, 27.

AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit **PayPal** the following month, followed by **Twitter/X** (Aug. 2023), and **OpenAI** (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the **FBI** and the **Department of State**.

Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.

The government isn’t saying where the Omer brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the **U.S. Department of Justice** says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.

AnonSudan accepted orders over the instant messaging service **Telegram**, and marketed its DDoS service by several names, including “**Skynet**,” “**InfraShutdown**,” and the “**Godzilla botnet**.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.

Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwards C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.

**Amazon** was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.

“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”

The security firm **CrowdStrike** said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.

The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.

A passport for Ahmed Salah Yousif Omer. Image: FBI.

If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.

As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.

In February 2024, AnonSudan launched a digital assault on the **Cedars-Sinai Hospital** in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.

The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.

Tag

#botnet