Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google has removed eight apps from its Google Play store that were propagating a new variant of the Joker spyware, but not before they already had garnered more than 3 million downloads.

French security researcher Maxime Ingrao of cybersecurity firm Evina discovered a malware that he dubbed Autolycos that can subscribe users to a premium service as well as access users’ SMS messages,. according to a post he made on Twitter last week. This type of malware–in which malicious applications subscribe users to premium services without their knowledge or consent to rack up payment charges–is called toll fraud malware, or more commonly, fleeceware.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Ingrao said he discovered eight applications on the site spreading Autolycos since June 2021 that had racked up several million downloads. The cybercriminals behind Autolycos are using Facebook pages and running ads on Facebook and Instagram to promote the malware, he said.

“For example, there were 74 ad campaigns for Razer Keyboard & Theme malware,” Ingrao tweeted in one of a series of follow-up posts describing how the malware works.

****Joker Rides Again****

Ingrao compared the malware to Joker, a spyware discovered in 2019 that also secretly subscribed people to premium services and stole SMS messages, among other nefarious activities.

Indeed, upon further examination, researchers from Malwarebytes believe the malware is a new variant of Joker–what Malwarebytes refers to as “Android/Trojan.Spy.Joker–Malwarebytes intelligence researcher Pieter Artnz said in a post published a day after Ingrao’s revelation.

Joker was the first major malware families hat specialized in in fleeceware, according to Malwarebytes. The trojan would hide in the advertisement frameworks utilized by the malicious apps propagating it; these frameworks aggregate and serve in-app ads.

After the apps with Joker were installed, they would show a “splash” screen, which would display the app logo, to throw off victims while performing various malicious processes in the background, such as stealing SMSes and contact lists as well as performing ad fraud and signing people up for subscriptions without their knowledge.

****Difference in Execution****

One difference between the original Joker and Autolycos, however, was pointed out by Ingrao.”No webview like #Joker but only http requests,” he tweeted.

“It retrieves a JSON (Java Script Object Notation) on the C2 address: 68.183.219.190/pER/y,” Ingrao said of Autolycos in a tweet. “It then executes the URLs, for some steps it executes the URLs on a remote browser and returns the result to include it in the requests.”

Malwarebytes’ Artnz also explained this difference further in his post. While Joker used webviews—or a piece of Web content, such as “a tiny part of the app screen, a whole page, or anything in between”—to do its dirty week, Autolycos avoids this by executing URLs on a remote browser and then including the result in HTTP requests, he wrote.

This helps Autolycos evade detection even more adeptly than the original Joker, according to Malwarebytes’ Artnz said. “Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on,” he wrote.

****Lag Time in Discovery and App Removal****

The eight apps in which Ingrao discovered Autolycos are:

*   Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
*   Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
*   Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
*   Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
*   Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
*   Coco Camera v1.1 (com.toomore.cool.camera) –  1,000 downloads
*   Funny Camera by KellyTech –  500,000 downloads
*   Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads.

While Ingrao discovered the offending apps in July 2021 and reported them to Google quickly, he told BleepingComputer that the company took six months to remove six of the apps. Moreover, Google only finally removed the last two on July 13, according to Malwarebytes.

Artnz was critical of the lag time between discovery and removal, though he did not speculate as to the reason why, noting only that “the small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store.”

“It’s possible \[the malicious apps\] would still be available if the researcher hadn’t gone public because he said he got tired of waiting,” Artnz wrote.

Google did not immediately respond to request for comment on Monday. Indeed, the company has a storied history of struggling to keep malicious apps—in particular fleeceware-\-off its mobile app store for the Android platform.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Google Boots Multiple Malware-laced Android Apps from Marketplace

An issue was discovered in Infiray IRAY-A8Z3 1.0.957. There is a blank root password for TELNET by default.

The IRAY A8Z3 thermal camera for industrial application, manufactured by Infiray/IRay Technologies is affected by multiple vulnerabilities. These are a direct consequence of insecure coding practices, insecure configuration and outdated software components within the embedded firmware. Multiple attack vectors were found that will result in remote code execution (RCE). The vendor did not reply anymore to our communication attempts, hence it is unclear whether patches are available.

**Vendor description**

_"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops and manufactures infrared FPA detectors, thermal imaging modules, and other products, with completely independent intellectual property rights. We are committed to providing global customers with professional thermal imaging products and solutions. The main products include IRFPA detectors, thermal imaging cores, and terminal products for application."_ 

Source: http://www.infiray.com/about.html

**Business recommendation**

The vendor was unresponsive during the disclosure process. Hence it is unclear whether patches are available. Customers are urged to approach their vendor contact and request security reviews and updates. 

SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues. 

**Vulnerability overview/description****1) Hardcoded Web Credentials (CVE-2022-31210) **

The binary file "/usr/local/sbin/webproject/set\_param.cgi" contains hardcoded credentials to the web application. As these accounts cannot be deactivated or change their passwords, they are considered to be backdoor accounts. 

**2) Authenticated Remote Code Execution (CVE-2022-31208) **

The webserver contains an endpoint that can execute arbitrary commands by manipulating the "cmd\_string" URL parameter. The user can login using one of the backdoor accounts from issue 1. 

**3) Potential Buffer Overflow (CVE-2022-31209) **

The firmware contains a potential buffer overflow by calling strcpy() without checking the string length beforehand. 

**4) Telnet Root Shell without Password (CVE-2022-31211) **

The camera offers a shell through a telnet connection. The root user does not require a password per default. Thus, anyone on the local network can execute arbitrary commands as root on the camera. 

**5) Multiple Outdated Software Components **

Multiple outdated software components containing vulnerabilities were found by the IoT Inspector (ONEKEY) firmware analysis platform.  

**Proof of concept****1) Hardcoded Web Credentials (CVE-2022-31210) **

The following cgi program will be executed during the login process: 

    http ://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge&set_cmd=loading&length=35&name=<user>&password=<password>&access=0&0.3543773172371312 

The following de-compilation shows the code flow with the hardcoded passwords: 

    [ PoC removed ] 

The authentication works by comparing the URL supplied username with the string **"\[removed\]".** Afterwards it will compare the password parameter to **"\[removed\]"** as well. If both string parameters match, a message will be removed from the messaging queue. Otherwise the function will just return. The same comparison holds for the admin account. 

Furthermore, string comparisons are made without checking the case. Hence, drastically improving the chances of brute-force attacks. 

**2) Authenticated Remote Code Execution (CVE-2022-31208) **

The web application offers an option to view the device log. Opening following URL while logged in as admin (e.g. with hardcoded password from section 1) will trigger the request: 

    http ://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]

By changing the "cmd\_string" parameter, arbitrary commands can be executed with the rights of the webserver (www-data). The de-compiled code can be seen in following snippet: 

    [ PoC removed ] 

The "cmd\_string" parameter is directly passed into popen() and hence executed. 

**3) Potential Buffer-Overflow (CVE-2022-31209) **

The firmware contains a potential buffer overflow vulnerability: 

    [ PoC removed ] 

A pointer to the "next\_url" parameter is supplied. A buffer of 64 bytes is allocated and the parameter value copied to it without checking the string length. Hence, a "next\_url" parameter with more than 64 bytes could be supplied in order to overflow the buffer. Please note that this vulnerability is only based on firmware analysis and thus was not tested in a live scenario. 

**4) Telnet Root Shell without Password (CVE-2022-31211) **

The camera has a telnetd server running on port 23 per default. The root password is empty. If the telnet port is exposed to the internet, an attacker could easily connect to the device and gain root access. The telnet server cannot be deactivated and the root password cannot be changed through the web interface. 

**5) Multiple Outdated Software Components **

IoT Inspector (ONEKEY) recognized multiple outdated software components with known vulnerabilities:

    BusyBox 1.25.0:                                  6 CVEs 
    curl 7.54.0:                                    13 CVEs 
    Dnsmasq 2.76:                                    9 CVEs 
    lighttpd 1.4.41:                                 2 CVEs 
    Linux Kernel 3.10.104:                        1004 CVEs 
    hostapd 2.5:                                    22 CVEs 
    wpa_supplicant 2.5-devel_rtw_r17190.20160415:   12 CVEs 

**Vulnerable / tested versions**

The following product/firmware version has been tested: 

*   Infiray IRAY-A8Z3 V1.0.957 

It has to be assumed that further products or firmware versions are affected as well. 

**Vendor contact timeline**

CVE-2022-31211: Multiple Vulnerabilities in Infiray IRAY-A8Z3 thermal camera

Plus: A wild Indian cricket scam, an elite CIA hacker is found guilty of passing secrets to WikiLeaks, and more of the week's top security news.

The websites you visit can reveal (almost) everything about you. If you are looking up health information, reading about trade unions, or researching details around certain types of crime, then you can potentially give away a huge amount of detail about yourself that a malicious actor could use against you. Researchers this week have detailed a new attack, using the web’s basic functions, that can unmask anonymous users online. The hack uses common web browser features—included in every major browser—and CPU functions to analyze whether you’re logged in to services such as Twitter or Facebook and subsequently identify you.

Elsewhere, we detailed how the Russian “hacktivist” group Killnet is attacking countries that backed Ukraine but aren’t directly involved in the war. Killnet has launched DDoS attacks against official government websites and businesses in Germany, the United States, Italy, Romania, Norway, and Lithuania in recent months. And it’s only one of the pro-Russian hacktivist groups causing chaos.

We’ve also looked at a new privacy scandal in India where donors to nonprofit organizations have had their details and information handed to police without their consent. We also looked at the new “Retbleed” attack that can steal data from Intel and AMD chips. And we took stock of the ongoing January 6 committee hearings—and predicted what’s to come.

But that’s not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

For years, Amazon-owned security camera firm Ring has been building relationships with law enforcement. By the start of 2021, Amazon had struck more than 2,000 partnerships with police and fire departments across the US, building out a huge surveillance network with officials being able to request videos to help with investigations. In the UK, Ring has partnered with police forces to give cameras away to local residents.

This week, Amazon admitted to handing police footage recorded on Ring cameras without their owners’ permission. As first reported by Politico, Ring has given law enforcement officials footage on at least 11 occasions this year. This is the first time the firm has admitted to passing on data without consent or a warrant. The move will raise further concerns over Ring’s cameras, which have been criticized by campaign groups and lawmakers for eroding people’s privacy and making surveillance technology ubiquitous. In response, Ring says it doesn’t give anyone “unfettered” access to customer data or video but may hand over data without permission in emergency situations where there is imminent danger of death or serious harm to a person.

In 2017, the Vault 7 leaks exposed the CIA’s most secretive and powerful hacking tools. Files published by WikiLeaks showed how the agency could hack Macs, your router, your TV, and a whole host of other devices. Investigators soon pointed the finger at Joshua Schulte, a hacker in the CIA’s Operations Support Branch (OSB), which was responsible for finding exploits that could be used in the CIA’s missions. Schulte has now been found guilty of leaking the Vault 7 files to Wikileaks and is potentially facing decades in prison. Following an earlier mistrial in 2018, Schulte was this week found guilty on all nine charges against him. Weeks ahead of his second trial, _The New Yorker_ published this comprehensive feature exploring Schulte’s dark history and how the CIA’s OSB operates.

Hackers linked to China, Iran, and North Korea have been targeting journalists and media outlets, according to new research from security firm Proofpoint. Alongside efforts to compromise the official accounts of members of the press, Proofpoint says, multiple Iranian hacking groups have posed as journalists and tried to trick people into handing over their online account details. The Iranian-linked group Charming Kitten has sent detailed interview requests to its potential hacking targets, and they have also tried to impersonate multiple Western news outlets. “This social engineering tactic successfully exploits the human desire for recognition and is being leveraged by APT actors wishing to target academics and foreign policy experts worldwide, likely in an effort to gain access to sensitive information,” Proofpoint says.

In any company or organization, items will go missing from time to time. Usually these are misplaced phones, security passes, and files occasionally being left at bus stops by mistake. Losing any of these things may open up security risks if devices are insecure or if sensitive information is made public. Less commonly lost are desktop computers—unless you’re the FBI. According to FBI records obtained by VICE’s _Motherboard_, the agency lost 200 desktop machines between July and December 2021. Also lost, or in some cases stolen, were pieces of body armor and night-vision scopes.

Scams don’t get much more elaborate than this. This week, police in India busted a fake “Indian Premier League” cricket tournament. A group of alleged scammers set up the fake league in the western Indian state of Gujarat and hired young men to play cricket matches, posing as professional teams while they livestreamed the matches for people to bet on. According to police, the group hired a fake commentator, created onscreen graphics showing real-time scores, and played crowd noises downloaded from the internet. To hide the fact that the matches took place on a farm instead of inside a large stadium, the videofeed only showed closeups of the action. Police said they caught the gang as a quarterfinal match was being played. Police believe the gang was potentially running multiple leagues and was planning to expand to a volleyball league, too. The match footage is worth watching.

Amazon Handed Ring Videos to Cops Without Warrants

By Deeba Ahmed
The Vault 7 leak included trojans, viruses, malware, zero-day exploits, malware remote control systems, and related documents dating…
This is a post from HackRead.com Read the original post: CIA Whistleblower Found Guilty of Leaking Vault 7 Documents to WikiLeaks

A Manhattan federal court jury has convicted Joshua Schulte for leaking Vault 7 related sensitive documents and other classified US intelligence malware tools. As reported by Hackread.com in May 2018, the ex-CIA software engineer was detained at the Metropolitan Detention Center until the trial.

Joshua A. Schulte

**Trial Details**

Schulte defended himself during the trial. However, the jury found him guilty on 8 espionage charges and an additional obstruction charge. The jury deliberated for three days before announcing the verdict.

Schulte may get up to 80 years sentence. As per a statement from US Attorney Damian Williams, Joshua Schulte was convicted for one of the most “damaging” and “brazen” espionage acts in the history of the US.

Furthermore, Williams stated that Schulte’s actions had a “devastating effect” on US intelligence by offering “critical intelligence” to anti-US actors.

**The Infamous Vault 7 Leaks**

The 33-year-old Joshua is a former software engineer/programmer convicted for leaking sensitive documents, several top-secret hacking tools, and exploits dubbed Vault 7. It is worth noting that the Vault 7 leak included trojans, viruses, malware, zero-day exploits, malware remote control systems, and related documents dating from 2013 to 2016.

The documents, as seen by Hackread.com, also exposed how the CIA targets unsuspected individuals and businesses by exploiting vulnerabilities in a targeted system. The list of CIA’s targets, according to the Vault 7 leak, included the following:

*   iPhones (report)
*   Notepads (report)
*   Smart TVs (report)
*   Mac devices (report)
*   Video players (report)
*   Linux devices (report)
*   Web browsers (report)
*   Air-gapped PCs (report)
*   Security cameras (report)
*   Android smartphones (report)
*   Windows-based computers (report)
*   Microphones and Webcams (report)
*   Trucks and other Internet-connected devices (report)

According to WikiLeaks, these documents exposed “the entire hacking capacity of the CIA.”

The documents and tools in discussion were published by WikiLeaks on their website under the handle of Vault 7 on on 7 March 2017. These documents contained a trove of 8,000 documents and 943 attachments showing how the CIA developed tools to hack their targets and turn them into spying devices.

Schulte was arrested on 24 August 2017 and charged with unauthorized disclosure of confidential information and stealing classified material in June 2018. He is also facing separate charges over alleged possession of child pornography.

In conclusion, although Schulte has been convicted, the Vault 7 leaks shed light on the CIA’s extensive and invasive surveillance capabilities which concern all Americans and people/businesses around the world.

CIA Whistleblower Found Guilty of Leaking Vault 7 Documents to WikiLeaks

Joshua Schulte has been convicted for his role in the Vault 7 Wikileaks data dump that exposed invasive US cyber intelligence tactics.

Joshua Schulte, a former CIA programmer, has been found guilty by a jury in a Manhattan, NY court for stealing the trove of classified data on US cyber espionage that was exposed in the Vault 7 Wikileaks data dump.

Schulte, 33, was convicted of stealing and revealing secrets, including details about how the CIA used malware to compromise mobile phones and smart devices to spy on targets. The verdict was reported by Courthouse News Service, which said that in addition to the conviction on nine counts of stealing classified documents, Schulte has unrelated charges pending for child pornography. Altogether, he faces up to 80 years in prison.

A 2020 trial for Schulte ended with a deadlocked jury and a mistrial. Schulte opted to represent himself in the most recent proceedings, according to Courthouse News.

Schulte was first named as a suspect in the Vault 7 Wikileaks release in 2018. The cache of cyber spy secrets including zero-day vulnerabilities in Android, iOS, and Windows, along with known bugs in routers, smart TVs, and smart vehicles that were allegedly being exploited for spycraft by the CIA.

In a 2017 statement released along with the Vault 7 files, Wikileaks had bragged, "This extraordinary collection ... gives the entire hacking capacity of the CIA."

Federal prosecutors who charged Schulte agreed.

US Attorney Damian Williams said in reaction to the verdict that it was "one of the most brazen and damaging acts of espionage in American history."

Prosecutors described Schulte as a disgruntled employee motivated by petty revenge against the CIA. "Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless, having a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm," Williams said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ex-CIA Programmer Found Guilty of Stealing Vault 7 Data, Giving It to Wikileaks

Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

Microsoft researchers have linked an emerging ransomware threat that already has compromised a number of small-to-mid-sized businesses to financially motivated North Korean state-sponsored actors that have been active since last year.

A group tracked by researchers from Microsoft Threat Intelligence Center (MSTIC) as DEV-0530 but that calls itself H0lyGh0st has been developing and using ransomware in attacks since June 2021.

The group has successfully compromised small-to-mid-sized businesses—including manufacturing organizations, banks, schools, and event and meeting planning companies—in multiple countries starting as early as September, researchers from MTIC and Microsoft Digital Security Unit (MDSU) said in a blog post published Thursday.

H0lyGh0st’s standard modus operandi is to use a namesake ransomware to encrypt all files on the target device using the file extension .h0lyenc, then send the victim a sample of the files as proof. The group interacts with victims on a _.onion_ site that it maintains and on which it provides a contact form for victims to get in touch, researchers said.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

The group typically demands payment in Bitcoin in exchange for restoring access to the files. On its website, H0lyGh0st claims that it won’t sell or publish victim data if they pay, researchers said. However, it uses double extortion to pressure targets to pay, threatening to publish stolen data on social media or send it to the victims’ customers if they don’t meet ransom demands.

****Introducing H0lyGh0st****

H0lyGh0st’s ransomware campaigns are financially motivated, with researchers observing text linked to a ransom note that they intercepted in which attackers claim they aim to “close the gap between the rich and poor,” researchers said.

“They also attempt to legitimize their actions by claiming to increase the victim’s security awareness by letting the victims know more about their security posture,” they said.

DEV-0530 also has connections with another North Korean-based group tracked as PLUTONIUM, also known as DarkSeoul or Andariel, according to MSTIC, with researchers observing communications between the two groups. H0lyGh0st also has been seen using tools created exclusively by PLUTONIUM, they said.

****A Tale of Two Families****

Since it began using ransomware in June 2021 and until May 2022, H0lyGh0st has employed two custom-developed malware families–SiennaPurple and SiennaBlue, researchers said. MSTIC identified four variants linked to these families: BTLC\_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe.

BTLC\_C.exe is written in C++ and is classified as SiennaPurple, while the rest are written in the open-source Go programming language, researchers said. All of the variants are compiled into .exe to target Windows systems, they said.

BLTC\_C.exe is a portable ransomware developed by the group that was first seen in June 2021. However, it may have been an early version of the group’s development efforts, as it doesn’t have many features compared to all malware variants in the SiennaBlue family, researchers said.

Later in the group’s evolution, between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go, which they classify as SiennaBlue variants, they said.

Though new Go functions have been added to the various variants over time, all the ransomware in the SiennaBlue family share the same core Go functions, researchers observed. These features include various encryption options, string obfuscation, public key management, and support for the internet and intranet, researchers said.

****Most Recent Variant****

The latest ransomware variant to be used by the group is BTLC.exe, which researchers have seen in the wild since April of this year, they said.

BTLC.exe can be configured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware if the ServerBaseURL is not accessible from the device, researchers said.

The malware also includes a persistence mechanism in which it creates or deletes a scheduled task called _lockertask_ that can launch the ransomware. Once the malware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive, they said.

**_FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE._**

Emerging H0lyGh0st Ransomware Tied to North Korea

Researchers who helped thwart the Russian nation-state group's recent attack on Ukraine's power supply will disclose at Black Hat USA what they found while reverse-engineering the powerful Industroyer2 malware used by the powerful hacking team.

The infamous Sandworm threat group operating out of Russia's military GRU unit has no qualms about taunting researchers when it finds it is being watched. Just ask Robert Lipovsky and his fellow researchers at ESET, who got the message loud and clear when they dissected one of Sandworm's newer malware variants earlier this year: The Sandworm attackers disguised the loader for one of its data-wiping variants as the IDAPro reverse-engineering tool — the very same tool the researchers had used to analyze the attackers' malware.

Lipovsky, principal threat intelligence researcher at ESET, knew it was no coincidence. Sandworm most likely was brazenly — and sarcastically — making a point that the group knew ESET was on its trail. "There's no reason to use IDAPro" in an attack on an engineering substation because that's not a tool that would be used on that system, he explains. "It's fairly clear the attackers are fully aware we are onto them and blocking their threats. They are maybe trolling us, I would say."

That wasn't the only message Sandworm seemed to be sending. The group also dropped a Trojan-ridden version of ESET's security software in its targeting of Ukrainian networks. "They were sending a message that they were aware we are doing our job protecting the users in Ukraine," Lipovsky says.

Lipovsky was part of the ESET team that — along with Ukraine's computer emergency response team (CERT-UA) and Microsoft — in April blocked a cyberattack by Sandworm on an energy company in Ukraine using a new version of its game-changing Industroyer malware weapon, Industroyer2. Had it not been thwarted in time, the attack would have knocked several high-voltage substations from part of the nation's electric grid.

Industroyer2 is a more custom version of the first iteration (Industroyer) that Sandworm unleashed in December 2016, temporarily knocking out power in parts of Kyiv, the capital of Ukraine. The Industroyer2 attack attempt in April also came with destructive disk-wiping tools designed to destroy engineering workstations running Windows, Linux, and Solaris, in an attempt to thwart recovery operations when the attackers' planned power blackout hit. Industroyer was the first known malware able to shut out the lights, and it can communicate with ICS hardware in electrical substations — circuit breakers and protective relays, for instance — via popular industrial network protocols.

Even after the high-profile foiling of the Industroyer2 attack attempt on Ukraine in April, Sandworm continues to relentlessly hammer at Ukraine's cyber defenses. "It didn't end with Industroyer2. It continues today," says Lipovsky, who with ESET senior malware researcher Anton Cherepanov will share their insiders' view of Sandworm and dissect the group's Industroyer2 malware at Black Hat USA in Las Vegas next month. 

"There are more wipers today … and new execution chains being used," he says.

Most of the current attack attempts by Sandworm against Ukraine's infrastructure now carry disk-wiping weapons. "We've seen disruption activity \[attempts\] at an increased rates since February," he says, when Russia first invaded Ukraine. Intel-gathering via cyber-espionage attacks also has been active, he adds, noting that while Sandworm is the most prominent Russian threat actor targeting Ukraine, it's not the only one.

**Industroyer2 up Close**

In their Black Hat talk, Lipovsky and Cherepanov plan to reveal more technical details about Sandworm that haven't yet been made public, as well as share recommendations for utilities to defend against the nation-state group's attacks.

Lipovsky and his team describe Industroyer2 as a simpler, more streamlined version of the first version. Unlike the first Industroyer, Industroyer2 speaks just one OT protocol, IEC 104. The original version used four different industrial protocols. It's likely more efficient and focused that way: "\[IEC 104 is\] one of most common \[OT\] protocols and a regional thing" in Europe, he notes.

The disk-wiping capabilities with Industroyer2 eclipse that of the first version. "The first one was a framework with multiple components, and it was also calling additional modules that were there for wiping," he says. Industroyer2 is more "self-contained" and offers wipers as separate executables, he says, malware weapons that have been discovered in other recent cyber incidents. 

CaddyWiper is the main disk wiper used with Industroyer2. Sandworm pointed CaddyWiper at a Ukrainian bank 24 hours before Russia invaded Ukraine in February, at a government agency in early April, and on some Windows workstations at the targeted Ukrainian energy firm. Sandworm also set destructive malware programs ORCSHRED, SOLOSHRED, and AWFULSHRED on Linux and Solaris workstations there. And, as a final touch, Sandworm had scheduled CaddyWiper to execute on April 8 as a way to erase all evidence of Industroyer2, but it was blocked.

Interestingly, Sandworm does not typically wipe domain controllers, so as not to disrupt its own foothold in the victim's network. "They wipe regular workstations to disrupt a target's operations, but they want to keep their presence once they've infiltrated an environment," Lipovsky says.

Even with all that ESET and other researchers now know about Industroyer2, there is still no full picture of the initial attack vector in the Industroyer2 attack on the Ukrainian energy firm. CERT-UA said the attack appeared to be in two stages, the first one likely in February of this year and the other in April, when the goal was to disconnect the electrical substations and sabotage the power operations on April 8.

**Defense Against Industroyer, Sandworm**

While Industroyer2 has been trained on Ukraine, its emergence has shaken the OT industry.  "Industroyer was a wake-up call for the whole ICS community. This is a serious threat," Lipovsky says.

The playbook for protecting an OT network from Industroyer and related attacks isn't much different than others. "It's what we've always been saying: Have visibility into the environment; have EDR, XDR tools; multiple layers of security in the stack; and access controls," Lipovsky says.

In their talk at Black Hat Lipovsky and Cherepanov also will share EDR rules, configuration suggestions to stop lateral movement, and rules for Snort and YARA tools

They also plan to reiterate that engineering workstations in OT networks have become major targets, so they have to be part of the security equation. "A lot of SCADA software and monitoring is happening on regular workstations that run Windows or Linux. These machines should have the appropriate security measures and solutions that are multilayered," including running EDR or XDR tools, he says.

Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine

An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021.
The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned for unknown, emerging, or a

An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021.

The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned for unknown, emerging, or a developing group of threat activity.

Targeted entities primarily include small-to-midsize businesses such as manufacturing organizations, banks, schools, and event and meeting planning companies.

"Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims," the researchers said in a Thursday analysis.

"The group's standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files."

Ransom amounts demanded by DEV-0530 range anywhere between 1.2 and 5 bitcoins, although an analysis of the attacker's cryptocurrency wallet shows no successful ransom payments from its victims as of early July 2022.

DEV-0530 is believed to have connections with another North Korean-based group known as Plutonium (aka DarkSeoul or Andariel), a sub-group operating under the Lazarus umbrella (aka Zinc or Hidden Cobra).

The illicit scheme adopted by the threat actor is also known to take a leaf from the ransomware landscape, leveraging extortion tactics to apply pressure on victims into paying up or risk getting their information published on social media.

DEV-0530's dark web portal claims it aims to "close the gap between the rich and poor" and "help the poor and starving people," in a tactic that mirrors another ransomware family called GoodWill that compels victims into donating to social causes and providing financial assistance to people in need.

The technical breadcrumbs that tie the group to Andariel stem from overlaps in the infrastructure set as well as based on communications between email accounts controlled by the two attacker collectives, with DEV-0530 activity consistently observed during Korea Standard Time (UTC+09:00).

"Despite these similarities, differences in operational tempo, targeting, and tradecraft suggest DEV-0530 and Plutonium are distinct groups," the researchers pointed out.

In a sign that suggests active development, four different variants of the H0lyGh0st ransomware were churned out between June 2021 and May 2022 to target Windows systems: BTLC\_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe.

While BTLC\_C.exe (dubbed SiennaPurple) is written in C++, the other three versions (codenamed SiennaBlue) are programmed in Go, suggesting an attempt on the part of the adversary to develop cross-platform malware.

The newer strains also come with improvements to their core functionality, including string obfuscation and abilities to delete scheduled tasks and remove themselves from the infected machines.

The intrusions are said to have been facilitated through the exploitation of unpatched vulnerabilities in public-facing web applications and content management systems (e.g., CVE-2022-26352), leveraging the purchase to drop the ransomware payloads and exfiltrate sensitive data prior to encrypting the files.

The findings come a week after the U.S. cybersecurity, and intelligence agencies warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.

The expansion from financial heists to ransomware is being viewed as yet another tactic sponsored by the North Korean government to offset losses from sanctions, natural disasters, and other economic setbacks.

But given the narrow set of victims than is typically associated with state-sponsored activity against cryptocurrency organizations, Microsoft theorized the attacks could be a side-hustle for the threat actors involved.

"It is equally possible that the North Korean government is not enabling or supporting these ransomware attacks," the researchers said. "Individuals with ties to Plutonium infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530."

**The ransomware threat evolves in a post-Conti world**

The development also comes as the ransomware landscape is evolving with existing and new ransomware groups, namely LockBit, Hive, Lilith, RedAlert (aka N13V), and 0mega, even as the Conti gang formally shuttered its operations in response to a massive leak of its internal chats.

Adding fuel to the fire, LockBit's improved successor also comes with a brand new data leak site that allows any actor to purchase data stolen from victims, not to mention incorporating a search feature that makes it easier to surface sensitive information.

Other ransomware families have also added similar capabilities in an attempt to create searchable databases of information stolen during attacks. Notable among this list are PYSA, BlackCat (aka ALPHV), and the Conti offshoot known as Karakurt, according to a report from Bleeping Computer.

Based on statistics gathered by Digital Shadows, 705 organizations were named in ransomware data leak websites in the second quarter of 2022, marking a 21.1% increase from Q1 2022. The top ransomware families during the period included LockBit, Conti, BlackCat, Black Basta, and Vice Society.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware

By Deeba Ahmed
Binance CEO Changpeng Zhao (CZ) said in a Tweet that their intel unit identified an exploit on Uniswap…
This is a post from HackRead.com Read the original post: Uniswap V3 LPs Lose Millions in Fake Token Phishing Attack

****Binance CEO Changpeng Zhao (CZ) said in a Tweet that their intel unit identified an exploit on Uniswap V3 on the Ethereum blockchain.****

Uniswap liquidity providers (LPs) have suffered a phishing attack lasting around eight hours. It was a fake token phishing attack in which 73,399 addresses received malicious ERC-20 tokens from where the hacker stole the funds and laundered them through Tornado Cash.

**About Uniswap**

Uniswap is a decentralized project with a listed token. Uniswap crypto exchange is primarily used for trading altcoins such as avalanche and Shiba Inu. It is among those few tokens with limited information for the founding members of the project team.

Uniswap LPs are basically users who receive interest from the exchange for depositing cryptocurrency into its system. The company has around 230,000 LPs.

**What Happened?**

On Monday, July 11th, unidentified scammers targeted Uniswap LPs and sent them fake Uniswap tokens to 74,800 out of the 230,000 LPs. They were directed to a dodgy website where they had to exchange the tokens for crypto, explained MetaMask security researcher Harry Denley.

However, clicking the link caused infection and loss of funds from the two wallets. Sending these fake tokens cost the attackers 8.5 ether or $9,024 in transaction fees and another 90.86 ether.

Denley further revealed that the attacker targeted native coins, including Binance Coin, Ethereum, and Uniswao LPs, and employed a two-step approach. They requested for address and browser client info to /66312712367123.com and tried to steal assets. Around $4.7 million worth of crypto was lost in the attack.

**The Past Link**

The scam may appear new, but it is connected to the exchange’s previous actions. In 2020, it sent an airdrop of 400 $UNI tokens, which currently are worth $2,224. The tokens were sent to every wallet involved in a trade on Uniswap. At different stages in 2021, crypto whales received airdrops worth five to six-figure amounts.

**Binance Intervened to Stop the Attack**

Binance CEO Changpeng Zhao (CZ) claimed in a Tweet that their intel unit identified an exploit on Uniswap V3 on the Ethereum blockchain. Zhao contacted Uniswap and informed the team that the exploit appeared as a phishing attack.

Binance Intel eventually was contacted to address the issue, and the attack was finally stopped on 11 July, around 23:00 UTC. The latest update is that the Uniswap protocol is completely safe. However, Uniswap’s price dropped, and the exchange experienced 10% losses in one night due to the attack.

CZ on Twitter having a conversation with Uniswap and alerting customers of the phishing scam

**Uniswap Response**

The crypto exchange posted the following statement on Twitter, revealing that there was no exploit and airdrops caused the losses.

> “To be clear: there was no exploit. The Protocol always was — and remains — secure… airdrops that direct you to unofficial domains are likely phishing attempts. We will never airdrop users without notice on multiple official channels.”

Uniswap V3 LPs Lose Millions in Fake Token Phishing Attack

Developers can now rest assured that the code they are using, as well as their GitHub accounts, are safe.

TEL AVIV, Israel , July 14, 2022 /PRNewswire/ -- Scribe Security, a leading software supply chain security solutions provider, announced today the release of Scribe Integrity, a code integrity validator that authenticates open-source and proprietary source code, and an integral building block of its platform solving the software supply chain security challenge. Scribe Integrity provides developers with an added layer of visibility, allowing developers peace of mind that the code they are using is safe. Scribe is simultaneously introducing its open-source Github security project, GitGat.

In 2021, software supply chain (SSC) attacks more than tripled, with recent attacks on SolarWinds, CodeCov, and Log4Shell underscoring the growing risk of such attacks to enterprises.

DevSecOps and security teams often focus on software vulnerabilities, overlooking the risk of tampering with software in the build process. Scribe bridges this gap in a practical manner by providing a convenient work tool that automatically reports integrity validation within a trusted software bill of materials SBOM.

Scribe leverages the principle of 'hash everything, sign everything', utilizing open-source intelligence that it collects on open-source dependencies. In this first release, Scribe's solution addresses the widely used Node.js and the popular npm package manager, which have recently suffered from a multitude of attacks.

Scribe's additional release, GitGat, is a Policy-as-Code tool, utilizing Open Policy Agent (OPA), an open source project, that addresses users' security posture. GitGat allows users to periodically run reports to gain insight into the changing security landscape of the organization. As GitGat evolves, it will cover more parts of the CI/CD toolchains.

"As software supply chains are an overlooked corner of the cyber world, they have become an increasingly attractive attack vector for hackers," said Scribe CEO and Co-founder, Rubi Arbel. "We are excited to be introducing a developer-first, practical tool that will give DevSecOps and security practitioners the assurance they need to trust the software they build and use."

**About Scribe**

Founded by cyber security and cryptography experts, Scribe Security develops a novel software supply chain security solution to increase trust in software products. For more information visit https://scribesecurity.com/

Tag

#intel