Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/)

How Chinese threat actors are using recently discovered zero day flaws in Office and Sophos Firewall
https://www.securitynewspaper.com/2022/09/29/how-chinese-threat-actors-are-using-recently-discovered-zero-day-flaws-in-office-and-sophos-firewall/
Thu, 29 Sep 2022 21:50:43 +0000

The post How Chinese threat actors are using recently discovered zero day flaws in office and Sophos firewall appeared first on Information Security Newspaper | Hacking News.
The Chinese APT known as TA413 is exploiting recently disclosed flaws in Microsoft Office and Sophos Firewall to deploy a new Trojan, LOWZERO, as part of an espionage campaign against Tibetan organizations.

Most of the targets were organizations connected to the Tibetan government-in-exile and to the wider Tibetan community. The attackers leveraged two remote code execution flaws: CVE-2022-1040, an authentication bypass in Sophos Firewall that allows remote code execution, and CVE-2022-30190 ("Follina") in Microsoft Office.

Recorded Future's analysts find it notable that TA413, a group otherwise known for reusing well-documented tooling and techniques, adopted these new exploits and access vectors so quickly. Since at least 2020, TA413 (also tracked as LuckyCat) has targeted organizations and individuals linked to the Tibetan community with malware such as ExileRAT and Sepulcher and with the malicious Mozilla Firefox extension FriarFox.

TA413's use of Follina first came to light in June 2022, when Proofpoint reported it without being able to determine the campaign's objective. Recorded Future also ties the group to a spear-phishing campaign in May 2022 that delivered a malicious RTF file; the document, built with the Royal Road RTF weaponizer linked to a large number of China-nexus operations, exploited Microsoft Equation Editor flaws to download LOWZERO.

Another phishing email aimed at a Tibetan recipient was found in late May. It carried a Microsoft Word attachment that used Follina to launch a custom PowerShell command, which downloaded LOWZERO from a remote server. LOWZERO is a backdoor: once the attacker decides an infected host is of interest, it can download further modules from its command-and-control (C2) server.

TA413's exploitation of freshly disclosed and zero-day vulnerabilities fits a broader pattern among Chinese cyber espionage groups: exploits frequently show up in use by several Chinese activity groups before they become widely available to the public.

Television screens at 7 Eleven and train stations in Taiwan hacked to display insults to Nancy Pelosi
https://www.securitynewspaper.com/2022/08/04/television-screens-at-7-eleven-and-train-stations-in-taiwan-hacked-to-display-insults-to-nancy-pelosi/
Thu, 04 Aug 2022 20:01:19 +0000
On Thursday, Taiwan denounced the previous day's hacking of TV screens at several chain stores and government facilities, which coincided with the visit to the island of the Speaker of the US House of Representatives, Nancy Pelosi, the target of the insults displayed on public digital screens.

The Criminal Investigation Bureau considers the incidents to be cyberattacks launched from unidentified Internet IP addresses and is investigating their origin, according to Taiwan's official news agency CNA.

Digital screens in several 7-Eleven stores displayed the message "Pelosi, brawler, leave Taiwan", which, according to the company, originated outside its systems.

The same happened at Xinzuoying railway station in Kaohsiung and at a municipal office in Jushan, where billboards referred to her as an "old witch".

The Taiwan Railways Administration temporarily shut these screens down and remains on alert to prevent further attacks on its ticketing system and train timetable displays.

The affected companies used Chinese software

Chen Yaw-shyang, head of Taiwan's National Communications Commission, said that preliminary investigations found the affected companies had used Chinese software in their digital signage systems, and that this software may have contained backdoors or other channels that left them open to this kind of intrusion.

The incidents came a day after the website of Taiwan's Presidential Office was temporarily taken offline by an external cyberattack.

All of this took place amid the controversy over Nancy Pelosi's visit to Taiwan, which was not officially announced in advance and has angered the Chinese government, which has responded with trade sanctions against the island and large-scale military maneuvers in the surrounding waters.

Education and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia were being spied on since 2013
https://www.securitynewspaper.com/2022/06/09/education-and-telecommunication-organizations-based-in-singapore-hong-kong-vietnam-cambodia-and-australia-were-being-spied-on-since-2013/
Thu, 09 Jun 2022 22:34:54 +0000
Researchers at SentinelLabs report the discovery of a previously unknown Chinese-speaking hacking group, tracked as Aoqin Dragon, that has been active since 2013. According to the researchers, the group focuses on cyber espionage against government, education and telecommunications organizations in Australia, Hong Kong, Singapore, Vietnam and Cambodia.

The group's main initial-access method between 2012 and 2015 was Microsoft Office documents crafted to exploit known vulnerabilities such as CVE-2012-0158 and CVE-2010-3333. This tactic was first observed in 2014 in a phishing campaign associated with the Advanced Persistent Threat (APT) operation known as Naikon.

SentinelLabs identified a second method used by Aoqin Dragon: malicious executables disguised with the icons of fake antivirus products. Once run, the executable dropped the malware onto the affected system.

Starting in 2018, the group abandoned these tactics in favor of a removable-disk shortcut file; clicking the shortcut triggers a DLL hijack and loads an encrypted payload that installs a backdoor. The malware runs under the name "Evernote Tray Application", executes at system startup and, whenever it detects a removable drive, copies the payload to it in order to spread the infection.

SOURCE: SentinelLabs

At least two backdoor variants used by the group have been identified. The first, Mongall, is a DLL injected into memory, protected with encryption and in continuous maintenance since its appearance in 2013. It profiles the host and sends the details to the C&C server over an encrypted channel.

The second, Heyoka, is built on an open-source exfiltration tool of the same name that uses spoofed DNS requests to create a bidirectional communication tunnel. The attackers use it to copy files out of compromised devices in a way that is difficult for the affected administrators to detect in the early stages of the intrusion.
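
Exfiltration over DNS leaves a footprint in resolver logs even when the tunnel endpoint is unknown: many distinct, long, high-entropy leftmost labels under one domain. The following detector, added here as an illustrative example and not SentinelLabs' analysis code or part of the Heyoka tool, applies those heuristics to constructed resolver log lines. Because Heyoka spoofs the source address of its queries, the aggregation keys on the queried domain rather than on the client address; the log format, thresholds and sample lines are assumptions.

```python
"""Heuristic detector for the DNS-tunnelling exfiltration pattern described above.

Added illustrative example; not SentinelLabs' analysis code or the Heyoka tool.
The resolver log format, the thresholds and the sample lines are constructed.
Heyoka spoofs the source address of its queries, so aggregation keys on the
queried domain rather than on the client address.
"""
import hashlib
import math
from collections import defaultdict

# Thresholds are assumptions; tune them against your own resolver baseline.
MIN_QUERIES = 4          # distinct leftmost labels seen under one domain
MIN_MEAN_LABEL_LEN = 20  # data-carrying labels are long
MIN_MEAN_ENTROPY = 2.5   # bits per character; hex/base32 payloads sit well above


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the characters of s, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Parse '<epoch> <client> <qtype> <qname>'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    ts, client, qtype, qname = parts
    return int(ts), client, qtype.upper(), qname.rstrip(".").lower()


def analyse(lines):
    """Group queries by registered domain; return the domains that look like tunnels."""
    per_domain = defaultdict(lambda: {"labels": set(), "clients": set(), "qtypes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qtype, qname = rec
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        agg = per_domain[dom]
        agg["labels"].add(sub.split(".")[0])   # leftmost label carries the payload
        agg["clients"].add(client)
        agg["qtypes"].add(qtype)

    findings = {}
    for dom, agg in per_domain.items():
        labels = [lab for lab in agg["labels"] if lab]
        if len(labels) < MIN_QUERIES:
            continue
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= MIN_MEAN_LABEL_LEN and mean_ent >= MIN_MEAN_ENTROPY:
            findings[dom] = {
                "queries": len(labels),
                "clients": len(agg["clients"]),   # many "clients" hints at spoofed sources
                "qtypes": sorted(agg["qtypes"]),
                "mean_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            }
    return findings


def _chunk(i: int) -> str:
    """Constructed 40-hex-character label standing in for an exfiltrated block."""
    return hashlib.sha256(f"exfil-block-{i}".encode()).hexdigest()[:40]


# Constructed resolver log: ordinary browsing plus a tunnel whose queries appear
# to come from six different (spoofed) client addresses.
SAMPLE_LOG = [
    "1654700001 10.0.0.12 A www.example.com",
    "1654700002 10.0.0.12 AAAA mail.example.com",
    "1654700003 10.0.0.15 A cdn.example.net",
    "1654700004 10.0.0.15 A login.example.com",
    "1654700005 10.0.0.15 A api.example.com",
] + [
    f"16547000{10 + i:02d} 10.0.0.{200 + i} TXT {_chunk(i)}.c2-test.invalid"
    for i in range(6)
]

if __name__ == "__main__":
    for dom, info in analyse(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {dom} {info}")
```

Keying on the domain is what makes the spoofed-source trick visible: the tunnel shows up as one domain with many apparent clients, a signal the per-client view would dilute. The last-two-labels approximation of the registrable domain is a simplification; a deployment should use the Public Suffix List so that names under co.uk-style suffixes are not merged.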

Aoqin Dragon is an unusual case in that it managed to go unnoticed for almost ten years. That was possible thanks to the continuous evolution of its tooling and its periodic changes of tactics, so it is highly likely that the group will change its behavior again in the near future.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Millions of Android smartphones exposed to remote hacking due to vulnerability in UNISOC baseband chips
https://www.securitynewspaper.com/2022/06/02/millions-of-android-smartphones-exposed-to-remote-hacking-due-to-vulnerability-in-unisoc-baseband-chips/
Thu, 02 Jun 2022 17:28:20 +0000
UNISOC may not be a household name for mobile phone users, but the Chinese chipmaker has been a major player in the industry for just over 20 years. Founded as Spreadtrum Communications in 2001, the company grew rapidly and was present in more than half of Chinese phones by 2011. Today it produces budget chipsets for Android devices supporting 2G, 3G, 4G and 5G, as well as for smart TVs and other products, with a strong presence in Asia and parts of Africa, trailing only giants such as Qualcomm and MediaTek.

Despite that market share, UNISOC's technology has received little scrutiny from mobile security researchers, so the security posture of devices built on its chips is poorly understood and no vulnerabilities in its firmware had previously been published.

A recent Check Point Research project focused on the modem of smartphones with UNISOC chips. The modem is an attractive target because it can be reached remotely and relatively easily over the air, with the potential for denial-of-service (DoS) attacks that cut off the affected device's communications.

Basic attack concepts

The Long-Term Evolution (LTE) network is made up of a dozen protocols and components, and understanding it is a prerequisite for understanding how the UNISOC modem works. 3GPP introduced the Evolved Packet System (EPS), the LTE architecture, which consists of three interconnected parts:

  • User equipment (UE)
  • Evolved UMTS terrestrial radio access network (E-UTRAN)
  • Evolved Packet Core (EPC)

The E-UTRAN consists of a single node type, the eNodeB base station, which controls radio communication between the UE and the EPC. A UE is connected to one eNodeB at a time.

The EPC consists of four main components, one of which is the Mobility Management Entity (MME). The MME controls the high-level operation of mobile devices on the LTE network, sending the signaling messages related to security control, tracking-area management and mobility.

Check Point Research's tests, performed on a smartphone with a UNISOC modem, focus on the communication between the MME and the UE, which takes place over the EPS Session Management (ESM) and EPS Mobility Management (EMM) protocols. Check Point's screenshot of the modem's protocol stack shows the Non-Access Stratum (NAS) layer, which carries the ESM and EMM signaling messages.

NAS is a high-level protocol operating on structured messages, which lets a threat actor craft malicious EMM packets and send them to a vulnerable device; the modem parses them and builds internal objects from the received fields.

A bug in this parsing code can let an attacker crash the modem or, potentially, achieve remote code execution (RCE).

Security flaws in NAS handlers

Most NAS message parsers take three arguments: an output buffer (an object of the appropriate message structure), the NAS message data blob to decode, and the current offset into that blob.

This uniform function signature makes it easy to build a harness for fuzzing the NAS parsing functions. Check Point used the classic combination of AFL and QEMU to fuzz the modem binary on a PC, patching the binary to redirect its malloc calls to the libc equivalent. The fuzzer mutated the NAS message data and passed it as the input buffer to the parsing function.

One of the optional fields of ATTACH_ACCEPT is the mobile identity. The modem firmware implements an unpacking function analogous to srsRAN's liblte_mme_unpack_mobile_id_ie to extract the mobile identity from the NAS message. The identity block begins with its length; if the device is identified by an International Mobile Subscriber Identity (IMSI), length minus 2 bytes of message data are copied to the output buffer as the IMSI.

The check that should ensure the supplied length is greater than one is missing. If the length field is zero, 0 - 2 wraps to 0xFFFFFFFE in unsigned arithmetic, and that many bytes of the NAS message are copied into heap memory, leading to a DoS condition; a length of one wraps the same way.
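
The flaw is a length field trusted in unsigned arithmetic, and the fix is a lower bound checked before the subtraction. The model below, added here as an illustrative example and not Check Point's harness or UNISOC's firmware, places a parser with the missing check next to a hardened one and runs both on a well-formed IE and on the zero-length trigger described above. It follows the 3GPP mobile identity layout and, as the comments note, subtracts 1 rather than the write-up's 2, so its wrapped value is 0xFFFFFFFF instead of 0xFFFFFFFE; the output-buffer size and the sample IMSI are assumptions.

```python
"""Model of the Mobile Identity parsing flaw described above (CVE-2022-20210).

Added illustrative example; not Check Point's harness or UNISOC's firmware. The IE
layout follows 3GPP TS 24.008 10.5.1.4: IEI 0x23, a length octet, a type octet
carrying identity type, odd/even flag and the first BCD digit, then digit pairs.
The vulnerable parser derives its copy count from the length field in 32-bit
unsigned arithmetic with no lower bound. The write-up's firmware subtracts 2 and
wraps to 0xFFFFFFFE; this model subtracts 1 (the type octet) and wraps to
0xFFFFFFFF. Either way a tiny length turns into a multi-gigabyte heap memcpy.
"""

MOBILE_ID_IEI = 0x23        # MS identity IE in ATTACH ACCEPT
ID_TYPE_IMSI = 0x1
MAX_IMSI_OCTETS = 8         # 15 digits: type/digit octet + 7 digit-pair octets
U32_MASK = 0xFFFFFFFF
OUT_BUF_SIZE = 16           # assumed size of the heap object receiving the digits


class Overflow(Exception):
    """Where the real firmware would overrun its heap buffer."""


class ParseError(Exception):
    """Raised by the hardened parser on malformed input."""


def _digits(type_octet: int, rest: bytes) -> str:
    """Decode BCD digits: digit 1 sits in the high nibble of the type octet, then
    low-nibble-first pairs; an even digit count ends with a 0xF filler nibble."""
    odd = (type_octet >> 3) & 1
    digits = [type_octet >> 4]
    for b in rest:
        digits += [b & 0xF, b >> 4]
    if not odd:
        digits.pop()
    return "".join(map(str, digits))


def unpack_mobile_id_vulnerable(blob: bytes, off: int) -> str:
    """Mirrors the flawed logic: trusts the length field and wraps below 1."""
    if blob[off] != MOBILE_ID_IEI:
        raise ParseError("not a Mobile Identity IE")
    length = blob[off + 1]
    type_octet = blob[off + 2]
    if type_octet & 0x7 != ID_TYPE_IMSI:
        raise ParseError("only IMSI is modelled")
    copy_len = (length - 1) & U32_MASK      # length 0 -> 0xFFFFFFFF octets to copy
    if copy_len > OUT_BUF_SIZE:
        raise Overflow(f"memcpy of {copy_len:#x} octets into a {OUT_BUF_SIZE}-octet object")
    return _digits(type_octet, blob[off + 3: off + 3 + copy_len])


def unpack_mobile_id_fixed(blob: bytes, off: int) -> str:
    """Same decoder with the bounds the vulnerable path lacked."""
    if len(blob) - off < 3 or blob[off] != MOBILE_ID_IEI:
        raise ParseError("truncated or not a Mobile Identity IE")
    length = blob[off + 1]
    if not 1 <= length <= MAX_IMSI_OCTETS:
        raise ParseError(f"invalid mobile identity length {length}")
    if off + 2 + length > len(blob):
        raise ParseError("length runs past the end of the message")
    type_octet = blob[off + 2]
    if type_octet & 0x7 != ID_TYPE_IMSI:
        raise ParseError("only IMSI is modelled")
    return _digits(type_octet, blob[off + 3: off + 2 + length])


def encode_imsi_ie(imsi: str) -> bytes:
    """Build a well-formed IE for testing (constructed, not captured traffic)."""
    d = [int(c) for c in imsi]
    odd = len(d) % 2
    out = [(d[0] << 4) | (odd << 3) | ID_TYPE_IMSI]
    tail = d[1:] + ([] if odd else [0xF])
    for lo, hi in zip(tail[0::2], tail[1::2]):
        out.append((hi << 4) | lo)
    return bytes([MOBILE_ID_IEI, len(out)]) + bytes(out)


# Constructed inputs: a benign 15-digit IMSI and the write-up's zero-length trigger.
BENIGN_IE = encode_imsi_ie("001010123456789")     # 23 08 09 10 10 10 32 54 76 98
CRAFTED_IE = bytes([MOBILE_ID_IEI, 0x00, ID_TYPE_IMSI])


def demo() -> dict:
    """Run both parsers on both inputs; outcomes keyed by (input, parser name)."""
    results = {}
    for name, ie in (("benign", BENIGN_IE), ("crafted", CRAFTED_IE)):
        for parser in (unpack_mobile_id_vulnerable, unpack_mobile_id_fixed):
            try:
                results[(name, parser.__name__)] = parser(ie, 0)
            except (Overflow, ParseError) as exc:
                results[(name, parser.__name__)] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The hardened parser checks three things the vulnerable one skips: a lower bound on the length (so the subtraction cannot wrap), an upper bound tied to the maximum IMSI size, and that the declared length fits within the remaining message. Any one of the first and third would have stopped the crafted message; the second prevents the same object from being overrun with a large but in-range length.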

Check Point's screenshot of the ATTACH_ACCEPT message that causes the overflow shows a highlighted 0x23 value indicating that the following data is the identity block of the message, where the first 0x01 is the length and the second 0x01 is the IMSI type.

Conclusions

UNISOC has acknowledged the issue, which has been assigned CVE-2022-20210. While the attack scenarios described by Check Point are not easy to exploit and require significant resources and planning, exploitation is possible and should not be dismissed.

Fixes are being rolled out, protecting millions of device users. Google is also aware of the report and will add further mitigations to the Android system.

How Chinese government successfully controlled Google, Bing, and YouTube search results in disinformation campaigns
https://www.securitynewspaper.com/2022/06/01/how-chinese-government-successfully-controlled-google-bing-and-youtube-search-results-in-disinformation-campaigns/
Wed, 01 Jun 2022 17:55:46 +0000
Although the Chinese government has avoided openly endorsing Russia and its decision to invade Ukraine, Beijing's state media appears to have found a way to amplify Vladimir Putin's narrative. For a couple of months, Chinese state-aligned influence operations have promoted Russia's actions online, running elaborate disinformation and discrediting campaigns against the U.S. government, NATO and the United Nations.

This support has been instrumental in validating Putin's position to millions of people at a time when Russian state media has been shut out of the West. Chinese state media also no longer rely solely on social media platforms for such operations; they appear to have found a more efficient channel for their messages in Internet search results.

These practices are not new, yet they remain effective without the search engines having done much to counter them. According to a Brookings report, China has managed to shape the results for queries such as 'Xinjiang' and 'COVID-19', two topics the Communist Party wants to steer discussion away from, given its human rights record and its handling of the early phases of the pandemic.

For 120 consecutive days, the Brookings team collected the results returned for these terms by Google Search, Google News, Bing Search, Bing News and YouTube, with telling findings.

Search results pollution

The report notes that, over the course of the study, the results for the analyzed terms contained a steadily growing share of Chinese state-sponsored content. By the final days of the analysis, state propaganda dominated the top 10 results for 'Xinjiang' and 'COVID-19'.

Another notable finding is that Chinese state media has also turned to conspiracy theories, generating large volumes of sensationalist content that ranks ahead of verified information. As an example, the Brookings report cites the volume of content about Fort Detrick, a U.S. military installation that once housed a biological weapons program, which the Chinese government has tied to false theories about the origin of the coronavirus.

Finally, searches for pandemic-related terms on news and video platforms are far more likely to surface content produced by Chinese state media, which noticeably skews the distribution of information.

Search engines can take steps to address these issues, including scrutinizing hosting practices, content forwarding and syndication, and more consistently labeling online platforms operated by state media, which gives users a clearer idea of the intent behind the content they find.

How hackers took control of 100 email accounts of employees of RT and other Russian organizations for cyber spying purposes?
https://www.securitynewspaper.com/2022/05/25/how-hackers-took-control-of-100-email-accounts-of-employees-of-rt-and-other-russian-organizations-for-cyber-spying-purposes/
Wed, 25 May 2022 18:20:22 +0000
A recent investigation details how an unidentified hacking group compromised email accounts at entities linked to the Russian government through four separate phishing operations in early 2022. According to Malwarebytes researchers, the attackers used a remote access Trojan (RAT) to spy on infected systems and execute commands on them, while deploying several mechanisms to evade detection and hinder reverse engineering.

After extensive sample collection, analysis and tracking, the researchers uncovered several details about this RAT. While the phishing campaigns have not been attributed to a specific threat actor, the available indicators point to a Chinese Advanced Persistent Threat (APT) group.

Simultaneous operations

As noted above, the attackers ran four malicious email campaigns from the end of February onward, simultaneously and with different lures to attract unsuspecting users.

Below, we’ll briefly review the features of each phishing attack based on evidence collected by Malwarebytes.

Interactive map

The RAT was first distributed in a file named interactive_map_UA.exe, posing as an interactive map of Ukraine. Distribution began a few days after Russia invaded Ukraine, indicating that the attackers sought to exploit the conflict.

Update for Log4j

A second campaign used a fake patch for the Log4Shell vulnerability, delivered as a tar archive named Patch_Log4j.tar.gz. These emails appeared in March and targeted at least 100 employees of RT TV, a media network funded by the Russian government.

The messages purported to come from the Russian state defense conglomerate Rostec and included several images and PDFs to appear less suspicious.

The attached PDF, named О кибербезопасности 3.1.2022.pdf ("On cybersecurity 3.1.2022"), contains instructions on how to run the fake patch, plus a bulleted list of supposed security tips.

Among these recommendations, the attackers even included a link to VirusTotal showing that the file had not been flagged as malicious by any antivirus engine.

The message also links to rostec.digital, a website registered by the threat actors and designed to resemble Rostec's real site. Interestingly, the fraudulent domain was registered in mid-2021, months before the Russian invasion of Ukraine began.

Rostec

The third campaign again impersonated Rostec, distributing a malicious file named build_rosteh4.exe.

Fake job offers

The most recently detected campaign uses a Word document containing a supposed job offer from the state oil company Saudi Aramco. The attack involves a self-extracting archive that uses the Jitsi icon and creates a directory named Aramco under C:\ProgramData.

The document, written in English, includes a message in Russian asking the user to enable macros.

A remote template injection then fetches a macro-enabled template, and the macro drops a VBS script named HelpCenterUpdater.vbs into the %USER%\Documents\AdobeHelpCenter directory. The template also checks for the existence of %USER%\Documents\D5yrqBxW.txt; only if that file exists is the script dropped and executed.

The HelpCenterUpdater.vbs script drops another obfuscated VBS file, UpdateRunner.vbs, and downloads the main payload, a DLL named GE40BRmRLP.dll, from the C&C server. In a related variant that shares code with this one, the script fetches an EXE instead of a DLL.

The UpdateRunner.vbs script is responsible for running the DLL through rundll32.exe.

The malicious DLL contains the code that communicates with the C&C server and executes the received commands.
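
Both of the Office lures described on this page start with an external relationship inside the OOXML package: the Aramco job-offer document pulls its macro from a remote template through an attachedTemplate relationship, and the TA413 Follina attachment covered earlier loads a remote HTML page through an external oleObject relationship. The scanner below, an added example and not Malwarebytes', Proofpoint's or Recorded Future's code, opens a .docx as a zip, flags those relationship types when their TargetMode is External, and separately reports any ms-msdt: reference. The documents it inspects are minimal packages constructed in memory, not real samples; the target hostnames are placeholders.

```python
"""Scanner for the two Office delivery tricks described on this page: the external
OLE object relationship used by the Follina (CVE-2022-30190) Word attachment in
the TA413 campaign, and the external attachedTemplate relationship behind the
Aramco job-offer document (remote template injection).

Added illustrative example; not Proofpoint's, Recorded Future's or Malwarebytes'
code. The documents below are minimal OOXML packages built in memory and are
constructed, not real samples.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SUSPICIOUS_EXTERNAL = {
    OFFICE_REL + "attachedTemplate": "remote template injection",
    OFFICE_REL + "oleObject": "external OLE object (Follina-style loader)",
    OFFICE_REL + "frame": "external frame",
}
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return one finding per suspicious external relationship or ms-msdt: reference."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(blob).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue              # relationships to internal parts are normal
                    rtype = rel.get("Type", "")
                    reason = SUSPICIOUS_EXTERNAL.get(rtype)
                    if reason:
                        findings.append({"part": name, "type": rtype.rsplit("/", 1)[-1],
                                         "target": rel.get("Target", ""), "reason": reason})
            if MSDT_RE.search(blob):
                findings.append({"part": name, "type": "uri", "target": "ms-msdt:",
                                 "reason": "MSDT protocol handler reference"})
    return findings


def build_docx(parts: dict) -> bytes:
    """Minimal OOXML package for testing; `parts` overrides the stub defaults."""
    defaults = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, body in {**defaults, **parts}.items():
            pkg.writestr(name, body)
    return buf.getvalue()


def _rels(*relationships: str) -> str:
    return f'<Relationships xmlns="{REL_NS}">' + "".join(relationships) + "</Relationships>"


# Constructed test documents. Hyperlinks are External too, so a plain link must not fire.
BENIGN_DOC = build_docx({"word/_rels/document.xml.rels": _rels(
    f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>',
    f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>',
)})
TEMPLATE_DOC = build_docx({"word/_rels/settings.xml.rels": _rels(
    f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
    'Target="http://template.example.invalid/offer.dotm" TargetMode="External"/>',
)})
FOLLINA_DOC = build_docx({"word/_rels/document.xml.rels": _rels(
    f'<Relationship Id="rId1" Type="{OFFICE_REL}oleObject" '
    'Target="http://loader.example.invalid/page.html!" TargetMode="External"/>',
)})
MSDT_DOC = build_docx({"word/document.xml": "<w:document>ms-msdt:/id PCWDiagnostic /skip force</w:document>"})

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("template", TEMPLATE_DOC),
                       ("follina", FOLLINA_DOC), ("msdt", MSDT_DOC)):
        print(label, scan_docx(doc))
```

The attachedTemplate relationship normally lives in word/_rels/settings.xml.rels, which is why the scanner walks every .rels part rather than only the document's. An external template or OLE target is not proof of malice on its own, but in mail attachments it is rare enough to warrant detonation or quarantine, and the check costs one zip read.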

The campaign remains active and relatively successful, although many details are still unknown and the attackers' specific objectives are unclear. Malwarebytes has committed to continue monitoring the campaign and the malware it uses.

How to download paid applications for free from Huawei AppGallery: New vulnerability found
https://www.securitynewspaper.com/2022/05/20/how-to-download-paid-applications-for-free-from-huawei-appgallery-new-vulnerability-found/
Fri, 20 May 2022 16:27:18 +0000
Since then-U.S. President Donald Trump signed an executive order restricting Chinese technology companies, Huawei has seen its ambition to become one of the world's largest smartphone makers cut short. Still, millions of people use Huawei phones, which, unable to ship the Google Play Store, bundle the company's own set of services instead.

The main attraction of these services is Huawei AppGallery, the company's own app store, which works essentially like the Play Store. Researcher Dylan Roussel investigated how the AppGallery app works and found an API that takes a package name as a parameter and returns a JSON object with the application's details. The finding piqued his curiosity, so he kept digging to see what else he could find.

For his tests, the researcher queried the API with the package name of AppGallery itself:

{
  "app": {
    ...
    "name": "AppGallery",
    "openCount": 0,
    "openCountDesc": "",
    "openurl": "",
    "permissions": [],
    "pkgName": "com.huawei.appmarket",
    "price": "0",
    "productId": "",
    "rateNum": "0",
    "recommImg": "",
    "releaseDate": "2022-04-20 17:03:53",
    "sha256": "2e1a1ce4e86cbfc87f05411a2585e557af78b893f6be85f8f6cb93f889faee05",
    "size": "50347219",
    "tagName": "",
    "updateDesc": "",
    "url": "https://appdlc-dre.hispace.dbankcloud.com/dl/appdl/application/apk/40/4037feaa91cf453ca2dd1ebf444aedaa/com.huawei.appmarket.2204201539.apk?sign=mw@mw1651866832368&maple=0&distOpEntity=HWSW",
    "version": "12.1.1.302",
    "versionCode": 120101302
  },
  ...
}

The API returns various details, including some IDs, the app version, logos and other images, descriptions, system permissions and pricing. It also returns the URL from which AppGallery downloads the APK, so the app can be fetched directly.

After trying this lookup on a free app, it was time to try a paid one. Roussel used the package name of a paid app and again received a download link with the same kind of sign parameter at the end; he was able to download the application and use it normally.

To rule out a one-off mistake, Roussel repeated the test with the package names of two more apps and a mobile game, all of which he could download and use. Notably, the game had a license check, which did not stop him from playing without paying.

Roussel finds it hard to believe that AppGallery is affected by such a simple flaw, considering that the store hosts the work of dozens of developers who depend on it for revenue.
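
The behavior Roussel describes is what happens when a download link is signed but not tied to an entitlement: the signature proves the store minted the URL, not that the caller paid. The model below, an added example using a hypothetical store backend and CDN rather than Huawei's code or API, shows a vulnerable link issuer next to one that refuses unpurchased paid packages and binds the signature to the package, the account and an expiry. The catalogue follows the fields quoted above (pkgName, price, url with a sign parameter); the accounts, key, HMAC scheme and TTL are assumptions.

```python
"""Model of the AppGallery download-link weakness described above, next to the
entitlement binding that closes it.

Added illustrative example with a hypothetical store backend and CDN edge; not
Huawei's code or API. The catalogue mirrors the fields quoted from the API
response above (pkgName, price, url carrying a sign parameter); the accounts,
the signing key, the HMAC scheme and the expiry are assumptions.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"assumed-store-secret"      # shared by the store API and the CDN

# Constructed catalogue in the shape of the API response shown above.
CATALOGUE = {
    "com.huawei.appmarket": {"price": "0",
                             "url": "https://cdn.example.invalid/dl/com.huawei.appmarket.apk"},
    "com.example.paidgame": {"price": "4.99",
                             "url": "https://cdn.example.invalid/dl/com.example.paidgame.apk"},
}
PURCHASES = {"alice": {"com.example.paidgame"}, "bob": set()}   # constructed accounts


def _sign(fields: dict) -> str:
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def download_url_vulnerable(pkg: str, user: str) -> str:
    """Signs only the package path. Knowing a package name is enough: there is
    no entitlement check, no account binding and no expiry, so the same link
    serves anyone, which is the behaviour Roussel observed."""
    return CATALOGUE[pkg]["url"] + "?" + urlencode({"sign": _sign({"pkg": pkg})})


def download_url_fixed(pkg: str, user: str, now=None, ttl: int = 300) -> str:
    """Refuses paid packages the account has not bought and binds the signature
    to package, account and expiry time."""
    app = CATALOGUE[pkg]
    if app["price"] != "0" and pkg not in PURCHASES.get(user, set()):
        raise PermissionError(f"{user!r} holds no licence for {pkg}")
    issued = time.time() if now is None else now
    fields = {"pkg": pkg, "uid": user, "exp": str(int(issued + ttl))}
    fields["sign"] = _sign(fields)
    return app["url"] + "?" + urlencode(fields)


def cdn_accepts(url: str, now=None) -> bool:
    """CDN-side check for links minted by download_url_fixed: the signature must
    cover pkg, uid and exp, the path must match pkg, and exp must lie in the future."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not {"pkg", "uid", "exp", "sign"} <= set(q):
        return False
    fields = {"pkg": q["pkg"], "uid": q["uid"], "exp": q["exp"]}
    if not hmac.compare_digest(_sign(fields), q["sign"]):
        return False
    if not parts.path.endswith(f"/{fields['pkg']}.apk"):
        return False
    return int(fields["exp"]) > (time.time() if now is None else now)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Exercise both paths at a fixed clock; returns outcomes instead of printing."""
    out = {"vuln_bob_paid": "sign=" in download_url_vulnerable("com.example.paidgame", "bob")}
    try:
        download_url_fixed("com.example.paidgame", "bob", now=now)
        out["fixed_bob_paid"] = "issued"
    except PermissionError:
        out["fixed_bob_paid"] = "refused"
    out["fixed_bob_free"] = cdn_accepts(download_url_fixed("com.huawei.appmarket", "bob", now=now), now=now + 10)
    link = download_url_fixed("com.example.paidgame", "alice", now=now)
    out["fixed_alice_paid"] = cdn_accepts(link, now=now + 10)
    out["expired"] = cdn_accepts(link, now=now + 301)
    # Re-pointing alice's link at another package breaks the signature.
    out["tampered"] = cdn_accepts(link.replace("com.example.paidgame", "com.huawei.appmarket"), now=now + 10)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The entitlement check belongs on the server that mints the link, not in the app, which is why the game's client-side license check in Roussel's test changed nothing. Binding the signature to the account and a short expiry additionally limits how far a leaked link can travel.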

The good news is that Huawei is aware of the bug, although a complete fix will take a few more days; everything is expected to be fixed by May 25.

How Chinese cyber army steals intellectual property from your company
https://www.securitynewspaper.com/2022/05/05/how-chinese-cyber-army-steals-intellectual-property-from-your-company/
Thu, 05 May 2022 23:04:37 +0000
Researchers at Cybereason reported uncovering a Chinese cyber espionage operation whose main goal was intellectual property theft. Dubbed "Operation CuckooBees", the campaign was attributed to the China-sponsored advanced persistent threat (APT) group tracked as Winnti, APT41, Barium or Blackfly.

The group is known for using multiple malware strains chained into complex attack sequences. According to the Cybereason report, the intrusion starts with the exploitation of multiple vulnerabilities in an enterprise resource planning (ERP) application. The attackers then plant a file named gthread-3.6.dll in the VMware Tools folder, which they use to load further payloads such as webshells and credential-dumping tools.

The threat actors also go to some lengths to hide their activity. Most notably, APT41 abuses the Windows Common Log File System (CLFS), whose undocumented file format can be accessed through its APIs but is not handled by common analysis tools; this let the attackers stash payloads in CLFS logs and evade detection for years. As Cybereason puts it: "The attackers stole intellectual property such as confidential documents, blueprints, diagrams, formulas and proprietary data related to the manufacturing industry."

The researchers add that the attacks targeted technology and manufacturing companies, particularly in East Asia, Western Europe and North America, all major industrial regions.

Industrial espionage is commonly associated with hacking groups sponsored by China and its Communist Party. The United States and other nations have previously accused China of facilitating cyberattack campaigns aimed at stealing confidential records, either by funding the groups involved or by simply turning a blind eye to their operations.

How Chinese hackers tried to shutdown Indian electrical grids
https://www.securitynewspaper.com/2022/04/07/how-chinese-hackers-tried-to-shutdown-indian-electrical-grids/
Thu, 07 Apr 2022 21:06:22 +0000
Critical infrastructure in India has been targeted by a hacking group allegedly sponsored by the Chinese government. According to a report by the cybersecurity firm Recorded Future, the campaign reached into the operations of the Indian energy sector, causing severe blackouts in several territories.

Investigators collected multiple pieces of evidence that the Chinese hackers targeted seven Indian State Load Despatch Centres, the facilities responsible for dispatching electric power, in addition to taking control of a network located at a border point.

The hackers are believed to have used the Trojan known as ShadowPad during the attack. This malware is thought to have been developed by contractors paid by the Government of China, a common practice in state-sponsored hacking.

In its report, Recorded Future mentions that ShadowPad continues to be used by an increasing number of groups linked to the People’s Liberation Army and the Ministry of State Security, with its origins linked to Chinese government contractors.

Chinese Foreign Ministry spokesman Zhao Lijian said his government is aware of these reports, saying China has always spoken out against cyberattacks: “I would like to advise the company in question that if they are really concerned about global cybersecurity, they should pay more attention to cyberattacks by U.S. government hackers against the rest of the world.”

On the other hand, Indian Ministry of External Affairs spokesman Arindam Bagchi said his country has not discussed the issue with China: “We have seen reports. There is a mechanism in place to safeguard our critical infrastructure to keep it resilient. We have not raised this issue with the government of China.”

Features of this incident, such as the prolonged targeting of India's power grid, lead researchers to believe that the campaign's main objective is to collect information about critical infrastructure systems, or to maintain an access point to critical information for future hacking campaigns.


Advance NSA backdoor detected in 245 organizations in 45 countries including China, India and Mexico https://www.securitynewspaper.com/2022/02/24/advance-nsa-backdoor-detected-in-245-organizations-in-45-countries-including-china-india-and-mexico/ Thu, 24 Feb 2022 17:51:04 +0000
A recent report describes Bvp47, a backdoor for Linux systems developed by Equation Group, a threat actor allegedly linked to the U.S. National Security Agency (NSA). Although a sample was uploaded to VirusTotal in 2013, the backdoor is still active and has remained hidden in countless deployments.

Initial reports indicated that only one antivirus engine detected a Bvp47 sample, although more indicators of compromise have been published in the hours since, which should considerably improve detection of this threat.

The backdoor was first identified by the Chinese security firm Pangu Lab, which describes it as an advanced Linux implant whose remote-access functions are protected by RSA asymmetric cryptography and require a private key to activate. The malware is believed to have affected almost 300 organizations in 45 countries, going unnoticed for almost 10 years.

That private key was found in the leaks published by the Shadow Brokers, alongside other hacking tools and zero-day exploits used by Equation Group. Beyond Linux, the backdoor could also run on other Unix-like operating systems, including JunOS, FreeBSD and Solaris.

Subsequent automated analysis appears to confirm Bvp47's authorship, since it shares multiple features with another backdoor developed by Equation Group. According to Kaspersky experts, it shares about 30% of its code strings with another sample identified in 2018 and available in the VirusTotal database.

In the Bvp47 attack scenario the researchers describe, the threat actors control three machines: an external server responsible for launching the attack, and two internal machines, an email server and a business server.

The attackers establish a connection from the external server to the email server by sending a TCP SYN packet carrying a 264-byte payload. The email server then connects to the business server's SMB service to perform sensitive operations, including running PowerShell scripts.

The business server then connects back to the email server to download additional files, including the PowerShell script and the encrypted second-stage data. The connection between the two internal machines carries encrypted data over a custom protocol.
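The SYN-with-payload knock described above, as an added example that is not part of the original article or of Pangu Lab's report: a minimal IPv4/TCP parser run over constructed sample packets that flags any bare SYN segment carrying data, which is the observable a network sensor can key on, since a legitimate stack sends no data before the handshake completes. The 264-byte payload, the addresses and the use of port 80 are assumptions made for the demo.

```python
"""Added example, not code from the article or from Pangu Lab: flag TCP SYN
segments that carry a payload, the anomaly the Bvp47 knock described above
relies on. All packets below are constructed inline (no checksums)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload_len: int

    @property
    def is_knock_candidate(self) -> bool:
        # A bare SYN (SYN set, ACK clear) should carry no data: the RFC allows
        # it, but ordinary stacks never send any, so data here is a strong signal.
        syn_only = bool(self.flags & TCP_SYN) and not (self.flags & TCP_ACK)
        return syn_only and self.payload_len > 0


def parse_ipv4_tcp(pkt: bytes) -> Optional[TcpSummary]:
    """Parse a raw IPv4 packet; return None if it is not TCP or is truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20 or total_len > len(pkt):
        return None                                # not TCP, or truncated
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    flags = tcp[13]
    if data_off < 20 or data_off > len(tcp):
        return None
    return TcpSummary(src, dst, sport, dport, flags, len(tcp) - data_off)


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int,
                 payload: bytes = b"") -> bytes:
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header + payload."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def find_knocks(packets: List[bytes]) -> List[TcpSummary]:
    """Return a summary of every bare-SYN-with-data segment in the capture."""
    hits = []
    for pkt in packets:
        summary = parse_ipv4_tcp(pkt)
        if summary is not None and summary.is_knock_candidate:
            hits.append(summary)
    return hits


# Constructed sample traffic (assumed addresses and ports, not a real capture).
SAMPLE_CAPTURE = [
    build_packet("10.0.0.5", "10.0.0.20", 40000, 80, TCP_SYN),                        # normal SYN
    build_packet("10.0.0.20", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK),              # SYN-ACK
    build_packet("203.0.113.7", "10.0.0.20", 51234, 80, TCP_SYN, b"\x00" * 264),     # knock-like
    build_packet("10.0.0.5", "10.0.0.20", 40001, 443, TCP_ACK, b"GET / HTTP/1.1\r\n"),  # data after handshake
]

if __name__ == "__main__":
    for hit in find_knocks(SAMPLE_CAPTURE):
        print(f"SYN with {hit.payload_len}-byte payload: "
              f"{hit.src}:{hit.sport} -> {hit.dst}:{hit.dport}")
```

Only the third packet is reported; the SYN-ACK and the post-handshake data segment are ignored because the rule requires SYN set, ACK clear and a non-zero payload. On real traffic, feed the same parser the link-layer-stripped packets from a capture and alert on the payload length as well, since a fixed size like 264 bytes is itself a usable signature.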


Chinese researchers find multiple vulnerabilities in VMware ESXi, Workstation and Fusion; update ASAP https://www.securitynewspaper.com/2022/02/15/chinese-researchers-find-multiple-vulnerabilities-in-vmware-esxi-workstation-and-fusion-update-asap/ Wed, 16 Feb 2022 00:18:46 +0000
Earlier this week, VMware announced fixes for multiple critical vulnerabilities in products including VMware ESXi, Workstation and Fusion, most of them reported during last year's Tianfu Cup ethical hacking contest in China.

The event highlighted the work of the Kunlun Lab hacking team, which earned rewards of more than $650,000 USD for demonstrating the exploitation of some of these flaws.

Below is a brief description of the flaws addressed, according to the company's advisory:

  • CVE-2021-22040: A use-after-free in the XHCI USB controller of ESXi, Workstation and Fusion. A malicious actor with local administrative privileges on a virtual machine could exploit it to execute code as the virtual machine's VMX process running on the host
  • CVE-2021-22041: A double-fetch vulnerability in the UHCI USB controller of ESXi, Workstation and Fusion, with the same impact: a local administrator of a virtual machine could execute code as the VMX process on the host
  • CVE-2021-22042: Unauthorized access to settingsd in ESXi. A malicious actor who already has code execution within the VMX process could use it to escalate privileges on the host
  • CVE-2021-22043: A time-of-check to time-of-use (TOCTOU) flaw in the way ESXi's settingsd handles temporary files, allowing an attacker with access to settingsd to escalate privileges by writing arbitrary files
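The temporary-file TOCTOU class that CVE-2021-22043 belongs to, shown as an added illustration that is not VMware's code and does not reproduce the actual settingsd bug: a check-then-open writer beside a hardened one that opens first with O_NOFOLLOW and validates the descriptor with fstat instead of trusting the path name. The file names, the "victim" file and the planted symlink are constructed for the demo, which requires a POSIX system.

```python
"""Added example, not VMware's code: the temp-file TOCTOU pattern behind
CVE-2021-22043's class of bug, as a vulnerable writer beside a hardened one.
A symlink is planted in advance, which has the same effect as an attacker
winning the race between the check and the open."""
import os
import stat
import tempfile


def vulnerable_write(path: str, data: bytes) -> None:
    """Check-then-use on a path name. os.path.isfile() follows symlinks and the
    later open() follows them again, so a link to any file the writer can
    reach (e.g. a privileged config file) passes the check and gets overwritten."""
    if os.path.exists(path) and not os.path.isfile(path):
        raise ValueError("refusing non-regular file")
    with open(path, "wb") as fh:          # separate operation: the path may differ now
        fh.write(data)


def hardened_write(path: str, data: bytes) -> None:
    """Open first, then validate what was actually opened via the descriptor.
    O_NOFOLLOW makes the open fail (ELOOP) on a symlink; fstat() answers about
    the open file, not about whatever the path points at now. POSIX only."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_nlink != 1:
            raise PermissionError("file is hard-linked elsewhere")
        if st.st_uid != os.geteuid():
            raise PermissionError("file owned by another user")
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Plant a symlink named like a temp file that points at a 'victim' file,
    run both writers against it, and report what happened to the victim."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")        # constructed stand-in for a sensitive file
        with open(victim, "wb") as fh:
            fh.write(b"original")
        link = os.path.join(d, "settings.tmp")         # constructed temp-file name
        os.symlink(victim, link)

        vulnerable_write(link, b"attacker-controlled")
        with open(victim, "rb") as fh:
            after_vulnerable = fh.read()               # victim has been overwritten

        hardened_refused = False
        try:
            hardened_write(link, b"attacker-controlled")
        except OSError:                                # ELOOP from O_NOFOLLOW, or our own checks
            hardened_refused = True
        with open(victim, "rb") as fh:
            after_hardened = fh.read()                 # unchanged by the hardened writer

        clean = os.path.join(d, "clean.tmp")           # normal case still works
        hardened_write(clean, b"ok")
        with open(clean, "rb") as fh:
            clean_write = fh.read()

    return {
        "after_vulnerable": after_vulnerable,
        "hardened_refused": hardened_refused,
        "after_hardened": after_hardened,
        "clean_write": clean_write,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point is where the decision is made: the vulnerable writer decides on a path name, which an attacker who can create files in the same directory can repoint between the check and the use; the hardened writer decides on the descriptor it already holds, so nothing done to the directory afterwards changes what it writes to. Creating temp files in a directory only the privileged process can write to removes the attacker's foothold altogether.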

VMware has also published workarounds for administrators who cannot update their deployments immediately, and recommends that customers apply the measures they consider necessary as soon as possible, since successful exploitation of these flaws could have serious consequences.

Finally, VMware noted that these flaws were also reported to the Chinese government, in compliance with a recently enacted law requiring Chinese researchers who find zero-day vulnerabilities to notify government agencies and the affected vendors directly. Researchers may not sell this information to third parties outside China unrelated to the vendor.


China launches more cyber attacks than any other country: New FBI report https://www.securitynewspaper.com/2022/02/03/china-launches-more-cyber-attacks-than-any-other-country-new-fbi-report/ Thu, 03 Feb 2022 23:31:35 +0000
In a recent report, Federal Bureau of Investigation (FBI) Director Christopher Wray attributed responsibility for the largest cyberattack campaigns to the Chinese Communist Party, saying that for the current regime in China there is no such thing as peace in cyberspace.

Of all the investigations active at the FBI, more than 2,000 relate to hacking operations by Chinese government agents, who have been caught trying to spy on people of interest in the U.S., steal sensitive information, and even access software critical to North America.

Wray claims that the Chinese government has stolen an unprecedented volume of information, causing severe damage to organizations of all kinds, at the alarming rate of two new cases opened every day.

In their quest to compromise targets in the West, Chinese hackers resort to all sorts of methods and tools. For example, the plan known as “Made in China 2025” lists 10 key sectors in which the country aims to lead over the coming years, showing how vital it is for China to take a dominant global role in fields such as robotics, clean energy, aerospace and pharmaceutical research, even at the cost of intellectual property theft.

In addition to outright cyberwarfare tactics, the Chinese Communist Party turns to its most skilled intelligence agents in search of access to critical information that may affect its adversaries. On top of that, the Chinese government maintains significant investments to spread its ideological influence and sway key actors abroad.

Faced with this risk scenario, the FBI uses all of its intelligence resources to identify and dismantle hacking campaigns orchestrated by the Chinese Communist Party early. In a recent operation, American agents disrupted a backdoor running on Microsoft Exchange servers that could have proved disastrous for thousands of public and private organizations.

U.S. agencies also try to share their findings with the independent research community and security firms, which helps build an environment that is always up to date on the latest threats. In this way, the FBI shows its commitment to law enforcement agencies around the world and works to ensure that cybercriminals cannot act freely against critical targets.

