Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/), feed dated Thu, 09 Jun 2022 23:21:26 +0000

Ransomware attack targeting public schools in New Jersey forces cancellation of final exams
https://www.securitynewspaper.com/2022/06/09/ransomware-attack-targeting-public-schools-in-new-jersey-forces-cancellation-of-final-exams/
Thu, 09 Jun 2022 23:21:15 +0000

The post <strong>Ransomware attack targeting public schools in New Jersey forces cancellation of final exams</strong> appeared first on Information Security Newspaper | Hacking News.

Administrators of the Tenafly Public Schools, Bergen County, New Jersey, confirmed that the cybersecurity issue detected Thursday morning is a ransomware infection that blocked access to some computers on its networks. This incident led to the cancellation of final exams for all high school students in the district, as Bergen County administrators keep trying to restore everything to normal.

Parents, students, and staff from schools in the school district were notified of the situation just a few hours ago, and have been receiving regular updates through The Tenafly Public Schools notification system, a structure independent of the affected systems.

So far, neither the ransomware variant used in this attack nor the amount of the ransom demanded by the cybercriminals is known. It is also not known whether local authorities plan to negotiate with the attackers or whether they will try to restore their systems on their own.

Unofficial sources had reported that the ransomware attack rendered dozens of computers in the county useless, and that local authorities were being pressured to pay a ransom in cryptocurrency.

The Bergen County Prosecutor’s Office and the New Jersey State Police’s CyberCrime Unit are already aware of the attack, and an investigation has been ordered by the Federal Bureau of Investigation (FBI), as Bergen County authorities believe this case is beyond their capabilities.

Such attacks are increasingly common. Just a few weeks ago, Somerset County suffered a cybersecurity breach that forced the temporary shutdown of all its electronic systems, while last year the Hillsborough and Bernards Township school districts also had to disrupt their academic activities due to an encryption malware infection.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Education and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia were being spied on since 2013
https://www.securitynewspaper.com/2022/06/09/education-and-telecommunication-organizations-based-in-singapore-hong-kong-vietnam-cambodia-and-australia-were-being-spied-on-since-2013/
Thu, 09 Jun 2022 22:34:54 +0000

Researchers at security firm SentinelLabs report the detection of a new Chinese-speaking hacking group, identified as Aoqin Dragon, which has been active since 2013. According to the experts, this group focuses on cyber espionage against government, educational, and telecommunications organizations in Australia, Hong Kong, Singapore, and Vietnam.

The main attack method, employed by this group between 2012 and 2015, involves Microsoft Office documents specially crafted for the exploitation of known vulnerabilities such as CVE-2012-0158 and CVE-2010-3333. This tactic was first detected in 2014, in a phishing campaign associated with the Advanced Persistent Threat (APT) operation known as Naikon.

SentinelLabs identified a second hacking method associated with Aoqin Dragon, based on hiding malicious executables in icons of fake antivirus products. After execution, a malware sample was delivered to the affected systems.

Starting in 2018, the hackers left these tactics behind and resorted to a removable disk shortcut file; clicking this icon triggers a DLL hijack and loads an encrypted payload that delivers a backdoor. This malware runs under the name “Evernote Tray Application” and is executed at system startup; if any removable drives are detected, a copy of the payload is written to them to spread the infection.

SOURCE: SentinelLabs

At least two backdoor variants used by this group have been identified. Known as Mongall, the first backdoor is a DLL injected into memory, protected with encryption and in constant maintenance since its launch in 2013. This backdoor profiles the host and sends the details to the C&C using an encrypted channel.

Moreover, Heyoka is an open source exfiltration tool that uses spoofed DNS requests to create a two-way communication tunnel. The group uses Heyoka to copy files out of compromised devices, which keeps affected system administrators from detecting the malicious activity in its early stages.

Aoqin Dragon is an unusual case, as it managed to go unnoticed for almost ten years. This has been possible due to the continuous evolution of its strategies and the periodic change of tactics, so it is highly likely that this cybercriminal group will change its behavior again in the near future.

New rootkit malware for Linux is undetectable and is quickly spreading throughout Latin America. Protect your servers before it’s too late
https://www.securitynewspaper.com/2022/06/09/new-rootkit-malware-for-linux-is-undetectable-and-is-quickly-spreading-throughout-latin-america-protect-your-servers-before-its-too-late/
Thu, 09 Jun 2022 16:54:23 +0000

BlackBerry ThreatVector researchers detailed the detection of a new malware strain for Linux systems capable of living at the expense of compromised system resources. Dubbed Symbiote, experts say that this strain is highly sophisticated and has a parasitic behavior never seen before, advancing by leaps and bounds throughout Latin America.

The main feature of Symbiote is that it must infect other running processes to achieve a successful compromise. Instead of using an executable as any conventional malware variant would, the operators use a shared object (SO) library that is loaded into running processes through LD_PRELOAD, thus infecting vulnerable systems.

After infecting running processes on the system, Symbiote provides its operators with rootkit functionalities, in addition to remote access and credential collection capabilities.

Origins

Researchers first detected the malware in November 2021, attributing its development to hacking groups targeting the financial sector in Latin America. Once it infects a target system, Symbiote hides any hint of malicious activity, making infections virtually undetectable, even with forensic analysis techniques.

In addition to its rootkit tactics, the malware also implants a backdoor in the system so that its operators can log in as any user using an encrypted password and execute commands with high privileges.

Another interesting feature of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality. Other malware variants have used BPF to cover up their C&C communications; Symbiote, however, uses BPF to hide malicious network traffic on infected systems.

When an administrator launches a packet capture tool on the affected Linux system, the tool injects into the kernel BPF bytecode that defines which packets should be captured. Symbiote hooks this process and adds its own bytecode first, so that the network traffic it wants to hide is filtered out before the capture tool sees it.

Evasion tactics

This malware is highly stealthy. According to the experts, Symbiote is designed to be loaded through the LD_PRELOAD directive, which causes it to be loaded before any other shared object. Because it loads first, it can hijack imports from the other library files loaded by the application.

Symbiote uses this to hide its presence on the machine by hooking libc and libpcap functions. The following screenshot shows the various evasion tactics of the malware:

SOURCE: BlackBerry ThreatVector

Because Symbiote works as a user-level rootkit, it can be difficult to detect an infection. Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus must be statically linked to ensure that they are not “infected” by user rootkits. Infection vectors are still unknown, so Linux system administrators should remain vigilant for any hint of infection.
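The detection advice above, as an added example rather than code from BlackBerry's report: a small C triage helper that looks for the two traces an LD_PRELOAD-loaded user-level rootkit leaves in /proc, an LD_PRELOAD entry in a process's environment block (/proc/<pid>/environ) and a shared object mapped from outside the usual library directories (/proc/<pid>/maps). The environ and maps samples, the path /usr/share/.x/libsample.so and the list of trusted directories are constructed assumptions for illustration, not indicators from the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Directory prefixes a legitimate shared object is normally loaded from.
 * Assumption: adjust for the distribution under review. */
static const char *const trusted_dirs[] = {
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", NULL
};

/* Scan a NUL-separated environment block (the format of /proc/<pid>/environ).
 * Returns 1 and copies the value into value_out when LD_PRELOAD is set, else 0. */
int env_ld_preload(const char *env, size_t env_len, char *value_out, size_t out_sz)
{
    const char key[] = "LD_PRELOAD=";
    const size_t key_len = sizeof key - 1;
    size_t pos = 0;
    while (pos < env_len) {
        const char *entry = env + pos;
        size_t entry_len = strnlen(entry, env_len - pos);
        if (entry_len >= key_len && memcmp(entry, key, key_len) == 0) {
            snprintf(value_out, out_sz, "%.*s", (int)(entry_len - key_len), entry + key_len);
            return 1;
        }
        pos += entry_len + 1;
    }
    return 0;
}

/* ".so", ".so.N" or ".so (deleted)" count as shared objects; the last form is
 * how a library unlinked after loading shows up in maps. */
static int is_shared_object(const char *path)
{
    const char *p = strstr(path, ".so");
    return p != NULL && (p[3] == '\0' || p[3] == '.' || p[3] == ' ');
}

static int in_trusted_dir(const char *path)
{
    for (int i = 0; trusted_dirs[i] != NULL; i++)
        if (strncmp(path, trusted_dirs[i], strlen(trusted_dirs[i])) == 0)
            return 1;
    return 0;
}

/* Walk a maps listing ("start-end perms offset dev inode path"), print each
 * shared object mapped from outside the trusted directories and return how
 * many distinct ones were seen. Consecutive lines for the same object (its
 * text, data and bss segments) are collapsed into one finding. */
int maps_untrusted_objects(const char *maps)
{
    int found = 0;
    char last[512] = "";
    const char *line = maps;
    while (*line != '\0') {
        const char *nl  = strchr(line, '\n');
        size_t      len = nl ? (size_t)(nl - line) : strlen(line);
        const char *path = NULL;
        int field = 0, in_field = 0;
        for (size_t i = 0; i < len; i++) {            /* path is the 6th field */
            int ws = (line[i] == ' ' || line[i] == '\t');
            if (!ws && !in_field) {
                in_field = 1;
                if (++field == 6) { path = line + i; break; }
            } else if (ws) {
                in_field = 0;
            }
        }
        if (path != NULL) {
            char buf[512];
            snprintf(buf, sizeof buf, "%.*s", (int)(len - (size_t)(path - line)), path);
            if (is_shared_object(buf) && !in_trusted_dir(buf) && strcmp(buf, last) != 0) {
                printf("shared object outside trusted dirs: %s\n", buf);
                snprintf(last, sizeof last, "%s", buf);
                found++;
            }
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    return found;
}

/* Constructed samples standing in for /proc/<pid>/environ and /proc/<pid>/maps. */
static const char sample_environ[] =
    "PATH=/usr/bin:/bin\0LD_PRELOAD=/usr/share/.x/libsample.so\0HOME=/root\0";
static const char sample_maps[] =
    "55d0c2a00000-55d0c2a08000 r-xp 00000000 fd:01 1310734 /usr/bin/sleep\n"
    "7f1a8c200000-7f1a8c3c0000 r-xp 00000000 fd:01 396042 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1a8c3c0000-7f1a8c3c4000 r--p 001c0000 fd:01 396042 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1a8c400000-7f1a8c408000 r-xp 00000000 fd:01 2101 /usr/share/.x/libsample.so\n"
    "7f1a8c408000-7f1a8c409000 rw-p 00008000 fd:01 2101 /usr/share/.x/libsample.so\n"
    "7ffd3a000000-7ffd3a021000 rw-p 00000000 00:00 0 [stack]\n";

int demo_environ_flagged(void)
{
    char value[256];
    return env_ld_preload(sample_environ, sizeof sample_environ - 1, value, sizeof value);
}

int demo_environ_clean(void)
{
    static const char clean[] = "PATH=/usr/bin\0HOME=/root\0";
    char value[256];
    return env_ld_preload(clean, sizeof clean - 1, value, sizeof value);
}

int demo_maps_flagged(void) { return maps_untrusted_objects(sample_maps); }

int main(void)
{
    char value[256];
    if (env_ld_preload(sample_environ, sizeof sample_environ - 1, value, sizeof value))
        printf("LD_PRELOAD set: %s\n", value);
    printf("untrusted shared objects: %d\n", maps_untrusted_objects(sample_maps));
    return 0;
}
```

On a live host, feed the contents of /proc/<pid>/environ and /proc/<pid>/maps for each process into the same two functions and also inspect /etc/ld.so.preload. As the article notes, a rootkit that hooks libc's file and directory functions can hide exactly these entries from a dynamically linked tool, so build the helper statically (gcc -static) and treat its output as one signal next to network telemetry, not as proof of a clean system.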

Millions of Android smartphones exposed to remote hacking due to vulnerability in UNISOC baseband chips
https://www.securitynewspaper.com/2022/06/02/millions-of-android-smartphones-exposed-to-remote-hacking-due-to-vulnerability-in-unisoc-baseband-chips/
Thu, 02 Jun 2022 17:28:20 +0000

It may not sound familiar to millions of mobile phone users, but Chinese chipmaker UNISOC has been a major member of the industry for just over 20 years. Founded as Spreadtrum Communications in 2001, the company grew rapidly and was present in more than half of Chinese phones by 2011. Currently, the firm produces budget chipsets for Android devices compatible with 2G, 3G, 4G and 5G technology, in addition to smart TVs and more, with a predominant presence in Asia and some regions of Africa, ranking only behind giants such as Qualcomm and MediaTek.

While UNISOC is a major chip producer, its technology has been little analyzed by mobile security specialists, so it is difficult to know what security risks are present in devices with these chips, and there are not even public references to any vulnerability detected in their firmware.

A recent research effort led by Check Point Research focuses on the modem of smartphones with UNISOC chips, which could be a very attractive attack target for cybercriminals, as this component can be accessed remotely and relatively easily, with the potential to deploy denial of service (DoS) attacks and block the communications of the affected devices.

Basic attack concepts

The Long-Term Evolution (LTE) network is made up of a dozen protocols and components, and understanding it is necessary to understand how the UNISOC modem works. The 3GPP Group introduced the Evolved Packet System (EPS), an LTE technology architecture consisting of three key interconnected components:

  • User equipment (UE)
  • Evolved UMTS terrestrial radio access network (E-UTRAN)
  • Evolved Packet Core (EPC)

E-UTRAN has only one stack, the eNodeB station, which controls radio communications between the UE and the EPC. A UE can be connected to only one eNodeB at a time.

The EPC component consists of four stacks, one of which is the Mobility Management Entity (MME). The MME controls the high-level operations of mobile devices on the LTE network. This component sends signaling messages related to security control, management of tracking areas, and mobility maintenance.

Check Point Research’s tests, conducted on a smartphone with a UNISOC modem, focus on communications between the MME and UE stacks, which occur via the EPS session management (ESM) and EPS mobility management (EMM) protocols. The following screenshot shows the protocol stack of the modem. The non-access stratum (NAS) layer hosts the ESM and EMM signaling messages.

The NAS protocol operates with high-level structures, which would allow threat actors to create specially crafted EMM packets and send them to a vulnerable device, whose modem will parse them and create internal objects based on the information received.

A bug in the parsing code would allow hackers to lock up the modem and even perform remote code execution (RCE) attacks.

Security flaws in NAS handlers

Most NAS message parsers take three arguments: an output buffer, which is an object of the appropriate message structure; the NAS message data blob to decode; and the current offset in the message blob.

This uniform function signature makes it easy to implement a harness to fuzz the NAS parsing functions. Check Point experts used the classic combination of AFL and QEMU to fuzz the modem binary on a PC, patching the modem binary to redirect malloc calls to the libc equivalent. The fuzzer mutated the NAS message data and passed it as the input buffer to the parsing function.

One of the optional fields of ATTACH_ACCEPT is the mobile identity. The modem firmware implements an unpacking function similar to liblte_mme_unpack_mobile_id_ie of srsRAN to extract the mobile identity from the NAS message. The identity data block begins with the length of the identity; if the device is represented by an International Mobile Subscriber Identity (IMSI), (length - 2) bytes of message data are copied to the output buffer as the IMSI number.

The check that the provided length value is greater than one is bypassed. Therefore, if the value of the length field is zero, 0 - 2 = 0xFFFFFFFE bytes of the NAS message are copied to heap memory, leading to a DoS condition.
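To make the length underflow concrete, here is an added C example (not UNISOC's firmware code and not srsRAN's liblte_mme_unpack_mobile_id_ie) that decodes a constructed, simplified mobile-identity block: IEI 0x23, a length byte, a type byte, then the identity bytes, with the length byte counting itself and the type byte so that (length - 2) identity bytes follow. The layout, the IMSI_MAX_BYTES bound and the sample messages are assumptions for illustration, not the real 3GPP encoding. The unchecked decoder returns the byte count it would pass to memcpy instead of performing an out-of-bounds copy, so the 0xFFFFFFFE result can be observed safely; the checked decoder shows the validation that prevents it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified layout (not the real 3GPP encoding):
 *   msg[0] = IEI 0x23 (mobile identity), msg[1] = length, msg[2] = type,
 *   msg[3..] = identity bytes. The length byte counts itself and the type
 *   byte, so (length - 2) identity bytes follow. */
#define IEI_MOBILE_ID   0x23u
#define MOBILE_ID_IMSI  0x01u
#define IMSI_MAX_BYTES  8u       /* assumed size of the output field */

typedef struct {
    uint8_t  type;               /* low nibble of the type byte */
    uint32_t id_len;             /* number of identity bytes placed in id[] */
    uint8_t  id[IMSI_MAX_BYTES];
} mobile_id_t;

enum { MID_OK = 0, MID_BAD_IEI = -1, MID_BAD_LEN = -2, MID_TRUNCATED = -3 };

/* Flawed decoder: trusts the length field, as the article describes.
 * It returns the byte count it would hand to memcpy; the copy itself is
 * performed only when it fits, so the underflow is observable without an
 * out-of-bounds write. In firmware, the 0xFFFFFFFE-byte copy is what
 * crashes the modem. */
uint32_t unpack_mobile_id_unchecked(const uint8_t *msg, size_t msg_len,
                                    mobile_id_t *out)
{
    if (msg_len < 3 || msg[0] != IEI_MOBILE_ID)
        return 0;
    uint8_t  len  = msg[1];
    uint32_t ncpy = (uint32_t)len - 2u;   /* len == 0 -> 0xFFFFFFFE */
    out->type   = msg[2] & 0x0fu;
    out->id_len = ncpy;
    if (ncpy <= IMSI_MAX_BYTES && ncpy <= msg_len - 3)
        memcpy(out->id, msg + 3, ncpy);
    return ncpy;
}

/* Hardened decoder: every value derived from the untrusted message is
 * checked against both the input blob and the output buffer before it
 * drives a copy. */
int unpack_mobile_id_checked(const uint8_t *msg, size_t msg_len,
                             mobile_id_t *out)
{
    if (msg_len < 3)                return MID_TRUNCATED;
    if (msg[0] != IEI_MOBILE_ID)    return MID_BAD_IEI;
    uint8_t len = msg[1];
    if (len < 2)                    return MID_BAD_LEN;    /* the missing check */
    size_t ncpy = (size_t)len - 2u;
    if (ncpy > IMSI_MAX_BYTES)      return MID_BAD_LEN;    /* output bound */
    if (ncpy > msg_len - 3)         return MID_TRUNCATED;  /* input bound */
    memset(out, 0, sizeof *out);
    out->type   = msg[2] & 0x0fu;
    out->id_len = (uint32_t)ncpy;
    memcpy(out->id, msg + 3, ncpy);
    return MID_OK;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t sample_zero_len[] = { 0x23, 0x00, 0x01 };
static const uint8_t sample_valid[]    = { 0x23, 0x06, 0x01, 0x21, 0x43, 0x65, 0x87 };

uint32_t demo_unchecked_zero_len(void)
{
    mobile_id_t m;
    return unpack_mobile_id_unchecked(sample_zero_len, sizeof sample_zero_len, &m);
}

int demo_checked_zero_len(void)
{
    mobile_id_t m;
    return unpack_mobile_id_checked(sample_zero_len, sizeof sample_zero_len, &m);
}

/* Returns the decoded identity length on success, or a negative error code. */
int demo_checked_valid(void)
{
    mobile_id_t m;
    int rc = unpack_mobile_id_checked(sample_valid, sizeof sample_valid, &m);
    if (rc != MID_OK) return rc;
    return (m.type == MOBILE_ID_IMSI && m.id[0] == 0x21 && m.id[3] == 0x87)
           ? (int)m.id_len : -99;
}

int main(void)
{
    printf("unchecked, length 0: would copy 0x%08x bytes\n", demo_unchecked_zero_len());
    printf("checked,   length 0: rc=%d\n", demo_checked_zero_len());
    printf("checked,   valid:    identity bytes=%d\n", demo_checked_valid());
    return 0;
}
```

The hardened version makes the same three decisions any length-prefixed parser should make before copying: the length must be large enough to cover the fixed header it includes, the derived copy size must fit the destination, and it must not run past the end of the received blob. A fuzzing harness of the kind Check Point used finds the first decoder within seconds because a single zero byte reaches the memcpy.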

In the following screenshot, you can see the message ATTACH_ACCEPT, which causes the overflow.

Conclusions

The highlighted 0x23 value indicates that the following data is the identity block of the message, where the first 0x01 is the length and the second 0x01 is the IMSI type.

UNISOC is aware of this condition, and the flaw has already been assigned the identifier CVE-2022-20210. While the attack scenarios described by Check Point are not easy to exploit and require great resources and planning, the possibility of exploitation is real and should not be dismissed.

The bugs will be properly addressed, protecting millions of smart device users. Google is also aware of the report and will issue some additional protections for the Android system.

FBI seizes infrastructure of Weleakinfo and other cyber criminal platforms
https://www.securitynewspaper.com/2022/06/01/fbi-seizes-infrastructure-of-weleakinfo-and-other-cyber-criminal-platforms/
Wed, 01 Jun 2022 23:24:21 +0000

In a joint statement, the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice (DOJ) announced the seizure of the domain name WeLeakInfo.to and two other domain names (ipstress.in and ovh-booter.com) as part of an international investigation related to illegal access to personal information.

The statement describes these online platforms as “worryingly common threats,” detailing how threat actors used these sites to traffic in stolen personal information: “Using strong relationships with our international partners, we will address crimes like these, which threaten privacy, security, and commerce around the world.”

WeLeakInfo.to operators claimed to provide their users with a search engine to review and obtain personal information illegally obtained in more than 10,000 data breach incidents, with around 7 billion records indexed, exposing data such as full names, phone numbers, email addresses, and even online account passwords.

The report describes the domains ipstress.in and ovh-booter.com as platforms for launching denial of service (DoS) attacks, commonly known as booter or stresser services. From these websites, threat actors could flood a specific web server with malicious traffic, making it inaccessible to legitimate users.

As a result of this operation, the seized domain names, and any related domains, are now in the custody of the federal government, effectively suspending the operation of these malicious services. Visitors to the sites will now find a seizure banner stating that U.S. federal authorities are responsible for the seizure.

The seizure of these domains was part of a coordinated police action with the authorities of Belgium and the Netherlands. These police agencies arrested one of the main operators of these platforms and collaborated in various raids.

U.S. authorities have asked anyone who has information about other members of this cybercriminal operation to file a complaint immediately, as this is a critical time to act against these groups.

Interpol arrests hackers who attacked oil and gas companies worldwide: Operation Killer Bee
https://www.securitynewspaper.com/2022/05/31/interpol-arrests-hackers-who-attacked-oil-and-gas-companies-worldwide-operation-killer-bee/
Tue, 31 May 2022 16:32:21 +0000

Interpol announced that Operation Killer Bee, deployed in collaboration with authorities in 11 countries in South Asia, led to the arrest of three Nigerian nationals accused of using a remote access Trojan (RAT) to divert funds and steal access credentials from affected organizations. This cybercriminal group operated from Lagos, Nigeria, and reportedly attacked multiple oil and gas companies in the Middle East, North Africa, and Southeast Asia, stealing an undetermined amount.

One of those arrested faces charges of possession of fraudulent documents, impersonation, and obtaining money with false claims, and could spend more than three years in prison. The other two defendants face only one count of possession of fraudulent documents, which Interpol believes they would have used in a business email compromise (BEC) campaign.

SOURCE: Interpol

During the arrest of the three individuals, laptops and smartphones used for this fraudulent operation were confiscated, allowing law enforcement to discover that the hackers were using the RAT known as Agent Tesla. This malware variant allows information theft, keystroke logging, and theft of credentials stored in web browsers, email clients, and other platforms.

SOURCE: Interpol

The defendants allegedly used Agent Tesla to steal credentials in the targeted organizations, in addition to accessing internal emails and maintaining constant surveillance of employees in these companies. The collection of information about the target is a fundamental part of a BEC attack since threat actors need to know the processes, standards, and actors involved in the processes of the affected organizations.

Cybersecurity specialists report that Agent Tesla has become one of the most widely used malware variants today, above other variants such as AveMaria, Formbook, Lokibot, RedLine, and Wakbot.

In recent days, Interpol also collaborated in the arrest of the alleged leader of SilverTerrier, another BEC operation allegedly run by cyber criminals in Nigeria.

Full names, IDs, email addresses, and phone numbers of hacked Verizon employees: Customers could experience increased SIM swap attacks
https://www.securitynewspaper.com/2022/05/30/full-names-ids-email-addresses-and-phone-numbers-of-hacked-verizon-employees-customers-could-experience-increased-sim-swap-attacks/
Mon, 30 May 2022 23:00:54 +0000

A report from Motherboard details the detection of a data breach affecting the telephone company Verizon, an incident that would have put at risk the personal records of thousands of employees. The leak would include employees’ full names, corporate IDs, email addresses, and phone numbers.

Even though Verizon was notified and has already acknowledged the leak, its representatives deny that the compromised information poses a security threat to its employees and customers.

The alleged hackers behind this incident claimed that it was very easy for them to access this database, as they simply had to contact a Verizon employee and pose as a co-worker in the internal support area. After fooling this unsuspecting employee, the hackers were able to connect to Verizon’s internal tool and access sensitive information.

Once in the database, the hacker reported having created a tool that allowed them to download the information stored in the company’s systems. Verizon would soon receive a ransom note threatening to expose the compromised information if a $250,000 ransom was not paid.

Not a security risk?

As mentioned above, a Verizon representative stated that the company does not consider the compromised records confidential information, so it does not plan to negotiate any ransom with the hackers. The representative added that, for Verizon, information security is a serious matter, and that the company has the best measures in place to protect its customers’ and employees’ data.

Information security specialists disagree with Verizon’s stance: while the leak does not involve passwords, bank records, or social security numbers, the stolen data could still prove useful to multiple hacking groups. Phishing campaigns, phone fraud, SIM swapping, and email spam are just some of the risks to which those affected could be exposed.

India relaxes cyber security incidents reporting rules and says new rules apply to MNCs
https://www.securitynewspaper.com/2022/05/20/india-relaxes-cyber-security-incidents-reporting-rules-and-says-new-rules-apply-to-mncs/
Fri, 20 May 2022 18:35:11 +0000

Cybersecurity agencies in India are slightly relaxing their controversial and complex requirements for reporting on information security incidents, although they reaffirm that the final version of these rules should apply to any multinational company operating on their territory.

These rules were announced overnight in late April and received criticism from major players in the industry, because system administrators were required to report 22 types of cybersecurity incidents within six hours of their detection, in addition to requirements such as the registration of VPN users and other controversial measures.

The Government of India published an FAQ document related to these new rules and specifying that improvements and revisions will continue to apply. For example, India has clarified that minor security incidents, such as social media account takeover, will not have to be reported within six hours; on the other hand, only the most severe incidents, capable of disrupting operations in the affected organization, will have to be reported within this period.

Authorities also reversed the restriction of using only a couple of Indian Network Time Protocol (NTP) servers, specifying that the use of other NTP servers synchronized with local operators is also allowed.

The document also lists more clearly the requirements for entities that operate in India without having a physical presence in the nation. As it reads, these companies must designate a point of contact to communicate with CERT-In, which administers the new rules. Non-Indian organizations can store certain data abroad, but must make it available to CERT-In.

Indian officials avoided making any mention of the criticism the first version of this project received. The FAQ does not address objections to measures such as VPN user retention, in addition to frequently referencing that some of these measures were implemented for national security purposes, making it difficult to change specific aspects.

This document also does not offer any explanation as to how CERT-In will use the documents it collects to analyze security incidents, a matter of interest as organizations can submit reports in formats such as PDFs or faxes that do not lend themselves to automated ingestion or analysis.

Critical vulnerability in Bluetooth Low Energy (BLE) allows easily hacking Tesla cars, smart locks and millions of devices that use this Bluetooth technology
https://www.securitynewspaper.com/2022/05/18/critical-vulnerability-in-bluetooth-low-energy-ble-allows-easily-hacking-tesla-cars-smart-locks-and-millions-of-devices-that-use-this-bluetooth-technology/
Wed, 18 May 2022 16:28:27 +0000

Specialists from the security firm NCC Group developed a tool capable of deploying relay attacks against Bluetooth Low Energy (BLE), which would allow bypassing any existing protection in the target system and authenticating without any problem. This technology is used in all kinds of products, including smartphones, laptops, access control systems, and even Tesla Model 3 and Model Y cars.

In relay attacks, threat actors begin by intercepting and manipulating communications between two parties, such as a keyless car and the device that opens its doors. Attackers must place themselves in the middle of both ends of communication, transmitting a malicious signal to impersonate the legitimate user.

Technology devices that use BLE for authentication have security measures against relay attacks by default, most based on latency and link-layer encryption. The tool developed by the researchers operates at the link layer and has a latency of 8ms, within the Generic Attribute Profile (GATT) response range.

Thanks to its features, the tool can forward encrypted link layer PDUs, in addition to detecting encrypted changes in connection parameters to continue relaying connections through parameter changes. That is why BLE protections do not work against this attack.

Experts at NCC Group mention that it takes around 10 seconds to complete an attack on any of the affected systems, including Tesla Model 3 and Model Y cars, as they use a BLE-based entry system.

While the technical details behind this new attack have not been released, researchers reported testing this tool on a 2020 Tesla Model 3, via an iPhone 13 mini with version 4.6.1-891 of the Tesla app. The attack was also successfully replicated in a Tesla Model Y 2021 model, as they employ similar technologies.

The researchers mention that it is complicated to implement solutions for this security problem due to the features of BLE. In addition, even if industry members responded immediately and in a coordinated manner, updates could take months to arrive for all affected users.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Researchers find new way to hack any iPhone even when it’s turned off https://www.securitynewspaper.com/2022/05/17/researchers-find-new-way-to-hack-any-iphone-even-when-its-turned-off/ Tue, 17 May 2022 18:33:58 +0000

Cybersecurity experts published research detailing how the Bluetooth, Near Field Communication (NFC) and Ultra-wideband (UWB) wireless features on iPhone devices would allow some variants of cyberattacks to be deployed, as they remain active even when the affected device is turned off.

These features have access to the Secure Element, which stores sensitive device information and remains active on the latest iPhone models even with the phone turned off. According to specialists at the Technical University of Darmstadt, Germany, this would allow malware to be loaded onto the Bluetooth chip of an inactive device.

The compromise of these features would allow threat actors to access protected information, including payment card details, banking information and other sensitive data. While this risk is considered real and active, the researchers acknowledge that exploiting these flaws is complex, as hackers would first have to load malware onto the target iPhone while it is turned on, which necessarily requires a remote code execution (RCE) capability.

According to the report, the bug exists because of the way Low Power Mode (LPM) is implemented on Apple’s wireless chips: “The LPM setting is triggered when the user turns off their phone or when the iOS system automatically shuts down due to lack of battery.”

Experts believe that, in addition to its obvious advantages, the current implementation of LPM has created new attack vectors. LPM support is built into iPhone hardware, so bugs like this cannot be fixed with software updates.

One attack scenario tested by the researchers describes how the smartphone’s firmware would allow attackers to gain system-level access for remote code execution using a known Bluetooth vulnerability, such as the well-publicized BrakTooth flaw. The research was shared with Apple before its publication. Although the company did not comment on it, the experts proposed that Apple add a hardware-based switch to disconnect the battery, preventing the affected components from receiving power while the device is turned off.

3 critical vulnerabilities in SonicWall SMA 1000 SSLVPN affect over 500k companies https://www.securitynewspaper.com/2022/05/16/3-critical-vulnerabilities-in-sonicwall-sma-1000-sslvpn-affect-over-500k-companies/ Mon, 16 May 2022 16:47:44 +0000

In a security alert, SonicWall has strongly urged its customers to address some security flaws in its Secure Mobile Access (SMA) Series 1000 products, as their successful exploitation would allow threat actors to fully compromise vulnerable devices.

The most severe vulnerability, tracked as CVE-2022-22282, was described as an unauthenticated access control bypass, while two lesser security flaws were described as the use of a hard-coded cryptographic key and an open redirect; these two flaws have not yet received CVE identifiers.

The company adds that, at the moment, there are no known workarounds for these vulnerabilities, so users of affected deployments are advised to update as soon as possible. SonicWall also mentions that no active exploitation attempts have been detected, so there is still time to install the official updates before attackers catch up.

The flaws reside in the SMA Series 1000 6200, 6210, 7200, 7210 and 8000v (ESX, KVM, Hyper-V, AWS, Azure) models. SonicWall mentions that SMA Series 1000 products running versions earlier than 12.4.0 are not affected.

As mentioned above, CVE-2022-22282 is the most serious of the reported flaws, as a successful attack would allow access controls to be bypassed and internal resources to be reached. This bug received a score of 8.2 under the Common Vulnerability Scoring System (CVSS) and can be exploited remotely and without interaction from the target user.

On the other hand, the hard-coded cryptographic key flaw can also enable more complex attacks: “The use of a hard-coded cryptographic key increases the possibility of recovering encrypted data in the system,” notes the MITRE CWE database.

SMA Series 1000 VPN devices are used to protect remote connections to corporate networks, so it is highly likely that hacking groups will attempt to exploit these flaws. These devices have previously been the target of dangerous attacks; months ago, a wave of HelloKitty ransomware attacks impacted SMA 100 series appliances by exploiting a zero-day vulnerability.

More than 500,000 commercial customers from 215 countries and territories around the world use SonicWall products, so the scope of exploitation is considerable.

CRITICAL VULNERABILITIES ALLOW HACKING MULTIPLE KONICA MINOLTA DEVICES https://www.securitynewspaper.com/2022/05/14/critical-vulnerabilities-allow-hacking-multiple-konica-minolta-devices/ Sat, 14 May 2022 17:00:00 +0000

Researchers from SEC Consult Vulnerability Lab reported the detection of a sandbox breakout vulnerability present in some Konica Minolta bizhub multifunctional models. Detected in late 2019, successful exploitation of this flaw would have given attackers full read/write access to the device’s operating system, in addition to root access to stored data.

Threat actors could have manipulated compromised devices in multiple ways without legitimate users being able to identify the malicious activity. The flaws were addressed in early 2020 and the company has actively monitored the problem since then, although this is not enough to eliminate all risks.

The disadvantage of the firmware patches issued by Konica Minolta is that they had to be applied manually by the company’s technical service teams, which is already a problem considering that there are hundreds of thousands of users of these multifunctional devices. As if that were not enough, the pandemic severely delayed the application of the patches, leaving an undetermined number of users fully exposed to the attack.

EXPLOITATION PROCESS

To better understand the active exploitation risk, SEC Consult Vulnerability Lab developed a proof of concept (PoC), trying to successfully replicate an attack on the Konica Minolta bizhub C3300i and C3350i devices, or more precisely on its terminal.

At the conclusion of the tests, the experts demonstrated that it was possible to deploy three different attacks, each of which was assigned a CVE identifier:

  • CVE-2022-29586: Sandbox bypass in the touch screen terminal
  • CVE-2022-29587: UI/Chromium terminal running as root
  • CVE-2022-29588: Passwords stored in plain text in the file system

Below is a brief explanation of each error.

SANDBOX BYPASS IN THE TOUCH SCREEN TERMINAL

These machines have a touch screen for ease of use. According to the report, the touch screen terminal has a user interface based on a proprietary application; when opening some applications through this terminal, it is possible to notice a slight change in the appearance of the user interface.

This behavior is the result of a context change, meaning that the applications being run are not based solely on the proprietary application. After connecting a keyboard to one of the printer’s multiple USB ports and pressing specific key combinations, it was possible to determine that some parts of the application run in an ordinary Chromium browser in “kiosk mode”, from which the sandboxed environment can be escaped with little effort.

The researchers mention that the exploitation of this fault involves a few steps:

Step 1 – Public User Access

Physical access is required to exploit this vulnerability, in addition to using “User Authentication” and enabling “Public User Access” on the device. The “Public User Access” button must be pressed on the touch screen terminal of the physical printer.

Step 2 – Utility

After enabling “Public User Access”, a menu opens where functions such as “Scan”, “Copy” and “Utility” can be selected; “Utility” is the button that should be pressed next.

Step 3 – Utility X2

The “Utility” button should be pressed again as shown below:

Step 4 – Access to Chromium

At this stage a slight change in the user interface is observed. This is because the proprietary application launches in a Chromium browser in kiosk mode:

Step 5 – Connect a keyboard

For the next step, a USB keyboard is connected, since the touch screen keyboard lacks some of the keys needed for the attack.

Step 6 – Access to Chromium Developer Console

Most of the usual shortcuts are either disabled, as on a normal Linux operating system, or freeze the printer. However, it is possible to gain full access to the system by pressing F12 on the USB keyboard, which opens the Chromium Developer Console as shown below:

This gives access to the file system, from which a folder can be added using the “Add folder to workspace” option. In the window that appears, approval is requested to add the folder, and it is enough to click the “Allow” button.

If these steps are completed properly, attackers will be able to access arbitrary files in the file system with root access and write arbitrary files, manipulate web application scripts, and other hacking tasks.

PASSWORDS STORED IN PLAIN TEXT IN THE FILE SYSTEM

Threat actors who have successfully exploited the first of these flaws can access the “/var/log/nginx/html” directory. This folder contains a file called ADMINPASS that, as we can guess, contains the administrator password in plain text for the printer terminal and the web interface.

The following screenshot shows how this information is fully exposed to malicious activity.

RUNNING UI/CHROMIUM TERMINAL AS ROOT

Finally, the researchers identified that it is possible to access files such as /etc/shadow, as can be seen in the following image:

Experts thought of two possible explanations for this behavior:

  • An incorrect set of permissions for files with sensitive data
  • Chrome browser is running as root

Eventually Konica Minolta confirmed the second of these hypotheses.

The manufacturer determined that a total of 46 Konica Minolta bizhub multifunctional printer models are affected by these flaws. As mentioned above, there are hundreds of thousands of users of these machines worldwide; in addition, these devices are rebranded and sold by other companies, whose customers are also affected by the security issues.

Konica Minolta is still working to correct these flaws, although it is difficult to estimate how many users are still missing the patches or whether these bugs have been actively exploited.
