Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/)

New rootkit malware for Linux is undetectable and is quickly spreading throughout Latin America. Protect your servers before it’s too late
https://www.securitynewspaper.com/2022/06/09/new-rootkit-malware-for-linux-is-undetectable-and-is-quickly-spreading-throughout-latin-america-protect-your-servers-before-its-too-late/
Thu, 09 Jun 2022 16:54:23 +0000
BlackBerry ThreatVector researchers detailed the detection of a new malware strain for Linux systems that lives off the resources of the systems it compromises. Dubbed Symbiote, the strain is described by the experts as highly sophisticated, with a parasitic behavior never seen before, and it is advancing by leaps and bounds throughout Latin America.

The defining feature of Symbiote is that it must infect other running processes to do anything at all. Instead of shipping a standalone executable like a conventional malware variant, the attackers use a shared object (SO) library that is loaded into running processes through LD_PRELOAD, infecting vulnerable systems that way.

After infecting running processes on the system, Symbiote provides its operators with rootkit functionalities, in addition to remote access and credential collection capabilities.

Origins

Researchers first detected the malware in November 2021 and attribute it to hacking groups targeting the financial sector in Latin America. Once on a target system, Symbiote hides every hint of malicious activity, making infections virtually undetectable even with forensic analysis techniques.

In addition to its rootkit tactics, the malware implants a backdoor in the system so that its operators can log in as any user with an encrypted password and execute commands with high privileges.

Another interesting feature of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality. Other malware variants have used BPF to cover up their C&C communications; Symbiote, however, uses BPF to hide malicious network traffic on infected systems.

When an administrator launches a packet capture tool on an affected Linux system, that tool loads BPF bytecode into the kernel that defines which packets should be captured. Symbiote prepends its own bytecode to that filter so that the traffic it wants to hide is dropped before the capture tool ever sees it.

Evasion tactics

This malware is highly stealthy. According to the researchers, Symbiote is designed to be loaded through the LD_PRELOAD directive, which causes it to be loaded before any other shared object. Because it loads first, it can hijack the imports of the other libraries loaded by the application.

Symbiote uses this to hide its presence on the machine by hooking libc and libpcap functions. The original article illustrates the various evasion tactics with a screenshot (source: BlackBerry ThreatVector).

Because Symbiote works as a user-level rootkit, an infection can be difficult to detect. Network telemetry can be used to spot anomalous DNS requests, and security tools such as antivirus must be statically linked so that they do not themselves load the preloaded library and get “infected” by the user-mode rootkit. The infection vector is still unknown, so Linux system administrators should remain vigilant for any hint of compromise.
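As an added example (not code from the BlackBerry write-up or from the original post), the following C scanner looks for the three footprints of the LD_PRELOAD mechanism described above: a populated /etc/ld.so.preload, LD_PRELOAD set in a process's environment, and shared objects mapped into a process from outside the standard library directories. Build it with -static, as the article advises, so the checker does not itself load a hooked libc; the trusted-directory list and the sample paths in the comments are assumptions.

```c
/* ldpreload_scan.c: look for the footprints of LD_PRELOAD-based injection.
 * Build statically (gcc -static -O2 -o ldpreload_scan ldpreload_scan.c) so the
 * scanner does not load a hooked libc itself; run as root to read every process. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Assumed list of directories where an installed shared object normally lives;
 * a .so mapped from anywhere else (/tmp, /dev/shm, a home directory) is flagged. */
static const char *TRUSTED_DIRS[] = { "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", NULL };

int is_trusted_lib_path(const char *path) {
    for (int i = 0; TRUSTED_DIRS[i]; i++)
        if (strncmp(path, TRUSTED_DIRS[i], strlen(TRUSTED_DIRS[i])) == 0) return 1;
    return 0;
}

/* True for "libfoo.so" and "libfoo.so.6", false for "/tmp/app.sock". */
static int looks_like_shared_object(const char *path) {
    for (const char *p = strstr(path, ".so"); p; p = strstr(p + 1, ".so"))
        if (p[3] == '\0' || p[3] == '.') return 1;
    return 0;
}

/* One /proc/<pid>/maps line: "addr perms offset dev inode [path]". Returns 1 and
 * copies the path to out if it is a shared object mapped from an untrusted place. */
int suspicious_maps_line(const char *line, char *out, size_t outlen) {
    char path[4096] = "";
    if (sscanf(line, "%*s %*s %*s %*s %*s %4095s", path) != 1) return 0; /* anonymous map */
    if (path[0] != '/' || !looks_like_shared_object(path) || is_trusted_lib_path(path)) return 0;
    snprintf(out, outlen, "%s", path);
    return 1;
}

/* /proc/<pid>/environ is a block of NUL-terminated "KEY=value" strings.
 * Returns 1 and copies the value to out if LD_PRELOAD is set at all (even empty). */
int environ_has_ld_preload(const char *buf, size_t len, char *out, size_t outlen) {
    static const char key[] = "LD_PRELOAD="; const size_t klen = sizeof key - 1;
    for (size_t i = 0; i < len; ) {
        const char *entry = buf + i;
        size_t elen = strnlen(entry, len - i);
        if (elen >= klen && strncmp(entry, key, klen) == 0) {
            snprintf(out, outlen, "%.*s", (int)(elen - klen), entry + klen);
            return 1;
        }
        i += elen + 1;
    }
    return 0;
}

/* /etc/ld.so.preload is a whitespace-separated list of objects the dynamic loader
 * injects into every program; on a clean host the file usually does not exist. */
int count_preload_entries(const char *contents) {
    int n = 0, in_token = 0;
    for (const char *p = contents; *p; p++) {
        if (isspace((unsigned char)*p)) in_token = 0;
        else if (!in_token) { in_token = 1; n++; }
    }
    return n;
}

static long read_file(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "rb"); if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f); buf[n] = '\0';
    return (long)n;
}

int main(void) {
    static char buf[1 << 16];
    char found[4096], last[4096], path[64], line[4400];
    long n = read_file("/etc/ld.so.preload", buf, sizeof buf);
    if (n > 0 && count_preload_entries(buf) > 0)
        printf("[!] /etc/ld.so.preload lists %d object(s):\n%s\n", count_preload_entries(buf), buf);
    DIR *proc = opendir("/proc");
    if (!proc) { perror("/proc"); return 1; }
    struct dirent *de;
    while ((de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0])) continue;   /* only /proc/<pid> */
        snprintf(path, sizeof path, "/proc/%s/environ", de->d_name);
        n = read_file(path, buf, sizeof buf);
        if (n > 0 && environ_has_ld_preload(buf, (size_t)n, found, sizeof found))
            printf("[!] pid %s has LD_PRELOAD=%s\n", de->d_name, found);
        snprintf(path, sizeof path, "/proc/%s/maps", de->d_name);
        FILE *m = fopen(path, "r");
        if (!m) continue;                                        /* gone or unreadable */
        last[0] = '\0';
        while (fgets(line, sizeof line, m))                      /* report each object once */
            if (suspicious_maps_line(line, found, sizeof found) && strcmp(found, last) != 0) {
                printf("[?] pid %s maps a shared object outside library dirs: %s\n", de->d_name, found);
                snprintf(last, sizeof last, "%s", found);
            }
        fclose(m);
    }
    closedir(proc);
    return 0;
}
```

A hit from the maps check is a lead, not a verdict: vendor software installed under /opt will show up too, so compare the flagged path against package-manager ownership and the file's hash before escalating.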

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

FBI seizes infrastructure of Weleakinfo and other cyber criminal platforms
https://www.securitynewspaper.com/2022/06/01/fbi-seizes-infrastructure-of-weleakinfo-and-other-cyber-criminal-platforms/
Wed, 01 Jun 2022 23:24:21 +0000

In a joint statement, the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice (DOJ) announced the seizure of the domain name WeLeakInfo.to and two other domain names (ipstress.in and ovh-booter.com) as part of an international investigation related to illegal access to personal information.

The message describes these online platforms as “worryingly common threats,” detailing how threat actors used these sites for trafficking in stolen personal information: “Using strong relationships with our international partners, we will address crimes like these, which threaten privacy, security, and commerce around the world.”  

WeLeakInfo.to operators claimed to provide their users with a search engine to review and obtain personal information illegally obtained in more than 10,000 data breach incidents, with around 7 billion records indexed, exposing data such as full names, phone numbers, email addresses, and even online account passwords.

The report describes the domains ipstress.in and ovh-booter.com as platforms for launching denial of service (DoS) attacks, commonly known as booter or stresser services. From these websites, threat actors could flood a specific web server with malicious traffic, making it inaccessible to legitimate users.

As a result of this operation, the seized domain names and any related domains are now in the custody of the federal government, effectively suspending the operation of these malicious services. Visitors to the sites now find a seizure banner stating that U.S. federal authorities are responsible for the seizure.

The seizures of these domains were part of a coordinated police action with the authorities of Belgium and the Netherlands. These police agencies arrested one of the main operators of these platforms and carried out several raids.

U.S. authorities have asked anyone who has information about other members of this cybercriminal operation to file a complaint immediately, as this is a critical time to act against these groups.

How hackers took control of 100 email accounts of employees of RT and other Russian organizations for cyber spying purposes?
https://www.securitynewspaper.com/2022/05/25/how-hackers-took-control-of-100-email-accounts-of-employees-of-rt-and-other-russian-organizations-for-cyber-spying-purposes/
Wed, 25 May 2022 18:20:22 +0000

A recent investigation details how an unidentified hacking group compromised the email accounts of entities linked to the Russian government using four separate phishing operations in early 2022. According to Malwarebytes experts, the attackers use a remote access Trojan (RAT) to spy on infected systems and execute commands on them, while deploying various mechanisms to evade detection and make reverse engineering difficult.

After extensive sample collection, analysis and follow-up, the experts uncovered some details about this RAT. While these phishing campaigns have not been attributed to a specific threat actor, all indications are that the operation is run by a Chinese Advanced Persistent Threat (APT) group.

Simultaneous operations

As mentioned initially, hackers deployed four malicious email campaigns since the end of February, working simultaneously and using various lures to attract unsuspecting users.

Below, we’ll briefly review the features of each phishing attack based on evidence collected by Malwarebytes.

Interactive map

Hackers began distributing the RAT in a file identified as interactive_map_UA.exe, an alleged interactive map of Ukraine. The malware distribution started a few days after Russia invaded Ukraine, indicating that hackers tried to exploit the international conflict.

Update for Log4j

Another of the detected campaigns uses a fake patch for the Log4Shell vulnerability, distributed as a tar file identified as Patch_Log4j.tar.gz. Reports of these emails began in March, and they targeted at least 100 employees of RT TV, a media network funded by Russia’s government.

The messages appear to be sent by the Russian state defense conglomerate Rostec and include various images and PDFs to make them look less suspicious.

The attached PDF, named О кибербезопасности 3.1.2022.pdf, contains instructions on how to run the fake patch, plus a bullet list of supposed security tips.

Among these recommendations, the hackers even added a link to VirusTotal showing that the file had not been flagged as malicious by any antivirus engine.

The message also includes links to the rostec.digital website, registered by the threat actors and designed to resemble Rostec’s actual site. Interestingly, the fraudulent website was registered in mid-2021, months before the Russian invasion of Ukraine began.

Rostec

Hackers again use Rostec’s image in the third campaign, distributing a malicious file named build_rosteh4.exe.

Fake job offers

The latest detected campaign uses a Word document containing an alleged job offer at state oil company Saudi Aramco. The attack involves a self-extracting file using the Jitsi icon and creating a directory identified as Aramco in C:\ProgramData.

The document, written in English, includes a message in Russian asking the user to enable macros on their device.

A remote template injection then downloads a template that carries a macro; that macro drops a VBS script identified as HelpCenterUpdater.vbs into the %USER%\Documents\AdobeHelpCenter directory. The template also checks for the existence of %USER%\Documents\D5yrqBxW.txt; provided that file exists, the script is delivered and executed.

The HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the primary payload, a DLL called GE40BRmRLP.dll, from its C&C server. Another related payload, which appears to share code with this one, delivers an EXE instead of a DLL.

The UpdateRunner.vbs script is responsible for running the DLL through rundll32.exe.

The malicious DLL contains the code that communicates with the C&C server and executes the received commands.

The campaign is still active and relatively successful, although many details remain unknown and it is difficult to know what specific purposes the attackers are pursuing. Malwarebytes has committed to continue monitoring this campaign and the malware used by the hackers.

Threat actors could have hacked the U.S. Drug Enforcement Administration (DEA) and other related law enforcement agencies. Investigation still ongoing
https://www.securitynewspaper.com/2022/05/13/threat-actors-could-have-hacked-the-u-s-drug-enforcement-administration-dea-and-other-related-law-enforcement-agencies-investigation-still-ongoing/
Fri, 13 May 2022 18:18:10 +0000

The U.S. Drug Enforcement Administration (DEA) reports that it has begun an investigation into alleged cyberattacks that would have compromised up to 16 databases of federal agencies. According to KrebsOnSecurity researchers, this incident could be related to a cybercriminal group whose members pose as law enforcement officers in order to access sensitive information.

A few days ago, investigators were alerted to a group of hackers with access to a username and password to the Law Enforcement Inquiry and Alerts (LEIA) system, which allows the search for information internally and in external database repositories, including data classified as “sensitive to law enforcement.” This report was shared with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ). In total, LEIA enables federated search of 16 federal law enforcement databases in the U.S.

The report received by KrebsOnSecurity includes screenshots indicating that the hackers may have accessed the El Paso Intelligence Center (EPIC), one of the databases reachable from LEIA. In this database, the threat actors would have been able to search all kinds of records on seized assets, including cars, boats, weapons and even drones.

Strangely, this information was reported to KrebsOnSecurity by “KT”, administrator of an alleged online cybercriminal community known as Doxbin. This same threat actor has been identified as the leader of Lapsus$, a hacking group that recently carried out high-profile attacks against well-known companies such as Microsoft, NVIDIA and Samsung.

This hacker is also blamed for operating a service that offers fake Emergency Data Requests (EDR), using compromised email accounts from law enforcement agencies to ask tech companies for access to their users’ confidential information while posing as police officers.

Although this activity has been linked to some alleged members of Lapsus$, at the moment it is unknown exactly who is behind these attacks, and the possibility of a nation-state-sponsored hacking group is still being considered. The DEA will continue to investigate the reports, so it only remains to wait for new details to be officially announced.

Now you can ask Google to remove your phone number, email address, physical address and other personal contact data from Search Results. Learn how to do it
https://www.securitynewspaper.com/2022/04/28/now-you-can-ask-google-to-remove-your-phone-number-email-address-physical-address-and-other-personal-contact-data-from-search-results-learn-how-to-do-it/
Thu, 28 Apr 2022 19:25:46 +0000

After multiple scandals of inappropriate handling of personal information, reinforcing users’ privacy has become one of the primary goals of large technology companies. Such is the case of Google, which has just announced the implementation of new policies that will allow users to request the removal of certain personal content from Google Search results.

While it was already possible to make these requests in cases of doxing or leaking of bank details, the update will allow users to request the removal of other content that appears in search results, including personal contact information. Google will also allow the removal of additional information that may pose a risk of identity theft, such as access credentials to online platforms.

According to the report, the following records may be considered personal contact information:

  • Government identification numbers, including social security numbers, tax identification keys and the like depending on the country in question
  • Bank account numbers and credit cards
  • Images of handwritten signatures
  • Images of identity documents
  • Medical records
  • Physical addresses, phone numbers and email addresses

As for the process followed when one of these requests is received, Google says it evaluates all the content of the web page that may expose confidential data, while trying not to limit the availability of other useful information for users. The company also checks whether the content a user wants removed is part of public or government records; if so, the request is inadmissible.

Although this is undoubtedly good news, users should remember that removing this content from Google Search results does not remove the content from the Internet. For that, it is necessary to contact the administrators of the website in question directly.

Google continues to change its policies in order to improve the privacy experience of its users. In recent days the company also revealed a new measure that allows users under the age of 18 to request the removal of any image of themselves from image search results. The parents and guardians of minors may also carry out this procedure.

Full information about these requests and other security and privacy measures implemented by Google is available on the company’s official communication channels.

GitHub was hacked. Source code is filtered from different repositories
https://www.securitynewspaper.com/2022/04/18/github-was-hacked-source-code-is-filtered-from-different-repositories/
Mon, 18 Apr 2022 16:35:17 +0000

In its latest security report, GitHub confirmed that a group of threat actors is using OAuth tokens belonging to legitimate users to download information from private repositories. The campaign was detected a week ago, and dozens of compromised repositories have already been identified, all of them using OAuth applications maintained by Heroku and Travis-CI.

Mike Hanley, GitHub’s chief security officer, confirmed the incident by mentioning that even the platform uses some of the affected apps: “Our analysis suggests that threat actors could be mining the contents of the downloaded private repository, to which the stolen OAuth token had access, in search of secrets that could be used to move to another infrastructure.”

The list of affected applications includes:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

GitHub’s security teams identified unauthorized access to their npm production infrastructure on April 12, when threat actors used a compromised AWS API key. This key could have been obtained by downloading some private npm repositories using the compromised tokens.

The tokens used for the attack were revoked when the platform identified the compromise. Hanley confirmed that the impact of the incident includes unauthorized access to private GitHub.com repositories, in addition to potential access to npm packages on its AWS S3 storage.

Even though threat actors could have stolen information from the compromised repositories, the platform has concluded that none of the packages were modified for malicious purposes: “npm uses an infrastructure independent of GitHub,” Hanley’s message ended.

Security teams on the platform are already working to notify affected users, in addition to maintaining an active investigation into the intrusion. To speed up the investigation, GitHub recommends users review their organizations’ audit logs, in addition to the security logs for each account to identify potential signs of attack.

Do not open this WhatsApp message offering Free Cadbury Chocolates; hackers can empty your bank accounts
https://www.securitynewspaper.com/2022/04/05/do-not-open-this-whatsapp-message-offering-free-cadbury-chocolates-hackers-can-empty-your-bank-accounts/
Tue, 05 Apr 2022 23:24:25 +0000

Confectionery maker Cadbury issued a statement warning its customers about a WhatsApp scam in which threat actors offer consumers a basket of free Easter chocolates, which they can supposedly claim through a link attached to the message.

The UK-based firm has confirmed that this is not a legitimate offer and users of the messaging app should ignore this alleged promotion: “We have been informed about social media posts claiming to offer consumers a basket of free Easter chocolate… We can confirm that this has not been generated by us and we urge consumers not to interact.”

Some users responded to one of the company’s posts on Twitter confirming that they had received the message, and some victims described falling into the trap by clicking on the attached link.

British authorities also issued a warning about this phishing campaign, asking users to ignore these messages given the risk of handing over their personal information to individuals with questionable intentions. Merseyside Police say they are aware of how difficult it is to refuse free chocolate, but strongly ask users not to interact with those messages.

This is clearly a phishing scam in which criminals craft attractive messages to trick users into handing over their personal information, mainly through a link to a fraudulent website with data-entry forms.

Finally, the UK’s National Cyber Security Centre advised users in general to think twice before clicking on any similar links, opening unsolicited messages or downloading suspicious attachments. Indicators such as misspellings, shortened URLs, and low-resolution images can help identify a potential phishing attack.

How FBI tracked one of the most famous and richest dark web vendors and seized $34 million USD?
https://www.securitynewspaper.com/2022/04/05/how-fbi-tracked-one-the-most-famous-and-richest-dark-web-vender-and-seized-34-million-usd/
Tue, 05 Apr 2022 21:10:38 +0000

The U.S. Department of Justice (DOJ) announced the seizure of $34 million USD in cryptocurrency that was under the control of a dark web vendor. Authorities seized 640.26 Bitcoin, 640.27 Bitcoin Cash, 540.27 Bitcoin Gold, 640.27 Bitcoin S.V. and 919.30 Ethereum.

In their investigation, authorities report that the individual from whom these virtual assets were seized was engaged in the sale of stolen confidential information on an unspecified dark web platform. Identified as “Moniker 1”, the seller made more than 100,000 transactions before being detected, some of them, as it turned out, with undercover agents.

Transactions made by this seller include:

  • In January 2016, an undercover agent purchased ten Netflix account usernames and passwords
  • In April 2016, an undercover agent purchased a username and password from a World Wrestling Entertainment account
  • In September 2016, an undercover agent purchased nearly 70 Uber account usernames and passwords
  • In March 2017, an agent purchased three Xfinity account usernames and passwords
  • In March 2017, an agent purchased access credentials to an HBO Go account

The work of the undercover agents made it possible to trace two residences in Florida, USA, allegedly belonging to the seller. Apparently, Moniker 1 used these addresses as a shipping address for some narcotics purchases.

The person associated with the shipping addresses lived at a residence in Parkland, Florida. Investigators identified the resident and, using a call log, monitored Internet traffic to and from the IP address associated with this residence. Authorities later identified the defendant’s bank account and obtained an order to access his transaction history. With that information in hand, investigators confirmed that these records matched the seller’s activity as recorded in cryptocurrency transactions.

In mid-May 2017, agents completed a search warrant during which a laptop owned by the defendant was seized, eventually leading to the seizure of the cryptocurrency accumulated by the seller.

After his arrest, the defendant acknowledged making thousands of transactions on platforms such as Silk Road, Agora, Nucleus, AlphaBay, Dream Market, Abraxas, Sheep and Evolution.

Blockchain analysis confirmed that 96% of the transactions at the defendant’s cryptocurrency address were associated with various dark web platforms. Court documents mention that the individual obtained thousands of Ethereum units by converting Bitcoin earned from illegal transactions on illicit online platforms.

Apparently, Moniker 1 converted Bitcoin into Ethereum using a virtual exchange platform that did not require users to provide personal information to complete a transaction, which let him carry out his illegal operations anonymously. According to other court documents, this exchange platform could be ShapeShift, as it shares the characteristics described by the agents.

A review of the Ethereum blockchain history showed that approximately 919.30 Ethereum units were deposited into the Ethereum 7800 wallet through nine transactions on or about March 16 and 17, 2017. These deposits were traced back to a known Ethereum address associated with the exchange platform mentioned above.

Another review, this time on the Bitcoin blockchain, showed that approximately thirty-two Bitcoin units were sent through nine transactions from the m6GW Bitcoin wallet to other Bitcoin addresses, and from those addresses, transfers were made to hide traces of these operations.

At the end of 2021, the defendant signed a consent to forfeiture, which the DOJ released through its official communication platforms. Because no one contested this decision, no further legal remedies can be filed to recover these assets on the defendant’s behalf. It is not yet known what sentence the defendant faces, although he is expected to face severe charges including conspiracy to commit fraud, money laundering and other crimes.

According to the DOJ press release, this case was the result of so-called “Operation TORnado,” described as a joint investigation arising from the ongoing efforts of the OCDETF. The forfeiture complaint lists the value of the seized cryptocurrency at $47 million USD, while the figure of $34 million USD appears in the USAO announcement.

NFL team confirms ransomware attack hours before the Super Bowl
https://www.securitynewspaper.com/2022/02/14/nfl-team-confirms-ransomware-attack-hours-before-the-super-bowl/
Mon, 14 Feb 2022 19:00:49 +0000

A few hours before the Super Bowl, the San Francisco 49ers security teams confirmed the detection of a ransomware attack on their corporate networks. The attack was confirmed by the NFL team after the operators of the BlackByte ransomware included the 49ers in their list of victims, published on a dark web platform.

In its report, the team claims to have implemented advanced mitigation mechanisms and initiated an investigation after detecting the attack: “While the investigation is ongoing, we believe that the incident is limited to our corporate network; to date, we have no indication that this incident involves external resources such as Levi’s Stadium’s control systems,” the statement said.

The incident has been reported to the relevant authorities, and the 49ers are working with an external cybersecurity firm on the investigation; they expect the affected systems to be restored shortly.

San Francisco nearly played in the Super Bowl, a scenario in which the ransomware attack could have severely affected the team’s sports readiness and logistics at a time when ransomware groups have become a critical security threat to the U.S. government.

While the incident had no impact on the big NFL game, cybersecurity specialists mention that it is still difficult to determine what the impact of the incident will be on the team’s operations, which could generate problems ahead of the NFL Draft, to be held in the coming days.

BlackByte is a ransomware-as-a-service (RaaS) operation, very small compared to other cybercriminal groups, but one that could grow in the coming weeks. Like other operations, ransomware affiliates can steal information for double extortion purposes, threatening to leak sensitive information if victims refuse to pay ransoms.

In late 2021, the FBI reported that the BlackByte ransomware had compromised multiple U.S. and foreign companies, including organizations in at least three critical infrastructure sectors, such as financial networks, distribution chains, and government facilities, among others.

Microsoft makes things harder for cyber criminals by disabling macros by default in Office products https://www.securitynewspaper.com/2022/02/08/microsoft-makes-things-harder-for-cyber-criminals-by-disabling-macros-by-default-in-office-products/ Tue, 08 Feb 2022 19:13:00 +0000
Microsoft has developed multiple protection mechanisms against some popular hacking variants, including the malicious use of macros. Sometimes, threat actors send Office files in which affected users must enable macros to complete the attack, triggering malware download, information theft, and even remote access.

Despite existing protection mechanisms (such as the bar indicating that macros have been disabled), malicious hackers continue to abuse macros in their attack campaigns, so Microsoft has had to devise new security methods. The most recent of these is a default change for the five Office applications that run macros.

Microsoft announced that, for macros in files on the Internet, users will no longer be able to enable macros with just one click; instead, a button with more information about the file and macros will appear, so the company hopes that users will have more information at hand about potential security risks.

On the other hand, when you download an untrusted Office file with macros included, a “Learn More” button will appear to inform the user that the file contains Visual Basic for Applications (VBA) macros.

By clicking on “Learn More”, users will be redirected to an article with information about phishing techniques, malware deployment and other hacking variants related to the use of macros. Removing Mark of the Web (MOTW) can also prove useful against macro attacks. MOTW is an attribute that Windows adds to files when they are obtained from an untrusted location.

System administrators can use the “Block macros from running on Office files from the Internet” policy to prevent users from inadvertently opening Internet files that contain macros. Microsoft recommends that you enable this policy to avoid problems related to these default changes.

Finally, Microsoft issued a couple of additional recommendations:

  • Open files from a trusted location
  • Open files with digitally signed macros and provide the certificate to the user

A full report on the new configurations against macro attacks is available on the company’s official platforms.
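As an added example (not part of the article and not Microsoft's code), the following PowerShell checks a downloaded file for the Mark of the Web described above and reports, for each of the five VBA-capable Office applications, whether the “Block macros from running on Office files from the Internet” policy is enforced. The sample file path and the Office registry version key `16.0` are assumptions.

```powershell
# Added example; not from the article or from Microsoft. Audits a downloaded Office file
# for Mark of the Web and checks whether the "Block macros from running in Office files
# from the Internet" policy is enforced. Assumes Office 2016/Microsoft 365 (registry
# version "16.0") and the five VBA-capable apps named in Microsoft's ADMX template.

function Get-MotwZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW is the Zone.Identifier alternate data stream; ZoneId 3 = Internet, 4 = Restricted.
    # A file with no stream is not marked, so Office's Internet-macro blocking never applies.
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-OfficeInternetMacroPolicy {
    # Per-app policy value written by the Office ADMX template; 1 = block, missing or 0 = not enforced.
    foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $item = Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App      = $app
            Enforced = ($null -ne $item -and $item.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

# Usage: report on a file the user just downloaded (path is a placeholder assumption).
$file = "$env:USERPROFILE\Downloads\invoice.docm"
$zone = Get-MotwZoneId -Path $file
if ($null -eq $zone) {
    Write-Warning "$file has no Mark of the Web: its macros will not be treated as Internet content."
} elseif ($zone -ge 3) {
    Write-Output "$file is marked ZoneId=$zone (Internet/Restricted); the Internet-macro block applies."
}
Get-OfficeInternetMacroPolicy | Where-Object { -not $_.Enforced } |
    ForEach-Object { Write-Warning "Policy not enforced for $($_.App); enable it via Group Policy." }
```

Run it in the context of the user whose Office settings are being audited, since the policy value lives under HKCU.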

How scammers are using job offers to steal your identity https://www.securitynewspaper.com/2022/02/02/how-scammers-are-using-job-offers-to-steal-your-identity/ Wed, 02 Feb 2022 18:29:58 +0000
Through its Internet Crime Center (IC3), the Federal Bureau of Investigation (FBI) reports that cybercriminal groups are exploiting some errors in the verification mechanisms in a professional and job platform to publish malicious ads that would allow data theft and other variants of electronic fraud and extortion.

The main goal of this fraud variant is to obtain confidential information from victims, including email addresses, dates of birth, social security numbers, and even some financial details. The agency mentions that, since 2019, this variant of hacking has generated millions of dollars in losses, with hackers using business accounts on an employment-focused website to advertise fraudulent job offers.

As mentioned above, the IC3 attributes the increase in this trend to low security standards on this website, allowing threat actors to run any ads to attract potential victims: “These ads appear alongside legitimate jobs posted by other companies, making it difficult for applicants and other companies to distinguish between legitimate and fraudulent job postings,” notes the report.

Authorities did not disclose the compromised online work platform, although security specialists believe it could be LinkedIn, one of the most important professional networking platforms. A few months ago it was reported that a flaw in LinkedIn would have allowed any user to post a job offer from a verified business account without requiring verification.

Last week, LinkedIn published its latest Transparency Report, which includes detailed reports on fraudulent practices on the platform. The report notes that, over the past year, security teams blocked a total of 11.5 million fake accounts on the website, in addition to removing more than 60 million posts deemed spam or fraudulent content.

These malicious posts reuse a lot of information from legitimate businesses, be it logos, addresses, phone numbers or email addresses, which makes the scam even more credible. As if that were not enough, the FBI pointed to the detection of some cases in which scammers even obtain the names of real employees at these companies, using this information to contact unsuspecting users. Remember that it is not advisable to share these details with any user over the Internet, even when contact is established through a recognized platform.

Ransomware gangs can be traced. Big gang arrested in Ukraine https://www.securitynewspaper.com/2022/01/13/ransomware-gangs-can-be-traced-big-gang-arrested-in-ukraine/ Thu, 13 Jan 2022 23:43:14 +0000
Authorities in Ukraine announced the arrest of a hacking group responsible for attacking some 50 organizations in the United States and Europe with a ransomware variant, generating losses of more than $1 million USD. According to the report, a 36-year-old Ukrainian citizen acted as the leader of the group, acting along with his wife and three acquaintances.

At the moment, the ransomware variant used by this group is unknown, although it is known that the attack vector was malicious emails. Three members of the operation were in charge of receiving the ransoms in cryptocurrency, in addition to handing the victims the decryption key once payment was completed.

To launder funds received as ransom payments, the threat actors conducted complex financial transactions using online payment systems banned in Ukraine, passing the money through an extensive network of fictitious identities until the original trail was lost.

In addition to operating a ransomware variant, the hackers also offered services similar to a virtual private network (VPN), which allowed other cybercriminal groups to carry out all sorts of illegal activities, from ransomware infections to corporate hacking.

Cybercriminal infrastructure was used to compromise all kinds of systems, including government agencies and private companies. Members of this group were able to deploy denial of service (DoS) attacks, ransomware infections, and theft of sensitive information. One of the defendants also faces charges of stealing payment card data in the UK. During the raid, authorities confiscated all kinds of computer equipment, cloned bank cards, USB storage devices, cars and cash. The defendants face charges of money laundering, developing and distributing malicious software.

Ukrainian authorities have been very active in recent months on cybercrime-related issues, arresting ransomware actors, scammers, botnet operators and phishing actors.
