The cybersecurity landscape is evolving rapidly, and a new Mirai botnet variant is raising alarms. 🛡️ The Gayfemboy botnet, rooted in Mirai, has exploited critical zero-day vulnerabilities in routers, notably CVE-2024-12856 affecting Four-Faith devices.

Key facts:
- Over 15,000 devices infected and daily active bots maintained.
- Exploitation of known vulnerabilities (CVE-2013-3307, CVE-2014-8361) and weak Telnet credentials fuels its presence.
- Targets include routers from ASUS, Kguard DVRs, and various smart home devices.
- The botnet orchestrates DDoS attacks, data exfiltration, and possibly cryptocurrency mining.

This botnet isn’t just a basic threat; it features advanced capabilities, deploying a modified UPX shell and proactive countermeasures against research efforts.

Act swiftly:
- Patch vulnerable routers immediately, especially those from Four-Faith and ASUS.
- Monitor devices for unusual activity and implement intrusion detection systems.
Kevin Tibbets’ Post
Muhstik Botnet Exploits Apache RocketMQ Vulnerability for DDoS Amplification

The Muhstik botnet has capitalized on a critical flaw in Apache RocketMQ, a now-patched vulnerability, to intensify its distributed denial-of-service (DDoS) attacks. By leveraging CVE-2023-33246, Muhstik gains unauthorized access to vulnerable servers, facilitating the deployment of its malicious payload. The malware, adept at cryptocurrency mining and executing DDoS assaults, demonstrates persistence and evasion techniques to avoid detection and removal. Organizations are urged to update their Apache RocketMQ installations promptly to thwart potential attacks.

Security Tip for SecureNexa's Followers: Regularly update and patch vulnerable software to mitigate the risk of exploitation by threat actors. Employ robust security measures, such as intrusion detection systems (IDS) and behavior-based analytics, to detect and block suspicious activities on your network. Additionally, enforce stringent access controls and implement multi-factor authentication (MFA) to prevent unauthorized access to critical systems and resources.
YubiKey Cryptographic Flaw Lets Attackers Clone Devices by Extracting Private Key: Security researchers have uncovered a significant vulnerability in YubiKeys, specifically targeting the YubiKey 5 Series. This vulnerability, identified as a side-channel attack, allows attackers to clone these devices by extracting the secret keys stored within them. The attack exploits a flaw in the Infineon cryptographic library used in the secure elements of these devices, which […] The post "YubiKey Cryptographic Flaw Lets Attackers Clone Devices by Extracting Private Key" appeared first on Cyber Security News. #CyberSecurity #InfoSec
Security researchers from Avast have revealed that the Lazarus Group, a North Korean APT group, exploited a previously unknown zero-day vulnerability (CVE-2024-38193) in the Windows AFD.sys driver. This flaw allowed the hackers to gain kernel-level access to targeted systems, bypassing security restrictions and accessing sensitive areas. The vulnerability was first detected by researchers Luigino Camastra and Milanek in early June 2024, who noticed the group’s use of the flaw to infiltrate industries like cryptocurrency and aerospace.

The Lazarus Group deployed a sophisticated malware known as Fudmodule to evade detection. The group, believed to be backed by the North Korean government, has been active since 2009 and is known for its highly sophisticated cyberattacks on various industries globally, including financial institutions, government bodies, and private businesses. The seriousness of this zero-day exploitation is underscored by the sectors it targeted—primarily those involved in cryptocurrency engineering and aerospace, where the attackers sought to infiltrate networks and steal valuable assets, particularly cryptocurrencies, to fund their operations.

Microsoft addressed the flaw with a patch in June 2024, after being alerted by Gen Threat Labs, which provided detailed exploit code enabling a swift response. Microsoft emphasized that successful exploitation of this vulnerability could grant attackers SYSTEM privileges, making it imperative for all Windows users to update their systems promptly.

This incident highlights the growing sophistication of cybercriminals and the need for constant vigilance in cybersecurity practices. Regular system updates and awareness of potential vulnerabilities are critical for safeguarding against such advanced threats. For a more in-depth analysis, please visit the original report on cybersecuritynews.com.
YubiKey Cryptographic Flaw Lets Attackers Clone Devices by Extracting Private Key

Security researchers have uncovered a significant vulnerability in YubiKeys, specifically targeting the YubiKey 5 Series. This vulnerability, identified as a side-channel attack, allows attackers to clone these devices by extracting the secret keys stored within them. The attack exploits a flaw in the Infineon cryptographic library used in the secure elements of these devices, which are widely regarded as robust authentication tools. The vulnerability, termed “EUCLEAK,” was discovered by NinjaLab researchers, who found that the Infineon Elliptic Curve Digital Signature Algorithm (ECDSA) implementation in the YubiKey 5 Series is susceptible to side-channel attacks. The attack targets the non-constant-time modular inversion operation within the ECDSA, allowing attackers to extract the secret key used for cryptographic operations.

Stay connected to Sidharth Sharma, CPA, CISA, CISM, CFE, CDPSE for content related to Cyber Security.

#CyberSecurity #JPMC #Technology #InfoSec #DataProtection #DataPrivacy #ThreatIntelligence #CyberThreats #NetworkSecurity #CyberDefense #SecurityAwareness #ITSecurity #SecuritySolutions #CyberResilience #DigitalSecurity #SecurityBestPractices #CyberRisk #SecurityOperations
A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk. The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances. In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalogue, based on evidence of active exploitation. The Shadowserver Foundation said it detected exploitation attempts against its honeypot sensors starting July 9, 2024.

According to Fortinet FortiGuard Labs, the flaw has been observed being used to deliver GOREVERSE, a reverse proxy server designed to establish a connection with a command-and-control (C2) server for post-exploitation activity. These attacks are said to target IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil. The GeoServer server has also served as a conduit for Condi and a Mirai botnet variant dubbed JenX, and at least four types of cryptocurrency miners, one of which is retrieved from a fake website that impersonates the Institute of Chartered Accountants of India (ICAI).

Perhaps the most notable of the attack chains leveraging the flaw is the one that propagates an advanced Linux backdoor called SideWalk, which is attributed to a Chinese threat actor tracked as APT41. The starting point is a shell script that's responsible for downloading the ELF binaries for ARM, MIPS, and X86 architectures, which, in turn, extract the C2 server from an encrypted configuration, connect to it, and receive further commands for execution on the compromised device. This includes running a legitimate tool known as Fast Reverse Proxy (FRP) to evade detection by creating an encrypted tunnel from the host to the attacker-controlled server, allowing for persistent remote access, data exfiltration, and payload deployment.

"The primary targets appear to be distributed across three main regions: South America, Europe, and Asia," security researchers Cara Lin and Vincent Li said.
🎃 Interesting APT Research and Cybersecurity News of the Week

The week was rich with news about Lazarus. This APT actor, known for targeting industrial secrets and cryptocurrency:
◼ Released a real MOBA game to lure crypto investors to its site and infect them with malware, exploiting a zero-day in Chrome. The game was actively promoted on social media. https://lnkd.in/dQnE3EBb
◼ Published a malicious npm package, nft_marketplace, infecting developers with the BeaverTail backdoor. https://lnkd.in/d6UE5Bdm
◼ Lured developers with job offers in cryptocurrency projects, prompting them to install Python malware during the "interview" process. https://lnkd.in/daqbdumT

Overview of new versions of info-stealers: Kral, Amos, Vidar. https://lnkd.in/dw7q4mXZ

Targeted attacks on Armenian-speaking users involve persuading victims to copy and paste a malicious script into PowerShell, which installs PDQ RMM. Researchers attribute the attack to MuddyWater APT. https://lnkd.in/dhu5x_ve

Meet the latest versions of the Grandoreiro banker, affecting clients of 1,700 banks in 45 countries. Surprisingly, this Windows malware continues to thrive despite the global rise of mobile banking. https://lnkd.in/gdHggS9F

New players in the ransomware scene: Embargo. They use their own Rust-based malware and disable EDR using MS4Killer. https://lnkd.in/dNUcixh4

New encryption methods and evasion techniques in Quilin/Agenda RaaS. https://lnkd.in/gmmWdthw

Docker servers are being attacked by the SRBminer cryptomining bot. The attack method is notable—via the gRPC protocol over h2c (unencrypted HTTP/2). https://lnkd.in/gKwaDbnp

The week was eventful for network security vendors:
◼ Cisco's bulletin describes 36 vulnerabilities, including an actively exploited zero-day in ASA & FTD, CVE-2024-20481, used to disrupt the RAVPN service. https://lnkd.in/e69mGRbg
◼ Fortinet patched CVE-2024-47575, an RCE in FortiManager, which was later found to be actively exploited. Reports indicate the attack scheme involves compromising MSPs through this vulnerability, and then their clients. https://lnkd.in/gGvrjtJ8

Not network security related, but still notable—CVE-2024-38094 in SharePoint Server quickly gained a public PoC and is now being exploited by attackers. https://lnkd.in/ehFyCvMe

#APT #digest #vulnerabilities #cybersecurity
Lazarus Group, a North Korean cyber threat actor, is using fake job interviews to deliver malware, including InvisibleFerret, a Python-based backdoor. InvisibleFerret steals sensitive information, including source code, credentials, and cryptocurrency wallets, using reconnaissance, data exfiltration, and persistence techniques. ANY.RUN’s sandbox can be used to analyze InvisibleFerret and identify its tactics, techniques, and procedures (TTPs), helping businesses strengthen their defenses against similar threats.
North Korean Hackers Actively Exploiting Chromium RCE Zero-Day In The Wild: Microsoft has identified a North Korean threat actor, Citrine Sleet, exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution on cryptocurrency targets. The threat actor deployed the FudModule rootkit, previously attributed to Diamond Sleet, suggesting potential shared use of malware between these North Korean threat actors. The V8 JavaScript engine in Chrome […] The post North Korean Hackers Actively Exploiting Chromium RCE Zero-Day In The Wild appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
New Dark Skippy Attack Let Hackers Steal Secret Keys From Signing Device: The threat landscape is significantly evolving, and cybersecurity researchers are continuously developing new security mechanisms to mitigate such evolving and sophisticated threats. Cybersecurity researchers Lloyd Fournier, Nick Farrow, and Robin Linus recently discovered a new Dark Skippy attack that enables hackers to steal secret keys from signing devices. While it was discovered on the 8th […] The post New Dark Skippy Attack Let Hackers Steal Secret Keys From Signing Device appeared first on Cyber Security News. #CyberSecurity #InfoSec
#Day80 of #100Dayschallenge

Day 80: Cryptojackers — Stealing Your CPU for Profit 💰

Cryptojackers: Turning Your Devices into Money-Making Machines (For Them)

Cryptojackers are a type of malware that secretly uses your device’s resources to mine cryptocurrency for attackers.

1. What is Cryptojacking?
Cryptojacking is the unauthorized use of a device’s computing power to mine cryptocurrencies like Bitcoin or Monero. It can occur through malicious websites, scripts, or infected software without the victim’s awareness.

2. Notable Examples:
- Coinhive: A now-defunct service once abused for browser-based cryptojacking.
- Smominru Botnet: A malware campaign that infected millions of devices to mine Monero.

3. How Does Cryptojacking Work?
- Delivery: Malware is delivered via phishing, malicious websites, or compromised software.
- Execution: The cryptojacker runs a mining script or program, consuming CPU/GPU resources.
- Profit: The attacker earns cryptocurrency while the victim deals with system slowdowns and increased energy consumption.

4. Risks of Cryptojacking:
- Performance Issues: Slows down devices, making them unusable for legitimate tasks.
- Increased Costs: Raises electricity bills due to high CPU/GPU usage.
- Device Damage: Can overheat and reduce the lifespan of hardware components.

5. Prevention Tips:
- Ad Blockers: Prevent mining scripts from running on malicious websites.
- Antivirus Software: Detect and remove cryptojacking malware.
- Browser Extensions: Use anti-cryptojacking plugins to block mining scripts.
- Monitor System Performance: Look for sudden spikes in CPU/GPU usage or fan noise.

6. Ethical Hacker’s Role:
Ethical hackers mitigate cryptojacking risks by:
- Testing systems for vulnerabilities that cryptojackers exploit.
- Implementing robust security measures like network monitoring and endpoint protection.
- Educating users about cryptojacking and its warning signs.

🔍 Have you ever noticed your device running slower than usual? Could cryptojacking be the culprit? Let’s discuss below!

#CyberSecurity #EthicalHacking #Cryptojacking #Malware #InfoSec #CryptoMining
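The post's "monitor system performance" tip is the one that turns into detection logic: a miner does not spike briefly like a browser rendering a page, it pins a core for as long as it runs. The following is an added example, not code from the post above, showing how per-process CPU samples can be screened for sustained (rather than momentary) high usage. The telemetry, process names (including the hypothetical `svc_update`) and sampling interval are all constructed for illustration.

```python
"""Flag processes whose CPU usage stays high across consecutive samples.

A single spike is normal (a browser rendering a page, a build step). A
cryptojacker tends to hold a core near 100% for its whole lifetime, so the
signal worth alerting on is a long streak of high samples, not the peak.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (not real data): (timestamp_s, process, cpu_percent),
# as an endpoint agent might collect every 10 seconds. "svc_update" is a
# hypothetical name chosen to look like a benign service.
SAMPLES: List[Tuple[int, str, float]] = [
    (0, "firefox", 12.0), (0, "kworker/0:1", 1.5), (0, "svc_update", 4.0),
    (10, "firefox", 95.0), (10, "kworker/0:1", 2.0), (10, "svc_update", 97.0),
    (20, "firefox", 30.0), (20, "kworker/0:1", 1.0), (20, "svc_update", 99.0),
    (30, "firefox", 20.0), (30, "kworker/0:1", 1.8), (30, "svc_update", 98.0),
    (40, "firefox", 15.0), (40, "kworker/0:1", 1.2), (40, "svc_update", 96.0),
    (50, "firefox", 10.0), (50, "kworker/0:1", 1.1), (50, "svc_update", 99.0),
]


def sustained_cpu_hogs(
    samples: List[Tuple[int, str, float]],
    threshold: float = 80.0,
    min_consecutive: int = 3,
) -> Dict[str, Dict[str, Optional[float]]]:
    """Return {process: {"streak", "since", "peak"}} for every process whose
    CPU usage was >= threshold in at least min_consecutive consecutive samples.

    "streak" is the length of the longest qualifying run, "since" the timestamp
    at which that run began, "peak" the highest reading inside it.
    """
    # Group readings per process, in time order.
    by_proc: Dict[str, List[Tuple[int, float]]] = {}
    for ts, proc, cpu in sorted(samples):
        by_proc.setdefault(proc, []).append((ts, cpu))

    flagged: Dict[str, Dict[str, Optional[float]]] = {}
    for proc, series in by_proc.items():
        best = {"streak": 0, "since": None, "peak": 0.0}
        streak, since, peak = 0, None, 0.0
        for ts, cpu in series:
            if cpu >= threshold:
                if streak == 0:          # a new run starts here
                    since, peak = ts, cpu
                streak += 1
                peak = max(peak, cpu)
                if streak > best["streak"]:
                    best = {"streak": streak, "since": since, "peak": peak}
            else:                        # run broken; reset the counters
                streak, since, peak = 0, None, 0.0
        if best["streak"] >= min_consecutive:
            flagged[proc] = best
    return flagged


def report(flagged: Dict[str, Dict[str, Optional[float]]], interval_s: int = 10) -> List[str]:
    """Render one human-readable alert line per flagged process."""
    lines = []
    for proc, info in sorted(flagged.items()):
        duration = (info["streak"] - 1) * interval_s
        lines.append(
            f"ALERT {proc}: CPU >= threshold for {info['streak']} samples "
            f"(~{duration}s) starting at t={info['since']}s, peak {info['peak']}%"
        )
    return lines


if __name__ == "__main__":
    for line in report(sustained_cpu_hogs(SAMPLES)):
        print(line)
```

With the constructed data, `firefox` produces one 95% reading and is ignored, while `svc_update` is flagged for a five-sample run. In practice the same function runs over samples from `ps`, `/proc` or an EDR agent; tune `threshold` and `min_consecutive` to the host's normal workload so that builds and backups do not alert, and treat a flagged process with an unfamiliar name or path as the cue to investigate rather than as proof of mining on its own.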