Iran fends off cyberespionage.
Iran's telecommunications minister, Mohammad Javad Azari-Jahromi, announced that the country had thwarted another cyberattack against Iranian government systems, the BBC reports. Jahromi attributed the attack to the Chinese-linked threat group APT27 (also known as Emissary Panda) and said the hackers were trying to conduct espionage. He added that the attack was foiled by Iran's cybersecurity project called the "Dejfa fortress" (Digital Fortress). Jahromi had also announced last Wednesday that the country's electronic infrastructure was targeted by a cyberattack.
Lazarus Group targets Linux.
ZDNet reports that North Korea's Lazarus Group has turned its attention to Linux systems with a new Trojan called "Dacls." Researchers at Netlab 360 analyzed a sample of the malware and identified Windows and Linux versions using the same command-and-control protocol. Once it's on a system, Dacls can establish encrypted communication with its C2 server in order to execute commands, scan the network, manipulate files, and manage processes.
On the malware's download server, the researchers discovered an exploit for a vulnerability (CVE-2019-3396) affecting unpatched versions of Atlassian's Confluence server, which can allow for remote code execution using server-side template injection. The Trojan appears to spread by exploiting this vulnerability, and Netlab 360 urges users of Confluence to update their servers.
Many RSA keys are vulnerable to compromise.
Keyfactor has published a report showing that 1 in 172 RSA certificates have keys that share a factor with another certificate's key, resulting in a total of 435,000 weak certificates on the Internet. The computing power necessary to compromise all of these keys cost Keyfactor less than $3,000.
The researchers stress that these keys are weak because they aren't generated with enough entropy (randomness). IoT devices are particularly susceptible to generating weak keys due to lightweight hardware and a sparse amount of input data, and Keyfactor believes these devices account for the majority of weak certificates on the Internet. As an ever-increasing number of IoT devices are added to the Internet, Keyfactor recommends that these and other systems "use security best practices from inception, and in any case must have the ability to securely update both software and cryptography to protect against risks like this."
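The audit Keyfactor describes boils down to a GCD check across the collected moduli: two RSA keys that were built from the same prime reveal that prime as their greatest common divisor, and both keys are factored on the spot. The example below is added here, not code from the Keyfactor report; it uses constructed toy moduli (small primes stand in for the 1024-bit primes of a real key, and the shared prime models a low-entropy generator repeating itself).

```python
from math import gcd
from itertools import combinations

# Constructed toy data: cert-A and cert-B came from a low-entropy generator that
# reused the prime P_SHARED; cert-C was built from two independent primes and
# should pass the audit. A real audit feeds in each certificate's RSA modulus n.
P_SHARED = 1000003
KEYS = {
    "cert-A": P_SHARED * 1000033,
    "cert-B": P_SHARED * 1000037,
    "cert-C": 1000039 * 1000081,
}


def find_shared_factors(moduli):
    """Return {name: (p, q)} for every modulus that shares a prime with another.

    A non-trivial gcd between two moduli is that shared prime, and n // gcd is
    the other factor, so the key is fully compromised without any factoring.
    Pairwise gcd is O(n^2); Internet-scale audits use a batch-GCD product tree,
    but the test applied to each pair is exactly this one.
    """
    broken = {}
    for (a, n_a), (b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        if g == n_a or g == n_b:
            # Identical moduli: not a shared factor, but the same key twice.
            continue
        if g > 1:
            broken[a] = (g, n_a // g)
            broken[b] = (g, n_b // g)
    return broken


def factorisation_is_valid(moduli, broken):
    """Sanity check that every recovered (p, q) pair multiplies back to n."""
    return all(p * q == moduli[name] for name, (p, q) in broken.items())


if __name__ == "__main__":
    weak = find_shared_factors(KEYS)
    for name, (p, q) in weak.items():
        print(f"{name}: modulus factored as {p} * {q}")
    print("all factorisations verified:", factorisation_is_valid(KEYS, weak))
```

Running this over the moduli of your own certificate inventory (for example, `cert.public_key().public_numbers().n` from the `cryptography` library) flags exactly the keys that need replacing rather than just re-issuing.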
New Mirai variant exploits seventy-one vulnerabilities.
Palo Alto Networks's Unit 42 describes an updated version of the ECHOBOT variant of the Mirai botnet. This variant targets seventy-one different vulnerabilities, thirteen of which haven't previously been seen exploited in the wild. The vulnerabilities' dates of disclosure range from March 2003 to December 2019, possibly indicating, the researchers say, that the attackers are "targeting either legacy devices that are still in use but probably too old to update due to compatibility issues and newer vulnerabilities that are too recent for owners to have patched."
The new exploits target "the usually expected routers, firewalls, IP cameras and server management utilities," as well as "more rarely seen targets like a PLC, an online payment system and even a yacht control web application."
ECHOBOT stands apart from other Mirai variants due to the number of exploits it contains. BleepingComputer notes that ECHOBOT has been rapidly adding to its collection since it was first discovered in June. Unit 42 says that unlike other variants of the malware, which focus on targeting the most effective and widespread vulnerabilities, ECHOBOT's developers seem to incorporate any exploit they can get their hands on.
Waterbear is using API hooking.
Trend Micro has an account of recent activity associated with the Waterbear cyberespionage campaign. Waterbear is linked to a threat group known as "BlackTech," which conducts espionage against tech companies and governments in East Asia, with most of its focus on Taiwan.
The two payloads observed in the recent campaign were using several techniques that are new to Waterbear. The first payload injects code into a certain security product (which the researchers decline to name), which allows the second payload to go undetected. This second payload is "a typical Waterbear first-stage backdoor," which hijacks a DLL in order to import and execute a malicious loader.
The first payload uses API hooking in order to manipulate functions in the memory of the security product. By doing this, it's able to hide the process IDs of both payloads from the security product.
Hawkeye keylogger used to download an old cryptominer.
Cofense has discovered a phishing campaign that uses the sophisticated Hawkeye keylogger as a first-stage loader for an older version of an open-source cryptominer. The keylogger arrives in a malicious attachment that poses as a job application, which is distributed via email. The attachment is a ZIP file that installs Hawkeye Reborn V9.
Cofense emphasizes the rarity of using a keylogger to simply download a cryptominer. The Hawkeye keylogger in particular is a fairly advanced strain of malware that operates on a subscription model. It contains various features for gathering information and exfiltrating data, and it isn't really meant to be used as a first-stage loader. It does possess the ability to install files, although this is usually used to merely establish persistence on the targeted machine. In this case, the attackers used this file installation capability to download and activate an old version of CGMiner, an open-source cryptominer. Once CGMiner is set up and mining Litecoin, Hawkeye ceases to operate.
It's not clear why the attackers chose to use Hawkeye as their loader, but apparently it works. On the bright side, loading a cryptominer is one of the more benign things Hawkeye could be used for.
Card skimmers compromise counterfeit shoe sellers.
Malwarebytes has come across hundreds of counterfeit online shoe stores that have been infected with a payment card skimmer. The skimmer would send billing information and credit card numbers to a server in China. Each of the infected sites was located within the same few IP subnets, and they were all running outdated versions of Magento or PHP software. The researchers believe an attacker scanned the IP blocks for sites running vulnerable software and injected skimming code into each one. Malwarebytes emphasizes that "counterfeit sites pose a double threat, not only from obtaining illicit goods but also getting robbed of data by a different group of criminals."