
GPU giant NVIDIA suffered a "devastating" cyber attack, and the number one malware shut down its botnet infrastructure | Global cyber security hotspots, February 28

2022-06-12 20:47:00 Tencent Security


Security news

TrickBot malware gang shuts down its botnet infrastructure

The modular Windows crimeware platform known as TrickBot officially shut down its infrastructure on Thursday, following earlier reports that it was about to retire after nearly two months of inactivity. This marks the end of one of the most persistent malware operations of recent years.

Two reports, from the cybersecurity companies AdvIntel and Intel471, suggest that TrickBot's five-year run may be coming to an end: as visibility into its operations increased, the operators were pushed to update and improve their malware, for example BazarBackdoor (also called BazarLoader).

Abuse.ch's Feodo Tracker, a malware tracking project, shows that no new TrickBot command-and-control (C2) servers have been set up since December 16, 2021, while BazarLoader and Emotet are in full swing, with new C2 servers registered as recently as February 19 and 24.

TrickBot's demise comes as the Conti ransomware operators recruit top talent from the former group and focus on BazarBackdoor and other, stealthier malware alternatives.

News source :

https://thehackernews.com/202...

Jester Stealer malware adds more features to attract hackers

An information-stealing malware named Jester Stealer is becoming increasingly popular in the underground cybercrime community because of its features and affordable price. Researchers say Jester Stealer is currently licensed to users for 99 US dollars per month, or 249 dollars for lifetime access.

According to analysis by Cyble Research, Jester Stealer is an emerging piece of malware that first appeared on cybercrime forums in July 2021. It uses AES-CBC-256 encrypted communication, supports Tor network servers, redirects logs to a Telegram bot, and bundles the stolen data in memory before exfiltration.

Jester Stealer is .NET malware that usually reaches the target system through phishing emails, disguised as a txt, jar, ps1, bat, png, doc, xls, pdf, mp3, mp4 or ppt file attachment. Alternatively, threat actors use miscellaneous distribution channels, for example promoting pirated content and hacking tools through YouTube.

It has several built-in anti-analysis checks that test whether it is running in a virtualized environment. If the malware detects the presence of VirtualBox, VMBox or VMware on the host system, it terminates its execution.

All stolen data is kept in system memory, so nothing is written to disk. Before exfiltration the data is packed into a ZIP archive, which is then sent out through a Tor proxy on port 9050.

Once exfiltration is complete, Jester Stealer deletes itself from the infected machine to minimize the chance that the victim becomes aware of the data theft.
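The in-memory staging and self-deletion described above leave little on disk, but the exfiltration path through a local Tor SOCKS proxy on port 9050 is visible in endpoint network telemetry. The following is an added example (not code from the original article or from Cyble) of a hunting heuristic: it scans constructed Sysmon-style Event ID 3 (network connection) records, written here in a simplified key=value form, and flags any process other than an expected Tor client that connects to a Tor SOCKS port. The record format, the port list and the set of expected Tor images are assumptions to be tuned per environment.

```python
"""Hunt for Jester Stealer-style exfiltration via a local Tor SOCKS proxy.

Added example, not from the original article or from Cyble. It scans
constructed Sysmon Event ID 3 (network connection) records, here in a
simplified key=value form, for processes other than a known Tor client
that connect to the Tor SOCKS port. Format and names are assumptions.
"""
import re
from dataclasses import dataclass

TOR_SOCKS_PORTS = {9050, 9150}                 # 9150 is the Tor Browser default (assumption)
KNOWN_TOR_IMAGES = {"tor.exe", "firefox.exe"}  # processes expected to talk to Tor; tune locally

# Non-greedy image capture so paths containing spaces still parse.
LINE_RE = re.compile(
    r"Image=(?P<image>.+?)\s+DestinationIp=(?P<ip>\S+)\s+DestinationPort=(?P<port>\d+)"
)


@dataclass(frozen=True)
class Finding:
    image: str
    dest: str
    reason: str


def parse_event(line):
    """Return (image, destination ip, destination port) or None if the line is not a connection record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("image"), m.group("ip"), int(m.group("port"))


def hunt(lines):
    """Flag non-Tor processes connecting to a Tor SOCKS port."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        image, ip, port = ev
        if port not in TOR_SOCKS_PORTS:
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in KNOWN_TOR_IMAGES:
            continue
        reason = "non-Tor process talking to Tor SOCKS port"
        # A phishing-delivered dropper typically runs from a user-writable location.
        if image.lower().startswith(("c:\\users\\", "c:\\programdata\\")):
            reason += " from a user-writable path"
        findings.append(Finding(image, f"{ip}:{port}", reason))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Program Files\\Tor\\tor.exe DestinationIp=185.220.101.1 DestinationPort=443",
    "EventID=3 Image=C:\\Tor Browser\\Browser\\firefox.exe DestinationIp=127.0.0.1 DestinationPort=9150",
    "EventID=3 Image=C:\\Users\\alice\\Downloads\\invoice.pdf.exe DestinationIp=127.0.0.1 DestinationPort=9050",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=10.0.0.5 DestinationPort=445",
    "EventID=3 Image=C:\\ProgramData\\update.exe DestinationIp=127.0.0.1 DestinationPort=9050",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[!] {f.image} -> {f.dest}: {f.reason}")
```

Because the stealer removes itself afterwards, the connection record may be the only durable artifact; pair this rule with process-creation events so the flagged image can still be tied back to the phishing attachment that spawned it.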

News source :

https://www.bleepingcomputer....

New "SockDetour" fileless backdoor targets U.S. defense contractors

Cybersecurity researchers have uncovered a previously undocumented stealthy custom malware called SockDetour, which targeted U.S. defense contractors and is used as a secondary implant on infected Windows hosts.

Palo Alto Networks' Unit 42 threat intelligence team said in a report released on Thursday: "It is hard to detect because it runs filelessly and socketlessly on compromised Windows servers."

The researchers note that "the FTP server hosting SockDetour is a compromised Quality Network Appliance Provider (QNAP) small office and home office (SOHO) network-attached storage (NAS) server." That NAS model is known to have multiple vulnerabilities, including the remote code execution vulnerability CVE-2021-28799.

What's more, the same server is said to have been infected with QLocker ransomware, which raises the possibility that the TiltedTemple actors used the above vulnerability to gain unauthorized initial access.

SockDetour itself is designed as a standalone backdoor: it hijacks the network socket of a legitimate process to establish its own encrypted C2 channel, and then loads unidentified plugin DLL files retrieved from the server.

News source :

https://thehackernews.com/202...

Malware spreads through game apps on the Microsoft Store

A new malware that can take control of social media accounts is being distributed as trojanized game applications through Microsoft's official app store, and has infected more than 5,000 Windows machines in Sweden, Bulgaria, Russia, Bermuda and Spain.

Israeli cybersecurity company Check Point calls the malware "Electron Bot", after the command-and-control (C2) domain used in recent campaigns. The identity of the attackers is unclear, but there is evidence that they may be from Bulgaria.

Check Point's Moshe Marelus said in a report published this week that the malware is mainly distributed through the Microsoft Store platform and dropped by dozens of infected applications (mainly games), which the attackers continually upload.

Electron Bot's core function is to open a hidden browser window and use it for SEO poisoning, generating ad clicks, driving traffic to content hosted on YouTube and SoundCloud, and promoting specific products to earn from ad clicks or to inflate store ratings for higher sales.

Most importantly, it can also control social media accounts on Facebook, Google and SoundCloud, including registering new accounts, logging in, and commenting on and liking other posts to increase view counts.

News source :

https://thehackernews.com/202...

NVIDIA suffers "devastating" cyber attack

American chipmaker NVIDIA confirmed today that it is investigating an "incident" which reportedly took some of its systems down for two days.

As first reported by The Telegraph, the systems affected by the cyber attack include the company's developer tools and email systems. The reported outage is the result of a network intrusion; it is unclear whether any business or customer data was stolen during the incident.

NVIDIA told BleepingComputer that the nature of the incident is still being assessed and that the company's business activities have not been affected. An insider described the incident as having "completely compromised" NVIDIA's internal systems.

The Lapsus$ extortion group claims to have breached NVIDIA and stolen 1 TB of data from its network. They have also leaked what they claim are the password hashes of all NVIDIA employees.

News source :

https://www.bleepingcomputer....

Vulnerability alerts

CISA warns of actively exploited vulnerabilities in Zabbix servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a notice warning that threat actors are exploiting vulnerabilities in Zabbix, an open-source tool for monitoring networks, servers, virtual machines and cloud services.

The agency requires federal agencies to fix any Zabbix servers affected by the security issues tracked as CVE-2022-23131 and CVE-2022-23134, to avoid "significant risk" from malicious cyber actors. One of the vulnerabilities has a severity score of 9.1 out of 10.

An attacker exploiting this issue can bypass authentication on servers where Security Assertion Markup Language (SAML, which is not enabled by default) is configured. SAML is an open standard that provides single sign-on by exchanging authentication data between identity providers and service providers. The Dutch National Cyber Security Centre warned that this vulnerability is being actively exploited and can allow remote code execution with root privileges.

The second vulnerability, CVE-2022-23134, is a medium-severity improper access control issue that allows an attacker to change the configuration file (the setup.php script) and access the dashboard with elevated privileges.

CISA has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, as they represent a common attack vector, and requires federal agencies to install the available patches by March 8.
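Meeting the March 8 deadline starts with knowing which Zabbix frontends are still on an affected release and whether SAML is actually turned on. Below is an added example (not code from the original article, from CISA or from Zabbix) of a triage helper: it builds the unauthenticated `apiinfo.version` JSON-RPC request that returns the frontend version, parses a constructed reply, and compares the version with the affected ranges for CVE-2022-23131. The ranges (5.4.0 to 5.4.8 and 6.0.0alpha1 to 6.0.0beta1, fixed in 5.4.9rc1 and 6.0.0beta2) are taken from the Zabbix advisory as I recall them and are an assumption to confirm against the vendor advisory before acting on the result; the SAML-enabled flag is supplied by the caller because the bypass only matters where SAML is configured.

```python
"""Triage helper for CVE-2022-23131 (Zabbix SAML authentication bypass).

Added example, not from the original article, CISA or Zabbix. It parses the
version string that an unauthenticated `apiinfo.version` JSON-RPC call
returns and checks it against the affected ranges. The ranges are taken
from the Zabbix advisory as I recall them (assumption; verify before use):
5.4.0 - 5.4.8 and 6.0.0alpha1 - 6.0.0beta1, fixed in 5.4.9rc1 and 6.0.0beta2.
The bypass only applies where SAML authentication is configured (not default).
"""
import json
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")
STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release sorts after any pre-release


def parse_version(text):
    """Turn '5.4.8' or '6.0.0beta1' into a tuple that sorts in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch),
            STAGE_RANK[stage], int(stage_no) if stage_no else 0)


# (first affected, first fixed) pairs; assumption, see module docstring.
AFFECTED_RANGES = [
    (parse_version("5.4.0"), parse_version("5.4.9rc1")),
    (parse_version("6.0.0alpha1"), parse_version("6.0.0beta2")),
]


def version_affected(version):
    """True if the frontend version falls in an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def apiinfo_request():
    """JSON-RPC body for the unauthenticated call that returns the frontend version.
    POST it to /api_jsonrpc.php with Content-Type: application/json-rpc."""
    return json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version",
                       "params": [], "id": 1})


def assess(apiinfo_response_json, saml_enabled):
    """Classify a server from its apiinfo.version reply and its SAML setting."""
    version = json.loads(apiinfo_response_json)["result"]
    if not version_affected(version):
        return "patched"
    return "vulnerable" if saml_enabled else "update (not exposed unless SAML is enabled)"


# Constructed reply (not captured from a real server).
SAMPLE_REPLY = '{"jsonrpc":"2.0","result":"5.4.8","id":1}'

if __name__ == "__main__":
    print(apiinfo_request())
    print(assess(SAMPLE_REPLY, saml_enabled=True))
```

The pre-release ordering matters here: 5.4.9rc1 is the first fixed build, so a comparison that treats "5.4.9rc1" as equal to "5.4.9" or as unparseable would misclassify release candidates in either direction.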

News source :

https://www.bleepingcomputer....

New high-severity vulnerabilities found in Cisco switch operating system

Cisco has released software updates to address four security vulnerabilities in its software that could be weaponized by malicious actors to take control of affected systems.

The most critical vulnerability is CVE-2022-20650 (CVSS score: 8.8), a command injection flaw in the NX-API feature of Cisco NX-OS software that stems from insufficient input validation of user-supplied data.

"An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the NX-API of an affected device," Cisco said. "A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system."

This vulnerability affects Nexus 3000 Series switches, Nexus 5500 Platform switches, Nexus 5600 Platform switches and Nexus 6000 Series switches running Cisco NX-OS software in standalone NX-OS mode, as well as Nexus 9000 Series switches running Cisco NX-OS software.
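The flaw is fixed only by updating NX-OS, but since the attack surface is the NX-API HTTP listener (which is disabled by default on Nexus switches), a fleet-wide look at which devices actually expose it tells you where to patch first and what can simply be turned off. The following is an added example, not Cisco's code and not from the original article: it parses the `feature nxapi`, `nxapi http port`, `nxapi https port` and `nxapi use-vrf` lines of `show running-config` output, derives an exposure posture per switch, and orders switches for patching. The hostnames and config excerpts are constructed, and the assumption is that a running-config shows these lines in exactly this form.

```python
"""Audit NX-OS running-configs for NX-API exposure (context: CVE-2022-20650).

Added example, not Cisco's code and not from the original article. The CVE is
fixed only by updating NX-OS; this script only reports which switches expose
the vulnerable surface, so they can be patched or have NX-API disabled first.
Assumes the config lines appear in the form shown in SAMPLE_CONFIGS.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NxapiPosture:
    hostname: str
    enabled: bool = False
    http_port: Optional[int] = None   # cleartext listener, if any
    https_port: Optional[int] = None
    vrf: Optional[str] = None         # None means reachable from every VRF
    findings: List[str] = field(default_factory=list)


def audit_running_config(hostname, config_text):
    """Parse one switch's running-config and list its NX-API exposure findings."""
    p = NxapiPosture(hostname)
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "feature nxapi":
            p.enabled = True
        elif (m := re.fullmatch(r"nxapi http port (\d+)", line)):
            p.http_port = int(m.group(1))
        elif (m := re.fullmatch(r"nxapi https port (\d+)", line)):
            p.https_port = int(m.group(1))
        elif (m := re.fullmatch(r"nxapi use-vrf (\S+)", line)):
            p.vrf = m.group(1)
    if not p.enabled:
        return p  # feature off (the default): nothing for the crafted POST to reach
    p.findings.append("NX-API enabled: patch NX-OS for CVE-2022-20650 or disable with 'no feature nxapi'")
    if p.http_port is not None:
        p.findings.append(f"cleartext HTTP listener on port {p.http_port}")
    if p.vrf is None:
        p.findings.append("NX-API not pinned to a VRF: reachable from data-plane VRFs too")
    elif p.vrf != "management":
        p.findings.append(f"NX-API pinned to non-management VRF '{p.vrf}'")
    return p


def rank_for_patching(configs):
    """Return hostnames with NX-API enabled, most exposed first."""
    postures = [audit_running_config(h, c) for h, c in configs.items()]
    exposed = [p for p in postures if p.enabled]
    return [p.hostname for p in sorted(exposed, key=lambda p: -len(p.findings))]


# Constructed running-config excerpts (not real devices).
SAMPLE_CONFIGS = {
    "n9k-core-1": "hostname n9k-core-1\nfeature nxapi\nnxapi http port 80\nnxapi https port 443\n",
    "n5k-edge-2": "hostname n5k-edge-2\nfeature nxapi\nnxapi https port 443\nnxapi use-vrf management\n",
    "n3k-lab-3": "hostname n3k-lab-3\nfeature bgp\n",
}

if __name__ == "__main__":
    for host in rank_for_patching(SAMPLE_CONFIGS):
        p = audit_running_config(host, SAMPLE_CONFIGS[host])
        print(host)
        for finding in p.findings:
            print("  -", finding)
```

Pinning NX-API to the management VRF and dropping the HTTP listener reduce who can reach the vulnerable endpoint; they do not remove the root-level command injection, so every switch the script lists as enabled still needs the fixed NX-OS release.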

News source :

https://thehackernews.com/202...


Copyright notice
This article was written by [Tencent Security]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/02/202202281431225050.html