Backdoors Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/backdoors/
Posts about security solutions to keep you, your family and your business safe. Last updated Tue, 12 Mar 2024 10:11:02 +0000.

BianLian Exploits TeamCity Vulnerability to Deploy Backdoors
https://gridinsoft.com/blogs/bianlian-exploits-teamcity-vulnerability/
Tue, 12 Mar 2024 10:11:02 +0000

BianLian, a group of cybercriminals known for their ransomware attacks, recently caught the attention of the information security community. By exploiting vulnerabilities in the JetBrains TeamCity platform, they managed to carry out multistage cyberattacks. Threat actors reportedly start their attack chain with a Golang-based backdoor, and work their way all the way to the ransomware payload.

BianLian Exploits TeamCity vulnerabilities

Recent research uncovered a new trend in BianLian's modus operandi: the threat actors behind the ransomware have been observed exploiting security flaws in JetBrains TeamCity to conduct their attacks. Leveraging known vulnerabilities such as CVE-2024-27198 or CVE-2023-42793, the attackers gained initial access to the environment. By creating new users and executing malicious commands within the TeamCity server, they carried out post-exploitation and lateral movement, expanding their foothold in the victim's network.

This is not the first case of TeamCity vulnerabilities being exploited. Consider reading our previous report on the CozyBear threat actor using a different set of security flaws in this software.

Backdoor Deployment via PowerShell

The original report from GuidePoint Security says that, after the initial success, BianLian had to fall back to a PowerShell version of their backdoor because Microsoft Defender unexpectedly detected the original one. By that point the attackers had already deployed and used their network reconnaissance tools.

The PowerShell version is obfuscated to hinder analysis and wraps its payload in several layers of encryption. Still, analysts were able to unpack it and follow the adversaries' actions. Once running, the backdoor establishes a tunnel to the command server and waits for further instructions. Using PowerShell in attacks is nothing unusual, but a complete backdoor written in PowerShell with this level of obfuscation is a new tactic for this group.

Functionality and Capabilities of Backdoor

The PowerShell backdoor mainly aims at covert access to and control over compromised systems. The research summary highlights several features worth knowing about.

The backdoor can accept either a literal IP address or a hostname from its parameters, resolving the latter through DNS, and then opens a TCP socket to the remote command-and-control (C2) server. This gives the attackers bidirectional data exchange between the compromised system and their infrastructure. Here is the code recovered by analysts:

#Function to Resolve IP address
function cakest{
param($Cakes_Param_1)
IF ($Cakes_Param_1 -as [ipaddress]){
return $Cakes_Param_1
}else{
$Cakes_Resolved_IP = [System.Net.Dns]::GetHostAddresses($Cakes_Param_1)[0].IPAddressToString;
}
return $Cakes_Resolved_IP
}

The backdoor uses Runspace Pools for asynchronous execution, so several PowerShell pipelines can run concurrently. According to the report, this both improves its efficiency during post-exploitation activity and complicates detection.

To protect its traffic, the backdoor wraps the TCP connection to the C2 server in an SSL stream, so the data is encrypted in transit and cannot be trivially inspected by network monitoring tools. The C2 communication starts from the following parameter block; note that the default destination is the loopback address written as a hex literal (0x7F000001 = 127.0.0.1) and the default port is 1080:

function cookies{
param (
#Default IP in parameter = 127.0.0.1
[String]$Cookies_Param1 = "0x7F000001",
[Int]$Cookies_Param2 = 1080,
[Switch]$Cookies_Param3 = $false,
[String]$Cookies_Param4 = "",
[Int]$Cookies_Param5 = 200,
[Int]$Cookies_Param6 = 0
)
# function body not reproduced in the published excerpt
}

Mimicking tactics observed in advanced malware, the backdoor validates the SSL certificate presented by the C2 server, so that it only talks to endpoints the operators control. This makes the channel harder to intercept or impersonate, for example with a TLS-inspecting proxy.
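The traits listed above (DNS resolution through [System.Net.Dns], a raw TcpClient, a Runspace Pool, an SslStream with a custom certificate callback and a hex-encoded default address) are exactly what a defender can hunt for in PowerShell script block logs (Event ID 4104). The following is an added example, not code from the GuidePoint report or from the malware: a small triage routine that scores a script block against those indicators and decodes hex IP literals such as 0x7F000001 into dotted form. The indicator list, the weights and both sample script blocks are constructed for illustration.

```python
"""Triage helper for PowerShell script blocks showing the traits described above.
Added example, not code from the GuidePoint report; indicator names, weights and
the two sample script blocks are constructed for illustration."""
import re
from typing import Dict, List

# Indicator name -> regex over the script text. PowerShell is case-insensitive, so we are too.
INDICATORS: Dict[str, str] = {
    "dns_resolve":   r"\[System\.Net\.Dns\]::GetHostAddresses",
    "tcp_socket":    r"System\.Net\.Sockets\.(?:TcpClient|Socket)\b",
    "runspace_pool": r"\bRunspacePool\b|CreateRunspacePool",
    "ssl_stream":    r"System\.Net\.Security\.SslStream",
    "cert_callback": r"RemoteCertificateValidationCallback|ServerCertificateValidationCallback",
    "hex_ip":        r"\b0x[0-9A-Fa-f]{8}\b",
}
# Indicators that are common in ordinary admin scripts get a lower weight.
WEIGHTS = {"dns_resolve": 1, "tcp_socket": 1, "runspace_pool": 1,
           "ssl_stream": 2, "cert_callback": 2, "hex_ip": 1}
SUSPICIOUS_THRESHOLD = 4  # chosen for this example, tune against your own baseline


def hex_ip_to_dotted(literal: str) -> str:
    """'0x7F000001' -> '127.0.0.1' (the backdoor's default C2 address above)."""
    value = int(literal, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {literal}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def find_indicators(script: str) -> List[str]:
    """Return the sorted list of indicator names present in the script text."""
    return sorted(name for name, pattern in INDICATORS.items()
                  if re.search(pattern, script, re.IGNORECASE))


def decode_hex_ips(script: str) -> List[str]:
    """Decode every 8-digit hex literal into dotted form so an analyst can pivot on it."""
    return [hex_ip_to_dotted(m) for m in re.findall(INDICATORS["hex_ip"], script)]


def triage(script: str) -> Dict[str, object]:
    hits = find_indicators(script)
    score = sum(WEIGHTS[h] for h in hits)
    return {
        "indicators": hits,
        "score": score,
        "decoded_ips": decode_hex_ips(script),
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign",
    }


# Constructed sample 1: a script block with the backdoor's traits (not the real malware).
SUSPICIOUS_BLOCK = r'''
param([String]$P1 = "0x7F000001", [Int]$P2 = 1080)
$ip = [System.Net.Dns]::GetHostAddresses($P1)[0].IPAddressToString
$client = New-Object System.Net.Sockets.TcpClient($ip, $P2)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ param($s,$c,$ch,$e) $true })
$pool = [RunspaceFactory]::CreateRunspacePool(1, 4); $pool.Open()
'''

# Constructed sample 2: an ordinary admin script that also talks to the network.
BENIGN_BLOCK = r'''
$hosts = Get-Content .\servers.txt
foreach ($h in $hosts) { Test-NetConnection -ComputerName $h -Port 443 | Select-Object ComputerName, TcpTestSucceeded }
'''

if __name__ == "__main__":
    for label, block in (("suspicious", SUSPICIOUS_BLOCK), ("benign", BENIGN_BLOCK)):
        print(label, triage(block))
```

Run against the ScriptBlockText field of 4104 events; a single indicator is normal in administration scripts, which is why the verdict is based on the combination rather than any one match.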

How to stay safe?

The BianLian threat group continues to evolve, and in light of their recent attacks, it is important to take appropriate security measures. Fortunately, they are more or less the same even for protecting against high-profile cybercrime groups.

  • First and foremost, regularly update and patch externally facing applications. This closes the known vulnerabilities, such as the TeamCity flaws above, that threat actors use to get in.
  • Make sure your team is well-versed in incident response procedures. Every member should know how to respond effectively to a security incident, and regular drills should be conducted to refine response strategies and minimize the impact of a breach.
  • Conduct penetration tests informed by threat intelligence to proactively identify and fix weaknesses in your defenses. Penetration tests simulate attacks on your systems to uncover exploitable vulnerabilities; using threat intelligence to scope them lets you focus on the threats most relevant to your organization.
  • Additionally, use advanced security solutions. EDR and XDR are a must when we talk about corporate-grade cybersecurity. They cover large fleets of machines, orchestrate the response and detect even sophisticated attacks like the one I've described above.

What is a Bootkit? Explanation & Protection Guide
https://gridinsoft.com/blogs/what-is-bootkit/
Fri, 26 Jan 2024 09:05:36 +0000

Bootkits are a rarely discussed, though long-established, kind of malware. They operate beneath the surface, embedding themselves in a computer's boot chain so that they activate before the operating system (OS) even starts. Why do they need such deep integration, and where are they used? Let's find out.

What is a Bootkit?

A bootkit is a sophisticated type of malware that starts and operates even before the operating system starts – during the boot process. Unlike many other malware types that target software vulnerabilities or user actions, bootkits embed themselves in the system’s boot process, making them exceptionally challenging to detect and remove.

What makes a bootkit different

One of the defining characteristics of a bootkit is its ability to load before the operating system (OS) itself. This gives the attacker a significant advantage, as they can intercept and manipulate the boot process, allowing them to gain control over the system even before the user logs in. Being integrated that close to the bare metal also opens the possibility of exploiting kernel-level vulnerabilities and hardware flaws.


Bootkits vs. Rootkits

While often confused, bootkits and rootkits operate at different levels of the system. A rootkit infects the OS after it has loaded and grants its operator the highest privileges available there. A bootkit, by contrast, sits in the bootloader or even in the motherboard firmware and is already running when the OS kernel starts, which changes both its capabilities and its purpose. What the two have in common is that both are advanced, high-severity threats.

Functionalities of Bootkits

Bootkits are versatile in their malicious functionalities. To understand and combat these malicious entities effectively, we must dissect the intricacies of their functionalities.

  • Persistence. One of the primary functionalities of bootkits is their persistence. On legacy systems they implant themselves in the Master Boot Record or Volume Boot Record; on modern GPT-partitioned systems they target the EFI System Partition or the UEFI firmware itself. This positioning lets a bootkit survive reboots and, when it lives in firmware, even a full operating system reinstall, which is why its removal is so challenging.
  • Data Theft. Some bootkits are engineered to steal sensitive data from the compromised system. During the boot process, they may intercept and exfiltrate data such as login credentials, financial information, personal files, and any other valuable data they can access.
  • Backdoor Access. Bootkits can create backdoors within the system, which provide unauthorized remote access to the compromised computer. Adversaries will be able to execute commands, upload additional malware, or manipulate the system as they see fit. It essentially grants them a persistent presence on the compromised device.
  • Bypassing security measures. One of the key traits of bootkits is their ability to circumvent security measures. They load themselves into the system’s memory before any security software or antivirus programs have a chance to activate. As a result, they can operate undetected and unimpeded by security tools, allowing them to carry out their malicious activities without being stopped.

Can I detect and remove the bootkit?

Detecting a bootkit before it is written to the firmware or to the boot partitions of the disk is the most effective way to prevent damage. However, spotting an infection is not easy, and even once detected, a bootkit can be even harder to remove.

If the bootkit has been written to the EFI System Partition, only a complete reinstallation that recreates that partition will remove the malicious code from the disk. Even that is not enough if the malware has also infected the firmware: the freshly installed system will be compromised again on the next boot, and the firmware has to be reflashed from a vendor image. In such cases it is advisable to identify which bootkit is involved and to use a bootable (LiveCD) antivirus utility, which scans the disk from outside the infected OS.

How to Prevent Bootkits

Preventing bootkit malware requires taking several measures to reduce the risk of infection. Here are some steps that can be taken:

  1. Secure Boot and UEFI
    Secure Boot is a feature of UEFI firmware. Its purpose is to ensure that only signed, trusted software is loaded during the boot process, which blocks an unsigned bootkit from starting at all. UEFI itself is the modern replacement for the legacy BIOS and gives much tighter control over the boot chain. Still, Secure Boot is not a guarantee: the BlackLotus UEFI bootkit bypasses it by abusing a previously patched Windows boot manager flaw (CVE-2022-21894) on systems where the vulnerable binaries have not yet been revoked.
  2. Update Your System
    Keeping your operating system and security software up-to-date can prevent bootkit malware from infecting your computer. Pay attention to firmware updates as well: although rare, UEFI/BIOS vulnerabilities exist, too, and may be exploited in different scenarios.
  3. Use antivirus software
    While antivirus software cannot detect every bootkit, it can stop the infection at an early stage, before the dropper gets to write to the boot chain. Firmware integrity and measured-boot attestation tools are also useful for catching threats that integrate at such a low level.
  4. Be cautious when downloading software
    It is crucial to download software from trusted sources only, especially when we talk about hardware control utilities and drivers. Those two integrate deep enough into the system to allow their exploitation for bootkit injection.
  5. Use a hardware-based solution
    Hardware-based solutions such as a Trusted Platform Module (TPM) help against bootkits by measuring each stage of the boot chain into the TPM's registers. Those measurements can be checked remotely (attestation) or used to seal disk-encryption keys, as BitLocker does, so a tampered boot chain produces different measurements and the keys are not released.
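The first item on the list is only worth something if Secure Boot is actually enforcing, so it pays to verify the state rather than assume it. Below is an added example, not code from this article: it reads the state the way a Linux host exposes it through efivarfs, where every variable file is a 4-byte little-endian attribute mask followed by the variable data, and SecureBoot and SetupMode are one byte each. The byte strings in the sample constants are constructed so the parser can be exercised offline; the variable names and the EFI global variable GUID are the standard ones.

```python
"""Check that UEFI Secure Boot is enforcing, via Linux efivarfs.
Added example (not from the article); sample byte strings are constructed."""
import struct
from pathlib import Path
from typing import Optional, Tuple

# GUID of the EFI global variables (SecureBoot, SetupMode, PK, KEK, ...).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file into (attribute mask, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivar too short to carry an attribute mask")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_state(secure_boot_raw: bytes, setup_mode_raw: bytes) -> str:
    """Combine SecureBoot and SetupMode into one verdict.

    'enforcing' only when SecureBoot == 1 and the firmware is not in Setup Mode;
    in Setup Mode no Platform Key is enrolled and the key databases (PK/KEK/db/dbx)
    can be rewritten without authentication, so SecureBoot=1 there proves little.
    """
    _, sb = parse_efivar(secure_boot_raw)
    _, sm = parse_efivar(setup_mode_raw)
    if len(sb) != 1 or len(sm) != 1:
        return "malformed"
    if sm[0] == 1:
        return "setup-mode"
    return "enforcing" if sb[0] == 1 else "disabled"


def read_live_state() -> Optional[str]:
    """Read the real variables on a Linux UEFI host; None if unavailable (legacy BIOS, other OS)."""
    try:
        sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}").read_bytes()
        sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}").read_bytes()
    except OSError:
        return None
    return secure_boot_state(sb, sm)


# Constructed samples: attributes 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, then one data byte.
SAMPLE_SB_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SB_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUP_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SETUP_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print("sample enforcing:", secure_boot_state(SAMPLE_SB_ON, SAMPLE_SETUP_OFF))
    print("sample setup mode:", secure_boot_state(SAMPLE_SB_ON, SAMPLE_SETUP_ON))
    print("this host:", read_live_state())
```

On Windows the equivalent one-liner is the built-in Confirm-SecureBootUEFI cmdlet, which returns True or False from an elevated PowerShell prompt; either way, a fleet-wide inventory of this value is cheap and catches machines that were left in Setup Mode or had Secure Boot switched off.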

TeamTNT Group Returns with Silent Bob Campaign
https://gridinsoft.com/blogs/grouping-teamtnt-and-silent-bob/
Fri, 07 Jul 2023 16:45:27 +0000

Aqua Security researchers have warned that the TeamTNT group may be preparing a new large-scale campaign against cloud environments, dubbed “Silent Bob”.

The suspicion arose after the experts discovered attackers targeting misconfigured servers.

Grouping TeamTNT and Silent Bob

Aqua Security launched an investigation after discovering an attack on one of its honeypots. Four malicious container images were subsequently found. However, since some features of the code remain unused, it appears the campaign has not yet fully launched.

“This infrastructure is in the early stages of testing and is basically similar to an aggressive cloud worm that is focused on attacking the open APIs of JupyterLab and Docker to deploy Tsunami malware, capture cloud credentials, capture resources and further infect the worm,” the Aqua Security specialists said.

TeamTNT is a cybercriminal group known for destructive attacks on cloud systems, especially Docker and Kubernetes environments. The group specializes in cryptomining.

We wrote, for example, that two years ago the group's botnet infected more than 50,000 systems within a single month. Back then mining botnets also went after PostgreSQL databases, and there was the rather pretentious KingMiner malware, which attacked MSSQL servers.

Although TeamTNT ceased operations at the end of 2021, Aqua Security linked the new campaign to TeamTNT based on the use of Tsunami malware, the dAPIpwn function, and a C2 server that responds in German.

Detected group activity begins when an attacker identifies a misconfigured Docker API or JupyterLab server and deploys a container or interacts with the Command Line Interface (CLI) to scan for additional victims.

Such a process is designed to spread malware to more servers. The secondary payload includes a cryptominer and a backdoor, with the backdoor using the Tsunami malware as an attack tool.

“First, the attacker identifies a misconfigured server (either Docker API or JupyterLab) and deploys a container or interacts with a command line interface (CLI) to scan and identify additional victims. This process is designed to spread malware to an increasing number of servers. The secondary payload of this attack includes a crypto-miner and a backdoor, with the latter using the Tsunami malware as the weapon of choice,” say security researchers Ofek Itach and Assaf Morag.

Aqua Security also published a list of recommendations to help organizations mitigate the threat.
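The two entry points described in this post, an unauthenticated Docker API and an unauthenticated JupyterLab server, are both configuration mistakes that can be audited before a worm finds them. The following is an added example, not code from the article or from Aqua Security: it checks a dockerd daemon.json for a TCP listener without TLS client authentication, and a Jupyter server config for disabled authentication combined with binding to all interfaces. The four config samples are constructed, and the certificate paths in them are placeholders.

```python
"""Audit Docker daemon.json and Jupyter server configs for the exposures TeamTNT scans for.
Added example (not from the article or Aqua Security); sample configs are constructed."""
import ast
import json
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Bind addresses that mean "every interface". urlsplit gives None for 'tcp://:2375'.
ALL_INTERFACES = {None, "", "0.0.0.0", "::", "*"}


def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Findings for a dockerd daemon.json. An empty list means no issue found."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are governed by filesystem permissions
        bind = urlsplit(host).hostname
        if bind in ALL_INTERFACES:
            findings.append(f"{host}: Docker API bound to all interfaces")
        if not cfg.get("tlsverify", False):
            findings.append(f"{host}: TCP API without tlsverify (no client-certificate authentication)")
    return findings


# Matches lines like: c.ServerApp.ip = '0.0.0.0'   (NotebookApp is the pre-2.0 name)
_JUPYTER_LINE = re.compile(r"^\s*c\.(?:ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$")


def parse_jupyter_config(text: str) -> Dict[str, object]:
    """Pick out c.ServerApp.* / c.NotebookApp.* assignments with literal values."""
    settings: Dict[str, object] = {}
    for line in text.splitlines():
        m = _JUPYTER_LINE.match(line)
        if not m:
            continue
        try:
            settings[m.group(1)] = ast.literal_eval(m.group(2))
        except (ValueError, SyntaxError):
            settings[m.group(1)] = m.group(2)  # keep non-literal values as raw text
    return settings


def audit_jupyter_config(text: str) -> List[str]:
    s = parse_jupyter_config(text)
    findings = []
    # token='' disables token auth; with no password set, the server is wide open.
    if s.get("token") == "" and not s.get("password"):
        findings.append("authentication disabled (empty token, no password)")
    if s.get("ip") in ALL_INTERFACES - {None}:
        findings.append(f"server bound to all interfaces (ip={s['ip']!r})")
    return findings


# Constructed samples. Paths are placeholders.
DOCKER_VULNERABLE = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}'''
DOCKER_HARDENED = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'''
JUPYTER_VULNERABLE = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.open_browser = False
"""
JUPYTER_HARDENED = """
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.password = 'argon2:$argon2id$v=19$m=10240,t=10,p=8$placeholder'
c.ServerApp.open_browser = False
"""

if __name__ == "__main__":
    print("docker vulnerable:", audit_docker_daemon(DOCKER_VULNERABLE))
    print("docker hardened:  ", audit_docker_daemon(DOCKER_HARDENED))
    print("jupyter vulnerable:", audit_jupyter_config(JUPYTER_VULNERABLE))
    print("jupyter hardened:  ", audit_jupyter_config(JUPYTER_HARDENED))
```

Point the two audit functions at /etc/docker/daemon.json and at the jupyter_server_config.py of each user; a Docker API that must be reachable over the network should listen on a specific address with tlsverify, and a Jupyter server that must be shared should sit behind a password or a reverse proxy rather than run with an empty token.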

Shuckworm Gang Attacks Ukrainian Companies Using Pterodo Backdoor and USB Drives
https://gridinsoft.com/blogs/shuckworm-attacks-ukrainian-companies/
Mon, 19 Jun 2023 11:04:06 +0000

Symantec experts report that the Shuckworm hack group (aka Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, Winterflounder, and so on) is attacking Ukrainian companies using the Pterodo backdoor distributed via USB drives.

The main targets of hackers are important organizations in the military and IT sectors.

According to experts, in some cases, the group managed to organize long-term attacks that lasted up to three months, which in the end could give attackers access to “significant amounts of confidential information.”

Let me remind you that we also reported that TrickBot Hack Group Systematically Attacks Ukraine, and also that Microsoft Accuses Russia of Cyberattacks against Ukraine’s Allies.

The media also wrote that Sandworm Targets Ukraine With Industroyer2 Malware.

Shuckworm activity in 2023 spiked between February and March 2023, and hackers continued to have a presence on some compromised machines until May 2023.

To launch attacks, Shuckworm typically uses phishing emails with malicious attachments disguised as .docx, .rar, .sfx, .lnk and .hta files. Topics such as the armed conflict, criminal prosecution, crime control and child protection are often used as bait to trick targets into opening the message and its attachments.

The new Shuckworm campaign debuted a new piece of malware: a PowerShell script that distributes the Pterodo backdoor. The script is activated when an infected USB drive is connected to a target computer. It first copies itself to the machine and creates rtf.lnk shortcut files (video_porn.rtf.lnk, do_not_delete.rtf.lnk and evidence.rtf.lnk); the names are meant to entice targets to open them so that Pterodo can get onto their machines.

The script then enumerates all drives connected to the computer and copies itself to every removable drive it finds, both for further lateral movement and in the hope of reaching air-gapped devices that are deliberately kept off the internet.

To cover its tracks, Shuckworm has created dozens of malware variants (more than 25 PowerShell script variants between January and April 2023) and rapidly rotates the IP addresses and infrastructure used for command and control.

The group also uses legitimate services, including Telegram and the Telegraph platform, for command and control in order to avoid detection.
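The USB behaviour described above leaves a simple artifact to hunt for: shortcut files named with a document double extension (video_porn.rtf.lnk) sitting in the root of a removable drive, where user-created shortcuts are rare. The following is an added example, not code from Symantec's report: a heuristic that flags such entries in a directory listing, applied to a constructed listing with made-up paths and drive letters.

```python
"""Hunting heuristic for USB shortcut lures like the Pterodo dropper described above.
Added example (not from Symantec's report); the file listing is constructed."""
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Extensions a lure is likely to impersonate; extend to taste.
LURE_EXTENSIONS = {".rtf", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".mp4"}


def lnk_reasons(path: str, on_removable: bool) -> List[str]:
    """Return the reasons a .lnk looks like a USB lure; empty list if it does not."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".lnk":
        return []
    reasons = []
    inner_ext = PureWindowsPath(p.stem).suffix.lower()  # 'video_porn.rtf' -> '.rtf'
    if inner_ext in LURE_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}.lnk")
    if on_removable and p.parent == PureWindowsPath(p.anchor):
        reasons.append("shortcut in root of removable drive")
    return reasons


def triage_listing(entries: List[Tuple[str, bool]]) -> Dict[str, List[str]]:
    """Map each suspicious path to its reasons; entries are (path, is_removable_drive)."""
    return {path: r for path, removable in entries if (r := lnk_reasons(path, removable))}


# Constructed listing: three lures named like the report's samples, plus noise.
SAMPLE_LISTING = [
    (r"E:\video_porn.rtf.lnk", True),
    (r"E:\do_not_delete.rtf.lnk", True),
    (r"E:\evidence.rtf.lnk", True),
    (r"E:\photos\trip.jpg", True),
    (r"E:\projects\readme.txt", True),
    (r"C:\Users\analyst\Desktop\Report.lnk", False),
    (r"C:\Users\analyst\Documents\budget.xlsx.lnk", False),
]

if __name__ == "__main__":
    for path, reasons in triage_listing(SAMPLE_LISTING).items():
        print(path, "->", "; ".join(reasons))
```

In practice the listing would come from walking each removable volume when it is mounted. The budget.xlsx.lnk entry on a fixed disk is flagged only for its double extension, which shows why the two signals are reported separately: a double-extension shortcut inside a user's own Documents folder is worth a look, but a batch of them in the root of a freshly inserted drive is what this campaign looks like.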

Vulnerability Found in Twitter Code That Provokes a “Shadowban” of the Victim
https://gridinsoft.com/blogs/shadowban-on-twitter/
Thu, 13 Apr 2023 18:13:25 +0000

Recently, Twitter fulfilled a promise made by Elon Musk and published on GitHub the source code of its recommender algorithm, where a vulnerability was discovered that could send a user to a shadowban.

Numerous researchers immediately started studying the source code, and one of the problems they found has now been assigned a CVE identifier. The vulnerability makes it possible to “shadowban” a victim, that is, to get someone else's account hidden from other users with no recourse.

Let me remind you that we also wrote that Elon Musk confirmed that the Russian offered a Tesla employee a million dollars for hacking the company, and also that CERT launched Twitter bot that comes up with names for vulnerabilities.

Also the media wrote that Hacker George “GeoHot” Hotz Will Be a Twitter Intern and Promises to Fix a Search.

The issue was discovered by Federico Andres Lois while investigating the recommendation engine that powers the For You section of Twitter. According to the study, the coordinated efforts of other users can lead to a “shadow ban” of any account that is unlikely to be overcome.

To inflict large-scale reputation penalties on a victim, it is enough for other users to unfollow the account, mute it, block it or report it for violations.

According to Lois, Twitter’s current recommendation algorithm “allows for coordinated, non-recourse damage to [any] account’s reputation.” This issue has already been assigned CVE-2023-23218.

It turns out that any account subjected to mass blocking and unfollowing receives a “shadowban” and is no longer shown in other people's recommendations, while the owner of the affected account is not even told about the restriction. The researcher also notes that such a ban appears to be impossible to undo.

Lois writes that apps like Block Party, which allow Twitter users to filter accounts in bulk, are essentially tools that (intentionally or not) have a similar effect on users.

Many Twitter users have already started talking about the fact that the error can be used by numerous armies of bots on the platform. When a Twitter user suggested that Musk solve the problem by only allowing mute, blocking, and reporting for “blue tick” Twitter users, Musk replied that he wanted to know “who is behind these botnets”.

“Global penalties should not be applied because they can be fooled quite easily; all penalties (if any) should be applied at the content level,” writes Lois.

However, that would require Twitter to have a team of moderators, and they appear to have been fired en masse, along with other staff, when Musk took over the company last November.

Another obvious solution would be to let negative signals decay over time, but according to Lois, the design of Twitter's recommender makes that easy to defeat, for example by repeatedly following and unfollowing specific accounts every 90 days.

“Such tactics can be used indefinitely,” the expert says.

YouTube Video Causes Pixel Smartphones to Reboot
https://gridinsoft.com/blogs/youtube-and-pixel-smartphones/
Thu, 02 Mar 2023 10:33:41 +0000

Users have found that Pixel smartphones powered by Google Tensor processors reboot when the user tries to watch a clip from the movie “Alien” on YouTube in 4K HDR.

Let me remind you that we also wrote that Janet Jackson Song Killed Hard Drives on Old Laptops, as well as Cellmate men’s chastity belts are vulnerable to attacks and dangerous for users.

Also the media wrote that Bypassing the Lock Screen on Pixel Smartphones Netted a Researcher $70,000.

The strange issue was reported by users on the Google Pixel subreddit. A user with the nickname OGPixel5 writes that Google Pixel 6, 6a and Pixel 7 smartphones instantly reboot when you try to watch this video on YouTube. Something in the video has such a severe effect on the devices that they reboot without showing the owner a single frame.

Other users note that after the reboot, cellular connectivity for some reason does not work, and the device has to be restarted again, this time manually, to bring it back.

The main theory of users is that something in the video format (it’s 4K HDR) is causing smartphones to crash. Similar errors have happened before, for example, in 2020 there was a lot of discussion about “cursed wallpapers” that crashed when set as a background (the problem was a color space error).

All phones affected by this bug use Google's Tensor SoC, which is why the problem does not appear on other devices. Since Tensor shares its lineage with Samsung's Exynos chips, Exynos-based devices might also be affected, but so far no one has reported such problems.

Information about the reboot-inducing YouTube video first appeared online last weekend, and today Ars Technica journalists reported that the developers seem to have already fixed the bug. The publication says that yesterday the editors' Pixel 7 Pro instantly shut down when opening the video, while today it plays normally. Several users on the Pixel subreddit have also reported that the video now works fine.

Although users and journalists did not find updates to the application and other signs of the release of any “patch”, the publication notes that Google may well remotely influence the operation of smartphones without actually installing updates.

Application Bugs Allowed to Open and Start Cars Hyundai, Genesis and Others
https://gridinsoft.com/blogs/vulnerabilities-in-hyundai-and-genesis/
Tue, 06 Dec 2022 11:01:10 +0000

Experts from Yuga Labs discovered vulnerabilities in mobile applications for Hyundai and Genesis vehicles.

In addition, the SiriusXM smart car platform, used in cars from other manufacturers (Acura, BMW, Honda, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota), allowed to remotely unlock the car, start the engine and perform other actions.

Let me remind you that we also wrote that Ferrari Has So Far Denied If It Attacked by Ransomware, and also that Teen gets remote access to 25 Tesla cars.

The media also reported that a bug in Honda cars allows remotely unlocking and starting a car.

Yuga Labs specialist Sam Curry has posted two long threads on Twitter (Hyundai, SiriusXM) about problems he and his colleagues have recently discovered in the software of many different vehicles.

The analysis began with applications for Hyundai and Genesis vehicles (MyHyundai and MyGenesis), which allow authenticated users to remotely start and stop the engine, and lock and unlock their vehicles.


By intercepting and studying the traffic generated by these applications, the researchers were able to extract the API calls. They discovered that validation of the car owner was based only on their email address, which is simply included in the body of the JSON POST requests. It then turned out that MyHyundai did not require confirmation of the email address during registration either.

Based on this, the experts registered a new account using the target's email address with an extra control character appended. They then sent an HTTP request to the Hyundai endpoint containing their own email in the JSON token and the victim's address in the JSON body, which bypassed the validation.


To test the attack, the researchers tried to unlock a Hyundai car they had in their possession. The attack worked and the car was unlocked. They then wrote a Python script that automates every stage of the attack and needs only the victim's email address as input.

“The vulnerability has been fixed and the main problem was access control affecting user accounts in the application itself. You could log into someone else's account if you knew [the victim's] email address and therefore remotely monitor/locate their car,” writes Curry.

The Yuga Labs analysts then switched to studying the products of SiriusXM, which, among other things, is a telematics provider for more than 15 major automakers and claims to operate services for approximately 12 million connected cars. As the experts found, the mobile apps of Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru and Toyota use SiriusXM to implement their remote vehicle control functions.

Examining network traffic from the Nissan app showed that forged HTTP requests could be sent to an endpoint knowing only the VIN of a particular car. The response contained the victim's name, phone number, address and vehicle details. Besides disclosing data, such requests could also carry commands to act on the car: for cars made after 2015 this included remote start and stop, lock and unlock, and control of the headlights and horn.

At the same time, the experts emphasize that the VIN of almost any car can be found right in the parking lot (it is usually visible at the bottom of the windshield) or on a car sales website.

Hyundai representatives have already told the media that the vulnerabilities discovered by Yuga Labs were not used to attack car owners, and “customer accounts were not accessible to third parties.”

“We also emphasize that exploiting the vulnerability required knowing the email address associated with a specific Hyundai account and vehicle, as well as having the specific script used by the researchers. Despite this, Hyundai took countermeasures within days of receiving the [vulnerability] notification,” the company said.

SiriusXM developers also stated that the bugs found by the researchers did not affect any customer and were fixed 24 hours after the report was received. The company added that the vulnerabilities were closed as part of the bug bounty program SiriusXM has run for a long time.

PCspoF Attack Could Disable Orion Spacecraft
https://gridinsoft.com/blogs/pcspof-and-the-orion-spacecraft/
Thu, 17 Nov 2022 14:31:10 +0000
A team of researchers from the University of Michigan, the University of Pennsylvania, and NASA have detailed a TTEthernet (Time-Triggered Ethernet) PCspoF attack that could disable the Orion spacecraft.

Experts say vulnerabilities in this network technology, which is widely used in the space and aviation industries, could have catastrophic consequences for critical systems, including the disruption of NASA missions.

Let me remind you that we also wrote that NASA has faced 6000 cyberattacks in the past four years, and also that Malware Hides in Images from the James Webb Telescope.

TTEthernet turns ordinary Ethernet into a deterministic network with certain transfer times between nodes and significantly expands the use of the classic Ethernet standard. In such a mixed-criticality network, traffic with different timing and fault tolerance requirements can coexist.

In fact, TTEthernet allows time-critical traffic (from devices that send highly synchronized, scheduled messages according to a predetermined schedule) to use the same switches that handle non-critical traffic, such as passenger Wi-Fi on airplanes.

In addition, TTEthernet is compatible with the standard Ethernet used in conventional systems. TTEthernet isolates time-triggered traffic from so-called best-effort traffic, i.e., non-critical systems, by forwarding their messages around more important time-triggered traffic.

This makes it possible to combine different devices in one network: mission-critical systems can run on cheaper network equipment, and the two types of traffic do not interfere with each other.

The creators of PCspooF say that TTEthernet is essentially the “backbone of the network” in spacecraft, including NASA’s Orion spacecraft, the Lunar Gateway space station, and the Ariane 6 launch vehicle. It is also considered a “contender” to replace the Controller Area Network (CAN) bus and the FlexRay protocol.

According to the researchers, PCspooF is the first attack that breaks the isolation between the different traffic types. The essence of the problem is that PCspooF disrupts the synchronization mechanism, the Protocol Control Frame (PCF), whose messages keep devices running on schedule and ensure fast communication between them.

The researchers found that non-critical best-effort devices can expose private information about the time-triggered part of the network. In addition, these devices can be used to craft malicious synchronization messages, so a malicious, non-critical device can violate the isolation guarantee of a TTEthernet network.

The compromised best-effort device can then create EMI in the switch, forcing it to send fake synchronization messages to other TTEthernet devices.

Once such an attack is launched, TTEthernet devices periodically lose synchronization and have to resynchronize. The resulting desynchronization (up to a second) prevents dozens of time-triggered messages from being sent and can cause critical systems to fail. In the worst case, PCspooF triggers such failures simultaneously on all TTEthernet devices in the network, the researchers explain.

To test PCspooF, the experts used NASA hardware and software components to simulate an asteroid redirection mission in which Orion had to dock with an automated spacecraft. The PCspooF attack forced Orion to deviate from its course and fail the docking completely.

After successfully testing the attack, researchers reported the issue to organizations using TTEthernet, including NASA, the European Space Agency (ESA), Northrop Grumman Space Systems, and Airbus Defense and Space. Now, based on the data from the researchers, NASA is revising the protocols for onboard experiments and testing its off-the-shelf commercial equipment.

As protection against PCspooF and the consequences of such attacks, the experts recommend using optical connectors or voltage stabilizers (to block electromagnetic interference); checking source MAC addresses to make sure they are authentic; hiding key PCF fields; using a link-layer authentication protocol such as IEEE 802.1AE; increasing the number of sync masters; and disabling dangerous state transitions.

Space technologies do not guarantee absolute protection: there are examples of real attacks. For example, the media wrote that DoppelPaymer ransomware operators hacked a NASA contractor.

New PowerShell Backdoor Masquerades as a Windows Update
https://gridinsoft.com/blogs/new-powershell-backdoor/
Thu, 20 Oct 2022 10:45:24 +0000
Cybersecurity experts from SafeBreach have found a new, previously undocumented and “undetectable” PowerShell backdoor, which is actively used by hackers and has been used to attack at least 69 targets.

Let me remind you that we also wrote that Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware.

“The PowerShell backdoor is a stealthy tool of its own design and its associated command and control servers appear to be the work of a sophisticated unknown attacker, who already has about 100 victims,” the researchers note in their report.

The backdoor spreads through spear phishing, as part of malicious Word documents that are usually disguised as job offers. When such a document is opened, a macro inside it drops the updater.vbs script onto the victim’s computer, which creates a scheduled task claiming to be part of a Windows update.

The VBS script executes two other PowerShell scripts (Script.ps1 and Temp.ps1), which are stored obfuscated inside the malicious document itself. When SafeBreach analysts first discovered these scripts, none of the products featured on VirusTotal identified them as malicious.

Script.ps1 connects to the C&C servers of the attackers, sends the victim ID to its operators, and then waits for further commands, which it receives in encrypted form (AES-256 CBC). Based on the count of such identifiers, the analysts could conclude that about 69 victims were registered on the attackers’ control servers, which probably corresponds to the approximate number of hacked computers.

The Temp.ps1 script, in turn, decodes the commands received from the server as a response, executes them, and then encrypts and uploads the result via a POST request to the control server.

The experts wrote a script that decrypted the commands of the malware operators, and found that two-thirds of them were intended to steal data, while the rest were used to enumerate users and files, delete files and accounts, and list RDP clients.

The researchers believe that this PowerShell backdoor appears to have been created by previously unknown attackers, and so far there is too little data to attribute these attacks.

Hundreds of Microsoft SQL Servers Infected with Maggie Backdoor
https://gridinsoft.com/blogs/maggie-backdoor-in-microsoft-sql/
Fri, 07 Oct 2022 09:00:52 +0000
Security researchers have discovered a new malware that targets Microsoft SQL servers. The backdoor, dubbed Maggie, has already infected hundreds of machines around the world. Most infections are observed in South Korea, India, Vietnam, China, Russia, Thailand, Germany and the USA.

Let me remind you that we also wrote that Fargo Ransomware aims at vulnerable Microsoft SQL servers, and also that Epsilon Red ransomware threatens Microsoft Exchange servers.

DCSO CyTec experts report that the malware is disguised as an Extended Stored Procedure DLL (sqlmaggieAntiVirus_64.dll) digitally signed by DEEPSoft Co. Ltd, which appears to be based in South Korea.

Maggie is controlled using SQL queries that tell it to execute certain commands or interact with files. The malware is also capable of brute forcing administrator credentials to penetrate other Microsoft SQL servers.

Extended Stored Procedure files extend the functionality of SQL queries by using an API that accepts remote user arguments and responds with unstructured data. As a result, the list of commands supported by the backdoor looks quite impressive.

Maggie can query system information, run programs, interact with files and folders, enable Remote Desktop Services (TermService), start a SOCKS5 proxy server, and set up port forwarding.

The researchers note that the command list also contains four “Exploit” commands, which means that attackers may rely on exploiting known vulnerabilities to perform certain actions, such as adding a new user. “Unfortunately, we were unable to study these exploits, as they seem to depend on an additional DLL and are not shipped with Maggie,” the researchers add.

The SqlScan and WinSockScan commands are responsible for brute-forcing administrator passwords; they run after the operator specifies a file with a list of passwords and the number of threads. If successful, a hard-coded user account is added to the server.
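As an added defender-side check (not from the DCSO CyTec report or the Gridinsoft post), the following T-SQL lists the extended stored procedures that Microsoft did not ship, together with the DLL each one loads, and then the most recently created SQL logins. A DLL name like the sqlmaggieAntiVirus_64.dll mentioned above, or a login nobody remembers creating, is what you would be looking for. It assumes a sysadmin connection to the instance and that the backdoor was registered as an extended stored procedure in master, as the report describes.

```sql
-- Added detection query, not code from the Maggie report.
-- Extended stored procedures can only be registered in master,
-- so that is where a Maggie-style DLL would show up.
USE master;

-- 1. User-registered extended stored procedures and their backing DLLs.
--    Microsoft's own XPs (xp_cmdshell, xp_dirtree, ...) carry is_ms_shipped = 1;
--    anything with 0 was added with sp_addextendedproc and needs an owner.
SELECT
    p.name          AS xp_name,
    p.dll_name      AS dll_path,      -- review unknown names or odd locations
    p.create_date,
    p.modify_date
FROM sys.extended_procedures AS p
WHERE p.is_ms_shipped = 0
ORDER BY p.create_date DESC;

-- 2. Recently created SQL logins. The report says a successful SqlScan /
--    WinSockScan run adds a hard-coded user; the name is not given on the
--    page, so filter by creation time and compare against your change records.
SELECT
    sp.name,
    sp.type_desc,
    sp.create_date,
    sp.modify_date
FROM sys.server_principals AS sp
WHERE sp.type_desc = 'SQL_LOGIN'
  AND sp.name NOT LIKE '##%'          -- skip system-generated certificate logins
ORDER BY sp.create_date DESC;
```

Run both queries from a SQL Server Agent job or your monitoring platform and alert on any new row; a registered XP with a DLL path outside the SQL Server binn directory, or a login created outside a change window, should be treated as a compromise indicator until explained.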

The researchers’ report also notes that the malware has a simple TCP redirect feature that helps attackers connect to any IP address available to the infected MS-SQL server.

“If this feature is enabled, Maggie will redirect any incoming connection (on any port that MSSQL Server is listening on) to a previously set IP address and port if the source IP address matches the user-specified mask,” the experts explain.

In addition, the backdoor has SOCKS5 proxy functionality that can be used to route all network packets through the proxy, making the threat even stealthier when needed.

Currently, it remains unclear how exactly hackers use Maggie after infection, how the malware is introduced to servers at all, and who is behind these attacks.
