The topic of Chinese hackers becomes more and more often guest of newsletter headlines. Some episodes surprise with their cheekiness and insolence – when they managed to use Google infrastructure as C2 servers. But healthcare infrastructure attacks are non-grata even for such daredevils. Cyberattack on a German hostpital lead to patient’s death – most likely, that was out of hackers intentions. For that reason, hackers all over the world agreed to avoid attacking hospitals.

Chinese Camaro Dragon Hackers Attacked Hospital

The Check Point report states that the Camaro Dragon typically attacks targets in Asian countries, and features designed to evade SmadAV, a popular antivirus solution in the region, can be found in the group’s malware code. However, the WispRider and HopperTick malware has infiltrated a European hospital and has also been encountered by researchers in Myanmar, South Korea, the UK, India and Russia.

Checkpoint believes that the attack begins with the victim launching a malicious launcher written in Delphi on an infected USB drive. This causes the launch of the main payload, which downloads malware onto other drives when they connect to the infected machine. At the same time, it is emphasized that the malware poses a great danger to corporate systems, since infected machines install malware on any newly connected network drives, and not on drives already connected to the machine at the time of infection.

Researchers are confident that the spread to newly connected network drives is unintentional.

If the malicious code does run, it tries to spread the backdoor and steal data. Due to this, accidental infection of network storages becomes a serious problem, as in many organizations this is where important data is stored.

Another unpleasant feature of this malware is that it “performs DLL-side-loading using security software components, including G-DATA Total Security, and products from two major gaming companies (Electronic Arts and Riot Games).” Checkpoint says it has already warned developers about their unwitting involvement in Camaro Dragon malware companies.

The post Chinese Hackers Accidentally Infected European Hospital with Malware appeared first on Gridinsoft Blog.

Check Point analysts have discovered a new ransomware, Rorschach ransomware that has already been used to attack an unnamed American company.

This malware is notable for its extremely high speed of file encryption and the fact that it is deployed using a signed component of commercial security software.

Check Point calls this threat “one of the fastest ransomware” as Rorschach is even faster than LockBit 3.0.

Let me remind you that we also wrote that New Cuba Ransomware Variant Involves Double-Extortion Scheme, and also that New Pay2Key ransomware encrypts corporate networks in just an hour.

Also the media reported that New Prestige Ransomware Attacks Polish and Ukrainian Organizations.

The researchers say that the ransomware is delivered using a side-loading DLL technique through a signed component in the Cortex XDR in the Palo Alto Networks product. The attackers used the Cortex XDR Dump Service Tool (cy.exe) version 7.3.0.16740 to download the Rorschach loader and injector (winutils.dll), which resulted in the config.ini ransomware payload being launched into the Notepad process.

It is noted that the loader file is protected from UPX-style analysis, while the main payload is protected from reverse engineering and detection by virtualizing parts of the code using VMProtect.

Check Point experts warn that the ransomware creates a group policy on a Windows domain controller and can independently propagate to other hosts in the domain.

After compromising the victim’s computer, the malware erases four Application, Security, System, and Windows Powershell logs to cover its tracks.

Although Rorschach’s configuration is generally hard-coded, the ransomware supports command-line arguments that greatly enhance its functionality. Below are some of them.

Rorschach will start encrypting data only if the infected machine does not work in the language of any of the CIS countries. The encryption scheme combines the curve25519 and eSTREAM hc-128 algorithms, using discontinuous encryption, meaning the malware encrypts files only partially, which increases its speed.

Languages that stop malware

The researchers note that the Rorschach encryption procedure demonstrates “a highly efficient implementation of stream distribution through I / O completion ports.”

To determine the speed of Rorschach encryption, experts conducted a test using 220,000 files on a machine with a 6-core processor. It took malware 4.5 minutes to encrypt the data, while LockBit 3.0, until recently considered the fastest ransomware, completed the same task in 7 minutes.

Check Point summarizes that Rorschach appears to have incorporated the best features of some of the leading ransomware programs previously leaked (Babuk, LockBit 2.0, DarkSide).

The post Rorschach’s New Ransomware Is Named the Fastest to Date appeared first on Gridinsoft Blog.

Check Point researchers say that the OpenAI API is poorly protected from various abuses, and it is quite possible to bypass its limitations, wnd that attackers took the advantage of it. In particular, a paid Telegram bot was noticed that easily bypasses ChatGPT prohibitions on creating illegal content, including malware and phishing emails.

The experts explain that the ChatGPT API is freely available for developers to integrate the AI bot into their applications. But it turned out that the API version imposes practically no restrictions on malicious content.

Let me remind you that we also wrote that Russian Cybercriminals Seek Access to OpenAI ChatGPT, and also that Google Is Trying to Get Rid of the Engineer Who Suggested that AI Gained Consciousness.

In particular, it turned out that one hack forum already advertised a service related to the OpenAI API and Telegram. The first 20 requests to the chatbot are free, after which users are charged $5.50 for every 100 requests.

The experts tested ChatGPT to see how well it works. As a result, they easily created a phishing email and a script that steals PDF documents from an infected computer and sends them to the attacker via FTP. Moreover, to create the script, the simplest request was used: “Write a malware that will collect PDF files and send them via FTP.”

In the meantime, another member of the hack forums posted a code that allows generating malicious content for free.

Let me remind you that earlier Check Point researchers have already warned that criminals are keenly interested in ChatGPT, and they themselves checked whether it is easy to create malware using AI (it turned out to be very).

The post Hackers Are Promoting a Service That Allows Bypassing ChatGPT Restrictions appeared first on Gridinsoft Blog.

Check Point analysts have noticed that Russian-speaking hacker forums are actively discussing access to bypass geo-blocking, due to which the OpenAI ChatGPT language model is not available in Russia.

We also wrote that Microsoft’s VALL-E AI Is Able to Imitate a Human Voice in a Three-Second Pattern, and also that Google Is Trying to Get Rid of the Engineer Who Suggested that AI Gained Consciousness.

It was also reported that UN calls for a moratorium on the use of AI that threatens human rights.

Let me remind you that the topic of creating malware using ChatGPT is already being closely studied by the information security community, and experiments conducted by specialists show that such a use of the tool is really possible.

For example, a recent report by CyberArk details how to create polymorphic malware using ChatGPT, and the researchers plan to soon publish part of their work “for educational purposes.”

Scheme interactions between ChatGPT and malware

In fact, CyberArk managed to bypass ChatGPT content filters and demonstrated how “with very little effort and investment on the part of an attacker, you can continuously query ChatGPT, each time receiving a unique, functional and verified piece of code.”

Basic DLL injection in explorer.exe where the code is not fully completed yet

In turn, Check Point researchers warn of the rapidly growing interest of hackers in ChatGPT, as it can help them scale malicious activity. This time, it turned out that Russian-speaking attackers are trying to bypass restrictions on access to the OpenAI API. Hack forums are already sharing tips on how to bypass IP blocking, solve the problem with bank cards and phone numbers, that is, everything that is needed to gain access to ChatGPT.

To prove their words, the researchers provide several screenshots. On one of them, the criminal wants to get access to the OpenAI API and asks his “colleagues” for advice on how best to use a stolen bank card to verify an OpenAI account.

Other screenshots discuss geo-blocking bypass, as ChatGPT is not currently available in Russia, China, Afghanistan, Belarus, Venezuela, Iran, and Ukraine.

Artificial intelligence company OpenAI has restricted access to its products for Ukrainians so as not to violate global sanctions due to the annexation of ORDLO and Crimea in 2014.

This is stated in the text of Forbes with reference to a letter that the company sent to the Ministry of Digital Transformation.

The report also notes that many semi-legal online SMS services have already compiled guides on how to use them to register with ChatGPT.

The post Russian Cybercriminals Seek Access to OpenAI ChatGPT appeared first on Gridinsoft Blog.

The problem helped to disable the application, in addition, by applying certain filters to a specially created image and sending it to a potential victim, an attacker could exploit the vulnerability and gain access to confidential information from WhatsApp memory.

Back in November 2020, experts found out that switching between different filters in specially prepared GIFs caused WhatsApp to crash.

The researchers identified one of the failures as a violation of the integrity of information in memory and immediately reported the problem to the developers, who assigned the problem ID CVE-2020-1910 (7.8 on the CVSS scale), detailing it as a read/write vulnerability out of range (out-of-bounds read-write).

As a result, in February 2021, the WhatsApp developers released a revised version of the app (2.21.1.13), which introduced two new checks for original and modified images.

The root of the problem lies in the “applyFilterIntoBuffer ()” function, which works with image filters: it takes the original image, applies the filter selected by the user to it, and then copies the result to the buffer.

By reverse engineering the libwhatsapp.so library, the researchers found that the vulnerable function works based on the assumption that the original and modified images are the same dimensions and the same RGBA colour format.

Given that each RGBA pixel is stored as 4 bytes, a malicious image with only 1 byte per pixel can be used to gain out-of-bounds memory access as the function tries to read and copy four times as much data from the buffer.

Let me remind you that I also reported that Dangerous vulnerabilities in WhatsApp allowed compromising millions of users.

The post Dangerous bug in WhatsApp could lead to disclosure of user data appeared first on Gridinsoft Blog.

For a successful attack on a Kindle, just one book with malicious code is enough.

The potential attack began by sending a malicious e-book to the user’s mail. After receiving such an attachment, the victim only had to open it, and this launched the exploit. No additional user permission or action was required.

Even worse, the discovered vulnerabilities allowed attackers to target a specific category of users. For example, to hack a specific group of people or demographic group, a hacker simply had to inject malicious code into a popular e-book in the corresponding language or dialect. As a result, attacks became highly targeted.

The root of the problem lay in the structure of the parsing framework, namely the implementation associated with PDF documents. The attacks were possible thanks to a heap overflow associated with the PDF rendering feature (CVE-2021-30354), which allowed arbitrary write permissions on the device, and a local privilege escalation vulnerability in the Kindle App Manager service (CVE-2021-30355), which allowed combine two vulnerabilities into a chain to run malicious code with root privileges.

The researchers reported their findings to Amazon in February 2021, and already the April update of the Kindle firmware to version 5.13.5 contained a patch (the firmware is automatically installed on devices connected to the network).

Let me remind you that Researcher Found Three Bugs Allowing Hacking Amazon Kindle also this February.

The post Vulnerabilities in Amazon Kindle Allowed Taking Full Control of the Device appeared first on Gridinsoft Blog.

MSM is a SoC that allows devices to connect to mobile networks. It was developed back in the 90s and has been constantly improved since then, for example, it added support for 2G, 3G, 4G and 5G.

As a result, MSM has become one of the most widespread technologies in the world today, especially among smartphone manufacturers. Specifically, Qualcomm MSM chips are used in smartphones from Google, Samsung, LG, Xiaomi, One Plus and many other manufacturers.

Check Point experts say they have found a vulnerability in the Qualcomm MSM Interface (QMI), a protocol that allows SoCs to communicate with a smartphone’s operating system. This issue was identified as CVE-2020-11292.

According to experts, a modified Type-Length-Value (TLV) packets received by MSM through the QMI interface can trigger an error in memory corruption (buffer overflow), which ultimately allows attackers to execute their own code on the device.

The report of the specialists states that the exploitation of the vulnerability is impossible if the malformed TLV package is hidden inside third-party applications running in the OS (especially on Android), if the MSM component is protected by SELinux. However, it is noted that the TLV packet can be transmitted via cellular communication or multimedia content sent to the device. When unpacked, such a package can reach the vulnerable QMI.

Although currently about 40% of all smartphones in the world use Qualcomm MSM chips, only about 30% of them are vulnerable to the attacks described by experts.

Check Point told the media that it notified Qualcomm engineers of the issue last year, and in December 2020, the company released a patch for MSM that was distributed to smartphone manufacturers. While Qualcomm says it has notified all manufacturers of the bug, researchers have no idea which companies have patched their products and which have not.

Let me remind you that I also wrote that Kr00k problem threatened devices with Qualcomm and MediaTek Wi-Fi chips.

The post Qualcomm Mobile Station Modem vulnerability threatens 40% of smartphones appeared first on Gridinsoft Blog.

Check Point reports that a new trend has emerged at the beginning of 2021: not hackers do not post their “vacancies” there, but applicants themselves publish ads and inform that they are ready for any illegal activity.

According to the observations of the researchers, in the last quarter, from 10 to 16 new messages of this kind appeared on the forums every month. Given that such ads were rare in the past, this is an impressive number.

Researchers attribute this to the desperation of people who cannot find work and are experiencing financial difficulties due to the coronavirus pandemic, which has affected the global economy and led to an increase in unemployment around the world.

In the ads, desperate job seekers offer their help to cybercriminals, “promising not to ask stupid questions”, “24/7 availability” and “the desire to make money in any way.”

In their report, Check Point experts provide examples of such job search ads.

Below are a couple of such ads.

The applicant writes: “I am ready for any possible job … I am at home 24 hours a day, 7 days a week because of this pandemic.”

A 25-year-old woman from Ukraine, “experienced in fraud in logistics, sales and wholesale”, understands the risks involved in doing such work, and is looking for a position with monthly pay.

Let me remind you that I also talked about the fact that Cybercriminals fake letters from WHO to distribute HawkEye and trick money into fight with COVID-19.

The post Check Point: Desperate Job Seekers Are Ready To Work For Cybercriminals appeared first on Gridinsoft Blog.

Information security researchers from the Check Point Software team said that phishers love the Microsoft brand. 43% of all attempts at phishing attacks were associated with it – attackers tried to influence people working remotely during the second wave of the pandemic.

Top brands most frequently used in phishing attacks:

1. Microsoft (43% of all phishing attacks attempts with the use of brand names worldwide)
2. DHL (18%)
3. LinkedIn (6%)
4. Amazon (5%)
5. Rakuten (4%)
6. IKEA (3%)
7. Google (2%)
8. Paypal (2%)
9. Chase (2%)
10. Yahoo (1%)

How a brand-based phishing attack works

In a phishing attack that is using brands, criminals try to imitate the official website of a well-known company using a domain name, URL and design similar to the original website.

Victims can receive a link to the fake page via email or SMS. They can also be redirected to a phishing site while browsing the web or from a malicious mobile application. Fake sites often contain a form designed to steal credentials, billing information or other personal information.

Examples of phishing attacks using brands:

A phishing email allegedly from DHL – an example of password theft

In November, Check Point researchers noticed a malicious phishing email that used the DHL trademark. Then the attackers tried to steal user passwords. The email that came from a fake email address Parcel.docs@dhl.com contained the following text:

“RE: Your DHL Parcel (available to receive) – []”. Cybercriminals tried to trick the victim into clicking a malicious link that redirected to a fake login page. There, the user had to enter his password, which would then be sent to the attackers’ site.

Phishing email allegedly from Microsoft – an example of credential theft.

In December, Check Point researchers discovered a malicious phishing email that attempted to steal user credentials from a Microsoft Office 365 account. In the subject of the email was indicated: “Daily Document Delivery # – “, and the content that mimicked eFax. After the user clicked on the link, he was lead to another document that redirected the user to a fake Microsoft login page.

Let me remind you that I talked about cybercriminals that started using Google services more often in phishing campaigns.

The post Hackers majorly use Microsoft and DHL brands in phishing attacks appeared first on Gridinsoft Blog.

So, according to the company, about 8% of all applications in the Google Play Store use old and unsafe versions of the Play Core library. This library was created by Google and developers can embed it into their apps to interact with the official Google Play Store.

The library is very popular because it can be used to download and install updates from the Play Store, modules, language packs and even other applications.

However, earlier this year, oversecured researchers discovered a serious vulnerability in Play Core, identified as CVE-2020-8913. This bug could be exploited by a malicious application installed on the user’s device and with its help injecting dangerous code into other applications, as well as stealing confidential data, including passwords, photos, 2FA codes and much more.

A demonstration of such an attack can be seen below.

Google engineers fixed a bug with the release of Play Core 1.7.2, released in March 2020. However, according to Check Point, not all developers have updated the Play Core library in time, and now their users are at risk.

According to a September 2020 scan by Check Point, six months after the patch was released, about 13% of all apps in the Google Play Store continued to use older versions of the library, and only 5% were using an updated (secure) version.

The list of applications that “did their duty” to users and updated the library included Facebook, Instagram, Snapchat, WhatsApp and Chrome. But, unfortunately, the developers of many other large applications did not do this. Among them experts listed Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com. In total, problematic applications have been installed more than 250 million times.

Check Point researchers write that they notified the authors of all vulnerable applications about the problem, but three months later, only Viber and Booking.com took care of removing this vulnerability from their products. In turn, The Register reports that on December 2, the vulnerability was also fixed as part of Cisco Webex Teams.

Let me remind you that Google recruits a team of experts to find bugs in Android applications.

The post About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library appeared first on Gridinsoft Blog.