SentinelOne Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/sentinelone/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Russian-Speaking Hack Group Winter Vivern Attacks Governments in Europe and Asia
https://gridinsoft.com/blogs/hack-group-winter-vivern/
Mon, 03 Apr 2023 08:16:44 +0000

The Russian-speaking hack group Winter Vivern (aka TA473 in the Proofpoint classification) has been actively exploiting a vulnerability in Zimbra and has been stealing letters from NATO officials, governments, military personnel and diplomats since February 2023.

Let me remind you that we also wrote that the FBI and NSA released a statement about attacks by Russian hackers, and that the State Department offers $1 million for information on Russian hackers.

The media also wrote that, due to the sanctions, Russian hackers are looking for new ways to launder money.

In mid-March 2023, SentinelOne experts published a report on the Russian-speaking Winter Vivern group, which had been seen in attacks on government agencies in several countries in Europe and Asia, as well as on telecommunications service providers.

As analysts from Proofpoint have now reported, these same attackers are using the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to access messages from organizations and individuals associated with NATO.

According to the researchers, Winter Vivern attacks begin with the use of the Acunetix vulnerability scanner, with which hackers look for unpatched webmail platforms.

The attackers then send a phishing email from a compromised mailbox, spoofed to look as if it was written by someone the victim knows or someone connected to the target organization.

Figure: Phishing email

The emails contain a link that exploits the aforementioned CVE-2022-27926 vulnerability in the Zimbra framework and injects payloads (JavaScript) into a web page. These payloads are used to steal usernames, passwords, and tokens from cookies received from a compromised Zimbra endpoint. This allows attackers to gain full access to the victim’s mailbox.

In addition, hackers can use hacked accounts to carry out further phishing attacks and penetrate deeper into targeted organizations.

Figure: Attack scheme

Experts note that in some cases TA473 also targets RoundCube webmail request tokens. According to analysts, this only emphasizes that, before an attack, before composing phishing emails and preparing a landing page, the attackers conduct thorough reconnaissance to find out exactly what software their target is using.

At the same time, the malicious JavaScript is not only wrapped in three layers of base64 obfuscation to make analysis more difficult; the group also reuses parts of the legitimate JavaScript code that runs on regular webmail portals, so that its activity blends in with normal operations and is less likely to be detected.

Despite this, the researchers argue that Winter Vivern operations are generally not particularly sophisticated; instead, the hackers take a simple and effective approach that works even against high-value targets that are unable to install updates and patches in a timely manner. Indeed, CVE-2022-27926 was fixed back in April 2022, with the release of Zimbra Collaboration 9.0.0 P24.

Chinese Hacker Group Revealed after a Decade of Undetected Espionage
https://gridinsoft.com/blogs/chinese-hacker-group-revealed-after-a-decade-of-undetected-espionage/
Fri, 10 Jun 2022 13:23:43 +0000

The New Chinese Spying Threat Actor Identified

SentinelLabs, an American cybersecurity company, has reported on a Chinese hacking group, Aoqin Dragon, which managed to conduct successful spying operations against companies in Australia and South Asia for about ten years without being tracked.

Various cybersecurity companies had partially encountered the group’s activity in the past, but because Aoqin Dragon skillfully changed its tactics, the gang remained undetected until recently.

It has been revealed that the gang used bait documents with embedded scripts (earlier these were RTF files, until the respective vulnerabilities were fixed) thematically united by two main subjects: news and politics of the Asia-Pacific region, and porn. This allowed SentinelLabs to understand the region in which the hackers operate, and Chinese characters in the malware code gave the researchers a hint about the origin of the malefactors.

Although the techniques and practices changed throughout the decade, two things remain constant in Aoqin Dragon’s tactics: heavy use of fake removable-drive shortcuts (to start the infection by exploiting the user’s unawareness and to spread to any removable drives present), and the installation of backdoors.

Figure: Modern-day Aoqin Dragon attack scheme. Image: SentinelLabs.

The modern scheme involves the user clicking on a spoofed removable-drive icon, after which the download of the malware, an “Evernote Tray Application” DLL-hijacking file, begins. As a result, any connected removable disk gets a copy of the malware, and, upon the next system boot, a backdoor starts, allowing the hackers to roam freely throughout the compromised system.

Two backdoors, Monghall and Heyoka, are the criminals’ regular tools for deploying spyware of various kinds and conducting data theft on compromised systems.

Aoqin Dragon has been identified, but it is nowhere close to being stopped. Presumably, PRC authorities have no interest in stopping these hackers, which practically makes nation-state threat actors out of them, just as Russian special services cooperate with Russia-based hacker groups. Therefore, it is believed that Aoqin Dragon will continue its attacks under the protection of the Chinese government.

Researchers found a vulnerability that affects millions of HP, Xerox and Samsung printers
https://gridinsoft.com/blogs/vulnerability-that-affects-hp-xerox-and-samsung-printers/
Fri, 23 Jul 2021 16:01:22 +0000

In February of this year, SentinelOne experts found a 16-year-old vulnerability in the driver of HP, Xerox and Samsung printers. The problem allows attackers to gain administrator rights on systems that use vulnerable software.

The vulnerability received the identifier CVE-2021-3438 and has been present in the driver code since 2005, that is, it poses a threat to hundreds of millions of devices manufactured and sold over the past 16 years.

“This vulnerability affects a very long list of devices: more than 380 models of HP and Samsung printers, as well as at least a dozen different Xerox products,” the researchers write.

The vulnerability is described as a buffer overflow in the SSPORT.SYS driver file.

The bug can be used to elevate privileges, that is, it can help locally installed malware gain administrator-level access (only, of course, if the vulnerable driver is present on the system).

“Successful exploitation of this driver vulnerability would allow attackers to install programs, view, modify, encrypt, or delete data, and create new accounts with full user rights. Among the obvious options for the abuse of such vulnerabilities is the fact that they can be used to bypass security solutions,” says the SentinelOne report.

Experts note that on some Windows systems the vulnerable printer driver could be installed even without the user’s awareness. This could happen if a user connected one of the vulnerable printers to their PC and the driver was downloaded via Windows Update.

“Just by running the printer software, the driver gets installed and activated on the machine regardless of whether you complete the installation or cancel. Thus, in effect, this driver gets installed and loaded without even asking or notifying the user. Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot,” write the researchers.

Experts advise users to check the lists of affected devices and, if necessary, look for updates on the manufacturer’s website.

Let me remind you that I also reported that new issues were found with Windows Print Spooler.

Sarwent malware opens RDP ports on infected machines
https://gridinsoft.com/blogs/sarwent-malware-opens-rdp-ports-on-infected-machines/
Tue, 26 May 2020 16:12:00 +0000

SentinelOne experts noticed that the new version of the Sarwent malware opens RDP ports on infected computers. Researchers believe this is because the malware operators can sell access to infected hosts to other criminal groups.

Sarwent is a little-known backdoor trojan, active since 2018. Previous versions of the malware had a very limited set of functions; for example, they could download and install other malware on compromised computers.

“Sarwent has received little attention from researchers, but this backdoor malware is still being actively developed, and enforced with new commands. Updates to Sarwent malware show a continued interest in backdoor functionality such as executing PowerShell commands. Updates also show a preference for using RDP. Sarwent has been seen using the same binary signer as at least one TrickBot operator,” write SentinelOne researchers.

However, the more recent Sarwent variation has received two important updates.

First, the malware “learned” to execute custom CLI commands using the Windows Command Prompt and PowerShell. Second, Sarwent now creates a new Windows user account on infected machines, enables the RDP service, and then changes the Windows Firewall settings to allow external RDP access to the infected host.

In effect, this means that Sarwent operators can use the created account to access the infected host without being blocked by the local firewall.

Researchers note that so far the new version of Sarwent has been found only as a secondary infection, on computers already infected with other malware, for example Predator the Thief.

It is not yet clear what Sarwent operators do with RDP access on infected hosts.

“Typically, this evolution of the malware indicates a hacker’s desire to monetize the malware with new methods, or the new functionality may be determined by the needs of the customers of the attackers,” write the researchers.

That is, the group standing behind Sarwent can independently use RDP access (for example, to steal proprietary data or deploy ransomware), or hackers can rent RDP access to infected hosts to other criminals.

There is also a possibility that the RDP endpoints are put up for sale on specialized trading platforms where access to hacked networks and machines is traded (an example can be seen below).

Figure: Sarwent Opens RDP Ports

Let me remind you that, due to the pandemic, RDP and VPN usage grew by 41% and 33%.
