The Russian-speaking hack group Winter Vivern (aka TA473 in the Proofpoint classification) has been actively exploiting a vulnerability in Zimbra and has been stealing letters from NATO officials, governments, military personnel and diplomats since February 2023.

Let me remind you that we also wrote that the FBI and NSA release a statement about attacks by Russian hackers, and also that the State Department Offers $1 million for Info on Russian Hackers.

And also the media wrote that Due of the sanctions, Russian hackers are looking for new ways to launder money.

In mid-March 2023, SentinelOne experts submitted a report on the Russian-speaking Winter Vivern group, which was seen in attacks on government agencies in several countries in Europe and Asia, as well as on telecommunications service providers.

As analysts from Proofpoint have now reported, these same attackers are using the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to access messages from organizations and individuals associated with NATO.

According to the researchers, Winter Vivern attacks begin with the use of the Acunetix vulnerability scanner, with which hackers look for unpatched webmail platforms.

The attackers then send a phishing email from the compromised mailbox, which is spoofed to look like it was written by someone the victim knows or someone related to the target organization.

Phishing email

The emails contain a link that exploits the aforementioned CVE-2022-27926 vulnerability in the Zimbra framework and injects payloads (JavaScript) into a web page. These payloads are used to steal usernames, passwords, and tokens from cookies received from a compromised Zimbra endpoint. This allows attackers to gain full access to the victim’s mailbox.

In addition, hackers can use hacked accounts to carry out further phishing attacks and penetrate deeper into targeted organizations.

Attack scheme

Experts note that in some cases TA473 also targets RoundCube webmail request tokens. According to analysts, this only emphasizes that before attacks, compiling phishing emails and preparing a landing page, attackers conduct thorough reconnaissance and find out what exactly their target is using.

At the same time, malicious JavaScript is not only protected by three levels of base64 obfuscation to make analysis more difficult, but the grouping also uses parts of legitimate JavaScript code that runs on regular webmail portals to mix with normal operations and reduce the likelihood of detection.

Despite this, the researchers argue that in general Winter Vivern operations are not particularly sophisticated, instead hackers take a simple and effective approach that works even against high-value targets that are unable to install updates and patches in a timely manner. So, the problem CVE-2022-27926 was fixed back in April 2022, with the release of Zimbra Collaboration 9.0.0 P24.

The post Russian-Speaking Hack Group Winter Vivern Attacks Governments in Europe and Asia appeared first on Gridinsoft Blog.

SentinelLabs, an American cybersecurity company, has reported about a Chinese hacking group Aoqin Dragon, which has managed to conduct successful spying activities against companies in Australia and South Asia for about ten years without being tracked.

Different cybersecurity companies partially encountered the group’s actions in the past, but due to the Aoqin Dragon’s skillful changing of tactics, the gang remained undetected until recently.

It has been revealed that the gang used bait documents with embedded scripts (earlier these were RTF files until the respective vulnerabilities were fixed) thematically united by two main subjects: news and politics of the Asia-Pacific region and porn. This factor allowed SentinelLABS to understand the area of the hacker’s activity, and Chinese hieroglyphs in the malware code gave researchers a hint about the origin of the malefactors.

Although the techniques and practices changed throughout the decade, two things remain unchanged in the Aoqin Dragon tactics: vast usage of fake removable drives shortcuts to initiate the infection downloading via user’s unawareness, spreading to existing removable drives, and installation of backdoors.

The modern implies user clicking on the spoofed removable drive icon whereafter the download of malware, which is the “Evernote Tray Application” DLL-hijacking file begins. As a result, any connected removable disk gets a copy of the malware, and, upon the next system boot, a backdoor starts allowing hackers to go rampant throughout a compromised system.

Two backdoors, Monghall and Heyoka, are the criminals’ regular tools to implement spying malware of different nature and conduct data theft on the compromised systems.

Aoqin Dragon has been identified, but it is nothing close to being seized. Presumably, PRC authorities have no interest in stopping these hackers’ practically making nation-state threat actors out of them, just like Russian special services cooperate with Russia-originating hacker groups. Therefore, it is believed that Aoqin Dragon will go on with its attacks protected by the Chinese government.

The post Chinese Hacker Group Revealed after a Decade of Undetected Espionage appeared first on Gridinsoft Blog.

The vulnerability received the identifier CVE-2021-3438 and has been present in the driver code since 2005, that is, it poses a threat to hundreds of millions of devices manufactured and sold over the past 16 years.

The vulnerability is described as a buffer overflow in the SSPORT.SYS driver file.

The bug can be used to elevate privileges, that is, it can help locally installed malware to gain access at the administrator level (of course, only if a vulnerable driver is used on the system).

Experts note that on some Windows systems, the vulnerable printer driver could be installed even without the user’s awareness. This could happen if users connected one of the vulnerable printers to their PCs and the driver was downloaded via Windows Update.

Experts advise users to check lists of problem devices and, if necessary, look for updates on the manufacturer’s website.

Let me remind you that I also talked about the fact that New Issues Found with Windows Print Spooler.

The post Researchers found a vulnerability that affects millions of HP, Xerox and Samsung printers appeared first on Gridinsoft Blog.

Sarwent is a not-so-famous backdoor trojan, active since 2018. Previous versions of malware had a very limited set of functions, for example, they could download and install other malware on compromised computers.

“Sarwent has received little attention from researchers, but this backdoor malware is still being actively developed, and enforced with new commands. Updates to Sarwent malware show a continued interest in backdoor functionality such as executing PowerShell commands. Updates also show a preference for using RDP. Sarwent has been seen using the same binary signer as at least one TrickBot operator”, — write SentinelOne researchers.

However, the more recent Sarwent variation has received two important updates.

First, the malware “learned” to execute custom CLI commands using Windows Command Prompt and PowerShell. Secondly, Sarwent now creates a new Windows user account on infected machines, enables the RDP service, and then makes changes to the Windows Firewall settings to allow external access through RDP to the infected host.

In fact, this means that Sarwent operators can use the created account to access the infected host and will not be blocked by the local firewall.

Researchers note that so far the new version of Sarwent has been found only as a secondary infection when computers were infected with another malware, for example, Predator the Thief.

It is not yet clear what Sarwent operators do with RDP access on infected hosts.

“Typically, this evolution of the malware indicates a hacker’s desire to monetize the malware with new methods, or the new functionality may be determined by the needs of the customers of the attackers”, – write the researchers.

That is, the group standing behind Sarwent can independently use RDP access (for example, to steal proprietary data or deploy ransomware), or hackers can rent RDP access to infected hosts to other criminals.

There is also a possibility that RDP endpoints are put up for sale on special trading platforms where they trade access to hacked networks and machines (an example can be seen below).

Let me remind you that due to pandemic, RDP and VPN usage grew by 41% and 33%.

The post Sarwent malware opens RDP ports on infected machines appeared first on Gridinsoft Blog.