Summary:
During the Black Hat Asia conference, a security researcher detailed a two-year-long campaign conducted by an advanced persistent threat gang known as SideWinder which they have been tracking since 2017. The APT group has conducted approximately 1,000 raids and leveraged complex and increasingly sophisticated attack methods including multiple layers of malware, additional obfuscation, and memory-resident malware that leaves researchers little evidence to work on.
The group's main initial access vector is spear-phishing email with malware-laced attachments sent to a curated list of targets. The group does not use zero-day exploits; instead it relies on known Windows and Android vulnerabilities.
Although the initial research linked SideWinder to India, attribution of this threat actor has become more challenging over the years.
Insights:
The researcher highlighted that SideWinder APT stands apart from other APT groups due to its large toolset that includes many different malware families, various new spear-phishing documents, and a very large infrastructure. In addition, SideWinder showcases dogged persistence and a high volume of activity.
The group has also been observed switching tactics when a first attempt fails to infiltrate the victim. They remain careful and innovative in approaching targets and make sure they gain a foothold. In one such instance, the group sent a spear-phishing email carrying a malicious payload but no email body. Shortly afterwards, a second spear-phishing email arrived containing an apology letter for the previous message, this time with a different malicious payload embedded in the document. All of this was done to make sure they gained a foothold in the victim's environment.
A group of pro-Russian hackers who go by the name "Killnet" have announced that they "declare war" and intend to launch global cyberattacks against 10 countries, including the UK, for standing up to Vladimir Putin's war in Ukraine.
The other countries named as targets by the Russian-linked group are the US, Germany, Italy, Latvia, Romania, Lithuania, Estonia, Poland, and Ukraine.
The development follows Killnet's failed cyberattack against the Eurovision online voting system during the Eurovision Song Contest, which the Italian police claimed to have disrupted. Killnet's announcement on Monday, however, dismissed that claim as false and called them the "deceitful police of Italy". In the same announcement, the Italian police were added to the target list alongside the 10 countries mentioned above.
Killnet also claimed responsibility for the website of the cyber arm of the Italian police appearing to be offline.
Summary:
A security researcher has recently disclosed multiple bugs that he chained together to take over Facebook accounts linked to a Gmail account. The researcher, who reported the issue to Facebook, detailed each bug and the steps to take over an account in his report, which includes:
Insights:
The issue was reported to Facebook and was reportedly fixed in February. Although the takeover results from chaining multiple bugs, the major ones in the researcher's report stem from behaviour that is intended by design: an XSS bug in a Facebook sandbox domain, and a second bug that allows sensitive information to be shared with that sandbox domain.
According to the researcher, the exploitation was demonstrated only against Facebook users who signed up with a Gmail account, which uses an OAuth flow to authenticate users to Facebook. The researcher notes, however, that it was possible to target all Facebook users.
Summary:
Several researchers, including the NSA, are warning about a widespread critical vulnerability in Zyxel's firewall product line that is being exploited by hackers. One researcher reported seeing exploitation attempts starting on May 13. The vulnerability is an OS command injection flaw affecting Zyxel firewalls that support Zero Touch Provisioning (ZTP), which includes the ATP series, the VPN series, and the USG FLEX series. An attacker who successfully exploits an affected system could modify specific files and then execute OS commands on the vulnerable device.
Insights:
After the disclosure, Zyxel patched the vulnerability in April; however, various researchers have since reported it being exploited in the wild. Researchers have seen approximately 20,800 Zyxel firewall devices exposed to the internet that are potentially affected by this vulnerability. The majority of the affected devices are in Europe: France (4.5K) and Italy (4.4K).
The researcher who originally discovered the issue and reported it to Zyxel was fairly critical of how the vendor handled the vulnerability. Zyxel patched the issue without publishing an associated CVE, despite the researcher proposing coordinated disclosure. Releasing a patch in this way is more or less equivalent to releasing details of the vulnerability, since it is fairly trivial for attackers to reverse the patch and learn the precise exploitation details.