Search the Community
Showing results for tags 'ravie lakshmanan'.
Microsoft on Friday shared more of the tactics, techniques, and procedures (TTPs) adopted by the Russia-based Gamaredon hacking group to facilitate a barrage of cyber espionage attacks aimed at several entities in Ukraine over the past six months. The attacks are said to have singled out government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit organizations with the main goal of exfiltrating sensitive information, maintaining access, and leveraging it to move laterally into related organizations. The Windows maker's Threat Intelligence Center (MSTIC) is tracking the cluster under the moniker ACTINIUM (previously as DEV-0157), sticking to its tradition of identifying nation-state activities by chemical element names. The Ukrainian government, in November 2021, publicly attributed Gamaredon to the Russian Federal Security Service (FSB) and connected its operations to the FSB Office of Russia in the Republic of Crimea and the city of Sevastopol. It's worth pointing out that the Gamaredon threat group represents a unique set of attacks divorced from last month's cyber offensives that knocked out multiple Ukrainegovernment agencies and corporate entities with destructive data-wiping malware disguised as ransomware. The attacks primarily leverage spear-phishing emails as an initial access vector, with the messages carrying malware-laced macro attachments that employ remote templates containing malicious code when the recipients open the rigged documents. In an interesting tactic, the operators also embed a tracking pixel-like "web bug" within the body of the phishing message to monitor if a message has been opened, following which, the infection chain triggers a multi-stage process that culminates in the deployment of several binaries, including — PowerPunch – A PowerShell-based dropper and downloader used to retrieve the next-stage executables remotely Pterodo – A constantly evolving feature-rich backdoor that also sports a range of capabilities intended to make analysis more difficult, and QuietSieve – A heavily-obfuscated .NET binary specifically geared towards data exfiltration and reconnaissance on the target host This is far from the only intrusion staged by the threat actor, which also struck an unnamed Western government organization in Ukraine last month via a malware-laced resume for an active job listing with the entity posted on a local job portal. It also targeted the country's State Migration Service (SMS) in December 2021. The findings also arrive as Cisco Talos, in its continuing analysis of the January incidents, disclosed details of an ongoing disinformation campaign attempting to attribute the defacement and wiper attacks to Ukrainian groups that date back at least nine months. Via thehackernews.com
As many as 13 security vulnerabilities have been discovered in the Nucleus TCP/IP stack, a software library now maintained by Siemens and used in three billion operational technology and IoT devices that could allow for remote code execution, denial-of-service (DoS), and information leak. Collectively called "NUCLEUS:13," successful attacks abusing the flaws can "result in devices going offline and having their logic hijacked," and "spread[ing] malware to wherever they communicate on the network," researchers from Forescout and Medigate said in a technical report published Tuesday, with one proof-of-concept (PoC) successfully demonstrating a scenario that could potentially disrupt medical care and critical processes. Siemens has since released security updates to remediate the weaknesses in Nucleus ReadyStart versions 3 (v2017.02.4 or later) and 4 (v4.1.1 or later). Primarily deployed in automotive, industrial, and medical applications, Nucleus is a closed-source real-time operating system (RTOS) used in safety-critical devices, such as anesthesia machines, patient monitors, ventilators, and other healthcare equipment. The most severe of the issues is CVE-2021-31886 (CVSS score: 9.8), a stack-based buffer overflow vulnerability affecting the FTP server component, effectively enabling a malicious actor to write arbitrary code, hijack the execution flow, and achieve code execution, and in the process, take control of susceptible devices. Two other high-severity vulnerabilities (CVE-2021-31887 and CVE-2021-31888), both impacting FTP servers, could be weaponized to achieve DoS and remote code execution. Real-world attacks leveraging the flaw could hypothetically impede the normal functioning of automated train systems by sending a malicious FTP packet, causing a Nucleus-powered controller to crash, in turn, preventing a train from stopping at a station and causing it to collide with another train on the track. ForeScout's telemetry analysis has revealed closed to 5,500 devices from 16 vendors, with most of the vulnerable Nucleus devices found in the healthcare sector (2,233) followed by government (1,066), retail (348), financial (326), and manufacturing (317). The disclosures mark the seventh time security weaknesses have been discovered in the protocol stacks that underpin millions of internet-connected devices. It's also the fifth study as part of a systematic research initiative called Project Memoria aimed at analyzing the security of TCP/IP network communication stacks — URGENT/11 Ripple20 AMNESIA:33 NUMBER:JACK NAME:WRECK INFRA:HALT In an independent advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged users to take defensive measures to mitigate the risk of exploitation of these vulnerabilities, including minimizing network exposure for all control system devices, segmenting control system networks from business networks, and using VPNs for remote access. Via thehackernews.com