Microsoft unmasks Russia-linked ‘GooseEgg’ malware

/in


Researchers at Microsoft say they have uncovered a malicious tool used by Russian state-sponsored hackers to steal credentials in compromised networks.

The malware, named GooseEgg, exploits a vulnerability labeled CVE-2022-38028 in the Windows Print Spooler service, which manages printing processes. The researchers say GooseEgg appears to be exclusive to a group it tracks as Forest Blizzard, which is associated with Russia’s military intelligence agency, the GRU. 

According to the report, Forest Blizzard  — as also known as Fancy Bear and APT28 — has been deploying the malware since at least June 2020 against state, nongovernmental, education and transportation organizations in Ukraine, Western Europe and North America.

“The use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers,” researchers said.

Microsoft has observed that after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the network. GooseEgg itself is a simple launcher application, but it allows attackers to undertake other actions such as remote code execution, installing a backdoor and laterally moving through compromised networks. 

The company patched the Print Spooler security flaw in 2022. “Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security,” Microsoft said. 

In addition to CVE-2022-38028, Forest Blizzard exploits other bugs, such as CVE-2023-23397, which affects all versions of Microsoft Outlook software on Windows devices.

Earlier in December, Microsoft warned that Forest Blizzard has been attempting to use the Microsoft Outlook bug to gain unauthorized access to email accounts within Microsoft Exchange servers since as early as April 2022. 

The GRU hackers typically target strategic intelligence assets such as government, energy, transportation and nongovernmental organizations in the U.S., Europe, and the Middle East.

Microsoft has also observed Forest Blizzard targeting media organizations, information technology companies, sports organizations and educational institutions.

Get more…

Source…

Hackers are threatening to leak World-Check, a huge sanctions and financial crimes watchlist

/in


A financially motivated criminal hacking group says it has stolen a confidential database containing millions of records that companies use for screening potential customers for links to sanctions and financial crime.

The hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March and are threatening to publish the data online.

World-Check is a screening database used for “know your customer” checks (or KYC), allowing companies to determine if prospective customers are high risk or potential criminals, such as people with links to money laundering or who are under government sanctions. The hackers told TechCrunch that they stole the data from a Singapore-based firm with access to the World-Check database, but did not name the firm.

A portion of the stolen data, which the hackers shared with TechCrunch, includes individuals who were sanctioned as recently as this year.

Simon Henrick, a spokesperson for the London Stock Exchange Group, which maintains the database, told TechCrunch: “This was not a security breach of LSEG/our systems. The incident involves a third party’s data set, which includes a copy of the World-Check data file. This was illegally obtained from the third party’s system. We are liaising with the affected third party, to ensure our data is protected and ensuring that any appropriate authorities are notified.”

LSEG did not name the third-party company, but did not dispute the amount of data stolen.

The portion of stolen data seen by TechCrunch contains records on thousands of people, including current and former government officials, diplomats, and private companies whose leaders are considered “politically exposed people,” who are at a higher risk of involvement in corruption or bribery. The list also contains individuals accused of involvement in organized crime, suspected terrorists, intelligence operatives and a European spyware vendor.

The data varies by record. The database contains names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers, and more.

World-Check is currently owned by the London Stock Exchange Group following…

Source…

Androxgh0st Malware Compromises Servers Worldwide for Botnet Attack

/in


Veriti Research has discovered a surge in attacks from operators of the Androxgh0st malware family, uncovering over 600 servers compromised primarily in the U.S., India and Taiwan.

According to Veriti’s blog post, the adversary behind Androxgh0st had their C2 server exposed, which could allow for a counterstrike by revealing the impacted targets. The researchers then went on to alert the victims.

Further research revealed that Androxgh0st operators are exploiting multiple CVEs, including CVE-2021-3129 and CVE-2024-1709 to deploy a web shell on vulnerable servers, granting remote control capabilities. Moreover, evidence suggests active web shells associated with CVE-2019-2725

Androxgh0st Malware Compromises Servers Worldwide, Building Botnets for Attacks
Image: Veriti

Androxgh0st Threat Actor Ramps Up Activity

Hackread.com has been tracking Androxgh0st operations since was first noticed in December 2022. The malware operator is known for deploying Adhublika ransomware and was previously observed communicating with an IP address associated with the Adhublika group.

Androxgh0st operators prefer exploiting Laravel applications to steal credentials for cloud-based services like AWS, SendGrid, and Twilio. They exploit vulnerabilities in Apache web servers and PHP frameworks, deploying webshells for persistence. 

However. their recent focus seems to be building botnets to exploit more systems. Recently, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) advisory, warning about Androxgh0st constructing a botnet to carry out credential theft and establish backdoor access. 

Last year, Cado Security Ltd. revealed the details of a Python-based credential harvester and a hacking tool called Legion, linked to the AndroxGh0st malware family. Legion is designed to exploit email services for abuse.

The Way Forward

Veriti’s research goes onto show the importance of proactive exposure management and threat intelligence in cyber security. Organizations must regularly update their security measures, including patch management for known vulnerabilities, strong web shell deployment monitoring, and behavioural analysis tools to prevent breaches and protect against similar vulnerabilities.

  1. Russian Hackers Hit…

Source…

Carpetright is latest British business to be hit by cyber attack as hackers target company HQ to affect hundreds of customer orders

/in


  •  Hackers targeted the company HQ in Purfleet, Essex on Tuesday



Flooring chain Carpetright is the latest British business to be hit by a cyber attack affecting hundreds of customer orders. 

Hackers targeted the company HQ in Purfleet, Essex on Tuesday, sending malware to gain unauthorised access. 

Carpetright’s network was taken offline due to the cyber attack but bosses insist that the virus was isolated before any data was swiped. 

However phone lines are still down with callers met with the automated message ‘Thank you for your patience while we work on a solution’.

Staff and hundreds of customers were affected by the malicious virus with employees reportedly unable access their payroll information.   

Flooring chain Carpetright is the latest British business to be hit by a cyber attack affecting hundreds of customer orders (file pic)
Hackers targeted the company HQ in Purfleet, Essex on Tuesday, sending malware to gain unauthorised access (stock photo)

A source told The Sun: ‘Some staff networks were taken down including the portals that workers use to book time off and look at payslips.

‘It happened abruptly and was worrying because customers couldn’t get through to helplines.

READ MORE: Hackers publish NHS patients’ data after cyber attack including names, addresses and medical conditions – as they vow to post thousands more unless ransom is paid

‘Everything at HQ was taken offline as that was the best way to stop the attack spreading to customer data.’

A spokesperson for Carpetright said: ‘We would like to apologise for any inconvenience caused.

‘We are not aware of any customer or colleague data being impacted by this incident and are testing and resetting systems, with investigations ongoing.’

The cyber attack at the flooring chain comes after hackers managed to access a ‘small number’ of patients’ data last month. 

Ransomware group – INC Ransom – targeted NHS Dumfries and Galloway and claimed it was in possession of three terabytes of data from NHS Scotland.

A post on its dark web blog included a ‘proof pack’ of some of the data, which was…

Source…