Tag Archive for: dangerous.

Dangerous Windows 10, 11, Server Zero-Day Exploited By Lazarus Hackers


The notorious and highly prolific North Korean Lazarus criminal hacking group has been exploiting an admin-to-kernel privilege escalation Windows security flaw using an updated version of its FudModule rootkit.

What Is CVE-2024-21338 And Why Is It So Dangerous?

In a detailed analysis of the exploit, Lazarus and the FudModule Rootkit, Jan Vojtěšek from the Avast Threat Labs explains how researchers found the exploit for this previously unknown zero-day vulnerability in the Windows appid.sys AppLocker driver.

Although the vulnerability itself, which is monitored as CVE-2024-21338, was reported to Microsoft by Avast in August 2023 along with a proof-of-concept exploit, it wasn’t patched until the February 13 Patch Tuesday updates were made available. However, when the updates were distributed, CVE-2024-21338 wasn’t listed as a zero-day with exploits in the wild.

“From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities,” Vojtěšek says. “With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes,) disable kernel-mode telemetry, turn off mitigations, and more.”

As for the FudModule rootkit, Vojtěšek says this represents “one of the most complex tools Lazarus holds in their arsenal.”

Microsoft Issued Fix As Part Of February Patch Tuesday

Microsoft has now published an updated security advisory recognizes this as a zero-day vulnerability.

Impacting various versions of Windows 10, Windows 11 and Windows Server, users are advised to check the updated security advisory and apply the patch if they have not already done so.

That Microsoft has now issued a patch for this vulnerability means, the Avast analysis says, that Lazarus’ offensive operations will undoubtedly be disrupted.

“While discovering an admin-to-kernel zero-day may not be as challenging as discovering a zero-day in a more attractive attack surface (such as standard user-to-kernel, or even sandbox-to-kernel),” Vojtěšek concludes, “we believe that finding…

Source…

Beware of this ‘dangerous’ Chrome app that can automatically steal your passwords and photos


A team of researchers have found malware that, once installed on any Android device, can automatically steal users’ data like photos, passwords and chats. It is a new variant of MoqHao (also referred to as Wroba and XLoader), which is a well-known Android malware family. Recently, the McAfee Mobile Research Team found that MoqHao has begun distributing this ‘new dangerous’ variant via SMS links.

What makes this malware dangerousAccording to the report, the hackers send a link to download the malicious app via SMS. While a typical MoqHao malware requires users to install and launch the app, this variant requires little execution from the users’ side. When the app is installed, hackers’ malicious activity starts automatically.

The malware disguises itself as ‘Chrome’ that can fool Android users into downloading the app. Once downloaded, the malware requests users to set itself as the default SMS app with prompts in various languages like Hindi, English, French, Japanese and German.

“Also, the different languages used in the text associated with this behaviour suggests that, in addition to Japan, they are also targeting South Korea, France, Germany, and India,” McAfee said.

How this malware worksThe hackers use social engineering techniques to convince users to set this malicious app as the default app. They show messages just like the way a legitimate app would flash. This message is fake and is used to make users believe that they have downloaded a legitimate app.

How to spot the malware-laden Chrome app
This app has an italic ‘r’ and asks users to let the app always run in the background. Google Chrome doesn’t ask for such permission. Furthermore, any link that comes via an SMS is a red flag and must not be clicked.

McAfee said that the company has already reported this technique to Google and the company is “already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version.”

Expand


The Google Chrome app is available to download from Google Play Store and it is advised that users download all apps from the official store. Android users are protected by Google Play Protect, which is on by default on Android devices with…

Source…

Chinese hacking operations have entered a far more dangerous phase, US warns


China’s cyber activity is moving beyond the last decade’s spying and data theft toward direct attacks on U.S. critical infrastructure, the directors of the FBA, NSA, and the Cybersecurity and Infrastructure Security Agency, or CISA, told lawmakers on Wednesday. 

The Volt Typhoon hacking group is planting malware on network routers and other internet-connected devices that, if triggered, could disrupt water, power, and rail services, possibly causing widespread chaos or even injuring and killing Americans, they said. 

While Russia is known for cyber attacks that cause real-world harm—for example, targeting U.S. political campaigns and Ukrainian power plants—China is viewed as far more risk-averse. It’s best known for cyber theft, of intellectual property or government information, such as the Office of Personnel Management hack uncovered in 2015. But Volt Typhoon, which Microsoft revealed last May, represents something far more threatening. 

At a meeting with reporters last week, a senior NSA official put the issue in starker terms. 

“They’re in places that they are not there for intelligence purposes. They are not there for financial gain. Those are two hallmarks of Chinese intrusions in other sets and other lanes,” the official said. 

China is still undertaking those activities, “but this is unique in that it’s prepositioning on critical infrastructure, on military networks, to be able to deliver effects at the time and place of their choosing so that they can disrupt our ability to support military activities or to distract us, to get us to focus on, you know, a domestic incident at a time when something’s flaring up in a different part of the world and they don’t want us facing the foreign aspects of that,” the official said.

FBI Director Christopher Wray underscored the seriousness to lawmakers on the House Select Committee on the CCP on Wednesday. 

“There has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure, our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems, and the risk that poses to every American requires our attention. Now, China’s…

Source…

5 Most Dangerous New Hacking Techniques



Increasing Militarization Of The Internet

The rise of Stuxnet, Flame, Gause, the Olympic Games operations and Shamoon have all shed light on the issue of nation-state driven cyberwarfare and cyberespionage activities. Now that we are in cyberspace, we have another domain for humans to occupy and dominate, according to Ed Skoudis, founder of Counter Hack Challenges.

Skoudis told RSA Conference 2013 attendees that he worries about some of the risks of taking action over the Internet. Many of the nation-state driven activities could have a tremendous impact on the private sector, he said. “It could have a cascading impact,” he said. “It is possible that every cyberaction could cause bigger problems than people think.” Some of the techniques outlined by Skoudis and Johannes Ullrich, chief research officer at the SANS Institute are not new, but they are being ramped up by cybercriminals to become a serious problem.

Here’s a look at the five most dangerous new hacking techniques that concern top security experts Ullrich and Skoudis.


Rise Of Offensive Forensics

Anti-forensics is the process of cybercriminals getting into a targeted environment and hacking the forensics tools themselves. Offensive forensics is taking forensics techniques and analyzing file systems and memory in-depth then combing them for information assets and extracting them.


Mis-Attribuiton

The industrial processes used to build Stuxnet and other malware provides unique fingerprints for malware analysis investigators to categorize it. Coding styles down to machine level language can indicate a specific threat actor. A nation-state backed cybercriminal that doesn’t want to get noticed may place phony clues in malware to shake off investigators, Skoudis said. The catastrophic attack on Saudi Aramco via Shamoon infections on that company’s workstations had some…

Source…