Tag Archive for: Exploits

Price of zero-day exploits rises as companies harden products against hackers


Tools that allow government hackers to break into iPhones and Android phones, popular software like the Chrome and Safari browsers, and chat apps like WhatsApp and iMessage, are now worth millions of dollars — and their price has multiplied in the last few years as these products get harder to hack.

On Monday, startup Crowdfense published its updated price list for these hacking tools, which are commonly known as “zero-days,” because they rely on unpatched vulnerabilities in software that are unknown to the makers of that software. Companies like Crowdfense and one of its competitors Zerodium claim to acquire these zero-days with the goal of re-selling them to other organizations, usually government agencies or government contractors, which claim they need the hacking tools to track or spy on criminals.

Crowdfense is now offering between $5 and $7 million for zero-days to break into iPhones, up to $5 million for zero-days to break into Android phones, up to $3 million and $3.5 million for Chrome and Safari zero-days respectively, and $3 to $5 million for WhatsApp and iMessage zero-days.

In its previous price list, published in 2019, the highest payouts that Crowdfense was offering were $3 million for Android and iOS zero-days.

The increase in prices comes as companies like Apple, Google, and Microsoft are making it harder to hack their devices and apps, which means their users are better protected.

“It should be harder year over year to exploit whatever software we’re using, whatever devices we’re using,” said Dustin Childs, who is the head of threat awareness at Trend Micro ZDI. Unlike Crowdfense and Zerodium, ZDI pays researchers to acquire zero-days, then reports them to the companies affected with the goal of getting the vulnerabilities fixed.

“As more zero-day vulnerabilities are discovered by threat intelligence teams like Google’s, and platform protections continue to improve, the time and effort required from attackers increases, resulting in an increase in cost for their findings,” said Shane Huntley, the head of Google’s Threat Analysis Group, which tracks hackers and the use of zero-days.

In a report last month, Google said it saw hackers use 97 zero-day…

Source…

Vedalia APT Group Exploits Oversized LNK Files to Malware


The Vedalia Advanced Persistent Threat (APT) group, also known by its alias Konni, has been distributing malware using an innovative technique involving oversized LNK files.

This method marks an evolution in the group’s operational tactics, aiming to bypass conventional security measures and compromise targeted systems.

Broadcom recently published a blog post stating that the Vedalia APT group has utilized huge LNK files in their latest malware campaign.

Key Highlights of the Campaign

  • Innovative Delivery Mechanism: The Vedalia APT group has ingeniously utilized LNK files with double extensions, effectively masking the malicious .lnk extension. This tactic deceives users into believing the files are harmless, increasing the likelihood of execution.
  • Obfuscation through Whitespace: A notable characteristic of these LNK files is the excessive use of whitespace. This technique is designed to hide the malicious command lines embedded within, making detection by security software and analysts more challenging.
  • Bypassing Security Defenses: The embedded command line script within the LNK files is crafted to search for and execute PowerShell commands. This approach is specifically chosen to evade detection mechanisms. It leverages PowerShell’s legitimate system functions to locate and deploy the embedded malicious files and payload.

File-based detections

  • CL.Downloader!gen20
  • Scr.Mallnk!gen13
  • Trojan.Gen.NPE
  • WS.Malware.1

Implications and Recommendations

The Vedalia APT group’s adoption of oversized LNK files for malware delivery underscores the evolving landscape of cyber threats.

Organizations and individuals are advised to remain vigilant, update their security solutions, and educate users about the risks of opening files from unknown sources.

This campaign by the Vedalia APT group serves as a reminder of the continuous innovation among cyber adversaries.

By staying informed and proactive, organizations…

Source…

UnitedHealth Exploits an ‘Emergency’ It Created


Last Thursday, the medical colossus UnitedHealthcare applied for an emergency exemption that would fast-track its takeover of a medical practice in Corvallis, Oregon, in a letter warning regulators that the practice might close its doors if the merger were not approved right away.

Although the specific reason for the exemption request is redacted from the publicly posted version of the application, a clinic insider says the “emergency” is the same one that has plunged thousands of other health providers across the nation into a terrifying cash crunch: the weeks-long outage of UnitedHealth’s Change Healthcare clearinghouse and claims processing systems, which has halted the flow of information that enables physicians, hospitals, and other health care providers to get paid for their work. 

“Our claims processing goes through [Change], so all of a sudden there was no money coming in,” the insider, an employee of The Corvallis Clinic who did not want to be identified for fear of jeopardizing the transaction, told the Prospect. The clinic’s shareholders, who include more than half of its 110 physicians and one of its behavioral health providers, worked without pay last week in order to “scrape together enough money to pay the staff,” the insider said, but on Thursday the shareholders explained that they weren’t sure they would be able to open the doors Monday without an emergency cash injection. “They’re praying that the sale’s going to go through and that Optum will front them the money.”

The situation underscores the perverse state of affairs in which UnitedHealth, which comprises some 2,642 separate companies that collectively raked in $371.6 billion last year, has arguably profited from the desperation that the hacking of its Change computer systems in late February has inflicted upon the health care system. An estimated half of all health care transactions are processed or somehow otherwise touched by Change, a rollup of dozens of health care technology firms that provide 137 software applications that have been affected by the outage. 

Every dollar in revenue that has disappeared from hospitals, medical…

Source…

Magnet Goblin Exploits 1-Day Ivanti Vulnerabilities


Security researchers have uncovered a trend involving the exploitation of 1-day vulnerabilities, including two in Ivanti Connect Secure VPN. 

The flaws, identified as CVE-2023-46805 and CVE-2023-21887, were quickly exploited by multiple threat actors, leading to various malicious activities. Tracking these exploits, the Check Point Research (CPR) team said it encountered a cluster of activities attributed to a threat actor dubbed Magnet Goblin.

The actor has been observed methodically leveraging 1-day vulnerabilities, particularly targeting edge devices like the Ivanti Connect Secure VPN. Magnet Goblin uses custom Linux malware to pursue financial gain. 

These exploits involve the deployment of malware via a range of methods, including the exploitation of vulnerabilities in Magento, Qlik Sense and potentially Apache ActiveMQ.

Detailed in an advisory published on Friday, the researchers’ investigation revealed a sophisticated infrastructure behind Magnet Goblin’s operations. They found evidence of the deployment of payloads such as WARPWIRE JavaScript credential stealers and Ligolo tunneling tools. 

Furthermore, the threat actor’s activities extended beyond Linux environments, with some instances targeting Windows systems using tools like ScreenConnect and AnyDesk, suggesting a wide-ranging and adaptable approach.

CPR said the analysis of NerbianRAT variants sheds light on the intricacies of the malware’s operation. From initialization to command-and-control, the malware exhibits a sophisticated design, allowing for flexibility in executing various actions on infected machines. Additionally, MiniNerbian, a simplified version of NerbianRAT, further showcases the threat actor’s adaptability and stealthy tactics.

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian,” warned CPR.

“Those tools have operated under the radar as they mostly reside on edge devices. This is part of an ongoing trend for threat actors to target areas which until now have been…

Source…