Tag Archive for: Untold

Don’t trust that update! Untold number of Android users duped by dangerous SpyNote trojan


Android users have been put on spyware high-alert as a banking trojan by the name of SpyNote has recently returned to the limelight.

The Android-based malware has been a background security threat for users since 2022. However, now in its third revision and with the source code of one of its variants (known as ‘CypherRat’) having leaked online in January of 2023, detections of this spyware have spiked throughout the year.

Source…

The untold history of today’s Russian-speaking hackers


Clop, a Russian-speaking hacking group specialising in ransomware, has its own website. Yes, this is a thing — criminals openly encouraging their victims to negotiate a ransom for the return of their data as though it were a legitimate commercial deal.

Using language that is both business-like and chilling, it urges users to open a dialogue, stating they have a three-day window to discuss price. It promises that the Clop team will provide some specimen files they have encrypted “as proof we are not lying”. Failure to comply means all the stolen data will be published.

As with other ransomware groups, Clop’s webpage is only accessible on the dark web via Tor (“The Onion Router”). If that sounds challenging, these days a seven-year-old would be able to access it for you in a couple of minutes. The homepage includes an indignant rant at the BBC for allegedly misreporting Clop’s activities. It finishes with an exhortation to the mainstream media: “Stop creating propaganda by crafting interesting stories. Only story is we want money for our work. If we have your business files you have to pay. Speak and be reasonable and we shake on agreement.” 

According to Mikko Hypponen, chief research officer at WithSecure in Helsinki and one of the most celebrated hunters of Russian cyber gangs, Clop “is a Russian-speaking crime group operating out of Russia and Ukraine”. Hypponen notes that since Russia’s invasion of Ukraine, the number of ransomware attacks against companies and institutions in Europe and the US that emanate from Ukraine has dropped, while those launched from inside Russia have increased.


It’s been a busy few months for Clop. In June, the group announced that it had found a vulnerability in a software product called MOVEit. This file-transfer software in turn allowed the hackers from Clop access to the digital payroll provider Zellis.

Although Boots, British Airways and the BBC were reported by the BBC itself to be among the hundreds of companies that fell victim to the massive ransomware attack that month, Clop denied harvesting data from them — hence the acrimonious exchanges with the broadcaster. Zellis issued a press release, admitting that…

Source…

SolarWinds: The Untold Story of the Boldest Supply-Chain Hack


But they had been at it only 24 hours when they found the passage they’d been looking for: a single file that appeared to be responsible for the rogue traffic. Carmakal believes it was December 11 when they found it.

The file was a .dll, or dynamic-link library—code components shared by other programs. This .dll was large, containing about 46,000 lines of code that performed more than 4,000 legitimate actions, and—as they found after analyzing it for an hour—one illegitimate one.

The main job of the .dll was to tell SolarWinds about a customer’s Orion usage. But the hackers had embedded malicious code that made it transmit intelligence about the victim’s network to their command server instead. Ballenthin dubbed the rogue code “Sunburst”—a play on SolarWinds. They were ecstatic about the discovery. But now they had to figure out how the intruders had snuck it into the Orion .dll.

This was far from trivial. The Orion .dll file was signed with a SolarWinds digital certificate, which was supposed to verify that the file was legitimate company code. One possibility was that the attackers had stolen the digital certificate, created a corrupt version of the Orion file, signed the file to make it look authentic, then installed the corrupt .dll on Mandiant’s server. Or, more alarmingly, they might have breached SolarWinds’ network and altered the legitimate Orion .dll source code before SolarWinds compiled it—converting the code into software—and signed it. The second scenario seemed so far-fetched that the Mandiant crew didn’t really consider it—until an investigator downloaded an Orion software update from the SolarWinds website. The backdoor was in it.

The implication was staggering. The Orion software suite had about 33,000 customers, some of whom had started receiving the hacked software update in March. That meant some customers might have been compromised for eight months already. The Mandiant team was facing a textbook example of a software-supply-chain attack—the nefarious alteration of trusted software at its source. In a single stroke, attackers can infect thousands, potentially millions, of machines.

In 2017 hackers had sabotaged a software supply…

Source…

A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack


“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design,…

Source…