CyberSecurity news
FlagThis - #sophos
|
securebulletin.com@Secure Bulletin
//
Sophos has revealed a significant malware campaign operating on GitHub, targeting a diverse audience, including hackers, gamers, and cybersecurity researchers. The threat actor, identified by the alias "ischhfd83," has cleverly disguised malicious code within seemingly legitimate repositories, some appearing as malware development tools and others as gaming cheats. This deceptive approach aimed to infect users with infostealers and Remote Access Trojans (RATs) like AsyncRAT and Remcos. Upon investigation, Sophos uncovered a network of 133 backdoored repositories linked to the same threat actor, indicating a widespread and coordinated effort to compromise unsuspecting individuals.
The campaign employed sophisticated techniques to enhance its credibility and evade detection. The threat actor used multiple accounts and contributors, alongside automated commits to mimic active development. Victims who compiled the code in these repositories inadvertently triggered a multi-stage infection chain. This chain involved VBS scripts, PowerShell downloads, and obfuscated Electron apps, all designed to stealthily deploy malicious payloads. By masquerading as valuable resources, such as hacking tools or game enhancements, the threat actor successfully lured users into downloading and executing the backdoored code, showcasing the campaign's deceptive effectiveness. Sophos reported the malicious repositories to GitHub, leading to the takedown of most affected pages and related malicious pastes. However, the incident highlights the importance of vigilance when downloading and running code from unverified sources. Cybersecurity experts recommend users carefully inspect code for obfuscated strings, unusual domain calls, and suspicious behavior before execution. Employing online scanners and analysis tools, as well as running untested code in isolated environments, can further mitigate the risk of infection. The discovery also underscores the growing trend of cybercriminals targeting each other, further complicating the threat landscape.
Share:
References :
Classification:
@www.bleepingcomputer.com
//
DragonForce ransomware group has been actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) software, to target managed service providers (MSPs) and their customers. This attack serves as a stark reminder of the supply chain risks inherent in relying on third-party software, particularly RMM tools which, if compromised, can grant attackers widespread access to numerous client systems. Sophos researchers uncovered that the DragonForce operator chained three specific SimpleHelp flaws, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to breach an MSP. This breach resulted in data theft and the subsequent deployment of ransomware across the MSP's customer endpoints, causing significant disruption and potential financial losses.
The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches. The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities.
Share:
References :
Classification:
info@thehackernews.com (The@The Hacker News
//
A new Android malware campaign, potentially linked to previous attacks targeting Indian military personnel, has been identified focusing on users in Taiwan. The malware, known as PJobRAT, is an Android Remote Access Trojan (RAT) that steals sensitive data. It operates by disguising itself as legitimate chat applications, tricking users into installation. Once installed, PJobRAT can extract SMS messages, phone contacts, device information, documents, and media files from infected devices, enabling deep surveillance and remote control.
Researchers at Sophos X-Ops uncovered this recent campaign, observing activity from January 2023 to October 2024. The malicious chat apps, named SangaalLite and CChat, were distributed through compromised WordPress sites. While this particular campaign may be paused, it illustrates that threat actors often retool and retarget after an initial campaign, improving their malware and adjusting their approach before striking again. Users are advised to avoid installing apps from untrusted sources and employ mobile security solutions for protection.
Share:
References :
Classification:
|