A new UEFI rootkit called CosmicStrand has been uncovered intercepting the boot sequence and introducing malicious logic into it. It’s said to have been used at least since 2016, predating all other UEFI rootkits discovered to date: LoJax, MosaicRegressor, TrickBoot, FinFisher, ESPecter, and MoonBounce. Victimology patterns have offered little to no clues about the threat actor and their objective.
The Unified Extensible Firmware Interface (UEFI), which connects a computer’s operating system with the firmware of the underlying hardware, is the first code to run during a computer’s booting sequence, ahead of the operating system and the security software installed in the machine. Therefore, malware planted in the UEFI firmware image is not only difficult to identify but is also extremely persistent as it cannot be removed by reinstalling the operating system or by replacing the storage drive.
What’s trending in security?
🚩 The Russian hacking group Turla released an Android app as a digital booby trap that seemingly aims to help pro-Ukrainian hackers launch DoS attacks against Russian networks. The malware false-flag, which was actually designed to scope out potential attackers, was flagged by the Google Threat Analysis Group (TAG). [The Hacker News]
🔑 An ongoing malware campaign dubbed Ducktail has been targeting individuals and organizations using Facebook’s business and advertising platform. Targets are carefully scouted and phished via LinkedIn to distribute a bespoke info-stealer designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account to which the victim has sufficient access. The goal is to use the hijacked business accounts to make money by pushing out ads.
The findings are yet another indicator of how threat actors are increasingly leveraging legitimate services offered by Discord and Telegram to conduct cybercrime. Besides being used for distributing malware and exfiltrating data, the services also obviate the need for maintaining dedicated infrastructure, compromised websites or otherwise, that can be taken down. [The Hacker News]
🔍 NSO Group may have attracted infamy for marketing its Pegasus hacking tool in recent years. But it’s far from the only company dabbling in the murky and unregulated surveillance-for-hire industry that’s increasingly come under the spotlight. Joining this list is an Austrian private-sector offensive actor called DSIRF (aka KNOTWEED) that leveraged several zero-day flaws in Windows to plant a backdoor called Subzero. The development is the latest to take aim at the scourge of mercenary spyware sold by private companies, prompting Apple, Google, and Microsoft to enter a cat-and-mouse game of rolling out mitigations and countermeasures for flaws exploited as zero-days. [The Hacker News]
📍 In yet another case of rampant and unbridled surveillance, new documents obtained by the American Civil Liberties Union (ACLU) showed that U.S. government agencies such as Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), and the Department of Homeland Security (DHS) purchased 336,000 smartphone-generated location points across North America from 2017 to 2019, with data coming from Venntel and Babel Street, two location data brokers that capture the information from smartphone apps without users’ consent. The warrantless bulk purchase of access to people’s sensitive location information first came to light in 2020. Governments in the E.U. are also exploring similar data collection practices for what they claim is essential for national security and fighting crime. [ACLU / Politico]
📧 Phishing continues to be the plague of enterprises and a primary means for threat actors to compromise user systems and open the door to malicious payloads. But Microsoft’s decision to clamp down on macros — which are used for automating frequently used tasks in Office — by default has spurred threat actors to find other ways to get around the protections and deliver malware. Key to this shift is using filetypes such as ISO, RAR, and LNK. [The Hacker News]
☢️ The Spanish police announced the arrest of two hackers believed to be responsible for cyberattacks on the country’s radioactivity alert network (RAR), which took place between March and June 2021. The intrusions are said to have disabled more than one-third of the sensors that are used to monitor excessive radiation levels across the country. [The Hacker News]
🖼️ Tech companies should push ahead with a controversial technology called client-side scanning that checks for child abuse imagery on users’ phones, Ian Levy, the NCSC’s technical director, and Crispin Robinson, the technical director of cryptanalysis at GCHQ, said in a new paper. [The Guardian / The Register]
🎚 A Russia-based ransomware command and control network has been found to have a foothold in at least one U.S. host located in the state of Ohio, in a rare instance where evidence has been unearthed related to how the infrastructure is set up prior to the attacks. [Censys]
💵 Researchers have unearthed extensive similarities between the latest version of LockBit ransomware and BlackMatter. LockBit 3.0, which comes with the slogan “Make Ransomware Great Again!,” is also notable for offering the first ransomware bug bounty program. The improvements to anti-analysis and obfuscation capabilities are part of continued efforts from cybercriminals to stay ahead in the extortion game and get better at what they do without attracting any attention. With the recent disbanding of cybercrime syndicate Conti, the latest version puts LockBit at the forefront of the ransomware landscape. It also signifies the growing use and increased sophistication of the ransomware-as-a-service (RaaS) model. [The Hacker News / VentureBeat]
🔐 GitHub announced the general availability of an enhanced 2FA experience on NPM, the popular JavaScript package manager, in addition to allowing developers to connect their Twitter and GitHub accounts as a recovery method. [GitHub]
💲 A new hack-for-hire actor called the Atlas Intelligence Group (A.I.G.), aka Atlantis Cyber-Army, has been growing rapidly since May 2022 and offering a range of services for sale, including exclusive leaked databases, DDoS attacks, and initial access to organizations of interest for pricing ranging from €15 to €1,000. It works by outsourcing specific aspects of an attack to “mercenaries” who have no further knowledge about the full extent of the campaign, giving the operators a high level of operations security (OPSEC). As if that’s not enough, each campaign is said to involve a different set of hired guns. What’s more, the cybergang claims to have connections with people in several law enforcement entities in Europe to gather sensitive information. [Cyberint]
⚠️ According to IBM’s Cost of a Data Breach 2022, the global average cost of a data breach soared to an all-time high of $4.35 million. The report analyzed 550 businesses impacted by data breaches between March 2021 and March 2022. On average, companies required 277 days to identify (207 days) and contain (70 days) data breaches, down from 287 days in 2021, and 83% of companies had suffered more than one breach. Separate research from Unit 42, meanwhile, found that attackers typically start scanning for vulnerable endpoints within 15 minutes of public disclosure. What’s more, the amount of time malicious intruders are spending inside victims’ networks (aka dwell time) is increasing, going from 11 days to 15, providing them with the ability to carry out higher complexity campaigns and more damaging cyberattacks. [IBM / Unit 42 / Sophos]
⚖️ A Romanian/Latvian national, Mihai Paunescu (aka Virus), who was accused of running a bulletproof hosting service to help distribute the Gozi virus and other malware, has been extradited to the U.S. The hosting service “was specifically designed to allow cyber criminals to remain hidden and anonymous from law enforcement,” the Justice Department said. The Gozi malware, which was designed to steal bank account information, is estimated to have infected over one million victim computers worldwide, among them at least 40,000 computers in the U.S. Paunescu was arrested in Colombia in June 2021. [DoJ]
🐼 Intrusion Truth, a mysterious global network of contributors that aims to expose Chinese state-backed digital threat actors, emerged after a period of silence to summarize past hacking activity by APT41 (aka Winnti or Wicked Panda) and a front company called Chengdu 404. [Intrusion Truth]
❌ The government of Belgium has claimed it detected several Chinese advanced persistent threat actors, including APT27, APT30, APT31, and Gallium, attacking its public service and defense ministries. China, however, rejected the accusations, stating it does not “encourage, support or connive at cyberattacks.” [Federal Public Service]
🆙 Researchers have disclosed details of a brand new ransomware family written in Rust, making it the third strain after BlackCat and Hive to use the programming language. It is also the latest to target VMware ESXi virtual machines, joining the likes of Black Basta, RedAlert, and Cheerscrypt in recent weeks, indicating a growing attacker interest in the technology platform. [The Hacker News]
🚨 Microsoft warned of an uptick in malware native to Internet Information Services (IIS) web servers that is being used to install backdoors. While not as commonly used in attacks against servers as web shells, IIS extensions provide a durable persistence mechanism, Microsoft noted. [The Hacker News]
🗄️ The past two weeks in data breaches, leaks, and ransomware: Italy’s L’Agenzia delle Entrate, Associated Eye Care, Bandai Namco, Cleartrip, Dodo Point, Entrust, Feelyou, Israel’s Health Ministry, JusTalk, Knauf, Marriott, Neopets, PolicyBazaar, Professional Finance Company (PFC USA), Roblox, SHI, Tutu.ru, Twitter, WeWork India, WordFly, and government websites from Albania.