Novel malware abuses blockchain tech for DDoS attacks
NKAbuse leverages a blockchain technology called NKN for DDoS attacks
↘️ A sophisticated and versatile malware called NKAbuse is harnessing a blockchain-oriented peer-to-peer networking protocol called NKN (short for New Kind of Network) to infect Linux devices in Colombia, Mexico, and Vietnam. What makes the malware unique is the use of the NKN to receive and send data from and to its peers, and its Go implementation to craft binaries for different CPU architectures, making it a potent threat. It simultaneously functions as both a backdoor and a flooder capable of launching DDoS attacks. “[The] use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time,” Kaspersky said. [The Hacker News]
↘️ With the release of iOS 17.2, Apple has silently fixed an exploit that let Flipper Zero devices mass-bombard nearby iPhones with Apple TV keyboard popup notifications, essentially rendering the devices useless unless restarted. [ZDNET]
↘️ Video conferencing giant Zoom unveiled an open-source vulnerability impact scoring system (VISS) to “objectively capture the principal impact characteristics of software, hardware, and firmware vulnerabilities as they relate to the associated infrastructure, technology stack, and security of customer data.” It remains to be seen how widely VISS gets adopted by organizations. [Zoom]
↘️ Ukraine's biggest telecom operator Kyivstar became the victim of a “powerful hacker attack,” disrupting customer access to mobile and internet services. A Russia-linked hacking group called Solntsepyok claimed responsibility for the attack. Kyivstar, which has resumed most of the services, said the threat actors broke into its systems through the compromised account of one of the company’s employees. British intelligence agencies called it “one of the highest-impact disruptive cyberattacks on Ukrainian networks.” The cyber attacks take place against the backdrop of the ongoing conflict between Ukraine and Russia, with cyber operations becoming an increasingly common and potent tool for actors seeking to gain an advantage in the conflict. Viewed in that light, the agency’s choice to target a Russian government organization adds a new dimension to the cyber warfare dynamics between the two nations. [The Hacker News]
↘️ The noxious malware known as QakBot has resurfaced as part of a low-volume phishing campaign targeting the hospitality industry, illustrating the persistent challenges in completely eradicating such threats. While the malware's distribution infrastructure was dismantled in a law enforcement takedown in late August 2023, the latest development shows that was only a temporary setback. The significance of QakBot's resurgence in less than four months lies in its adaptation to evade prior disruption efforts, an indication of the threat actor's continued efforts to refine and retool its strategies. [The Hacker News]
↘️ The U.S. Securities and Exchange Commission (SEC) clarified that “public companies must provide the required cybersecurity incident disclosure within four business days after the company determines the incident to be material,” and “The deadline is not four business days after the incident occurred or is discovered.” To assuage concerns of potential national security risks stemming from such disclosures, the SEC said affected companies do not need to “disclose any specific or technical information about their incident response, systems or potential vulnerabilities if that could impede their incident response and remediation process.” The new rules came into effect on December 18, 2023. [SEC / CyberScoop / TechCrunch]
↘️ Be on the lookout for malicious QR codes. That's the warning from the U.S. Federal Trade Commission (FTC), which revealed that scammers trying to steal personal information have been using QR codes to direct people to harmful websites that can harvest their data. The people behind those schemes get users to scan bogus QR codes in deceptive ways, using tactics that include placing their own QR codes on top of legitimate codes on parking meters or sending the patterns to be scanned by text or email in ways that make them appear legitimate. [FTC]
↘️ A dual Russian and Canadian national, who is awaiting his extradition to the U.S. for his alleged participation in LockBit ransomware attacks across the world, was charged in Canada with three counts of extortion, three counts of unauthorized use of a computer and failure to comply with a release order. Mikhail Vasiliev was arrested in October 2022. [The Record]
↘️ Law enforcement agencies across the world have seized the dark web infrastructure associated with BlackCat ransomware, effectively derailing its operations. BlackCat is suspected to be a rebrand of BlackMatter, which, in turn, sprang forth following the demise of DarkSide. In hacking the hackers, the desired effect is to keep the criminals on edge as well as undermine their profitability by slowing them down and driving up the cost of conducting malicious activities, if not totally uprooting them. But hours after the seizure of the original main leak site, the group said it had “unseized” the site and responded with its own notice, resulting in what has been described as a “tug of TOR” between the FBI and the adversary, owing to the fact that both parties hold the private key to the Tor .onion site and are therefore able to publish different sites at the same address. “If two entities hold the same private key, then they can essentially each update the resource - and jostle for control of the blog,” WithSecure noted. While some of its affiliates, including Scattered Spider, are still active, they are expected to seek out relationships with other RaaS programs. The targeting of a ransomware group has typically resulted in operations ceasing and its members moving to other existing groups or forming new ones. That said, the development is likely to spell the end of BlackCat as a criminal outfit, at least in its present form. As noteworthy as this disruption is, no arrests were made nor were any sanctions issued, meaning the long-term effects of the disruption activity might be limited. [The Hacker News / Dark Reading / Krebs on Security / WIRED]
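Why both sides could publish at the same .onion address: a version-3 onion address is nothing more than the service's ed25519 public key, a two-byte checksum and a version byte, base32-encoded. The address therefore belongs to whoever holds the matching private key that signs the service descriptor; there is no registrar to appeal to. The following is an added illustration (not code from the original item, WithSecure or the Tor Project) of that derivation and the reverse validation, following the Tor rend-spec-v3 address format; the 32-byte key used is a constructed placeholder, not a real service key.

```python
import base64
import hashlib

# Constants from Tor's rend-spec-v3 for version-3 onion addresses.
VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def _checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion address from a 32-byte ed25519 public key.

    address = base32(pubkey || checksum || version) + ".onion"
    35 bytes encode to exactly 56 base32 characters (no padding), and the
    trailing 5 bits are the version byte 0x03, so every v3 label ends in 'd'.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(addr: str) -> bytes:
    """Validate a v3 onion address and return the embedded public key.

    Raises ValueError on a wrong label length, version byte or checksum.
    A valid result means only that the address is well-formed; whoever
    holds the private key for this public key can publish a descriptor.
    """
    label = addr.strip().lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion labels are exactly 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("not a version-3 onion address")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch")
    return pubkey


def corrupted_address(pubkey: bytes) -> str:
    """Build an address whose checksum is deliberately wrong (for testing
    that parse_onion_address rejects it)."""
    good = _checksum(pubkey)
    bad = bytes([good[0] ^ 0x01, good[1]])
    return base64.b32encode(pubkey + bad + VERSION).decode("ascii").lower() + ".onion"


if __name__ == "__main__":
    # Constructed placeholder key; a real service key would come from the
    # service's hs_ed25519_public_key file or be generated by an ed25519 library.
    demo_key = bytes(range(32))
    addr = onion_address(demo_key)
    print(addr)
    assert parse_onion_address(addr) == demo_key
```

The takeaway for defenders reading the "unseized" episode: seizing a server does not take an onion address away from an operator who still has a copy of the key file, because the address is a pure function of that key. Only the key's exclusive possession, or the operator abandoning it, settles who controls the name.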
↘️ A suspected Israel-linked group called Predatory Sparrow (or Gonjeshke Darande) has claimed responsibility for carrying out a cyber attack that disrupted the operation of gas stations throughout Iran. While the group has not declared its affiliation with Israel, it's believed to be a persona created by the Israeli Military Intelligence Directorate to target Iranian entities. In 2022, the threat actor hacked a major steel company in the southwest of the country. The attack comes against the backdrop of growing tensions in the Middle East as the conflict between Israel and Hamas rages on. Other groups that have singled out Iran with hack-and-leak operations include Black Reward, Tapandegan, Lab Dookhtegan, and GhyamSarnegouni. [The Hacker News / CyberScoop]
↘️ ShellBot, Tsunami, ChinaZ DDoS Bot, and XMRig CoinMiner have emerged as some of the top malware families targeting poorly managed Linux SSH servers. The ultimate goal is to deploy coin miners and use the compromised devices to launch DDoS attacks against targets. [ASEC]
↘️ New research has shown that the impact of the Log4Shell flaws may have been “overblown and exaggerated,” indicating that a vulnerability described as the most critical ever discovered was far less dangerous than first believed. “The current footprint of internet-facing software that is potentially vulnerable to code execution via Log4Shell is approximately 125,000 hosts,” VulnCheck said. “Of the 125,000 hosts, approximately 95% are using known patched versions. Although many predicted a long tail of exploitation, two years after disclosure there are very few remaining Log4Shell initial access targets.” [VulnCheck]
↘️ Ransomware gangs are increasingly professionalizing their operations to attract media attention and hog limelight. They are increasingly media savvy, putting out FAQs, press releases, and even granting interviews and sharing information a few hours or even days before with journalists before it’s formally announced, while criticizing coverage that they perceive as incorrect. Besides adopting brazen tactics in order to publicly shame organizations and put pressure on victims into paying up, they have charted even more alarming territory by resorting to threats of physical violence, as observed in the case of affiliates like Scattered Spider. They are seeking “notoriety, egotism, credibility” and aim to “mythologize” themselves by engaging with the press, while also controlling the narrative, increasing pressure on victims and using media coverage as a platform to reach fresh recruits. “Ransomware gangs are aware that their activities are considered newsworthy, and will leverage media attention both to bolster their own ‘credibility’ and to exert further pressure on victims,” researchers said. [The Hacker News]
↘️ A DNS cache poisoning vulnerability could be exploited to take over a country's entire DNS name resolution. The approach, called TRAP; RESET; POISON, makes it possible to achieve source port de-randomization, reset the port block allocation, and poison the cache to point DNS requests to a domain of the threat actor's choosing. [SEC Consult]
↘️ Android spyware infections witnessed an 89% surge in the second half of 2023, in part due to a mobile marketing software development kit (SDK) called SpinOk that was incorporated into several legitimate apps and came with capabilities to connect to a command-and-control server and extract a range of data from the device, including potentially sensitive clipboard contents. [ESET]
↘️ A potentially serious vulnerability affecting Google Web Toolkit (GWT), a popular open-source web application framework, remains unpatched eight years after it was discovered. The flaw can expose application owners to unauthenticated server-side code execution. The vulnerability is at such a fundamental level “that securing vulnerable Web applications written using this framework would likely require architectural changes to those applications or the framework itself,” security researcher Ben Lincoln said. [Bishop Fox]
↘️ The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to bypass even pivotal hardware-based security protections erected by the company. The zero-click attack is an intricate, multi-stage chain directed at the iMessage app, targeting iOS versions up to 16.2, that enables the threat actors to escalate privileges and deploy malware. [The Hacker News]
↘️ Four security vulnerabilities have been identified in the Perforce source code management platform, the most critical of which (CVE-2023-45849, CVSS score: 9.8) gives attackers access to a highly privileged Windows OS account to potentially take over the system via remote code execution (RCE) and even perform supply chain attacks. Users of the product are recommended to upgrade to version 2023.1/2513900, released on November 7, 2023, to mitigate the risk. [Microsoft]
↘️ MITRE, in collaboration with Niyo “Little Thunder” Pearson, Red Balloon Security, and Narf Industries, released a draft of a new threat-modeling framework called EMB3D for makers of embedded devices used in critical infrastructure environments. Currently in a pre-release review period, EMB3D is expected to be publicly available in early 2024. [MITRE / Dark Reading]
↘️ Multiple security flaws have been uncovered in two Open Platform Communications Unified Architecture (OPC UA) clients, Inductive Automation Ignition and Softing edgeAggregator, that could be chained to remotely execute code and gain full control over them. OPC UA is a machine-to-machine communication protocol used for industrial automation. [Claroty]
↘️ Israel revealed that at least 15 different hacking groups have targeted the country's cyberspace since the start of its ongoing war with Hamas, as the attack tempo ratchets upwards. These groups are affiliated with Iran, Hamas and Hezbollah. [Israel National Cyber Directorate]