Microsoft on Tuesday disclosed the intrusion activity aimed at Indian power grid entities earlier this year likely involved the exploitation of security flaws in a now-discontinued web server called Boa.
The tech behemoth’s cybersecurity division said the vulnerable component poses a “supply chain risk that may affect millions of organizations and devices.”
The findings build on a prior report published by Recorded Future in April 2022, which delved into a sustained campaign orchestrated by suspected China-linked adversaries to strike critical infrastructure organizations in India.
The cybersecurity firm attributed the attacks to a previously undocumented threat cluster called Threat Activity Group 38. While the Indian government described the attacks as unsuccessful “probing attempts,” China denied it was behind the campaign.
The connections to China stem from the use of a modular backdoor dubbed ShadowPad, which is known to be shared among several espionage groups that conduct intelligence-gathering missions on behalf of the nation.
Although the exact initial infection vector used to breach the networks remains unknown, the ShadowPad implant was controlled by using a network of compromised internet-facing DVR/IP camera devices.
Microsoft said its own investigation into the attack activity uncovered Boa as a common link, assessing that the intrusions were directed against exposed IoT devices running the web server.
“Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs),” the company said.
“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files.”
The latest findings once again underscore the supply chain risk arising out of flaws in widely-used network components, which could expose critical infrastructure to breaches via publicly-accessible devices running the vulnerable web server.
Microsoft further said it detected more than one million internet-exposed Boa server components worldwide in a single week, with significant concentrations in India.
The pervasive nature of Boa servers is attributed to the fact that they are integrated into widely-used SDKs, such as those from RealTek, which are then bundled with devices like routers, access points, and repeaters.
The complex nature of the software supply chain means that fixes from an upstream vendor may not trickle down to customers and that unresolved flaws could continue to persist despite firmware updates from downstream manufacturers.
Some of the high-severity bugs affecting Boa include CVE-2017-9833 and CVE-2021-33558, which, if successfully exploited, could enable malicious hacking groups to read arbitrary files, obtain sensitive information, and achieve remote code execution.
Weaponizing these unpatched shortcomings could further enable threat actors to glean more information about the targeted IT environments, effectively making way for disruptive attacks.
“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network,” Microsoft said.
“As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations.”
A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX.
Czech cybersecurity company Avast dubbed the rogue browser add-on VenomSoftX owing to its standalone features, which enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack.
“This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others,” Avast researcher Jan Rubín said in a technical write-up.
“ViperSoftX focuses on stealing cryptocurrencies, clipboard swapping, fingerprinting the infected machine, as well as downloading and executing arbitrary additional payloads, or executing commands.”
ViperSoftX is typically distributed through cracked software for Adobe Illustrator and Microsoft Office that is hosted on file-sharing sites.
The downloaded executable file comes with a clean version of cracked software along with additional files that set up persistence on the host and harbor the ViperSoftX PowerShell script.
Newer variants of the malware are also capable of loading the VenomSoftX add-on, which is retrieved from a remote server, to Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi.
This is achieved by searching for LNK files for the browser applications and modifying the shortcuts with a “--load-extension” command line switch that points to the path where the unpacked extension is stored.
“The extension tries to disguise itself as well known and common browser extensions such as Google Sheets,” Rubín explained. “In reality, the VenomSoftX is yet another information stealer deployed onto the unsuspecting victim with full access permissions to every website the user visits from the infected browser.”
It’s worth noting that the --load-extension tactic has also been put to use by another browser-based information stealer referred to as ChromeLoader (aka Choziosi Loader or ChromeBack).
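Because both families reach the browser by editing shortcuts rather than by touching the browser itself, the tampering is visible in the shortcut's stored command line. The following is an added example, not code from Avast's write-up: given shortcut records (path, target, arguments) such as an endpoint inventory job would collect after resolving each .lnk, it flags browser shortcuts whose arguments carry --load-extension and reports the directory being side-loaded. The shortcut records and paths below are constructed for the example, and the browser executable list is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Shortcut:
    path: str        # where the .lnk file lives
    target: str      # program the shortcut launches
    arguments: str   # command-line switches stored in the shortcut


# Chromium-based browser executables covered by the check (assumed list).
BROWSERS = ("chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "vivaldi.exe")

# Matches --load-extension=VALUE or --load-extension VALUE; VALUE may be quoted.
LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed sample records, as an inventory job might produce after resolving .lnk files.
SAMPLE_SHORTCUTS = [
    Shortcut(r"C:\Users\alice\Desktop\Google Chrome.lnk",
             r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext_data"'),
    Shortcut(r"C:\Users\alice\Desktop\Microsoft Edge.lnk",
             r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
             ""),
    Shortcut(r"C:\Users\alice\Desktop\Brave.lnk",
             r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
             r"--profile-directory=Default --load-extension C:\ProgramData\ext"),
    Shortcut(r"C:\Users\alice\Desktop\Notepad.lnk",
             r"C:\Windows\notepad.exe",
             r"--load-extension=x"),   # not a browser: must be ignored
]


def is_browser(target: str) -> bool:
    """True when the shortcut launches one of the covered browser executables."""
    return target.lower().endswith(BROWSERS)


def sideloaded_extension_paths(args: str) -> List[str]:
    """Extract every directory handed to --load-extension (the switch accepts a comma-separated list)."""
    paths = []
    for m in LOAD_EXT_RE.finditer(args):
        raw = m.group(1) or m.group(2)
        paths.extend(p for p in raw.split(",") if p)
    return paths


def find_hijacked_shortcuts(shortcuts: List[Shortcut]) -> List[Tuple[str, str]]:
    """Return (shortcut path, side-loaded extension directory) for every browser shortcut that side-loads."""
    findings = []
    for s in shortcuts:
        if not is_browser(s.target):
            continue
        for p in sideloaded_extension_paths(s.arguments):
            findings.append((s.path, p))
    return findings


if __name__ == "__main__":
    for lnk, ext_dir in find_hijacked_shortcuts(SAMPLE_SHORTCUTS):
        print(f"{lnk} side-loads extension from {ext_dir}")
```

Any hit deserves a look at the referenced directory; a legitimate developer may use the switch on a workstation, but an extension directory under a temp or ProgramData path on an ordinary user's desktop shortcut is the pattern described above.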
VenomSoftX, like ViperSoftX, is also orchestrated to steal cryptocurrencies from its victims. But unlike the latter, which functions as a clipper to reroute fund transfers to an attacker-controlled wallet, VenomSoftX tampers with API requests to crypto exchanges to drain the digital assets.
Services targeted by the extension include Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin.
The development marks a new level of escalation to traditional clipboard swapping, while also not raising any immediate suspicion as the wallet address is replaced at a much more fundamental level.
Avast said it has detected and blocked over 93,000 infections since the start of 2022, with a majority of the impacted users located in India, the U.S., Italy, Brazil, the U.K., Canada, France, Pakistan, and South Africa.
An analysis of the hard-coded wallet addresses in the samples reveals that the operation has netted its authors a total of about $130,421 as of November 8, 2022, in various cryptocurrencies. The collective monetary gain has since dropped to $104,500.
“Since the transactions on blockchains/ledgers are inherently irreversible, when the user checks the transaction history of payments afterward, it is already too late,” Rubín said.
Meta Platforms is said to have fired or disciplined over two dozen employees and contractors over the past year for allegedly compromising and taking over user accounts, The Wall Street Journal reported Thursday.
Some of these cases involved bribery, the publication said, citing sources and documents.
Included among those fired were contractors who worked as security guards at the social media firm’s facilities and were given access to an internal tool that allowed employees to help “users they know” regain access to accounts after forgetting their passwords or being locked out.
The system, called “Oops” and short for Online Operations, is off limits to a vast majority of the platform’s users, leading to the rise of a “cottage industry of intermediaries” who charge users thousands of dollars and reach out to insiders who were willing to reset the accounts.
“You really have to have someone on the inside who will actually do it,” an owner of a content creator platform was quoted as saying.
According to the Journal, the alternative to Meta’s automated account recovery process, which is limited to employees and their friends and family, business partners, and public figures, is estimated to have processed around 50,270 reports in 2020, up from 22,000 in 2017.
Given the limited access to the tool, it’s not surprising that a black market of sorts has sprung up to service users who have lost access to their accounts.
In one instance, a former security contractor purportedly assisted unnamed third parties in fraudulently taking over Instagram accounts. The individual claimed he was tricked into filing Oops reports to reset the accounts in question.
Another case involved a contractor who was fired after an internal investigation found that she reset multiple user accounts on behalf of hackers in return for receiving Bitcoin payments for her services.
Meta told the Journal that buying or selling accounts or paying for an account recovery service is a violation of the social network’s terms of service.
An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with hundreds of victims ensnared to date.
“The threat actor is still active and is releasing more malicious packages,” Checkmarx researcher Jossef Harush said in a technical write-up, calling the adversary WASP. “The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales.”
The findings from Checkmarx build on recent reports from Phylum and Check Point, which flagged 30 different modules published on the Python Package Index (PyPI) that were designed to propagate malicious code under the guise of benign-looking packages.
The attack is just the latest threat to target the software supply chain. What makes it notable is the use of steganography to extract a polymorphic malware payload hidden within an image file hosted on Imgur.
The installation of the package ultimately makes way for W4SP Stealer (aka WASP Stealer), an information stealer engineered to exfiltrate Discord accounts, passwords, crypto wallets, and other files of interest to a Discord Webhook.
Checkmarx’s analysis further tracked down the attacker’s Discord server, which is managed by a lone user named “Alpha.#0001,” and the various fake profiles created on GitHub to lure unwitting developers into downloading the malware.
Furthermore, the Alpha.#0001 operator has been observed advertising the “fully undetectable” stealer for $20 on the Discord channel, not to mention releasing a steady stream of new packages under different names as soon as they are taken down from PyPI.
As recently as November 15, the threat actor was seen adopting a new username on PyPI (“halt”) to upload typosquatting libraries that leveraged StarJacking – a technique wherein a package is published with a URL pointing to an already popular source code repository.
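StarJacking works because package indexes display the linked repository's stars without checking that the repository has anything to do with the package. The following is an added example, not code from Checkmarx or from PyPI: it takes the `info` section of a package's index metadata (the shape PyPI's JSON API returns), extracts the GitHub repository it claims, and, when the repository's own pyproject.toml is available, checks whether that repository actually declares this package name. The package metadata and pyproject text below are constructed for the example; in practice the pyproject text would be fetched from the claimed repository, and the name comparison is a triage heuristic, not proof of malice.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlparse


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of '-', '_' and '.' to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def github_repo(url: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (owner, repo) for a GitHub URL, or None for anything else."""
    if not url:
        return None
    u = urlparse(url)
    if u.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in u.path.split("/") if p]
    if len(parts) < 2:
        return None
    repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return parts[0], repo


def declared_name(pyproject_text: str) -> Optional[str]:
    """Pull `name = "..."` out of the [project] table of a pyproject.toml (minimal parse, no TOML library)."""
    table = re.search(r'^\[project\]\s*$(.*?)(?=^\[|\Z)', pyproject_text, re.M | re.S)
    if not table:
        return None
    n = re.search(r'^\s*name\s*=\s*"([^"]+)"', table.group(1), re.M)
    return n.group(1) if n else None


def starjacking_verdict(info: dict, repo_pyproject: Optional[str]) -> str:
    """Classify a package's repository claim.

    info            -- the 'info' object of index metadata (name, home_page, project_urls)
    repo_pyproject  -- pyproject.toml text fetched from the claimed repo, or None if unavailable
    """
    urls = [info.get("home_page")] + list((info.get("project_urls") or {}).values())
    repos = [r for r in (github_repo(u) for u in urls) if r]
    if not repos:
        return "no_repo_claimed"
    pkg = normalize(info["name"])
    if repo_pyproject is not None:
        declared = declared_name(repo_pyproject)
        if declared and normalize(declared) == pkg:
            return "verified"            # the repo really publishes this package
        return "mismatch"                # repo exists but does not declare this name: StarJacking signal
    # Without the repo's own metadata, fall back to comparing repository and package names.
    if any(normalize(repo) == pkg for _, repo in repos):
        return "name_match_unverified"
    return "name_mismatch_unverified"


# Constructed metadata for the example: a genuine-looking package and a typosquat
# that points its URLs at the same popular repository.
LEGIT = {"name": "requests", "home_page": "https://github.com/psf/requests",
         "project_urls": {"Source": "https://github.com/psf/requests"}}
TYPOSQUAT = {"name": "reqeusts", "home_page": "https://github.com/psf/requests",
             "project_urls": {"Source": "https://github.com/psf/requests"}}
# Constructed stand-in for the pyproject.toml the claimed repository would serve.
REPO_PYPROJECT = '[build-system]\nrequires = ["setuptools"]\n\n[project]\nname = "requests"\n'

if __name__ == "__main__":
    for meta in (LEGIT, TYPOSQUAT):
        print(meta["name"], "->", starjacking_verdict(meta, REPO_PYPROJECT))
```

A "mismatch" verdict is the case worth escalating: the package borrows a repository's reputation that the repository never granted. The unverified fallbacks exist because many legitimate projects publish under a name that differs from their repository, so a name mismatch alone should prompt a lookup rather than a block.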
“The level of manipulation used by software supply chain attackers is increasing as attackers get increasingly more clever,” Harush noted. “This is the first time [I’ve] seen polymorphic malware used in software supply chain attacks.”
“The simple and lethal technique of fooling users by creating fake GitHub accounts and sharing poisoned snippets has proven to trick hundreds of users into this campaign.”
The development also comes as U.S. cybersecurity and intelligence agencies published new guidance outlining the recommended practices customers can take to secure the software supply chain.
“Customer teams specify to and rely on vendors for providing key artifacts (e.g. SBOM) and mechanisms to verify the software product, its security properties, and attest to the SDLC security processes and procedures,” the guidance reads.
The threat actors behind the Hive ransomware-as-a-service (RaaS) scheme have launched attacks against over 1,300 companies across the world, netting the gang $100 million in illicit payments as of November 2022.
“Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH),” U.S. cybersecurity and intelligence authorities said in an alert.
Active since June 2021, Hive’s RaaS operation involves a mix of developers, who create and manage the malware, and affiliates, who are responsible for conducting the attacks on target networks, often by purchasing initial access from initial access brokers (IABs).
In most cases, gaining a foothold involves the exploitation of ProxyShell flaws in Microsoft Exchange Server, followed by taking steps to terminate processes associated with antivirus engines and data backups as well as delete Windows event logs.
The threat actor, which recently upgraded its malware to Rust as a detection evasion measure, is also known to remove virus definitions prior to encryption.
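The pre-encryption steps listed above (stopping antivirus and backup processes, clearing Windows event logs) are noisy in process-creation telemetry, and catching them buys time before the encryptor runs. The following is an added example, not code from CISA's alert or from any vendor: it runs a few rules over process-creation records and raises a host-level alert when more than one category of staging activity fires on the same machine. The log records are constructed for the example, and the antivirus process names and backup-service keywords are assumed illustrative lists that a real deployment would replace with its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    command_line: str


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    command_line: str


# Constructed process-creation records (not real telemetry). The first host shows the
# staging sequence described above; the second shows benign look-alike commands.
SAMPLE_EVENTS = [
    ProcessEvent("2022-11-01T03:12:04Z", "srv-exch01", "CORP\\svc_backup", "wevtutil.exe cl Security"),
    ProcessEvent("2022-11-01T03:12:05Z", "srv-exch01", "CORP\\svc_backup",
                 'powershell.exe -nop -c "Clear-EventLog -LogName System"'),
    ProcessEvent("2022-11-01T03:12:09Z", "srv-exch01", "CORP\\svc_backup", 'net.exe stop "Veeam Backup Service" /y'),
    ProcessEvent("2022-11-01T03:12:11Z", "srv-exch01", "CORP\\svc_backup", "taskkill.exe /F /IM MsMpEng.exe"),
    ProcessEvent("2022-11-01T09:00:00Z", "ws-042", "CORP\\alice", "wevtutil.exe qe Application /c:5"),
    ProcessEvent("2022-11-01T09:05:00Z", "ws-042", "CORP\\alice", "net.exe use Z: \\\\fileserver\\share"),
]

# Assumed illustrative lists; replace with the products actually deployed.
AV_PROCESSES = {"msmpeng.exe", "avp.exe", "ekrn.exe"}
BACKUP_KEYWORDS = ("backup", "veeam", "acronis")

WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
PS_CLEAR = re.compile(r"\bClear-EventLog\b", re.I)
NET_STOP = re.compile(r"\bnet(?:1|\.exe)?\s+stop\s+(.+)", re.I)
TASKKILL_IM = re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.I)


def classify(cmd: str) -> Optional[str]:
    """Return the staging category a command line falls into, or None."""
    if WEVTUTIL_CLEAR.search(cmd) or PS_CLEAR.search(cmd):
        return "event_log_cleared"
    m = NET_STOP.search(cmd)
    if m and any(k in m.group(1).lower() for k in BACKUP_KEYWORDS):
        return "backup_service_stopped"
    m = TASKKILL_IM.search(cmd)
    if m and m.group(1).strip('"').lower() in AV_PROCESSES:
        return "av_process_killed"
    return None


def detect_precursors(events: List[ProcessEvent]) -> List[Alert]:
    """One alert per event whose command line matches a staging rule."""
    return [Alert(e.ts, e.host, rule, e.command_line)
            for e in events if (rule := classify(e.command_line))]


def hosts_with_multiple_categories(events: List[ProcessEvent], min_categories: int = 2) -> Set[str]:
    """Hosts on which at least min_categories distinct rules fired: the combination is the stronger signal."""
    seen = defaultdict(set)
    for a in detect_precursors(events):
        seen[a.host].add(a.rule)
    return {h for h, rules in seen.items() if len(rules) >= min_categories}


if __name__ == "__main__":
    for a in detect_precursors(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host} {a.rule}: {a.command_line}")
    print("staging hosts:", hosts_with_multiple_categories(SAMPLE_EVENTS))
```

Each rule on its own has benign hits (administrators do clear logs and stop backup agents during maintenance), which is why the host-level aggregation over distinct categories carries the weight; on an Exchange server, given the ProxyShell foothold described above, that combination warrants isolating the host rather than filing a ticket.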
“Hive actors have been known to reinfect — with either Hive ransomware or another ransomware variant — the networks of victim organizations who have restored their network without making a ransom payment,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.
According to data shared by cybersecurity company Malwarebytes, Hive compromised about seven victims in August 2022, 14 in September, and two other entities in October, marking a drop in activity from July, when the group targeted 26 victims.