Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, malware)
Aqua Nautilus researchers shed light on a Linux malware, dubbed perfctl malware, that over the past 3-4 years targeted misconfigured Linux servers.
The malicious code was used to drop cryptocurrency miners and proxyjacking software.
Perfctl is an elusive and persistent malware targeting Linux servers. It employs rootkits to conceal its presence and halts any “noisy” activities when a new user logs in, lying dormant until the server is idle again. For communication, it uses a Unix socket internally and TOR externally. Upon execution, perfctl deletes its binary and operates in the background as a service.
Despite the malware’s primary goal being to run cryptominers, experts warn that it also executes proxyjacking software. In one sandbox test, a threat actor accessed the malware’s backdoor for reconnaissance purposes. The attackers analyzed the server and deployed utilities to investigate its environment and better understand how their malware was being studied.
Once attackers have exploited a vulnerability or misconfiguration, the perfctl malware downloads the main payload from an attacker-controlled HTTP server. The payload employs multiple layers to ensure persistence and evade detection. It moves itself to the /tmp directory, renames itself after the process that executed it (e.g., sh), and deletes the original binary to cover its tracks. The malware acts as both a dropper and a local command-and-control (C2) process, attempting to exploit the Polkit vulnerability (aka ) for root access.
The malicious code copies itself to various disk locations using deceptive names and establishes a backdoor on the server for TOR communications.
The malware drops a rootkit alongside modified Linux utilities (e.g., ldd, lsof) that function as user-land rootkits.
The Linux malware is packed and encrypted to evade detection. It uses advanced evasion techniques, such as halting activity when it detects new users, and it can also terminate competing malware to maintain exclusive access to the infected system.
“As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.” reads the report published by Aqua Nautilus. “All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.”
To maintain persistence, the attacker modifies the ~/.profile script to execute the malware upon user login, checking whether /root/.config/cron/perfcc is executable. If so, the malware runs before the legitimate server workload. The script also executes the ~/.bashrc file in Bash environments to maintain normal server operations while the malware works in the background, and it suppresses errors to avoid warnings.
A small binary called wizlmsh (12kb) is dropped into /usr/bin, running in the background to ensure the persistence of the perfctl malware and verifying the execution of the main payload (httpd).
“The main impact of the attack is resource hijacking. In all cases we observed a monero cryptominer (XMRIG) executed and exhausting the server’s CPU resources. The cryptominer is also packed and encrypted. Once unpacked and decrypted it communicates with cryptomining pools.” concludes the report. “To detect perfctl malware, you look for unusual spikes in CPU usage, or system slowdown if the rootkit has been deployed on your server,” the researchers said. “These may indicate crypto mining activities, especially during idle times.”
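As an added example (not code from the Aqua Nautilus report or from Security Affairs), the following Python script hunts for the persistence artefacts the write-up names: a ~/.profile or ~/.bashrc hook that references /root/.config/cron/perfcc, the wizlmsh watchdog in /usr/bin, and executables under /tmp whose name mimics a legitimate process such as sh or httpd. The indicator values are the paths and names quoted above; the scanning logic is mine. The demo() function builds a throwaway directory tree containing constructed look-alike artefacts (placeholder files, not malware) and runs the hunt against it; the sample ~/.profile content is likewise constructed to resemble the hook the report describes. Pointing hunt() at a real host's home directory, /tmp and / is an assumption about how it would be deployed.

```python
"""Hunt for the perfctl persistence artefacts named in the Aqua Nautilus write-up.

Added example: the indicator values below are the paths and names quoted in the
report; the scanning logic is mine, not the researchers' or the malware's code.
"""
import os
import stat
import tempfile
from pathlib import Path

# Paths/names from the report: the profile hook target, the watchdog binary
# dropped into /usr/bin, and the process names the payload hides behind.
PROFILE_MARKERS = ("/root/.config/cron/perfcc", "perfcc", "perfctl")
DROPPED_BINARIES = ("usr/bin/wizlmsh",)          # relative to the filesystem root
MASQUERADE_NAMES = {"sh", "httpd", "perfctl", "perfcc"}


def scan_profile_text(text):
    """Return (line number, line) pairs of a shell profile that reference perfctl."""
    return [
        (n, line.strip())
        for n, line in enumerate(text.splitlines(), 1)
        if any(marker in line for marker in PROFILE_MARKERS)
    ]


def is_executable(path):
    return path.is_file() and bool(path.stat().st_mode & stat.S_IXUSR)


def find_dropped_binaries(root):
    """Report the wizlmsh watchdog if present under the given filesystem root."""
    root = Path(root)
    return [str(root / rel) for rel in DROPPED_BINARIES if (root / rel).exists()]


def find_tmp_masquerades(tmp_dir):
    """Executables under tmp_dir whose basename mimics a legitimate process."""
    hits = []
    for dirpath, _dirs, files in os.walk(tmp_dir):
        for name in files:
            path = Path(dirpath) / name
            if name in MASQUERADE_NAMES and is_executable(path):
                hits.append(str(path))
    return sorted(hits)


def hunt(home, tmp_dir, root):
    """Run every check and return a findings dict (empty lists mean nothing found)."""
    findings = {"profile_hooks": [], "dropped_binaries": [], "tmp_masquerades": []}
    for rc in (".profile", ".bashrc"):
        rc_path = Path(home) / rc
        if rc_path.is_file():
            text = rc_path.read_text(errors="replace")
            for n, line in scan_profile_text(text):
                findings["profile_hooks"].append(f"{rc_path}:{n}: {line}")
    findings["dropped_binaries"] = find_dropped_binaries(root)
    findings["tmp_masquerades"] = find_tmp_masquerades(tmp_dir)
    return findings


# Constructed sample ~/.profile: a stock login profile followed by a hook of the
# shape the report describes (guard on /root/.config/cron/perfcc, errors hidden).
SAMPLE_PROFILE = """# ~/.profile: executed by the command interpreter for login shells.
if [ -n "$BASH_VERSION" ]; then
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi
if [ -x /root/.config/cron/perfcc ]; then
    /root/.config/cron/perfcc 2>/dev/null
fi
"""


def demo():
    """Build a throwaway tree with placeholder artefacts and hunt it."""
    with tempfile.TemporaryDirectory() as base:
        base = Path(base)
        home, tmp, root = base / "home", base / "tmp", base / "root"
        home.mkdir()
        (tmp / "dir1").mkdir(parents=True)
        (root / "usr" / "bin").mkdir(parents=True)
        (home / ".profile").write_text(SAMPLE_PROFILE)
        for fake in (tmp / "dir1" / "sh", root / "usr" / "bin" / "wizlmsh"):
            fake.write_bytes(b"placeholder, not a real binary")
            fake.chmod(0o755)
        (tmp / "notes.txt").write_text("benign control file")   # must not be flagged
        return hunt(home, tmp, root)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items or 'none'}")
```

The name-based /tmp check is deliberately narrow; on a real host it should be read together with the CPU-usage symptom the researchers describe, since the rootkit can hide the process itself but not the load it generates.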
(SecurityAffairs – hacking, Linux)
Sansec researchers reported that multiple threat actors have exploited a critical Adobe Commerce vulnerability, tracked as CVE-2024-34102 (aka CosmicSting, CVSS score of 9.8), to compromise more than 4,000 e-stores over the past three months.
The flaw is an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this issue by sending a crafted XML document that references external entities. The experts pointed out that the exploitation of this issue does not require user interaction. The flaw impacts Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. Adobe warned that it is aware that CVE-2024-34102 has been exploited in the wild in limited attacks targeting Adobe Commerce merchants.
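The bug class described above, an XML parser that honours entity declarations in client-supplied input, is easiest to understand next to its mitigation. The following Python example is added here and is not Adobe's code or its patch: it parses untrusted XML with the standard library's expat binding and refuses any DOCTYPE outright (the only place an entity can be declared), so a document of the CosmicSting shape is rejected before any file or URL reference is resolved. Both sample documents are constructed; the entity in HOSTILE points at a placeholder path and is never dereferenced. Rejecting DTDs wholesale is a stricter policy than a vendor patch needs to be, and is an assumption about what a client-facing endpoint can accept.

```python
"""Refuse DTDs in untrusted XML so external entities can never be declared or fetched.

Added example (not Adobe Commerce code): a minimal expat-based parser with the
DOCTYPE handler turned into a hard stop, plus a hostile/benign sample pair.
"""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document carries a DTD (and so possibly entities)."""


def parse_untrusted(data):
    """Parse client-supplied XML into (root tag, {tag: text}) without honouring any DTD.

    The DOCTYPE handler fires the moment expat sees '<!DOCTYPE', before any entity
    declaration inside it is processed, so a SYSTEM entity pointing at a file or
    URL is never even registered, let alone resolved.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    parser = expat.ParserCreate()
    texts, stack, root = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} refused: DTDs are not accepted from clients")

    def on_start(tag, attrs):
        if not root:
            root.append(tag)
        stack.append(tag)
        texts.setdefault(tag, "")

    def on_text(chunk):
        if stack:
            texts[stack[-1]] += chunk

    def on_end(tag):
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    # Belt and braces: even if a DTD somehow got through, never fetch external entities.
    parser.ExternalEntityRefHandler = lambda *_: False
    parser.Parse(data, True)
    return root[0], {tag: text.strip() for tag, text in texts.items()}


# Constructed samples. BENIGN is an ordinary order document; HOSTILE has the shape
# of an external-entity probe, with a placeholder path that is never read.
BENIGN = b"<order><id>42</id><sku>ABC-1</sku></order>"
HOSTILE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">]>'
    b"<order><id>&ext;</id></order>"
)


def classify(data):
    """Return ('accepted', parsed) or ('refused', reason) for one document."""
    try:
        return "accepted", parse_untrusted(data)
    except UnsafeXML as exc:
        return "refused", str(exc)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, classify(doc))
```

Because the refusal happens inside the parser callback, the check cannot be bypassed by encoding tricks that a regex on the raw bytes would miss; the parser itself has already decoded the document by the time the handler runs.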
U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog in July 2024.
According to Sansec, CosmicSting (CVE-2024-34102) is the most severe bug impacting Magento and Adobe Commerce stores in two years, with hacks occurring at a rate of 3 to 5 per hour. Merchants are urged to implement countermeasures immediately.
An attacker can also chain the flaw with the vulnerability CVE-2024-2961 to run arbitrary code on the underlying server and install backdoors.
“CosmicSting targets a critical bug in the Adobe Commerce and Magento platforms. Bad actors use it to read any of your files, such as passwords and other secrets. The typical attack strategy is to steal your secret crypt key from app/etc/env.php and use that to modify your CMS blocks via the Magento API. Then, attackers inject malicious Javascript to steal your customer’s data.” reads the advisory published by Sansec. “Combined with another bug (CVE-2024-2961), attackers can also run code directly on your servers and use that to install backdoors.”
The exploitation has a severe impact on e-commerce: the researchers reported that cybercriminals have hacked 5% of all Adobe Commerce and Magento stores this summer. The attackers also compromised e-stores of major organizations, including Ray-Ban, National Geographic, Cisco, Whirlpool and Segway. Sansec experts reported that at least seven distinct groups are exploiting the CosmicSting vulnerability to deploy e-skimmers on victim stores.
“Sansec research shows that seven different groups have been hacking into 4275 online stores since the publication of CVE-2024-34102 (also known as CosmicSting) on June 11th. Despite ongoing warnings, five percent of Adobe Commerce and Magento stores ended up with a payment skimmer on their checkout page this summer.” reports Sansec.
Threat groups exploiting this vulnerability include Bobry, Polyovki (infecting over 650 stores), Surki, Burunduki, Ondatry, Khomyaki, and Belki. The Ondatry group compromised over 4,000 e-stores in 2022 using the TrojanOrder vulnerability, but they have now switched to CosmicSting.
Adobe issued a critical severity rating on July 8th after automated attacks began, stealing thousands of cryptographic keys. However, the experts noticed that updating systems didn’t automatically invalidate old keys, leaving stores vulnerable. Adobe provided guidance to remove old keys, but not all merchants followed it.
“Each group uses CosmicSting attacks to steal secret Magento cryptographic keys.” continues Sansec. “This key is then used to generate an API authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process through “CMS blocks”.”
Administrators of Adobe Commerce and Magento e-stores are recommended to upgrade their installations as soon as possible.
(SecurityAffairs – hacking, CVE-2024-34102)
Researchers at Recorded Future’s Insikt Group have documented the evolution of the Rhadamanthys information stealer. The malware was first identified in 2022, and since then it has been upgraded with advanced features; the latest version, 0.7.0, introduces AI-driven capabilities for extracting cryptocurrency seed phrases from images.
The infostealer can steal credentials, system information, and financial data from infected systems, and it supports sophisticated evasion techniques, including MSI installer disguise. Threat actors offer the malware for sale on underground forums; however, they ban customers from targeting specific regions.
The latest version of the Rhadamanthys information stealer uses artificial intelligence (AI) for optical character recognition (OCR) to support “Seed Phrase Image Recognition.”
“This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies.” reads the report published by Recorded Future’s Insikt Group. “The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation.”
The malware is developed by a threat actor known as “kingcrete2022” that advertises the info stealer on multiple hacking forums, including XSS, Exploit, Best Dark, Opencard, and Center-Club. The malware allows operators to harvest a broad range of information, including system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data stored in various applications.
The subscription fee is $250 per month, or $550 for 90 days.
Version 0.6.0 was released in February 2024, while the latest version, 0.7.0, of Rhadamanthys was released in June 2024.
“Version 0.7.0, the most recent version, includes a complete rewrite of both client-side and server-side frameworks, improving the program’s execution stability. Additionally, 30 wallet-cracking algorithms, AI-powered graphics, and PDF recognition for phrase extraction were added. The text extraction capability was enhanced to identify multiple saved phrases.” reads the report. “Bugs and issues from the previous version were resolved. The Telegram module was rewritten to support HTML formatting and multi-token polling, while the synchronization module now includes file transfer protocol (FTP) support for remote log transfers. The search filter module has been rewritten, and an application programming interface (API) interface with an open platform has been introduced.”
The Rhadamanthys malware infection chain remains unchanged across the various versions, and the attack chain is composed of three stages.
Rhadamanthys uses mutex objects to ensure only one instance runs on an infected host at a time, utilizing specific bytes for mutex creation.
“Knowing the mutex values and that Rhadamanthys will terminate if they are present enables the creation of a killswitch/vaccine.” continues the report.
Rhadamanthys has enhanced its functionality by implementing additional plugins, starting from version 0.5.0 and expanding in subsequent updates. The experts identify four main plugins: a Keylogger, DataSpyer, Clipper, and Reversed Proxy. In version 0.5.0, these plugins were implemented as .NET assemblies, loaded through the loader.dll file responsible for managing .NET assemblies. However, with the release of version 0.7.0, the plugin system was updated. The plugins are now packaged in ZIP files containing two components, classes.dex and manifest.json, which resemble the structure of an Android Package Kit (APK), although they are not actual APKs.
The report includes Tactics, Techniques, and Procedures (TTPs) associated with this threat.
(SecurityAffairs – hacking, Zimbra)
Europol, the UK, and the US law enforcement authorities announced a new operation against the LockBit ransomware gang. The police arrested an alleged LockBit developer at France’s request while he was vacationing outside Russia, and two individuals in the UK for supporting a LockBit affiliate. In Spain, the local police arrested the administrator of a bulletproof hosting service and also seized nine servers belonging to the group’s infrastructure.
“Europol supported a new series of actions against LockBit actors, which involved 12 countries and Eurojust and led to four arrests and seizures of servers critical for LockBit’s infrastructure.” reads the press release published by Europol. “A suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate.”
The arrests and sanctions are part of the third phase of the law enforcement operation code-named conducted by law enforcement bodies from 12 countries, Europol, and Eurojust. The operation aims at dismantling the LockBit ransomware group. This follows the in February 2024 and further actions against its administrators in May and beyond.
Europol, the UK and the US published press releases on the former Tor leak site used by the ransomware gang.
Australia, the UK, and the US imposed sanctions on a key LockBit affiliate who is linked to the cybercrime group Evil Corp.
“Aleksandr Ryzhenkov DOB 26/05/1993 has been unmasked by the NCA as the specific member of Evil Corp who is a LockBit affiliate. Ryzhenkov used the affiliate name Beverley, made over 60 LockBit ransomware builds and sought to extort at least $100 million from victims in ransom demands. Ryzhenkov additionally has been linked to the alias mx1r and associated with UNC2165 (an evolution of Evil Corp affiliated actors).” reads the NCA’s announcement.
The UK also sanctioned 15 Russian citizens for ties to Evil Corp, while the US authorities sanctioned six, and Australia sanctioned two.
LockBit gang has been active since 2019, the list of victims is long and includes major organizations such as , and the . Over the years, law enforcement has arrested multiple individuals involved in the gang’s operation, including , , and .
Astamirov was arrested in Arizona in June 2023 and . Vasiliev, who was extradited to the United States in June, has already been .
(SecurityAffairs – hacking, Europol)
On September 27, 2024, US healthcare provider UMC Health System announced an investigation into an IT outage across its network. UMC diverted patients for several days after taking IT systems offline following a ransomware attack.
“However, out of an abundance of caution, we will continue to temporarily divert incoming emergency and non-emergency patients via ambulance to nearby health facilities until this issue is resolved. We are making accommodations wherever possible to minimize any disruption to our patients and our critical services.” reads the notice. “Our investigation into this incident remains ongoing and will take time to complete. In the meantime, we are standing up this dedicated webpage to provide the latest information. We will continue to provide updates via this site as services are restored and additional information becomes available.”
UMC Health System is a healthcare provider based in Lubbock, Texas. It operates University Medical Center, a major teaching hospital affiliated with Texas Tech University Health Sciences Center. UMC Health System provides a wide range of medical services, including emergency care, specialized surgeries, and comprehensive treatment programs. It serves as a regional medical center, offering both inpatient and outpatient care, and is known for its trauma center and advanced healthcare technologies.
The company announced that the healthcare facilities remain open across all access points, including Emergency Centers and Urgent Care Clinics. UMC Clinics also remained open.
The company launched an investigation into the security breach with the help of third-party cybersecurity experts. The hospital disconnected its systems from the Internet to contain the threat.
By Monday, the hospital restored some systems and services, but a few patients were still being diverted.
“Third parties that have helped other hospitals address similar issues have been engaged to assist in our response and investigation. Our teams are working around the clock to safely restore systems as quickly as possible.” concludes the notice.
“We appreciate your patience. It remains our mission and our goal to ensure our patients continue to receive the best care.”
The company did not provide details about the attack, such as the family of ransomware that hit the hospital. It’s unclear if threat actors exfiltrated patients’ data during the attack.
Healthcare infrastructure in the US continues to be under attack. In July, the Lockbit ransomware gang claimed the hack of the Fairfield Memorial Hospital in Illinois. Unfortunately, the ransomware group claimed the hack of other hospitals in the same period. The extortion group also claimed the hack of the Merryman House Domestic Crisis Center and the Florida Department of Health.
In February the . The security incident severely impacted normal operations also causing the delay of medical care.
Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.
(SecurityAffairs – hacking, UMC)
Patelco Credit Union is a member-owned, not-for-profit credit union that serves Northern California, particularly the San Francisco Bay Area. Founded in 1936, it is one of the oldest and largest credit unions in the country. With more than $9 billion in assets, it is the 22nd-largest credit union in the country.
At the end of June, the American credit union Patelco Credit Union shut down several of its banking systems to contain a ransomware attack.
The credit union investigated the security breach and discovered that threat actors first gained access to its systems on May 23, 2024, and exfiltrated a database containing personal information.
The company initially reported to the Maine Attorney General’s Office that the security breach impacted 726,000 customers and employees. The company offered impacted individuals two years of free identity protection services.
Patelco Credit Union now provides an update on the incident and reveals that the data breach impacted 1,009,472 people following the July ransomware attack.
“Following the investigation and a thorough review of the data involved, we confirmed on August 14, 2024, that the accessed databases contained your personal information. Although the investigation identified unauthorized access to some of our databases, the specific data that was accessed has not been determined.” reads the notice sent to the impacted individuals. “Accordingly, we are notifying individuals whose information was in those databases. The information in the accessed databases included first and last name with Social Security number, Driver’s License number, date of birth, and/or email address. Not every data element was present for every individual.”
Patelco did not reveal the ransomware group that breached its systems; however, the RansomHub group added Patelco Credit Union to its Tor leak site in August.
“We conducted negotiations for up to 2 weeks, and unfortunately we were unable to reach an agreement.
The company’s management doesn’t care about the privacy of customers at all. We auction the sensitive data extracted from their network. We will update the data sample in the next few days” wrote the ransomware gang on its leak site.
(SecurityAffairs – hacking, ransomware)
In May, the Community Clinic of Maui disclosed a data breach that impacted thousands of patients following a cyber attack. In June, the LockBit gang took credit for the attack.
The Community Clinic of Maui, also known as Mālama I Ke Ola Health Center, is a nonprofit healthcare organization dedicated to serving the Maui community. The clinic provides a range of services including primary care, dental care, and mental health support. The clinic operates with a mission to deliver culturally sensitive healthcare, emphasizing education, prevention, and advocacy regardless of patients’ ability to pay.
The cyber attack impacted the systems at the health center in Wailuku for more than two weeks.
Mālama investigated the security breach with external cybersecurity professionals, and on August 7, 2024, the experts determined that personal data may ‘have been subject to unauthorized access and acquisition between May 4, 2024 and May 7, 2024.’
The Community Clinic of Maui now discloses a data breach following the LockBit ransomware attack.
“The personal information that was potentially impacted included first and last names with one or more of the following identifiers: Social Security Number, Date Of Birth, Driver’s License Number / State Id Number, Passport Number, Financial Account Number, Routing Number, Bank Name, Credit / Debit Card Number, Card CVV Expiration Date, Pin/Security Code, Login Information, Medical Diagnosis, Clinical Information, Medical Treatment/Procedure Information, Treatment Type, Treatment Location, Treatment Cost Information, Doctor’s Name, Medical Record Number, Patient Account Number, Prescription Information and/ or Biometric Data. Mālama has no evidence that any personal information has been or will be misused for identity theft as a direct result of this incident.” reads the notice published by Mālama.
Starting on September 26, 2024, Mālama notified affected individuals and offered complimentary credit monitoring to those whose Social Security numbers were potentially exposed.
“On May 7, 2024, Malama experienced a cybersecurity incident that impacted connectivity to our network.” reads the notice shared with the Maine Attorney General. “Upon learning of this issue, we immediately commenced a prompt and thorough investigation. We also notified law enforcement. As part of our investigation, we have been working very closely with external cybersecurity professionals experienced in handling these types of incidents. After an extensive forensic investigation and comprehensive document review, on August 7, 2024, we determined your personal data may have been subject to unauthorized access and acquisition between May 4, 2024 and May 7, 2024.”
The Community Clinic of Maui is unaware of any misuse of the compromised data.
In July, the Lockbit ransomware gang claimed the hack of the Fairfield Memorial Hospital in Illinois. Unfortunately, the ransomware group claimed the hack of other hospitals in the same period. The extortion group also claimed the hack of the Merryman House Domestic Crisis Center and the Florida Department of Health.
Healthcare infrastructure in the US continues to be under attack, in February the . The security incident severely impacted normal operations also causing the delay of medical care.
Lurie Children’s Hospital is one of the top pediatric hospitals in the United States.
In early November 2023, the Cogdell Memorial Hospital (Scurry County Hospital District) announced it was experiencing a computer network incident that prevented the hospital from accessing some of its systems and severely limited the operability of its phone system. The hospital immediately removed network connectivity and continued to provide most routine services.
The facility operates as a Critical Access Hospital and a Rural Health Clinic serving rural West Texas.
In November 2023, the Lorenz extortion group .
Cyber attacks against hospitals are very dangerous, and despite major ransomware gangs imposing restrictions on their affiliates to avoid targeting them, many incidents have recently made headlines.
(SecurityAffairs – hacking, Lockbit ransomware)
The Department of Justice charged the British national Robert Westbrook (39) with hacking into the systems of five U.S. companies.
Westbrook was arrested in the United Kingdom this week and is awaiting extradition to the United States.
“Robert Westbrook, 39, of London, United Kingdom, was arrested in the United Kingdom this week with a view towards extradition to the United States so that he can face an indictment charging him with securities fraud, wire fraud, and five counts of computer fraud.” reads the press release published by the DoJ. “From January 2019 through May 2020, Westbrook executed a hack-to-trade scheme through which he generated millions of dollars in profits.”
Westbrook hacked into the email accounts of corporate executives at five US companies by resetting their passwords.
From January 2019 to May 2020, the man carried out a hack-to-trade scheme, earning over $3 million in profits. Westbrook breached the corporate executives’ Office365 email accounts to obtain non-public information, such as upcoming earnings announcements. Then he used the insider information to buy securities and sold them quickly after the information was made public, profiting significantly. He also set up auto-forwarding rules to send emails from compromised accounts to his own.
The U.S. Securities and Exchange Commission (SEC) also filed a civil complaint against the British national based on his illegal activities.
“As a result of these hacks, Westbrook deceptively obtained material nonpublic information that he used to trade in the securities of the five public companies prior to the release of at least 14 earnings announcements.” reads the press release published by the SEC. “The SEC’s complaint charges Westbrook with violating the antifraud provisions of the Securities Exchange Act of 1934. The complaint seeks a final judgment ordering Westbrook to pay civil penalties, ordering him to return his ill-gotten gains with prejudgment interest, and enjoining him from committing future violations of the charged provisions of the federal securities laws.”
The securities fraud charge carries up to 20 years in prison and a $5 million fine. The wire fraud charge also carries up to 20 years, with a fine of $250,000 or twice the gain/loss. Each computer fraud charge has a maximum penalty of 5 years in prison and a fine of $250,000 or twice the gain/loss.
(SecurityAffairs – hacking, British national)
U.K. transport officials and police are investigating a cyber attack on public Wi-Fi networks at the country’s biggest railway stations. Following the ‘cyber-security incident,’ passengers trying to log onto the Wi-Fi at several stations on Wednesday evening were shown a page with the message “We love you, Europe,” followed by an anti-Islam message listing a series of terror attacks.
The police confirmed they are investigating reports of “Islamophobic messaging on some Network Rail Wi-Fi services.”
The Wi-Fi networks at 19 stations were affected, including Manchester Piccadilly, London Euston, Liverpool Lime Street, Birmingham New Street, Glasgow Central and several London terminuses.
Network Rail, which oversees the stations affected by the cyberattack, confirmed that the Wi-Fi service had been disabled as a precaution. Network Rail also confirmed that no passenger data was compromised following the cyber attack.
“British Transport Police are investigating the incident,” Network Rail said in a statement. “This service is provided via a third party and has been suspended while an investigation is under way.”
Network Rail’s wifi system is run by a third-party company, Telent, with the actual internet service provided by another company, Global Reach.
“Telent can confirm that the incident was an act of cyber vandalism which originated from within the Global Reach network and was not a result of a network security breach or a technical failure.” reads a statement issued by Telent following investigations with Global Reach.
“The aim is to restore public Wi-Fi services by the weekend,” Telent added.
“The rail provider said it believed other organisations, not just railway stations, had been affected.” reported the BBC.
“This service is provided via a third party and has been suspended while an investigation is under way,” a Network Rail spokesperson said.
In early September, Transport for London (TfL) disclosed a cyberattack that exposed some customer names, contact details, and possibly bank account information.
Transport for London (TfL) is a local government body responsible for most of the transport network in London, United Kingdom.
The National Crime Agency investigated the security breach and the UK police arrested a 17-year-old from Walsall who is allegedly linked to the cyberattack. The attack has continued to disrupt TfL’s online services, affecting functions like refunds and real-time transit information.
(SecurityAffairs – hacking, Wi-Fi networks)