Security Affairs feed, category cyber-warfare-2 (https://securityaffairs.com/category/cyber-warfare-2). Read, think, share … Security is everyone's responsibility. Last build: Sun, 06 Oct 2024 13:16:39 +0000.

https://securityaffairs.com/169427/malware/security-affairs-malware-newsletter-round-14.html (published Sun, 06 Oct 2024 13:16:37 +0000)

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.

(SecurityAffairs – hacking, malware)
https://securityaffairs.com/169080/cyber-warfare-2/idf-hacked-beirut-airport-control-tower.html (published Sun, 29 Sep 2024 15:03:09 +0000)

Israel allegedly hacked Beirut airport's control tower, warning an Iranian plane not to land and forcing it to return to Tehran.

The Israeli cyber army on Saturday hacked into the control tower of Beirut Airport, the Rafic Hariri International Airport. The IDF breached the communication network of the control tower and threatened an Iranian civilian plane attempting to land, the MiddleEastMonitor website reported.

The Lebanese Ministry of Transport instructed airport authorities to block the Iranian aircraft from entering Lebanese airspace in response to the hack. This decision followed Israeli military warnings about preventing weapons transfers to Hezbollah via Beirut’s airport.

“We will not allow the transfer of weapons to Hezbollah in any form. We are aware of Iranian weapons transfers to Hezbollah, and we will work to thwart them,” Israeli army spokesman Daniel Hagari said in a statement. “We declare that we will not allow hostile aircraft carrying weapons to land at the civilian airport in Beirut. This is a civilian airport for civilian use, and it must remain that way,” he added.

Lebanon’s Transport Minister, Ali Hamieh, told the Lebanese newspaper “An-Nahar” that Israel’s IDF intercepted the airport’s control tower radio, threatening to attack the infrastructure if the Iranian plane landed.

“According to reports, Israel supposedly hacked into the communications system of the control tower, warning that it would not allow the landing of a cargo plane from “Qasem Air,” Flight No. QFZ9964, as it was approaching for landing,” reported The Jerusalem Post.

Israel’s army claimed that Beirut International Airport was being used as an entry point for weapons to Hezbollah. However, Lebanese authorities denied the accusation, stating that the airport is strictly civilian.

On Saturday, the Israeli army announced the success of a recent airstrike on Beirut’s southern suburb that killed Hezbollah leader Hassan Nasrallah.

(SecurityAffairs – hacking, Beirut airport)
https://securityaffairs.com/168817/intelligence/did-israel-infiltrate-lebanese-telecoms-networks.html (published Tue, 24 Sep 2024 11:13:10 +0000)

Israel has been sending text messages, recordings, and hacking radio networks to warn Lebanese citizens to evacuate certain areas.

Israel has been sending text messages, recordings, and hacking radio networks to warn Lebanese citizens to evacuate certain areas in the country, likely due to an imminent full-scale strike. Following these warnings, massive bombings in southern and eastern Lebanon killed over 270 people.

According to Al Jazeera, Israeli intelligence has been gathering data on Lebanon’s citizens for years.

Experts also speculate that the Israeli cyber army might have gained access to the private communication details of people across Lebanon.

Israel is believed to have infiltrated Lebanese telecom networks, allowing it to send targeted warnings to specific individuals. Experts believe that Israel has real-time access to data on Lebanese civilians, not just Hezbollah members, enhancing its intelligence capabilities in the region.

Residents in southern Lebanon and parts of Beirut received messages and phone calls early Monday, warning them to evacuate areas that are hosting Hezbollah. The warnings were sent from Lebanese numbers.

“If you are in a building with Hezbollah weapons, stay away from the village until further notice.” reads the message sent to Lebanese citizens.

One message seen by Al Jazeera urged people to stay away from villages with Hezbollah weapons. These coordinated warnings sparked concerns about escalating conflict in the region.

“In Beirut, Lebanese Information Minister Ziad Makary was among those who received a recorded phone call, according to the state-run National News Agency.”

“What we don’t know is how Israel got these details of people — cellphone numbers, locations. … Is it because of data leaks or because Israel has hacked into Lebanon’s telecoms infrastructure?” Ibrahim said.

However, media reported that Israeli forces bombed buildings whose residents received no warnings.

The messages are also part of the campaigns conducted by the IDF to destabilize local communities and isolate members of Hezbollah.

According to intelligence analysts, Israel had hacked Lebanese networks well before October 8, gaining access to almost any technology used in the country, including landlines, systems managing car plate numbers, and mobile phones.

Israeli cyber units have developed sophisticated spyware and hacking tools that allow their intelligence to track both Lebanese citizens and visitors.

In 2018, Lebanon’s UN representative Amal Mudallali accused Israel of hacking Lebanese telecom networks and sending recorded messages to civilians in Kafr Kila warning of imminent explosions during tensions with Hezbollah.

(SecurityAffairs – hacking, warfare)
https://securityaffairs.com/168674/cyber-warfare-2/ukraine-nccc-banned-telegram-military-government.html (published Sat, 21 Sep 2024 05:33:07 +0000)

Ukraine’s NCCC banned the Telegram app for government agencies, military, and critical infrastructure, due to national security concerns.

Ukraine’s National Coordination Centre for Cybersecurity (NCCC) has banned the Telegram messaging app on devices used by government agencies, the military, and critical infrastructure operators, citing national security concerns. The ban does not affect Ukrainian citizens.

On September 19, Ukraine announced the ban on Telegram during a meeting focused on threats to national security posed by the use of the Telegram messenger, especially during the ongoing conflict between Russia and Ukraine.

Kyrylo Budanov, the chief of Ukraine’s Defence Intelligence, warned that Russian intelligence could spy on Ukrainian entities potentially accessing Telegram users’ data, including deleted messages.

“The Chief of the Defence Intelligence of Ukraine Kyrylo Budanov provided substantiated evidence that russian special services have access to personal correspondence of Telegram users, even deleted messages, as well as their personal data.” reads the announcement published by the National Security and Defense Council of Ukraine.

“I have always stood for freedom of speech, but the issue of Telegram is not a matter of freedom of speech, it is a matter of national security,” said Budanov.

Representatives of the Security Service of Ukraine and the General Staff of the Armed Forces of Ukraine warned that Russia-linked threat actors are actively using Telegram for cyberattacks, spreading phishing and malware, geolocating users, adjusting missile strikes, etc.

“In order to minimise these threats, it was decided to ban the installation and use of Telegram on the official devices of government officials, military personnel, employees of the security and defence sector, as well as enterprises operating critical infrastructure.” continues the announcement. “The only exceptions will be those for whom the use of this messenger is part of their official duties.”

Despite the ban on military and government devices, Ukrainian users rely heavily on Telegram to communicate and receive news on ongoing conflicts.

At the end of August, French prosecutors charged Telegram CEO Pavel Durov with facilitating various criminal activities on the platform, including the spread of child sexual abuse material (CSAM), enabling organized crime, illicit transactions, drug trafficking, and fraud. The authorities announced a formal investigation of Durov.

Durov was indicted and then released by the French authorities under judicial supervision, with a ban on leaving French territory.

(SecurityAffairs – hacking, Ukraine)
https://securityaffairs.com/168656/apt/unc1860-provides-iran-linked-apts-access-middle-east.html (published Fri, 20 Sep 2024 13:51:51 +0000)

Iran-linked APT group UNC1860 is operating as an initial access facilitator that provides remote access to Middle Eastern Networks.

Mandiant researchers warn that an Iran-linked APT group, tracked as UNC1860, is operating as an initial access facilitator that provides remote access to target networks in the Middle East.

UNC1860 is linked to Iran’s Ministry of Intelligence and Security (MOIS). The APT specializes in using customized tools and passive backdoors to gain persistent access to high-profile networks. Targets include organizations in the government and telecommunications sectors across the Middle East. UNC1860 shares similar tactics with other Iran-linked threat groups, such as Storm-0861, which have facilitated destructive operations in Israel and Albania. The experts observed the use of the BABYWIPER malware in Israel in 2022 and of another malware family in Albania in 2022.

Although Mandiant cannot confirm UNC1860’s involvement in these attacks, the experts observed the use of custom malware developed by the group, suggesting a role in providing initial access for such operations. The group is known for maintaining long-term access to victim networks.

“Mandiant identified two custom, GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN that we assess were used to provide a team outside of UNC1860 remote access to victim networks.” reads the report published by Mandiant. “This tooling, coupled with [...] and evidence suggesting that the group collaborates with MOIS-affiliated groups such as APT34, strengthens the assessment that UNC1860 acts as an initial access agent.”

Mandiant noticed that organizations compromised by the Iran-linked group in 2019 and 2020 had also been previously breached by UNC1860, suggesting UNC1860 may support Iranian state-sponsored hackers in performing lateral movement. Additionally, both APT34-related clusters and UNC1860 have recently shifted their focus toward targets based in Iraq.

The UNC1860 APT uses web shells and droppers like STAYSHANTE and SASHEYAWAY to gain initial access to compromised systems. These tools allow attackers to perform hand-off operations. In March 2024, the Israeli National Cyber Directorate identified wiper activity targeting various sectors in Israel, with indicators including STAYSHANTE and SASHEYAWAY, both linked to UNC1860. STAYSHANTE is disguised as Windows server files and is controlled by the VIROGREEN framework. SASHEYAWAY enables the execution of passive backdoors like TEMPLEDOOR, FACEFACE, and SPARKLOAD. SASHEYAWAY has a low detection rate.

“UNC1860 GUI-operated malware controllers TEMPLEPLAY and VIROGREEN could provide third-party actors who have no previous knowledge of the target environment the ability to remotely access infected networks via RDP and to control previously installed malware on victim networks with ease.” continues the report. “These controllers additionally could provide third-party operators an interface that walks operators through how to deploy custom payloads and perform other operations such as conducting internal scanning and exploitation within the target network.”

TEMPLEPLAY is a .NET-based controller for TEMPLEDOOR; it supports backdoor functionality, file transfers, and proxy connections to target servers. UNC1860’s arsenal includes a wide range of passive tools and backdoors supporting initial access, lateral movement, and data gathering.

The implants used by the APT group demonstrate a deep knowledge of the Windows OS, reverse engineering of kernel components, and detection evasion techniques. Their passive implants, such as TOFUDRV and TOFULOAD, do not initiate outbound traffic, instead relying on inbound commands from volatile sources, making detection harder. These implants use HTTPS-encrypted traffic and undocumented Input/Output Control commands to evade network monitoring and endpoint detection. Tools like TEMPLEDROP repurpose Iranian antivirus drivers to protect files, while TEMPLELOCK, a .NET-based utility, terminates and restarts the Windows Event Log service to evade detection.
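As an added example (not from the Mandiant report or this article), the following Python detector looks for the TEMPLELOCK behaviour described above: the Windows Event Log service being stopped and restarted without a reboot. It pairs each Security-log 1100 record ("The event logging service has shut down") with the next System-log 6005 ("The Event log service was started") and flags the pair when no boot record (System 6009) lies between them; the event IDs are standard Windows ones, while the sample records and the gap threshold are constructed for the example.

```python
"""
Detect Event Log service stop/start pairs that are not explained by a reboot.
Such a restart leaves a blind window in which nothing is logged, which is the
effect TEMPLELOCK is described as seeking.
"""
from dataclasses import dataclass
from typing import List, Optional

EVENTLOG_SHUTDOWN = 1100   # Security log: "The event logging service has shut down."
EVENTLOG_STARTED = 6005    # System log: "The Event log service was started."
SYSTEM_BOOT = 6009         # System log: boot record written once per startup
MAX_RESTART_GAP = 600      # assumption: a stop and start farther apart are not paired


@dataclass(frozen=True)
class Event:
    time: int         # epoch seconds
    channel: str      # "System" or "Security"
    event_id: int
    message: str


@dataclass(frozen=True)
class Finding:
    stopped_at: int
    started_at: int
    blind_seconds: int   # window during which the host logged nothing


def detect_eventlog_restarts(events: List[Event]) -> List[Finding]:
    """Return one Finding per service stop/start pair with no reboot between."""
    findings: List[Finding] = []
    pending: Optional[Event] = None   # most recent unmatched shutdown record
    for e in sorted(events, key=lambda ev: ev.time):
        if e.channel == "Security" and e.event_id == EVENTLOG_SHUTDOWN:
            pending = e
        elif e.channel == "System" and e.event_id == SYSTEM_BOOT:
            pending = None   # a reboot accounts for the shutdown: benign
        elif (e.channel == "System" and e.event_id == EVENTLOG_STARTED
              and pending is not None):
            gap = e.time - pending.time
            if gap <= MAX_RESTART_GAP:
                findings.append(Finding(pending.time, e.time, gap))
            pending = None
    return findings


# Constructed sample: a normal boot, a suspicious in-session restart, then a
# clean shutdown followed by a reboot (which must not be flagged).
SAMPLE_EVENTS = [
    Event(100, "System", 6009, "Microsoft (R) Windows (R) boot record"),
    Event(120, "System", 6005, "The Event log service was started."),
    Event(5000, "Security", 1100, "The event logging service has shut down."),
    Event(5045, "System", 6005, "The Event log service was started."),
    Event(9000, "Security", 1100, "The event logging service has shut down."),
    Event(9300, "System", 6009, "Microsoft (R) Windows (R) boot record"),
    Event(9320, "System", 6005, "The Event log service was started."),
]

if __name__ == "__main__":
    for f in detect_eventlog_restarts(SAMPLE_EVENTS):
        print(f"ALERT: Event Log service restarted without reboot; "
              f"{f.blind_seconds}s unlogged between t={f.stopped_at} and t={f.started_at}")
```

On a real host the records would come from the Security and System channels of the event log forwarder; the logic is the same.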

“These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations.” concludes the report. “As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.” 

(SecurityAffairs – hacking, Iran)
https://securityaffairs.com/168521/intelligence/remote-attack-on-pagers-used-by-hezbollah.html (published Tue, 17 Sep 2024 22:12:02 +0000)

A remote attack on pagers used by Hezbollah in Lebanon and Syria caused them to explode, leaving at least eight or nine people dead, according to differing reports, and more than 2,800 injured.

At least eight or nine individuals, according to differing reports, including a child, were killed and over 2,800 were injured due to the explosion of their pagers across Lebanon. A Hezbollah official told Reuters that this incident is the “biggest security breach” in nearly a year of conflict with Israel.

The detonations occurred simultaneously across the country, and experts have proposed several hypotheses about the attack.

Threat actors targeted the pagers because they are used by Hezbollah fighters to communicate in an attempt to avoid being tracked and localized by Israeli intelligence.

One of the fighters killed was the son of a Hezbollah parliament member, and Iran’s ambassador to Lebanon, Mojtaba Amani, sustained a minor injury from the pager explosions. The detonated pagers were the latest models recently introduced by Hezbollah, according to security sources.

The pagers that exploded were the latest models brought in by Hezbollah in recent months; experts identified three different models targeted in the attack.

The cause of the pager explosions in Lebanon is still unclear, but multiple experts believe this is a case of a supply chain attack.

Looking at the footage of the explosion, we can notice that there is no smoke or fire usually associated with the explosion of a lithium battery.

Threat actors were likely able to intercept the supply and tamper with the hardware to cause the explosion on command. CNN reported that the pagers were possibly modified before shipping, indicating a coordinated attack. Experts like Justin Cappos emphasized that normal devices with lithium-ion batteries are not at risk; these specific pagers, however, seem to have been intentionally designed to explode. The news is still developing, and authorities have yet to confirm the cause.

(SecurityAffairs – hacking, Lebanon)
https://securityaffairs.com/168258/cyber-warfare-2/poland-thwarted-cyberattacks-russia-and-belarus.html (published Tue, 10 Sep 2024 12:00:37 +0000)

Poland's security officials announced that they successfully thwarted cyberattacks carried out by Russia and Belarus.

Poland’s security services announced they have thwarted a cyber operation orchestrated by Russia and Belarus and aimed at destabilizing the country, according to Deputy Prime Minister and Minister for Digital Affairs Krzysztof Gawkowski.

“The Belarusian and Russian foreign services… had a specific goal – to extort information, to blackmail individuals and institutions and to wage a de facto cyberwar,” Gawkowski said.

Nation-state actors targeted government institutions and state-owned companies involved in military contracts. The operation is the response to the support offered by Poland to Ukraine immediately after the invasion of the country. According to the Minister, the cyberattacks against Polish organizations and institutions have doubled since last year.

“Poland has registered up to 1,000 online attacks daily targeting government institutions and agencies, officials said, linking them to the country’s support for neighboring Ukraine in its 2 1/2-year war against Russia’s invasion.” reported the Associated Press.

In the first half of 2024, over 400,000 attempted or successful cyberattacks were recorded, surpassing the total of 370,000 attacks from the entire previous year.

Gawkowski revealed that the operation aimed at stealing data for blackmail purposes.

The Polish government plans to introduce new legislation aimed at strengthening the country’s resilience to cyber attacks. The government plans to require internet operators to store data on servers within Poland to enhance protection and allow better oversight by national authorities.

In August 2023, Poland’s Internal Security Agency (ABW) and national police opened an investigation into a hacking attack on the state’s railway network. According to the Polish Press Agency, the attack disrupted rail traffic overnight.

Stanisław Zaryn, deputy coordinator of special services, told the news agency that Polish authorities are investigating an unauthorized usage of the system used to control rail traffic.

“For the moment, we are ruling nothing out,” Zaryn said. “We know that for some months there have been attempts to destabilise the Polish state,” he added. “Such attempts have been undertaken by the Russian Federation in conjunction with Belarus.”

Since the beginning of the Russian invasion of Ukraine, Poland’s railway system represented a crucial transit infrastructure for Western countries’ support of Ukraine.

Zaryn explained that the attacks are part of a broader activity conducted by Russia to destabilize Poland.

In early 2023, Poland’s security agency warned that pro-Russian hackers have been continuously targeting the state since the start of the invasion of Ukraine.

Poland is in a strategic position and is considered a key ally of Ukraine; it continues to support Ukrainian refugees, in line with NATO’s strategy.

In July 2022, a pro-Russia hacker crew hit institutions in Poland including the Ministry of Foreign Affairs, the Senate, Border Control and the Police.

In April 2022, the same group claimed responsibility for DDoS attacks on the sites of institutions in states such as the USA, Estonia, Poland, the Czech Republic, and also on NATO sites.

In October 2022, Microsoft reported that a new strain of ransomware is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland.

Microsoft pointed out that this campaign was not connected to any of the 94 currently active ransomware activity groups that it is tracking.

The campaign shares victimology with recent operations conducted by Russia-linked threat actors, and the IT giant attributed it to one of these groups.

Poland’s security agency also reported the case of the November attack on the Polish parliament that was attributed to the pro-Russian group NoName057(16).

The attack was a response to the adoption by the Sejm of the Republic of Poland of a resolution designating Russia as a state sponsor of terrorism.

(SecurityAffairs – hacking, Russia)
https://securityaffairs.com/168095/cyber-warfare-2/russia-gru-unit-29155-critical-infrastructure.html (published Fri, 06 Sep 2024 07:09:50 +0000)

The United States and its allies state that Russia-linked threat actors operating under the GRU are behind global critical infrastructure attacks.

The FBI, CISA, and NSA linked threat actors from Russia’s GRU Unit 29155 to global cyber operations dating back to at least 2020. These operations include espionage, sabotage, and reputational damage. The United States and its allies state that the GRU unit is behind global critical infrastructure attacks.

Starting January 13, 2022, the group employed a wiper in attacks against Ukrainian organizations. The government experts pointed out that Unit 29155 operates independently from other GRU-affiliated groups.

The FBI, NSA, and CISA assess that Russia’s GRU Unit 29155 is responsible for various activities such as attempted coups, sabotage, influence operations, and assassination attempts across Europe. Since 2020, the unit has expanded into offensive cyber operations aimed at espionage, reputational harm, and data destruction. The FBI believes the unit’s cyber actors are junior GRU officers gaining experience under senior leadership. They also rely on non-GRU actors, including cybercriminals, to carry out their operations.

“FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions.” reads the joint advisory. “Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.”

GRU Unit 29155 has been conducting cyber operations against NATO members, European countries, Latin America, and Central Asia. The threat actors targeted critical infrastructure sectors such as government, finance, transportation, energy, and healthcare. Their activities include website defacement, infrastructure scanning, data exfiltration, and leaking stolen data. Since 2022, the unit focused on disrupting aid efforts for Ukraine.

“To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information.” continues the report. “Whether through offensive operations or scanning activity, Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, Central American, and Asian countries.”

GRU Unit 29155 targeted government and critical infrastructure by scanning IP ranges and exploiting vulnerabilities with publicly available tools. The group relies only on common red-teaming techniques and tools like SaintBot, often overlapping with other cyber actors, which makes it harder to attribute its activities. The nation-state actor attempted to exploit flaws in internet-facing systems, including Dahua IP cameras, to gain initial access. Using Shodan, they identify IoT devices and leverage default credentials to execute remote commands and exfiltrate data, including images and plaintext credentials.

Since 2020, Unit 29155 actors have used virtual private servers (VPSs) to host tools, conduct reconnaissance, exploit victim systems, and exfiltrate data. Once they had successfully exploited a system, the attackers deployed a Meterpreter payload and established communication through reverse TCP connections to their infrastructure. These reverse TCP sessions are initiated via specific ports, facilitating further control and data extraction from the compromised systems.

The joint advisory also includes tactics, techniques, and procedures associated with Unit 29155 along with mitigations.

(SecurityAffairs – hacking, Russia)
https://securityaffairs.com/168070/apt/apt28-cyber-attack-german-air-traffic-control-agency-dfs.html (published Thu, 05 Sep 2024 10:02:17 +0000)

A cyber attack hit the German air traffic control agency (DFS) disrupting its operations, experts attribute it to Russia-linked group APT28.

A cyber attack targeted the German Air Traffic Control Agency (DFS), as reported by Spiegel and European Truth. DFS, based in Langen near Frankfurt, confirmed that attackers breached its office connection but said that air traffic was not impacted.

“Our office connection was hacked, and we are now taking protective measures. DFS is working to minimise the consequences of the incident,” a spokesperson for DFS said on 1 September.

DFS immediately reported the attack to national security authorities. Cybersecurity experts linked the attack to the Russian nation-state actor APT28.

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

In May, Germany temporarily recalled its ambassador to Moscow following a state-sponsored Russian cyberattack that targeted members of its ruling party.

DFS did not share details about the security breach.

The attacks, aimed at defense and aerospace companies, began two years ago and were linked to the Russian hacker group APT28, which exploited a vulnerability in Microsoft Outlook to hack email accounts. On May 3, the EU and NATO condemned Russia’s cyber campaign against Germany and the Czech Republic, while NATO expressed solidarity with both countries in response to the attacks.

(SecurityAffairs – hacking, German air traffic control)
https://securityaffairs.com/167658/apt/volt-typhoon-versa-director-zero-day.html (published Tue, 27 Aug 2024 19:56:00 +0000)

China-linked APT group Volt Typhoon exploited a zero-day flaw in Versa Director to upload a custom webshell in target networks.

China-linked APT Volt Typhoon exploited a zero-day vulnerability, tracked as CVE-2024-39717, in Versa Director to deploy a custom webshell on breached networks.

Versa Director is a centralized management and orchestration platform used primarily by Internet Service Providers (ISPs) and Managed Service Providers (MSPs) to manage and monitor Software-Defined Wide Area Networks (SD-WANs).

The vulnerability CVE-2024-39717 resides in the “Change Favicon” feature of Versa Director’s GUI; it allows administrators with specific privileges to upload a malicious file disguised as a PNG image. Exploitation requires successful authentication by a user with the necessary privileges. Although details are limited, Versa Networks confirmed one case where the vulnerability was exploited due to a customer’s failure to implement recommended firewall guidelines.

“This vulnerability has been exploited in at least one known instance by an Advanced Persistent Threat actor.” reads the advisory published by Versa Networks.

This oversight allowed the attacker to exploit the vulnerability without needing to access the GUI. Threat actors uploaded a custom webshell to target systems to steal credentials. The company confirmed that at least one APT group actively exploited the flaw in the wild.

The vulnerability impacts Versa Director versions 22.1.3, 21.2.3, 22.1.2.

Researchers at Lumen’s Black Lotus Labs discovered a zero-day vulnerability in Versa Director on June 17. The experts spotted a malicious Java binary named “VersaTest.png” uploaded from Singapore to VirusTotal. The file was analyzed and found to be a custom Java web shell, internally named “Director_tomcat_memShell” and referred to by researchers as “VersaMem.” This malware, designed specifically for Versa Director, currently has zero detections on VirusTotal.

Black Lotus Labs detected unusual traffic indicating the exploitation of several U.S. Versa Director servers between June 12 and mid-July 2024. The initial access to these compromised systems was likely through port 4566, typically used for high-availability (HA) pairing between Versa nodes. The compromised systems showed brief TCP traffic on port 4566, followed by extended HTTPS sessions on port 443, which is unusual for legitimate traffic from non-Versa nodes like SOHO devices.

This pattern suggests a successful exploitation, leading to the use of the VersaMem web shell. The researchers identified four U.S. victims and one non-U.S. victim, mainly in the ISP, MSP, and IT sectors, with the earliest exploitation detected at a U.S. ISP on June 12, 2024.
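As an added example (not from the Black Lotus Labs report or this article), the Python below turns the traffic pattern described above into a detection over flow records: a brief TCP connection to the HA pairing port 4566 from a peer that is not a known Versa node, followed shortly afterwards by a long-lived HTTPS session on 443 from the same peer. Only the two port numbers come from the report; the flow records, the director and peer addresses, and the duration thresholds are constructed assumptions for the example.

```python
"""
Flag peers whose traffic to a Versa Director matches the report's sequence:
short TCP on 4566 (HA pairing) then extended HTTPS on 443, from a source that
is not one of the Director's legitimate HA peers.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

HA_PAIRING_PORT = 4566   # Versa Director high-availability pairing port (from the report)
HTTPS_PORT = 443

# Tunable thresholds; assumptions, not values taken from the report.
SHORT_HA_MAX_SECONDS = 5       # what counts as "brief" traffic on 4566
LONG_HTTPS_MIN_SECONDS = 300   # what counts as an "extended" HTTPS session
FOLLOW_WINDOW_SECONDS = 900    # the 443 session must start within this window


@dataclass(frozen=True)
class Flow:
    start: int        # epoch seconds when the flow began
    duration: int     # seconds the flow lasted
    src: str          # client address
    dst: str          # server address (the Director here)
    dst_port: int
    proto: str = "tcp"


def unexpected_ha_peers(flows: List[Flow], director_ip: str,
                        known_versa_nodes: Set[str]) -> Set[str]:
    """Any non-Versa peer reaching the HA port is itself worth an alert: the
    port is meant only for pairing between Director nodes and should be firewalled."""
    return {f.src for f in flows
            if f.dst == director_ip and f.dst_port == HA_PAIRING_PORT
            and f.src not in known_versa_nodes}


def find_sequence_hits(flows: List[Flow], director_ip: str,
                       known_versa_nodes: Set[str]) -> Dict[str, dict]:
    """Return {peer_ip: evidence} for peers showing short-4566-then-long-443."""
    by_src: Dict[str, List[Flow]] = {}
    for f in flows:
        if f.dst == director_ip and f.proto == "tcp":
            by_src.setdefault(f.src, []).append(f)

    hits: Dict[str, dict] = {}
    for src, peer_flows in by_src.items():
        if src in known_versa_nodes:
            continue  # legitimate HA peer: pairing traffic is expected
        peer_flows.sort(key=lambda f: f.start)
        for ha in peer_flows:
            if ha.dst_port != HA_PAIRING_PORT or ha.duration > SHORT_HA_MAX_SECONDS:
                continue
            follow = [f for f in peer_flows
                      if f.dst_port == HTTPS_PORT
                      and ha.start <= f.start <= ha.start + FOLLOW_WINDOW_SECONDS
                      and f.duration >= LONG_HTTPS_MIN_SECONDS]
            if follow:
                hits[src] = {"ha_flow": ha, "https_flows": follow}
                break
    return hits


# Constructed sample data: the Director, its legitimate HA peer, an unknown
# SOHO-style address matching the pattern, and a benign web client.
DIRECTOR_IP = "10.0.0.5"
KNOWN_VERSA_NODES = {"10.0.0.6"}
SAMPLE_FLOWS = [
    Flow(start=1000, duration=3600, src="10.0.0.6", dst=DIRECTOR_IP, dst_port=4566),    # normal pairing
    Flow(start=1200, duration=2, src="203.0.113.7", dst=DIRECTOR_IP, dst_port=4566),    # brief probe
    Flow(start=1230, duration=1800, src="203.0.113.7", dst=DIRECTOR_IP, dst_port=443),  # long HTTPS after it
    Flow(start=1300, duration=60, src="198.51.100.9", dst=DIRECTOR_IP, dst_port=443),   # ordinary admin
    Flow(start=1400, duration=900, src="198.51.100.9", dst=DIRECTOR_IP, dst_port=443),  # long, but no 4566 first
]

if __name__ == "__main__":
    for peer, ev in find_sequence_hits(SAMPLE_FLOWS, DIRECTOR_IP, KNOWN_VERSA_NODES).items():
        print(f"ALERT {peer}: 4566 probe at t={ev['ha_flow'].start}, "
              f"{len(ev['https_flows'])} long HTTPS session(s) followed")
    print("non-Versa peers on 4566:",
          unexpected_ha_peers(SAMPLE_FLOWS, DIRECTOR_IP, KNOWN_VERSA_NODES))
```

The two functions are deliberately separate: the first is the simple, high-confidence rule (nothing but known Director nodes should ever reach 4566), the second catches the full sequence for environments where the port could not yet be restricted.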

“Black Lotus Labs identified a unique, custom-tailored web shell that is tied to this vulnerability, which we call “VersaMem.” The web shell’s primary purpose is to intercept and harvest credentials which would enable access into downstream customers’ networks as an authenticated user. VersaMem is also modular in nature and enables the threat actors to load additional Java code to run exclusively in-memory. Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024.” reads the report published by Black Lotus Labs. “The threat actors gain initial administrative access over an exposed Versa management port intended for high-availability (HA) pairing of Director nodes, which leads to exploitation and the deployment of the VersaMem web shell.”

The VersaMem web shell is a sophisticated, custom-tailored JAR web shell designed to target Versa Director systems. The malware was developed with Apache Maven, was built on June 3, 2024, and attaches itself to the Apache Tomcat process on execution. The malicious code uses the Java Instrumentation API and the Javassist toolkit to modify Java code in memory, avoiding detection.

The web shell supports two primary functions: capturing plaintext user credentials and dynamically loading Java classes in memory. It intercepts credentials by hooking into Versa’s “setUserPassword” method, encrypting the captured values and storing them on disk. It also hooks into the “doFilter” method of the Tomcat web server to inspect requests and dynamically load malicious Java modules based on specific parameters. The malware operates directly in memory and does not modify files on disk, which helps it avoid detection.

“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant.” concludes the report that includes Indicators of Compromise (IoCs). “Black Lotus Labs assesses this exploitation activity was ongoing as of at least early August 2024”

The Volt Typhoon group has been active since at least mid-2021 and has carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group relies almost exclusively on living-off-the-land techniques and hands-on-keyboard activity to evade detection.

In December 2023, Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.

The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.

U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.

The Volt Typhoon’s activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.

The US agencies also released guidance containing recommendations on how to identify and mitigate the living-off-the-land techniques adopted by the APT group.

(SecurityAffairs – hacking, Volt Typhoon)