Welcome to the next episode of the Xopero Security Center! This time we start with a curious case: RagnarLocker ransomware. Its operators install Oracle VirtualBox on infected computers and hide the ransomware inside a virtual machine. Does the trick work? Are they successful? Check below.
RagnarLocker ransomware runs Oracle VirtualBox to hide its presence from antivirus software
RagnarLocker is not your typical ransomware. Its operators carefully select targets, avoiding home users and going straight after corporations and government organizations. They usually gain access by abusing internet-exposed RDP endpoints, and they have also compromised MSP tools to breach targeted companies.
In the past, the RagnarLocker group deployed a version of its ransomware customized for each victim, but recently the attackers came up with a novel strategy to avoid detection. Instead of running the ransomware directly on the compromised computer, they download and install Oracle VirtualBox. The group then configures the virtual machine with full access to all local and shared drives, so that the guest can read and write files stored outside its own virtual disk. Next, the attackers boot the virtual machine, load the ransomware inside it and run it. Because the ransomware runs inside the VM, antivirus software on the host never sees a malicious process: the only process touching the files is VirtualBox itself.
The end result? Files on the local system and on shared drives are suddenly replaced with their encrypted versions. And the best part: all the file modifications appear to come from a legitimate process, the VirtualBox process. Brilliant.
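Since the host AV only ever sees VirtualBox writing the files, detection has to key off VirtualBox itself: a VM that is suddenly given whole drives and network shares as shared folders, and then booted without a console, on a machine that has no business running VirtualBox. The following is an added example written for this newsletter, not code from Xopero or from any vendor report on RagnarLocker. The events are constructed in the style of Windows Sysmon process-creation records, the hostnames and the "expected VirtualBox hosts" allowlist are assumptions, and the `VBoxManage sharedfolder add --hostpath` syntax and the `VBoxHeadless.exe` binary are the real Oracle VirtualBox ones.

```python
import re
import shlex

# Hosts where VirtualBox is expected to run (a constructed allowlist for this example).
VBOX_EXPECTED_HOSTS = {"DEV07"}

# Constructed process-creation events in the style of Sysmon Event ID 1
# (host, ParentImage, Image, CommandLine). Not telemetry from any real incident.
EVENTS = [
    {"host": "FS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" sharedfolder add micro --name C_DRIVE --hostpath C:\ --automount'},
    {"host": "FS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" sharedfolder add micro --name FIN --hostpath \\FS02\finance --automount'},
    {"host": "FS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmdline": r'"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe" --startvm micro'},
    {"host": "DEV07", "parent": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" sharedfolder add ubuntu --name src --hostpath C:\Users\dev\src'},
]

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")          # C: or C:\  (a whole local drive)
UNC_PATH = re.compile(r"^\\\\[^\\]+(\\|$)")         # \\server\share (a network share)


def host_path_is_broad(path: str) -> bool:
    """True when a shared-folder host path hands the guest a whole drive or a network share."""
    path = path.strip('"')
    return bool(DRIVE_ROOT.match(path) or UNC_PATH.match(path))


def parse_sharedfolder_add(cmdline: str):
    """Return the --hostpath of a 'VBoxManage sharedfolder add' command line, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:
        return None
    low = [a.lower() for a in argv]
    if len(low) < 3 or low[1] != "sharedfolder" or low[2] != "add":
        return None
    for i, a in enumerate(low):
        if a == "--hostpath" and i + 1 < len(argv):
            return argv[i + 1].strip('"')
    return None


def analyze(events, expected_hosts=None):
    """Return (findings, severity_per_host).

    A host is 'high' when it both exposes whole drives or shares to a guest and boots a VM
    headless, which is the combination the RagnarLocker operators need; either alone is 'medium'.
    """
    expected_hosts = VBOX_EXPECTED_HOSTS if expected_hosts is None else expected_hosts
    findings = []
    per_host = {}
    for ev in events:
        host = ev["host"]
        flags = per_host.setdefault(host, set())
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image == "vboxmanage.exe":
            hostpath = parse_sharedfolder_add(ev["cmdline"])
            if hostpath is not None and host_path_is_broad(hostpath):
                findings.append((host, "broad_sharedfolder", hostpath))
                flags.add("broad_sharedfolder")
        elif image == "vboxheadless.exe" and host not in expected_hosts:
            findings.append((host, "headless_vm_on_unexpected_host", ev["cmdline"]))
            flags.add("headless_vm")
    severity = {}
    for host, flags in per_host.items():
        if {"broad_sharedfolder", "headless_vm"} <= flags:
            severity[host] = "high"
        elif flags:
            severity[host] = "medium"
        else:
            severity[host] = "none"
    return findings, severity


if __name__ == "__main__":
    for finding in analyze(EVENTS)[0]:
        print(finding)
```

On the constructed events the file server FS01 scores "high" (two whole-drive or share mappings plus a headless VM start), while the developer workstation DEV07, which only shares a source directory into a VM it is expected to run, produces no finding. The same logic can be fed from a SIEM query on Sysmon or EDR process-creation data; the allowlist is the part you will need to tune.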
There is a new Bluetooth vulnerability which exposes a wide range of devices to the BIAS attack
A team of researchers tested the weakness on a variety of devices, including laptops, tablets and smartphones from popular consumer brands, equipped with different versions of the Bluetooth protocol. The work is still in progress, but at least 28 unique Bluetooth chips have so far proved vulnerable to the Bluetooth Impersonation AttackS (BIAS).
What exactly is a BIAS attack? It bypasses the Bluetooth authentication procedure that takes place while a secure connection is being established. The attackers exploit a few flaws in that procedure: lack of integrity protection, lack of encryption, and lack of mutual authentication.
When two devices pair, a long-term key (the link key) is generated and stored on both of them. From then on, each time a secure connection is established, a fresh session key is derived from the long-term key and other public parameters. Using the flaws, an attacker is able to impersonate a device that has previously authenticated and paired with the victim, without knowing the long-term key. The attacker can then take control of the victim device or steal sensitive data from it.
Does this mean your device is vulnerable? The researchers contacted vendors in December 2019, and some of them may have implemented workarounds since. If your device has not been updated since December 2019, it is likely still vulnerable.
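The "lack of mutual authentication" flaw is easiest to see in a model of the exchange. The code below is an added, deliberately simplified model written for this newsletter; it is not the researchers' code and not a Bluetooth implementation. It keeps only the shape of legacy Bluetooth authentication: the verifier sends a random challenge, the claimant answers with a keyed function of the challenge and its own address, and only the verifier checks anything. HMAC-SHA256 stands in for the real E1 function, the addresses and keys are made up, and the role switch is modelled simply by letting the attacker act as verifier. The Secure Connections downgrade and the encryption negotiation that follow in the real attack are not modelled.

```python
import hashlib
import hmac
import os


def e1_response(link_key: bytes, challenge: bytes, claimant_addr: bytes) -> bytes:
    """Toy stand-in for Bluetooth's E1: a keyed function of the challenge and the
    claimant's address. Only a party holding the long-term key can compute it."""
    return hmac.new(link_key, challenge + claimant_addr, hashlib.sha256).digest()


class Device:
    def __init__(self, addr: bytes, link_key: bytes):
        self.addr = addr            # 6-byte Bluetooth address (constructed)
        self.link_key = link_key    # long-term key shared at pairing time

    def challenge(self) -> bytes:
        return os.urandom(16)

    def respond(self, challenge: bytes) -> bytes:
        return e1_response(self.link_key, challenge, self.addr)

    def verify(self, challenge: bytes, response: bytes, claimant_addr: bytes) -> bool:
        expected = e1_response(self.link_key, challenge, claimant_addr)
        return hmac.compare_digest(expected, response)


class Impersonator(Device):
    """Attacker who knows a paired device's address but not the link key."""

    def __init__(self, spoofed_addr: bytes):
        super().__init__(spoofed_addr, link_key=b"")

    def respond(self, challenge: bytes) -> bytes:
        return os.urandom(32)       # cannot compute a valid response; guesses

    def verify(self, challenge, response, claimant_addr) -> bool:
        return True                 # as verifier, the attacker happily accepts anything


def legacy_authenticate(verifier: Device, claimant: Device, claimed_addr: bytes) -> bool:
    """Legacy (unilateral) authentication: challenge, response, and a decision taken by
    the verifier alone. The claimant never learns whether the verifier knows the key."""
    c = verifier.challenge()
    r = claimant.respond(c)
    return verifier.verify(c, r, claimed_addr)


def mutual_authenticate(a: Device, b: Device, a_addr: bytes, b_addr: bytes) -> bool:
    """Both sides must prove possession of the key; either failure aborts."""
    return legacy_authenticate(a, b, b_addr) and legacy_authenticate(b, a, a_addr)


def bias_scenario() -> dict:
    key = os.urandom(16)
    phone = Device(b"\x11" * 6, key)
    laptop = Device(b"\x22" * 6, key)
    attacker = Impersonator(laptop.addr)      # shows up with the laptop's address

    results = {}
    # Genuine pair: phone (verifier) challenges laptop (claimant).
    results["genuine"] = legacy_authenticate(phone, laptop, laptop.addr)
    # Attacker as claimant: the phone's check fails, as it should.
    results["attacker_as_claimant"] = legacy_authenticate(phone, attacker, laptop.addr)
    # BIAS: attacker switches roles and acts as verifier. The phone answers the challenge
    # and, because the procedure is not mutual, never demands proof in return.
    results["attacker_as_verifier"] = legacy_authenticate(attacker, phone, phone.addr)
    # With mutual authentication the attacker's own turn as claimant still fails.
    results["mutual_vs_attacker"] = mutual_authenticate(phone, attacker, phone.addr, laptop.addr)
    return results


if __name__ == "__main__":
    for name, ok in bias_scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The third scenario is the whole point: the "authentication" completes with the key-less attacker on one end because only the verifier's opinion counts, and the attacker chose to be the verifier. Everything after that (the session key the text mentions) still depends on the real key, which is why the published attack also needs the encryption-related weaknesses the researchers list.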
New Spectra attack breaks the separation between Wi-Fi and Bluetooth
Speaking of Bluetooth…
Academics from Germany and Italy say they have developed a new, practical attack that breaks the separation between the Wi-Fi and Bluetooth technologies running on the same device, such as a laptop, smartphone or tablet.
Called Spectra, the attack works against "combo chips", specialized chips that handle multiple types of radio-based wireless communication, such as Wi-Fi, Bluetooth, LTE and others.
More specifically, Spectra takes advantage of the coexistence mechanisms that chipset vendors build into their devices. Combo chips use these mechanisms to switch between wireless technologies at a rapid pace. The researchers say that while coexistence mechanisms improve performance, they also open up side channels that let an attacker infer details about the other wireless technologies the combo chip supports.
The researchers analyzed Broadcom and Cypress combo chips, which are found in hundreds of millions of devices, such as all iPhones, MacBooks and the Samsung Galaxy S series.
Exploiting Spectra requires attacking a combo chip with malformed wireless traffic, and then attacking the interface inside the chip between the two technologies.
There was a data leak… again. But this time the victim is a malicious actor, a GhostDNS operator
GhostDNS is a router exploit kit that uses cross-site request forgery (CSRF) to change a router's DNS settings and send its users to phishing pages that steal their login credentials.
How exactly did the malware package fall into the "wrong" hands? A year ago, in May 2019, the Avast Web Shield blocked a URL from the file-sharing platform sendspace.com. It turned out that an Avast user was up to no good, uploading a RAR archive with malicious content to the service. The user forgot to disable Avast Web Shield while doing so, and since the archive was not password protected, the Shield analysed it automatically and triggered Avast's router exploit kit (EK) detections. What happened next? The Avast security team downloaded the linked file and found the complete source code of the GhostDNS exploit kit.
While analysing the archive, the researchers discovered two methods for attacking routers, Router EK and BRUT. Router EK attacks from the local network and requires the user to click a malicious link; once the user clicks, the kit starts searching for the router's internal IP address. BRUT is a mass scanner that looks for routers exposed to the public internet and brute-forces their credentials. After gaining access to the target device, the malware changes the DNS settings so that they point to the attacker's servers.
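The Router EK path only works because so many router admin panels will change DNS settings for any request that carries a valid session cookie, however the browser was made to send it. The following is an added example, written for this newsletter; it is not GhostDNS code and not Avast's analysis. It models a router's DNS-settings handler as a plain Python function over a request dictionary, once in the permissive shape a DNS-changer kit relies on and once with the checks that defeat a cross-site request. The gateway address, the `/dnscfg.cgi` path, the `dns1`/`dns2` parameter names and all IP addresses are constructed; the two forged requests mirror the cross-origin `<img>` and auto-submitted `<form>` a malicious page can produce, which is the step the text describes after the kit has found the router's internal IP.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

ROUTER_ORIGIN = "http://192.168.1.1"          # assumed gateway address
ATTACKER_DNS = "203.0.113.53"                 # TEST-NET-3, stands in for the attacker's resolver
DEFAULT_DNS = ["192.0.2.1", "192.0.2.2"]      # constructed ISP resolvers (TEST-NET-1)


def fresh_router():
    return {"dns": list(DEFAULT_DNS), "sessions": {}}


def login(router):
    """Admin logs in; the browser will now attach this cookie to every request to the router."""
    sid = secrets.token_hex(16)
    router["sessions"][sid] = {"csrf": secrets.token_hex(16)}
    return sid


def _params(request):
    """Merge URL query and form body the way a permissive CGI handler often does."""
    merged = {k: v[0] for k, v in parse_qs(urlparse(request["url"]).query).items()}
    merged.update(request.get("body", {}))
    return merged


def vulnerable_set_dns(router, request):
    """Handler shape a DNS-changer kit relies on: a valid session cookie is all it takes,
    regardless of HTTP method or of which site made the browser send the request."""
    if request.get("cookies", {}).get("sid") not in router["sessions"]:
        return 401
    p = _params(request)
    if "dns1" not in p:
        return 400
    router["dns"] = [p["dns1"]] + ([p["dns2"]] if "dns2" in p else [])
    return 200


def hardened_set_dns(router, request):
    """Same change, gated so a cross-site request cannot perform it: state changes only via
    POST, the Origin header must be the router itself, and the body must carry the
    per-session anti-CSRF token that a foreign page cannot read."""
    session = router["sessions"].get(request.get("cookies", {}).get("sid"))
    if session is None:
        return 401
    if request["method"] != "POST":
        return 405
    if request.get("headers", {}).get("Origin") != ROUTER_ORIGIN:
        return 403
    body = request.get("body", {})
    if not hmac.compare_digest(body.get("csrf", ""), session["csrf"]):
        return 403
    if "dns1" not in body:
        return 400
    router["dns"] = [body["dns1"]] + ([body["dns2"]] if "dns2" in body else [])
    return 200


def csrf_attack(router, handler, sid):
    """Router EK's final step as the router sees it: the victim, still logged in to the
    admin panel, opens a malicious page that already knows the gateway IP. The browser
    attaches the router cookie to both forged requests, but the page cannot set Origin to
    the router or read the session's CSRF token. Returns the two status codes."""
    img_get = {                                   # <img src="http://192.168.1.1/dnscfg.cgi?dns1=...">
        "method": "GET",
        "url": f"{ROUTER_ORIGIN}/dnscfg.cgi?dns1={ATTACKER_DNS}",
        "headers": {"Referer": "http://evil.example/lure.html"},
        "cookies": {"sid": sid},
    }
    form_post = {                                 # auto-submitted cross-origin <form method="POST">
        "method": "POST",
        "url": f"{ROUTER_ORIGIN}/dnscfg.cgi",
        "headers": {"Origin": "http://evil.example"},
        "cookies": {"sid": sid},
        "body": {"dns1": ATTACKER_DNS},
    }
    return [handler(router, img_get), handler(router, form_post)]


def legit_change(router, sid, dns1):
    """The admin's own settings page: same-origin POST carrying the session's CSRF token."""
    req = {
        "method": "POST",
        "url": f"{ROUTER_ORIGIN}/dnscfg.cgi",
        "headers": {"Origin": ROUTER_ORIGIN},
        "cookies": {"sid": sid},
        "body": {"dns1": dns1, "csrf": router["sessions"][sid]["csrf"]},
    }
    return hardened_set_dns(router, req)


if __name__ == "__main__":
    r = fresh_router(); s = login(r)
    print("vulnerable:", csrf_attack(r, vulnerable_set_dns, s), r["dns"])
    h = fresh_router(); t = login(h)
    print("hardened:  ", csrf_attack(h, hardened_set_dns, t), h["dns"])
```

Against the permissive handler both forged requests succeed and the router now hands out the attacker's resolver; against the hardened one the GET is refused for its method and the POST for its foreign Origin, before the token is even compared. Note that none of this helps against the BRUT path the text describes: a scanner that logs in with brute-forced credentials is a legitimate session as far as the router can tell, so that one is fixed by not exposing the admin interface to the internet and not running default passwords.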
Shiny new Azure login attracts new shiny phishing attacks
Admins working with Microsoft Azure beware: phishers are updating their assets to reflect changes on the company’s cloud-based login screen.
Microsoft announced the innocuous change to its Azure AD login screen on 26 February and rolled it out in the first week of April. The previous screen featured a login box against a full-frame photograph. In the new version, Microsoft replaced the photograph with plain colours, reducing the background's size by 99%. That will save network bandwidth and reduce page loading times, said executives at the time. Even though browsers may cache static page assets locally, they still reload them eventually, and every little helps.
Online ne'er-do-wells work quickly, though, and it didn't take long for phishing scammers to catch on. Microsoft said in a tweet that it had seen multiple sites using the new background in a bid to lure Azure AD users into giving up their account details.
Azure AD is the cloud-based counterpart of the on-premises Active Directory that holds user authentication and access privilege data. The cloud version is the single sign-on gateway to a range of online applications, including Microsoft's own cloud services as well as third-party apps. As such, it is the holy grail for phishing scammers, who could gain access to a great many enterprise accounts in the cloud if they mount a convincing attack.
Do you have a thirst for knowledge? There are ten more cybersecurity stories below
1. Hackers infect multiple game developers with advanced malware (arsTECHNICA)
2. NXNSAttack technique can be abused for large-scale DDoS attacks (ZDNet)
3. Researchers Divulge Details on Five Windows Zero Days (Security Week)
4. European supercomputers hacked to mine cryptocurrency (We live security)
5. The ProLock ransomware doesn’t tell you one important thing about decrypting your files (Graham Cluley)
6. The dark web is flooded with offers to purchase corporate network access (Help Net Security)
7. NetWalker ransomware gang hunts top-notch affiliates (ThreatPost)
8. Microsoft warns of ‘massive’ phishing attack pushing legit RAT (BleepingComputer)
9. EasyJet hacked: data breach affects 9 million customers (BleepingComputer)
10. The wolf is back…(Talos Intelligence)