Project Freta is a cloud-based malware detection service announced by Microsoft Research Team. Malware, rootkits, cryptominers… Hard to detect threats which are lurking in cloud VM images should be much easier to reach and deal with. And Freta already supports over 4k Linux kernel versions. Let’s just say that it looks promising.
Towards trusted and invisible cloud malware scanner – Microsoft introduces Project Freta
Cloud environments with thousands of VMs running concurrently… Ensuring that none of the VMs are running malware can be a challenging task for many system administrators. To scan virtual machine for malware administrator need to run a supporting software on each VM first. This is not only time-consuming but it can also alert malware running on the system that something is searching for it… Malware could discover that it is running in a VM and terminate itself. Either way, malware can escape detection. Now – thanks to project Freta – administrators will be able to outsmart it.
According to Mike Walker, Microsoft’s senior director of New Security Ventures “When attackers and defenders share a microarchitecture, every detection move a defender makes disturbs the environment in a way that is eventually discoverable by an attacker invested in secrecy”. With Project Freta researchers completely separated the security plane from the computing plane. The scanning mechanism leaves the VM’s memory untouched so the process itself remains invisible to malware. Project Freta works out what system objects the VM holds based on a live in-memory snapshot of the Linux system, looking for processes, in-memory files, kernel modules and networks, among other things.
What’s the ultimate goal? Making the cloud an unsuitable place for cyberattacks. The main objectives are to infer the presence of malware from memory, and more importantly, render evasion infeasible and increase the development cost of undiscoverable cloud malware. Project Freta lets users submit memory images (.vmrs, .lime, .core, or .raw files) via an online portal or an API, then a detailed report is generated which can be exported in JSON format.
Why „Freta”? The project is named after Warsaw’s Freta Street (Poland), the birthplace of Marie Curie, the famous physicist and two time Nobel prize laureate.
Shopped recently in a small online store? Magecart attacks 570 websites
The payment-card-skimming Magecart malware has turned up 570 e-commerce belonged to small/medium sized-merchants in 55 countries.
The majority was hosted in the U.S., U.K., the Netherlands, France, India, etc.
The Keeper group includes an interconnected network of 64 attacker domains used to deliver malicious JS payloads and 73 exfiltration domains used to receive stolen payment cards data from victim domains.
The research revealed that over 85% of the victim sites operated on the Magento CMS, 5% WordPress, and 4% Shopify. The attackers likely targeted small and medium-sized retailers because they are less likely to have a dedicated IT security team, to implement CMS and plugin patches promptly, and to have security measures in place and attack detection capabilities.
The researchers estimated that the group may have generated over $7 million USD from selling compromised payment cards between 2017 and today.
The full list of compromised websites can be found here.
Conti ransomware achieved lazing-fast encryption speeds – it uses 32 simultaneous CPU threads
Conti is another example of “human-operated ransomware”. Under the hood, Conti operates like most ransomware. What really stands out is its support for multi-threaded operations. Many other ransomware families also support multi-threaded operations, so what is so special in that particular case? Conti stood out because of the large number of concurrent threads it utilized – namely, 32 – which results in faster encryption compared to many other families.
The second unique feature is the fine-grained control over the ransomware’s encryption targets via a command-line client. The ransomware can be configured to skip encrypting files on the local drives and encrypt data on networked SMB shares just by feeding the ransomware’s binary a list of IP addresses via the command-line. It means that it can cause targeted damage in an environment.
What happens when systems immediately start showing signs of infection? An attack is detected immediately. But when destruction is limited to the server that has no Internet capability, the attack may not be noticeable for days, or weeks – as long as the data is accessed by a user.
The third unique technique spotted in the threat code is its abuse of Windows Restart Manager. Conti invokes this component to unlock and shut down app processes so it can encrypt their respective data.
For now, there is no way to recover files locked through the Conti ransomware. Unless companies can afford to pay huge ransom demands the offline backups should be prioritized.
240 top Microsoft Azure-hosted subdomains hacked to spread malware
UNESCO, Red Cross, Siemens, Xerox, 3M, Warner Bros, Toshiba, Volvo, Hawaiian Airlines… These subdomains are on the list of 240 hijacked websites, which belong to some of the most prominent organizations and brands worldwide. They were used by cybercriminals to redirect users to download unexpected content such as malware, malicious Chrome extensions, online gambling, and adult content. What do they have in common? All were hosted by Microsoft Azure.
The hijacked domain names were reported by Zach Edwards from Victory Medium, who notified Microsoft and the affected companies/organizations about the issue in June.
According to Edwards, most of the subdomains were taken over by a single group, which he believes is active for five years. As per his analysis, this group has the support of an international criminal gang. The group is much sophisticated and automated than expected – they have hit tons of organizations and uploaded tons of malware.
Furthermore, Edwards assessed that the hackers try to hide their presence after hijacking a subdomain, for which they make the root URL to show a “coming soon” or the 404 error message. Around 20% of the subdomains he reported were shut down.
However, the bigger problem is that the website’s DNS entries are hijacked mainly because of how they were hosted. The problem with some hosting providers, apparently including Azure, is that when you’re done with the subdomain and stop paying for it, the name becomes available for someone else to use – including cybercriminals who are on the lookout for cloud server names that have been retired and forgotten about, but never properly purged from the DNS.
Please do NOT visit these domains as they have the potential to infect your device with malware. You can just check the full list here.
Do you have thirst for knowledge? There is ten more cybersecurity stories below
1. EDP energy giant confirms Ragnar Locker ransomware attack (BleepingComputer)
2. Free decryptor available for ThiefQuest ransomware victims (ZDNet)
3. Microsoft Seizes Domains Used in COVID-19-Themed Attacks (Dark Reading)
4. Drone Path Often Reveals Operator’s Location (Dark Reading)
5. German police seize DDoSecrets server distributing ‘BlueLeaks’ files (CyberScoop)
6. 15 Billion credentials currently up for grabs on hacker forum (Threat Post)
7. Nvidia fixes code execution vulnerability in GeForce Experience (ZDNet)
8. Google Tsunami vulnerability scanner is now open-source (Security Affairs)
9. Cerberus Banking Trojan Delivered via App Hosted on Google Play (Security Week)
10. Huge DDoS Attack Launched Against Cloudflare in Late June (Dark Reading)