PyPI

AWS

Fabric


37,000 PyPI Downloads: Fabric Typosquatting Supply Chain Attack Steals AWS

Fabrice malware, a PyPI typosquatting supply chain attack, steals AWS credentials from Linux & Windows. Learn how to protect against similar threats.

11-Nov-2024
6 min read

Related Articles


GeoVision

Zero Day

Mirai botnet exploits zero-day vulnerability in GeoVision devices, affecting ove...

A dangerous malware botnet has been detected exploiting a zero-day vulnerability (CVE-2024-11120) in end-of-life GeoVision video surveillance devices, potentially compromising over 17,000 systems worldwide. The Mirai botnet variant, known for Distributed Denial of Service (DDoS) and cryptomining attacks, is exploiting this critical flaw to install malware on outdated devices, posing a significant security risk.

### **Critical Vulnerability Details**

The flaw, CVE-2024-11120, was uncovered by Piotr Kijewski of The Shadowserver Foundation and carries a severity score of 9.8 (CVSS v3.1), highlighting its critical impact. It is an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands on the device, potentially seizing control.

"Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device," warns Taiwan's CERT (TWCERT). The organization has already received numerous reports of this vulnerability being actively exploited in the wild, signaling an urgent need for mitigation. According to TWCERT, the vulnerability (TVN-202411014) is highly exploitable and poses severe consequences; with exploitation already confirmed in multiple instances, swift action is required to mitigate the risk.

### **Impacted GeoVision Models**

The vulnerability affects several discontinued GeoVision models, grouped by functionality:

#### **Video Servers:**

- **GV-VS12**: A two-channel H.264 video server designed for converting analog video to digital streams.
- **GV-VS11**: A single-channel video server used for digitizing analog video signals.

#### **License Plate Recognition System:**

- **GV-DSP LPR V3**: A Linux-based system dedicated to license plate recognition.

#### **Mobile Surveillance DVRs:**

- **GV-LX4C V2 / GV-LX4C V3**: Compact digital video recorders (DVRs) developed for mobile surveillance applications.

These models are end-of-life products and no longer receive security updates, making them particularly vulnerable to attack.

### **Global Exposure**

According to The Shadowserver Foundation, approximately 17,000 GeoVision devices are currently exposed online and vulnerable to exploitation via CVE-2024-11120. Most of these devices (over 9,100) are located in the United States, with Germany, Canada, Taiwan, Japan, Spain, and France also reporting significant numbers of vulnerable devices. Piotr Kijewski, the researcher who uncovered the issue, has identified the botnet as a variant of Mirai, a notorious malware strain often used for DDoS attacks and cryptomining operations. With thousands of exposed devices left defenseless, the potential for large-scale disruption is high.

### **Symptoms and Mitigation Steps**

Infected devices may show symptoms such as excessive heating, slower response times, and unexpected configuration changes caused by the increased resource usage of unauthorized activity. If any of these symptoms are observed, it is critical to perform a factory reset, change the default admin password to a strong one, disable remote access, and isolate the device behind a firewall. For organizations unable to replace these end-of-life devices, network administrators should place them on a dedicated local area network (LAN) or subnet, away from critical infrastructure, and closely monitor their activity for any signs of compromise.

**How to Protect Against Mirai Botnet Attacks**

The following steps are recommended to mitigate the impact of this vulnerability:

1. **Device Replacement**: Replace outdated GeoVision devices with supported models that continue to receive security patches.
2. **Password Management**: Immediately change default credentials to strong, unique passwords.
3. **Access Restrictions**: Disable remote management interfaces and place devices behind firewalls to limit exposure.
4. **Network Segmentation**: Isolate vulnerable devices to prevent them from compromising other parts of the network.
5. **Firmware Updates**: Ensure that any devices still supported receive the latest firmware updates to minimize risk.

Note: Prioritizing mitigation steps based on the organization's resources and the importance of each device helps with effective risk management.

GeoVision devices' end-of-life status leaves them highly susceptible to attack, and no security patches are expected. Users and administrators must therefore take immediate action to secure these devices or consider replacing them. The exploitation of CVE-2024-11120 by a Mirai botnet highlights the risks of running unsupported, vulnerable hardware. With thousands of GeoVision devices exposed globally, the threat of their being compromised for malicious purposes such as DDoS attacks or cryptomining is significant. Users should take all available precautions, including restricting access and enforcing strong password practices.

19-Nov-2024
4 min read

BitLocker

Decryptor

Discover how ShrinkLocker ransomware leverages BitLocker encryption vulnerabilit...

ShrinkLocker ransomware is a rapidly emerging cybersecurity threat in 2024, leveraging VBScript and Windows BitLocker encryption to carry out ransomware attacks. It poses significant risks, especially for organizations with weaknesses in their BitLocker deployments. ShrinkLocker stands out for its use of older technologies, exploiting legacy system weaknesses in a new and dangerous way. This combination represents a shift towards simpler yet effective tooling that achieves significant impact while remaining accessible to attackers with limited resources.

This attack vector takes a step back from bespoke encryption schemes built on elliptic-curve cryptography (ECC) or RSA-2048, opting instead for simplicity and efficiency. Reusing the built-in BitLocker feature removes the need for complex infrastructure or specialized expertise, which is exactly what makes the technique accessible to less-resourced attackers. But make no mistake: ShrinkLocker has proven itself capable of wreaking havoc on both individual systems and corporate environments, presenting unique challenges for cybersecurity professionals worldwide.

### An Unconventional Approach to Encryption

ShrinkLocker differs from traditional ransomware by using BitLocker, a legitimate encryption feature in Windows, rather than a custom encryption routine. Repurposing existing system tools makes it harder for defenders to detect and respond. The tactic re-encrypts the victim's drive with a newly generated password, which is then uploaded to a server controlled by the attacker.

The attack begins by checking whether BitLocker is enabled on the target system. If it is not, ShrinkLocker installs it before encrypting the drive with a randomly generated password. The infected system then reboots, and the user is prompted to enter the password, with an attacker's email address displayed for ransom instructions. A user who tries to bypass this step remains locked out, because the drive cannot be accessed without the correct password. This method turns a legitimate security feature into an attack vector, locking users out of their systems while leaving the attacker as the sole keyholder.

### Easy Implementation and Broad Scope

ShrinkLocker's simplicity also means it can propagate quickly across a corporate network, which poses significant risks to unprepared organizations. Using Group Policy Objects (GPOs) and scheduled tasks, ShrinkLocker automates the deployment of encryption commands across multiple devices. GPOs configure and enforce the ransomware scripts across systems in the network, while scheduled tasks keep the encryption process running without manual intervention. This use of built-in Windows management tools allows ShrinkLocker to encrypt multiple devices in as little as 10 minutes each, potentially compromising an entire domain with minimal effort. To catch this rapid propagation, defenders should monitor Group Policy changes and scheduled task creation, as these are key indicators of ransomware spreading across a network. The approach is particularly appealing to individual threat actors who lack sophisticated technical capabilities but seek impactful results.

Notably, the origins of ShrinkLocker might lie in innocent intentions. Our analysis suggests that the script could have been written over a decade ago, likely as a benign tool for system management: automating routine administrative tasks such as user account management, performing disk maintenance such as defragmentation, or managing encryption settings to ensure data security. Originally, it might have been used by IT administrators to simplify repetitive tasks, improve system efficiency, or enhance data protection in corporate environments. Over time, however, the tool has been co-opted by malicious actors seeking to exploit its capabilities for harm. This provides an interesting historical context: while the code is outdated and in some cases incompatible with modern systems, it has been repurposed into an effective weapon by cybercriminals.

### Case Study: ShrinkLocker in Action

Our investigation into ShrinkLocker included a detailed analysis of an attack on a healthcare company in the Middle East, highlighting the specific risks posed by ransomware targeting critical sectors. The incident demonstrated the growing threat of supply chain vulnerabilities, weaknesses in third-party vendors or partners that attackers can exploit to reach larger networks. In this case, initial infiltration occurred on an unmanaged contractor's system. Once inside the network, the attacker moved laterally, gained control of the Active Directory domain controller, and ultimately modified the default Group Policy Preferences to distribute the ransomware to all domain-joined systems.

The attack also showed how ShrinkLocker's scripting inconsistencies, such as typos and redundant code, suggest a less sophisticated origin. These inconsistencies may cause operational errors that make the ransomware less reliable, but they can also hinder detection by introducing unpredictable behavior that complicates analysis. Defenders may struggle to write reliable detection signatures, and the inconsistencies could sometimes let the ransomware slip past automated security measures. On the other hand, defenders can turn the same inconsistencies to their advantage by looking for the patterns of errors and unusual behaviors they produce. Despite these apparent flaws, the ransomware's ability to modify registry settings and abuse BitLocker highlights a disturbing trend: the barrier to entry for creating impactful malware keeps getting lower.

### Decrypting ShrinkLocker

ShrinkLocker is particularly intriguing because it remains one of the few ransomware families for which a decryption solution is available, a rare opportunity for recovery from an otherwise devastating attack. This is uncommon: modern ransomware typically employs advanced encryption methods such as ECC and RSA-2048, which make developing decryption tools extremely challenging. Users should be aware, however, that the decryption tool has limitations: it is effective only within a specific time frame after infection, and there is a risk of data corruption during recovery.

By exploiting a specific window of opportunity, the brief period when BitLocker protectors have been removed but encryption has not yet been fully reconfigured, leaving the disk momentarily unprotected, our team has been able to create a decryption tool. Timing this window correctly requires technical precision and careful monitoring. The tool, now publicly available, can be accessed through Bitdefender's official website. Users will need a prepared USB drive and should follow the provided instructions to run the decryptor on an infected system, which allows them to recover their data without paying the ransom. Our approach involved transferring the decryption tool to an infected system via USB, navigating to the decryptor, and initiating the recovery. The process, while time-consuming depending on the system hardware, successfully reverts the ransomware's effects and restores access to the encrypted data.

### Mitigating ShrinkLocker and Similar Attacks

Preventing ShrinkLocker attacks requires proactive monitoring and careful configuration of BitLocker. Monitoring the Windows event logs generated when BitLocker protectors are deleted or suspended can provide an early warning of an encryption attempt. Configuring policy to require that BitLocker recovery information be stored in Active Directory Domain Services (AD DS) adds a further hurdle for attackers, because the recovery information then remains available to the organization rather than only to whoever set the new password.

Organizations, particularly those in highly targeted sectors like healthcare, finance, and critical infrastructure, are advised to implement a multi-layered, defense-in-depth architecture: firewalls, intrusion detection systems, network segmentation, and robust access controls, which create redundancies that can thwart attacks at different stages. Additional measures include timely patching, Multi-Factor Authentication (MFA) to minimize unauthorized access, and endpoint detection and response (EDR) tooling to identify suspicious activity. Together, these measures reduce the risk of falling victim to simple yet effective attacks like ShrinkLocker.

### A New Threat or a Flash in the Pan?

ShrinkLocker's emergence is a reminder that older, less sophisticated approaches can still be effective in the right hands. By repurposing legacy technologies for malicious intent, ShrinkLocker has shown that even outdated scripting languages like VBScript can be used to execute devastating attacks. The availability of a decryptor, however, is a small but significant victory for defenders. The ransomware landscape is ever-changing, but by understanding the nuances of these unconventional threats, security teams can be better prepared to defend against both the old and the new. ShrinkLocker may be a digital relic, but its impact on modern systems is a wake-up call for defenders to remain vigilant in the face of evolving threats.
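The propagation indicators the mitigation section names (a Group Policy change, scheduled task creation across hosts, and BitLocker protector removal) can be correlated in exported event telemetry. The following is an added example, not the article's or Bitdefender's code: it runs over constructed sample events in a simplified JSON shape and assumes the standard Security-log event IDs 5136 (directory service object modified) and 4698 (scheduled task created), while BitLocker protector removal is matched only by channel name and message keywords, which is an assumption about how a SIEM exports those events.

```python
"""Correlate Windows events for the ShrinkLocker rollout pattern described in the
article: a Group Policy change, then scheduled-task creation on many hosts,
then BitLocker protector removal. Added example with constructed sample data."""
from datetime import datetime, timedelta
import json

GPO_MODIFIED = 5136   # Security log: a directory service object was modified
TASK_CREATED = 4698   # Security log: a scheduled task was created
BITLOCKER_CHANNEL = "Microsoft-Windows-BitLocker/BitLocker Management"
WINDOW = timedelta(minutes=30)  # the article cites ~10 minutes per host
MIN_HOSTS = 3                   # tasks on this many hosts = fleet-wide rollout

# Constructed sample events (not real telemetry), one JSON object per line,
# in a simplified shape a SIEM export might use.
SAMPLE_LOG = """
{"time":"2024-05-01T09:00:00","host":"DC01","channel":"Security","id":5136,"object_class":"groupPolicyContainer","message":"A directory service object was modified"}
{"time":"2024-05-01T09:04:10","host":"WS01","channel":"Security","id":4698,"message":"A scheduled task was created: Update"}
{"time":"2024-05-01T09:04:12","host":"WS02","channel":"Security","id":4698,"message":"A scheduled task was created: Update"}
{"time":"2024-05-01T09:04:15","host":"WS03","channel":"Security","id":4698,"message":"A scheduled task was created: Update"}
{"time":"2024-05-01T09:06:30","host":"WS01","channel":"Microsoft-Windows-BitLocker/BitLocker Management","message":"All key protectors were removed from volume C:"}
{"time":"2024-05-01T09:07:00","host":"WS02","channel":"Microsoft-Windows-BitLocker/BitLocker Management","message":"Key protectors were removed from volume C:"}
{"time":"2024-05-01T13:00:00","host":"WS09","channel":"Security","id":4698,"message":"A scheduled task was created: Backup"}
"""


def parse_events(text):
    """Parse one JSON record per line and sort by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def is_gpo_change(event):
    return (event["channel"] == "Security" and event.get("id") == GPO_MODIFIED
            and event.get("object_class") == "groupPolicyContainer")


def is_task_created(event):
    return event["channel"] == "Security" and event.get("id") == TASK_CREATED


def is_protector_removed(event):
    # Assumption: exported BitLocker events carry a message naming the removal.
    text = event["message"].lower()
    return event["channel"] == BITLOCKER_CHANNEL and "protector" in text and "removed" in text


def detect_shrinklocker_rollout(events):
    """Return one alert per GPO change followed, within WINDOW, by scheduled-task
    creation on at least MIN_HOSTS distinct hosts. Hosts that already show
    protector removal are listed separately: the article describes that moment
    as the short window in which the disk is unprotected, so triage them first."""
    alerts = []
    for gpo in filter(is_gpo_change, events):
        end = gpo["time"] + WINDOW
        in_window = [e for e in events if gpo["time"] <= e["time"] <= end]
        task_hosts = {e["host"] for e in in_window if is_task_created(e)}
        if len(task_hosts) < MIN_HOSTS:
            continue
        stripped = {e["host"] for e in in_window if is_protector_removed(e)}
        alerts.append({
            "gpo_changed_on": gpo["host"],
            "at": gpo["time"].isoformat(),
            "task_hosts": sorted(task_hosts),
            "protectors_removed": sorted(stripped & task_hosts),
            "severity": "critical" if stripped else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_shrinklocker_rollout(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The isolated task on WS09 hours later falls outside the window and produces no alert, which is the point of correlating the indicators rather than alerting on each one alone.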

15-Nov-2024
8 min read

macOS

Flutter

Discover how DPRK-backed actors use Flutter apps to bypass Apple security and ta...

A newly discovered macOS app, linked to the DPRK, conceals malware designed to breach system defenses. The malware uses obfuscation tactics such as packing the code and encrypting certain components to evade detection. The campaign, discovered by Jamf Threat Labs, highlights the evolving threat posed by DPRK-backed actors, who often target sensitive data and rely on techniques such as social engineering and code obfuscation. This advanced persistent threat (APT) activity uses Flutter-built applications. Flutter's inherent obfuscation makes it highly effective at evading detection: features such as hidden dynamic library calls and an obscured code flow complicate analysis and help conceal malicious activity. The findings mark a concerning escalation in the methods used to breach macOS defenses, including cross-platform tooling and techniques to bypass Apple notarization.

### DPRK Targets macOS Using Flutter-Built Malware

In October, Jamf Threat Labs detected several malware samples uploaded to VirusTotal, a widely used malware analysis platform, that initially evaded detection despite exhibiting malicious behavior. Analysis of these samples pointed toward DPRK actors, with techniques closely matching previously observed malware campaigns. Disturbingly, some versions had even passed Apple's notarization process temporarily, indicating sophisticated obfuscation and manipulation tactics.

### Complexity of the Flutter Packaging

The malware was found in three packaging forms: Go, Python, and Flutter. Among these, the Flutter variant stood out for the difficulty of reversing and analyzing it. Flutter, a cross-platform framework developed by Google, is typically used for consistent app design across platforms like macOS, iOS, and Android. For legitimate developers, writing once and deploying across multiple platforms saves significant development time and resources, making it an attractive option. The same benefit appeals to attackers: they can create malware that works across multiple operating systems with minimal adjustment, broadening the pool of potential targets. For example, popular apps like Google Ads and Alibaba are built with Flutter, demonstrating its versatility for high-performance cross-platform solutions.

Flutter also makes malware harder to analyze because of the obfuscation inherent in how it compiles applications. Its structure, in particular Dart code compiled into dynamic library (dylib) files, makes the code inherently opaque and provides a natural avenue for obfuscation. In a standard Flutter application, the app logic is encapsulated in a dylib that is loaded by the Flutter engine rather than directly by the primary executable. This layer of abstraction complicates analysis because the dylib is not explicitly referenced from the main application executable. While the architecture is designed for cross-platform compatibility, it inadvertently serves as a highly effective way to conceal malicious logic.

![Flutter Layout](https://sb-cms.s3.ap-south-1.amazonaws.com/flutter_0c0702e574.jpg)

***Flutter Layout (Source: Jamf)***

### Anatomy of the Discovered Malware

The identified malware functions as a stage-one payload: the initial component of a multi-stage attack designed to establish a foothold, gather information, or prepare the system for more complex payloads that follow. Among the samples, six infected applications were detected, five of them bearing valid developer signatures that Apple had already revoked by the time of discovery. One such app, titled _"New Updates in Crypto Exchange,"_ presented itself as a functional minesweeper game. On execution, however, it initiated a network request to a domain (_mbupdate[.]linkpc[.]net_) previously linked to DPRK malware campaigns. The malicious code was deeply embedded within the application, and the pre-compiled Dart snapshots complicated decompilation and analysis because of the specialized tools required and the extra layer of abstraction Dart introduces. Further investigation revealed that the malware could execute remote AppleScript commands, such as launching applications, modifying system settings, or downloading additional malicious components, giving attackers control of infected devices through its payload delivery mechanism.

### Golang and Python Variants

In addition to the Flutter version, Jamf Threat Labs also [identified](https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/) Go and Python variants of the malware. The [Golang](https://www.secureblink.com/cyber-security-news/chinese-hackers-dragon-spark-use-golang-to-launch-espionage-attacks) variant, similarly signed and notarized by Apple, mirrored the network request and payload execution seen in the Flutter version, including HTTPS requests to command-and-control servers and payload execution with comparable obfuscation and scripting techniques. The use of different programming languages highlights the attackers' adaptability and their ability to exploit various ecosystems, which complicates detection and mitigation by requiring different analysis tools and expertise for each language.

![Signed and notarized trojanized app](https://sb-cms.s3.ap-south-1.amazonaws.com/signed_6f8ba5bc61.jpg)

***Trojanized Minesweeper (Source: Jamf)***

The Python variant, built with Py2App, was crafted as a standalone application. While it appeared to be a functional notepad app, malicious components embedded in the Python script enabled it to receive and execute commands from a remote server. The consistent use of `osascript` across the variants suggests a preference for native macOS features to achieve execution. Leveraging native, trusted components such as `osascript` and built-in automation tools like Automator makes the malware harder to detect and block. AppleScript commands run through `osascript` are often trusted by the system and less likely to trigger traditional antivirus alerts, which is why earlier macOS malware has used the same technique and why it remains effective at avoiding detection.

### A New Testing Ground for Future Attacks?

The findings suggest that this campaign could be a test run for future, more extensive attacks. The use of legitimate-looking applications, with names resembling popular software or polished user interfaces, together with signed developer accounts and advanced obfuscation techniques, points to a deliberate effort to bypass security controls and a strategic probing of macOS's security architecture. DPRK's history of sophisticated social engineering campaigns raises further concern about how these malware tools may evolve. The clear mismatch between the apps' content and their filenames, where the names suggest legitimate functionality but the code is malicious, implies an attempt to test whether Apple's notarization process could be circumvented with carefully concealed malicious components. Additionally, the use of Flutter as a delivery mechanism is a novel approach for DPRK actors, demonstrating their willingness to experiment with different frameworks and methodologies to evade security measures.

### Conclusion and Implications for macOS Security

The discovery of DPRK-backed malware using Flutter-built applications to target macOS users highlights the evolving threat landscape. The campaign shows how attackers refine their tactics to exploit legitimate development frameworks and weaknesses in Apple's notarization process. Although it remains uncertain whether this campaign was intended for broad deployment or as a proof of concept, it underscores the need for heightened vigilance and more robust macOS defenses. Countermeasures could include stricter application signing requirements, behavioral detection with machine learning-based anomaly detection tools (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint), and threat-hunting tools like Splunk or Carbon Black to identify unusual patterns and vulnerabilities. Jamf Threat Labs remains committed to monitoring and analyzing further developments in this campaign, ensuring that macOS users are well protected against emerging threats.

### Indicators of Compromise (IOCs)

The following domains, signatures, and application identifiers have been flagged as part of this investigation:

- Domain: mbupdate[.]linkpc[.]net
- Applications: "New Updates in Crypto Exchange (2024-08-28).app"
- Malware signatures: Flutter dylib containing Dart snapshots (`_kDartVmSnapshotData`, `_kDartIsolateSnapshotInstructions`)

For detailed technical insights and mitigations, Jamf Threat Labs has your back—while Jamf solutions ensure macOS security for everything else.

13-Nov-2024
7 min read