company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Redline Infostealer

Russia

Amigoes

loading..
loading..
loading..

RedLine Stealer malware responsible for stealing majority of the credentials

RedLine Stealer malware is the key source for data collection across underground forums; it collects usernames, passwords, cookies, and payment card information...

22-Oct-2021
3 min read

Related Articles

loading..

DVR

HIATUSRAT

FBI warns of HiatusRAT malware targeting vulnerable web cameras and DVRs, exploi...

The FBI has issued an urgent Private Industry Notification (PIN) warning regarding a new wave of malware attacks from **HiatusRAT**, a highly sophisticated and evolving cyber threat. The malware primarily targets vulnerable Internet of Things (IoT) devices, such as web cameras and Digital Video Recorders (DVRs), which are exposed to the internet. The attackers are focusing on Chinese-branded devices that have outdated firmware, unpatched security vulnerabilities, or have reached the end of their lifecycle. According to the FBI's alert, **HiatusRAT** has been actively scanning for these vulnerable devices across various countries, including the United States, Australia, Canada, New Zealand, and the United Kingdom. The FBI's warning sheds light on the evolving tactics used by cybercriminals to exploit known vulnerabilities and weak security measures. ## Technical Analysis ### Targeted Devices and Vulnerabilities The primary targets of **HiatusRAT** malware are **Hikvision** and **Xiongmai** web cameras and DVRs. These devices are typically deployed in surveillance systems and are notorious for having weak or default passwords, and vulnerable ports that are exposed to the internet. The threat actors scan for specific vulnerabilities and then exploit them to compromise the devices. Some of the known vulnerabilities exploited by HiatusRAT include: - **CVE-2017-7921**: A critical vulnerability affecting the video surveillance cameras. - **CVE-2018-9995**: A flaw in the device's firmware that can be leveraged to bypass authentication. - **CVE-2020-25078**: A remote code execution vulnerability in certain DVR systems. - **CVE-2021-33044**: A vulnerability in certain Chinese-branded IoT devices. - **CVE-2021-36260**: A known flaw in some IoT video surveillance systems. - **Weak Vendor-Supplied Passwords**: Attackers often exploit weak or default login credentials. These vulnerabilities, particularly the ones affecting Hikvision and Xiongmai devices, are well-documented and have been publicized in security bulletins for years. However, many devices have not received timely security patches, leaving them vulnerable to exploitation. ### Attack Tools: Ingram and Medusa To carry out their attacks, **HiatusRAT** actors use a combination of open-source tools, most notably **Ingram** and **Medusa**. - **Ingram**: This open-source vulnerability scanning tool is used by attackers to identify devices with web cameras exposed to the internet. Ingram scans for known vulnerabilities in these devices to exploit weaknesses in the firmware and software. - **Medusa**: This is a brute-force password-cracking tool that helps attackers gain unauthorized access to IoT devices by systematically testing different password combinations. By targeting weak or default passwords, the malware compromises the device and installs its payload. ### Exploited Ports The attackers focus on specific TCP ports that are commonly open on devices exposed to the internet. These include: - **23, 26, 554, 2323, 567, 5523, 8080, 9530, 56575** These ports are typically used for telnet and HTTP services, and when exposed to the internet without proper security controls, they become an easy entry point for cybercriminals. ## FBI Recommendations for Network Defenders In response to these ongoing attacks, the FBI has outlined several best practices for network defenders and system administrators: 1. **Limit Use of Vulnerable Devices**: Network administrators should limit the exposure of vulnerable IoT devices to the internet. If such devices must be used, they should be isolated from the rest of the network to prevent lateral movement in case of a breach. 2. **Update Firmware and Apply Security Patches**: Ensure that devices such as web cameras and DVRs are updated with the latest security patches. Devices that are no longer supported by the manufacturer should be replaced or disconnected from the network to prevent exploitation. 3. **Monitor for Suspicious Activity**: Regularly monitor network traffic for any suspicious activity, including unauthorized attempts to access or control IoT devices. 4. **Report Indications of Compromise (IOC)**: System administrators and cybersecurity professionals are urged to report any suspected incidents of compromise to the **FBI's Internet Crime Complaint Center (IC3)** or their local FBI field office. This helps track the spread of the malware and prevent further infections. ## Impact of HiatusRAT and Broader Threat Landscape ### Previous Attacks and Escalating Risk This wave of **HiatusRAT** attacks is part of an ongoing series of cyber operations aimed at compromising IoT devices. Prior to this latest campaign, HiatusRAT was involved in several high-profile attacks, including: - **A reconnaissance attack targeting a Department of Defense server.** - **Infections of over a hundred businesses from North America, Europe, and South America**, where **DrayTek Vigor VPN routers** were compromised to create a covert proxy network. These earlier campaigns highlight the evolving nature of HiatusRAT and its increasing focus on deploying additional payloads on infected devices, converting them into **SOCKS5 proxies**. This allows attackers to channel command-and-control (C2) server communication through compromised systems, making detection and mitigation more difficult. ### Link to Chinese Strategic Interests The FBI's analysis suggests that **HiatusRAT's** shifting targeting preferences and information-gathering activities align with **Chinese strategic interests**, as outlined in the **2023 Annual Threat Assessment** by the Office of the Director of National Intelligence (ODNI). This suggests that HiatusRAT may be part of broader geopolitical efforts to gather intelligence and maintain a covert presence in the target countries. ## Best Practices for Securing IoT Devices ### 1. **Device Isolation and Segmentation** One of the most effective ways to defend against these attacks is to isolate IoT devices from other critical parts of the network. By placing vulnerable devices in a separate network segment with strict access controls, the potential for lateral movement and data exfiltration is reduced. ### 2. **Disabling Unused Services** Telnet and HTTP services on IoT devices should be disabled if not required. If the services are necessary, they should be protected by strong authentication mechanisms and encrypted communications. ### 3. **Multi-Factor Authentication (MFA)** Where possible, enable multi-factor authentication (MFA) for accessing web cameras, DVRs, and other IoT devices. This adds an additional layer of protection against brute-force attacks. ### 4. **Regular Security Audits** Conduct regular security audits and vulnerability assessments to identify outdated firmware, exposed ports, and other weaknesses in IoT devices. ### 5. **User Education** Ensure that all users of IoT devices are educated about the importance of strong passwords and security best practices. Default passwords should be changed immediately upon installation, and weak passwords should be avoided.

loading..   18-Dec-2024
loading..   6 min read
loading..

Deloitte

Healthcare

Rhode Island's social services and health data breach exposes personal details o...

On **December 13, 2024**, the state of **Rhode Island** was struck by a significant **cybersecurity breach** affecting its social services and health insurance systems. The breach compromised the personal data of potentially **hundreds of thousands of residents** who used the state's online portal, **RIBridges**, to apply for various assistance programs. This attack, attributed to an **international cybercriminal group**, has raised concerns about the safety of government systems handling sensitive personal information. In this article, we will provide a detailed examination of the breach, its impact, and the ongoing efforts to mitigate the damage, offering insights into the breach's technical aspects, response measures, and the security lessons it underscores. Rhode Island’s **RIBridges system**, which facilitates access to various public assistance programs, was recently subjected to a **cyberattack** by an international hacker group. The breach led to the compromise of personal data, including **Social Security numbers**, **banking information**, and other sensitive details, putting the state’s residents at significant risk. This attack is a stark reminder of the vulnerabilities present in government-run digital platforms and the escalating threats posed by cybercriminals. ### About the Breach The breach was first discovered on **December 5, 2024**, when **Deloitte**, the vendor operating the RIBridges system, alerted the state of a potential security threat. However, it wasn’t until **December 13, 2024**, that the breach was confirmed, with Deloitte identifying malicious code within the system and the likelihood that **personally identifiable information (PII)** had been stolen. --- ## What Happened? On **December 13, 2024**, **Governor Dan McKee** confirmed that the cyberattack, conducted by an international cybercriminal group, had compromised the RIBridges portal. The hackers gained unauthorized access to sensitive data, including **Social Security numbers**, **banking information**, and other **personally identifiable information** (PII) stored within the system. **RIBridges** is a crucial system used by Rhode Island residents to apply for and manage a variety of government assistance programs, including Medicaid, food stamps, and child care support. The breach raised alarm bells as it impacted potentially hundreds of thousands of individuals who had applied for or received these benefits since **2016**. The cyberattack was part of a growing trend where cybercriminal groups target governmental systems to steal sensitive data and demand a ransom. The attackers reportedly threatened to release the stolen data unless they received a payment. --- ## Programs Affected The following programs, which are managed through the **RIBridges system**, were directly impacted by the breach: - **Medicaid** – Health insurance coverage for low-income individuals and families. - **SNAP (Supplemental Nutrition Assistance Program)** – Food assistance for low-income families. - **TANF (Temporary Assistance for Needy Families)** – Financial aid for families in need. - **CCAP (Child Care Assistance Program)** – Financial assistance for child care. - **Health Coverage via HealthSource RI** – Insurance coverage purchased through the state’s marketplace. - **Rhode Island Works (RIW)** – Cash assistance for low-income residents. - **Long-Term Services and Supports (LTSS)** – Support for individuals with disabilities. - **General Public Assistance (GPA)** – Aid for low-income Rhode Islanders. Anyone who has interacted with these services since 2016 could be at risk of having their personal information exposed. --- ## Details of the Data Breach The breach involved **malicious code** that allowed unauthorized access to sensitive files, which were likely downloaded by the attackers. The data compromised in the breach includes: - **Full names** - **Social Security numbers** - **Addresses** - **Dates of birth** - **Bank account numbers and other financial data** At this stage, the exact scope of the breach is still being assessed, but the compromised data is of high concern due to the presence of **financial information** and **identifiable personal details**. --- ## How the Attack Was Detected The breach was first detected by **Deloitte**, the vendor operating the RIBridges system, on **December 5, 2024**. Initial reports indicated a potential threat, but it was unclear whether any sensitive information had been exposed. - **December 5, 2024**: Deloitte notified the state of a possible breach. - **December 10, 2024**: Deloitte confirmed the breach after hackers sent screenshots of the stolen files. - **December 11, 2024**: Deloitte identified that the compromised files contained personal identifiable information (PII). - **December 13, 2024**: The breach was confirmed, and the system was taken offline to prevent further damage. --- ## Impact on Residents The breach has potentially affected **hundreds of thousands of residents** who have applied for or received benefits through the RIBridges system. While the investigation is ongoing, the following individuals are most likely impacted: - **Individuals who have applied for or received benefits through Medicaid, SNAP, TANF, or other programs since 2016.** - **Those who have used HealthSource RI to purchase health insurance.** The stolen data may include highly sensitive personal information, including **Social Security numbers** and **banking information**, which can lead to identity theft and financial fraud if misused. --- ## State's Response to the Breach The state of Rhode Island, along with its vendor **Deloitte**, has taken swift action to address the breach. The **RIBridges system** has been taken offline to prevent further unauthorized access. The following measures are being implemented: 1. **Investigation and Remediation**: Deloitte and state authorities are working together to assess the full scope of the breach and secure the system. 2. **Notification to Affected Individuals**: All impacted individuals will receive a **notification letter** offering free credit monitoring services. 3. **Dedicated Call Center**: A call center has been set up to assist affected residents and guide them on the next steps. 4. **Law Enforcement Involvement**: The **Rhode Island State Police** and **federal law enforcement** agencies are involved in the investigation. --- ## Preventive Actions for Affected Individuals Residents whose data has been compromised should take the following preventive measures: 1. **Freeze Credit**: Consider placing a freeze on your credit with all three major credit bureaus (Experian, Equifax, and TransUnion). 2. **Fraud Alerts**: Place a fraud alert on your credit report to prevent unauthorized use. 3. **Monitor Accounts**: Regularly check your bank and credit card statements for any unusual or unauthorized activity. 4. **Password Updates**: Change passwords on accounts that use the same credentials as the breached services. Use strong, unique passwords. 5. **Credit Monitoring**: Take advantage of the **free credit monitoring** offered by the state to detect fraudulent activity early.

loading..   17-Dec-2024
loading..   6 min read
loading..

GitHub

WordPress

MUT-1244 exploited trust to steal 390,000 WordPress credentials, SSH keys, and A...

Imagine this: over 390,000 WordPress credentials stolen, SSH keys compromised, and sensitive data siphoned—all orchestrated by MUT-1244. This elusive adversary leveraged trust in tools and platforms to execute a year-long siege, infiltrating systems through phishing campaigns and trojanized GitHub repositories. It’s a stark reminder of how even seasoned experts can be caught off guard in the ever-evolving cybersecurity battle. Through phishing schemes that exploited academic researchers, trojanized GitHub repositories posing as legitimate exploit tools, and the stealthy, malicious transformation of the @0xengine/xmlrpc NPM package, MUT-1244 showcased a calculated strategy to manipulate trust and leverage platform vulnerabilities for maximum impact. ## **MUT-1244 Campaign** ### **Scope of the Attack** MUT-1244's activities targeted a wide range of individuals and entities, including **academic researchers**, **cybersecurity professionals**, **red teamers**, and **malicious actors**. Leveraging a blend of trust exploitation and technical sophistication, the campaign resulted in the theft of: - **Over 390,000 WordPress credentials**. - **SSH private keys**. - **AWS access keys**. - **Sensitive system data** including command histories and environment variables. In parallel, compromised systems were exploited for **cryptocurrency mining**, utilizing advanced evasion techniques to avoid detection while remaining persistent over extended periods. ### **Dual Vectors of Initial Compromise** MUT-1244 employed two primary methods for initial access: 1. **Phishing Campaigns:** - Thousands of **academic researchers** were targeted with emails urging them to install a fake kernel upgrade masquerading as a "CPU Microcode Update for High-Performance Computing (HPC) Users." - Victims who executed the malicious command inadvertently installed malware that enabled the attackers to gain access to sensitive data and deploy secondary payloads. 2. **Trojanized GitHub Repositories:** - Over **49 malicious repositories** were created, posing as **proof-of-concept (PoC) exploit codes** for known CVEs. - Repository names were designed to appear legitimate and were indexed by trusted threat intelligence sources like **Feedly** and **Vulnmon**, increasing their credibility. - These repositories deployed malware via: - **Backdoored configuration files**. - **Malicious PDFs** embedding payloads. - **Python droppers** containing obfuscated backdoors. - **NPM packages** such as the notorious **@0xengine/xmlrpc**. --- **@0xengine/xmlrpc: Evolution from Legitimate Tool to Malicious Package** ### **Timeline of Malicious Activity** The **@0xengine/xmlrpc** package first appeared in October 2023 as a seemingly legitimate XML-RPC implementation for Node.js. However, starting with **version 1.3.4**, the package was transformed into malware through the addition of heavily obfuscated malicious code in the **validator.js** file. Over the following year, the package received **16 updates**, maintaining an illusion of legitimacy. ### **Distribution Strategy** The package’s distribution relied on two key methods: 1. **Direct Installation from NPM:** - Developers who installed the package unknowingly activated its malicious payload during usage. 2. **Dependency in the "yawpp" Repository:** - The GitHub repository "yawpp" masqueraded as a WordPress tool for credential validation and content posting. - Installation of "yawpp" triggered the automatic download of **@0xengine/xmlrpc** as a dependency, embedding malware into the users’ systems. ### **Functionality** The malware was designed to: - **Mine Monero Cryptocurrency:** - Utilized **XMRig** to mine cryptocurrency, with rewards directed to the attacker’s wallet. - Operations were orchestrated via a script (**Xsession.sh**) downloaded from a Codeberg repository. - **Exfiltrate Sensitive Data:** - Collected **SSH keys**, **bash histories**, **environment variables**, and other sensitive information every **12 hours**. - Data was exfiltrated to file-sharing platforms such as **Dropbox** and **file.io** using hardcoded credentials. ### **Evasion and Persistence** To avoid detection, the malware employed: - **Activity-Based Mining:** - Suspended mining during periods of user activity, detected via the **xprintidle utility**. - Resumed operations during inactivity, ensuring minimal disruption to the victim’s workflow. - **Systemd-Based Persistence:** - Registered as a legitimate service (**Xsession.auth**) to automatically restart operations after system reboots. --- **Exploiting Trust in the Cybersecurity Ecosystem** MUT-1244’s campaign highlights a recurring trend in modern cyberattacks: the exploitation of trust. By targeting **cybersecurity professionals** and **red teamers**, the attackers weaponized tools and repositories that their victims were likely to use. Examples include: - **Malicious PoC Exploits:** - Security professionals seeking exploit codes for CVEs unknowingly downloaded trojanized repositories, infecting their systems. - **Yawpp Credential Checker:** - Advertised as a tool for validating WordPress credentials, it attracted malicious actors who themselves fell victim to the malware. --- **Wider Implications and Lessons Learned** ### **Impacts of the Campaign** - **Operational Disruption:** - Up to **68 systems** were confirmed to be actively mining cryptocurrency for the attackers. - **Credential Theft:** - Over **390,000 WordPress credentials** were exfiltrated, potentially enabling further compromises of WordPress sites. - **Erosion of Trust:** - The campaign exploited trust in **open-source repositories** and tools, undermining confidence in widely-used platforms like GitHub and NPM. ### **Mitigation Strategies** To counter similar threats, organizations and developers should: 1. **Vigorously Vet Dependencies:** - Perform thorough checks on packages and repositories before incorporation. - Use tools to monitor for unexpected changes in package behavior or dependencies. 2. **Implement Continuous Monitoring:** - Regularly audit systems for unauthorized activities and anomalous traffic. - Employ advanced malware detection solutions to identify obfuscated code and suspicious behavior. 3. **Educate and Train Personnel:** - Raise awareness about phishing campaigns and the risks associated with blindly trusting open-source tools. 4. **Strengthen Incident Response Capabilities:** - Maintain robust backup and recovery mechanisms to mitigate the impact of breaches. - Collaborate with threat intelligence teams to identify and block malicious actors. --- **Conclusion: A Wake-Up Call for Cybersecurity** The MUT-1244 campaign exemplifies the evolving sophistication of supply chain attacks. By combining technical expertise, social engineering, and strategic exploitation of trusted platforms, the threat actor successfully infiltrated a wide array of systems over an extended period. This case serves as a stark reminder that vigilance, rigorous monitoring, and robust security practices are essential to defending against increasingly complex cyber threats. The cybersecurity community must learn from such incidents to bolster defenses, ensuring that trust and collaboration—cornerstones of the open-source ecosystem—are not weaponized against us.

loading..   14-Dec-2024
loading..   5 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

This website uses cookies to ensure you get the best experience on our website. By continuing on our website, you consent to our use of cookies. To find out more about how we use cookies, please see our Cookies Policy.

contact@secureblink.com

@ Copyright 2024 Secure Blink. All rights reserved.

4th Floor, Plot No- 7-10 Sector 126, Noida, UP -201303