Perfectl Malware

Perfectl is an impressive piece of malware:

The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.

The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users…


Chinese researchers accuse NSA of being behind a powerful exploit

A Chinese cybersecurity firm released a report Wednesday that revealed a decade-old exploit allegedly created by a covert hacking group associated with the U.S. National Security Agency. The report is the first time that a Chinese cybersecurity firm has both attributed a cyberattack to a U.S. hacking group and included technical indicators of compromise. “It’s a completely different type of report here that seems to mimic Western name-and-shame,” said Winnona DeSombre, fellow at the Atlantic Council and Harvard’s Belfer Center. Pangu Lab researchers said they first discovered the backdoor in 2013 during an “in-depth forensic investigation of a host in a key domestic department.” The researchers were later able to tie it to “The Equation Group,” a group of hackers said to be affiliated with the NSA, after NSA documents leaked by a group known as “The Shadow Brokers” published hacking files that allegedly belonged to the […]

The post Chinese researchers accuse NSA of being behind a powerful exploit appeared first on CyberScoop.


Russia-linked Sandworm reportedly has retooled with ‘Cyclops Blink’

A long-running hacking group associated with Russian intelligence has developed a new set of tools to replace malware that was disrupted in 2018, according to an alert Wednesday from the U.S. and U.K. cybersecurity and law enforcement agencies. The advanced persistent threat group, known primarily as Sandworm, is now using a “large-scale modular malware framework” that the agencies call Cyclops Blink. Western governments have blamed Sandworm for major incidents such as the disruption of Ukraine’s electricity grid in 2015, the NotPetya attacks in 2017 and breaches of the Winter Olympics in 2018. Cyclops Blink has largely replaced the VPNFilter malware in Sandworm’s activities since at least June 2019, said the joint alert from the U.K.’s National Cyber Security Centre (NCSC), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, National Security Agency and FBI in the U.S. The NCSC also issued a separate analysis paper on Cyclops Blink. […]

The post Russia-linked Sandworm reportedly has retooled with ‘Cyclops Blink’ appeared first on CyberScoop.


Nation-State Attacker of Telecommunications Networks

Someone has been hacking telecommunications networks around the world:

  • LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.
  • Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.


Chinese hackers posed as Iranians to breach Israeli targets, FireEye says

Suspected Chinese spies masqueraded as Iranian hackers in a two-year campaign to break into government and telecommunication networks in Israel, security firm FireEye said Tuesday. The alleged Chinese intruders used a hacking tool previously associated with Iranian operatives, and embedded some of their malicious code with Farsi, the predominant language in Iran. It was part of a broader campaign to gather intelligence at organizations in other Middle East and Central Asian countries that has continued this year, according to FireEye. The findings show how spies plant digital evidence in an effort to throw off investigators in the high-stakes world of espionage. The revelations come amid a period of heightened scrutiny of Chinese cyber activity: The U.S. and its European allies in July condemned China’s alleged exploitation of Microsoft software and said that it enabled ransomware attacks. John Hultquist, vice president of threat intelligence at Mandiant FireEye, said the targeting at […]

The post Chinese hackers posed as Iranians to breach Israeli targets, FireEye says appeared first on CyberScoop.


Security researchers suggest naming state-harbored hackers ‘privateers’

The ransomware-induced disruption of Colonial Pipeline, which supplies 45% of fuel consumed on the East Coast, has already forced big changes to U.S. government policies on pipeline security and brought heightened scrutiny of organizations’ decisions to pay hackers ransoms. Now, the incident has factored into one prominent security firm’s decision to change how it publicly classifies the relationship between criminal hacking groups and the governments that host them. Talos, the threat intelligence unit of Cisco, said Wednesday that it would begin using the term “privateers” to describe hacking groups that aren’t controlled by governments but which “benefit from government decisions to turn a blind eye toward their activities.” Other cybersecurity executives have compared the safe havens that some governments provide cybercriminals today with 17th century piracy. “If it were the 17th century, and pirates harassing the English merchant fleet were ducking into Dutch harbors, at what point would the Dutch […]

The post Security researchers suggest naming state-harbored hackers ‘privateers’ appeared first on CyberScoop.


Robert M. Lee’s & Jeff Haas’ Little Bobby Comics – From The Archive – ‘WEEK 111’

via the respected information security capabilities of Robert M. Lee & the superlative illustration talents of Jeff Haas at Little Bobby Comics! From the Little Bobby Archives, and originally published March 12, 2017.
