Wednesday, April 27, 2022

Iranian Rocket Kitten hacking group 😾 using CVE-2022-22954 to install new backdoor!! 🚪🚪


VMWare One now has NEW RCE Vulnerability! 

Morphisec Labs reports that Rocket Kitten, an Iranian hacking group believed to be backed by the regime, is installing new sophisticated backdoors on victims' machines using an RCE vulnerability recently discovered in VMWare Workspace ONE. 😡

This Remote Code Execution (RCE) vulnerability is registered as CVE-2022-22954 and affects VMware Workspace ONE. It has a critical 9.8 severity and revolves around a server-side template injection in an Apache Tomcat component that can lead to complete RCE. An attacker who exploits it gains a large attack surface and the highest privileges possible, and can render antivirus systems useless.

VMWare Workspace ONE Architecture

Rocket Kitten has been observed sending PowerShell "stager" commands that execute as child processes of prunsrv.exe, a legitimate application in Tomcat. This PowerShell stager then launches a malicious loader called PowerTrash - a notorious PowerShell script. Once this is set up, victims can be hit with ransomware on their devices, or attackers can move laterally through a network, gain further privileges through privilege escalation - or worse - launch HTTPS reverse backdoors using Metasploit or Cobalt Strike!!😢
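The parent/child relationship described above (a PowerShell stager spawned by Tomcat's prunsrv.exe) is something defenders can hunt for in process-creation telemetry. The following is an added example, not code from Morphisec or the original post: it runs a simple detection over constructed Sysmon-style Event ID 1 records (the install path and command lines are placeholders, not real observations).

```python
import ntpath

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
# The Workspace ONE install path is an assumed placeholder.
SAMPLE_EVENTS = [
    {   # Suspicious: a hidden, encoded PowerShell spawned by the Tomcat service wrapper
        "ParentImage": r"C:\Program Files\VMware\Workspace ONE\tomcat\bin\prunsrv.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <constructed placeholder>",
    },
    {   # Normal: the wrapper starting the Tomcat JVM
        "ParentImage": r"C:\Program Files\VMware\Workspace ONE\tomcat\bin\prunsrv.exe",
        "Image": r"C:\Program Files\Java\jre\bin\java.exe",
        "CommandLine": "java.exe -Dcatalina.home=<constructed placeholder>",
    },
    {   # Normal: an admin running PowerShell from the desktop
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-Process",
    },
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line fragments typical of stagers; matched against the lower-cased command line.
STAGER_FLAGS = ("-encodedcommand", "-enc ", "-windowstyle hidden", "-w hidden",
                "-noprofile", "downloadstring", "invoke-expression", "iex ")


def detect_stagers(events):
    """Return one finding per shell spawned by Tomcat's prunsrv.exe."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent != "prunsrv.exe" or child not in SHELLS:
            continue
        cmd = ev.get("CommandLine", "").lower()
        flags = [f for f in STAGER_FLAGS if f in cmd]
        # Any shell under prunsrv.exe deserves triage; stager-style flags raise severity.
        findings.append({"child": child, "flags": flags,
                         "severity": "high" if flags else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect_stagers(SAMPLE_EVENTS):
        print(finding)
```

Baseline your own Tomcat hosts first: some deployment scripts legitimately run PowerShell under the service wrapper, which is why a shell without stager flags is only rated medium.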

PowerTrash - a notorious PowerShell Script! 

Please patch this VMWare vulnerability ASAP Friends! I will investigate Rocket Kitten further! 🧐🙏 

Saturday, April 16, 2022

Iranian state-sponsored APT hacking group Lyceum DISCOVERED to be running a SPEAR PHISHING campaign! ⚠️⚠️

Check Point Research has reported that Lyceum, run and backed by the evil Iranian regime, has launched a spear phishing campaign in the wake of Russia's invasion of Ukraine.

Lyceum have been active since 2017 and are also known as Hexane. This new spear phishing campaign was discovered when an Israeli energy company received a phishing e-mail from inews-reporter@protonmail.com with the title "Russian war crimes in Ukraine", containing open-source images as well as a malicious link.


Spear phishing email sent by Lyceum (Source: Checkpoint)

Once the malicious link is clicked, a PDF or Word document appears containing an open-source Guardian article discussing the Russian invasion. Meanwhile, macro code has downloaded and executed a .EXE in the background on the victim's machine, which then stores itself in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. This means the .EXE does not start right away but on the next computer restart, so the user will not be aware that their machine is compromised. In this campaign Lyceum have been spotted using 3 different macro droppers: .NET DNS, .NET TCP and GoLang.

Lyceum .NET DNS Macro Code Dropper (Source: Checkpoint)

Each macro dropper works slightly differently. The .NET DNS dropper is a modified version of the DNSDig tool with additional code added to the form frm1. The .NET TCP dropper creates C2 communication using TCP sockets and then implements its own communication protocol. This dropper can keylog, take screenshots, list all files and programs on a victim's machine, and download and upload files. The GoLang dropper is different and executes in 3 stages: the first generates a unique ID for the victim using an MD5 hash of the username. It then sends an empty HTTP POST request to a Lyceum-controlled C2 server. The malicious server then registers the victim and executes commands similar to those of the .NET TCP dropper.



GoLang 3 Stage Dropper (Source: Checkpoint)  

For Checkpoint, attribution of this spear phishing and cyber espionage campaign was easy. The campaign targeted an Israeli energy company as well as Saudi Arabia, both key enemies of Iran. It also used the Heijden.DNS library, which Lyceum have used before, as well as ProtonMail and DNS tunneling.

When will this corrupt Iranian regime stop illegally hacking other nations?? 😡😡

Thursday, April 7, 2022

Belarus HACKING group Ghostwriter WORKING with Iran to EXPLOIT Ukraine using BitB Phishing technique!!

BitB attack against Ukraine! 

It has been reported by Google's Threat Analysis Group (TAG) that the APT actor Ghostwriter, which is state-sponsored by the Belarusian Ministry of Defense, is working with Iran on cyber attacks against Ukraine!! 😤😤

Ghostwriter has been using the browser-in-the-browser (BitB) phishing technique to steal credentials from victims. BitB was disclosed by security researcher mr.d0x, and these attacks usually start by creating poisoned pop-up windows that mimic the ones shown when logging into a site with a third-party single sign-on (SSO) provider like Google or Facebook.

Real and Fake SSO Pop-Up Windows
 

Mr.d0x explains in this post that the poisoned window can be replicated easily using HTML/CSS and JavaScript, and that for BitB to work an onClick event is added so that the href of the pop-up link is ignored, as in the HTML code below:


OnClick event added to enable BitB Phishing 
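Because the fake pop-up is plain HTML, the two tell-tale signs described above (an SSO link whose onClick suppresses navigation, and an SSO URL painted as text rather than shown in a real address bar) can be checked statically, for example in a mail sandbox or URL scanner. This is an added example, not mr.d0x's or Google TAG's code; the sample page, the SSO host list and the heuristics are my own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose login pages a BitB page impersonates (assumed list, extend as needed).
SSO_HOSTS = {"accounts.google.com", "www.facebook.com", "login.microsoftonline.com"}
# Inline handler fragments that stop the browser following the href.
NAV_SUPPRESS = ("return false", "preventdefault")

# Constructed sample: an SSO link that never navigates plus a painted "address bar".
SAMPLE_HTML = """<html><body>
<p>Sign in with</p>
<a href="https://accounts.google.com/signin" onclick="openWin(); return false;">Continue with Google</a>
<div class="urlbar">https://accounts.google.com/o/oauth2/auth</div>
</body></html>"""

# Constructed benign page: the same link, but it really navigates.
BENIGN_HTML = '<a href="https://accounts.google.com/signin">Sign in with Google</a>'


class BitBScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._in_anchor = True
            host = urlparse(a.get("href") or "").hostname or ""
            onclick = (a.get("onclick") or "").lower()
            if host in SSO_HOSTS and any(s in onclick for s in NAV_SUPPRESS):
                self.findings.append(f"SSO link to {host} has an onclick that suppresses navigation")

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        if self._in_anchor:
            return  # link text is expected to mention the provider
        for host in SSO_HOSTS:
            if "https://" in data and host in data:
                self.findings.append(f"SSO URL for {host} rendered as plain text (painted address bar?)")


def scan_html(html):
    """Return a list of BitB indicators found in the page source."""
    scanner = BitBScanner()
    scanner.feed(html)
    return scanner.findings
```

This only sees inline attributes; a page that attaches its click handler with addEventListener or draws the URL bar from CSS will need dynamic analysis, so treat a clean result as inconclusive.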


Ghostwriter then combined BitB with malicious landing pages. Ghostwriter have been using BitB to phish credentials on these domains:

login-verification[.]top
login-verify[.]top
ua-login[.]top
secure-ua[.]space
secure-ua[.]top

It is also reported that other states like Iran have been working with Ghostwriter, so it is possibly only a matter of time before Iranian APT hacking groups such as Charming Kitten and MuddyWater start using a similar technique!

Stay alert friends!!! 🙏🙏🙏