Bandit Stealer: Stealthy Malware Threatens Web Browsers and Crypto Wallets
A new form of stealthy malware, named Bandit Stealer, is alarming cybersecurity experts with its ability to compromise multiple web browsers and cryptocurrency wallets. What makes Bandit Stealer particularly potent is its foundation in the Go programming language, which provides the potential for cross-platform compatibility, according to a recent report by Trend Micro.
The malware primarily targets Windows systems, abusing the legitimate command-line tool runas.exe to escalate its privileges and gain administrative access. This bypasses security measures and lets the malware harvest a wide array of data. It also uses runas.exe to create an environment that appears secure but is in fact compromised.
Bandit Stealer performs checks to determine whether it is running in a sandbox or virtual environment, and terminates a variety of processes to hide its presence on the infected system. The malware also manipulates the Windows Registry to establish persistence before it starts collecting data, which includes personal and financial information stored in web browsers and cryptocurrency wallets. Bandit Stealer appears to be distributed through phishing emails carrying dropper files. These emails trick the recipient into opening a harmless-seeming Microsoft Word attachment while the malware quietly infects the system in the background.
Dark Frost Botnet’s DDoS Attacks Threaten the Gaming Industry
Dark Frost, a newly detected botnet, is launching a series of distributed denial-of-service (DDoS) attacks against the gaming industry. According to a recent analysis by Akamai security researcher Allen West, Dark Frost is modeled after Gafgyt, QBot, Mirai, and other malware strains.
This botnet has grown rapidly and now comprises hundreds of compromised devices. Its targets are varied and include gaming companies, game server hosting providers, online streamers, and even other members of the gaming community. As of February 2023, Dark Frost consisted of 414 machines running different instruction set architectures such as ARMv4, x86, MIPSEL, MIPS, and ARM7. These infiltrated machines form a worldwide network of compromised devices.
The operators of the botnet usually use the infected hosts to mine cryptocurrency, steal sensitive data, or use the collective internet bandwidth from these devices to overwhelm websites and internet servers with junk traffic in DDoS attacks.
COSMICENERGY Malware Threatens Industrial Control Systems and Power Grids
A new strain of malware, dubbed COSMICENERGY, has been discovered, designed to infiltrate and disrupt critical systems in industrial environments. The malware was uploaded to the VirusTotal public malware scanning utility in December 2021 by a submitter in Russia, but there’s no evidence that it has been used in real-world attacks so far.
This threat is designed to disrupt electric power by interacting with IEC 60870-5-104 (IEC-104) devices. These devices, such as remote terminal units (RTUs), are frequently used in electric transmission and distribution operations in Europe, the Middle East, and Asia. COSMICENERGY shares similarities with other specialized malware strains like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are all capable of sabotaging critical systems and causing major disruptions. COSMICENERGY is able to use the IEC-104 industrial communication protocol to send commands to RTUs.
An attacker leveraging this access could send remote commands to actuate power line switches and circuit breakers, causing disruptions in the power supply. Mandiant, a threat intelligence firm owned by Google, urges cybersecurity professionals to familiarize themselves with prior OT malware families, their capabilities, and their workings. Such knowledge could greatly aid in strengthening threat hunting and detection programs that actively search for suspicious behavior in OT networks.
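As an added illustration of the kind of detection logic Mandiant's advice points toward (this is not code from the report or from COSMICENERGY), the following Python parses IEC-104 I-frames and flags process-control ASDUs that arrive from a host outside an assumed allow-list of master stations; the frame bytes and IP addresses are constructed for the example.

```python
import struct

# IEC 60870-5-104 type IDs for process commands (45-51) and the same
# commands with a CP56Time2a time tag (58-64), per IEC 60870-5-101/104.
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))
TYPE_NAMES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command"}


def parse_apdu(data: bytes):
    """Parse one IEC-104 APDU (APCI + ASDU); returns None for S/U frames."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match frame size")
    if data[2] & 0x01:  # LSB of control field 1 set: S- or U-format, no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU too short for one information object")
    type_id, vsq = asdu[0], asdu[1]
    cot = asdu[2] & 0x3F  # low 6 bits; bit 6 = P/N, bit 7 = test flag
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = int.from_bytes(asdu[6:9], "little")  # 3-byte object address
    return {"type_id": type_id, "objects": vsq & 0x7F, "cot": cot,
            "common_addr": common_addr, "ioa": ioa, "element": asdu[9:]}


def flag_control_command(src_ip, data, allowed_masters):
    """Alert string for a process command from a non-approved master, else None."""
    asdu = parse_apdu(data)
    if asdu is None or asdu["type_id"] not in CONTROL_TYPE_IDS:
        return None
    if src_ip in allowed_masters:
        return None
    name = TYPE_NAMES.get(asdu["type_id"], "type %d" % asdu["type_id"])
    detail = ""
    if asdu["type_id"] in (45, 46) and asdu["element"]:
        qual = asdu["element"][0]  # SCO/DCO qualifier byte
        phase = "select" if qual & 0x80 else "execute"  # bit 7 is S/E
        state = qual & 0x01 if asdu["type_id"] == 45 else qual & 0x03
        detail = " %s state=%d" % (phase, state)
    return "ALERT %s -> CA %d IOA %d: %s COT=%d%s" % (
        src_ip, asdu["common_addr"], asdu["ioa"], name, asdu["cot"], detail)


# Constructed sample (not captured traffic): I-frame with C_SC_NA_1,
# COT 6 (activation), common address 1, IOA 100, SCO = execute / ON.
SAMPLE_FRAME = bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 64 00 00 01")
ALLOWED_MASTERS = {"10.0.0.1"}  # assumed SCADA master address
```

In a real deployment the allow-list would come from the OT asset inventory, and the same parser can be fed from a passive network tap rather than a constructed frame.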
Critical OAuth Flaw in Expo Framework Risks Account Takeovers
A critical security flaw has been exposed in the Open Authorization (OAuth) implementation of the Expo.io application development framework. Identified as CVE-2023-28131, this flaw has a severity rating of 9.6 on the CVSS scoring system and could lead to credential leaks, enabling account hijackings and compromising sensitive data. An attacker could exploit this vulnerability to perform actions on various platforms, such as Facebook, Google, or Twitter, on behalf of a compromised user.
Expo is an open-source platform used for creating universal native apps compatible with Android, iOS, and the web. However, the flaw could only be exploited if the sites and applications using Expo had configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider such as Google or Facebook.
This vulnerability could be leveraged to redirect the secret token associated with a sign-in provider to an attacker-controlled domain, enabling the attacker to gain control of the victim’s account. Alongside the vulnerability disclosure, Expo has issued an advisory recommending that users migrate from AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers to enable SSO features.
Barracuda Zero-Day Exploitation Leads to Email Security Gateway Breaches
Barracuda, an email protection and network security services provider, has alerted its users about a zero-day flaw that has been exploited to breach the company’s Email Security Gateway (ESG) appliances. Tracked as CVE-2023-2868, this remote code injection vulnerability affects versions 5.1.3.001 through 9.2.0.006.
The vulnerability is rooted in a component that screens the attachments of incoming emails, stemming from incomplete input validation of user-supplied .tar files. This allows a remote attacker to format file names in a specific manner, leading to remote execution of a system command via Perl’s qx operator with the privileges of the ESG product. Upon detecting the flaw on May 19, 2023, Barracuda promptly deployed patches to all ESG devices worldwide.
Moreover, the company found evidence of active exploitation of CVE-2023-2868, resulting in unauthorized access to a subset of email gateway appliances. The scale of the attack remains undisclosed, but affected users have been contacted with remedial actions to take. The U.S. Cybersecurity and Infrastructure Security Agency has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply the fixes by June 16, 2023.
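A defensive check of the kind suggested by the description of CVE-2023-2868, written here as an added Python example (not Barracuda's code and not a description of its actual attachment filter): inspect the member names of a .tar attachment, without extracting anything, for shell metacharacters, traversal paths and link entries. The sample archives are constructed inline.

```python
import io
import re
import tarfile

# Characters a shell would interpret if a member name were interpolated
# into a command string, which is the class of defect the advisory describes.
SHELL_META = re.compile(r"[`$|;&<>(){}\n\r'\"\\]")


def suspicious_tar_members(tar_bytes: bytes):
    """Return (member_name, reason) pairs for entries no mail attachment
    should contain. Reads headers only; nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            name = member.name
            if SHELL_META.search(name):
                findings.append((name, "shell metacharacter in member name"))
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "absolute or traversal path"))
            if member.issym() or member.islnk():
                findings.append((name, "link entry"))
    return findings


def build_tar(names):
    """Constructed sample archive with the given member names (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            data = b"sample"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A gateway that rejects or quarantines archives with any finding never has to decide whether a downstream tool would interpolate the name unsafely.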
KeePass Vulnerability Exposes Master Passwords to Attackers
A security flaw impacting the KeePass password manager could be exploited to recover a victim’s master password in cleartext under specific circumstances, according to a recent proof-of-concept (PoC). This flaw, assigned CVE-2023-32784, affects KeePass versions 2.x for Windows, Linux, and macOS and is expected to be patched in version 2.54.
The vulnerability allows an attacker to recover most of the password in plaintext, and requires only a memory dump from the targeted system. It’s crucial to note that for successful exploitation, an attacker would need to have already compromised the target’s computer, and the password would need to have been typed on a keyboard rather than pasted from the clipboard. The PoC was developed by a security researcher known as “vdohney,” who discovered the flaw. Despite this vulnerability, the researcher underscored that the risk of exploiting it decreases over time once KeePass is no longer running.