Latest threats, vulnerabilities, exploits to be aware of

Discussion in 'Operating Systems' started by alanm, Jan 27, 2022.

  1. alanm
    Thought it may be useful to keep a running thread on latest security threats to be aware of.

    BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims


    BlackCat (aka AlphaVM, AlphaV) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. While BlackCat is not the first ransomware written in the Rust language, it joins a small (yet growing) sliver of the malware landscape making use of this popular cross-platform language.

    First appearing in late November, BlackCat has reportedly been attacking targets in multiple countries, including Australia, India and the U.S, and demanding ransoms in the region of $400,000 to $3,000,000 in Bitcoin or Monero...

    https://www.sentinelone.com/labs/bl...le-rust-driven-raas-on-the-prowl-for-victims/
     
    386SX likes this.
  2. 386SX
    Windows .... :D


    "polkit" seems to be a dependency for all standard *nixes; at least I heard it is "most likely included". The daemon does not have to be running for the attack to succeed:
    https://blog.qualys.com/vulnerabili...ty-discovered-in-polkits-pkexec-cve-2021-4034

    KDE wants to put ads into their desktop (now what was that about Win10 advertising some years ago? :D ). Just think about the fact that we dealt with a lot of malware through ads before. IIRC even here some members complained about ads infecting them with malware (years if not decades ago), so there is a possible threat there (and why do they do this???!!!):
    https://www.neowin.net/news/ads-may-be-coming-to-kde-the-popular-linux-desktop/
     
    alanm likes this.
  3. alanm
    I wonder if malware authors are targeting Linux because there is less attention on its security than on Windows.
     
    GoldenTiger and 386SX like this.
  4. anticupidon
    Interesting thread.
    Will follow it.
    In very broad lines, it's the user in the end, not only the OS.
    A security aware user will update the system, use root/admin only when it's necessary and harden their system. And follow the tech news and security bulletins.
    And have data backed up in 3-2-1 fashion.
    My humble opinion.
     
    386SX and alanm like this.

  5. 386SX
    3-2-1 backup? "3 - 2 - 1, your data is gone!"?? :D
     
  6. alanm
    Microsoft sounds the alarm over new cunning Windows malware

    Chinese state-sponsored threat actor Hafnium has been found using a brand new malware to maintain access on a breached Windows endpoint, with the help of hidden scheduled tasks, Microsoft has announced.

    The Microsoft Detection and Response Team (DART) says the group has been leveraging a so far unknown vulnerability (a zero-day) in its attacks.

    "Investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification," DART explained...
     
    386SX and fantaskarsef like this.
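Added example (not from the thread, and not Microsoft's own tooling): a defender-side check for the hiding trick the DART quote describes. Tarrask removed the "SD" (security descriptor) value from a task's entry under the Task Scheduler's TaskCache\Tree registry path, which makes the task disappear from schtasks and the Task Scheduler UI while it keeps running. The script walks that path, lists task entries with no SD value, and reports whether the normal API still shows them. It assumes an elevated PowerShell session; every hit should be reviewed rather than deleted blindly.

```powershell
# Added example, not from the thread or from Microsoft: flag scheduled-task
# registry entries that have lost their "SD" (security descriptor) value.
# Tarrask deleted that value so the task no longer shows in schtasks or the
# Task Scheduler UI while it keeps running. Assumes an elevated session.
$TreeRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Find-HiddenScheduledTask {
    param([string]$Root = $TreeRoot)

    # Tasks the normal Task Scheduler API still reports, as "\Folder\Name" strings.
    $visible = Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $_.TaskPath + $_.TaskName }

    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $names = $_.GetValueNames()
        # Leaf task entries carry an "Id" value; folder keys do not.
        if ($names -contains 'Id' -and -not ($names -contains 'SD')) {
            # Turn HKEY_LOCAL_MACHINE\...\Tree\Microsoft\X\Name into \Microsoft\X\Name
            $taskPath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)
            [pscustomobject]@{
                TaskPath    = $taskPath
                Id          = $_.GetValue('Id')
                ShownByApi  = [bool]($visible -contains $taskPath)
                RegistryKey = $_.Name
            }
        }
    }
}

# Any row with ShownByApi = False is a task the registry knows about but the
# scheduler no longer lists: exactly the condition Tarrask relied on.
Find-HiddenScheduledTask | Format-Table -AutoSize
```

The Id value can be matched against the sibling TaskCache\Tasks\{GUID} key to recover the task's action and trigger before deciding whether to remove it.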
  7. 386SX
    GoldenTiger and anticupidon like this.
  8. alanm
    386SX and fantaskarsef like this.
  9. 386SX
    Security flaw in MSDT protocol handler is actively (ab-)used by malware gangs!

    https://www.heise.de/news/Zero-Day-...reifen-MSDT-Sicherheitsluecke-an-7128265.html
    (German link, use Google Translate)

    TL;DR: A new malware for MS abusing OS functions. Infection is currently done by MS DOC files sent by mail, but it may get triggered by other stuff to come.
    Protection is done by backing up the reg key which defines MSDT actions and then deleting it (or just delete it if you do not do backups).

    Command for deletion (run elevated cmd!):
    reg delete HKEY_CLASSES_ROOT\ms-msdt /f

    Downside of the fix:
    Some MS help docs won't display anymore. (Sooooooo sad! :D )

    Stay safe friends! ;)

    Edit: Just to make it clear: This is NO theoretical attack! This was discovered in the wild already!
     
    alanm and fantaskarsef like this.
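Added example (not from the thread): the back-up-then-delete mitigation from the post above, with each step checked so the key is only removed once a restorable export exists. It assumes an elevated PowerShell session; the backup file name is a constructed example and the key can be restored later with `reg import <file>`.

```powershell
# Added example, not from the thread: back up the ms-msdt protocol handler key,
# then delete it, verifying each step. Assumes an elevated PowerShell session.
$Key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$Backup = Join-Path $env:USERPROFILE ('ms-msdt-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

function Disable-MsdtHandler {
    param([string]$KeyPath = $Key, [string]$BackupFile = $Backup)

    if (-not (Test-Path "Registry::$KeyPath")) {
        Write-Host "Key $KeyPath is not present; nothing to do."
        return
    }

    # 1. Export the key so the handler can be restored after a proper fix ships
    #    (restore with: reg import <BackupFile>).
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $KeyPath failed; key left in place."
    }

    # 2. Remove the protocol handler (same command as in the post).
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $KeyPath failed." }

    # 3. Confirm that ms-msdt: links no longer resolve to a handler.
    if (Test-Path "Registry::$KeyPath") { throw "$KeyPath is still present." }
    Write-Host "Handler removed; backup saved to $BackupFile"
}

Disable-MsdtHandler
```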
  10. alanm
    ^That's what the vid above it was about. :)

    More humorous than serious security threats. :D
     
    tsunami231, fantaskarsef and 386SX like this.

  11. tsunami231
    Yah, you should never open spam like that, but for some reason Gmail has made it so I can't block emails from the spam folder without actually opening them first; you have to actually open it just to get the block email option.
     
  12. 386SX
    You guys know "Hertzbleed"?

    https://www.hertzbleed.com/

    Side channel attack using CPU frequencies.

    Fix: none, no fix planned by either AMD or Intel
    Workaround: disable turbo boost (or what it is called on your platform)


    Honestly? After reading that I thought ENABLING turbo would probably block this because frequency changes all the time and makes it more difficult for an attacker to read stuff, but obviously I am wrong there ...
     
  13. Astyanax
    Another thing that home users don't need to worry about, along the same lines as Spectre and Meltdown.
     
    386SX likes this.
  14. anticupidon
    Wait sir, I am calling you from Microsoft Norton Antivirus company, you have 800 viruses in your CPU from Hertzbleed. (with strong Indian accent)!
     
    Maddness likes this.
  15. Maddness
    I have had phone calls like this probably a dozen times.
     

  16. 386SX
  17. alanm
    An older exploit, but I just found out about it. In case anyone has a 7-Zip install that hasn't been updated.

     
    386SX likes this.
  18. Astyanax
    Deleting the .chm file does not remove the exploit vector.

    It was a hoax.

    https://twitter.com/wdormann/status/1521237068336316417
     
    alanm likes this.
  19. 386SX
  20. 386SX
    Good morning gentlemen. :)

    New day new vulnerability.

    Today on offer: Malware which deactivates antivirus via Genshin Impact anti-cheat DLLs.

    https://www.trendmicro.com/en_us/re...pact-anti-cheat-driver-to-kill-antivirus.html

    It has been the same for decades: anti-cheat and anti-tamper programs messing up your computer. Denuvo anyone? Disklock? SecuROM? GameSpy? Valve Anti-Cheat (VAC)?


    :D

    Edit:

    .... means if you do not have Genshin Impact installed and see this *.sys file on your system / in memory, you're f*cked.
    If possible I would add the file name / hash / etc. to a "blacklist" in your IDS/IPS.

    GI is available for free afaik on Epic. Maybe (if I have the time) I will install it temporarily to check the file for hashes and signatures.


    IMPORTANT: As written in the article, PoCs already exist and are well documented. So this is a practical attack, not a theoretical one! It has already been seen "in-the-wild". Defend yourself! ;)

    Stay safe guys! :)
     
    Last edited: Aug 29, 2022
    fantaskarsef likes this.
