Arid Viper Targeting Arabic Android Users with Spyware Disguised as Dating App

Oct 31, 2023 | Newsroom | Cyber War / Malware

The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) has been attributed as behind an Android spyware campaign targeting Arabic-speaking users with a counterfeit dating app designed to harvest data from infected handsets.

“Arid Viper’s Android malware has a number of features that enable the operators to surreptitiously collect sensitive information from victims’ devices and deploy additional executables,” Cisco Talos said in a Tuesday report.

Active since at least 2017, Arid Viper is a cyber espionage group that’s aligned with Hamas, an Islamist militant movement that governs the Gaza Strip. The cybersecurity firm said there is no evidence connecting the campaign to the ongoing Israel-Hamas war.

The activity is believed to have commenced no earlier than April 2022.

Interestingly, the mobile malware shares source code similarities with a non-malicious online dating application called Skipped, suggesting that the operators are either linked to the latter’s developer or managed to copy its features in an attempt at deception.

The use of seemingly benign chat applications to deliver malware is “in line with the ‘honey trap’ tactics used by Arid Viper in the past,” a group that has resorted to fake profiles on social media platforms to trick potential targets into installing them.

Cisco Talos said it also identified an extended web of companies that create dating-themed applications that are similar or identical to Skipped and can be downloaded from the official app stores for Android and iOS.

  • VIVIO – Chat, flirt & Dating (Available on Apple App Store)
  • Meeted (previously Joostly) – Flirt, Chat & Dating (Available on Apple App Store)
  • SKIPPED – Chat, Match & Dating (50,000 downloads on Google Play Store)
  • Joostly – Dating App! Singles (10,000 downloads on Google Play)

The array of simulated dating applications has raised the possibility that “Arid Viper operators may seek to leverage these additional applications in future malicious campaigns,” the company noted.

Once installed, the malware hides itself on the victim device by turning off system and security notifications from the operating system; it also disables notifications on Samsung devices and from any installed app whose APK package name contains the word “security,” so as to fly under the radar.

It’s also designed to request intrusive permissions to record audio and video, read contacts, access call logs, intercept SMS messages, alter Wi-Fi settings, terminate background apps, take pictures, and create system alerts.

Other noteworthy features of the implant include the ability to retrieve system information, fetch an updated command-and-control (C2) domain from the current C2 server, and download additional malware camouflaged as legitimate apps like Facebook Messenger, Instagram, and WhatsApp.
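The permission set above is what an analyst would look for first when triaging a “dating app” APK. The following is an added example, not Cisco Talos code and not derived from the real sample: it parses a decoded AndroidManifest.xml and maps the requested permissions onto the capabilities the report describes. The capability-to-permission mapping is this example’s own reading of the report’s wording, and the manifest it scans is constructed.

```python
"""Added example: triage the permissions requested by a decoded AndroidManifest.xml
against the capabilities the report attributes to the implant. The mapping from
the report's wording to permission constants is this example's own reading, and
the manifest below is constructed; it is not the real sample's manifest."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capability named in the report -> Android permissions that grant it (assumed mapping).
CAPABILITY_PERMS = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "record video / take pictures": {"android.permission.CAMERA"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "access call logs": {"android.permission.READ_CALL_LOG"},
    "intercept SMS": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "alter Wi-Fi settings": {"android.permission.CHANGE_WIFI_STATE"},
    "terminate background apps": {"android.permission.KILL_BACKGROUND_PROCESSES"},
    "create system alerts": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
# A service guarded by this permission can read and cancel other apps' notifications
# once the user enables it; it is one generic way an app can silence them.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def requested_permissions(manifest_xml):
    """Set of <uses-permission android:name> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")} - {None}


def notification_listeners(manifest_xml):
    """Names of services declared with the notification-listener binding permission."""
    root = ET.fromstring(manifest_xml)
    return [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == NOTIFICATION_LISTENER]


def triage(manifest_xml):
    """Map requested permissions onto the report's capability list and count the matches."""
    perms = requested_permissions(manifest_xml)
    matched = sorted(cap for cap, needed in CAPABILITY_PERMS.items() if perms & needed)
    return {
        "matched_capabilities": matched,
        "score": len(matched),
        "notification_listeners": notification_listeners(manifest_xml),
        "unmapped_permissions": sorted(perms - set().union(*CAPABILITY_PERMS.values())),
    }


# Constructed manifest for a hypothetical "dating" app; not the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dating">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Chat">
    <service android:name=".NotifySvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A legitimate chat app plausibly needs the camera and microphone; call logs, SMS receipt, Wi-Fi control, killing background processes and overlay windows together are what make the profile stand out. The score is a triage signal, not a verdict: a manifest with one or two matches is ordinary, eight is worth pulling the APK apart.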

The development comes as Recorded Future revealed signs possibly connecting Arid Viper to Hamas through infrastructure overlaps related to an Android application named Al Qassam that has been disseminated in a Telegram channel claiming affiliation with Izz ad-Din al-Qassam Brigades, the military wing of Hamas.

“They depict not only a possible slip in operational security but also ownership of the infrastructure shared between groups,” the company said. “One possible hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Oct 31, 2023 | Newsroom | Software Security / Malware

Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment.

Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, while linking it to a host of rogue NuGet packages that were observed delivering a remote access trojan called SeroXen RAT.

“The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages,” Karlo Zanki, reverse engineer at ReversingLabs, said in a report shared with The Hacker News.

The names of some of the packages are below –

  • Pathoschild.Stardew.Mod.Build.Config
  • KucoinExchange.Net
  • Kraken.Exchange
  • DiscordsRpc
  • SolanaWallet
  • Monero
  • Modern.Winform.UI
  • MinecraftPocket.Server
  • IAmRoot
  • ZendeskApi.Client.V2
  • Betalgo.Open.AI
  • Forge.Open.AI
  • Pathoschild.Stardew.Mod.BuildConfig
  • CData.NetSuite.Net.Framework
  • CData.Salesforce.Net.Framework
  • CData.Snowflake.API

These packages, which span several versions, imitate popular packages and abuse NuGet’s MSBuild integration, specifically a feature called inline tasks, to execute code on victims’ machines when the package is restored and built.

“This is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware,” Zanki said.

The now-removed packages share a common trait: the threat actors attempted to conceal the malicious code by padding it with spaces and tabs so that it sits beyond the default screen width of an editor.
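Both tricks described above are checkable before a package ever reaches a build agent. The following is an added example, not ReversingLabs tooling and not one of the packages listed: it opens a .nupkg (a zip archive), finds the MSBuild .targets and .props files a package can ship, flags any <UsingTask> whose TaskFactory is CodeTaskFactory or RoslynCodeTaskFactory (the inline-task mechanism), and flags lines where content follows a long run of spaces or tabs. The sample package it scans is built in memory and is constructed for the example.

```python
"""Added example: scan a NuGet package (.nupkg is a zip) for MSBuild inline tasks
and for lines padded out of view with whitespace. The sample package is
constructed here and is not one of the packages named in the article."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Task factories that compile and run code embedded in the project file itself.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# Columns of whitespace before content that no normal editor viewport would show.
HIDDEN_GAP = 200


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(xml_data):
    """Return (TaskName, TaskFactory, first 80 chars of <Code>) for each inline task."""
    root = ET.fromstring(xml_data)
    hits = []
    for el in root.iter():
        if _local(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        if factory.lower() not in INLINE_FACTORIES:
            continue
        code = next((c.text.strip() for c in el.iter() if _local(c.tag) == "Code" and c.text), "")
        hits.append((el.get("TaskName", "?"), factory, code[:80]))
    return hits


def find_hidden_lines(text, gap=HIDDEN_GAP):
    """1-based line numbers where content follows a run of >= gap spaces/tabs."""
    pattern = re.compile(r"[ \t]{%d,}\S" % gap)
    return [n for n, line in enumerate(text.splitlines(), 1) if pattern.search(line)]


def scan_nupkg(data):
    """Scan the MSBuild files inside .nupkg bytes; returns {path: {inline_tasks, hidden_lines}}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".targets", ".props")):
                continue
            raw = zf.read(name)
            try:
                tasks = find_inline_tasks(raw)
            except ET.ParseError:
                tasks = []  # malformed XML still gets the whitespace check below
            hidden = find_hidden_lines(raw.decode("utf-8", errors="replace"))
            if tasks or hidden:
                findings[name] = {"inline_tasks": tasks, "hidden_lines": hidden}
    return findings


def build_sample_nupkg():
    """Constructed package: build/*.targets with a Roslyn inline task and one padded line."""
    padded = " " * 260 + '<Exec Command="echo hidden-from-view" />'  # inert stand-in for a payload
    lines = [
        '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">',
        '  <UsingTask TaskName="Init" TaskFactory="RoslynCodeTaskFactory"',
        '             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">',
        '    <Task>',
        '      <Code Type="Fragment" Language="cs">',
        '        System.Console.WriteLine("inline task ran");',
        '      </Code>',
        '    </Task>',
        '  </UsingTask>',
        '  <Target Name="Init" BeforeTargets="Build">',
        '    <Init />' + padded,
        '  </Target>',
        '</Project>',
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Example.Package.nuspec", "<package/>")
        zf.writestr("build/Example.Package.targets", "\n".join(lines) + "\n")
        zf.writestr("lib/netstandard2.0/Example.Package.dll", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for path, finding in scan_nupkg(build_sample_nupkg()).items():
        print(path, finding)
```

An inline task is not malicious by itself; some legitimate packages use them. The point of the scan is that a library package which ships a build/ .targets file containing compiled-at-build-time C#, or whose project XML hides content past column 200, deserves a human look before it is allowed into the restore cache.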

As previously disclosed by Phylum, the packages also have artificially inflated download counts to make them appear more legitimate. The ultimate goal of the decoy packages is to act as a conduit for retrieving a second-stage .NET payload hosted on a throwaway GitHub repository.

“The threat actor behind this campaign is being careful and paying attention to details, and is determined to keep this malicious campaign alive and active,” Zanki said.


A Wake-Up Call for Companies

Oct 30, 2023 | The Hacker News | SaaS Security / Data Security

Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in “unintended access” to sensitive data. For organizations that use ServiceNow, this security exposure is a critical concern that could have resulted in major data leakage of sensitive corporate data. ServiceNow has since taken steps to fix this issue.

This article analyzes the issue, explains why this application misconfiguration could have had serious consequences for businesses, and lists the remediation steps companies would have had to take had ServiceNow not issued a fix. (Even with the fix in place, it is recommended to double check that the organization’s exposure has been closed.)

In a Nutshell

ServiceNow is a cloud-based platform used for automating IT service management, IT operations management, and IT business management for customer service, as well as HR, security operations, and a wide variety of additional domains. This SaaS application is considered to be one of the top business-critical applications due to its infrastructural nature, extensibility as a development platform, and access to confidential and proprietary data throughout the organization.

Simple List is an interface widget that pulls data stored in tables and displays it in dashboards. The default configuration for Simple List allows the data in those tables to be accessed remotely by unauthenticated users. The tables include sensitive data such as content from IT tickets, internal classified knowledge bases, employee details, and more.

These misconfigurations have actually been in place since the introduction of Access Control Lists in 2015. To date, no incidents have been reported as a result. However, considering the recent publication of the data leakage research, leaving it unresolved could have exposed companies more than ever.

This exposure was the result of just one default configuration, and there are hundreds of configurations covering access control, data leakage, malware protection, and more that must be secured and maintained. Organizations using an SSPM (SaaS Security Posture Management) solution, like Adaptive Shield, can more easily identify risky misconfigurations and see whether they are compliant or non-compliant (see image 1 below).

Inside the ServiceNow Misconfigurations

It’s important to reiterate that this issue was not caused by a vulnerability in ServiceNow’s code but by a configuration that exists within the platform.

This issue stems from the access controls applied to a ServiceNow UI widget called Simple List, which puts records into easily readable tables. These tables organize information from multiple sources and ship with a default setting of Public Access.

Because these tables are the core of ServiceNow, the issue wasn’t contained within a single setting that could be fixed. It needed to be remediated in multiple locations within the application, in combination with the usage of the UI widget, and across all tenants. Further complicating the issue was that changing a single setting could break existing workflows connected to the Simple List tables, causing severe disruption of existing processes.

Remediation Steps

Published by ServiceNow in their knowledge base article – General Information | Potential Public List Widget Misconfiguration, the exposure assessment and remediation measures include:

  • Review Access Control Lists (ACLs) that are either entirely empty or contain the role “Public”
  • Review public widgets and set the “Public” flag to false where it is not aligned with their use case
  • Consider stricter access control using built-in controls offered by ServiceNow, such as IP Address Access Control or Adaptive Authentication
  • Consider installing the ServiceNow Explicit Roles plugin. ServiceNow states that the plugin prevents external users from accessing internal data, and that instances using it are not affected by this issue, because the plugin ensures that every ACL declares at least one role requirement
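The first two steps above are a review of records, and a review of records can be scripted. The following is an added example, not ServiceNow’s or Adaptive Shield’s tooling: it takes ACL, ACL-role and widget records in the flat-dictionary shape the ServiceNow Table API returns when exported with display values, joins roles onto ACLs, and reports the ACLs that require no role or grant the “public” role together with the widgets whose Public flag is set. The table and field names used (sys_security_acl, sys_security_acl_role, sp_widget) are the standard ones; the records themselves are constructed and come from no real instance.

```python
"""Added example: offline triage of ServiceNow ACL and widget exports against the
two review steps in the knowledge-base guidance. Records are constructed and mimic
the flat dicts the Table API returns with display values; this is not ServiceNow's
own tooling."""


def join_acl_roles(acls, acl_roles):
    """Attach role names to each ACL from the sys_security_acl_role m2m rows.

    acls:      rows from sys_security_acl with 'sys_id', 'name', 'operation'
    acl_roles: rows from sys_security_acl_role with 'sys_security_acl' (ACL sys_id)
               and 'sys_user_role' (role name, as exported with display values)
    """
    by_id = {acl["sys_id"]: dict(acl, roles=[]) for acl in acls}
    for row in acl_roles:
        acl = by_id.get(row["sys_security_acl"])
        if acl is not None:
            acl["roles"].append(row["sys_user_role"])
    return list(by_id.values())


def acl_findings(acls_with_roles):
    """ACLs an unauthenticated caller can satisfy: no role requirement, or the 'public' role."""
    findings = []
    for acl in acls_with_roles:
        roles = {r.strip().lower() for r in acl["roles"] if r and r.strip()}
        target = f"{acl['name']}.{acl.get('operation', '*')}"
        if not roles:
            findings.append((target, "no role requirement"))
        elif "public" in roles:
            findings.append((target, "grants role 'public'"))
    return findings


def public_widget_findings(widgets):
    """sp_widget rows whose Public flag is set (the API returns booleans as 'true'/'false' strings)."""
    return [w["id"] for w in widgets if str(w.get("public", "false")).lower() == "true"]


def audit(acls, acl_roles, widgets):
    """Run both checks and return the findings keyed by check."""
    return {
        "acls": acl_findings(join_acl_roles(acls, acl_roles)),
        "public_widgets": public_widget_findings(widgets),
    }


# Constructed sample export; not data from any real instance.
SAMPLE_ACLS = [
    {"sys_id": "a1", "name": "incident", "operation": "read"},
    {"sys_id": "a2", "name": "kb_knowledge", "operation": "read"},
    {"sys_id": "a3", "name": "sys_user", "operation": "read"},
]
SAMPLE_ACL_ROLES = [
    {"sys_security_acl": "a1", "sys_user_role": "itil"},
    {"sys_security_acl": "a2", "sys_user_role": "public"},
    # no rows for a3: the read ACL on sys_user requires no role at all
]
SAMPLE_WIDGETS = [
    {"id": "simple-list", "name": "Simple List", "public": "true"},
    {"id": "my-requests", "name": "My Requests", "public": "false"},
]

if __name__ == "__main__":
    for check, items in audit(SAMPLE_ACLS, SAMPLE_ACL_ROLES, SAMPLE_WIDGETS).items():
        print(check, items)
```

The live equivalent pulls the three tables through the Table API (GET /api/now/table/<table> with sysparm_display_value=true so that the role reference comes back as a name) and feeds the JSON result into audit(). Two caveats: an ACL with no role may still be gated by a condition or a script, so the “no role requirement” list is a review queue rather than confirmed exposure; and a widget with Public set to true is only reachable without login if the page that embeds it is public as well, which is why the guidance pairs the widget review with the ACL review.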

These remediation steps are still worth applying even after the fix, as a double check that the organization is no longer exposed.

Automate Data Leakage Prevention for ServiceNow

Organizations that use a SaaS Security Posture Management (SSPM) solution, like Adaptive Shield, are able to gain visibility into ServiceNow’s and any other SaaS app’s configurations and remediate any configuration issue.

Image 1: Adaptive Shield dashboard with the compliance framework: ServiceNow KB1553688 – Public List Widget Misconfiguration

SSPMs alert security teams when there are high-risk configurations, enabling them to adjust their settings and prevent any type of data leakage. This way, companies gain a better understanding of their company’s attack surface, level of risk, and security posture with an SSPM.


Pro-Hamas Hacktivists Targeting Israeli Entities with Wiper Malware

Oct 30, 2023 | Newsroom | Cyber War / Malware

A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed BiBi-Linux Wiper, targeting Israeli entities amidst the ongoing Israel-Hamas war.

“This malware is an x64 ELF executable, lacking obfuscation or protective measures,” Security Joes said in a new report published today. “It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions.”

Some of its other capabilities include multithreading to corrupt files concurrently to enhance its speed and reach, overwriting files, renaming them with an extension containing the hard-coded string “BiBi” (in the format “[RANDOM_NAME].BiBi[NUMBER]”), and excluding certain file types from being corrupted.

“While the string ‘bibi’ (in the filename) may appear random, it holds significant meaning when mixed with topics such as politics in the Middle East, as it is a common nickname used for the Israeli Prime Minister, Benjamin Netanyahu,” the cybersecurity company added.

The destructive malware, coded in C/C++ and 1.2 MB in size, allows the threat actor to specify target folders via command-line parameters, defaulting to the root directory (“/”) if no path is provided. However, performing the action at this level requires root permissions.

Another notable aspect of BiBi-Linux Wiper is its use of the nohup command during execution so as to run it unimpeded in the background. Some of the file types that are skipped from being overwritten are those with the extensions .out or .so.

“This is because the threat relies on files such as bibi-linux.out and nohup.out for its operation, along with shared libraries essential to the Unix/Linux OS (.so files),” the company said.
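Two of the behaviours described above leave visible traces on a host with auditing enabled: a binary ending in .out launched through nohup, and a burst of files appearing with the [RANDOM_NAME].BiBi[NUMBER] name. The following is an added example, not Security Joes code: a small detector over auditd-style EXECVE and PATH records that raises one alert for each. The log lines are constructed in auditd record syntax for the example; they are not a capture from an incident.

```python
"""Added example: hunt for the two BiBi-Linux behaviours described above in
auditd-style records: an .out binary launched via nohup, and a burst of files
created with the [RANDOM_NAME].BiBi[NUMBER] name. The log lines are constructed
in auditd record syntax; they are not a capture from an incident."""
import re

EXECVE_ARG = re.compile(r'\ba(\d+)="([^"]*)"')          # a0="nohup" a1="./x.out" ...
PATH_RECORD = re.compile(r'\bname="([^"]*)".*?\bnametype=(\w+)')
BIBI_NAME = re.compile(r"\.BiBi\d+$")                    # e.g. Xq7mP2.BiBi1


def parse_execve_args(line):
    """argv from an auditd EXECVE record. Only quoted args are handled; auditd
    hex-encodes arguments that contain spaces or control characters."""
    args = sorted((int(i), v) for i, v in EXECVE_ARG.findall(line))
    return [v for _, v in args]


def detect(lines, burst_threshold=3):
    """Return (rule, detail) alerts for a sequence of audit records."""
    alerts = []
    created = []
    for line in lines:
        if "type=EXECVE" in line:
            argv = parse_execve_args(line)
            # nohup may be invoked by name or by full path; the wiper's own file is a .out binary
            if argv and argv[0].rsplit("/", 1)[-1] == "nohup" and any(a.endswith(".out") for a in argv[1:]):
                alerts.append(("nohup_out_exec", " ".join(argv)))
        elif "type=PATH" in line:
            m = PATH_RECORD.search(line)
            # a rename shows up as a PATH item with nametype=CREATE for the new name
            if m and m.group(2) == "CREATE" and BIBI_NAME.search(m.group(1)):
                created.append(m.group(1))
    if len(created) >= burst_threshold:
        alerts.append(("bibi_rename_burst", f"{len(created)} files created as *.BiBi<N>"))
    return alerts


# Constructed records in auditd syntax; timestamps, sys_ids and paths are invented.
SAMPLE_AUDIT = [
    'type=EXECVE msg=audit(1698660000.101:201): argc=3 a0="nohup" a1="./bibi-linux.out" a2="/home/data"',
    'type=SYSCALL msg=audit(1698660000.102:202): arch=c000003e syscall=82 success=yes exit=0 comm="bibi-linux.out"',
    'type=PATH msg=audit(1698660000.102:202): item=2 name="/home/data/q3-report.pdf" nametype=DELETE',
    'type=PATH msg=audit(1698660000.102:202): item=3 name="/home/data/Xq7mP2.BiBi1" nametype=CREATE',
    'type=PATH msg=audit(1698660000.103:203): item=3 name="/home/data/aL9zKw.BiBi2" nametype=CREATE',
    'type=PATH msg=audit(1698660000.104:204): item=3 name="/home/data/Rt5nB.BiBi3" nametype=CREATE',
    'type=PATH msg=audit(1698660000.105:205): item=0 name="/home/data/libfoo.so" nametype=NORMAL',
    'type=EXECVE msg=audit(1698660000.106:206): argc=2 a0="nohup" a1="make"',
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_AUDIT):
        print(f"{rule}: {detail}")
```

The rename burst is the strong signal; `nohup` of a `.out` file is weak on its own (a developer running `nohup ./a.out` looks identical) and is kept here because the report ties the two together. On a real host the PATH records come from an audit rule on the rename and renameat syscalls for the watched directories, and the threshold should be tuned to how many files a normal process renames in one go.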

The development comes as Sekoia revealed that the suspected Hamas-affiliated threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, Gaza Cyber Gang, and Molerats) is likely organized as two sub-groups, with each cluster focused on cyber espionage activities against Israel and Palestine, respectively.

“Targeting individuals is a common practice of Arid Viper,” SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said in an analysis released last week.

“This includes pre-selected Palestinian and Israeli high-profile targets as well as broader groups, typically from critical sectors such as defense and government organizations, law enforcement, and political parties or movements.”

Attack chains orchestrated by the group use social engineering and phishing as initial intrusion vectors to deploy a wide variety of custom malware to spy on its victims. This comprises Micropsia, PyMicropsia, Arid Gopher, and BarbWire, as well as a previously undocumented backdoor called Rusty Viper that’s written in Rust.

“Collectively, Arid Viper’s arsenal provides diverse spying capabilities such as recording audio with the microphone, detecting inserted flash drives and exfiltrating files from them, and stealing saved browser credentials, to name just a few,” ESET noted earlier this month.


5 Must-Know Trends Impacting AppSec

Oct 30, 2023 | The Hacker News | Webinar / Web App Security

Modern web app development relies on cloud infrastructure and containerization. These technologies scale on demand, handling millions of daily file transfers – it’s almost impossible to imagine a world without them. However, they also introduce multiple attack vectors that exploit file uploads when working with public clouds, vulnerabilities in containers hosting web applications, and many other persistent threats.

We surveyed organizations responsible for securing critical web applications used by healthcare, financial services, technology, and other critical infrastructure verticals to learn how they tackle the most destructive threats and summarized our findings in the OPSWAT 2023 State of Web Application Security Report. The survey report revealed that:

  • 97% of organizations use or will deploy containers in their web hosting environments.
  • 75% use cloud storage access solutions and want to prevent malware, secure sensitive data, and mitigate security compliance risks.
  • 94% connect to other storage services and are interested in stopping malicious files from infecting their storage.
  • Yet only 2% of organizations feel confident with current security strategies.

In this webinar, join our panel of web application security experts as they expand on the insights gathered while protecting the world’s most critical applications.

Our experts will also share five must-know web application security insights, including:

  1. The leap to cloud infrastructure, and how to elevate security without hindering performance.
     • Platforms like Microsoft Azure, Amazon Web Services, and Google Cloud Platform are ubiquitous for hosting web applications. However, embracing public cloud hosting without implementing the requisite security measures exposes applications to data breaches.

  2. Containerization security risks, and why you need to fortify your builds.
     • Despite significant advantages, containers may bring additional security risks. Malware or vulnerabilities hidden in containers hosting web applications can disrupt business, risk customer data, and lead to compliance violations.

  3. Strategies to secure file storage while defeating persistent threats and achieving security compliance.
     • You must check files for malware and sensitive data to prevent breaches and ensure compliance. Our panel will outline pitfalls and tools you can use to avoid costly and embarrassing data leaks.

  4. Best practices to secure your software supply chain by locking down every stage of the development lifecycle.
     • Organizations must implement automated tools, services, and standards that enable teams to develop, secure, deploy, and operate applications.

  5. Proven technologies to prevent file-borne and zero-day malware by disarming threats at the perimeter.
     • Despite most organizations increasing their security budgets, most use five or fewer AV engines to detect malicious files. Surprisingly, very few disarm files carrying potentially dangerous payloads with Content Disarm and Reconstruction (CDR) technology.

Join our panel of cybersecurity veterans Emo Gokay, Multi-Cloud Security Engineer at EY Technologies and George Prichici, VP of Products at OPSWAT, as they share insights and strategies gathered from the frontlines of securing critical infrastructure from advanced and persistent malware.

Register now to walk away with five key web application security insights and strategies.
