A medium-severity security vulnerability in Fortinet FortiOS has been exploited in a zero-day attack, with a suspected Chinese hacking group behind the operation. Threat intelligence company Mandiant linked the activity to a broader campaign aiming to deploy backdoors in Fortinet and VMware solutions for persistent access to targeted environments. The firm is tracking this malicious operation as UNC3886, an advanced cyber-espionage group with Chinese connections.

Mandiant researchers observed UNC3886 targeting firewall and virtualization technologies lacking EDR support, demonstrating a deeper understanding of these technologies. The group has previously been connected to intrusions targeting VMware ESXi and Linux vCenter servers in a hyperjacking campaign that deployed backdoors like VIRTUALPITA and VIRTUALPIE.

This report comes as Fortinet discloses that government entities and large organizations fell victim to an unidentified threat actor exploiting a zero-day bug in Fortinet FortiOS software, resulting in data loss and OS and file corruption. The vulnerability, labeled CVE-2022-41328 with a CVSS score of 6.5, involves a path traversal bug in FortiOS that could enable arbitrary code execution. Fortinet patched the issue on March 7, 2023.

Mandiant found that UNC3886’s attacks targeted Fortinet’s FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two different implants, THINCRUST and CASTLETAP. This was possible because the FortiManager device was exposed to the internet.

THINCRUST is a Python backdoor that can execute arbitrary commands and read and write files on disk. The threat actor uses its persistence to deliver FortiManager scripts that weaponize the FortiOS path traversal flaw, overwriting legitimate files and modifying firmware images. This includes a new payload called “/bin/fgfm” (CASTLETAP), which communicates with an actor-controlled server to receive instructions, run commands, fetch payloads, and exfiltrate data.

After deploying CASTLETAP to FortiGate firewalls, the threat actor connected to ESXi and vCenter machines to establish persistence using VIRTUALPITA and VIRTUALPIE. In cases where FortiManager devices had internet access restrictions, the attacker pivoted from a compromised FortiGate firewall with CASTLETAP to drop a reverse shell backdoor called REPTILE (“/bin/klogd”) on the network management system.

UNC3886 also used a utility called TABLEFLIP to connect directly to the FortiManager device, bypassing access-control list (ACL) rules. This is not the first instance of Chinese hacking groups targeting networking equipment to distribute custom malware, with recent attacks exploiting vulnerabilities in Fortinet and SonicWall devices.

The speed at which threat actors develop and deploy exploits has increased, with 28 vulnerabilities exploited within seven days of public disclosure, marking a 12% rise over 2021 and an 87% rise over 2020. China-aligned hacking groups have become highly skilled at exploiting zero-day vulnerabilities and deploying custom malware to steal credentials and maintain long-term access to targeted networks. Mandiant warns that this activity is evidence of advanced cyber-espionage threat actors utilizing any available technology to persist and navigate target environments, especially those without EDR solutions.

According to a report by Finnish cybersecurity firm WithSecure, Chinese and Russian cybercriminals have been using a new piece of malware called SILKLOADER to load Cobalt Strike onto infected machines. The malware employs DLL side-loading techniques to deliver commercial adversary simulation software. With the increased detection capabilities against Cobalt Strike, threat actors are seeking alternative options or developing new methods to propagate the framework to evade detection (source: The Hacker News).

SILKLOADER is similar to other loaders like KoboldLoader, MagnetLoader, and LithiumLoader, which incorporate Cobalt Strike components. It uses specially crafted libvlc.dll files to hijack a legitimate VLC media player binary, aiming to evade defense mechanisms. WithSecure’s researchers discovered the shellcode loader during their analysis of “several human-operated intrusions” targeting organizations in Brazil, France, and Taiwan in Q4 2022.

Another loader called BAILLOADER has also been linked to attacks involving Quantum ransomware, GootLoader, and the IcedID trojan in recent months. It is suspected that various threat actors are sharing Cobalt Strike beacons, crypters, and infrastructure provided by third-party affiliates to service multiple intrusions using different tactics.

WithSecure’s analysis of SILKLOADER samples indicates that the malware was initially created by Chinese cybercriminals and later acquired by a Russian threat actor. The increasing modularity of the cybercriminal ecosystem through service offerings makes it difficult to attribute attacks to specific threat groups based solely on the components used in their attacks.

According to a recent report, Google has discovered 18 severe security vulnerabilities in Samsung’s Exynos chips, some of which can be remotely exploited without user interaction to completely compromise a phone. These zero-day vulnerabilities affect a broad range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123 chipset.

Of the 18 vulnerabilities, four can allow an attacker to achieve internet-to-Samsung, Vivo, and Google, as well as wearables using the Exynos W920 chipset and vehicleses in late 2022 and early 2023. This means that a hacker can remotely compromise a phone at the baseband level without user interaction, requiring only knowledge of the victim’s phone number. If exploited, a threat actor could gain entrenched access to cellular information passing in and out of the targeted device. Google Project Zero’s head, Tim Willis, disclosed the four flaws but withheld additional details.

The remaining 14 vulnerabilities are considered less severe as they require a rogue mobile network insider or an attacker with local access to the device. Pixel 6 and 7 handsets have already received a patch as part of March 2023 security updates, but patches for other devices are expected to vary depending on the manufacturer’s timeline.

While waiting for the patches, users are recommended to turn off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings to “remove the exploitation risk of these vulnerabilities.” Even though the attacks may appear difficult to execute, skilled attackers can devise an operational exploit to breach affected devices remotely and silently.

According to a new analysis by ESET researchers Lukáš Štefanko and Peter Strýček, copycat websites for popular instant messaging apps like Telegram and WhatsApp are being used to distribute trojanized versions, infecting Android and Windows users with cryptocurrency clipper malware. The malware is designed to target victims’ cryptocurrency funds, with several targeting cryptocurrency wallets.

While the first instance of clipper malware on the Google Play Store dates back to 2019, this marks the first time Android-based clipper malware has been built into instant messaging apps. Some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on compromised devices, which is a new feature for Android malware.

The attack begins with unsuspecting users clicking on fraudulent ads on Google search results that lead to hundreds of sketchy YouTube channels, which then direct them to lookalike Telegram and WhatsApp websites. What’s unique about this latest batch of clipper malware is that it can intercept a victim’s chats and replace any sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors.

One cluster of clipper malware makes use of OCR to find and steal seed phrases by leveraging a legitimate machine learning plugin called ML Kit on Android, making it possible to empty the wallets. Another cluster is designed to keep tabs on Telegram conversations for certain Chinese keywords related to cryptocurrencies and exfiltrate the complete message, along with the username, group or channel name, to a remote server.

Lastly, a fourth set of Android clippers come with capabilities to switch the wallet address as well as harvest device information and Telegram data such as messages and contacts. The rogue Android APK package names include org.telegram.messenger, org.telegram.messenger.web2, org.tgplus.messenger, io.busniess.va.whatsapp, and com.whatsapp.

ESET also found two Windows clusters, one which is engineered to swap wallet addresses and a second group that distributes remote access trojans (RATs) in place of clippers to gain control of infected hosts and perpetrate crypto theft.

It is important to note that these clusters, despite following a similar modus operandi, represent different sets of activity likely developed by different threat actors. The campaign, like a similar malicious cyber operation that came to light last year, targets Chinese-speaking users primarily motivated by the fact that both Telegram and WhatsApp are blocked in the country.

Employee well-being has become a primary focus for many businesses. Even before the pandemic, the C-suite was acutely aware of how employee mental health impacts business outcomes. But for cybersecurity professionals, stress has always been a part of the job.

A new survey revealed that one of the most concerning aspects of employee mental health is how it impacts cybersecurity programs and, more broadly, a business’ ability to protect itself from cyberattacks.

CISOs and their teams appear to be taking the brunt of unmitigated work-related stress levels and it’s affecting the entire organization. CISOs at small to midsize businesses with teams of five employees or fewer were surveyed to better understand how work-related stress is impacting CISOs – from their ability to do their job and lead their team to how it’s affecting their own professional outlook and personal life. Here’s what the survey results revealed.

Among the CISOs surveyed, there was a distressing number of respondents suffering from work-related stress. According to the report, 94% of CISOs reported being stressed at work, with 65% confiding that work-stress levels compromised their ability to protect their organizations.

More than 70% of the CISOs surveyed believed their stress levels were higher than their colleagues in other areas of the business. Unfortunately, CISO stress levels were not confined to the leadership role. Employee burnout is spreading like wildfire across security teams. Increased workloads are affecting all levels of the department, creating high churn rates while simultaneously hampering recruitment efforts. Nearly three-quarters of the CISOs surveyed said they had employees quit during the past year because of stress – with 47% reporting more than one employee exiting their role.

The rise in churn rates is leaving CISOs with a limited pool of candidates, underscoring the current talent shortage that is happening across the cybersecurity space. When asked about their hiring process, 83% of CISOs said they have had to compromise on candidate selection – hiring employees who lacked necessary skills and capabilities.

Today’s economic climate is having a major impact on cybersecurity departments. Reduced budgets, hiring freezes, and lack of resources are all leading to untenable workloads for CISOs and their staff. In fact, 38% of CISOs reported they are considering or actively searching for a new job. The reality is that security teams are inundated with alerts – required to manage an overwhelming number of cybersecurity threats coming from all directions.

The surge in work responsibilities is putting a spotlight on cybersecurity program gaps with many outside of the IT department questioning the safety of the organization. Nearly 80% of CISOs surveyed said they had received complaints from their bosses, colleagues, or subordinates about how security tasks were being handled. Consequently, 93% of CISOs say they are spending more time than they should on tactical tasks (versus strategic high-quality work). It’s a vicious cycle: the lack of appropriate headcounts and resources lead to CISOs managing too many tedious, redundant work tasks which result in less than satisfactory security outcomes – opening the door to high-stress work environments.

Anyone who has ever held a job knows it’s difficult to leave work-related stress at work. But for CISOs, it’s especially difficult to manage a healthy work-life balance because of the critical and immediate nature of their work responsibilities. According to the survey, a whopping 84% of CISOs said they had postponed or canceled a vacation because of an urgent security task – 11% report this has happened four or more times during the past year. Work fatigue has caused 64% of CISOs to cancel a private event and 77% of the CISOs surveyed claim that work-related stress is impacting their physical health.

The survey makes clear how CISO stress levels are impacting every part of their life; meanwhile, cybersecurity threats continue to grow at an alarming rate. How Businesses Can Help Reduce CISO Stress Levels# The mental health of your employees impacts every facet of the business.

According to a report from the MIT Sloan Management Review, “Organizations outperforming their peers are those that have cultivated a strong sense of empathy and flexibility, developed new skills to address workforce needs, and extended holistic mental health support to employees.” A stressed out security team is not operating at full capacity, missing key threats and leaving the organization vulnerable to attacks. It stands to reason that improving work-related stress levels for CISOs – and their staff – has a direct impact on the business’ cybersecurity efforts. But what deliberate steps can businesses take to reduce work-related stress levels? For starters, 100% of CISOs said they need additional resources to cope with security challenges, including automation capabilities, better training opportunities, and the ability to outsource tasks.

More than half of the CISOs surveyed want the ability to consolidate security technologies on a single platform – a move they said would directly impact their work life, helping to lower stress levels. Ultimately, businesses that fail to address CISO stress levels are putting their company at risk. It is impossible to prioritize cybersecurity initiatives without taking into account the mental health of the teams that manage it. Protecting your CISO’s well-being is the first step to protecting your business.

Original Article Source: The Hacker News

The Slovak cybersecurity company ESET has discovered the first publicly known malware capable of bypassing Secure Boot defenses in Unified Extensible Firmware Interface (UEFI) bootkits, called BlackLotus. The bootkit is capable of running on fully updated Windows 11 systems, disabling OS-level security mechanisms, and deploying arbitrary payloads during startup with high privileges.

According to ESET, BlackLotus is programmed in Assembly and C, is 80 kilobytes in size, and is available for purchase at $5,000 (with a subsequent version costing $200). The malware also includes geofencing capabilities, avoiding infection in several countries.

BlackLotus exploits CVE-2022-21894, a security flaw that allows arbitrary code execution during early boot phases, enabling malicious actors to carry out harmful actions on systems with UEFI Secure Boot enabled without requiring physical access. The vulnerability was addressed in Microsoft’s January 2022 Patch Tuesday update, but the affected, validly signed binaries have yet to be added to the UEFI revocation list, making its exploitation still possible.

The bootkit turns off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, while dropping a kernel driver and an HTTP downloader to communicate with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware.

The exact modus operandi used to deploy the bootkit is still unknown, but it starts with an installer component that writes files to the EFI system partition, disables HVCI and BitLocker, and reboots the host. Following the restart, CVE-2022-21894 is weaponized to achieve persistence and install the bootkit, which is then automatically executed on every system start to deploy the kernel driver.

ESET researcher Martin Smolár said that “many critical vulnerabilities affecting security of UEFI systems have been discovered in the last few years. Unfortunately, due the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed.” Smolár further noted that it was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled.

The security community is encouraged to remain vigilant and take appropriate measures to secure their systems against such attacks.