Hey guys the Croatian government has been hacked, malware developers are stepping up their game, cloud flare crashed and more in this hacking news segment. Let’s login.
Croatian Government Cyber Attack
So in a new article by zdnet.com titled “Croatian government targeted by mysterious hackers”, ZDNet discusses a series of spear phishing attacks against the Croatian government. Let’s break that down.
As it currently stands an unknown hacking group has been targeting Croatian government employees. The hacking group is thought to be government-sponsored and the attack follows a spear-phishing style campaign to infect users.
A spear-phishing campaign, for my listeners who are curious, is generally an email based attacked that sends malicious payloads to specific types of individuals in the hopes the victim downloads malware.
The spear-phishing email contained an excel sheet with an embedded macro. When a user opens the email, downloads and opens the file they are prompted with enabling macros. Once the macros are turned on then a malware payload is downloaded to the computer to infect the victim. Two variants of downloadable malware were found when examining the campaign.
The first malware is known as the ‘Empire backdoor’ that is a backdoor that is part of the Empire post-exploitation framework.
A post-exploitation framework is pretty much what it sounds like. A framework meant to be used once you have exploited a target. Once a hacker is within the victim machines then they usually do things similar to the following:
- Plant a backdoor for future access
- Patch the way in to prevent others from hacking in and kicking them out
- Download their payloads, such as a botnet, miner, or other resources for their gain
- Clean records and traces of their activity
- Repeat the process with new machines sometimes using the newly infected machine in the attack.
Back to the story. The other malware that is downloaded is known as SilentTrinity, which is part of another post-exploitation tool like Empire. A major difference the article notes is that a presentation held at Positive Hack Days or PHDays has concluded the SilentTrinity tool has never before been weaponized for malware as this phishing campaign has.
The campaign was invisible for two months before the Information Systems Security Bureau issues two alerts about the attacks. The Information Systems Security Bureau distributed shared indicators of compromise with Croatian agencies and asked to verify they were not infected.
Now some speculation I would like to discuss. The articles discuss a possible related FireEye report that may point to Russian threat actors being behind these attacks. The report tries to tie hackers who used a WinRAR vulnerability together with the Empire backdoor against Ukraine government agencies to these attacks because they used the same Command and Control server.
My opinion, and just that my opinion is as follows:
If the command and control server of one malware is the same as another malware then generally it is safe to assume it is the same hacker or hacker group. There can be instances when the same IP is used because there are only a finite number of ipv4 addresses but that falls under a very small percentage of possibility. Again that is just my two cents.
Golang Malware Hits Linux
So for all my Linux enthusiasts out there, I have some interesting and troubling news. Since mid-2018 and still active, a crypto miner malware has been targeting Linux servers. According to an article by infosecurity-magazine.com titled “Golang Malware Targets Linux-Based Servers” Two very interesting aspects of this malware are the fact it targets Linux servers and that it is written in Golang. A
For my listeners who aren’t familiar with Golang, Golang is a language from Google that was introduced almost 10 years ago and is popular among some developers but not actively used for malware.
The malware has currently infected several thousand machines and once a machine is infected the malware uses Cryptonight algorithm to mine XMR, which is also known as Monero. Cryptonight is a CPU based crypto mining algorithm that can mine altcoins such as Bytecoin, XMR, and Bitcoal.
The malware appears to be using the following vulnerabilities:
- ThinkPHP or CVE-2019-9082
- Atlassian Confluence Vulnerability or CVE-2019-3396
- Drupal or CVE-2018-7600 which also goes by Druppalgeddon2
The malware also uses the following seven methods for spreading:
- Four separate web application exploits
- SSH credential enumeration
- Redis database password enumeration
- Lastly, it uses SSH keys found in the infected machine
A very interesting aspect of Golang malware is that it is currently not detected by most Anti-Virus software. This leaves a very open avenue for creating malware that hackers can exploit with some ease. You do need to have programming language and learn to program in Golang but just the fact that a language makes the malware undetectable is a nice feature to have.
I find it very interesting that a programming language makes a malware invisible but it’s a development that I imagine will have anti-virus developers running to upgrade in their software. Well, it will have them running if we continue to see more malware written in Golang anyways.
The Cloud Crashed: Cloudflare Network Outage
I want to preface this story with 2 words: Bad Deployment. According to a notice by Cloudflare, there was a 30 minutes window when Cloudflare sites would display a 502 error. This error was not because Cloudflare was hacked but because a spike in CPU usage by their network meant that normal traffic could not be processed and was dropped.
You may be wondering, how did this happen? Well back to my 2 words Bad Deployment. The notice goes on to discuss a misconfigured rule within their Cloudflare WAF or Web Application Firewall.
Generally, a new deployment runs in a simulation mode so they can test, benchmark, and tweak the rules. This time a regular expression caused a massive CPU spike and created the outage.
For my listeners who are interested, a regular expression is a sequence of characters and/or symbols that are used to match a specific string within a larger text. To put it simply it’s a way to define a pattern to search text.
One simple example would be a regular expression that looks for two forward slashes, any characters up until a period and then either com, net, org. If you think a regular would match website URLs in documents or text then you guessed correct.
Back to the story, Cloudflare rolled back the deployment and the incident was stopped. Although it took 30 minutes that could cost some businesses a large revenue and Cloudflare has apologized and taken steps to prevent this from happening again.
Christmas Gaming Grinch Jailed
If any of my listeners have been gamers for a few years then you may have heard or remembered the DDoS attacks back in December 2013 and January 2014 that caused gaming services to be out. This was a major Grinch and troll move against gamers since certain games require online access to authenticate or downloads updates and services such as online play are non-existent without access to the wire.
Well, the Grinch has been caught and sentenced. According to an article by thehackernews.com titled “DDoS Attacker Who Ruined Gamers’ Christmas Gets 27 Months in Prison”, a 23-year-old hacker from Utah who launched the DDoS attacks has received a 27-month jail sentence.
A hacker going by DerpTroll has pleaded guilty November 2018. Along with his plead he confessed to be a part of a hacker group going by DerpTrolling. This was the actual hacker group behind the gaming DDoS attacks.
The Attacks caused at least $95,000 in damages according to a Department of Justice report. To add to the 27-month jail sentence. The hacker will also have to pay back the $95,000 as restitution to Daybreak Games which was previously Sony Online Entertainment.
Before we move on to the next story its important to note that this attack is different from the Lizard Squad attacks that also made headlines in 2014 due to Christmas attacks.
So guys I really am thankful for the reviews and some feedback ive received. Due to some personal life issues ill be taking a haitus from the show but i intend to return back in the future. Please feel free to send me an email at [email protected] and as always show notes are at https://exploitbrokers/podcasts/hn06
this is lauro logging off.