credential theft Archives

Tech Optimizer

February 14, 2025

XELERA Ransomware Attacking Job Seekers With Weaponized Word Documents

Job seekers are targeted by a ransomware campaign called "XELERA," which uses counterfeit job offers from the Food Corporation of India (FCI) to lure victims. The campaign begins with spear phishing emails containing a malicious Word document named “FCEI-job-notification.doc.” This document hides an OLE object that extracts a compressed PyInstaller executable called “jobnotification2025.exe,” which is designed to evade antivirus detection. The malware's structure includes a core script (mainscript.pyc) and supporting libraries for system monitoring and network operations. A Discord bot serves as a Command-and-Control server, allowing remote command execution, including privilege escalation, system control, credential theft, and visual disruption. The final stage of the attack involves deploying the XELERA ransomware, which demands a ransom in Litecoin and includes functions to terminate Windows Explorer and download a tool for MBR corruption.

Tech Optimizer

February 7, 2025

What is Managed Endpoint Protection?

Managed Endpoint Protection involves outsourcing endpoint security for devices like laptops, desktops, and servers to specialized providers. These services offer continuous monitoring, automated responses, and compliance checks, utilizing advanced analytics and real-time threat intelligence. Key features include continuous monitoring, automated threat containment, vulnerability management, forensic analysis, compliance tools, and threat hunting. Managed services address various threats such as ransomware, phishing, zero-day exploits, credential theft, insider threats, DDoS attacks, and data exfiltration. Benefits include 24/7 expert coverage, access to specialized threat intelligence, faster incident response, reduced operational complexity, predictable pricing, and improved compliance. Challenges include the rapidly evolving threat landscape, skills shortage, budget constraints, and ensuring real-time visibility. Best practices for implementation involve maintaining asset inventories, defining roles, fine-tuning detection thresholds, conducting regular drills, and integrating with broader security measures. When choosing a provider, factors to consider include technical expertise, service level agreements, integration capabilities, pricing, compliance, and ongoing support. SentinelOne offers an autonomous cybersecurity platform that enhances endpoint security through superior visibility, automated responses, and customizable features.

Winsage

December 10, 2024

Microsoft NTLM Zero-Day to Remain Unpatched Until April

Microsoft has issued new guidance to help organizations defend against NTLM relay attacks following the discovery of a zero-day vulnerability affecting all versions of Windows Workstation and Server, from Windows 7 to Windows 11. This vulnerability allows attackers to capture NTLM credentials by tricking users into opening a malicious file. Microsoft has classified the vulnerability as having moderate severity and expects a fix to be rolled out in April. This is the second NTLM credential leak zero-day reported to Microsoft by ACROS Security since October. Microsoft has updated its guidance on enabling Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server to mitigate NTLM-related vulnerabilities.

Winsage

December 10, 2024

Critical Windows Zero-Day Alert: No Patch Available Yet for Users

A newly identified zero-day vulnerability in Windows allows attackers to steal NTLM credentials through methods such as opening a malicious file in Windows Explorer. This vulnerability affects multiple versions of Windows, including Windows Server 2022, Windows 11 (up to v24H2), Windows 10, Windows 7, and Server 2008 R2. The exploitation requires minimal user interaction, such as accessing shared folders or USB disks. In response, 0patch is providing a complimentary micropatch to registered users until Microsoft issues an official fix. The vulnerability is part of a larger trend of unresolved issues in Windows, and cybersecurity experts emphasize the need for enterprises to adopt robust security measures beyond automated patch management.

Winsage

December 7, 2024

Micropatchers share fix for NTLM hash leak flaw in Windows

Acros Security has identified an unpatched NTLM vulnerability in Microsoft Windows, affecting versions from Windows 7 to Windows 11 v24H2, which risks credential theft. The vulnerability can be exploited through Windows Explorer when users view a malicious file, exposing their NTLM hash to remote attackers. Acros plans to release a micropatch to mitigate the risk and has contacted Microsoft regarding the issue. Historically, Acros has reported several zero-day vulnerabilities to Microsoft. The micropatching industry aims to provide more permanent solutions to security flaws, though it may introduce complications. As Windows 10 approaches retirement, IT managers may increasingly consider micropatching for system protection. Mainstream support for Windows 7 ended in 2015, with extended support concluding in 2020.

Winsage

December 6, 2024

New Windows zero-day exposes NTLM credentials, gets unofficial patch

A newly discovered zero-day vulnerability allows attackers to capture NTLM credentials from Windows users by simply viewing a malicious file in File Explorer. This flaw affects multiple Windows versions, including Windows 7, Server 2008 R2, and Windows 11 24H2, and has been reported to Microsoft, but no official fix has been issued. The exploit triggers an outbound NTLM connection to a remote share, leading to the automatic transmission of NTLM hashes associated with the logged-in user, which can be intercepted and cracked for unauthorized access. 0patch has previously reported two other unresolved vulnerabilities to Microsoft and will offer a micropatch for this issue free of charge until an official fix is provided. Users can also disable NTLM authentication as an alternative solution.

AppWizard

December 6, 2024

New Android Spyware Alert—Delete All These Apps Now

Samsung is tightening security measures against apps from unofficial app stores due to a newly discovered threat from a sophisticated malware called DroidBot. Cleafy, a cybersecurity firm, describes DroidBot as an advanced Android Remote Access Trojan (RAT) that combines traditional hidden VNC and overlay functionalities with spyware capabilities, including keylogging and data exfiltration. The malware has infected 77 applications, including those from banking institutions and cryptocurrency exchanges, and is present in countries such as the UK, Italy, France, Spain, and Portugal, with potential expansion into Latin America and the United States. DroidBot operates as Malware as a Service, available for rent to various threat actors, with 17 identified affiliate groups. It disguises itself as popular applications to entice users into downloading it and exploits permissions to operate covertly, particularly using Accessibility Services. Its functionalities include intercepting SMS messages, keylogging, and creating fake login screens to capture user credentials. Users are advised to avoid installing banking apps from unofficial sources, delete any malicious applications, and ensure their devices are secure by enabling Play Protect and keeping the operating system updated. Key safety measures include using official app stores, verifying app developers, being cautious with permissions, avoiding direct download links, and checking the legitimacy of apps claiming to link to established services.

AppWizard

December 5, 2024

New DroidBot Android malware targets 77 banking, crypto apps

A new Android banking malware called 'DroidBot' targets the credentials of over 77 cryptocurrency exchanges and banking applications in several European countries, including the UK, Italy, France, Spain, and Portugal. Discovered by Cleafy, it has been operational since June 2024 and functions as a malware-as-a-service (MaaS) platform with a subscription price of ,000 per month. At least 17 affiliate groups are using malware builders to customize their attacks. DroidBot has caused 776 unique infections across the UK, Italy, France, Turkey, and Germany. The developers, believed to be based in Turkey, provide affiliates with tools like a malware builder and command and control servers. DroidBot disguises itself as trusted applications to deceive users and includes features such as keylogging, overlaying fake login pages, SMS interception, and remote control via Virtual Network Computing. It exploits Android's Accessibility Services to monitor user actions. Targeted applications include Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken, and Garanti BBVA. Users are advised to download apps only from Google Play, scrutinize permission requests, and activate Play Protect.

Tech Optimizer

December 3, 2024

How Hackers Are Using Corrupted Word Docs To Cleverly Evade Antivirus Tools

Security researchers at Any.Run have discovered a zero-day attack that bypasses detection tools used by security professionals. This attack utilizes deliberately corrupted files that evade antivirus software, obstruct uploads to sandboxes, and circumvent Outlook's spam filters. These files are sent via email, disguised as communications from payroll or human resources. When opened, they prompt a restoration process in software like Microsoft Word, which can redirect users to credential-stealing sites. This method combines social engineering and malware, posing a significant threat to organizations reliant on detection tools.

Winsage

November 28, 2024

Firefox and Windows zero-days exploited by Russian RomCom hackers

The Russian-based RomCom cybercrime group has exploited two zero-day vulnerabilities to target Firefox and Tor Browser users in Europe and North America. The first vulnerability, CVE-2024-9680, is a use-after-free bug in Firefox's animation timeline feature, allowing code execution within the browser's sandbox. Mozilla issued a patch for this on October 9, 2024. The second vulnerability, CVE-2024-49039, is a privilege escalation flaw in the Windows Task Scheduler service, which Microsoft addressed on November 12. RomCom combined these vulnerabilities into a zero-day chain exploit that enables remote code execution without user interaction, requiring victims only to visit a malicious website. The attacks specifically targeted Tor Browser users, particularly versions 12 and 13. ESET estimates the campaign's scale could affect between one and 250 victims per country. RomCom has a history of exploiting zero-day vulnerabilities, including an incident in July 2023 targeting organizations at the NATO Summit. The group is linked to various financially motivated campaigns and is currently targeting organizations in Ukraine, Europe, and North America across multiple sectors.