Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.

First, the zero-days. CVE-2024-30051 is an “elevation of privilege” bug in a core Windows library. Satnam Narang at Tenable said this flaw is being used as part of post-compromise activity to elevate privileges as a local attacker.

“CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file,” Narang said. “Once exploited, the attacker can bypass OLE mitigations in Microsoft 365 and Microsoft Office, which are security features designed to protect end users from malicious files.”

CVE-2024-30040 is a security feature bypass in MSHTML, a component that is deeply tied to the default Web browser on Windows systems. Microsoft’s advisory on this flaw is fairly sparse, but Kevin Breen from Immersive Labs said this vulnerability also affects Office 365 and Microsoft Office applications.

“Very little information is provided and the short description is painfully obtuse,” Breen said of Microsoft’s advisory on CVE-2024-30040.

Meanwhile, Kaspersky Lab, one of two companies credited with reporting exploitation of CVE-2024-30051 to Microsoft, has published a fascinating writeup on how they discovered the exploit in a file shared with VirusTotal.

Kaspersky said it has since seen the exploit used together with QakBot and other malware. Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations.

The only vulnerability fixed this month that earned Microsoft’s most-dire “critical” rating is CVE-2024-30044, a flaw in SharePoint Server that Microsoft said is likely to be exploited. Tenable’s Narang notes that exploitation requires an attacker who is already authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher), and who then takes additional steps to trigger the flaw. Those preconditions make widespread exploitation less likely, since most attackers follow the path of least resistance.

Five days ago, Google released a security update for Chrome that fixes a zero-day in the popular browser. Chrome usually auto-downloads any available updates, but it still may require a complete restart of the browser to install them. If you use Chrome and see a “Relaunch to update” message in the upper right corner of the browser, it’s time to restart.

Apple has just shipped macOS Sonoma 14.5 update, which includes nearly two dozen security patches. To ensure your Mac is up-to-date, go to System Settings, General tab, then Software Update and follow any prompts.

Finally, Adobe has critical security patches available for a range of products, including Acrobat, Reader, Illustrator, Adobe Substance 3D Painter, Adobe Aero, Adobe Animate and Adobe Framemaker.

Regardless of whether you use a Mac or Windows system (or something else), it’s always a good idea to back up your data and/or system before applying any security updates. For a closer look at the individual fixes released by Microsoft today, check out the complete list over at the SANS Internet Storm Center. Anyone in charge of maintaining Windows systems in an enterprise environment should keep an eye on askwoody.com, which usually has the scoop on any wonky Windows patches.

Attackers are currently exploiting an old vulnerability in Microsoft Excel to deliver Agent Tesla, a long-running information-stealing malware family. Depending on the commands it receives from its command-and-control (C2) servers, the malware can either discreetly gather intelligence from the infected host or wipe stored data. A study by Zscaler ThreatLabz shows that the distribution chain begins with a phishing campaign that lures the victim into opening a malicious Excel attachment; once installed, the malware collects information or, on command, destroys it.

In a separate incident, JavaScript malware has been detected targeting customers of more than 40 financial institutions worldwide. The web-based malware is estimated to have affected at least 50,000 online sessions at banks in North America (including Canada), Europe and Japan. Its primary objective is to compromise popular banking applications, steal credentials, and drain funds from accounts. The attackers inject the malicious script into the framework of the banking web page as it renders in the victim’s browser (a “web inject”). The script lies dormant at first, then hijacks the authenticated session from the legitimate user and hands control to the attacker, who can initiate funds transfers or reuse the access for malvertising.

AT&T Alien Labs cybersecurity researchers have uncovered a new campaign in which criminals are circulating JaskaGO malware among Windows and macOS users. Written in the Go programming language, the malware can exfiltrate information and deploy additional payloads. On installation it first checks whether it is running inside a virtual machine or sandbox, an anti-analysis step intended to frustrate automated malware detection tools, and only then proceeds to establish itself on the host. Once established, it connects to a remote server and operates according to the attacker’s commands.

Delft, a Denmark-based cybersecurity firm, suggests that blockchain technology can not only help mitigate malware risks but also act as a catalyst in its spread. Criminals can use a blockchain network to hide their tracks once their code is triggered, for example by carrying command-and-control data in transactions that cannot be taken down. That creates an environment favorable to crypto-miners and could lead to new kinds of malware tooling.

Microsoft has issued an alert regarding the resurgence and spread of QakBot malware, distributed through an email phishing campaign impersonating an IRS employee. QakBot, active since 2008, had its criminal infrastructure seized by the FBI in August 2023 during “Operation Duck Hunt.” However, a small campaign targeting the hospitality industry was observed from December 11, 2023, indicating the re-emergence of the criminals spreading the malware.

The post Malware threat on rise and some details appeared first on Cybersecurity Insiders.

Collaborative Efforts Dismantle Qakbot Malware’s IT Infrastructure

In a significant joint operation, the FBI, in partnership with the Department of Justice and international allies, has successfully taken down the IT infrastructure operated by the Qakbot malware group. Drawing on cyber law enforcement units in countries including France, the USA, Germany, the Netherlands, Romania, Latvia, and the UK, the agencies launched a coordinated operation against the botnet infrastructure. It aimed to disrupt the malicious activities carried out by cybercriminals using Qakbot, including ransomware distribution, DDoS attacks, financial fraud, and various forms of social engineering.

The collaborative effort yielded positive results, with law enforcement agencies managing to infiltrate the Qakbot infrastructure. Their efforts unveiled a staggering 700,000 infected computers worldwide, all harboring the Qakbot malware. Particularly concerning was the identification of over 200,000 infected computers within the United States alone.

University of Michigan’s Network Disrupted Due to Suspicious Activity

In a recent cybersecurity development, the University of Michigan has taken the precautionary step of severing network connections for its students and staff since August 27, 2023. The decision came in response to the detection of suspicious activities within the university’s computer network across its campuses.

The university’s IT teams are working tirelessly to rectify the situation and restore network services as swiftly as possible. While the restoration process is underway, the administration has granted temporary permission for students and staff to access certain applications such as Zoom, Adobe, Dropbox, Slack, Google, and Canva from external networks using school devices.

Hospital Sisters Health System Takes Protective Measures Against Network Malware

Hospital Sisters Health System (HSHS) has taken a proactive stance in the face of a potential network malware infection. Over the past two days, the healthcare provider has opted to shut down its computer network to contain any potential threats and safeguard its clinical and administrative applications.

HSHS has released a statement regarding the temporary shutdown, outlining the suspension of services such as MyChart Communications. This platform is typically used by patients to manage appointments, view test results, access medical history, and make payments. The network will remain inactive until further notice, reflecting HSHS’s commitment to maintaining the integrity of patient data and healthcare operations.

The post The Latest in Cybersecurity Incidents making to Google Headlines appeared first on Cybersecurity Insiders.

The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computer systems.

Qakbot/Qbot was once again top malware loader observed in the wild in the first six months of 2023. Source: Reliaquest.com.

In an international operation announced today dubbed “Duck Hunt,” the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said Martin Estrada, the U.S. attorney for the Central District of California, at a press conference this morning in Los Angeles.

Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.

Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.

Don Alway, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect infected machines from the botnet, Alway said.

The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.

Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.

According to recent figures from the managed security firm Reliaquest, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.

Researchers at AT&T Alien Labs say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.

Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In May 2023, the DOJ quietly removed the “Snake” malware from computers around the world; Snake is an even older malware family that U.S. agencies have tied to the FSB, Russia’s domestic intelligence service.

Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.

“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”

The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check whether their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the Dutch National Police.
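Have I Been Pwned exposes the recovered passwords through its Pwned Passwords service, which can be queried without ever sending the password itself: the client hashes the candidate with SHA-1, sends only the first five hex characters of the digest to the range endpoint, and receives every suffix in that range with a breach count. The following is an added example, not code from the article, from the DOJ, or from Have I Been Pwned. It assumes the public range API format (`https://api.pwnedpasswords.com/range/<5-hex-prefix>`, one `<35-hex-suffix>:<count>` per line, with `count` of 0 marking padding entries when the `Add-Padding` header is sent). The sample response body and its counts are constructed for the example; a real response has several hundred lines.

```python
"""Pwned Passwords k-anonymity lookup (added example, not from the article)."""
from __future__ import annotations

import hashlib
import urllib.request

# Constructed sample of a "/range/5BAA6" response body. Real counts differ;
# the last line imitates a padding entry (count 0) that must be ignored.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012A7CA357541F0AC487871FEEC1891C49C:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365
1E4D5E9A1C56EDF53ED00E8D3BD1FAA0DBF:1
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # public endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse "<suffix>:<count>" lines; drop padding entries (count 0)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count_text = line.partition(":")
        count = int(count_text)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def breach_count_from_response(password: str, body: str) -> int:
    """Offline core of the check: how many times the password appears in the
    range body, 0 if it is absent. Only the suffix is compared locally."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch one range from the live service. Add-Padding hides the true
    response size from a passive observer; not called by the offline demo."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str) -> int:
    """Live check: network round trip carries only the 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample body.
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count_from_response(candidate, SAMPLE_RANGE_RESPONSE)
        print(f"{candidate!r}: seen {n} time(s) in sample range")
```

The point worth noting for anyone wiring this into a password-change flow is that the comparison happens entirely on the client: the service never learns which of the several hundred suffixes in the range the caller was interested in, and padding entries (count 0) must be discarded rather than counted as hits.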

Further reading:

The DOJ’s application for a search warrant tied to the Qakbot uninstall file
The search warrant application connected to QakBot server infrastructure in the United States
The government’s application for a warrant to seize virtual currency from the QakBot operators.