Police operation claims takedown of prolific Redline and Meta password stealers


A coalition of international law enforcement agencies say they have disrupted the operations of two prolific infostealers that stole the sensitive data of millions of people. 

The Dutch National Police, who led the so-called “Operation Magnus” takedown, reports it gained “full access” to the servers used by the Redline and Meta infostealers. 

Infostealers are a type of malware specifically designed to extract sensitive information, such as passwords, credit card data, search histories, and the contents of cryptocurrency wallets, from an infected system. 

Redline is considered one of the most prolific strains of infostealer malware. Criminals have been using Redline, which has been active since 2020, to steal the sensitive data of hundreds of millions of people, according to a recent report. The malware has been attributed to a 2022 hack at Uber, the theft of login details from Worldcoin Orb operators, and the breach of a senior official at Israel’s National Cybersecurity Directorate.

Meta is a relatively new infostealer, though Operation Magnus notes: “We gained full access to all Redline and Meta servers. Did you know they were actually pretty much the same?”  

In a video posted to the website on Monday, the agencies say they were able to access the usernames, passwords, IP addresses, timestamps and registration dates, along with the source code for both infostealers, and the Telegram bots used by the operators of the malware.

The agencies also teased a list of usernames belonging to “VIP” — or “very important to the police” — users of the Redline and Meta infostealers. It’s not yet clear if any arrests have been made as part of the operation, but the website claims that “legal actions are underway.”

Operation Magnus, which was supported by the U.S. Federal Bureau of Investigation and the U.K.’s National Crime Agency, was announced on a newly created website outing the Redline and Meta operations. Simone van Wordragen, a spokesperson for the Dutch National Police, told TechCrunch that it will release more information about the takedown on Tuesday.

A similar takedown approach was taken during the recent operation targeting LockBit, which saw police take control of the ransomware gang’s dark web leak site to post details of the operation. 

Stealthy Malware Has Infected Thousands of Linux Systems for Years


Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (German), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.

After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /tmp directory, runs the copy, and then terminates the original process and deletes the downloaded binary.

Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.

The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.

The researchers continued:

As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.

All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

By extrapolating data such as the number of Linux servers connected to the internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.

People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.
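A defender-side check that follows from the behaviour described above (payload copied into /tmp, run under a borrowed name such as sh or httpd, original binary deleted). This is an added example, not code from the Ars Technica story or from the researchers' report; the directory list, the Proc helper and the sample process table are my own assumptions and constructed data.

```python
"""Flag running processes whose executable lives in a world-writable temp
directory, the staging pattern the Perfctl write-up describes. Linux only."""
import os
from dataclasses import dataclass

# Assumption: staging directories worth watching; extend to taste.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Names the honeypot sample is reported to have borrowed.
MIMICKED_NAMES = {"sh", "httpd"}

@dataclass
class Proc:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # target of the /proc/<pid>/exe symlink

def reasons_for(p: Proc) -> list:
    """Return why a process matches the described dropper behaviour ([] if it does not)."""
    path = p.exe.removesuffix(" (deleted)")
    if not path.startswith(SUSPECT_DIRS):
        # A daemon upgraded in place also shows "(deleted)"; on its own that is noise.
        return []
    reasons = ["executable runs from a world-writable temp dir"]
    if p.exe.endswith(" (deleted)"):
        reasons.append("backing binary deleted after launch")
    if p.comm in MIMICKED_NAMES:
        reasons.append(f"name {p.comm!r} mimics a common system process")
    return reasons

def flag_suspicious(procs) -> dict:
    """Map pid -> reasons for every process that trips the check."""
    return {p.pid: reasons_for(p) for p in procs if reasons_for(p)}

def collect_procs() -> list:
    """Read the live process table from /proc (needs root to see other users' exe links)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:   # process exited, or not permitted
            continue
        out.append(Proc(int(name), comm, exe))
    return out

# Constructed sample mirroring the honeypot description; not real telemetry.
SAMPLE = [
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(1337, "sh", "/tmp/.x/sh (deleted)"),
    Proc(1402, "httpd", "/tmp/httpd"),
    Proc(2001, "bash", "/usr/bin/bash"),
]

if __name__ == "__main__":
    for pid, why in flag_suspicious(SAMPLE).items():
        print(pid, "; ".join(why))
```

Swap SAMPLE for collect_procs() to run against the live system; a hit is a lead to confirm against the published indicators, not proof of infection.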

This story originally appeared on Ars Technica.

TikTok says it fixed a vulnerability that enabled a cyberattack on high-profile accounts


TikTok says it has fixed a vulnerability that allowed for a cyberattack that targeted high-profile accounts, as reported by Axios. A TikTok spokesperson added that the company is currently working to restore access to impacted users.

The social media giant hasn’t announced how many accounts were hit by the attack, but we do know that CNN and Paris Hilton were targets. The hack involved sending messages to users that were filled with malicious code. When the user opened up the message, the code went to work and took over the entire account. Oddly, the impacted accounts didn’t post anything while they were compromised.

It remains unclear who was behind the attack and what their ultimate goal was, aside from taking over celebrity TikTok accounts. TikTok also remains mum as to the specifics regarding the vulnerability that allowed for the attack in the first place. This type of hack is extremely rare, however, so it shouldn’t be a big concern for average users.

The hack is known as a zero-click attack, meaning that you don’t have to click on anything to get infected. In this case, users just had to open up a direct message. The method used here is similar to zero-click spyware attacks, only those hackers target high-profile government officials and journalists for the purpose of secretly gathering information. This attack took over the whole account for unknown purposes.

This isn’t the first big TikTok hack. Last year, over 700,000 accounts in Turkey were compromised due to insecure SMS channels. Researchers at Microsoft discovered a flaw back in 2022 that let hackers take over accounts with just a single click. Later that same year, an alleged security breach impacted more than a billion users. That’s a whole lot of people.