Weekly Cyber Reports

This Week in Cyber 16th December 2022

Latest news & views from our Cyber Analysts

Written by

Team Nucleus

Written on

16th December, 2022



Cyber Security Researchers Understand the Destructive Azov Ransomware

The Israeli cyber security firm Check Point has disassembled and analysed the new Azov ransomware, which has been described as an ‘effective, fast and unfortunately unrecoverable data wiper’. The origins of this ransomware are yet to be known; however, it has been seen in the wild many times, and the victims on the receiving end know all too well how effective it is. The wiper routine overwrites a file's contents in alternating 666-byte chunks with random noise, a technique referred to as intermittent encryption that is increasingly leveraged by ransomware operators to evade detection and encrypt victims' files faster. Interestingly, the ransomware also incorporates a logic bomb, meaning that a required set of conditions must be met before the ransomware executes. The Check Point team go on to say that ‘when probed further one finds very advanced techniques — manually crafted assembly, injecting payloads into executables in order to backdoor them, and several anti-analysis tricks usually reserved for security textbooks or high-profile brand-name cybercrime tools’. In conclusion, this ransomware is fast and effective and has advanced anti-analysis tricks, which makes it an incredibly dangerous piece of malware to encounter.
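The intermittent-overwrite pattern described above leaves a recognisable footprint: if a file is read in 666-byte slices, noise slices sit near 8 bits of entropy per byte while untouched slices of ordinary data sit far lower, and the two strictly alternate. The script below is an added example written for this page, not Check Point's tooling or anything from the Azov analysis; the 666-byte chunk size comes from the write-up, while the 7.0-bit threshold, the minimum chunk count and the `build_sample` fixture (plain text interleaved with seeded random bytes) are constructed assumptions for illustration.

```python
import math
import random
import sys
from collections import Counter

CHUNK = 666          # chunk size reported for the Azov wiper routine
HIGH_ENTROPY = 7.0   # bits per byte; random noise scores close to 8, text around 4-5 (assumed threshold)
MIN_CHUNKS = 4       # below this there are too few chunks to call anything a pattern (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive `chunk`-byte slice; the last slice may be shorter."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> str:
    """Label the high/low entropy pattern across chunks.

    'alternating'  -> high and low chunks strictly alternate, the shape the
                      intermittent-overwrite description predicts
    'high-entropy' -> every chunk is noise-like (fully encrypted, or simply compressed)
    'low-entropy'  -> every chunk looks like ordinary structured data
    'mixed'        -> high chunks present without a strict alternation
    """
    flags = [e >= threshold for e in chunk_entropies(data, chunk)]
    if not flags:
        return "empty"
    if not any(flags):
        return "low-entropy"
    if all(flags):
        return "high-entropy"
    alternating = all(flags[i] != flags[i + 1] for i in range(len(flags) - 1))
    if alternating and len(flags) >= MIN_CHUNKS:
        return "alternating"
    return "mixed"


def build_sample(pattern: str, chunk: int = CHUNK, seed: int = 1) -> bytes:
    """Constructed test data: 'p' = plain-text chunk, 'n' = seeded random-noise chunk."""
    rng = random.Random(seed)
    line = b"Quarterly figures, invoice 0042, payment due on receipt.\n"
    text = (line * (chunk // len(line) + 1))[:chunk]
    return b"".join(rng.randbytes(chunk) if k == "n" else text for k in pattern)


def scan_file(path: str) -> str:
    """Classify a file on disk; read-only, nothing is modified."""
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(f"{p}: {scan_file(p)}")
    else:
        for pat in ("pnpnpnpn", "pppppppp", "nnnnnnnn", "ppnnpnpp"):
            print(f"{pat}: {classify(build_sample(pat))}")
```

Two caveats matter in practice: already-compressed or encrypted formats (archives, JPEGs, PDFs with compressed streams) legitimately land in `high-entropy` and need an allow-list by type, and the check only lines up if the overwrite started at offset 0 with the same chunk size, so a triage run should sweep a few candidate chunk sizes rather than trusting one constant.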

Over 144,000 Malicious Packages Uploaded to Open Source Repositories as Part of New Campaign

The open source repositories NuGet, PyPI and npm have recently been inundated with malicious packages from a large phishing group. Security vendors Checkmarx and Illustria first discovered the campaign several months ago when they noticed large clusters of packages being uploaded to NuGet. A total of 135,000 packages were found on that platform from the same source, with a further 212 on npm and 7,824 on PyPI. These packages are aimed at credential harvesting, attempting to steal a user’s email address, username and password. Some of the packages even mimic legitimate sites such as the e-commerce site AliExpress, with some including fake webchat services that display the information users had been promised for running them. Checkmarx said in a statement that “The messages in these packages attempt to entice readers into clicking links with promises of game cheats, free resources and increased followers and likes on social media platforms like TikTok and Instagram.” They go on to say that over 65,000 URLs on 90 domains have been linked to this attack and that much of it was carried out using automation. This allowed the threat actor to create a large number of packages and user accounts quickly, making them more difficult to trace and remove effectively. Furthermore, they admit that, because of the automation, it will be difficult to keep up with and remove any new packages quickly.
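The traits the vendors describe (a burst of uploads from one account, lure text promising cheats or followers, and links spread across many domains) are all visible in package metadata, so a registry operator or an internal mirror can triage new uploads on exactly those signals. The code below is an added example written for this page, not Checkmarx's or Illustria's detection logic: the lure phrases are lifted from the quoted statement, while the thresholds (five uploads within an hour, at least two distinct link hosts) and the `SAMPLE_RECORDS` fixture are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Lure phrases taken from the quoted Checkmarx statement; the scoring rule around
# them is a hypothetical heuristic written for this example.
LURE_PHRASES = ("game cheat", "free resources", "followers", "likes", "tiktok", "instagram")
URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+")


def extract_hosts(text: str) -> set:
    """Hostnames of every http(s) URL found in a package description."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def lure_hits(text: str) -> list:
    """Lure phrases present in the description (case-insensitive)."""
    low = text.lower()
    return [p for p in LURE_PHRASES if p in low]


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of sorted timestamps that fall inside any span of `window`."""
    best, j = 0, 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def flag_bulk_publishers(records, window=timedelta(hours=1), min_packages=5, min_hosts=2) -> dict:
    """Group package metadata by publisher and flag accounts showing all three
    campaign traits: an upload burst, several distinct link hosts, and lure text."""
    by_publisher = defaultdict(list)
    for rec in records:
        by_publisher[rec["publisher"]].append(rec)
    flagged = {}
    for publisher, pkgs in by_publisher.items():
        times = sorted(datetime.fromisoformat(r["uploaded"]) for r in pkgs)
        burst = max_in_window(times, window)
        hosts = set()
        for r in pkgs:
            hosts |= extract_hosts(r["description"])
        lured = [r["name"] for r in pkgs if lure_hits(r["description"])]
        if burst >= min_packages and len(hosts) >= min_hosts and lured:
            flagged[publisher] = {"burst": burst, "hosts": sorted(hosts), "lure_packages": sorted(lured)}
    return flagged


# Constructed sample metadata (not real packages): one bulk account publishing six
# lure packages in five minutes across three domains, and one ordinary maintainer.
SAMPLE_RECORDS = [
    {"name": f"tiktok-likes-booster-{i:03d}", "publisher": "bulk-acct-01",
     "uploaded": f"2022-12-10T08:{i:02d}:00",
     "description": f"Get free followers and likes on TikTok! Download: https://lure-{i % 3}.example/tool"}
    for i in range(6)
] + [
    {"name": "http-retry-helper", "publisher": "maintainer-a", "uploaded": "2022-12-09T14:00:00",
     "description": "Retry and backoff helpers for HTTP clients. Docs: https://docs.example.org/retry"},
    {"name": "asyncio-utils", "publisher": "maintainer-a", "uploaded": "2022-12-01T10:00:00",
     "description": "Small asyncio utilities."},
]

if __name__ == "__main__":
    for pub, info in flag_bulk_publishers(SAMPLE_RECORDS).items():
        print(f"{pub}: {info['burst']} uploads in a 1h window, "
              f"{len(info['hosts'])} link hosts, {len(info['lure_packages'])} lure packages")
```

Requiring all three signals together keeps a busy but legitimate maintainer (many uploads, one documentation domain, no lure wording) out of the flagged set; the point the vendors make about automation is that the actor can rotate accounts faster than a per-account rule reacts, so in production the same grouping is worth repeating on shared link hosts and on near-duplicate description text rather than on publisher alone.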

Microsoft Warns of DDoS Attacks Against Minecraft Servers from Cross-Platform Botnet

On Thursday, Microsoft disclosed information regarding a cross-platform botnet named 'MCCrash', designed to launch DDoS attacks against Minecraft servers. The activity is being tracked as DEV-1028. The bot malware originates from malicious software downloaded onto Windows systems but can spread itself to Linux-based devices, which means that even if it is wiped from the original host it can persist on IoT (Internet of Things) devices or other Linux-based systems on the network. The initial point of infection is a pool of machines compromised by installing cracking tools that claim to provide illegal Windows licenses, namely 'KMSAuto++' and 'W10DigitalActivation'. While the majority of the disclosed infected systems are based in Eastern Europe and Asia, given the wide range of server versions this could affect, it is very likely that Europe and the US could see more of an impact. According to Microsoft, the malware has Minecraft version 1.12.2 hardcoded into it, but using the same attack method, all versions from 1.7.2 to 1.18.2 are vulnerable. Infection is not possible from 1.19 onwards because of a modification made to Minecraft's code earlier this year.

Full Microsoft security blog:


ChatGPT – What is it and how can it help Revolutionise Tech?

Admittedly this post is not entirely focused on cyber security; however, the repercussions of this technology could certainly become a future concern for security professionals. ChatGPT is a natural language processing tool driven by AI that allows you to have a human-like conversation with its ‘chatbot’ interface. The tool was created by OpenAI, an AI research company, which released ChatGPT to the public in late 2022. Its features include writing essays; composing formal or informal messages; writing and debugging code; answering complex mathematical questions with steps and workings; and much more. The implementation of this tool could easily eliminate many professions given how powerful it can be; however, it still has many flaws, which means job security is not being threatened for now. The tool ships with some security features that prevent it from writing malicious code, hateful essays and other potentially harmful content in the hands of the public. However, one user has shown how easily the tool can be tricked into writing malicious code simply by wording the questions in a specific way.

