Cisco Talos has recently received, from an intelligence partner, modified versions of the TeamTNT cyber crime group’s malicious shell scripts, an earlier version of which was detailed by Trend Micro. According to that partner, the malware author modified these tools after becoming aware that security researchers had published the previous version of their scripts. These scripts are primarily designed to target Amazon Web Services (AWS) but could also run on on-premise, container or other forms of Linux instances. Besides the primary credential stealer scripts, there are several TeamTNT payloads focused on cryptocurrency mining, persistence and lateral movement, using techniques such as discovering and deploying onto all Kubernetes pods in a local network. There is also a script with login credentials for the primary distribution server, and another with an API key that might provide remote access to a tmate shared terminal session. Some of the TeamTNT scripts even contain defense evasion functions focused on disabling Alibaba Cloud security tools. The focus on compromising modern cloud environments sets TeamTNT apart from many of the other cybercriminals encountered by Cisco Talos.
In the months leading up to Russia’s invasion of Ukraine, two obscure American startups met to discuss a potential surveillance partnership that would merge the ability to track the movements of billions of people via their phones with a constant stream of data purchased directly from Twitter. According to Brendon Clark of Anomaly Six — or “A6” — the combination of its cellphone location-tracking technology with the social media surveillance provided by Zignal Labs would permit the U.S. government to effortlessly spy on Russian forces as they amassed along the Ukrainian border, or similarly track Chinese nuclear submarines. To prove that the technology worked, Clark pointed A6’s powers inward, spying on the National Security Agency and CIA, using their own cellphones against them.
Spanish authorities are pledging full transparency as they launch inquiries into allegations that the phones of dozens of supporters of Catalan independence were hacked with powerful and controversial spyware only sold to government agencies. An internal probe by the country’s intelligence agency, a special parliamentary commission to share its results, and a separate investigation by Spain’s ombudsman will be arranged to show that central authorities in Madrid have “nothing to hide,” the minister for presidency and relations with parliament, Félix Bolaños, announced Sunday. Bolaños also said the government remained committed to negotiations with separatists on the future of the restive northeastern region of Catalonia.
An affiliate of the aggressive Hive ransomware group is exploiting known vulnerabilities in Microsoft Exchange servers to exfiltrate and encrypt data, then threatening to publicly disclose the information if the ransom isn’t paid. In a recent attack on an unnamed organization, the Hive affiliate rapidly compromised multiple devices and file servers by exploiting the ProxyShell vulnerabilities in Exchange servers (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, all patched by Microsoft in 2021), encrypting the data within 72 hours of the start of the attack, threat hunters with data security vendor Varonis Systems said in a report this week. The attack included all the hallmarks of one associated with Hive, a ransomware-as-a-service (RaaS) group that emerged in June 2021 and has targeted a range of sectors, including healthcare, retail, nonprofits, and energy providers.
Our 24/7 digital lives mean we’re increasingly sitting in front of a screen, whether that’s a laptop, a smartphone or another device. That usually means we’re also sitting in front of a camera. Some of us rarely used this feature, until the pandemic hit and saw homebound workers and bored students alike switch on their webcams to stay connected with the rest of the world. But while online cameras can provide a lifeline to friends and family, and a near-ubiquitous way of participating in meetings, they also put us at risk. Whether it’s financially motivated cybercriminals, stalkers, bullies, trolls or just plain weirdos, the tools and knowledge to hack webcams have never been easier to find online. That puts the onus on us all to become more aware of the risks, and take steps to improve our online privacy and safety. A lot of it is common sense. Some of it needs to be learned behavior.
An Iranian-linked threat actor known as Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems. Tracked as CVE-2022-22954 (CVSS score: 9.8), the critical issue is a server-side template injection leading to remote code execution (RCE) in VMware Workspace ONE Access and Identity Manager. VMware patched the issue on April 6, 2022, and a week later warned customers that exploitation of the flaw in the wild had been confirmed. “A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface,” researchers from Morphisec Labs said in a new report. “This means highest privileged access into any components of the virtualized host and guest environment.”
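Both the Hive/ProxyShell item and the Rocket Kitten/CVE-2022-22954 item above describe initial access through a single crafted HTTP request to an internet-facing product, which means the exploitation attempt is usually visible in the web server's access log before any ransomware or post-exploitation tooling lands. The following is an added example, not code from Varonis, Morphisec or the original articles: a small access-log scanner that URL-decodes each request URI and flags the publicly documented request shapes of the two bugs (the ProxyShell Explicit Logon path confusion on `autodiscover.json?@…`, and a FreeMarker `${…}` expression in the `deviceUdid` parameter of `/catalog-portal/ui/oauth/verify`). The log lines, IP addresses and timestamps are constructed for the example; the signature names, field layout and helper functions are the example's own choices, not an official detection format.

```python
"""Flag access-log requests matching two public exploitation patterns.

Added example for this digest; not from the vendors or articles it summarizes.
Assumes Common Log Format lines; adjust LOG_RE for IIS W3C or other layouts.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (CLF). Not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Apr/2022:10:01:02 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5120
198.51.100.7 - - [22/Apr/2022:10:01:09 +0000] "GET /autodiscover/autodiscover.json?@evil.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.com HTTP/1.1" 200 12034
198.51.100.7 - - [22/Apr/2022:10:01:15 +0000] "POST /autodiscover/autodiscover.json?@evil.com/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dz HTTP/1.1" 200 88
203.0.113.9 - - [22/Apr/2022:11:30:44 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 0
10.0.0.8 - - [22/Apr/2022:11:31:00 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=abc123 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def _proxyshell(uri: str) -> bool:
    """CVE-2021-34473: the '.../autodiscover.json?@domain' segment is treated as
    an Explicit Logon mailbox and stripped by the front end, so the rest of the
    path (e.g. /mapi/nspi or /PowerShell) reaches the back end unauthenticated."""
    low = uri.lower()
    return "autodiscover.json?@" in low or (
        "autodiscover.json" in low and "x-rps-cat=" in low
    )


def _workspace_one_ssti(uri: str) -> bool:
    """CVE-2022-22954: FreeMarker template expression injected via deviceUdid.
    '${' is the template interpolation opener; benign UDIDs never contain it."""
    low = uri.lower()
    return (
        "/catalog-portal/ui/oauth/verify" in low
        and "deviceudid=" in low
        and "${" in low
    )


# (signature name, predicate over the decoded request URI)
SIGNATURES = [
    ("ProxyShell CVE-2021-34473", _proxyshell),
    ("Workspace ONE Access CVE-2022-22954", _workspace_one_ssti),
]


def parse_line(line: str):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice: exploit payloads are frequently double URL-encoded to
    # slip past naive single-decode filters.
    rec["uri"] = unquote(unquote(rec["uri"]))
    return rec


def scan(log_text: str):
    """Return a list of hits, one per (line, signature) match, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, predicate in SIGNATURES:
            if predicate(rec["uri"]):
                hits.append(
                    {"ip": rec["ip"], "ts": rec["ts"], "sig": name, "uri": rec["uri"]}
                )
    return hits


def sources(hits) -> list:
    """Distinct source IPs that triggered any signature, sorted."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["sig"]}: {h["uri"]}')
```

Treat a hit as a triage trigger, not a verdict: a ProxyShell probe against a patched Exchange server returns an error rather than a shell, so pair the log match with patch level and with what the same source IP did in the minutes that followed (the Varonis write-up above puts the whole Hive intrusion inside 72 hours, which is the window a detection like this has to buy).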