AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 05/16/2022

BPFdoor: Stealthy Linux malware bypasses firewalls for remote access

A recently discovered backdoor malware called BPFdoor has been stealthily targeting Linux and Solaris systems without being noticed for more than five years. BPFdoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device. The malware does not need to open ports, cannot be stopped by firewalls, and can respond to commands from any IP address on the web, making it an ideal tool for corporate espionage and persistent attacks. BPFdoor is a passive backdoor, meaning that it listens on one or more ports for incoming packets from one or more hosts, which attackers can use to send commands remotely to the compromised network.


How a pentester’s attempt to be ‘as realistic as possible’ alarmed cybersecurity firms

Over the last several weeks, researchers at multiple security firms have been scratching their heads trying to figure out who was targeting German companies with what appeared to be a supply chain attack. On Wednesday, they got their answer: An intern at a threat intelligence firm that was simulating “realistic threat actors” for its clients. Security research teams at JFrog, ReversingLabs and Snyk released reports in recent weeks after they detected several malicious JavaScript packages in the widely used npm registry. The code was targeted at a German media conglomerate and other German firms. But on Wednesday, employees of Germany-based Code White GmbH came forward to admit that the malicious packages were part of a test they were running. 


Novel Phishing Trick Uses Weird Links to Bypass Spam Filters

Researchers have identified a never-before-seen method for sneaking malicious links into email inboxes. The clever trick takes advantage of a key difference in how email inboxes and browsers read URLs, according to a Monday report by Perception Point. The attacker crafted an unusual link using an “@” symbol in the middle. Ordinary email security filters interpreted it as a comment, but browsers interpreted it as a legitimate web domain. Thus the phishing emails successfully bypassed security, but when targets clicked on the link inside, they were directed to a fake landing page nonetheless. On May 2, Perception Point’s incident response (IR) team flagged a hastily designed phishing email trying to pass itself off as a Microsoft notice. “You have new 5 held messages,” it read, directing the recipient to follow a “Personal Portal” hyperlink.
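As an added example (not code from the Perception Point report), the Python snippet below shows the parsing difference the report describes: a simplistic check that reads the domain only up to the “@” sees the decoy name, while `urllib.parse.urlsplit`, like a browser, treats everything before the “@” as userinfo and resolves the host after it. The sample links and domain names are constructed for illustration; a mail filter can flag any link whose userinfo part looks like a hostname.

```python
from urllib.parse import urlsplit

# Constructed sample links (no real domains). In the first and third, the text
# before "@" looks like a trusted site, but a browser treats it as userinfo and
# connects to the host after the "@".
SAMPLE_LINKS = [
    "https://portal.microsoft.example@phish-landing.example/personal-portal",
    "https://login.example.com/messages?held=5",
    "http://trusted.example@203.0.113.10/login",
]


def naive_domain(url: str) -> str:
    """Domain as seen by a hypothetical filter that stops reading at '@'."""
    rest = url.split("://", 1)[-1]
    return rest.split("@", 1)[0].split("/", 1)[0].lower()


def browser_host(url: str) -> str:
    """Host a browser actually connects to: the authority after the last '@'."""
    return (urlsplit(url).hostname or "").lower()


def classify_link(url: str) -> dict:
    """Flag links whose userinfo looks like a hostname (the decoy) and differs
    from the real host. Plain credentials without a dot are not flagged."""
    parts = urlsplit(url)
    decoy = parts.username          # userinfo before '@', None if absent
    real = browser_host(url)
    suspicious = decoy is not None and "." in decoy and decoy != real
    return {"url": url, "decoy": decoy, "host": real, "suspicious": suspicious}


def suspicious_links(urls):
    """Return only the links a filter should hold for review."""
    return [r for r in map(classify_link, urls) if r["suspicious"]]


if __name__ == "__main__":
    for result in map(classify_link, SAMPLE_LINKS):
        print(result)
```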


How to Turn a Coke Can Into an Eavesdropping Device

A soda can, a smartphone stand, or any shiny, lightweight desk decoration could pose a threat of eavesdropping, even in a soundproof room, if an attacker can see the object, according to a team of researchers from Ben-Gurion University of the Negev. At the Black Hat Asia security conference on Thursday, and aiming to expand on previous research into optical speech eavesdropping, the research team showed that audio conversations at the volume of a typical meeting or conference call could be captured from up to 35 meters, or about 114 feet, away. The researchers used a telescope to collect the light reflected from an object near the speaker and a light sensor — a photodiode — to sample the changes in the light as the object vibrated.


Disgruntled admin wipes employer’s databases, gets 7 years in prison

Han Bing, a former database administrator for Lianjia, a Chinese real-estate brokerage giant, has been sentenced to 7 years in prison for logging into corporate systems and deleting the company’s data. Bing allegedly performed the act in June 2018, when he used his administrative privileges and “root” account to access the company’s financial system and delete all stored data from two database servers and two application servers. This resulted in the immediate crippling of large portions of Lianjia’s operations, leaving tens of thousands of its employees without salaries for an extended period and forcing a data restoration effort that cost roughly $30,000.


Italy prevents pro-Russian hacker attacks during Eurovision contest

Italian police thwarted hacker attacks by pro-Russian groups during the May 10 semi-final and Saturday final of the Eurovision Song Contest in Turin, authorities said on Sunday. Ukraine’s Kalush Orchestra won the contest with their entry “Stefania”, riding a wave of public support to claim an emotional victory that was welcomed by the country’s president Volodymyr Zelenskiy. During voting and the performances, the police cybersecurity department blocked several cyber attacks on network infrastructure by the “Killnet” hacker group and its affiliate “Legion”, police said. The police also gathered information from the pro-Russian group’s Telegram channels to prevent other critical events and identified the attacks’ geographic location.


Zyxel silently patches command-injection vulnerability with 9.8 severity rating

Hardware manufacturer Zyxel quietly released an update fixing a critical vulnerability that gives hackers the ability to control tens of thousands of firewall devices remotely. The vulnerability, which allows remote command injection with no authentication required, carries a severity rating of 9.8 out of a possible 10. It is easy to exploit by sending simple HTTP or HTTPS requests to affected devices. The requests allow hackers to send commands or open a web shell interface that enables them to maintain privileged access over time. The vulnerability affects a line of firewalls that offer a feature known as zero-touch provisioning. Zyxel markets the devices for use in small branch and corporate headquarters deployments. The devices perform VPN connectivity, SSL inspection, web filtering, intrusion protection, and email security and provide up to 5Gbps throughput through the firewall. The Shodan device search service shows more than 16,000 affected devices are exposed to the Internet.
