Hackerzhome


Cybersecurity news all over the world


April 20, 2023

Thursday

Microsoft SQL servers hacked to deploy Trigona ransomware

Attackers are breaking into Microsoft SQL servers that are exposed to the Internet and insufficiently protected, installing Trigona ransomware payloads and encrypting all files.

The MS-SQL servers are accessed through brute-force or dictionary attacks against accounts whose credentials are simple to guess.

According to security researchers from the South Korean cybersecurity firm AhnLab, who discovered the attacks, the threat actors deploy malware known as CLR Shell after connecting to a server.

This malware is used to gather system data, change the configuration of the compromised account, and escalate privileges to LocalSystem by exploiting a flaw in the Windows Secondary Logon Service, which is required to start the ransomware as a service.

According to AhnLab, “CLR Shell is a type of CLR assembly malware that receives instructions from threat actors and engages in malicious behavior, much like the WebShells of web servers.”

The attackers then install and run a dropper malware as the svcservice.exe service, which launches the Trigona ransomware as svchost.exe.


To ensure that the PCs remain encrypted even after a reboot, they additionally configure the ransomware to run automatically at every system restart through a Windows autorun key.
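The intrusion described above starts with password guessing against an exposed MS-SQL instance, and the SQL Server ERRORLOG records every login attempt with the client address, so the pattern is detectable before the ransomware stage. The following Python script is an added example (not from the article or from AhnLab): it parses constructed ERRORLOG-style lines, counts failed logins per client address, and flags a client whose burst of failures is followed by a successful login. The sample log lines, the threshold of three failures, and the client addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in SQL Server ERRORLOG format (not taken from the article).
# A password-guessing client fails repeatedly on 'sa' and 'admin', then succeeds on 'sa';
# a normal user on 10.0.0.8 mistypes a password once and then logs in.
SAMPLE_ERRORLOG = """\
2023-04-20 09:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-20 09:12:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-20 09:12:01.77 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-04-20 09:12:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-20 09:12:02.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-20 09:12:02.61 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-04-20 09:30:15.00 Logon       Login failed for user 'report_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
2023-04-20 09:31:02.00 Logon       Login succeeded for user 'report_ro'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.8]
"""

# Matches both "Login failed for user '...'" and "Login succeeded for user '...'" lines
# and captures the timestamp, outcome, login name and the [CLIENT: addr] suffix.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_logon_events(text):
    """Return a list of dicts (ts, outcome, user, client) for every logon line in the text."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce_then_success(events, threshold=3):
    """Group events by client address and report clients with >= threshold failures.

    For each reported client: the failure count, the sorted set of login names tried,
    and 'compromised' = the first login that succeeded after the threshold was reached
    (None if the guessing never succeeded). Events must be in log order.
    """
    per_client = defaultdict(lambda: {"failures": 0, "users": set(), "compromised": None})
    for ev in events:
        rec = per_client[ev["client"]]
        if ev["outcome"] == "failed":
            rec["failures"] += 1
            rec["users"].add(ev["user"])
        elif rec["failures"] >= threshold and rec["compromised"] is None:
            rec["compromised"] = ev["user"]
    return {
        client: {
            "failures": rec["failures"],
            "users": sorted(rec["users"]),
            "compromised": rec["compromised"],
        }
        for client, rec in per_client.items()
        if rec["failures"] >= threshold
    }


if __name__ == "__main__":
    findings = find_bruteforce_then_success(parse_logon_events(SAMPLE_ERRORLOG))
    for client, info in findings.items():
        verdict = f"SUCCESS as '{info['compromised']}'" if info["compromised"] else "no success seen"
        print(f"{client}: {info['failures']} failed logins on {info['users']}, {verdict}")
```

The script reports 203.0.113.5 (five failures across 'sa' and 'admin', then a successful 'sa' login) and ignores 10.0.0.8, which stayed under the threshold. A production version would additionally window the failures by time and alert on the first successful login that follows a guessing burst, since that is the moment a CLR Shell-style payload can be loaded.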


Fortra shares findings on the GoAnywhere MFT zero-day attacks.

Fortra has concluded its investigation into the incident in which the Clop ransomware gang used CVE-2023-0669, a zero-day vulnerability in the GoAnywhere MFT system, to steal data from more than a hundred businesses.

The problem became public after Fortra informed customers of the serious GoAnywhere remote code execution vulnerability on February 3, 2023.

A working exploit was published shortly afterwards, on February 6, 2023, raising the possibility that other threat actors would use it. Fortra made the security patch for the zero-day available a day later and advised all users to apply it.

The GoAnywhere MFT problem was used by the Clop ransomware gang to steal the data for 130 businesses, according to a report by BleepingComputer on February 10th, 2023.

BleepingComputer made multiple attempts to get in touch with Fortra regarding the reported attacks and extortion attempts, but the software provider remained unresponsive.

Fortra has released a comprehensive timeline of what happened, approximately 1.5 months after the initial disclosure of the zero-day.


Have you heard? YouTube videos that use a highly evasive loader to distribute Aurora Stealer malware.

Three zero-click iPhone exploits were used by NSO Group to target human rights advocates.


According to the most recent discoveries from Citizen Lab, Israeli spyware maker NSO Group used at least three cutting-edge “zero-click” flaws against iPhones in 2022 to get past Apple’s defenses and install Pegasus.

According to the interdisciplinary laboratory housed at the University of Toronto, NSO Group clients regularly used at least three iOS 15 and iOS 16 zero-click attack chains against civil society targets throughout the world.

Pegasus is a sophisticated cyber weapon created by NSO Group that can collect sensitive data from a device in real-time, including messages, locations, photographs, and call logs, among other things. Typically, zero-click and/or zero-day exploits are used to deliver it to targeted iPhones.

It has been promoted as a tool for law enforcement authorities to combat severe crimes including child sexual abuse and terrorism, but it has also been illegally used by authoritarian governments to spy on human rights activists, proponents of democracy, journalists, dissidents, and others.

NSO Group was added to the U.S. government’s trade blocklist in late 2021 as a result of Pegasus’ abuse, and Apple later sued NSO Group for allegedly targeting its users.


Ransomware gangs use a Process Explorer driver to disable security software


Threat actors use the new hacking tool AuKill to disable Endpoint Detection & Response (EDR) software on targets' PCs before installing backdoors and ransomware, in Bring Your Own Vulnerable Driver (BYOVD) attacks.

Such attacks use genuine drivers that are signed with a valid certificate and capable of executing with kernel privileges to disable security features and seize control of the machine.

This method is common among a variety of threat actors, from state-sponsored hacking outfits to ransomware gangs with financial motives.

The AuKill malware, discovered by Sophos X-Ops security experts, places the vulnerable Windows driver from Microsoft Process Explorer v16.32 (procexp.sys) alongside itself.

This widely used and reliable tool assists in gathering data on running Windows processes.

It first checks whether it is already running with SYSTEM privileges; if not, it impersonates the TrustedInstaller (Windows Modules Installer) service to obtain them.

To disable security software, AuKill launches a number of threads that continuously scan for and terminate security processes and services, and keep them stopped by preventing them from restarting.

Hackers actively exploit a critical RCE flaw in PaperCut servers.

The maker of the print management software PaperCut is advising users to upgrade their installations right away, since hackers are actively exploiting bugs to break into exposed servers.

PaperCut's print management software supports all major platforms and printer brands. It is used by large businesses, government agencies, and educational institutions; the official website claims it serves hundreds of millions of people in over 100 countries.

The company says that on January 10, 2023 it received two reports from cybersecurity firm Trend Micro notifying it of a high-severity and a critical-severity problem affecting PaperCut MF/NG.

They are as follows: ZDI-CAN-18987 / PO-1216, ZDI-CAN-19226 / PO-1219.

The software maker updated its March 2023 security bulletin today to inform users that hackers are now actively exploiting the flaws.

The advisory states that as of April 18, 2023, "we have evidence to suggest that unpatched servers are being exploited in the wild," specifically via ZDI-CAN-18987 / PO-1216.

Trend Micro will release more details about the vulnerabilities on May 10, 2023, giving affected organizations time to install the security updates.

