backdoor   855

New malware found using Google Drive as its command-and-control server
backdoor Trojan, called RogueRobin, which infects victims' computers by tricking them into opening a Microsoft Excel document containing embedded VBA macros, instead of exploiting any Windows zero-day vulnerability.

Enabling the macro drops a malicious text (.txt) file in the temporary directory and then leverages the legitimate 'regsvr32.exe' application to run it, eventually installing the RogueRobin backdoor, written in the C# programming language, on the compromised system.

The new malware campaign suggests that the APT hacking groups are shifting more towards abusing legitimate services for their command-and-control infrastructure to evade detection.

It should be noted that since VBA macros are a legitimate feature, most antivirus solutions do not flag any warning or block MS Office documents with VBA code.
cybersecurity  google  threathunting  malware  c2  backdoor  macro 
25 days ago by bwiese
Eastern European Banks Were Attacked Via Backdoors Directly Connected To Local Networks, Report Finds - Slashdot
After the cybercriminals entered an organization's building, connected a device to the local network and scanned the local network seeking to gain access to the resources, they proceeded to stage three. "Here they logged into the target system and used remote access software to retain access,"
wireless  backdoor  network  slashdot  banks 
10 weeks ago by bwiese
Intel Management Engine - Wikipedia
See the talk page. Intel's denial is a "non-denial denial".

Purism disables AMT, but unclear about ME.

See also
CPU  surveillance  backdoor  Intel  awareness 
10 weeks ago by dandv
maurosoria/dirsearch: Web path scanner
Web path scanner. Contribute to maurosoria/dirsearch development by creating an account on GitHub.
web  scanner  dir  buster  find  files  webapp  pentest  path  backups  backdoor 
12 weeks ago by plaxx
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg
Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline. Two of the senior Apple insiders say the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally. Government investigators were still chasing clues on their own when Amazon made its discovery and gave them access to sabotaged hardware, according to one U.S. official. This created an invaluable opportunity for intelligence agencies and the FBI—by then running a full investigation led by its cyber- and counterintelligence teams—to see what the chips looked like and how they worked.

The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow.

telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.

implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who’d been affected. Although the investigators couldn’t be sure they’d found every victim, a person familiar with the U.S. probe says they ultimately concluded that the number was almost 30 companies.

sophisticated designs than they’d previously encountered. In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached

Every Supermicro server, all 7,000 or so, was replaced in a matter of weeks, the senior insider says. (Apple denies that any servers were removed.) In 2016, Apple informed Supermicro that it was severing their relationship entirely—a decision a spokesman for Apple ascribed in response to Businessweek’s questions to an unrelated and relatively minor security incident. That August, Supermicro’s CEO, Liang, revealed that the company had lost two major customers.

A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories.
“You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge.
backdoor  china  motherboard  cybersecurity  supplychain  amazon 
october 2018 by bwiese