All a sudden there's this little red icon of a microphone in the top left corner of my screen and a little black and white microphone icon it my system tray. No process in task viewer. No startup app. Can't click either of them.
If it's #malware, it's a little obvious. I don't even have a microphone plugged into this PC.
A recent advisory from the Dutch #MIVD & #AIVD has exposed a new threat lurking within #FortiGate appliances: the #COATHANGER malware, a remote access trojan (RAT) that's as elusive as it is persistent. Here are the highlights taken from their released TLP-CLEAR advisory:
Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances.
refer to the malware as COATHANGER based on a string present in the code.
It hides itself by hooking system calls that could reveal its presence.
It survives reboots and firmware upgrades. Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.
high confidence that the malicious activity was conducted by a statesponsored actor from the People’s Republic of China
The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
initial access occurred through exploitation of the CVE-2022-42475 vulnerability
Although this incident started with abuse of CVE-2022- 42475, the COATHANGER malware could conceivably be used in combination with any present or future software vulnerability in FortiGate devices.
MIVD & AIVD refer to this RAT as COATHANGER. The name is derived from the peculiar phrase that the malware uses to encrypt the configuration on disk: ‘She took his coat and hung it up’.
Please note that second-stage malware like COATHANGER are used in tandem with a vulnerability: the malware is used for persistence to a victim network after the actor gained access.
The implant connects back periodically to a Command & Control server over SSL, providing a BusyBox reverse shell.
It hides itself by hooking most system calls that could reveal its presence, such as stat and opendir. It does so by replacing them for any process that is forced to load preload.so.
Section 3.2 of the PDF has a detailed description of how COATHANGER malware behaves and interacts.
Communication to the C2 server is done over a TLS tunnel. COATHANGER first sends the following request to the HTTP GET request to the C2 server: GET / HTTP/2nHost: www.google.comnn
The COATHANGER malware drops the following files;
/bin/smartctl or /data/bin/smartctl<br></br>/data2/.bd.key/authd<br></br>/data2/.bd.key/httpsd<br></br>/data2/.bd.key/newcli<br></br>/data2/.bd.key/preload.so<br></br>/data2/.bd.key/sh<br></br>/lib/liblog.so<br></br>
Several methods have been identified to detect COATHANGER implants. A script was released by them for automated detection HERE These include a YARA-rule, a JA3-hash, different CLI commands, file checksums and a network traffic heuristic.
Two YARA rules are provided for detection on the COATHANGER samples.
The COATHANGER implant communicates to the C2 server using TLS. This TLS connection is fingerprintable using the following JA3-hash: 339f6adf54e6076d069dcaac54fddc25
With access to the CLI of a FortiGate device, the presence of COATHANGER can be detected in three ways.
Check if the files /bin/smartctl or /data/bin/smartctl exist and inspect the timestamps of smartctl and other files in the same directory. If smartctl was modified later than the majority of other files or is not a symlink, it is likely that the smartctl binary was tampered with.
Use the following command:
fnsysctl ls -la /bin<br></br>fnsysctl ls -la /data/bin<br></br>
The following command shows a list of active TCP sockets. Whenever the FortiGate device has internet access and the malware is active, the outgoing connection will appear in the results. Check the reputation of all outgoing contection IP's.diagnose sys tcpsock
The specific version of COATHANGER that this report describes uses the process name 'httpsd' to obfuscate itself. Therefore, any suspicious outgoing connections to external IP addresses from a process called httpsd is a strong indicator of the presence of COATHANGER:
The specific version of COATHANGER that this report describes uses the process name httpsd to obfuscate itself. All active processes can be listed using the following command:fnsysctl ps
Running the following command returns all PID's named 'httpsd'
diagnose sys process pidof httpsd<br></br>
Using the retrieved process IDs from the previous command yields process information for the processes named httpsd.
diagnose sys process dump <PID><br></br>
When the process has a GID set to 90, the device is infected with COATHANGER.
PSA: If you bought an Acemagic S1, maybe because of the Black Friday deal or the review on techstage.de: It comes preinstalled with malware, don't use the preinstalled OS under any circumstances. Change all your passwords now if you did.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #42/2023 is out! It includes the following and much more:
➝ 🔓 👀 Tracking Unauthorized Access to #Okta's Support System
➝ 🔓 🇯🇵 #Casio discloses #databreach impacting customers in 149 countries
➝ 🔓 🧬 Hacker leaks millions more #23andMe user records on #cybercrime forum
➝ 🔓 🇨🇳 D-Link confirms data breach after employee #phishing attack
➝ 🔓 💰 #Equifax Fined $13.5 Million Over 2017 Data Breach
➝ 🇺🇦 🧹 Ukrainian activists hack Trigona #ransomware gang, wipe servers
➝ 🇺🇸 🇰🇵 FBI: Thousands of Remote IT Workers Sent Wages to #NorthKorea to Help Fund Weapons Program
➝ 🇮🇳 ☁️ #India targets #Microsoft, #Amazon tech support #scammers in nationwide crackdown
➝ 🇵🇸 🇮🇷 #Hamas-linked app offers window into cyber infrastructure, possible links to Iran
➝ 👮🏻♂️ 🥷🏻 Police seize #RagnarLocker leak site
➝ 🇰🇵 North Korean Hackers Exploiting Recent #TeamCity Vulnerability
➝ 🇨🇳 🇷🇺 #China replaces #Russia as top #cyberthreat
➝ 🇺🇦 📡 CERT-UA Reports: 11 Ukrainian Telecom Providers Hit by Cyberattacks
➝ 🇫🇷 🇪🇸 #France frees the two biggest Spanish hackers
➝ 🇺🇸 ⚓️ Ex-Navy IT head gets 5 years for selling people’s data on #darkweb
➝ 🇨🇭 🗳️ #Switzerland’s e-voting system has predictable implementation blunder
➝ 🔓 🏭 Critical Vulnerabilities Expose #Weintek HMIs to Attacks
➝ 🔓 🏭 #Milesight Industrial Router #Vulnerability Possibly Exploited in Attacks
➝ 🦠 🇻🇳 Fake #Corsair job offers on #LinkedIn push #DarkGate malware
➝ 🦠 Google-hosted #malvertising leads to fake #Keepass site that looks genuine
➝ 🦠 💬 #Discord still a hotbed of #malware activity — Now APTs join the fun
➝ 🦠 🕵🏻♂️ SpyNote: Beware of This Android #Trojan that Records Audio and Phone Calls
➝ 🛍️ 🦠 #Android will now scan sideloaded apps for malware at install time
➝ 💬 🔐 #WhatsApp#passkeys on the way, but as usual, for Android first
➝ 🇷🇺 🗂️ Pro-Russian Hackers Exploiting Recent #WinRAR Vulnerability in New Campaign
➝ 🗓️ ❌ Signal Pours Cold Water on Zero-Day Exploit Rumors
➝ 🔓 💥 #Cisco warns of new #IOS XE #zeroday actively exploited in attacks
📚 This week's recommended reading is: "RTFM: Red Team Field Manual v2" by Ben Clark and Nicholas Downer
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #39/2023 is out! It includes the following and much more:
➝ 🔓 #GitHub repos bombarded by info-stealing commits masked as #Dependabot
➝ 🇯🇵 💸 #Sony Investigating After Hackers Offer to Sell Stolen Data
➝ 🔓 #BORN Ontario child registry #databreach affects 3.4 million people
➝ 🇭🇰 🔓 Personal data of 25,000 Hongkongers at risk after #cyberattack against consumer watchdog, up from earlier estimate of 8,000
➝ 🇺🇸 🔓 National Student Clearinghouse data breach impacts 890 #schools
➝ 🇨🇦 ✈️ #AirCanada discloses data breach of employee and 'certain records'
➝ 🇰🇵 🇪🇸 North Korean hackers posed as #Meta recruiter on #LinkedIn
➝ 👥 ShadowSyndicate: A New #Cybercrime Group Linked to 7 #Ransomware Families
➝ 🇷🇺 ✈️ Russian flight booking system suffers ‘massive’ cyberattack
➝ 🇨🇳 🇺🇸 Chinese hackers stole emails from US State Dept in #Microsoft breach, Senate staffer says
➝ 🇨🇳 Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
➝ 🇺🇦 🚀 Ukrainian Military Targeted in Phishing Campaign Leveraging #Drone Manuals
➝ 🥷🏻 💰 Hackers steal $200M from #crypto company #Mixin
➝ 🇳🇬 ⚖️ Nigerian man pleads guilty to attempted $6 million BEC email heist
➝ 🇺🇸 ⚖️ ShinyHunters member pleads guilty to $6 million in data theft damages
➝ 🇨🇳 #China-Linked Budworm Targeting Middle Eastern #Telco and Asian Government Agencies
➝ 🇨🇳 🚪 Backdoored firmware lets China state hackers control #routers with “magic packets”
➝ 🇺🇸 👮🏻♂️Security researcher warns of chilling effect after feds search phone at #airport
➝ 🦠 ❗️FBI Warns Organizations of Dual Ransomware, Wiper Attacks
➝ 🤖 🦠 #Bing Chat responses infiltrated by ads pushing #malware
➝ 🏥 🎣 Red Cross-Themed #Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors
➝ 🥷🏻 🐍 #SSH keys stolen by stream of malicious #PyPI and #npm packages
➝ 🏦 🎠 New Variant of #Banking#Trojan BBTok Targets Over 40 Latin American Banks
➝ 🦠 🚪 #Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics
➝ 🚀 #Sysdig Launches Realtime Attack Graph for Cloud Environments
➝ 🐛 📨 Critical vulnerabilities in #Exim threaten over 250k #email servers worldwide
➝ 🔓 Progress warns of maximum severity WS_FTP Server vulnerability
➝ 🩹 🔥 #Google fixes fifth actively exploited Chrome zero-day of 2023
➝ 🩹 🍏 #macOS 14 #Sonoma Patches 60 #Vulnerabilities
➝ 🩹 🦊 #Firefox 118 Patches High-Severity Vulnerabilities
➝ 🤫 ✅ Google quietly corrects previously submitted disclosure for critical #webp 0-day
➝ 👀 🇪🇬 0-days exploited by commercial surveillance vendor in #Egypt
📚 This week's recommended reading is: "Philosophy of Cybersecurity" by @LukaszOlejnik and Artur Kurasinski
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
Quanto denunciato da @marcocappato è gravissimo!
Esprimiamo tutta la nostra solidarietà e il nostro appoggio a uno dei pochissimi politici che siano stati in grado di smuovere il gelatinoso sistema politico italiano.
I #trojan di stato contro i dissidenti sono un crimine! https://youtu.be/KpPrKNUExeE?si=o-aWpMOW-gyUmfqm
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #26/2023 is out! It includes, but not only:
➝ 🦠 🇺🇸 Schools say US teachers’ retirement fund was breached by #MOVEit hackers
➝ 🇨🇳 🇺🇸 Chinese spy #balloon did not collect information over US, #Pentagon says
➝ 🇨🇳 🦠 #TSMC Says Supplier Hacked After #Ransomware Group Claims Attack on Chip Giant
➝ 🇷🇺 Russian Cybersecurity Executive Arrested for Alleged Role in 2012 Megahacks
➝ 🇷🇺 🛰️ Hackers attack Russian #satellite telecom provider, claim affiliation with #WagnerGroup
➝ 🇬🇧 ⚕️ More than a million #NHS patients’ details compromised after cyber attack
➝ 📊 🐛 #MITRE releases new list of top 25 most dangerous software #bugs
➝ 🇷🇺 Pro-Russia DDoSia hacktivist project sees 2,400% membership increase
➝ 💻 🛡️ #Brave Browser boosts privacy with new local resources restrictions
➝ 🦠 🏦 Anatsa Banking #Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland
➝ 🇺🇸 💵 White House releases cybersecurity budget priorities for FY 2025
➝ 🇺🇸 🇧🇷 8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses
➝ 🇬🇧 🔐 #Apple speaks out against bill that could mandate #CSAM scanning in iMessage
➝ 🇵🇭 2,700 People Tricked Into Working for Cybercrime Syndicates Rescued in #philippines
➝ 🇩🇪 ⚡️ #Siemens Energy confirms data breach after MOVEit data-theft attack
➝ 🕵🏻♂️ 📱 #LetMeSpy, a phone tracking app spying on thousands, says it was hacked
➝ 🦠 💰 Prominent #cryptocurrency exchange infected with previously unseen Mac #malware
➝ 🤖 📝 #LLMs and #IncidentResponse? It Starts with Summarization
➝ 🇺🇸 👨🏻🎓Hackers steal data of 45,000 New York City students in MOVEit breach
➝ 🇨🇦 ⛽️ Suncor Energy cyberattack impacts Petro-Canada gas stations
➝ 🦠 🕹️ Trojanized Super Mario Game Installer Spreads SupremeBot Malware
➝ 🇩🇪 💾 SSD missing from #SAP datacenter turns up on #eBay, sparking security investigation
Birth Anniversary of English #Biochemist Frederick Gowland Hopkins (1861). He was co-awarded the Nobel Prize in Physiology or Medicine in 1929 for the discovery of #Vitamins.
A #Trojan is a small celestial body (mostly asteroids) that shares the orbit of a larger one, remaining in a stable orbit approximately 60° ahead or behind the main body.
In the Solar System, most known trojans share the orbit of Jupiter. In other planetary orbits only nine Mars trojans, 28 Neptune trojans, two Uranus trojans, and a single Earth trojan, have been found to date.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #22/2023 is out! It includes, but not only:
➝ 🇺🇸 🪖 Air Force denies running simulation where AI drone “killed” its operator
➝ 🇺🇸 🏂 #Burton Snowboards discloses #databreach after February attack
➝ 🇺🇸 🧪 Enzo Biochem #Ransomware Attack Exposes Information of 2.5M Individuals
➝ 🧠 🤖 Introducing Charlotte AI, #CrowdStrike’s Generative AI Security Analyst
➝ 🐍 🦠 Malicious #PyPI Packages Using Compiled #Python Code to Bypass Detection
➝ 🇰🇵 🎠 N. Korean ScarCruft Hackers Exploit LNK Files to Spread #RokRAT
➝ 🦠 📱 New Zero-Click Hack Targets #iOS Users with Stealthy Root-Privilege #Malware
➝ 🇷🇺 🇺🇸 #Russia says U.S. accessed thousands of #Apple phones in spy plot
➝ 🇯🇵 🚗 #Toyota Discloses New Data Breach Involving Vehicle, Customer Information
➝ ☁️ 👻 Organizations Warned of #Salesforce ‘Ghost Sites’ Exposing Sensitive Information
➝ 🔐 👀 #Amazon faces $30 million fine over Ring, Alexa #privacy violations
➝ 🔐 🧱 Active Mirai Botnet Variant Exploiting #Zyxel Devices for #DDoS Attacks
➝ 🇷🇺 🇺🇦 Russia’s ‘Silicon Valley’ hit by cyberattack; Ukrainian group claims deep access
➝ 🦠 🤖 #Spyware Found in #GooglePlay Apps With Over 420 Million Downloads
➝ 🦠 🚪 #RomCom malware spread via Google Ads for #ChatGPT, GIMP, more
➝ 👛 Southeast Asian hacking crew racks up victims, rapidly expands criminal campaign
➝ 🍏 #Microsoft finds #macOS bug that lets hackers bypass SIP root restrictions
➝ 🦠 🚪 #Barracuda zero-day abused since 2022 to drop new malware, steal data
➝ 🇬🇷 Worst cyberattack in #Greece disrupts high school exams, causes political spat
➝ 🇮🇳 🎠 Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian #Android Users
➝ 🇺🇸 U.S. Department of Defense releases 2023 Cyber Strategy
➝ 📱☝🏻 New BrutePrint Attack Lets Attackers Unlock Smartphones with Fingerprint Brute-Force
➝ 🇯🇵 🎠 New GobRAT Remote Access #Trojan Targeting #Linux Routers in #Japan
➝ 🦠 📂 Clever ‘File Archiver In The Browser’ phishing trick uses #ZIP domains
📚 This week's recommended reading is: "Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks" by Scott J. Shapiro
Subscribe to the #newsletter to have it piping hot in your inbox every Sunday ⬇️
A New Banking Trojan on the Rise: TOITOIN Banking Trojan (heimdalsecurity.com)
TOITOIN is a new banking trojan active since 2023, and it targets businesses from Latin America, employing a multi-stage infection chain.