
Gh0stCringe Malware Targets Microsoft SQL, MySQL Servers

Hackers are targeting Microsoft SQL and MySQL database servers to deploy the Gh0stCringe remote access trojan on vulnerable devices. Gh0stCringe (also known as CirenegRAT) is a variant of the Gh0stRAT malware; it was most recently deployed in 2020 Chinese cyber-espionage operations but dates back to 2018. Security researchers have found that the Gh0stCringe threat actors are targeting database servers with weak account credentials and no oversight, which could lead to more victims.

As reported by BleepingComputer (see the source below), the threat actors are breaching the database servers and using the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes to write the malicious ‘mcsql.exe’ executable to disk.

https://asec.ahnlab.com/en/32572/

Gh0stCringe was developed from the publicly released source code of Gh0st RAT. The comparison below shows the differences between the two:

https://asec.ahnlab.com/en/32572/

The malware can be deployed with specific settings that control its functions, as detailed below:

  • Self-copy [On/Off]: If turned on, the malware copies itself to a certain path depending on the mode.
  • Mode of execution [Mode]: Can take the values 0, 1, and 2. See below for explanations of the modes.
  • File size change [Size]: In Mode #2, the malware copies itself to the path ‘%ProgramFiles%\Cccogae.exe’, and if a value is set, it appends junk data of the designated size to the end of the file.
  • Analysis disruption technique [On/Off]: Obtains the PID of its parent process and of the explorer.exe process. If the result is 0, the malware terminates itself.
  • Keylogger [On/Off]: If turned on, a keylogging thread runs.
  • Rundll32 process termination [On/Off]: If turned on, executes the ‘taskkill /f /im rundll32.exe’ command to terminate any running rundll32 process.
  • Self-copy file property [Attr]: Sets the file attributes to read-only, hidden, and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).
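The behaviours listed above give defenders several concrete things to look for in endpoint telemetry: a database engine process (mysqld.exe, mysqld-nt.exe, sqlserver.exe) writing or launching mcsql.exe, the ‘taskkill /f /im rundll32.exe’ command line, and a file named Cccogae.exe under Program Files carrying the read-only, hidden and system attributes together. The following Python script is an added example written for this post; it is not code from ASEC, BleepingComputer or the malware itself. The event records it scans are constructed, Sysmon-like dictionaries whose field names (`type`, `image`, `parent_image`, `cmdline`, `target`, `path`, `attributes`) are an assumption of the example; only the indicator values come from the post.

```python
"""Hunt for the Gh0stCringe indicators described in the post.

Added example, not code from the ASEC or BleepingComputer write-ups. The
telemetry below is constructed and the record layout is assumed; the
indicators (database engine processes dropping mcsql.exe, the rundll32
taskkill command, the %ProgramFiles%\\Cccogae.exe copy with RHS attributes)
are taken from the post.
"""
import ntpath

# Database engine processes the post names as the writers of mcsql.exe.
DB_PARENTS = {"mysqld.exe", "mysqld-nt.exe", "sqlserver.exe"}
DROPPED_NAME = "mcsql.exe"
SELF_COPY_NAME = "cccogae.exe"

# Win32 file attribute constants (documented values).
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
RHS_MASK = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def _name(path):
    """Lower-cased final component of a Windows path, quotes removed."""
    return ntpath.basename(path.strip('"')).lower()


def is_rundll32_taskkill(cmdline):
    """True for 'taskkill /f /im rundll32.exe' in any argument order or case."""
    tokens = [t.strip('"').lower() for t in cmdline.split()]
    if not tokens or _name(tokens[0]) not in {"taskkill", "taskkill.exe"}:
        return False
    has_force = "/f" in tokens
    targets = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "/im"]
    return has_force and "rundll32.exe" in targets


def in_program_files(path):
    """True if the file sits directly under a Program Files directory."""
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return _name(parent) in {"program files", "program files (x86)"}


def hunt(events):
    """Return (rule_name, event_index) pairs for events matching an indicator."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "file_create":
            # A database engine writing mcsql.exe to disk.
            if _name(ev["image"]) in DB_PARENTS and _name(ev["target"]) == DROPPED_NAME:
                findings.append(("db_engine_writes_mcsql", i))
        elif kind == "process_create":
            # A database engine launching the dropped executable.
            if _name(ev["parent_image"]) in DB_PARENTS and _name(ev["image"]) == DROPPED_NAME:
                findings.append(("db_engine_spawns_mcsql", i))
            # The rundll32 termination option from the malware's settings.
            if is_rundll32_taskkill(ev["cmdline"]):
                findings.append(("rundll32_taskkill", i))
        elif kind == "file_attr":
            # The Mode #2 self-copy with read-only|hidden|system set together.
            if (_name(ev["path"]) == SELF_COPY_NAME and in_program_files(ev["path"])
                    and (ev["attributes"] & RHS_MASK) == RHS_MASK):
                findings.append(("self_copy_rhs_attributes", i))
    return findings


# Constructed sample telemetry: four malicious records mixed with benign ones.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\MySQL\bin\mysqld.exe",
     "target": r"C:\Windows\Temp\mcsql.exe"},
    {"type": "file_create", "image": r"C:\Program Files\MSSQL\Binn\sqlserver.exe",
     "target": r"D:\Data\master.mdf"},                       # benign: database file
    {"type": "process_create", "image": r"C:\Windows\Temp\mcsql.exe",
     "parent_image": r"C:\Program Files\MSSQL\Binn\sqlserver.exe",
     "cmdline": r"C:\Windows\Temp\mcsql.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\Temp\mcsql.exe",
     "cmdline": "taskkill /f /im rundll32.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "taskkill /im notepad.exe"},                  # benign: no /f, other target
    {"type": "file_attr", "path": r"C:\Program Files\Cccogae.exe", "attributes": 0x27},
    {"type": "file_attr", "path": r"C:\Program Files\7-Zip\7z.exe", "attributes": 0x20},
]

if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule}: event #{idx} -> {SAMPLE_EVENTS[idx]}")
```

On the constructed sample the script flags events 0, 2, 3 and 5 and leaves the benign database-file write, the unrelated taskkill and the normally attributed binary alone. The attribute check uses a mask rather than an equality test because a real on-disk copy may also carry bits such as ARCHIVE (0x20), as in the sample value 0x27.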

References:

  • https://asec.ahnlab.com/en/32572/
  • https://www.bleepingcomputer.com/news/security/unsecured-microsoft-sql-mysql-servers-hit-by-gh0stcringe-malware/

After NVIDIA, Lapsus$ Leak 190GB of Alleged Samsung Data, Source Code

The leak of Samsung smartphone data has been making headlines lately. According to BleepingComputer, a South American hacking group called Lapsus$ uploaded a trove on Friday that it claims includes information from the smartphone manufacturer.

The leak of this sensitive data could cause a significant problem for Samsung. The collective has obtained bootloader sources for all recent devices and code related to highly personal features such as biometric authentication and on-device encryption. It also says the trove includes confidential information from Qualcomm. The dump is approximately 190 GB in size and is actively being shared via torrent. According to The Korea Herald, Samsung is assessing the situation.

BleepingComputer's article provides a list of the leaked segments.

Lapsus$ is the same data extortion group that was involved in NVIDIA’s data breach. According to Vx-underground, Lapsus$ says it obtained approximately 1 TB of confidential information from the GPU designer, including schematics and driver source code.

References:

  • http://www.koreaherald.com/view.php?ud=20220305000115
  • https://www.bleepingcomputer.com/news/security/hackers-leak-190gb-of-alleged-samsung-data-source-code/
  • https://www.engadget.com/samsung-lapsus-leak-181517961.html

NVIDIA Bites Back At Its Recent CyberAttack Hackers

The recent cyberattack on Nvidia may have been carried out by the South American hacker group Lapsus$. Vx-underground reports that Nvidia retaliated by sneaking back into the hackers’ system and encrypting all of the stolen data.

With a market cap near 600 billion dollars, Nvidia is the most valuable chipmaker in America. It specializes in producing graphics processing units (GPUs) for video gaming and advanced computer simulations.

The Lapsus$ hacker group in South America illegally tapped into Nvidia’s mail server and installed malware on the software distribution system. Last week, Lapsus$ announced that it had stolen 1 TB of Nvidia data and threatened to leak sensitive information about employees. The group also shared screenshots as proof, but they were not definitive; we may never know whether the claim was true, as there could be any number of reasons why those posts went up.

Amid the recent increase in ransomware attacks, it seems that Nvidia identified these hackers. According to Vx-underground’s Twitter post, backed by screenshots, Nvidia encrypted the group’s system after the group had infected Nvidia with malware for profit and stolen its data.

References:

  • https://www.tomshardware.com/news/nvidia-allegedly-hacks-hackers-who-stole-companys-data
  • https://www.techspot.com/news/93568-nvidia-allegedly-hacked-hackers-stole-data-back.html
  • https://www.pcmag.com/news/nvidia-investigates-potential-ransomware-incident
  • https://www.techtimes.com/articles/272350/20220227/nvidia-hackers-allegedly-hacked-back-by-nvidia-data-un-stolen.html
  • https://www.reuters.com/technology/chipmaker-nvidia-investigating-potential-cyberattack-report-2022-02-25/