Vulnerabilities - Tech Insight (https://techinsight.net). Our mission is to keep you informed about the latest developments, trends, and breakthroughs in the tech world, from cutting-edge gadgets and groundbreaking software innovations to cybersecurity and artificial intelligence advancements. Thu, 28 Sep 2023 13:48:54 +0000

Cybercriminals Exploit WinRAR Zero-Day to Steal Trader Funds
https://techinsight.net/compliance-and-risk/cybercriminals-exploit-winrar-zero-day-to-steal-trader-funds/
Thu, 28 Sep 2023 13:48:54 +0000

Cybercriminals Exploit Zero-Day Vulnerability in WinRAR to Steal Trader Funds

In a disconcerting revelation, cybersecurity firm Group-IB has unearthed a brazen cybercrime tactic involving the exploitation of a zero-day vulnerability within the popular archiving software, WinRAR. These audacious attacks are specifically engineered to target traders, with the aim of illicitly siphoning off their funds.

The WinRAR Vulnerability Unveiled

The vulnerability, first detected in June, pertains to how WinRAR handles ZIP file formats. A “zero-day” vulnerability denotes an unpatched security flaw that cybercriminals can exploit before the software vendor has had a chance to rectify it.

Exploiting this loophole, cunning hackers implant malicious scripts into archive files masquerading as common formats, like “.jpg” or “.txt”. This astute camouflage enables them to slip past victims’ defences and wreak havoc undetected.

Widespread Exploitation via Trading Forums

According to Group-IB, hackers began exploiting this vulnerability as early as April, distributing their nefarious ZIP archives on specific trading forums. At least eight forums, dedicated to trading, investment, and cryptocurrency-related discussions, have reportedly witnessed the posting of these malicious files. For security reasons, Group-IB has refrained from disclosing the names of these targeted forums.

Can Forums Counter these Cyberattacks?

In an effort to combat this menace, some forum administrators have issued warnings to their users upon learning of the malicious files. However, this is not a foolproof solution. Group-IB discovered that hackers could regain access to disabled accounts, enabling them to continue their malicious activities through forum threads or private messages.

Upon opening one of these virus-laden files, the attackers gain access to victims’ brokerage accounts, where they execute unauthorized financial transactions, posing a grave threat to financial security.

Count of Victims and Financial Losses

At present, Group-IB reports that more than 130 traders have fallen victim to these attacks. However, it remains unclear how substantial the financial losses have been or whether any successful withdrawals were made.

The Culprits Behind the Exploitation

While the identities of the hackers remain unknown, Group-IB noted the use of the DarkMe trojan, a malware strain previously associated with the “Evilnum” threat group. This group has a track record of targeting financial institutions and online trading platforms across the UK and Europe. Nevertheless, it remains unconfirmed whether this specific group is responsible for the ongoing attack.

Group-IB’s Alert and WinRAR Response

Group-IB promptly alerted Rarlab, the developer of WinRAR, about the vulnerability, designated as CVE-2023-38831. Rarlab responded by releasing an updated WinRAR version (6.23) on August 2, designed to patch the issue.

This discovery serves as a stark reminder of the ever-present cybersecurity threats that continue to evolve and target unsuspecting victims. Traders and forum users are urged to exercise utmost caution when handling archive files and to keep their software and systems up to date to minimize such risks.

OneLogin: Another One Bites the Dust
https://techinsight.net/cloud-edge/cloud/onelogin-another-one-bites-dust/
Sun, 05 Mar 2023 17:09:42 +0000 (originally published at https://techinsight.net/2017/06/another-one-bites-dust/)

The 1980 Queen hit ‘Another One Bites the Dust’ was an anthem for the 80s generation. But it also happens to describe security systems nearly 40 years later. After the massive ransomware attack last week (‘WannaCry’), and Android iOS breach (‘Judy’), another critical breach has been reported by the access management service (AMS) OneLogin.

OneLogin is a major player in the AMS field. They provide password management for enterprise-level clientele. The service is attractive to this client base because it provides a single sign-on (SSO) cloud solution for both convenience and greater security. Their client list is impressive: AAA, Yelp, and Dell, to name a few. Their open source toolkits are used by more than three hundred vendors and seventy software-as-a-service (SaaS) vendors worldwide.

With all this corporate access information, no wonder OneLogin is a target for high-level hacking. Yesterday the company announced that a major malicious attack had occurred on their US operations. The attacker was able to access the AWS API and create a number of instances within the infrastructure. The hacker had seven hours of uninterrupted access.

The company is still determining the extent of the breach, but its announcement did indicate that some very serious events had occurred. It appears that the attacker was able to access information about the company’s users, including various types of keys, and, far more concerning, was able to decrypt data at rest within the archives. This means that the actor was able to reach the highest level of security, and that OneLogin had apparently left a gaping hole in its system, allowing its end-to-end encryption to be breached. A breach of this sort indicates a substantial concern within the OneLogin system that will draw attention at the highest levels.

The company has provided a guide for securing data that has been breached, which, no doubt, occupied a substantial part of the corporate IT world this morning. However, the guide simply provides 11 steps for re-securing breached data; that does not mean that the hacker, with seven hours of access, has not already obtained and decrypted whatever data was present. At the enterprise level, this is the equivalent of breaking into the CEO’s office and rifling through his desk and personal files for seven hours. It’s not good.

This is not the first attack on OneLogin. A previous hack had compromised a substantial amount of data, but encryption was never broken. This current attack has led some in the security world to question how best to secure high-level corporate data, given the increasing capability of attackers. Companies would be wise to research different methodologies (both in-house and third-party), and to identify deeper levels of security risk than the company’s home page suggests. OneLogin is a high-level security system, and such a hack should make other IT professionals question whether safety is even possible at this point. As the Queen ballad reminds us, no one is safe.
