Invisible Threats: SSID Confusion, Kimsuky, Malware

The Daily Decrypt
The Daily Decrypt
Invisible Threats: SSID Confusion, Kimsuky, Malware
Loading
/

In today’s episode, researchers unveiled a new security vulnerability dubbed SSID Confusion attack exploiting a flaw in the IEEE 802.11 Wi-Fi standard, allowing malicious actors to manipulate victims into connecting to rogue networks to eavesdrop on their traffic. The breach forum known as BreachForums was seized by law enforcement agencies, marking the second takedown within a year. Also, the Kimsuky hacking group has launched a social engineering attack targeting activists in North Korea and anti-North Korea sectors by impersonating individuals on Facebook Messenger to distribute malware. The episode further delves into the sophisticated malware that infected the Linux kernel.org infrastructure for two years, compromising encrypted password data and providing insights into the propagation tactics employed by the malware. Original URLs:

1. https://thehackernews.com/2024/05/new-wi-fi-vulnerability-enabling.html

2. https://thehackernews.com/2024/05/fbi-seizes-breachforums-again-urges.html

3. https://thehackernews.com/2024/05/north-korean-hackers-exploit-facebook.html

4. https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/

Search phrases: 1. Preventing SSID Confusion attack 2. Protecting network traffic from Wi-Fi spoofing 3. Law enforcement takedown of cybercrime forums 4. Fate of Baphomet and ShinyHunters 5. Kimsuky hacking group tactics 6. Social engineering attacks on Facebook Messenger 7. Malware targeting North Korean activists 8. Linux malware infection 9. Ebury malware impact on network security 10. Minimizing Ebury malware spread

[00:00:00] A new security vulnerability known as the SSI D confusion attack manipulates devices, and to connecting to a different, less secure network than intended. Potentially exposing users, traffic. How can the SSI D confusion attack be prevented? And what steps should users take to protect their network traffic from being intercepted through wifi spoofing.

 Law enforcement agencies in collaboration with the FBI and international partners from Australia, Iceland, New Zealand, Switzerland, the UK and Ukraine have taken down the cyber crime forum breach forums for the second time.

 The Kim Suki hacking group is leveraging fake Facebook accounts to launch social engineering attacks via messenger. Targeting activists in the north Korean human rights and anti north Korean sectors with malware delivered through decoy documents.

 The Linux operating systems, Colonel infrastructure was infected by malware revealing the theft of encrypted password data from over [00:01:00] 550 system users and allowing attackers to send spam from the servers.

How can organizations minimize the spread and impact of the Ebery malware to prevent disruptions to the network security?

 You’re listening to the daily decrypt.

 Imagine connecting to your trusted wifi network only to find out later that an attacker intercepted your traffic.

Wifi is pretty important technology. Allows us to connect our devices to the internet wirelessly. We rely on different.

Coffee shops, vendor locations to connect to the internet and maybe in some areas where we are. Sell services. And to reliable, we’ll use local wifi. I often have to use target wifi because the target in my area is in a cellular dead zone. So it’s pretty crucial for. Day-to-day lives.

The SSI de confusion attack impacts all operating systems and wifi clients, including home and mesh networks using WEP w P a 3 8 [00:02:00] 0 2 11 X E a P and a M P E protocols. That’s a lot of jargon for all the different security standards that come with wifi. The method involves downgrading victims to a less secure network by spoofing a trusted network name or SSI D so attackers can intercept to their traffic to carry out further attacks.

Now the SSI D stands for service set identifier, essentially the name of a wifi network.

It helps devices recognize and connect to the correct network. However, the wifi standard doesn’t require the SSI D to always be authenticated, which is where the vulnerability comes in. Attackers can deceive a client into connecting to an untrusted wifi network instead of the intended one by staging an adversary in the middle or AIT M attack. For example. When the victim wants to connect to a network named trusted net. The attacker tricks it into connecting to a network called wrong net. With similar credentials. The victim’s device shows it’s [00:03:00] connected to trusted net while it’s actually connected to wrong net. And AIT M attack the adversary in the middle. Is where an attacker secretly intercepts and possibly alters the communications between two parties who believe they are directly communicating with each other.

This allows the attacker to eavesdrop on or manipulate the communication.

A successful SSI, D confusion attack can also disable any VPN that automatically turns off on trusted networks. Exposing the victims, traffic. The prerequisite for pulling off this attack include the victim, wanting to connect to a trusted wifi network. The presence of a rogue network with the same authentication credentials and the attacker being within range to perform the AETM attack. To counter SSI D confusion proposed mitigations include updating the 8 0 2 11 wifi standard to incorporate the SSI D as part of the four way handshake when connecting to product protected networks. Improvements to beacon protection can also help beacons or management frames that a wireless access point [00:04:00] transmits to announce its presence and capabilities. Networks can avoid this attack by not reusing credentials across SSI, DS. And by using unique passwords.

The main takeaways from this are to really just ensure that your wifi network has a unique SSI. D again, that’s the network name? That is not commonly used by default configurations or routers. So basically just avoid using the generic names like home net gear, LyncSys bell connect, whatever. Your ISP might utilize.

And then of course, go in and change those passwords and use something unique for your networks. Additionally always make sure that your devices are up to date.

Regularly patch, any routers or wifi access points that you have within your systems, along with your personal devices, anything that is going to be connecting to wifi? Now your exposure for home network is probably a bit more limited, but. As you’re out roaming and going to different areas. One of the things to keep in mind is maybe make sure that your phone has auto connect turned off for any wifi. That is outside of your [00:05:00] house or place of business.

This way, it gives you an opportunity to actually look at the network and verify its authenticity.

And of course, double check those SSI D names. That’s a big one with a lot of these.

I had actually came across my first Rogue wifi. Out in the wild. A couple months back, I was traveling, so I wasn’t even in my home. State. And I went to a coffee shop that I was familiar with. And sat down to get some work done.

Open on my laptop and starting looking at the wifi networks. And I noticed, of course, there’s the coffee shop that I was at. And it was password protected. And then there was. Another access point for a store that was right next, next door.

And it had the name in the SSI D spelled correctly. Then there was another access point. For the same store, however. The eye in the store, his name was replaced with an exclamation mark, mark. And it was the [00:06:00] strongest Wi-Fi. Access point available and it did not have a password. Safe to assume that was the rogue access point.

Unfortunately, I couldn’t get in touch with anybody at the store, but.

Just It exists out there and you do need to be vigilant, pay attention to those wifi names. In addition to that, if you are connecting to wifi, If you have the capabilities you use a VPN, make sure that is set up and running. And then another step is if you’re ever in a public location using wifi and a website that you’re visiting pops up with that certificate error. That you’re probably familiar with. Do not click through it. That is the biggest red flag.

When you’re in a public area using someone else’s wifi, not immediately means that they could be intercepting your traffic.

And other news law enforcement agencies, including the us FBI and [00:07:00] international partners have seized control of a breach forums platform for the second time in a year, replacing the website with a seizure banner and the collaborative effort involved authorities from Australia, Iceland, New Zealand, Switzerland, the UK, the us and Ukraine. Indicating a global response to cyber crime. Following the arrest of the previous administrator Connor, Brian Fitzpatrick. Bafflement took over. As the forums administrator with the FBI now controlling the associated telegram channel as well. The FBI is actively seeking information on cyber criminal activities related to breech forums, encouraging individuals to report any relevant details to assist in ongoing investigations. While it remains unclear whether Baffin Mont and shiny hunters, another administrator have been arrested the seizure banner with features their profile pictures with a depiction of them behind bars. Breech forum served as a marketplace for cybercriminals to engage in illicit activities, such as trading stolen data access devices. [00:08:00] Identification means hacking tools, breach database, and other illegal services.

The history of breach forums includes its emergence in 2022.

After the takedown of raid forums. Followed by a shutdown in 2023 and a subsequent resurgence under new management before the recent law enforcement intervention.

The hacking group, LinkedIn North Korea has launched a new social engineering attack using fake Facebook accounts to target individuals via messenger and distribute malware.

The attack involves creating a Facebook account, impersonating a public official in the north Korean human rights field to deceive activists in the north Korean human rights and anti north Korean sectors.

Unlike traditional spear fishing through emails. This campaign uses Facebook messenger to trick targets and to opening. Seemingly private documents hosted on one drive disguised as Microsoft common console documents. The decoy [00:09:00] docs appear as essays or content related to trilateral summit between Japan, South Korea in the U S potentially indicating a focus on targeting specific individuals in Japan and South Korea. By using uncommon MSC files and disguising them as innocuous word files come Suki aims to evade detection and increase the chances of infecting victims.

Once malicious documents are opened.

Victims who launched the MSC file are and agree to open it. Using Microsoft management console are shown a console screen containing a word document that triggers the attack sequence. Establishing a connection with an adversary controlled server to exfiltrate information. The command and control server can harvest IP addresses, user agent strings, timestamp info, and deliver additional payloads aligning with prior Kim Suki activities, such as the distribution of recon shark malware. South Korean cybersecurity company, Jenny ans highlighted the rise of personalized [00:10:00] social media attacks, emphasizing the importance of early detection to mitigate the impact of such targeted threats. That may go undetected by traditional security monitoring.

For those of you tech enthusiasts and cybersecurity professionals out there. I think one of the things that was brought up a lot in my early studies anyways, was how secure and reliable Linux is. And.

Not a lot of malware was targeting Linux.

And if you didn’t already figure it out, that is. Far from the truth. And especially dating back to 2009 to 2011. There was a hidden bank door within the Linux operating system that went undetected for years.

This story from ARS Technica discusses, some malware that was affecting over 400,000 Linux systems. Between 2009 and 2011, the central hub for [00:11:00] Linux development. colonel.org was infiltrated. The breach compromise, encrypted passwords of over 550 users, enabling attackers to control the servers and carry out malicious activity. Linux is an open source operating system that powers everything from servers to smartphones. It’s critical for maintaining the backbone of the internet and many other digital services. The attackers targeted the Etsy shadow files. Which store encrypted passwords. By cracking these encrypted passwords, they accessed and controlled the servers, sending spam and conducting other nefarious activities.

The NC shadow file store encrypted passwords for user accounts.

If these are compromised, attackers can potentially decrypt the passwords and gain on authorized access to systems. The malware dubbed Ebery. Created a backdoor in open SSH, allowing remote access without valid passwords. This infection spread to 25,000 servers in less than two years. [00:12:00] Highlighting the malware’s extensive reach and impact. Open SSH is a suite of secure networking utilities based on secure shell SSH protocol.

It’s used to secure remote connections.

By compromising open SSH, the attackers could intercept credentials and spread the infection to other systems. The malware was sophisticated, installing root kits, like phalanx and backdoors, , which were hard to detect.

These tools allowed the attackers to maintain control and avoid detection by traditional security measures.

Rootkits are collections of software tools that enable unauthorized access to a computer or network often hiding their presence or the presence of other malware in general, refers to a malicious software designed to disrupt damage or gain unauthorized access to computer systems for two years, the attackers quietly harvested passwords and controlled key servers within the Linux development network. Despite the severity of this breach, the full extent wasn’t known until much later. In 2014, Essent researchers [00:13:00] discovered that the Avery malware had a far reaching impact, infecting not only Linux, but also free BSD, open BSD Sonoma, west servers, and even one Mac. The malware’s ability to spread and its continuous evolution over the years, underscore is potency. The Linux community renowned for its security and transparency faced a significant challenge.

The infection of colonel.org demonstrated that even the most secure systems are not immune to sophisticated cyber threats.

The Avery malware has proven to be a formidable adversary, exploiting weaknesses and systems that many believe to be secure as we move forward. It’s crucial for both individuals and organizations to remain aware of the evolving landscape of cyber security threats and to implement robust security measures to protect their digital assets. [00:14:00]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.