COVID-19 decoy doc, Cloudflare tools used to spread Blackwater malware


Researchers have uncovered a new malware campaign that uses the COVID-19 pandemic as a lure, and also abuses platform-as-a-service web infrastructure tools to apparently thwart attempts at blocking command-and-control communications.

Dubbed BlackWater, the backdoor malware specifically takes advantage of Cloudflare Workers, an offering of Cloudflare, a popular provider of content delivery network, DDoS mitigation and internet security services to website operators. As Cloudflare explains on its own website, Cloudflare Workers offer a “lightweight JavaScript execution environment that allows developers to augment existing applications or create entirely new ones without configuring or maintaining infrastructure.”

These JavaScript programs enable serverless functions to run directly on Cloudflare’s edge, as close as possible to the end user, where they interact with connections from remote web clients, BleepingComputer explains in a report on the BlackWater threat, citing research from the MalwareHunterTeam. Under normal conditions, Workers can be used to modify a website’s HTTP requests and responses, make parallel requests and disable Cloudflare features. But malicious actors are now also using them to act as a C2 server, or at minimum as a proxy that fronts a ReactJS Strapi app which itself performs the role of a back-end C2 server. BlackWater does this by using a command line to connect to the Cloudflare Worker over attacker-established domains.

SC Media contacted Cloudflare for comment and received the following response: “Cloudflare took immediate action to shut down the malicious domains as soon as we were made aware.”

SentinelLabs researcher Vitali Kremez told BleepingComputer that the attackers likely chose this technique because “it returns back the legit Cloudflare proxy IP, which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2.”

The malware is delivered via a RAR file, most likely distributed as an attachment in an email phishing campaign, that appears to contain information about the novel coronavirus in the form of a Word document. But the file is actually an executable that, upon activation, extracts a decoy Word doc that serves as a distraction while the backdoor is installed.
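A defender-side check for the delivery trick just described (an executable posing as a Word document inside an archive), written here as an added example and not code from the article or the researchers it cites. The archive member list, the file names and the minimal MZ/PE stub are constructed sample data; in practice the members would come from whatever unpacks the attachment at the mail gateway or sandbox.

```python
import struct

# Added example (not from the article): flag archive members that claim to be
# documents but actually carry a Windows executable, the lure pattern described above.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx (OOXML is a zip container)
DOC_EXTENSIONS = (".doc", ".docx", ".rtf", ".pdf")

def sniff(data: bytes) -> str:
    """Classify content by its magic bytes, never by the name the sender chose."""
    if data.startswith(PE_MAGIC) and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew -> "PE\0\0"
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole-document"
    if data.startswith(ZIP_MAGIC):
        return "zip-container"
    return "unknown"

def assess_member(name: str, data: bytes) -> dict:
    """Return the sniffed type plus the reasons (if any) the member looks like a lure."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    reasons = []
    if kind == "pe" and ext in DOC_EXTENSIONS:
        reasons.append("document extension but PE content")
    if kind == "pe" and len(parts) >= 3 and "." + parts[-2] in DOC_EXTENSIONS:
        reasons.append("double extension hides an executable")
    return {"name": name, "type": kind, "suspicious": bool(reasons), "reasons": reasons}

def scan_members(members) -> list:
    """members: iterable of (name, bytes) pairs; returns only the suspicious verdicts."""
    return [v for v in (assess_member(n, d) for n, d in members) if v["suspicious"]]

# Constructed sample data: a minimal MZ/PE stub and an OOXML-looking header.
_stub = bytearray(0x44)
_stub[0:2], _stub[0x3C:0x40], _stub[0x40:0x44] = PE_MAGIC, struct.pack("<I", 0x40), b"PE\x00\x00"
FAKE_PE = bytes(_stub)
FAKE_DOCX = ZIP_MAGIC + b"\x00" * 26
SAMPLE_ARCHIVE = [
    ("COVID-19 guidance for parents.doc.exe", FAKE_PE),  # the disguised executable
    ("school_update.docx", FAKE_DOCX),                    # a genuine-looking document
]

if __name__ == "__main__":
    for verdict in scan_members(SAMPLE_ARCHIVE):
        print(verdict)
```

The magic-byte check is what matters: a renamed executable keeps its MZ/PE header no matter what extension or icon the attacker gives it.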

The decoy doc observed by MalwareHunterTeam purports to be from the Wessex Learning Trust, a British general secondary education conglomerate, and appears to contain details and instructions for parents and students.

“This is a good example of the power of using Platform-as-a-Service to build code. Unfortunately, it is a malicious example,” said Chris Morales, head of security analytics at Vectra, to SC Media. “CloudFlare was built to support code for remote access just like this. And yes, by running on a Platform as a Service, it makes it difficult to block without stopping access to the entire cloud platform as traffic is legitimate traffic from the site.”

“What this tells me is that the PaaS providers still have a ways to go in ensuring their platforms are not used for malicious means. They need to provide better auditing of the code run on their services and back end,” Morales continued. “Amusingly the Cloudflare website espouses the security benefits of using service workers on the edge and the security of JavaScript. What they did not account for is this code being used against people in a way it was designed for.”

Joseph Carson, chief security scientist and advisory CISO at Thycotic, told SC Media that it’s especially important during times of crisis to “always be vigilant and suspicious of any attachments, even when they appear to be coming from legitimate sources.”

“The best way to reduce the risks of such threats is for companies to practice the principle of least privilege,” he added.
