As detailed in the full disclosure, all a hacker needs to get root-level remote code execution on a Mac computer is to intercept the ESET antivirus package's connection to its backend servers using a self-signed HTTPS certificate, put himself in as a man-in-the-middle (MITM) attacker, and exploit an XML library flaw.

The actual issue was related to a service named esets_daemon, which runs as root. The service is statically linked with an outdated version of the POCO XML parser library, version 1.4.6p1, released in March 2013. This POCO version is based on Expat XML parser library version 2.0.1 from 2007, which is affected by a publicly known XML parsing vulnerability (CVE-2016-0718) that could allow an attacker to execute arbitrary code via malicious XML content.

Now, when esets_daemon sent a request to its backend server during activation of the ESET Endpoint Antivirus product, an MITM attacker could intercept the request to deliver a malformed XML document using a self-signed HTTPS certificate. This triggers the CVE-2016-0718 flaw, which executes the malicious code with root privileges when esets_daemon parses the XML content. This attack was possible because the ESET antivirus did not validate the web server's certificate.

"Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an outdated XML parsing library and do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients."

Since the hacker controls the connection, they can send malicious content to the Mac computer in order to hijack the XML parser and execute code as root.

ESET addressed this vulnerability on February 21 by upgrading the POCO parsing library and by configuring its product to verify SSL certificates. The patch is made available in version 6.4.168.0 of ESET Endpoint Antivirus for macOS. The Google researchers have also released proof-of-concept (PoC) exploit code, which only shows how the ESET antivirus app can be made to crash.

So, make sure your antivirus package is patched up to date.

Indictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to distribute ransomware from three different strains or affiliate groups, including Babuk, Hive and LockBit. The indictments allege that on June 25, 2020, Matveev and his LockBit co-conspirators deployed LockBit ransomware against a law enforcement agency in Passaic County, New Jersey. Prosecutors say that on May 27, 2022, Matveev conspired with Hive to ransom a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on April 26, 2021, Matveev and his Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in Washington, D.C.

The U.S. Department of Treasury has added Matveev to its list of persons with whom it is illegal to transact financially. The U.S. State Department is offering a $10 million reward for the capture and/or prosecution of Matveev, although he is unlikely to face either as long as he continues to reside in Russia.

In a January 2021 discussion on a top Russian cybercrime forum, Matveev’s alleged alter ego Wazawaka said he had no plans to leave the protection of “Mother Russia,” and that traveling abroad was not an option for him. “Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”

In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old Mikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).

A month after that story ran, a man who appeared identical to the social media photos for Matveev began posting on Twitter a series of bizarre selfie videos in which he lashed out at security journalists and researchers (including this author), while using the same Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance. “Hello Brian Krebs! You did a really great job actually, really well, fucking great - it’s great that journalism works so well in the US,” Matveev said in one of the videos.