Broad cyber espionage operation targets Barracuda appliances
A recap of some of the major stories in cybersecurity
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition's top stories:
↘️ European regulators have hit Meta with a $1.3 billion fine, the largest ever brought under the European Union’s General Data Protection Regulation (GDPR) rules, for transferring Facebook users’ data from the bloc to servers in the U.S., which lacks a stringent privacy law.
Meta has also been ordered to halt transatlantic data transfers to the U.S. within five months, although it may not have to take that extreme step should a new regulatory framework for international data transfers come into effect later this year. In addition, the ruling gives Meta six months to stop handling data it previously collected, which could mean deleting all that content or moving it back to Europe. The case against Meta stems from U.S. policies that give intelligence agencies the ability to intercept digital communications from abroad. [CyberScoop / WIRED / The New York Times / The Hacker News]
↘️ A product called Echo, made by the Israel-based Rayzone Group, is using ad data intended for marketers to help authorities track people through their mobile phones. [Bloomberg]
↘️ 28-year-old IT security analyst Ashley Liles has pleaded guilty to piggybacking on a cyberattack incident targeting the IT firm he was employed at back in 2018 to extort his employer by “altering the original blackmail email and changing the payment address provided by the original attacker” in an attempt to divert any ransom payments to himself. This incident showcases the dangers posed by malicious insiders within organizations. [SEROCU]
↘️ U.S. government and federal law enforcement agencies disrupted networks used by foreign scammers to obtain fraud proceeds following a three-month campaign. These schemes, which included lottery fraud and romance scams, recruited individuals to act as money mules to receive funds from victims and transmit them to the perpetrators, many of whom are based overseas. [DoJ]
↘️ The U.S. Treasury Department has sanctioned four entities and one individual for engaging in malicious cyber activities on behalf of the North Korean government. This includes maintaining an army of illicit IT workers that have fraudulently gained employment in various firms around the world (chiefly China and Russia).
While these individuals tend to engage in legitimate IT work unrelated to malicious cyber activity, they use virtual currency exchanges and trading platforms to launder illicitly obtained funds back to the DPRK and contribute to the regime’s priorities. The Treasury also sanctioned the Pyongyang University of Automation, which it said is responsible for training “malicious cyber actors,” many of whom land jobs at the Reconnaissance General Bureau (RGB), the country’s main intelligence agency that also houses the infamous Lazarus Group. [The Hacker News]
↘️ Google’s decision to roll out .zip and .mov top-level domains in early May has sparked security concerns owing to the fact that they are both common file extension names, thereby confusing people into visiting a malicious website rather than opening a file. The company has said the “risk of confusion between domain names and file names is not a new one.” [Ars Technica / Bleeping Computer / Dark Reading / The Register / Trend Micro / WIRED]
↘️ Sophisticated threat groups aligned with Iran are setting their sights on regional managed service providers (MSPs) and using the compromise as a foothold to launch supply chain attacks against downstream customers. It also comes amid a significant increase in APT-aligned attacks against small- and medium-sized businesses (SMBs) for reasons ranging from espionage and intellectual property theft to destructive actions, financial theft, and disinformation campaigns. SMBs are also compromised so that attackers can impersonate them in other attacks and abuse their infrastructure. [The Hacker News / CSO Online]
↘️ A cryptocurrency phishing and scam service called Inferno Drainer has reportedly stolen over $5.9 million worth of digital assets from 4,888 victims so far. It also comes against the backdrop of users falling victim to phishing scams through malicious Google Search ads in recent weeks. [ScamSniffer]
↘️ Google has settled with the U.S. state of Washington, paying $39.9 million to close out a lawsuit related to misleading location tracking practices. The development comes months after Google agreed to pay $9.5 million to D.C. and $20 million to Indiana over similar allegations. The company is still facing one more location-tracking lawsuit in Texas. [Washington State Office of the Attorney General]
↘️ Several cheap Android TV boxes manufactured by Chinese companies AllWinner and RockChip come preloaded with malware that reaches out to a remote server immediately after powering up. The server has since been taken down. [TechCrunch]
↘️ Chinese state-sponsored hackers have since 2021 carried out a broad hacking campaign that has targeted critical infrastructure systems in the U.S. and Guam. While the intentions of the group, dubbed Volt Typhoon, are said to be espionage, the exact nature of the threat is far from clear. The attacks are characterized by an emphasis on stealth and a lack of custom malware, instead leaning on living-off-the-land commands to search for information within the system, identify other devices connected to the network, and extract data.
The group has been observed proxying their traffic through compromised networking devices to stay undetected. It has also demonstrated a “relentless focus on adaption” to pursue its espionage goals. The tradecraft indicates that the actors have gone to great lengths to conceal their connections to China, which has denounced the allegations as a “disinformation campaign.” China, for its part, has repeatedly countered criticisms of its alleged aggressive cyber-espionage operations by accusing the U.S. of conducting similar activities. [WIRED / CyberScoop / The Hacker News / The Record / Dark Reading]
↘️ A new ransomware operation named Buhti is now using the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively. Blacktail, the group behind Buhti, constitutes a modern example of how easy it is for aspiring threat actors to spring into action using already available malware to inflict significant damage on enterprises. It also continues the pattern of ransomware groups gravitating towards Babuk due to its proven ability to strike Linux and VMware ESXi systems. [The Hacker News]
↘️ A new industrial control system malware called CosmicEnergy has been found to contain code that’s purpose-built to take down critical systems such as power plants. The exact motivation for developing it is presently unknown. While there are indications that it may have been created as part of a red team exercise, the fact that it can target a widely used protocol like IEC-104 and not a specific proprietary product gives it additional flexibility.
The discovery is concerning because hackers can repurpose the malware and direct it toward critical infrastructure facilities, which often lack adequate security protections and are “insecure by design.” It also “illustrates the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware.” [The Hacker News / Dark Reading]
↘️ 13 civil society members from Armenia, including journalists, former government workers, and at least one United Nations official, were targeted by NSO Group’s Pegasus spyware. The development marks the first use of the elite tool in a war zone. While there is no conclusive evidence as to who was behind the surveillance, previous reporting has found Azerbaijan to be a likely NSO Group customer. [WIRED / The Hacker News]
↘️ The menu of cybercriminal services available on the underground now includes on-demand, human-assisted CAPTCHA-breaking functionality, indicating that cybercrooks now have options to get around these barriers. [The Hacker News]
↘️ The threat actor known as Dark Pink has been attributed to five new attacks between February 2022 and April 2023, taking its total victim tally to 13 since it began operating in mid-2021. The new attacks showcase a revamped attack chain, implement different persistence mechanisms, and demonstrate new data exfiltration methods, likely in an attempt to dodge detection by distancing their operations from prior indicators of compromise (IoCs). This indicates that the attackers will continue to update their tools and diversify their methods. [The Hacker News]
↘️ Hundreds of motherboard models made by Taiwanese computer components giant Gigabyte include backdoor-like functionality that could pose a significant supply chain risk to organizations. The UEFI firmware comes fitted with an executable that’s designed to drop an additional payload from Gigabyte update servers in an insecure format, potentially exposing the process to abuse by threat actors and making it possible to trojanize the payload through an adversary-in-the-middle (AitM) attack. This buggy implementation of a legitimate feature is part of a Gigabyte service known as APP Center. [The Hacker News / WIRED / Sophos]
↘️ A new Android trojan called SpinOk has been found within an SDK that’s used by over 100 popular apps with more than 421 million downloads. SpinOk packs several spyware functionalities, including file collection and clipboard content capture. The findings once again underscore the supply chain risks associated with integrating third-party SDKs into apps. This is also compounded by the fact that threat actors take steps to ensure that the suspicious code is downloaded only when certain conditions are met on the device to avoid detection. [The Hacker News]
↘️ A new fileless RAT named SeroXen comes with the capability to evade many EDR systems and is a fork of Quasar, an open remote administration tool that has been in use for many years. It’s being sold for a $30 monthly fee. The discovery comes as a threat actor named Spyboy is promoting a tool called Terminator on a Russian-speaking hacking forum that can terminate any antivirus, XDR, and EDR platform by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. [AT&T / Bleeping Computer]
↘️ Shortcomings in the biometric security architecture of Android phones could permit threat actors to brute-force an encoded fingerprint, provided they have physical access to a targeted phone for hours and have a copy of a fingerprint database to compare it against. The novel attack has been dubbed BrutePrint. While this is not something average smartphone users have to worry about, targets of value like human rights defenders and dissidents could be at elevated risk should their phones be confiscated. [The Hacker News / Dark Reading]
↘️ Amazon agreed to pay $30.8 million in the U.S. to settle charges that it engaged in unlawful surveillance and jeopardized its customers’ privacy by allowing any employee or contractor to access private videos of Ring camera users, for failing to establish meaningful privacy and security guardrails, and for retaining children’s voices captured through Alexa interaction to train its systems. The Federal Trade Commission’s (FTC) Alvaro M. Bedoya said the settlement is a “warning for every AI company sprinting to acquire more and more data.” Hackers also broke into a massive 55,000 Ring accounts belonging to U.S. customers, in some cases maintaining access to linked devices for more than a month. [The Hacker News / Ars Technica / The New York Times]
↘️ In a new twist, a Magecart campaign is using victim sites as hosts for delivering the card-skimming malware to other target sites. Magecart is a loose collective of cybercriminal groups involved in skimming attacks aimed at online payment systems. The typical modus operandi for these groups has been to surreptitiously inject malicious code into legitimate e-commerce sites, or into third-party components those sites use, by exploiting known vulnerabilities. The latest campaign is slightly different in that the attacker is not just injecting a Magecart card skimmer into target sites but is also hijacking them to distribute malicious code. [The Hacker News]
↘️ Potentially hundreds of companies globally are being issued an extortion notice by the Cl0p ransomware group after it exploited a vulnerability in the file transfer tool MOVEit to break into computer networks around the world and steal sensitive information. There is evidence that the financially motivated group has been looking for ways to exploit the flaw since July 2021 with the goal of establishing access to as many victim environments as possible to conduct file exfiltration at scale.
The hacks are a continuation of a similar pattern that has played out since December 2020, as the Cl0p actors exploit zero-day flaws in various enterprise-focused file transfer software to access customer systems and steal data.
Meanwhile, Progress Software is urging MOVEit Transfer customers to patch a third critical vulnerability in the software in less than a month. While the first flaw was widely exploited in late May, there is no evidence that the other two bugs have been abused in the wild. [The Hacker News / Malwarebytes]
↘️ Threat actors are scraping OpenAI ChatGPT API keys from source code repositories and offering them for sale, as cybercriminals continue to exploit the newfound popularity of the service. [Vice]
↘️ A threat actor of unknown provenance known as Asylum Ambuscade is straddling the line between cybercrime and cyberespionage, with the group linked to a constellation of financially motivated cybercrime attacks since early 2020. While it’s unusual for a hacking crew to blend its motivations, it’s not unheard of. The notorious and virulent Lazarus Group is known to carry out cryptocurrency heists while simultaneously orchestrating data theft campaigns. [The Hacker News]
↘️ Google has launched a new conceptual framework called the Secure AI Framework (SAIF) to secure AI systems and defend against prompt injection-style attacks. The announcement comes amid a warning from the FBI that malicious actors are leveraging AI tools to manipulate benign photographs into explicit content and facilitate sextortion schemes. [Google]
↘️ The US International Trade Administration (ITA) admitted it promotes the sale of American-approved commercial spyware to foreign governments. [The Register]
↘️ A newly declassified report from the Office of the Director of National Intelligence (ODNI) has revealed the federal government is buying troves of data about Americans from commercial data brokers. [WIRED / The Verge]
↘️ The recent attacks exploiting a zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances have been attributed by Mandiant to a suspected China-nexus group named UNC4841. Mandiant described the attacks as the “broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021.” The as-yet-uncategorized threat group shares infrastructure and malware code overlaps with other China-backed hacking groups.
The access to the devices allowed the actors to deploy three different backdoors as a form of fault tolerance, suggesting heightened desire to maintain persistent access to these devices by means of redundant tools. Barracuda has indicated that around 5% of active ESG devices worldwide have shown evidence of compromise. UNC4841 is said to have exfiltrated email-related data from select victims by using the ESG appliance as a jumping off point to move deeper into the victim networks, including European and Southeast Asian government officials, as well as high-profile academics in Hong Kong and Taiwan. [The Hacker News]
↘️ An unknown actor has created a network of fake security researcher accounts on GitHub and Twitter to lure the infosec community to repositories hosting malware disguised as zero-day exploits for popular software. The development underscores the need to act with caution when executing code from untrusted sources. [The Hacker News]
↘️ The Russia-linked Gamaredon group has been observed infecting USB drives to move laterally across victim networks and reach air-gapped machines within targeted organizations to deploy malware, as pro-Russian actors intensify their cyber attacks on Ukraine while displaying a high level of persistence. [The Hacker News / CyberScoop]
↘️ Researchers have disclosed security flaws in products from Schneider Electric and WAGO that could allow a bad actor to modify firmware or trigger a denial-of-service condition. For operational technology tools, patches are often difficult to implement considering their long-term use, making it imperative that companies consider security implications from the outset. To complicate matters further, this also makes it difficult to build newer products that can co-exist with old systems while also implementing new security features. [The Hacker News]
↘️ A new information stealer called Mystic has quickly become a favorite among threat actors for its ability to lift credentials from scores of web browsers and extensions, and steal cryptocurrency, establishing a strong foothold in the threat landscape within a short span of time. The malware pairs its information gathering features with obfuscation techniques that make it capable of advanced evasion. While the prevalence of commodity stealers has shot up in recent months, what makes Mystic special is the author’s commitment to improving its functionality by crowdsourcing recommendations and seeking feedback from customers for future enhancements. [The Hacker News]
↘️ Security flaws have been discovered in smart pet feeders from Dogness that could be exploited by a remote attacker to execute unauthorized code, modify device settings, and siphon sensitive information, including live video feeds sent to the cloud server. These weaknesses could have transformed the pet feeder into a surveillance tool. [Kaspersky]
↘️ A Chinese threat actor known as Mustang Panda has been linked to a new malware called WispRider that spreads by self-propagating through infected USB drives, potentially allowing it to spread beyond its intended targets. WispRider acts as both an infector and a backdoor. USB-based attacks have been around for two decades, but they are increasingly becoming a popular attack vector for APTs and other large cybercriminal groups because of how rapidly threat actors can spread various types of malware. It also allows them to sneak malware onto otherwise heavily secured and air-gapped networks.
The development is a sign that Mustang Panda, which previously focused its cyber espionage activities primarily on organizations in Southeast Asia, is extending its reach globally. “The consequences of a successful infection are twofold: the malware not only establishes a backdoor on the compromised machine but also spreads itself to newly connected removable drives,” Check Point said. “This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to a vast array of entities, even those that are not primarily targeted.” [The Hacker News]
↘️ A data breach storm brewed in India after it emerged that a Telegram bot in a channel called “hak4learn” was offering access to the private data of millions of Indians from India’s CoWIN vaccination tracking platform, which has more than one billion users. The now-inactive bot allowed users to input a phone number or India’s national ID, aka Aadhaar number, to return a citizen’s details, including their name, passport number, and date of birth. Further analysis has shown that the data belonged to residents in 11 different states. The Indian government, however, said there is no evidence that the CoWIN app or database has been directly breached, but acknowledged that the bot seems to have been populated with data stolen in the past, without sharing any further specifics. It’s suspected that the information was scraped through compromised credentials obtained from healthcare workers. This isn’t the first time news of a CoWIN data leak has surfaced. In 2021, a hacker crew called Dark Leak Market said it had access to the data of 150 million Indians registered on CoWIN. The health ministry denied the claims. [CloudSEK / The Hindu / WIRED / BBC / The Indian Express]