Conti gets dis-conti-nued
The notorious ransomware gang has likely shut down its operations for a potential rebrand
Conti’s “performative” ransomware attack on Costa Rica was not just an attempt to make one final score; it was also a way to create a distraction while the group’s leaders planned to kill off their brand. According to new research, the flameout comes as the group shuttered its infrastructure to shift to other subsidiary operations, a move that’s expected to have ripple effects throughout the cybercrime underground.

That said, the ContiLeaks saga has also revealed that the group is using the privileges of the ME firmware as a way to gain indirect access to the UEFI/BIOS, drop additional payloads, and gain runtime control of the system below the operating system using System Management Mode (SMM).
What’s more, Costa Rica’s public health service, known as the Costa Rican Social Security Fund (CCSS), was forced to take its systems offline after being hit by Hive ransomware, lending credence to theories that the Conti gang had entered into a working relationship with other ransomware groups, including Hive, as it readies to wind down its operations. Alternatively, the latest attack is likely the work of a common affiliate actor.
What’s trending in security?
⚠️ In a worrying trend, threat actors are increasingly employing more advanced techniques to hide malicious code designed to steal credit card information. The skimming attacks have involved the use of obfuscated code that’s injected into image files or masquerades as legitimate web analytics functions to evade detection. [The Hacker News]
💥 A DDoS-focused botnet known as Fronton, which first made headlines in March 2020, has more capabilities than previously known. This includes the ability to create massive numbers of fake social media accounts that can then be used to shape opinion via social media manipulation. [The Hacker News]
📱 An analysis of the low power mode (LPM) implementation on iPhones has found that it introduces potentially serious security risks, even allowing attackers to run malware on powered-off devices. This is made possible by the fact that Bluetooth, near-field communications (NFC), and ultra-wideband (UWB) connectivity are kept alive in the phone to facilitate Find My features and make payments.
LPM is activated when the user switches off the iPhone or when the device shuts down due to low battery. It keeps the wireless chips operating, which creates a scenario where a malicious actor could abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down, until the phone’s battery dies. Such malware could be designed to track and report the user’s movements and carry out other surveillance activities.
However, there are some caveats to pull this off in an adversarial setting. For such a compromise to happen, the device must be already infected by some other means, granting an attacker privileged access to the device. [The Hacker News]
💲 Karakurt, the data extortion arm of Conti, has demanded ransoms ranging from $25,000 to $13 million in Bitcoin, according to the U.S. Cybersecurity and Infrastructure Security Agency. Unlike traditional ransomware attacks, the actor is known for stealing data and threatening to auction it off or release it to the public unless they receive payment of the demanded ransom. [CISA]
🤖 A coordinated law enforcement operation involving almost a dozen countries disrupted the prolific Android malware FluBot. The Dutch Police, which seized the infrastructure last month, noted that as many as 10,000 victims of the malware were disconnected from the FluBot network. The banking trojan spreads via SMS phishing messages that use various pretexts to try and get recipients to click on a link for downloading the malware to their smartphones. [The Hacker News]
🛡️ The U.S. Justice Department (DoJ) said it will not bring charges under federal hacking laws against security researchers and white hat hackers who act in good faith — using a computer “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability” — because the “activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices.” The development marks a major amendment to how the government enforces the Computer Fraud and Abuse Act (CFAA), a federal statute that outlaws unauthorized access to computers and networks, to prosecute cybercrime. [DoJ]
☁️ Google Cloud announced what’s called the Assured Open Source Software service, which gives enterprise and government customers access to a security-vetted collection of open-source packages to bolster the security of the software supply chain. [Google Cloud]
🚨 A lesser known Chinese-speaking hacking group known as LuoYu is infecting victims with WinDealer information stealer malware that’s deployed by switching legitimate app updates with malicious payloads in man-on-the-side attacks. [The Hacker News]
⚡ Germans seeking information about the current Ukraine crisis are being lured using decoy sites that prompt potential victims into downloading a Microsoft HTML help file that’s engineered to download a PowerShell-based remote access trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer. [Malwarebytes]
📧 Thousands of websites are surreptitiously collecting email addresses (and passwords in some cases) even before online forms are submitted, potentially violating GDPR requirements. This kind of data collection has been likened to a keylogger, malware that’s used to stealthily record keystrokes entered by a victim. The regional differences in the number of websites that record such information, 1,844 in the E.U. and 2,950 in the U.S., are likely due to companies being more cautious about tracking users, and possibly integrating with fewer third parties, because of GDPR. [The Hacker News / WIRED]
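The behaviour described above, an email address leaving the page before the form is submitted, is something a site owner can check for in their own pages. The following is an added example written for this newsletter, not code from the cited research or from any real monitoring tool: it takes a constructed timeline of browser events (input into a field, outbound requests, form submit) of the kind a page-monitoring hook could record, and flags every request that carries a typed email address, raw or URL-encoded, before any submit event occurred, noting whether the destination is a third-party origin. The event format, the `findPreSubmitLeaks` function and the sample site names are assumptions made for the example.

```javascript
// Added example: offline detection of "pre-submit" form data leakage.
// The event timeline format below is hypothetical (constructed for this example).

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// URL-decode defensively; malformed percent-escapes must not abort the scan.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Collect every email-looking token in the raw text and in its decoded form,
// so a query string like ?e=alice%40example.com is caught as well.
function extractEmails(text) {
  const found = new Set();
  for (const candidate of [text, safeDecode(text)]) {
    for (const m of candidate.matchAll(EMAIL_RE)) found.add(m[0].toLowerCase());
  }
  return found;
}

// events: ordered list of {type:'input', value}, {type:'request', url, body}, {type:'submit'}.
// Returns one record per request that sent a typed email before the form was submitted.
function findPreSubmitLeaks(events, pageOrigin) {
  const typed = new Set();   // email addresses the user has typed so far
  let submitted = false;
  const leaks = [];
  for (const ev of events) {
    if (ev.type === 'input') {
      for (const e of extractEmails(ev.value)) typed.add(e);
    } else if (ev.type === 'submit') {
      submitted = true;      // anything after this is the expected form post
    } else if (ev.type === 'request' && !submitted) {
      const seen = extractEmails(`${ev.url}\n${ev.body || ''}`);
      const leaked = [...seen].filter((e) => typed.has(e));
      if (leaked.length > 0) {
        leaks.push({
          url: ev.url,
          emails: leaked,
          thirdParty: new URL(ev.url).origin !== pageOrigin,
        });
      }
    }
  }
  return leaks;
}

// Constructed sample timeline: the user types an address, two requests carry it
// out before the submit click (one to a tracker, one to the site itself), and
// the legitimate sign-up post happens only after submit.
const SAMPLE_ORIGIN = 'https://shop.example.com';
const SAMPLE_EVENTS = [
  { type: 'input', value: 'alice@example.com' },
  { type: 'request', url: 'https://cdn.example.com/app.js', body: '' },
  { type: 'request', url: 'https://tracker.example.net/collect?e=alice%40example.com', body: '' },
  { type: 'request', url: 'https://shop.example.com/api/track', body: JSON.stringify({ email: 'alice@example.com' }) },
  { type: 'submit' },
  { type: 'request', url: 'https://shop.example.com/api/signup', body: 'email=alice%40example.com' },
];

function demo() {
  const leaks = findPreSubmitLeaks(SAMPLE_EVENTS, SAMPLE_ORIGIN);
  for (const leak of leaks) {
    console.log(`${leak.thirdParty ? 'THIRD-PARTY' : 'first-party'} pre-submit leak to ${leak.url}: ${leak.emails.join(', ')}`);
  }
  return leaks;
}

demo();
```

The post-submit sign-up request is deliberately not reported: the point of the check is timing, since sending the address to the site's own backend once the user clicks submit is what a form is for. In a real page the timeline would come from wrapping `fetch`, `XMLHttpRequest.prototype.send` and `navigator.sendBeacon` and listening for `input` and `submit` events; the pure function above keeps the classification logic testable offline.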
🔍 Google’s Threat Analysis Group published details of three campaigns that used the popular Predator spyware, developed by the North Macedonian firm Cytrox, to target Android users. The campaigns involved the abuse of five zero-day flaws to deploy Alien, Android malware designed to load Cytrox’s spyware tool, Predator. By fixing the issues, the idea is to send surveillance vendors back to the drawing board to find new exploits.
In related news, the Spanish government has pledged to further regulate and oversee the country’s secret services following revelations that top politicians’ mobile phones were hacked by the intelligence agencies to deploy the Pegasus spyware. [The Hacker News / AFP]
🐟 In a sign that phishing attacks are getting more realistic, emails with package delivery themes are now using automated chatbots to guide visitors through the process of handing over their login credentials to threat actors. The emails contain a link that, once clicked, redirects users to a rogue website with a chatbot-like interactive system designed to increase victim engagement and confidence and ultimately siphon personal details. [Trustwave]
✈️ A previously unknown Chinese hacking group known as “Space Pirates” is targeting enterprises in the IT services and aerospace industries in Russia, Georgia, and Mongolia with phishing emails to install novel malware like Deed RAT on their systems, while also relying on PlugX and ShadowPad, tools that are commonly shared across Chinese threat actors to obscure attribution. [Bleeping Computer / Positive Technologies]
❌ The Spanish police have announced the arrest of 13 people and the launch of investigations into another seven for their participation in a phishing ring that stole online bank credentials, using them to make online purchases, make transfers, or take out unauthorized personal loans. [Policia Nacional]
🔓 Researchers have disclosed a Bluetooth flaw that could be abused to remotely unlock cars, smart locks, and building access systems, putting proximity-based authentication at risk of exploitation. [Ars Technica / The Hacker News]
ℹ️ A new analysis of 350 campaigns that occurred between 2008 and 2020 and covers 86 advanced persistent threat groups (APTs) has revealed that threat actors primarily use publicly known vulnerabilities in their attacks against organizations. “One could perform 12% of all possible updates restricting oneself only to versions fixing publicly known vulnerabilities without significant changes to the odds of being compromised compared to a company that updates for all versions,” the researchers said. [arXiv]
🛑 With Sri Lanka in the middle of an economic crisis, hacktivist collective Anonymous jumped in to show support by hitting government entities in the country with distributed denial-of-service (DDoS) attacks, while also sharing thousands of usernames, passwords, and email addresses from the database of Sri Lanka Scholar, an educational portal, essentially violating the privacy of citizens. [Rest of World]
📄 Cyber attackers are targeting poorly secured Elasticsearch cloud buckets exposed on the public internet and stealing the data, then replacing it with a ransom note. The findings come as a new study from IBM X-Force revealed there was a 94.34% reduction in the average duration between initial access and ransom requests over the last two years, from over two months to just a little more than three days. [Secureworks / IBM X-Force]
💳 Versus, one of the most popular English-speaking criminal darknet markets that dabbles in sales of drugs, stolen payment cards, and exfiltrated databases, is shutting down after discovering a severe exploit that could have allowed access to its database and exposed the IP address of its servers. [Bleeping Computer]
📩 Business email compromise (BEC) attacks have caused billions of dollars in losses to businesses globally in recent years, but law enforcement has been steadily cracking down on the scheme. Last week, Interpol coordinated the arrest of the suspected head of SilverTerrier, aka TMT, a massive cybercrime enterprise that has been active since at least 2015 and has impacted 50,000 organizations worldwide. The arrest marks the culmination of a year-long investigative effort that was preceded by two operations — Falcon I and Falcon II — resulting in the arrest of 14 other members of the gang. According to statistics maintained by the FBI, BEC attacks caused a staggering $43 billion in actual and attempted losses worldwide between June 2016 and December 2021. [The Hacker News]
🎗️ A ransomware group called GoodWill has been spotted making unusual demands in exchange for the decryption key, requiring victims to donate to the poor and provide financial assistance to patients in need in a Robin Hood-like fashion. [CloudSEK]
⚙️ Over 3.6 million MySQL servers are publicly exposed on the Internet and responding to queries, making them an attractive target for threat actors. Of these accessible MySQL servers, 2.3 million are connected over IPv4, with 1.3 million devices over IPv6. Separately, as many as 380,000 accessible Kubernetes API instances have been observed responding with a 200 OK HTTP response to scanning probes. [Shadowserver]
⏲️ A Linux-based Internet of Things (IoT) botnet dubbed “EnemyBot” is expanding its front lines to rapidly weaponize newly released vulnerabilities in enterprise services — potentially making it a much more virulent threat than it has been. Controlled by a threat actor known as Keksec, it sprang to life focusing on adding IoT devices and routers to its botnet footprint. It’s also capable of executing new code that could add to its functions or update its vulnerability list, making it possible to adopt new vulnerabilities within days of those issues being discovered. [The Hacker News]