Malicious QR codes used in phishing campaign
Threat actors find new ways to conduct social engineering
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition's top stories -
↘️ China has closed a record number of personal data breach cases, acting on 36,000 cases related to violation of personal information over the past three years. 64,000 suspects have been detained, and more than 30 million illegal SIM cards and 300 million illegal internet accounts have been seized. [Global Times]
↘️ A series of security vulnerabilities have been discovered in CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot power distribution unit (PDU). These vulnerabilities could empower malicious actors to not only paralyze entire data centers but also infiltrate and manipulate data and execute large-scale attacks. [The Hacker News / CyberScoop]
↘️ Previously undocumented attack methods could be abused by a threat actor to encrypt files without executing code on the targeted endpoint using a cloud-based ransomware (DoubleDrive), neutralize the Windows Defender endpoint detection and response (EDR) agent and allow any malicious code to run fully undetected (Defender-Pretender), and remotely delete entire databases from fully patched servers (Erase Data Remotely). It doesn’t end there, for researchers have also devised new tools like Chimera and NixImports to automate DLL side-loading and evade static analysis, respectively.
In a related development, a new “threadless” process injection technique utilizes DLL Notification Callbacks in remote processes to trigger shellcode execution and evade process injection detections by security solutions. [SafeBreach / ShorSec]
↘️ Microsoft’s PowerShell Gallery has been found to harbor software supply chain risks because of its lax protections, making it a fertile environment for attackers who want to upload malicious packages to the online repository. These weaknesses pertain to naming policies, package ownership verification, and exposure of unlisted modules, allowing threat actors to upload typosquatted versions, spoof popular packages, and lay the groundwork for supply chain attacks. That said, there is no evidence that these weaknesses have been abused to sneak malicious packages into the repository. [The Hacker News]
↘️ LinkedIn has become the target of an ongoing attack wave in which attackers use brute-force tools to break into accounts that lack two-factor authentication protections, resulting in accounts being locked out for security reasons or ultimately hijacked. “Some have even been pressured into paying a ransom to regain control or faced with the permanent deletion of their accounts,” Cyberint said. The specific intentions of the threat actors are still uncertain, although signs point to the campaign being either financially motivated or driven by a need to acquire sensitive company information. Plus, hijacked LinkedIn accounts can be used by adversaries to socially engineer targets by impersonating a trusted colleague. [Cyberint]
↘️ The information stealer malware known as Raccoon Stealer has resurfaced with a new version 2.3.0, an improvement over version 2.1, which was released in February 2023. The features of the revamped Raccoon Stealer include quick search for cookies and passwords, bot detection, blocking of IP addresses used by crawlers and bots that intelligence firms use to monitor traffic, and log statistics. Subscribers of the tool are also being urged to ‘crypt’ their builds to evade detection and to ‘keep in mind’ that long-term use could increase the chances of detection. The latest development underscores the continued threat posed by stealer malware to users and enterprises alike. [Cyberint]
↘️ A large-scale phishing campaign is using malicious QR codes in the hope of acquiring Microsoft credentials from a wide array of industries, including an unnamed energy company in the U.S., a sign that social engineering attacks are getting increasingly sophisticated. Threat actors are also finding new ways to abuse trusted platforms like Google Drive, OneDrive, Notion, GitHub, Telegram, Discord, Slack, Trello, and Steam to conceal malicious activities within normal internet traffic — including payload delivery, data exfiltration, and acting as dead drop resolvers — and obviate the need for a separate infrastructure setup. An analysis of more than 400 malware families deployed over the past two years has found that at least a quarter of them abused legitimate internet services in some way as part of their infrastructure, allowing malicious hackers to more easily blend in and complicating detection efforts. [Cofense / Cloudflare / Interisle Consulting Group / Recorded Future]
↘️ Threat actors associated with the Monti ransomware have resumed operations after a two-month break, this time targeting legal and government entities with a fresh Linux-based ransomware variant. While the group hasn't gained significant attention from researchers due to its relatively low attack volume, that could change in the future as the cybercrime crew continues to hone its tradecraft. [The Hacker News]
↘️ Chinese authorities have pledged to “publicly disclose a highly secretive global reconnaissance system” operated by the U.S. government following an investigation into the alleged hacking of earthquake monitoring equipment in Wuhan. [The Record / FMPRC]
↘️ The cyber attack on satellite communications provider Viasat that took place at the onset of Russia’s invasion of Ukraine was carried out by threat actors with detailed knowledge of the compromised system, and a previously unknown component of the hack entailed the use of sophisticated methods to try to prevent the terminals from being restored. [CyberScoop / The Record / Black Hat USA]
↘️ Hackers based in China are targeting the gambling sector in Southeast Asia as part of a campaign that delivers Cobalt Strike beacons to compromised systems. The activity points to a threat actor called Bronze Starlight, although exact attribution remains a challenge due to the complexity of the Chinese threat landscape, which is characterized by substantial cooperation among its constituent threat groups, along with the possibility of shared vendors, digital quartermasters, and/or campaign orchestrators. This is also an indication of how Chinese cyber espionage threat actors are progressively refining their operational tactics in ways that obfuscate clear attribution. [The Hacker News]
↘️ Threat actors are known to propagate malware by phishing or by leveraging counterfeit websites of widely used applications to deliver trojanized installers. A social engineering attack has been observed distributing an information stealer called LummaC, which then retrieves the Amadey botnet malware to ultimately execute a remote access trojan known as SectopRAT. [Cyble]
↘️ Three security vulnerabilities in the Moovit transportation software could allow users to obtain free public transit rides and access users’ personal information. [SafeBreach]
↘️ The best way to catch a criminal is to catch them in the act. Cybersecurity researchers built a honeynet composed of several RDP Windows servers that were deliberately exposed on the cloud, allowing hackers to take control of the machines and carry out various activities. Some even used the compromised computers to download or watch porn because it may have been censored in their country of origin. But unbeknownst to them, every single move was monitored. This enabled the researchers to classify hackers into five broad categories: Rangers, Thieves, Barbarians, Wizards, and Bards. [GoSecure / WIRED / TechCrunch]
↘️ Digital adversaries with limited resources and capabilities are beginning to use artificial intelligence for intrusion and information operations to produce higher quality and hyper-realistic fabricated content (aka deepfakes) at scale, mount persuasive social engineering attacks, and augment malware development. “Bringing AI to cybercrime is a major accelerant and it lowers the barrier of entry significantly,” researchers said. “Also, because it’s the criminal underground, scam advertisements about AI tools are likely to be as common as those selling legitimate tools.” Also worth mentioning is a category of attacks called prompt injection in which legitimate tools like ChatGPT and Bard are coerced into doing something bad via what’s called a jailbreak. [Mandiant / Trend Micro / Wall Street Journal]
↘️ The continued abuse of legitimate Remote Monitoring and Management (RMM) software by threat actors has led the U.S. government to release a Cyber Defense Plan to mitigate threats to the RMM ecosystem. “Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or managed security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers,” it said. [CISA]
↘️ The majority of distributed denial-of-service (DDoS) attacks are launched in response to business disputes or to gain a competitive edge in gaming. “There are countries in which you see extensive use of DDoS aspiring to shut down a competing business and draw their customers to the person launching the attack,” the FBI said. DDoS attacks are typically conducted via booter (aka stresser) services, which rent out access to a network of infected devices to other criminal actors. Another common method is the use of botnets like Mirai and its myriad variants, thanks in part to the leak of its source code in 2016. Such botnets continue to pose a major threat as they are bolstered by a growing pool of vulnerable IoT devices that get added to the network every day. [The Record]
↘️ Researchers have found a novel post-compromise method to feign Airplane Mode on Apple iPhones while stealthily allowing an app to maintain internet access. This is achieved by hooking the underlying function responsible for disabling the radios (within CommCenter) so that it does nothing, while the user interface changes (controlled by SpringBoard) still take place as soon as the mode is enabled. By decoupling the two components, it’s possible to seemingly activate Airplane Mode without actually doing so. To make it even stealthier, a bad actor could modify an SQL database that CommCenter uses to track each app’s cellular data access status, allowing access for a malicious app already installed on the device while disabling it for the rest of the apps. [The Hacker News]
↘️ Cybersecurity researchers have shared details about a rootkit detector for non-traditional architecture, Windows 11 on ARM64, that can “scan SYSCALLs and tell its users whether their system has been tampered with using the previously mentioned techniques.” [CyberArk]
↘️ Threat actors are actively exploiting poorly secured web servers such as IIS, Apache Tomcat, JBoss (now WildFly), and Nginx at domestic companies in South Korea to drop web shells, retain persistent remote access, and deliver additional tools such as Mimikatz and Ladon to steal credentials and elevate privileges. It’s suspected that the end goal of the operation was to display unauthorized ads on the affected companies’ websites and profit from them. [ASEC]
↘️ Online betting platforms have become the target of account takeover attacks as part of a campaign dubbed Capra. “The threat actor took a list of email addresses from a separate, unrelated data breach and checked those addresses for accounts on the target betting platforms,” researchers said. “The threat actor used the target’s page-response to test whether an email address was Registered or Non-Registered.” Armed with this information, a request is sent to the authentication server to get an allowlist token and gain access to the account. [HUMAN]
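The Capra item above hinges on a login or account-check endpoint answering differently for registered and unregistered e-mail addresses. The following is an added illustration written for this roundup, not code from HUMAN or any betting platform: it models such an endpoint in Python with a constructed user store, shows why distinct responses let a breached e-mail list be sifted, and shows the uniform-response version a defender would ship (one message for both failure cases, plus the same hashing work so timing does not leak existence either).

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account store: email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_SALT, _hash("correct horse", _SALT)),
}
# Dummy credential so an unknown e-mail still costs one hash comparison.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("unused", _DUMMY_SALT)

def leaky_login(email: str, password: str) -> str:
    """Vulnerable: distinct messages reveal whether the e-mail is registered."""
    rec = USERS.get(email)
    if rec is None:
        return "Non-Registered"      # caller learns the account does not exist
    salt, stored = rec
    if hmac.compare_digest(stored, _hash(password, salt)):
        return "OK"
    return "Registered"              # caller learns the account exists

def uniform_login(email: str, password: str) -> str:
    """Hardened: one message for 'no such user' and 'wrong password', and the
    same PBKDF2 work in both cases so the response time does not differ."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(stored, _hash(password, salt))
    return "OK" if (matched and email in USERS) else "Invalid e-mail or password"

def enumerate_with(login, breached_emails):
    """Defender's self-check: which e-mails from a breached list does this
    endpoint confirm as registered?  Any non-empty result means the page
    response can be used the way the Capra write-up describes."""
    baseline = login("definitely-not-a-user@example.invalid", "x")
    return [e for e in breached_emails if login(e, "wrong-password") != baseline]
```

Run `enumerate_with(uniform_login, ...)` against a staging copy of the real endpoint wrapper to confirm the fix holds after every change to the login flow.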
↘️ The Federal Criminal Police Office of Germany, or BKA, said the country had recorded 136,865 cases of cybercrime in 2022, resulting in an estimated loss of 203 billion euros. While domestic cybercrime decreased by 6.5% in comparison to 2021, the agency said crimes committed by foreign actors increased by 8%. [BKA]