New information stealers flood the cyber crime ecosystem
A recap of some of the major stories in cybersecurity
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition's top stories -
↘️ Microsoft said it’s tracking more than 100 different cyber criminal gangs that are actively conducting ransomware attacks, deploying over 50 different ransomware families in malicious campaigns. Some of the most prominent ransomware families of recent times include LockBit, BlackCat, Vice Society, and Royal. [Microsoft Security Intelligence]
↘️ Microsoft took steps to disable malicious OAuth apps distributed by threat actors who managed to obtain “verified publisher” status through the Microsoft Cloud Partner Program (MCPP) as part of a consent phishing attack designed to infiltrate U.K.- and Ireland-based organizations’ cloud environments. The operators leveraged their bogus status as verified app publishers to trick victims into granting access to their mailboxes and calendars. The campaign, which was first detected on December 6, 2022, was shut down on December 27, 2022. [The Hacker News / Dark Reading / The Record]
↘️ A Kremlin-backed threat actor known as Sandworm unleashed two different never-before-seen data wipers, dubbed NikoWiper and SwiftSlicer, on Ukrainian targets in recent months. Sandworm’s rampant use of disk wipers in its campaigns is consistent with a broader spike in threat actor use of such malware, both in the weeks leading up to Russia’s invasion of Ukraine and in the months since then. [The Hacker News]
↘️ A multi-year law enforcement operation has shut down the Exclu encrypted chat service over its use by organized criminal syndicates, with 45 arrests made. The development, which follows similar takedowns of EncroChat and Sky ECC, highlights the intertwined connections between encrypted messaging apps and crime, and has prompted government calls for inserting a backdoor to scan for problematic content. In the past, the U.S. FBI and the Australian Federal Police also created a fake end-to-end encrypted chat platform named ANoM, allowing law enforcement to monitor the activities of criminal groups. This ultimately led to the arrest of 800 people. [The Hacker News / Dark Reading]
↘️ Google stated that the ongoing war in Ukraine has shaken up the cybercriminal ecosystem, blurring the lines between financially motivated and government-backed attackers, and even emboldening cybercriminals to go after Russian targets. Hacking crews have also split over political allegiances and geopolitics, changing their priorities and targeting. However, Russia’s hybrid approach to warfare, combining the use of digital weapons and online propaganda alongside traditional military operations, has had mixed results. [The Hacker News / CyberScoop / The Record / ZDNET]
↘️ A Linux variant of the Clop ransomware strain has been discovered in the wild for the first time. While very similar to the Windows flavor, it comes with a defective encryption scheme which makes it possible to unscramble the original files without paying a ransom demand. It also targets Oracle database directories, a feature not commonly seen in Linux lockers, which typically target ESXi virtual machines. The Linux version further lacks support for excluding certain file types and folders from encryption. Although the malware is unlikely to be a major threat in its present form, the development highlights how ransomware actors are constantly seeking new targets and methods to maximize their profits. The mounting interest in Linux malware is also explained by the prevalence of Linux systems in enterprise environments, making them a lucrative target. Another factor in the mix is the rise of cross-platform programming languages such as Rust and Go, which have lowered the barrier to porting malware to other platforms. [The Hacker News / Dark Reading]
↘️ The North Korea-backed Lazarus Group exploited unpatched Zimbra devices in an effort to steal intelligence from public and private organizations in the medical and energy sectors. The threat actors quietly exfiltrated about 100GB of data, without waging any disruptive cyber operations or destroying information. [The Hacker News]
↘️ A novel threat actor dubbed Ice Breaker has been found targeting the gaming and gambling sectors with a highly complex compiled JavaScript implant. At this time, not much is known about the group, with indistinct clues pointing to their origin. [The Hacker News]
↘️ It’s not just Ice Breaker. Another newly identified threat actor dubbed NewsPenguin has set its sights on maritime entities in Pakistan by using decoy documents as bait to deliver an advanced espionage tool. Domains associated with these attacks were registered in the second half of 2022, showing that NewsPenguin has been planning the operation for a while. Currently, there’s no evidence that links the group to any known threat actors. [The Hacker News]
↘️ The National Institute of Standards and Technology (NIST) has selected a group of cryptographic algorithms called Ascon as the lightweight cryptography standard to protect data flowing through IoT devices following a multi-year effort. The goal is to secure tiny devices using the limited amount of electronic resources they possess. [The Hacker News]
↘️ An unknown threat actor has been surreptitiously mining Monero cryptocurrency on scores of Redis servers around the world for years, using a custom-made malware variant dubbed HeadCrab that is virtually undetectable by security software. It also implements sophisticated obfuscation features to remain hidden on compromised systems, performing its tasks in a fileless fashion to evade detection. [The Hacker News]
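The page does not say how HeadCrab gets onto a server, but Redis instances reachable from the internet without authentication are the usual way such miners get in (that is an assumption here, not a detail from the report). The following is an added example, not code from the page or from any Redis project: a small audit of a redis.conf that flags the settings which leave a server open, shown against a constructed weak file and the same file corrected. Both configuration fragments are made up for this example.

```python
import re
from typing import Dict, List

# Constructed sample redis.conf fragments (not from the page or any real deployment).
# WEAK_CONF leaves Redis reachable, unauthenticated, on every interface;
# HARDENED_CONF is the same file with each setting corrected.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so clients connect without a password
# requirepass changeme
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""

# Commands that let anyone with a bare TCP connection turn Redis into a foothold
# (rewrite the config, pull a rogue replica or module, write arbitrary files).
DANGEROUS_COMMANDS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE", "DEBUG")
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to the list of argument lists it was given.
    Full-line comments are skipped; directives may repeat (rename-command does)."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # No 'bind' line at all means Redis listens on every interface.
    bind_args = conf["bind"][-1] if "bind" in conf else []
    if not bind_args or any(a.lstrip("-") in WILDCARD_BINDS for a in bind_args):
        findings.append("bind: listens on all interfaces; bind to loopback or an internal address")

    # protected-mode defaults to yes, so only an explicit 'no' is a finding.
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if not mode or mode[0].lower() != "yes":
        findings.append("protected-mode: disabled; set it to yes")

    if "requirepass" not in conf or not conf["requirepass"][-1]:
        findings.append("requirepass: unset; any client that can reach the port has full access")

    disabled = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) == 2 and args[1] in ('""', "''")
    }
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in disabled:
            findings.append(f'rename-command: {cmd} still reachable; add: rename-command {cmd} ""')
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Point `audit_redis_conf` at the contents of a live `/etc/redis/redis.conf` to run it for real. On Redis 6 and later, per-user ACLs are the preferred way to restrict commands, but `rename-command` still works and the checks above catch the configuration a drive-by miner needs: an unauthenticated listener on a public interface with replication and module loading left enabled.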
↘️ A study of 2,037 online stores found that 250 (12.3%) exposed ZIP, SQL, and TAR archives on public web folders that can be freely accessed without requiring authentication. The archives appear to be backups containing database passwords, secret administrator URLs, internal API keys, and customer data. [Sansec]
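A check a store operator can run from the server side, added here as an example that is not part of the page or of Sansec’s study: walk the web root, list every archive-like file that a web server would happily serve, and rank those whose names look like site or database dumps. The demo web root and its files are constructed for this example.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Extensions that almost never belong under a public web root.
ARCHIVE_SUFFIXES = (".zip", ".sql", ".sql.gz", ".tar", ".tar.gz", ".tgz", ".7z", ".rar", ".bak", ".gz")
# Names that make a stray archive look like a backup rather than, say, a theme bundle.
DUMP_NAME = re.compile(r"(backup|bak|dump|db|database|export|site|www|public_html|\d{4}-?\d{2}-?\d{2})", re.I)


def find_exposed_archives(docroot: str) -> List[Tuple[str, int, int]]:
    """Walk a web root and return (relative path, size in bytes, score) for every archive found.
    Score 2 = archive whose name suggests a backup; score 1 = any other archive. Highest first."""
    hits = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            score = 2 if DUMP_NAME.search(name) else 1
            hits.append((rel, os.path.getsize(path), score))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


def build_demo_docroot() -> str:
    """Create a throwaway web root with constructed files so the scan can run offline."""
    root = tempfile.mkdtemp(prefix="docroot-")
    sample = {
        "index.php": b"<?php echo 'shop'; ?>",
        "assets/theme.zip": b"PK\x03\x04 theme bundle",
        "media/backup-2023-01-12.sql": b"-- MySQL dump\nINSERT INTO admin_user VALUES ('admin','...');\n",
        "db.tar.gz": b"\x1f\x8b archive",
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, size, score in find_exposed_archives(build_demo_docroot()):
        print(f"score={score} {size:>6}B  {rel}")
```

On a real host, call `find_exposed_archives("/var/www/html")` (or whatever the document root is). Anything it lists should be moved outside the document root rather than hidden; as a second line of defence, an nginx rule such as `location ~* \.(sql|zip|tar|gz|bak)$ { deny all; }` stops the web server from handing out archives that land there by mistake.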
↘️ A new malware called Vector Stealer, which is offered for sale for 63 Bitcoin, has been spotted with capabilities to steal .rdp files, enabling threat actors to perform RDP hijacking as these files contain details about the RDP session, including information needed for remote access. [Cyble]
↘️ Several hospital websites in the Netherlands and elsewhere in Europe have likely been targeted by a pro-Kremlin hacking group known as Killnet. The development comes as websites of German airports, public administration bodies and financial sector entities, as well as U.S. hospitals, were hit in attacks orchestrated by the same group. Since Russia began its invasion of Ukraine more than a year ago, the threat landscape has irrevocably shifted: a barrage of attacks, a renewed focus on cyber espionage, and new fault lines between former cybercrime allies. Hacking groups like Killnet and NoName057(16) have targeted an array of government institutions, businesses and organizations across Europe and the U.S. The attacks are part of the groups’ cyber operations aimed at crippling entities in countries that support Ukraine. The hacktivist actors have also leveraged a new DDoS-as-a-Service (DDoSaaS) offered by a threat actor called Passion for $120 a month. “Over the years, DDoS-as-a-Service became a standard tool for hacktivists because it allows those without the ability to build and manage a botnet to launch significantly larger and more impacting attacks,” researchers said. [Security Week / Dark Reading / The Record / Ars Technica / Cado Labs / Radware]
↘️ Threat actors have been spotted using the legitimate ClickFunnels service to create fraudulent pages with the goal of bypassing security services and redirecting users to malicious links. That’s not all. In another innovative technique designed to skirt security filters, phishing actors are using “blank images” within HTML attachments that, when opened, automatically redirect the victim to a rogue URL. The SVG image is encoded using the Base64 encoding format and comes with an embedded JavaScript code. [Avanan]
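The “blank image” lure works because the attachment is HTML, the image inside it is an SVG, and SVG can carry script. An attachment scanner therefore has to decode the Base64 data URI and look inside the image rather than trust its MIME type. The following is an added example, not code from the page or from Avanan: it decodes every SVG data URI in an HTML file and reports whether the image carries script or navigation code and which URLs it references. Both HTML samples are constructed for this example; which element carries the data URI varies between kits, so the scanner does not depend on it.

```python
import base64
import re
from typing import Dict, List

# ---- Constructed samples (not from the page, Avanan, or any real phishing kit) ----
# A 1x1 "blank" SVG whose only job is to redirect the viewer once the attachment renders.
_PHISH_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<script>window.location.href="https://attacker.invalid/login";</script>'
    "</svg>"
)
# A harmless inline logo for comparison.
_BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">'
    '<rect width="16" height="16" fill="#336"/></svg>'
)


def wrap_in_html_attachment(svg: str) -> str:
    """Embed an SVG in an HTML file as a Base64 data URI, the way the lure carries it."""
    b64 = base64.b64encode(svg.encode()).decode()
    return (
        "<html><body><p>Please review the attached document.</p>"
        f'<object type="image/svg+xml" data="data:image/svg+xml;base64,{b64}"></object>'
        "</body></html>"
    )


SAMPLE_PHISH_HTML = wrap_in_html_attachment(_PHISH_SVG)
SAMPLE_BENIGN_HTML = wrap_in_html_attachment(_BENIGN_SVG)

# ---- Scanner ----
SVG_DATA_URI = re.compile(r"data:\s*image/svg\+xml\s*;\s*base64\s*,\s*([A-Za-z0-9+/=\s]+)", re.I)
# Anything that lets an "image" run code or navigate the browser.
ACTIVE_CONTENT = re.compile(
    r"<script\b|\bon\w+\s*=|javascript:|window\.location|\blocation\.(?:href|replace|assign)"
    r"|document\.write|\bsetTimeout\b|<foreignObject\b|<iframe\b",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s\"'<>;]+", re.I)


def extract_svg_data_uris(html: str) -> List[str]:
    """Decode every Base64 SVG data URI in the HTML; undecodable blobs are skipped."""
    payloads = []
    for m in SVG_DATA_URI.finditer(html):
        compact = re.sub(r"\s+", "", m.group(1))
        try:
            payloads.append(base64.b64decode(compact).decode("utf-8", errors="replace"))
        except ValueError:
            continue
    return payloads


def scan_html_attachment(html: str) -> List[Dict]:
    """One record per embedded SVG: whether it carries active content, which markers, and any URLs."""
    results = []
    for i, svg in enumerate(extract_svg_data_uris(html)):
        markers = sorted({m.group(0).lower() for m in ACTIVE_CONTENT.finditer(svg)})
        results.append({
            "index": i,
            "active_content": bool(markers),
            "markers": markers,
            "urls": URL_RE.findall(svg),
        })
    return results


if __name__ == "__main__":
    for label, html in (("phish", SAMPLE_PHISH_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(label, scan_html_attachment(html))
```

The check is deliberately content-based: an `.html` attachment with an embedded SVG that contains `<script>`, event handlers or a `location` assignment has no business in a mail stream, whatever the sender or subject line says. Treat any URL it yields that is not the organization’s own as the destination to block and to search for in proxy logs.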
↘️ A new information stealer called Stealc is being advertised for sale on underground forums, enabling threat actors to steal a wide range of sensitive data from compromised systems. Malware-as-a-service tools like Stealc lower the entry barrier to the cybercrime world by allowing amateur criminals without advanced technical skills to purchase readymade kits from online marketplaces and quickly and easily launch cyber attacks. [The Hacker News]
↘️ OpenAI’s ChatGPT has been all the rage since its release last year. Now threat actors are leveraging the AI tool to “improve” the code of a basic infostealer by overriding its security guardrails, including through Telegram bots that utilize the less restrictive OpenAI APIs to craft malware and phishing emails. The illicit bot services are being advertised on criminal forums, thereby opening a Pandora’s box that could bombard the world with potentially harmful content. What’s more, cybercriminals are capitalizing on ChatGPT’s popularity by creating fake websites that advertise Android and Windows apps spoofing the brand’s name to deploy stealers and other malware. [Check Point / The Hacker News]
↘️ Password management company Dashlane made its mobile app code for Android and iOS available on GitHub for public perusal in a broader push to make its platform more transparent. It’s not open source, meaning users cannot fork the code or use it for their own applications. [Dashlane]
↘️ Nickolas Sharp, 37, a former senior developer of network technology provider Ubiquiti pleaded guilty to multiple felony charges on Thursday for posing as an anonymous hacker and a whistleblower in an attempt to extort almost $2 million from the company following an orchestrated security breach in December 2020. [U.S. Department of Justice / The Verge]
↘️ Two fraudulent apps named Ace Pro and MBM_BitScan slipped past the app stores run by both Google and Apple, allowing the threat actors to push users into making fake cryptocurrency investments. The scheme is known as pig butchering, where scammers develop a relationship with victims through apps like Tinder, get them to download a seemingly legitimate app, and then eventually get them to deposit money into the app. The invested funds are then stolen by the operators. What’s unusual is that the apps managed to get past Apple’s App Store guardrails by connecting to a remote website with benign functionality, such as a QR code scanner, when they were originally submitted for review. After approval, the domains were switched to point to a rogue server to complete the scam. These apps are also unaffected by iOS’ new Lockdown Mode, as they were directly available via the App Store. Sophos called it a “well-organized, syndicated scam operation that uses a combination of romance-centered social engineering and fraudulent crypto trading applications and websites to lure victims and steal their money after gaining their confidence.” The findings indicate the criminals’ success in getting malicious apps into the official app stores. [The Hacker News / Ars Technica / WIRED / Sophos / ESET]
↘️ Pig butchering, romance scams and other kinds of investment fraud cost victims about $3.3 billion in 2022, overtaking business email compromise (BEC) and even ransomware. “It is the long duration and complexity of the communications these scam rings engage in that makes them particularly convincing to even some more skeptical targets,” Sophos threat researcher Sean Gallagher said. “These keyboarders are part of an industrialized scam operation that is willing to invest hundreds of hours in conversation with victims in order to steer them toward investment and then extract all the value they can from them. They have refined emotional manipulation to a science.” [Cofense / Sophos / WIRED]
↘️ Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested in France. [Krebs on Security]
↘️ Embattled Israeli spyware vendor NSO Group acknowledged that its clients had sometimes misused the company’s hacking tools like Pegasus but defended the need to give law-enforcement and intelligence agencies the ability to digitally break into and monitor smartphones. [Wall Street Journal]
↘️ Researchers have identified a new backdoor associated with a malware downloader known as Wslink that’s possibly part of the large cache of tools maintained and deployed by the Lazarus Group, a tenacious and prolific threat actor originating from North Korea. [The Hacker News]
↘️ An advanced malware called HiatusRAT is turning business-grade routers used by medium-sized businesses worldwide into attacker-controlled listening posts that can sniff email and steal files in an ongoing campaign hitting North and South America and Europe. The attacks have dual goals: to steal data in targeted attacks and to co-opt routers into a covert command-and-control (C2) infrastructure for mounting hard-to-trace proxy campaigns. [The Hacker News]
↘️ The U.K. and U.S. governments sanctioned seven alleged members of the notorious TrickBot gang for their connections to the Conti and Ryuk ransomware brands. The sanctions mark the first public attribution formally linking all three groups to a single criminal enterprise. The move also follows disclosure last month that law enforcement agencies had infiltrated the Hive ransomware infrastructure and had been stealthily providing victims with decryption keys for months. TrickBot, which began life as a banking trojan, evolved into a multifaceted cyber Swiss Army knife that, once ensconced on a victim machine, can be used to deliver additional payloads. The TrickBot gang officially shut its operations last year and merged with Conti. [The Hacker News / The Record / WIRED / Dark Reading]
↘️ Cryptocurrency services continue to be a prime source of revenue for cybercriminals, who plundered a record-breaking $3.8 billion in 2022 alone. Much of the crypto cybercrime boom can be attributed to attacks by North Korean state-backed actors, who are estimated to have stolen $1.65 billion. [The Hacker News]
↘️ A security vulnerability in Arm Mali GPU (CVE-2022-38181, CVSS score: 8.8) could be exploited to achieve arbitrary kernel code execution and root on Pixel 6 phones using a malicious app installed on the targeted device. Fixes for the flaw were released by Arm and Google in October 2022 and January 2023. The disclosure also comes as two security defects were disclosed in the XNU kernel, both of which existed for 19 years. [GitHub]
↘️ After a three-month-long lull, the notorious Emotet malware operation has resurfaced yet again as of March 7 with renewed phishing activity. The emails arrive in victim inboxes as innocuous-looking replies to existing email conversations and threads, a technique called email thread hijacking. Emotet, which emerged as a banking trojan in 2014, has evolved into a sophisticated and lucrative malware delivery vehicle. It has also survived multiple takedown attempts. [The Hacker News]
↘️ A new Linux version of a botnet called Medusa (not to be confused with an Android banking trojan of the same name) has been spotted with capabilities to execute DDoS attacks, steal sensitive data, deploy ransomware, and brute-force internet-connected devices to inject additional payloads and further propagate the infection. Available for sale since 2015, Medusa is a variant of the Mirai botnet. [Cyble]
↘️ Google suspended popular Chinese app Pinduoduo from the Play Store after flagging it as malware for containing backdoor functionality. PDD Holdings, the company behind the app, has denied any wrongdoing. [Krebs on Security / TechCrunch / Reuters / Bloomberg]
↘️ A new threat actor TA866 has been linked to a phishing campaign targeting companies in Germany and the U.S. It’s called Screentime due to the tactics used by the group to whittle down a large pool of potential victims to the most lucrative targets. The attacks involve a preliminary evaluation of breached systems to determine if they are deemed valuable enough for further intrusion, including serving off-the-shelf malware such as Rhadamanthys Stealer. [The Hacker News]
↘️ Reddit disclosed that one of its employees fell victim to a phishing scam that enabled the threat actor to grab the employee’s credentials and 2FA tokens and gain unauthorized access to its internal systems. The incident highlights how attackers are increasingly finding ways around multi-factor authentication (MFA) schemes through techniques like adversary-in-the-middle (AitM) phishing pages and MFA fatigue. It’s not the first time a successful credential phishing campaign has led to a breach of Reddit’s network: in 2018, a similar attack led to the theft of sensitive user data. [The Hacker News / Ars Technica / Dark Reading]
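Of the two bypasses named above, MFA fatigue is the one that leaves a clear trail in identity-provider logs: a burst of push prompts to one user, most of them denied or ignored, followed by an approval. The following is an added example, not code from the page or from Reddit: a sliding-window detection over constructed JSON-lines authentication events. The log format and field names are assumptions for this example and would need mapping to a real IdP’s export; AitM phishing, where the attacker relays a real session, is not something this rule catches.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed identity-provider log (JSON lines), not from Reddit or any real IdP. Alice is
# bombarded with push prompts and finally approves one; Bob gets a single normal prompt.
SAMPLE_LOG = """\
{"ts": "2023-02-09T08:00:01Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.5"}
{"ts": "2023-02-09T08:00:20Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.5"}
{"ts": "2023-02-09T08:00:40Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.5"}
{"ts": "2023-02-09T08:01:15Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.5"}
{"ts": "2023-02-09T08:01:50Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.5"}
{"ts": "2023-02-09T08:02:30Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.5"}
{"ts": "2023-02-09T08:03:10Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.5"}
{"ts": "2023-02-09T08:03:25Z", "user": "alice", "event": "mfa_push_approved", "src_ip": "203.0.113.5"}
{"ts": "2023-02-09T08:05:00Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "198.51.100.7"}
{"ts": "2023-02-09T08:05:10Z", "user": "bob", "event": "mfa_push_approved", "src_ip": "198.51.100.7"}
"""

PUSH_THRESHOLD = 4                 # prompts to one user inside the window before alerting
PUSH_WINDOW = timedelta(minutes=10)


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_mfa_fatigue(events: List[Dict], threshold: int = PUSH_THRESHOLD,
                       window: timedelta = PUSH_WINDOW) -> List[Dict]:
    """Sliding-window count of push prompts per user. One alert per user burst; the alert is
    upgraded if the user approves a prompt while the burst is still inside the window."""
    recent: Dict[str, deque] = defaultdict(deque)
    active: Dict[str, Dict] = {}
    alerts: List[Dict] = []
    for rec in events:
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:          # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = active.get(user)
                if alert is None:
                    alert = {"user": user, "first": q[0], "last": ts, "pushes": len(q),
                             "approved_after_burst": False}
                    active[user] = alert
                    alerts.append(alert)
                alert["last"], alert["pushes"] = ts, len(q)
        elif rec["event"] == "mfa_push_approved":
            alert = active.get(user)
            if alert is not None and ts - alert["last"] <= window:
                alert["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)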
↘️ Vladislav Klyushin, 42, a Russian national and owner of Moscow-based cybersecurity firm M-13, has been convicted in a U.S. court for his role in a $90-million insider trading case that involved accessing non-public information stolen from U.S. computer networks as part of a hack-and-trade scheme carried out between 2018 and 2020. The attacks deployed malware that could harvest and steal employee login information to gain access to victim networks and steal earnings reports before they were made public. Prosecutors said Klyushin, who was extradited from Switzerland to the U.S. on December 18, 2021, had sensitive connections to the Russian government and Russian military hackers. Klyushin’s four other associates remain at large. [U.S. Department of Justice]
↘️ The SideWinder APT has been linked to a 2020 attack on the Maldivian government as well as a series of phishing operations that targeted organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021. The findings expand the known scope of the threat actor’s attack spree and show the group casting a far wider net than previously thought, using a trove of custom tools including previously unidentified remote access Trojans (RATs), information stealers, reverse shells, and stagers. They also reveal something previously unknown about the group: an interest in targeting cryptocurrency. [The Hacker News]
↘️ Cybersecurity authorities in the E.U. have warned of sustained malicious cyber activity orchestrated by China-linked threat actors such as APT27, APT30, APT31, Ke3chang, GALLIUM, and Mustang Panda. “Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organizations of strategic relevance,” the agencies said. [ENISA]
↘️ Researchers are warning about an uptick in malicious cyber activity targeting data center service providers globally. The recent attacks witnessed “bad actors attempt[ing] to leverage a weakness in their cybersecurity supply chain with the goal of stealing sensitive data from their target enterprises and government organizations.” [Resecurity]
↘️ A previously unknown hacking group is targeting the telecom sector in the Middle East in what appears to be a cyber espionage campaign similar to many that have hit similar organizations in multiple countries in recent years. The cluster is being tracked as WIP26, a “work in progress” designation SentinelOne uses for activity it has not been able to attribute to any specific cyber attack group. [The Hacker News]
↘️ A cryptocurrency mining operation has been observed targeting macOS with pirated software since at least 2019. The malware is believed to have undergone three major development stages, each time adding more complex evasion techniques. The latest versions of the poisoned software are an improvement over previous samples of the malware, with obfuscation features that have made it almost invisible to malware scanners. [The Hacker News / Dark Reading]
↘️ Popular crypto exchange Coinbase said it was ensnared in an Oktapus-related smishing attack that resulted in the exposure of employee data. The incident once again demonstrates how human error remains a key factor in the success of cyber attacks, and the risk that increasingly sophisticated social engineering campaigns pose to enterprises. [The Hacker News]
↘️ And the Anker security fiasco finally comes to an end. The company admitted its Eufy security cameras are not natively end-to-end encrypted and noted that it’s fixed the issues. [The Verge]
↘️ The U.S. Federal Bureau of Investigation (FBI) managed to get hold of the real IP address of a suspect using the Tor Browser as part of an ongoing anti-terrorism case. Muhammed Momtaz Al-Azhari was charged in 2020 with attempting to provide material support to the Islamic State and with using the browser to visit an ISIS-related website on the dark web in May 2019. The question remains: how did the agency get this information when the browser is designed to anonymize its users? The FBI is not revealing how it did it. One possibility raised is that the FBI hosted a Tor entry node of its own to capture the IP address; a guard node by itself, though, sees only that a client IP is using Tor and not which onion site it visits, so that alone would not tie a user to a particular page and would have to be combined with something else. [Vice]
↘️ 2022 witnessed 6.3 trillion overall intrusion attempts, an increase of 19% year-over-year, according to SonicWall. It also recorded 5.5 billion malware attacks, a 2% increase year-over-year. There was also a 43% increase in cryptojacking malware and an 87% increase in IoT malware, which offset a 21% decline in ransomware volumes. [SonicWall]
↘️ Embattled password manager LastPass shared more details of the data breach that took place last year, and it’s not looking good. To pull off the heist, the adversary infiltrated the home computer of one of its DevOps engineers and planted keylogger software that ultimately made it possible to extract encrypted password vaults from its cloud storage environment. This attack path is neither simple nor direct, but the idea of an attacker targeting a privileged employee’s personal accounts or devices as a way into a corporate network is far from novel. It’s a time-worn technique and often a successful one, though the methods attackers use have evolved over time. Given that the scope of the incident has kept changing with each disclosure, the latest twist in the tale is unlikely to win back much trust. [The Hacker News / LastPass]
↘️ A new UEFI bootkit called BlackLotus has become the first publicly known malware to bypass Windows Secure Boot protections. The Unified Extensible Firmware Interface (UEFI) is the software that connects the operating system with the hardware that runs it. It gets executed when a computer powers up and dictates the booting sequence before the operating system starts any of its routines. These traits make the UEFI an ideal place to launch malware. The major threat posed by UEFI bootkits is well known: With control over the operating system’s boot process, they can disable security mechanisms and deploy kernel- or user-mode payloads during system startup, operating stealthily and with high privileges. Needless to say, it represents a milestone in the continuing evolution of UEFI bootkits. It’s currently not clear how many devices have been infected by BlackLotus or how it gets installed. [The Hacker News / Eclypsium / Binarly]
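The page says it is not yet known how BlackLotus gets installed, so there is no indicator to match on. What a defender can still do, because a UEFI bootkit has to place its loader on the EFI System Partition (ESP) that the operating system can read, is baseline the EFI executables there and diff them over time. The following is an added example, not code from the page, Eclypsium or Binarly: hash every `.efi` under an ESP, compare against a saved baseline, and report what was added, removed or changed. The ESP layout and file contents are constructed for this example.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List

# Only executables the firmware can load are worth baselining.
EFI_SUFFIXES = (".efi",)


def hash_efi_tree(esp_root: str) -> Dict[str, str]:
    """SHA-256 of every EFI executable under the mounted ESP, keyed by path relative to its root."""
    digests: Dict[str, str] = {}
    for dirpath, _, files in os.walk(esp_root):
        for name in files:
            if not name.lower().endswith(EFI_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, esp_root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def compare_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Anything added or changed since the baseline is a candidate rogue boot component."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Build a throwaway ESP layout, baseline it, then simulate a bootkit install
    (one loader replaced, one new loader dropped) and report the difference."""
    esp = tempfile.mkdtemp(prefix="esp-")
    _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"MZ original windows boot manager")
    _write(esp, "EFI/BOOT/BOOTX64.EFI", b"MZ original fallback loader")
    baseline = hash_efi_tree(esp)
    _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"MZ patched boot manager")
    _write(esp, "EFI/Microsoft/Boot/grubx64.efi", b"MZ unexpected second loader")
    return compare_baseline(baseline, hash_efi_tree(esp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine, run `hash_efi_tree` against the mounted ESP (commonly `/boot/efi` on Linux, or the `S:` volume after `mountvol S: /S` on Windows) right after provisioning, keep the JSON baseline off the box, and re-run from trusted boot media when checking a suspect host, since a bootkit that is already controlling the boot chain can also interfere with tools run from the infected OS. Pair the diff with the Secure Boot state (`mokutil --sb-state` on Linux, `Confirm-SecureBootUEFI` in PowerShell): a changed loader on a machine that reports Secure Boot as enabled is exactly the situation this story describes.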
↘️ Meta disclosed that “Russian-origin attempts at covert activity (CIB) related to Russia’s war in Ukraine have sharply increased, [while] overt efforts by Russian state-controlled media have reportedly decreased over the last 12 months” across its platform. The covert influence operations, which are propaganda networks designed to spread misinformation, influence elections, undermine trust, and sow discord between different social groups, substituted quality with quantity and bears “a closer resemblance to a spammers’ playbook.” It also said it took action against two networks engaging in coordinated inauthentic behavior (CIB) in Serbia and Cuba. The disclosure comes close on the heels of a new investigation that has unmasked an Israeli covert disinfo unit called Team Jorge that claims to have manipulated more than 30 elections around the world for a fee using a “disinformation-as-a-service” platform. [Meta / The Guardian / Forbidden Stories / Atlantic Council / WIRED / CyberScoop / Graphika]
↘️ Two U.S. men, Sagar Steven Singh and Nicholas Ceraolo, have been charged with hacking into a U.S. Drug Enforcement Administration (DEA) portal last year. Both are alleged to be part of a larger criminal organization that specializes in using fake emergency data requests, sent from compromised police and government email accounts, to publicly threaten and extort their victims. [Krebs on Security / Vice]
↘️ Serious security flaws have been discovered in the implementation of the Open Authorization (OAuth) SSO feature used by the online travel agency Booking.com (and its sister site Kayak.com) that could have been abused to take control of a user’s account, gain full visibility into their personal or payment-card data, and perform actions on the victim’s behalf. In order to exploit these vulnerabilities, an attacker would have needed to trick the targeted user into clicking on a specially crafted link to obtain the authentication codes. [Salt Security / Dark Reading / Ars Technica]
↘️ A new phishing campaign is targeting Eastern European institutions and businesses, likely including Ukraine, with Remcos RAT and Formbook using a malware loader called DBatLoader. [The Hacker News]
↘️ Threat actors connected to the North Korean government (codenamed UNC2970) have been linked to a hacking campaign that uses new techniques and malware in hopes of gaining a foothold inside media and tech companies. [The Hacker News]
↘️ AI-generated video tutorials on how to access cracked software are directing unsuspecting users to links loaded with info-stealer malware. The videos, generated using tools like Synthesia and D-ID, feature fake personas to make the lures more compelling and trustworthy to its targets, supercharging threat actors’ ability to deliver malware. [The Hacker News]
↘️ European and U.S. law enforcement officials took down ChipMixer, a cryptocurrency mixer responsible for processing transactions worth more than $3 billion linked to criminal activity. Among ChipMixer’s prominent users were the Lazarus Group, an online crime syndicate connected to the North Korean government, and ransomware crews. The takedown is the latest in a string of international operations to shutter cryptocurrency infrastructure involved in laundering criminal proceeds. [The Hacker News / Forbes]
↘️ Cybercriminals flooded the threat landscape with almost 200,000 new mobile banking trojans in 2022, twice the number of banking trojans than the year before, marking the biggest acceleration of mobile malware development seen in the last six years. [The Hacker News]
↘️ 20-year-old Conor Fitzpatrick was charged in the U.S. for his role as an administrator of BreachForums, which facilitated access to sensitive personal information stolen from several companies. Law enforcement was able to tie Fitzpatrick to running the site using data obtained from Verizon, Google, and Apple, and he also outed himself through a number of apparent operational security failures. If convicted, he faces up to five years in prison. [The Hacker News / The Record / CyberScoop]
↘️ A new botnet called Andoryu has been found to communicate with its command-and-control (C2) servers using the SOCKS5 protocol. It propagates by exploiting remote code execution flaws in GitLab and Lilin DVRs. [QiAnXin]
↘️ Between January 2020 and June 2022, cybercriminal gangs and threat groups posted more than 200,000 advertisements on 155 dark web forums seeking attack specialists, reverse engineers, and testers with skills in software development, maintaining IT infrastructure, and designing fraudulent sites and email campaigns, highlighting a boom in activity and the professionalization of the cybercrime ecosystem. The highest-paying job offered a monthly salary of $20,000, while ads for capable attack specialists topped out at $15,000 per month. The development comes as darknet markets made $1.5 billion in revenue in 2022, down from $3.1 billion in 2021 due to the demise of the Hydra marketplace. That said, deep and dark web ads and sellers promoting counterfeit currency witnessed a 91% jump year-over-year. [Kaspersky / Intel 471 / Chainalysis / Cybersixgill]
↘️ A new likely Russia state-nexus adversary called Gossamer Bear has been attributed to credential collection campaigns targeting government research labs, military suppliers, logistics companies, and non-governmental organizations (NGOs) in Ukraine from August 2022. The adversary, active since at least 2014 and maintaining a high operational tempo coinciding with the Russo-Ukrainian war, is also said to have engaged in consistent targeting of U.K. government organizations and associated entities. [CrowdStrike]