Ngioweb malware fuels NSOCKS proxy
IoT devices are the target of a malware that turns them into a proxy botnet
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition’s top stories:
↘️ NSO Group repeatedly developed and used exploits for abusing WhatsApp’s servers to install Pegasus on target devices, including at least once after WhatsApp had sued the company over the issue. NSO Group installed and operated the spyware on behalf of its customers, making the company directly liable for the spyware’s use, new court documents allege. Pegasus is a controversial mobile spyware designed to secretly monitor and extract data from iOS and Android smartphones. NSO Group claims to sell the technology solely to authorized government agencies for legitimate law enforcement, crime-fighting, and anti-terror purposes. But it has repeatedly come to light that the tool has been misused, particularly in authoritarian regimes, to target journalists, human rights activists, political dissidents, and others critical of the government. In recent years, there has been a sharp increase in the number of commercial spyware vendors, driven largely by demand from government agencies. [The Hacker News / The Record]
↘️ Code-hosting platform GitHub on Tuesday announced a new effort to improve the security and sustainability of open source projects through financial help, education, mentorship, tooling, and certification. To that end, the company is inviting applications for the GitHub Secure Open Source Fund until January 7, 2025. [GitHub]

↘️ Ransomware groups are increasingly targeting weekends and holidays, when cybersecurity teams are typically short-staffed, in order to create maximum impact. “Companies are suffering successful ransomware attacks multiple times within the same year—resulting in closures, layoffs, loss of revenue and customer trust, and cancelation of cyber insurance,” Semperis said. “78% of targeted organizations paid the ransom — 72% paid multiple times, and 32% paid 4 times or more.” Threat to business reputation, access to cyber insurance, and the need to quickly restore normal operations have been cited as the main reasons for paying ransom. [Semperis]
↘️ A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices, infecting them with a malware called Ngioweb, and monetizing the resulting botnet by putting the devices up for sale on a residential proxy marketplace called NSOCKS. There is a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help obscure where their malicious activities originate. “These [botnets] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks,” the researchers said. [The Hacker News]
↘️ A new China-linked cyber espionage group called Liminal Panda has been attributed to a series of targeted cyber attacks against telecommunications entities in South Asia and Africa since at least 2020, with the goal of enabling intelligence collection. “This adversary compromised these networks by exploiting trust relationships between telecommunications organizations and poor security configurations, allowing them to create footholds to install multiple redundant routes of access across the affected organizations,” CrowdStrike said. [The Hacker News]
↘️ U.S. authorities have charged five individuals with running a multi-year phishing scheme designed to compromise companies and steal data and cryptocurrency. Between September 2021 and April 2023, the defendants disseminated mass SMS phishing messages to employees of various target companies. These messages deceptively indicated account deactivation warnings, directing users to phishing sites mirroring genuine business service providers. These sites attempted to lure the employees into providing confidential information, including account login credentials. Employees who took the bait and entered their credentials on these fake sites had their login information intercepted and used to gain unauthorized access to corporate systems, resulting in the theft of intellectual property and personal identifiers. The members are alleged to be part of the Scattered Spider gang, which has ties to a broader group called The Com. [The Hacker News]
↘️ The China-linked advanced persistent threat (APT) Gelsemium has been observed using two new Linux backdoors named Wolfsbane and FireWood. Throughout its history, Gelsemium has focused on information gathering from Windows systems. Now, it has adapted its tooling to operate just as effectively in Linux environments by modifying existing backdoors Gelsevirine and Project Wood to operate on Linux. The change is likely the manifestation of a long-brewing trend wherein threat actors are increasingly targeting Linux systems. [The Hacker News]
↘️ Telecommunications and financial sectors are the target of a new phishing campaign that leverages an arsenal of legitimate services like Google Docs to redirect victims to Weebly pages designed to harvest their credentials. In abusing widely-used tools in enterprise environments, the idea is to blend in with regular network traffic and evade anti-phishing scanners. “Attackers abuse legitimate Google Docs servers as the initial phishing delivery vector, embedding malicious links inside Google Doc presentations to redirect victims to Weebly-hosted fake login pages,” researchers said. “The threat actors use dynamic DNS for subdomain rotation to keep phishing pages active, making detection and takedown efforts more challenging.” Additional tactics include the incorporation of tracking tools like Snowplow Analytics, Google Analytics, Sentry.io, and Datadog into their phishing kits to monitor key metrics like engagement rates and evaluate the effectiveness of their campaigns. The development coincides with the emergence of a new phishing kit called Gabagool that employs Cloudflare R2 buckets for phishing by hosting malicious content or phishing landing pages. “The attackers start by compromising email accounts and sending phishing emails containing malicious links,” the researchers said. “These links direct victims to fake documents hosted on platforms like SharePoint, SugarSync, or Box, which then reroute to a phishing page hidden within a Cloudflare R2 bucket.” [EclecticIQ / TRAC Labs]
↘️ Attackers are targeting Magento e-commerce websites with a new JavaScript-based skimming malware that can dynamically lift payment details from checkout pages. “This malware dynamically creates a fake credit card form or extracts payment fields directly depending on the variant of the malware, activating only on checkout pages,” Sucuri said. “The stolen data is then encrypted and exfiltrated to a remote server.” [Sucuri]
↘️ A new credential phishing scheme is targeting OpenSea users by impersonating the legitimate website, with the end goal of tricking email recipients into connecting their crypto wallets to the phishing page and ultimately draining them. “This campaign demonstrates the speed with which tactics are evolving and the increasing use of tailored credential phishing attacks by threat actors within the expanding crypto and NFT landscape,” researchers said. The development comes as email phishing attacks are increasingly using archive file types other than .zip, such as .rar, .7z, .tar, .gz, .bz, and .xz, to evade security filters. [Cofense]
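Filters that key only on a `.zip` extension miss the other archive formats named above, and a renamed file defeats an extension check altogether. The added example below (written for this roundup, not code from Cofense or any vendor) identifies archive attachments by their leading bytes instead, so a `.rar` or `.xz` delivered as `photo.jpg` is still flagged. The file names and the sample payloads are constructed; the RAR header is a hand-built stub, while the zip, gzip, bzip2 and xz samples are produced by the Python standard library.

```python
import bz2
import gzip
import io
import lzma
import zipfile

# Content signatures: (offset, magic bytes). tar keeps its "ustar" marker at offset 257.
ARCHIVE_MAGIC = {
    "zip":   (0, b"PK\x03\x04"),
    "rar":   (0, b"Rar!\x1a\x07"),
    "7z":    (0, b"7z\xbc\xaf\x27\x1c"),
    "gzip":  (0, b"\x1f\x8b"),
    "bzip2": (0, b"BZh"),
    "xz":    (0, b"\xfd7zXZ\x00"),
    "tar":   (257, b"ustar"),
}

# Which file extensions honestly describe which content type.
EXTENSION_TO_KIND = {
    "zip": "zip", "rar": "rar", "7z": "7z", "gz": "gzip", "tgz": "gzip",
    "bz": "bzip2", "bz2": "bzip2", "xz": "xz", "tar": "tar",
}


def sniff_archive(data: bytes):
    """Return the archive type implied by the bytes, or None if no signature matches."""
    for kind, (offset, magic) in ARCHIVE_MAGIC.items():
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the content is and emit review flags."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff_archive(data)
    flags = []
    if kind is not None:
        flags.append("archive-by-content")
        if EXTENSION_TO_KIND.get(ext) != kind:
            # An archive wearing a non-archive (or wrong) extension is the evasion case.
            flags.append("misleading-extension")
    if len(parts) > 2:
        flags.append("double-extension")
    return {"name": filename, "content_type": kind, "extension": ext, "flags": flags}


def triage_all(samples: dict) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


def build_samples() -> dict:
    """Constructed attachments for the demonstration; none come from a real campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "constructed sample")
    return {
        "report.zip": buf.getvalue(),
        "invoice.gz": gzip.compress(b"constructed sample"),
        "scan.bz2": bz2.compress(b"constructed sample"),
        "statement.xz": lzma.compress(b"constructed sample"),
        # RAR5 signature followed by padding: a constructed stub, not a valid archive.
        "photo.jpg": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
        "notes.txt": b"just text",
    }


if __name__ == "__main__":
    for name, verdict in triage_all(build_samples()).items():
        print(f"{name:14} -> {verdict['content_type']!s:6} {verdict['flags']}")
```

The magic-byte table covers exactly the formats the item lists; a production filter would also open the container and inspect what it holds, since the archive itself is only the wrapper.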
↘️ Recraft stands apart from other diffusion models for its ability to parse language tasks and generate photorealistic images. For instance, given the prompt “A piece of paper that prints the result of 2+2=,” the AI tool not only prints the text “2+2=” but also includes the result of the mathematical operation in the image (i.e., 2+2=4). New research has found that it's possible to take advantage of this feature to leak its internal system prompts. This stems from its unique architecture combining AI model Claude, which is used to rewrite the prompts with the expected output, with a diffusion model. [Invicti]
↘️ While two people have been arrested in connection with allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, new evidence shows that a third suspect, who goes by the alias Kiberphant0m, is a U.S. Army soldier who is or was recently stationed in South Korea. [Krebs on Security]
↘️ An international law enforcement operation has arrested 11 people and dismantled a pirate streaming service that served over 22 million users worldwide and made €250 million ($263 million) per month. The platform captured and resold copyrighted live broadcasts and on-demand content from major broadcasters like Sky, Dazn, Mediaset, Amazon Prime, Netflix, Disney+, and Paramount. Over 2,500 illegal channels and servers that managed the service have been seized. [Postal and Communications Police]
↘️ A 31-year-old Kansas City man, Nicholas Michael Kloster, has been arrested and charged in the U.S. for breaking into a non-profit and a health club business in the area to pitch his cybersecurity business by posting about it on social media with the message “how to get a company to use your security service.” Kloster has been charged with one count of accessing a protected computer without authorization and obtaining information. [Department of Justice]
↘️ A script kiddie likely of Russian origin has been using publicly available malware tools from GitHub and exploits targeting weak credentials, configurations, and known security flaws to assemble a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale. What distinguishes the campaign is the manner in which these utilities are integrated. “Instead of forking repositories, the tools are downloaded and modified locally, suggesting a level of customization and adaptability,” Aqua said. The threat actor has established a store of sorts on Telegram, where customers can buy different DDoS plans and services in exchange for a cryptocurrency payment. While DDoS attacks have been a standard item in attacker playbooks for a long time, they have found a new meaning in the aftermath of the Russo-Ukrainian war in 2022. [The Hacker News]
↘️ A public analysis of the security and privacy properties of MMTLS, a modified version of TLS 1.3 that’s used by WeChat, has uncovered implementation weaknesses that are “inconsistent with the level of cryptography you would expect in an app used by a billion users, such as its use of deterministic IVs and lack of forward secrecy.” [The Citizen Lab]
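Why a deterministic IV is singled out as a weakness: in a counter-mode or stream construction the IV (nonce) selects the keystream, so two records encrypted under the same key and the same nonce are XORed with identical keystream, and an observer who XORs the two ciphertexts obtains the XOR of the two plaintexts without the key. The added example below is written for this roundup, not code from The Citizen Lab or from MMTLS; it uses a toy HMAC-SHA256 keystream (constructed, not a real cipher) purely to show the effect, and contrasts nonce reuse with the per-record sequence-number nonces that TLS 1.3 uses to keep every nonce unique under a key.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Constructed for illustration only; it is not MMTLS and not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def observer_xor(ct1: bytes, ct2: bytes) -> bytes:
    """What a passive observer can compute from two ciphertexts alone."""
    n = min(len(ct1), len(ct2))
    return xor_bytes(ct1[:n], ct2[:n])


def record_nonce(static_iv: bytes, seq: int) -> bytes:
    """TLS 1.3 style nonce: static IV XOR the record sequence number, so nonces never repeat
    under one key even though they are derived deterministically."""
    return xor_bytes(static_iv, seq.to_bytes(len(static_iv), "big"))


def leak_with_fixed_nonce(key: bytes, p1: bytes, p2: bytes) -> bytes:
    fixed_nonce = b"\x00" * 12  # the same nonce for every record: the weak setting
    return observer_xor(encrypt(key, fixed_nonce, p1), encrypt(key, fixed_nonce, p2))


def leak_with_sequence_nonce(key: bytes, p1: bytes, p2: bytes) -> bytes:
    static_iv = b"\x42" * 12
    c1 = encrypt(key, record_nonce(static_iv, 0), p1)
    c2 = encrypt(key, record_nonce(static_iv, 1), p2)
    return observer_xor(c1, c2)


if __name__ == "__main__":
    # Constructed key and messages; same length so the whole XOR is visible.
    key = b"k" * 32
    p1 = b"balance: 100 USD"
    p2 = b"balance: 900 USD"
    leaked = leak_with_fixed_nonce(key, p1, p2)
    print("fixed nonce leaks p1^p2:", leaked == xor_bytes(p1, p2))       # True
    print("known p1 recovers p2:", xor_bytes(leaked, p1) == p2)          # True
    safe = leak_with_sequence_nonce(key, p1, p2)
    print("unique nonces leak p1^p2:", safe == xor_bytes(p1, p2))        # False
```

The second function is the point a reviewer checks for: a deterministic nonce is acceptable only if the scheme guarantees it never repeats under the same key, which is what binding it to a monotonically increasing record counter achieves.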
↘️ In an unusual and unprecedented attack that took place in 2022, the Russia-linked APT28 (aka GruesomeLarch) threat actor broke into the network of a high-value target after first compromising a Wi-Fi-enabled device in a nearby building and using it to exploit compromised accounts on the target’s Wi-Fi network. This is an instance of an attack where a foreign adversary conducted a close access operation while being physically thousands of miles away. [WIRED / The Hacker News]
↘️ Piotr Pogonowski, the former head of Poland’s internal security agency, has been arrested and forcibly dragged to testify before parliament, as part of the current government’s probe into the alleged spyware abuse carried out in recent years under the previous administration of the Law and Justice (PiS) party. The development comes as a team of Bulgarians have been accused of carrying out surveillance on a U.S. military base in Germany on behalf of Russia. Two of them have admitted to being part of the spying conspiracy. Three other alleged accomplices have denied the allegations. [Financial Times / Reuters]
↘️ Two newly identified vulnerabilities (CVE-2024-7208 and CVE-2024-7209) could allow threat actors to abuse hosted email services to spoof the identity of the sender and bypass existing protections like DKIM and SPF, leading to scenarios like SMTP Smuggling or EchoSpoofing. “An authenticated attacker using network or SMTP authentication can spoof the identity of a shared hosting facility, circumventing any DMARC policy and sender verification provided by a domain name owner,” CERT/CC said. [CERT/CC]
↘️ New academic research dubbed MakeShift has uncovered that bikes with Shimano Di2 wireless gear-shifting technology are vulnerable to critical weaknesses that could be exploited to stage record-and-replay attacks, which can lead to unintended gear shifting (or even disable shifting) that can be completely controlled by an attacker from up to 10 meters without the need for any cryptographic keys. [University of California San Diego]
↘️ A newly discovered Android banking malware dubbed DroidBot is being used to target 77 financial services companies across Europe. Offered under a malware-as-a-service (MaaS) model for $3,000 per month, the malware has been primarily observed in France, Italy, Portugal, and Spain. Further, evidence indicates DroidBot is being continuously updated and is possibly on the precipice of spilling over into Latin America. It’s believed that the developers of the malware are native Turkish speakers. [The Hacker News]
↘️ Talking about a hacker of hackers! The Russia-linked Turla group has been observed breaching hackers operating out of Pakistan, latching onto their infrastructure and espionage campaigns to steal information from government, military, and defense targets in Afghanistan and India. The campaign is believed to have been underway since December 2022. The development is significant as it projects Turla as a hacking group that routinely infiltrates other threat actors for the sake of gaining access to their targets and creates a smokescreen to complicate attribution efforts. [The Hacker News]
↘️ Security researchers have shed light on a commercial spyware application called FlexiSPY that’s designed to monitor activity on mobile devices and computers. Developed by a U.K.-based company since at least 2006, it’s compatible with Android, iOS, Windows, and macOS. “Data captured by FlexiSPY is uploaded to the company’s servers, where it can be accessed by the user through an online control panel,” iVerify said. “The software is designed to operate stealthily, hiding itself from the device's user and anti-malware scans.” [iVerify]
↘️ The pro-Russian hacktivist group NoName057(16) has claimed over 6,600 attacks since March 2022, with 96% targeting European countries. Another emerging trend in hacktivist activity is the targeting of operational technology systems that are critical for operating essential infrastructure in the manufacturing, energy, healthcare and transportation sectors. [Orange Cyberdefense]
↘️ Well, that didn’t take long. As Bluesky experiences an influx of new users, it has also become the target of scammers who are now leveraging the social media platform to promote fake cryptocurrency schemes. The decentralized nature of Bluesky means that users have more control over their content. But it also opens up new avenues for abuse, as attackers could set up their own instances and use them to advertise dubious trading schemes. The development also comes as Spotify playlists and podcasts are being misused by bad actors to push pirated software, game cheat codes, spam links, and warez sites. This is done by injecting targeted keywords and links in playlist names and podcast descriptions, thereby pushing them to the top of search result rankings on Google and others. [BleepingComputer]
↘️ Apple’s latest mobile operating system, iOS 18, appears to have added an undocumented security feature that automatically reboots devices if they’re not used for 72 hours, creating new headaches for anyone trying to maintain access to a stolen or lawfully seized iOS device without a valid passcode. In doing so, the idea is to revert the device to a more secure state called Before First Unlock (BFU), during which it’s fully encrypted and requires a passcode to be entered before enabling certain features such as the notification center, control center, camera, Wi-Fi, Face ID, Touch ID, screenshots, and lock screen widgets. Once it has been unlocked with a passcode, its state changes to After First Unlock (AFU). The inactivity reboot feature is a crucial deterrent against theft, as “thieves won't have the financial and legal means to obtain up-to-date exploits to unlock iPhones within 3 days of getting them.”
Law enforcement, on the other hand, will have to act faster than before to extract the data they can within the timeframe. “Security-wise, this is a very powerful mitigation,” security researcher Jiska Classen said. “An attacker must have kernel code execution to prevent an inactivity reboot. This means that a forensic analyst might be able to delay the reboot for the actual data extraction, but the initial exploit must be run within the first three days.”
That said, Apple seems to be making it just as hard to extract any information from the devices. It has been found that GrayKey, a forensics tool used by law enforcement officials to break into locked iPhones, has only limited access to devices running iOS 18 and iOS 18.0.1. This partial extraction “can only draw out unencrypted files and some metadata, including file sizes and folder structures,” per 404 Media. The same applies to Google’s own Pixel lineup, with the tool only capable of extracting partial data. Earlier this year, it was also revealed that Cellebrite was unable to retrieve data from a sizable chunk of modern iPhones as of April 2024. [Jiska Classen / 404 Media]
↘️ While the recent law enforcement disruption of RedLine and Meta Stealer led to a “significant decrease in the number of logs sourced from information-stealing malware in September and October,” other stealer malware families such as Lumma are filling the void and gaining traction through Telegram channels advertising cracked software. “With Telegram’s popularity as a messaging and sharing platform, threat actors have identified it as a lucrative distribution vector, bypassing traditional detection mechanisms and reaching a broad, often unsuspecting audience,” researchers said. Stealer malware, including the likes of HawkEye (aka PredatorPain), has proven to be a lucrative business model, as it allows threat actors to collect sensitive information from infected hosts and subsequently sell it for profit to other e-crime groups, who can use the data to infiltrate the systems and stage follow-on attacks. [McAfee Labs]