QakBot goes down in global action
A coalition of law enforcement agencies dismantle the notorious botnet
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition's top stories:
↘️ A coordinated operation quietly infiltrated and toppled QakBot, a longstanding botnet and malware loader responsible for delivering ransomware and causing millions of dollars in losses, making it the latest in a string of counterattacks orchestrated by governments across the world to tackle cybercrime.
The effort saw the seizure of 52 of its servers, which law enforcement said would “permanently dismantle” the botnet. The number of infected computers totaled 700,000, with about 200,000 located in the U.S. Authorities said they had developed an uninstaller tool that excised the malware from victim computers.
To pull off the feat, the FBI used an infected device under its control to contact each Tier 1 command-and-control server and instruct it to push a removal tool to all compromised endpoints, while also taking steps to lock QakBot operators out of their own infrastructure and disrupt their access.
QakBot generally gains access to devices through phishing campaigns that utilize a variety of lures, including reply-chain email attacks, that aim to trick victims into opening a booby-trapped attachment or link that triggers an infection chain to install the malware and marshal compromised machines into a botnet. It’s both versatile and evasive, packing in numerous features to steal sensitive information.
Although it first appeared as a banking trojan in 2007, in recent years it evolved into a widely used initial access broker and malware delivery service for a gamut of online crimes, including crippling ransomware attacks, making a profit by renting (or selling) access to criminal affiliates who rely on that foothold to undertake their own attacks.
That said, any setback to the ecosystem is likely to be temporary, as seen in the case of Emotet. With threat actors having a number of other ways to penetrate systems, QakBot’s takedown is unlikely to cause a massive dent, although it could also force threat actors to pivot to other initial access tactics. In the wake of the operation, data breach notification service Have I Been Pwned added 6.4 million email accounts tied to QakBot to its database. [Europol / The Hacker News / The Register / KrebsOnSecurity / Politico / Associated Press / BankInfoSecurity / Dark Reading / Bleeping Computer / TechCrunch / The Record]
↘️ Chinese hackers tracked as UNC4841, who have been attributed to an eight-month espionage campaign linked to the exploitation of Barracuda email security appliances, intensified their focus on high-priority targets and set up additional persistence mechanisms around the time the company moved to fix the zero-day flaw (CVE-2023-2868) and remediation efforts kicked into high gear in May 2023. This includes a previously unknown implant referred to as FOXTROT that’s said to have been delivered to a sliver of targets, demonstrating the high adaptability and sophistication of the actor’s techniques. There is no sign of new compromises beyond the initial 5% of appliances that were attacked. The highly surgical operation is evidence that Chinese cyber espionage tactics are evolving to “more purposeful, stealthy, and effective operations that avoid detection and complicate attribution.” [The Hacker News / Ars Technica / CISA]
↘️ Polish police have arrested two men, aged 24 and 29, suspected of illegally hacking into the radio communication network of the Polish PKP railway. The attack was carried out by spoofing a radio command to the trains that triggers their emergency stop function. What’s more, the command could be broadcast by anyone with $30 worth of equipment. The hackers used this command to trigger an emergency stop of trains near the city of Szczecin, causing delays and cancellations. [WIRED / Niebezpiecznik]
↘️ Unnamed hackers claim they accessed spyware firm WebDetetive by exploiting unspecified security flaws and deleted device information to protect victims from surveillance. The Portuguese-language spyware has been used to compromise more than 76,000 Android phones in recent years across South America, largely in Brazil. The data contained 74,336 unique customer email addresses. [TechCrunch]
↘️ A new flaw has been disclosed in the NVMe driver of the Linux kernel (CVE-2023-0122) that could be exploited by a threat actor to achieve pre-authenticated remote denial-of-service (DoS). [CyberArk]
↘️ Two fake apps on the Google Play Store masqueraded as Signal and Telegram apps and attracted hundreds of downloads before they were taken down. Interwoven into the apps was a sophisticated espionage tool tracked as BadBazaar, which is attributed to a China-linked threat actor called GREF. The apps remain accessible on the Samsung Galaxy Store. Used as the vehicles for the surveillance campaign, the apps send a host of private information to the attackers, including Telegram chat backups and Signal conversations, the latter by clandestinely linking the victim’s device to a Signal account associated with the adversary. The activity cluster targeted users across many countries, indicating a broad scope of victimology. [The Hacker News / Dark Reading]
↘️ A newly detected Android Trojan called MMRat has been spotted using protocol buffers (protobuf) as a command-and-control mechanism to efficiently transfer large amounts of data from infected devices and commit financial fraud. A notable feature of the malware is that it allows the threat actor to wake up the device remotely when it’s not in use, unlock the screen, and perform bank fraud using victim credentials. The use of such uncommon methods signals the growing sophistication of Android malware and its ability to adeptly blend stealth with efficient data extraction. Users are advised to exercise vigilance when downloading apps, particularly from untrusted sources. On a related note, a phishing site impersonating Binance is distributing a new Android banking trojan known as Remo that abuses the accessibility service APIs to steal sensitive information from banking and cryptocurrency wallet applications in Thailand, Vietnam, and Indonesia. [The Hacker News / Cyble]
↘️ Apple has begun accepting applications for its 2024 iPhone Security Research Device Program, allowing security researchers to get specialized Apple devices that make it easier to find critical iOS vulnerabilities. Since the launch of the program in 2019, 130 high-impact, security-critical vulnerabilities have been discovered. [Apple]
↘️ Airbnb is becoming a new breeding ground for cyber criminals, who are leveraging stolen credentials and session cookies sold on underground forums to illegally gain access to accounts and “impersonate real users and book properties or perform other unauthorized actions without raising any alerts.” Central to these attacks is stealer malware, which surreptitiously infiltrates devices and harvests sensitive information such as login data. The monetization doesn’t end there. Threat actors have also been observed advertising “account checkers,” automated programs that rapidly test Airbnb accounts listed in a text file, indicative of the scale of Airbnb account theft. [SlashNext]
↘️ The U.K. National Cyber Security Centre (NCSC) is warning of adversarial attacks, including risks such as prompt injection, aimed at large language models (LLMs) as they begin to get rapidly integrated into products and services for internal and customer use. “LLM inherently cannot distinguish between an instruction and data provided to help complete the instruction,” the agency said, describing it as a loophole that could be manipulated by bad actors to cause unintended behavior. [NCSC]
↘️ Suspected Chinese hackers breached Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and potentially accessed sensitive data stored on its networks for nine months before being discovered. [Financial Times / The Record]
↘️ Hacking contests like Black Hat, DEF CON, Pwn2Own, or the Tianfu Cup are well-known among the cybersecurity community. But similar competitions are being held on Russian-language cybercrime forums Exploit.in and XSS, offering prize money of up to $80,000 for the winners. Past sponsors have included All World Cards, a well-known carding group, and LockBit, illuminating the different ways criminal groups are looking to advance their tactics and infiltrate target networks. [Sophos / WIRED]
↘️ Cyber criminals are mining the capabilities of an open source infostealer called “SapphireStealer” to spawn a legion of variants with enhanced capabilities that aim to democratize the cybercrime landscape and act as a precursor for ransomware, espionage, and other post-compromise mission objectives. The modifications make it a growing threat, enabling actors with limited expertise to launch attacks of their own. “One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time,” Cisco Talos said. [The Hacker News / Dark Reading]
↘️ The Russian threat actor known as Sandworm has been targeting Android devices in Ukraine with a new malicious framework named Infamous Chisel. The Five Eyes intelligence coalition has described the tool as a “collection of components which enable persistent access to an infected Android device over the Tor network, and which periodically collates and exfiltrates victim information from compromised devices.” The main engine of the toolkit is netd, which comes with data gathering and exfiltration capabilities. In tandem, a hacking group linked to Russia's domestic intelligence agency, the FSB, codenamed Gamaredon, has intensified its phishing attacks against military and government entities amid Ukraine’s counteroffensives to expel Russian troops. [The Hacker News]
↘️ An unpatched security flaw in the mobile app for Microsoft Skype can be used to leak users’ IP addresses (thereby revealing their general physical location) by sending them a link. Here’s the kicker: the victim does not even have to interact with the link, and it works even when connected using a VPN. It’s expected to be addressed in a future product update. [404 Media]
↘️ A well-funded but lesser-known hacking group known as Earth Estries is using previously unknown backdoors to hack government agencies and tech companies in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. [The Hacker News]
↘️ Sogou, one of the most popular Chinese keyboard apps, had a massive security loophole in its custom encryption algorithm that could be exploited to intercept and decrypt exactly what people were typing, as they were typing it. [MIT Technology Review / The Hacker News]
↘️ Criminals are using a Telegram bot that costs anywhere from $15 to $40 to access the personal data of nearly any adult in the U.S. The tool retrieves sensitive data, such as addresses, dates of birth, email addresses, phone numbers, and even Social Security numbers, by taking advantage of unfettered access to third-party data brokers who can pull the sensitive information from credit bureaus such as Experian, Equifax, and TransUnion. In some cases, it also involved stealing former law enforcement officers’ identities. Some of the other tools prevalent among these violence-as-a-service groups include Data-Trac, SearchBug, and USinfoSearch. [404 Media]
↘️ A hacktivist group named GhostSec has claimed it has breached a software system called Behnama that the Iranian authorities have allegedly been using to surveil the country’s citizens. GhostSec has since joined hands with ThreatSec, Stormous, Blackforums, and SiegedSec, as part of a new initiative called The Five Families to grow their work and operations, a trend that’s likely to become more frequent in the future. Meanwhile, another Iran-focused group called Black Reward breached an online financial services app known as 780 to push anti-Iranian government messages. [Cyberint / CyberScoop]
↘️ Late last year, Apple abandoned its controversial plan to detect known Child Sexual Abuse Material (CSAM) stored in iCloud Photos. The company has now provided more clarity on the decision, noting that it could not develop a privacy-oriented system without introducing new threat vectors that could be exploited by bad actors. “Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types,” the company said. [WIRED / Forbes]