Discover more from Zero-day
Spyware and hack-for-hire groups share spotlight
Apple and Google takes steps to protect users against "Hermit" spyware
RCS Lab, an Italy-based firm, had its enterprise-grade hacking tool — dubbed Hermit — allegedly used by unknown customers to snoop on Android and iOS users in Italy and Kazakhstan and steal swathes of information, casting fresh light on the “flourishing” spyware industry.
Google said it found evidence that in some cases the government actors in control of the spyware worked with the target’s internet service providers to disable mobile data connectivity, likely as a lure to trick the victims into clicking a link to download a fake carrier-branded app under the guise of restoring connectivity. In other instances, the cyber spies are said to have sent links pretending to be from phone makers or messaging applications to trick people into clicking.
What’s more, Google also revealed it blocked 36 domains used by hack-for-hire groups in India, Russia, and the UAE. Hack-for-hire groups are different from surveillanceware vendors in that while the latter typically offer for sale the spying tools that are then used by the clients to operate them, hack-for-hire operators conduct the attacks themselves.
In a related exhaustive investigation, Reuters disclosed how parties involved in litigation battles have in recent years hired Indian cyber mercenary firms like Appin, BellTroX, and Cyberoot to steal information from the other side that would give them an edge. Between 2013 and 2020, the actors are believed to have sent some 80,000 phishing emails to 13,000 targets across multiple countries.
What’s trending in security?
⚠️ An Android banking trojan dubbed BRATA has evolved to incorporate new techniques and capabilities to acquire sensitive information from infected devices in a manner that aligns with an advanced persistent threat (APT) pattern of activity. It’s being suspected that the malware is sold as malware-as-a-service (MaaS) to potential customers, given the steady expansion of capabilities. [The Hacker News]
❓ Microsoft, late last month, released a special report detailing the threat landscape in the ongoing war in Ukraine. But cybersecurity experts have raised questions about the lack of “technical underpinning or evidence to back up its points” with regards to an alleged nuclear power plant assault that took place in early March as well as regarding its attribution of wiper and malware attacks to different Russian intelligence agencies. [CyberScoop]
📶 A newly discovered remote access trojan (RAT) called ZuoRAT has targeted remote workers by exploiting flaws in often unpatched small office/home office (SOHO) routers as part of a highly targeted, sophisticated campaign. Believed to be the work of a state-sponsored actor, the malware is capable of hijacking DNS and HTTP traffic to pivot to other systems and deploy Cobalt Strike and fully functional cross-platform trojans. [The Hacker News]
0⃣️ A total of 18 security vulnerabilities have been exploited as unpatched zero-days in the wild so far this year. “Many of the 2022 in-the-wild zero-days are due to the previous vulnerability not being fully patched,” Google Project Zero researcher Maddie Stone said. “At least nine of the zero-days are variants of previously patched vulnerabilities.” [Google Project Zero]
💲 A China-based advanced persistent threat actor named Bronze Starlight (aka DEV-0401) has relied on a lineup of six ransomware families that have been rapidly cycled through one after the other in a possible attempt to camouflage the true espionage motives behind its campaigns.
While the group appears on the surface to be financially motivated, its real mission may have to do with intellectual property theft in support of Chinese economic objectives. What’s also notable is that it has consistently targeted only a small number of victims over short periods of time with each ransomware family, lending credence to the distraction theory. The reliance on tooling distinctly associated with with Chinese nation-state actors is another sign that there’s more to Bronze Starlight than its ransomware activity might suggest. [The Hacker News]
🔍 A threat actor tracked by Kaspersky called ToddyCat may have been the first hacking group to exploit the ProxyLogon zero-day vulnerability in Exchange Servers last year with the goal of deploying a pair of previously unseen malware tools in a cyber espionage campaign targeting military and government organizations in Europe and Asia. This includes a custom backdoor called Samurai and a post-exploitation toolkit dubbed Ninja.
In more ProxyLogon-related news, a newly discovered backdoor codenamed SessionManager has been linked to a volley of attacks compromising unpatched Microsoft Exchange servers to maintain persistent, update-resistant, and stealth access to the IT infrastructure of targeted organizations. [The Hacker News]
🧊 As many as 56 security flaws, collectively labeled OT:ICEFALL, in operational technology (OT) products from 10 vendors have been disclosed, with numerous instances of vulnerabilities tied to “insecure-by-design practices.” [The Hacker News / Dark Reading / Threatpost]
🔝 MITRE shared this year’s top 25 most frequent and critical errors that can lead to serious vulnerabilities in software that can be exploited to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. [MITRE]
🎓 Chinese hacking group APT40 has been disclosed as linked to an espionage operation to lure university students who studied English into translating stolen documents via a front company named Hainan Xiandun. In July 2021, the U.S. Justice Department indicted four Chinese nationals for their role in carrying out intellectual property theft. [Financial Times]
💥 Ukrainian government and private sector organizations have been the target of 796 cyberattacks since the onset of the war on February 24, 2022, when Russia staged a military invasion on the country. Top sectors targeted include government and local authorities, military, finance, commercial, energy, transport infrastructure, and telecommunications sectors. [SSSCIP]
*⃣️ A new phishing campaign has been targeting U.S. organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical sectors to steal Microsoft Office 365 and Outlook credentials. The attacks leverage fake voicemail-themed notifications to lure victims into opening a malicious HTML attachment that, upon opening, redirects users to credential-phishing pages. [Zscaler]
☢️ The advanced persistent threat group Fancy Bear is behind a phishing campaign that exploits the specter of nuclear war to exploit a recently disclosed one-click Microsoft flaw called Follina to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers. [The Hacker News]
🌐 Microsoft may have officially retired Internet Explorer, the browser it debuted in 1995, but it’s expected to thrive to provide backward compatibility. It’s also expected to support IE’s underling browser engine, called MSHTML, which last year came under the spotlight for a critical security flaw that was exploited by threat actors. [WIRED / The Hacker News]
🛒 Magecart attacks targeting e-commerce websites are showing signs of decline, in what could be case of threat actors pivoting to other profitable targets such as cryptocurrency wallet thefts. But worryingly, the disappearance of Magecart from the radar could also be because the attacks have moved server-side and become harder to detect. [The Hacker News]
🚨 Nation-state actors are continue to swarm on unpatched VMware Servers without Log4Shell mitigations to deploy malware that provided them with monitoring capabilities, reverse shell access, payload delivery, and data exfiltration capabilities. [The Hacker News]
❌ A threat actor dubbed Evilnum has resurfaced with updated tactics, techniques, and procedures, swapping out Windows Shortcut files (LNK) sent inside malicious archive files (ZIP) as email attachments in spear-phishing emails with rogue Word documents that leverage template injection to deliver the backdoor payloads. Predominant targets are fin-tech entities located in the U.K. and Europe. [Zscaler]
🐝 The Bumblebee loader, which was first spotted this March, has been linked to a number of ransomware families, including Conti, Mountlocker and Quantum, lending credence to hypothesis that Bumblebee is being introduced as a replacement loader for TrickBot and BazarLoader. “Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem,” the researchers said. [Symantec]
💨 The Conti ransomware operation finally shut down its last public-facing infrastructure, consisting of two Tor servers used to leak data and negotiate with victims, closing the final chapter of the notorious cybercrime brand. The group commenced operations in 2020 after taking the place of the Ryuk ransomware. As of last month, the group is winding down in preparation for a possible rebrand.
According to a new report from Group-IB, the syndicate amassed more than 850 victims, compromising over 40 organizations worldwide as part of a “lightning-fast” hacking spree that lasted from November 17 to December 20, 2021. That said, continues to run a lucrative business that has shown little signs of collapsing, the larger group splintering into smaller factions and acquiring cybercriminal operations such as TrickBot. [The Hacker News]
☁️ New Zealand-based cloud storage service MEGA’s decade-long promises of privacy and user-controlled encryption keys were negated by new research from cryptography experts at ETH Zurich, who disclosed five different attacks that can completely compromise the confidentiality of users’ files by leaking the private keys used to encrypt the files and even insert controversial, illegal, or compromising material into their file storage. MEGA has rolled out fixes to address a majority of them following responsible disclosure on March 24, 2022. [The Hacker News / Ars Technica / MEGA AWRY]
💬 A social-engineering campaign bent on stealing Facebook account credentials and victim phone numbers is targeting business pages via a savvy campaign that incorporates Facebook’s Messenger chatbots to impersonate the social media company’s support team. The attacks start with emails, as they often do, informing recipients that their Facebook pages have violated Community Standards and that they will be terminated in 48 hours unless they opt to appeal the decision by clicking on a link that takes the users to the rogue conversation with a chatbot. [Trustwave]
⚡ Political turmoil over controversial remarks made on Prophet Mohammed by the Bharatiya Janata Party (BJP) spokesperson in India reached cyberspace, with a Malaysia-linked hacktivist group named DragonForce defacing and launching denial-of-service attacks against numerous government, tech, financial services, manufacturing, and education sectors as part of a retaliatory campaign named OpsPatuk. Over 102 websites are said to be compromised. As if that weren’t enough, the collective has also hinted at plans to evolve into a ransomware group. [Radware / CloudSEK]
🗓️ India’s Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect on June 28. Organizations in the country are now expected to adhere to the new norms by September 25, 2022. The laws, which also require VPN operators to log users’ activities and maintain their personal information, prompting companies like ExpressVPN, Surfshark VPN, and Pure VPN to move their servers offshore. [CERT-In]
😑 The U.S. Federal Bureau of Investigation (FBI) warned of an increase in the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions. [FBI]
🦝 The operators of the Raccoon Stealer malware have returned with a completely revamped version after a short hiatus following the death of one its core team members during Russia’s invasion of Ukraine earlier this year. [Bleeping Computer]
📄 Despite steps taken by Microsoft to disable macros in Office, threat actors are continuing to rely on malicious macro-laden Office documents to deploy Emotet aimed at users who are using outdated versions of Office. “The fact that attackers are still using Excel 4.0 Macros indicates that outdated Office versions and users who have this protection disabled are still common,” the researchers said. [Netskope]
🚩 Several security vulnerabilities have been discovered in USB flash drives with AES hardware encryption that could be exploited by an actor with physical access to the hardware to successfully brute-force the device passcode and gain unauthorized access to the stored encrypted data, extract information even from encrypted data due to the use of an insecure encryption AES mode, unlock the passcode via an undocumented IOCTL command, and execute malicious firmware code. [SySS Part 1 / Part 2]
🗄️ The last two weeks in data breaches, leaks, and ransomware: AMD, Eye Care Leaders, Fast Shop, Flagstar Bank, Indiana University Health, Macmillan, Medical University of Innsbruck, Nichirin, OpenSea, Yodel, and Lithuanian and Norwegian government websites.