The "how" part of Storm-0558 mystery may have been solved
A crash dump holds clues to a recent China-linked hacking campaign
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition's top stories -
↘️ Microsoft said the corporate account of one of its engineers was hacked by a Chinese threat actor called Storm-0558 that made it possible to acquire an inactive signing key used to hack dozens of Azure and Exchange accounts belonging to high-profile users. The key is said to have been captured in a system crash in April 2021, a crash dump of which was subsequently moved to a debugging environment that the engineer had access to. Ultimately, the theft of the key from the crash dump through the breached account allowed the hackers to access the email accounts of several U.S. government agencies. That said, Microsoft is not completely sure that this is how the key was stolen but believes the crash dump file is the probable method given that it no longer has access to security logs that would have contained definitive evidence that the key was exfiltrated via the crash dump. Nevertheless, the latest development highlights the series of security missteps on Microsoft’s part that enabled the threat actor to forge authentication tokens and access user email from about 25 enterprise customers. [The Hacker News / Ars Technica / The Register / WIRED / TechCrunch]
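The story above turns on a signing key surviving inside a crash dump that was later copied out of the production boundary. A control a practitioner would want at that hand-off is a scan of the dump for key material before it moves. The following is an added example written for this roundup, not Microsoft's tooling and not code from any of the linked articles; it looks only for the two forms it knows (PEM private-key blocks and JSON Web Keys carrying a private `d`/`k` parameter), and the sample dump it scans is constructed inline.

```python
import re
from typing import Dict, List

# PEM private keys: "BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY", "BEGIN EC PRIVATE KEY", ...
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----.*?-----END \1-----", re.DOTALL)

# JSON Web Keys whose private parameter ("d" for RSA/EC, "k" for symmetric) is present.
JWK_PRIVATE_RE = re.compile(
    rb'"kty"\s*:\s*"(RSA|EC|oct)"[^{}]*?"(d|k)"\s*:\s*"[A-Za-z0-9_-]{16,}"')

# Constructed sample "crash dump": binary noise with one PEM block and one private JWK embedded.
SAMPLE_DUMP = (
    b"\x00\x01junk" * 4
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructedNOTaRealKey==\n-----END RSA PRIVATE KEY-----\n"
    + b"\x7fELF more unrelated bytes "
    + b'{"kty":"RSA","kid":"constructed-kid","n":"abc","d":"' + b"A" * 32 + b'"}'
    + b"\xff\xfe trailing"
)


def scan_bytes(blob: bytes) -> List[Dict]:
    """Return a list of findings (kind, label, byte offset) for key material found in blob."""
    findings = []
    for m in PEM_KEY_RE.finditer(blob):
        findings.append({"kind": "pem_private_key",
                         "label": m.group(1).decode("ascii"), "offset": m.start()})
    for m in JWK_PRIVATE_RE.finditer(blob):
        findings.append({"kind": "jwk_private",
                         "label": m.group(1).decode("ascii"), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def scan_file(path: str) -> List[Dict]:
    """Scan a dump file on disk; whole-file read keeps the regexes simple for dumps that fit in memory."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def redact(blob: bytes) -> bytes:
    """Produce a copy safe to move to a debugging environment: key material replaced by markers."""
    blob = PEM_KEY_RE.sub(b"[REDACTED PEM PRIVATE KEY]", blob)
    blob = JWK_PRIVATE_RE.sub(b"[REDACTED JWK PRIVATE PARAMETER]", blob)
    return blob


if __name__ == "__main__":
    for finding in scan_bytes(SAMPLE_DUMP):
        print(f"{finding['kind']:>16} {finding['label']:<18} at offset {finding['offset']}")
    print("after redaction:", scan_bytes(redact(SAMPLE_DUMP)))
```

A real gate would add the formats the organisation actually uses (PKCS#12 blobs, cloud SDK credential files) and would fail the transfer on any finding rather than silently redacting; redaction is shown here so the sanitised copy can be re-scanned to confirm nothing was missed.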
↘️ Meta said it purged thousands of Facebook accounts that were part of sprawling online influence operations designed to favor China and Russia and undermine the West. The network originating from China, known as Spamouflage and described as the “largest known cross-platform covert influence operation in the world,” was persistent and prolific but ultimately ineffective. It targeted Taiwan, the U.S., Australia, the U.K., Japan, and global Chinese-speaking audiences. The operation was the seventh from China that Meta has removed in the last six years. There are also indications that such influence campaigns might be learning from one another, with Meta uncovering similarities between Spamouflage and an actor linked to Russia known as Secondary Infektion. [The Hacker News / The New York Times / NPR / The Record / CyberScoop]
↘️ North Korean nation-state actors are said to be behind the insidious trend of penetrating open-source repositories with malicious packages and distributing malware, underscoring a new level of persistence and adaptability. [The Hacker News]
↘️ Fifteen of the 20 most-exploited software vulnerabilities are located in Microsoft software, making it an attack magnet for cyber crooks. This includes a six-year-old flaw, CVE-2017-11882, a memory corruption vulnerability in Microsoft Office’s Equation Editor that has been repeatedly exploited by threat actors to gain control of an affected system. [Qualys]
↘️ New research analyzing the security of text input fields in web browsers has found that extensions can steal plaintext passwords stored by websites within the HTML source code by abusing their permissions to access the DOM tree. “Once an extension is loaded on a webpage, it has unrestricted access to all elements on the page, including sensitive input fields,” the study said. “Such an extension, essentially a JavaScript program loaded into the DOM tree of the page, can access and potentially manipulate any data in the input fields on the page.” The findings come as an assessment of some 300,000 browser extensions found 50.53% had overly permissive access and could execute potentially malicious behaviors. What’s more, 42,938 extensions have unknown authors. “This statistic is especially concerning as it underscores the significant risk to companies using apps from unknown or untrusted developers, given that anyone with malicious intent can publish an extension in the marketplace,” the analysis said. [arXiv / Spin.AI]
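The risk described above is a function of what an extension is allowed to touch: content scripts matched against every site, host permissions covering all URLs, and sensitive APIs such as cookies. A defender reviewing extensions before allowing them in a fleet can mechanise the first pass over the manifest. The code below is an added example for this roundup, not the arXiv study's or Spin.AI's tooling; the list of permissions it treats as sensitive is a judgment call labelled as such, the two manifests it audits are constructed, and the manifest `author` key is only a weak signal (the store listing, not the manifest, says who published an extension).

```python
import json
import re
from typing import Any, Dict, List

# Host patterns that match any site on a scheme: "<all_urls>", "*://*/*", "https://*/*", ...
BROAD_HOST_RE = re.compile(r"^(?:\*|https?|file|ftp)://\*/")

# Assumption (reviewer's judgment call): API permissions that warrant a human look.
SENSITIVE_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "history", "tabs", "scripting",
    "debugger", "management", "nativeMessaging", "clipboardRead", "proxy",
}

# Constructed manifests for the demonstration.
PERMISSIVE_MANIFEST: Dict[str, Any] = {
    "manifest_version": 3, "name": "Constructed Coupon Helper", "version": "1.0",
    "permissions": ["scripting", "storage", "cookies"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}
TIGHT_MANIFEST: Dict[str, Any] = {
    "manifest_version": 3, "name": "Constructed Single-Site Widget", "version": "1.0",
    "author": {"email": "dev@example.invalid"},
    "permissions": ["storage"],
    "host_permissions": ["https://*.example.invalid/*"],
    "content_scripts": [{"matches": ["https://app.example.invalid/*"], "js": ["widget.js"]}],
}


def is_broad_host(pattern: str) -> bool:
    """True when a match pattern grants access to every host on its scheme(s)."""
    return pattern == "<all_urls>" or bool(BROAD_HOST_RE.match(pattern))


def host_patterns(manifest: Dict[str, Any]) -> List[str]:
    """Collect host grants; Manifest V2 mixed host patterns into 'permissions', V3 uses 'host_permissions'."""
    patterns = list(manifest.get("host_permissions", []))
    if manifest.get("manifest_version", 2) < 3:
        patterns += [p for p in manifest.get("permissions", []) if p == "<all_urls>" or "://" in p]
    return patterns


def audit_manifest(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise the access an extension asks for and flag it as overly permissive or not."""
    broad_hosts = sorted({p for p in host_patterns(manifest) if is_broad_host(p)})
    script_matches = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    scripts_everywhere = sorted({m for m in script_matches if is_broad_host(m)})
    sensitive = sorted(set(manifest.get("permissions", [])) & SENSITIVE_PERMISSIONS)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "broad_host_access": broad_hosts,
        "content_scripts_on_all_sites": scripts_everywhere,
        "sensitive_permissions": sensitive,
        "author_known": bool(manifest.get("author")),
        # Page-wide DOM access on every site is exactly what lets a script read password fields.
        "overly_permissive": bool(broad_hosts) or bool(scripts_everywhere),
    }


def audit_file(path: str) -> Dict[str, Any]:
    with open(path, "r", encoding="utf-8") as f:
        return audit_manifest(json.load(f))


if __name__ == "__main__":
    for m in (PERMISSIVE_MANIFEST, TIGHT_MANIFEST):
        print(json.dumps(audit_manifest(m), indent=2))
```

Run `audit_file` over the `manifest.json` of each unpacked extension in an allowlist review; anything flagged `overly_permissive` or asking for `cookies`/`webRequest` goes to a human, and an unknown publisher on the store listing is treated the same way regardless of what the manifest says.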
↘️ A sprawling cybercrime empire dubbed W3LL developed and sold phishing software that attackers have deployed in attempts to target an estimated 56,000 Microsoft 365 accounts over the last 10 months and successfully compromise at least 8,000 of them. Besides continuously adding new functionalities and improving anti-detection mechanisms, the threat actor supports a complex phishing ecosystem with a fully compatible custom toolset that streamlines the process of orchestrating business email compromise attacks, thus lowering the bar to entry. “W3LL Store is a hidden underground marketplace offering managed phishing solutions for cybercriminals of any level of skill who want to conduct BEC phishing campaigns,” Group-IB said. “Cybercriminals can start and manage their phishing campaigns and stock up in W3LL Store alone, which makes it a phishing ecosystem for cybercriminals of all levels.” [The Hacker News / Bleeping Computer]
↘️ As many as 4,500 of the most visited websites in the world have publicly exposed their git directory, potentially revealing sensitive keys and source code. [Truffle Security]
↘️ Hackers can leverage Flipper Zero, a popular tool for hardware exploration, firmware flashing, debugging, and fuzzing, to spam Apple devices with incessant pop-ups prompting users to connect to a nearby AirTag, Apple TV, or AirPods, effectively leading to a denial-of-service. The technique, called a Bluetooth advertising assault, entails using Flipper Zero to broadcast spoofed Bluetooth advertisements that announce their presence to other devices and make it appear as if they are legitimate connection requests. [TechCrunch]
↘️ Implementation vulnerabilities in mTLS (i.e., mutual TLS) could render systems vulnerable to user impersonation, privilege escalation, and information leakage. [GitHub]
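The three outcomes named above typically come from the same implementation slips: a server that makes the client certificate optional and then treats its absence as anonymous-but-allowed, identity read from an unverified field, and authorization done by loose matching on that identity. The following is an added example using Python's standard `ssl` module, not code from the GitHub write-up; the choice of a SAN URI or DNS name as the identity, with the subject CN as a fallback, and the exact-match allowlist are assumptions about how a deployment issues client certificates.

```python
import ssl
from typing import Iterable, Optional


class Unauthenticated(Exception):
    """Raised when no verified client certificate identity is available."""


def build_server_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context that insists on a client certificate chained to our own client CA.
    The weak configuration this replaces is verify_mode = ssl.CERT_OPTIONAL, under which a client
    presenting no certificate completes the handshake and getpeercert() returns None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        # Trust only the private CA that issues client certificates, never the system store:
        # any public CA in the trust store would let anyone with a public cert "authenticate".
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED


def client_identity(peercert) -> str:
    """Derive the caller identity from ssl_socket.getpeercert() output.
    None means no certificate was presented; {} means the certificate was not validated by the
    context. Both are rejected: identity must come from the verified leaf, not from a request
    header such as a proxy-forwarded certificate that any client could set."""
    if not peercert:
        raise Unauthenticated("no verified client certificate")
    # Assumption: client identities are issued as SAN URI (e.g. spiffe://...) or DNS entries.
    for kind, value in peercert.get("subjectAltName", ()):
        if kind in ("URI", "DNS"):
            return value
    # Fallback for CAs that still put the identity in the subject CN.
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    raise Unauthenticated("verified certificate carries no usable identity")


def is_authorized(identity: str, allowed: Iterable[str]) -> bool:
    """Exact-match allowlist; prefix or substring checks are how 'admin' grows into 'admin-evil'."""
    return identity in set(allowed)


if __name__ == "__main__":
    ctx = build_server_context()
    print("client cert required:", requires_client_cert(ctx))
    # Constructed getpeercert()-shaped dicts standing in for a real handshake.
    sample = {"subject": ((("commonName", "alice"),),),
              "subjectAltName": (("DNS", "alice.clients.example"),)}
    who = client_identity(sample)
    print(who, "authorized:", is_authorized(who, ["alice.clients.example"]))
```

In a real server the dict passed to `client_identity` comes from `conn.getpeercert()` after `ctx.wrap_socket(sock, server_side=True)`; the point of keeping identity extraction and authorization as separate pure functions is that both can be unit-tested against the exact certificate shapes the CA produces, including the ones it must reject.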
↘️ Human rights organizations and tech companies have raised concerns about a United Nations cybercrime treaty, warning that the rules could expand the surveillance power of governments and give authoritarian regimes more tools for repression. [Human Rights Watch / Microsoft / The Record]
↘️ Evidence has emerged that threat actors may be breaking into the LastPass vaults compromised in a data breach last year. An investigation from security journalist Brian Krebs showed that many security-conscious individuals who had a total of $35 million worth of cryptocurrency stolen from them had used LastPass to store their private key. “The common thread among nearly every victim was that they’d previously used LastPass to store their ‘seed phrase,’” Krebs reported. The incident is the subject of an ongoing investigation by law enforcement. [KrebsOnSecurity]
↘️ Vladislav Klyushin, 42, of Moscow has been sentenced to nine years in prison in the U.S. for an elaborate corporate hacking scheme that defrauded American businesses to the tune of approximately $93 million. He has also been ordered to forfeit $34,065,419 and pay restitution. Klyushin was found guilty in February 2023 and was previously extradited to the U.S. in 2021. “Klyushin hacked into American computer networks to obtain confidential corporate information that he used to make money illegally in the American stock market,” the DoJ said. [Department of Justice]
↘️ The hacker group Anonymous Sudan (aka Storm-1359) has launched an unsuccessful distributed denial-of-service (DDoS) attack against Telegram in retaliation for the messaging platform’s decision to suspend their primary account. [SocRadar]
↘️ Move over pig butchering scams. A large-scale investment scam has employed almost 900 scam pages, claiming to offer potential victims significant financial gains by investing in reputable companies. The most targeted region is the Middle East and Africa (MEA), as 60% of the scam pages created in this campaign to date impersonated companies from the region. The scammers’ core aim is financial gain, achieved by convincing the victim to click on bogus social media ads and voluntarily make a payment to enroll in the fake investment scheme. The development comes amid a spike in airline scams and giveaways that aim to convince users into giving their banking information under the pretext of making a flight reservation. “Along with stealing banking data, fraudsters try to take control of a victim’s PC by persuading them to install remote access Trojans (RAT),” Group-IB said. “Once they capture control, fraudsters can steal data stored on the PC.” [Group-IB]
↘️ Attackers are targeting Facebook Business accounts with malicious messages, sent via Facebook Messenger from a botnet of fake and hijacked personal Facebook accounts. The goal is to spread a Python-based stealer malware that can intercept browsing sessions and account cookies. As many as 100,000 Facebook Business accounts are being targeted per week. Such campaigns are designed to support a thriving business on Telegram markets where access to these hijacked accounts is offered for sale to cyber criminals to use for further nefarious activity. [The Hacker News]
↘️ U.S. cybersecurity and intelligence agencies are warning about the threats posed by synthetic media, such as deepfakes, that could be used to “influence the public and spread false information about political, social, military, or economic issues to cause confusion, unrest, and uncertainty.” The advances in computational power and easy access to such tools online have not only made it easier to create fake multimedia, but also less expensive to mass produce, they said, enabling threat actors to leverage them to orchestrate convincing phishing campaigns for financial gain and obtain access to proprietary information. [CISA]
↘️ A perfect maelstrom of geopolitical developments and technological advances is fueling financial and economic crimes, according to a new report from Europol. “Encrypted messaging apps, dark web marketplaces, cryptocurrencies, and other privacy-enhancing technologies protect [criminals’] identity, making law enforcement detection increasingly challenging,” the agency said. “Besides, illicit digital products and technical services can also be hired or purchased by criminals in a crime-as-a-service business model, allowing criminals who are not particularly tech-savvy to perform illicit activities that entail knowledge of technology. Machine learning, artificial intelligence (AI) and deepfake technology can be used for virtually all types of financial and economic crime. Chatbots based on AI, such as ChatGPT, could be easily used in online fraud schemes.” [Europol]
↘️ Two e-crime groups known as ALPHV and Scattered Spider have claimed responsibility for a cyber attack on hospitality giant MGM Resorts. It’s likely that the latter functioned as an affiliate and an initial access broker to facilitate the ransomware attack. But the threat actor denied any involvement with the attack on casino company Caesars Entertainment, which is said to have paid $15 million in ransom. Okta said that Scattered Spider broke into other companies as well, echoing an alert issued by the company at the start of the month. Not much is known about the group other than that it’s largely made up of 17-to-22-year-olds. That said, the name Scattered Spider may be a misnomer owing to the fact that multiple disparate and sometimes rival groups are said to be leveraging similar tactics, an emerging ecosystem that’s referred to as the Com. [The Hacker News / vx-underground / TechCrunch / Bleeping Computer / Reuters / The Wall Street Journal / Reuters / CyberScoop]
↘️ The iPhone belonging to Russian journalist Galina Timchenko was infected with Pegasus spyware using a zero-click exploit called PWNYOURHOME, which combines the HomeKit functionality in iOS and iMessage to breach device protections and deploy the surveillance tool without requiring any user interaction. The exploits are among a growing number targeting iPhone users, with Apple recently rushing to patch two other zero-days that have been exploited in a similar fashion to deliver Pegasus. The flurry of exploits and vulnerabilities discovered in iOS suggests that adversaries have multiple ways to get the spyware on targeted devices. [The Hacker News]
↘️ Russian hacker Dariy Pankov, 28, has pleaded guilty to computer fraud and now faces a maximum penalty of five years in federal prison for developing a malicious software program named “NLBrute” and for making over $350,000 in illicit proceeds. “Pankov used NLBrute to obtain the login credentials of tens of thousands of computers located all over the world,” the U.S. government said. “He marketed and sold, and had others sell on his behalf, NLBrute to other cybercriminals for a fee. Pankov sold the stolen login credentials on a dark web website that specialized in the purchase and sale of access to compromised computers. Once sold, those credentials were used to facilitate a wide range of illegal activity, including ransomware attacks and tax fraud.” Pankov was extradited to the U.S. from Georgia in October 2022. [Department of Justice]
↘️ China has blamed the U.S. National Security Agency (NSA) for orchestrating an April 2022 cyberattack on the Northwestern Polytechnical University, which runs aeronautics, astronautics, and marine technology engineering programs. China’s National Computer Virus Emergency Response Center claimed that the malware used in the attack was developed by the NSA and that it has identified the real identities of the hackers. [China Daily]
↘️ Threat actors can jailbreak AI systems by issuing specific commands, “evading the inherent safety measures and ethical guidelines” that chatbots such as OpenAI ChatGPT follow, which could lead to “the creation of uncensored content without much consideration for the potential consequences.” This falls under the category of an adversarial attack called prompt engineering that involves cleverly asking chatbots questions aimed at manipulating them, making them break their programmed rules against, say, creating malware, without the models knowing it. One prominent method in this space is “Anarchy,” which uses a commanding tone to trigger an unrestricted mode in AI chatbots, specifically targeting ChatGPT. [SlashNext]
↘️ Industrial control system (ICS) computers in Australia and New Zealand, the U.S. and Canada, Western Europe, and Northern Europe have been increasingly attacked in the first half of 2023. [Kaspersky]
↘️ Telecommunications providers across the Middle East are being targeted with a new malware family that researchers are calling “HTTPSnoop.” The campaign, codenamed ShroudedSnooper, does not correlate with any previously identified groups, implying it’s either a new group or new activity with divergent tactics from an existing actor. HTTPSnoop is a backdoor that enables actors to listen for incoming requests to specific URLs and execute their content on the infected machine, offering the adversary a “huge degree of sophistication and stealth in their operations.” Telecommunication companies have a huge amount of visibility into national and global internet traffic and are of high value, especially for state-sponsored groups, so it’s not surprising to see a growing number of attacks targeting the sector. [The Hacker News]