Thursday, August 31st, 2023
Cybersecurity Week in Review (01/09/2023)
Classiscam Fraud-as-a-Service Expands, now Targets Banks and 251 Brands
The “Classiscam” scam-as-a-service operation has broadened its reach worldwide, targeting many more brands, countries, and industries, causing more significant financial damage than before.
Like a ransomware-as-a-service operation, this Telegram-based operation recruits affiliates who use the service’s phishing kits to create fake ads and pages to steal money, credit card information, and, more recently, banking credentials. The developers then split any proceeds with the affiliate, with the devs receiving 20-30% of the revenue and the affiliate receiving the rest.
The criminal platform was first discovered in 2019, with researchers reporting it grew quickly, used by 40 cybercrime gangs that made $6.5 million throughout 2020. In 2021, Classiscam’s operational scale grew to include 90 Telegram channels selling the scam kits, 38,000 registered members, and an estimated total damage of $29 million. Classiscam has made $64.5 million in combined earnings from scamming users of classifieds sites and stealing their money and payment card details.
The number of targeted brands has also grown from 169 last year to 251 this year, and 393 criminal gangs now target users in 79 countries, coordinating through one of the operation’s 1,366 Telegram channels. Europe receives the most attention, with Germany recording the most victims, followed by Poland, Spain, Italy, and Romania.
Internet users from the UK lost the highest average amount per Classiscam transaction, at $865, while the global average stands at $353.
Classiscam has become much more automated, using Telegram bots to create phishing and scam ad pages in just a few seconds. Moreover, the hierarchy of the gangs participating in the operation has become more intricate, and the phishing sites have been greatly enhanced.
Now, the Classiscam phishing sites also perform balance checks to assess the maximum charges they can incur on a victim and feature fake bank login pages to steal people’s e-banking account credentials.
Analysts have seen 35 scam groups using phishing sites that mimic the login pages of 63 banks in 14 countries, including financial institutions in Belgium, Canada, Czech Republic, France, Germany, Poland, Singapore, and Spain.
Credentials of NASA, Tesla, DoJ, Verizon, and 2K Others Leaked by Workplace Safety Organization
The National Safety Council has leaked nearly 10,000 emails and passwords of its members, exposing 2000 companies, including governmental organizations and big corporations.
The National Safety Council (NSC) is a non-profit organization in the United States providing workplace and driving safety training. On its digital platform, NSC provides online resources for its nearly 55,000 members spread across different businesses, agencies, and educational institutions.
However, the organization’s website was left vulnerable to cyberattacks for five months. Among a long list of leaked credentials were employees of around 2000 companies and governmental entities, including:
- Fossil fuel giants: Shell, BP, Exxon, Chevron
- Electronics manufacturers: Siemens, Intel, HP, Dell, IBM, AMD
- Aerospace companies: Boeing, Federal Aviation Administration (FAA)
- Pharmaceutical companies: Pfizer, Eli Lilly
- Car manufacturers: Ford, Toyota, Volkswagen, General Motors, Rolls Royce, Tesla
- Governmental entities: Department of Justice (DoJ), US Navy, FBI, Pentagon, NASA, The Occupational Safety and Health Administration (OSHA)
- Internet service providers: Verizon, Cingular, Vodafone, ATT, Sprint, Comcast
- Others: Amazon, Home Depot, Honeywell, Coca Cola, UPS
These companies likely held accounts on the platform to access training materials or participate in events organized by the NSC.
The vulnerability posed a risk not only to NSC systems but also to the companies using NSC services. Leaked credentials could have been used for credential stuffing attacks, which try to log into companies’ internet-connected tools such as VPN portals, HR management platforms, or corporate emails. Also, the credentials could have been used to gain initial access into corporate networks to deploy ransomware, steal or sabotage internal documents, or gain access to user data.
The vulnerability, discovered on March 7th, exposed the website’s directory listings to the public, enabling an attacker to access the majority of files crucial to the operation of the web server. Among the accessible files, researchers also discovered a backup of a database storing user emails and hashed passwords. The data was publicly accessible for 5 months, as the leak was first indexed by IoT search engines on January 31st, 2023.
In total, the backup stored around 9500 unique accounts and their credentials, with nearly 2000 different corporate email domains belonging to companies spreading across various industries.
Exposed passwords were hashed using the SHA-512 algorithm, which is considered secure for password hashing. Salts were also used as an additional layer of protection. However, the salts were stored together with the password hashes and were only base64-encoded, so retrieving the plaintext salt was trivial for a potential attacker, which in turn eases the password cracking process.
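The storage pattern described above, as an added example (not code from the cybernews report or from the NSC): a record holding a base64 salt next to a salted SHA-512 hash, where the salt is recovered with a single decode, beside the same record stored with PBKDF2-HMAC-SHA512 so that each verification, and therefore each guess, costs many hash rounds instead of one. The record layout, the salt||password ordering and the iteration count are assumptions; the NSC database format was not published.

```python
"""Added example; not code from the cybernews report or from the NSC.
Assumed record layouts (the real one was not published):
  legacy : 'sha512$<base64 salt>$<hex SHA-512(salt || password)>'
  strong : 'pbkdf2_sha512$<iterations>$<base64 salt>$<hex digest>'
"""
import base64
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # assumption: a current work factor for PBKDF2-HMAC-SHA512


def make_legacy_record(password: str, salt: bytes) -> str:
    """Salted SHA-512 with the salt stored base64 next to the hash (the pattern in the report)."""
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return f"sha512${base64.b64encode(salt).decode()}${digest}"


def make_pbkdf2_record(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Same salt and same storage layout, but a deliberately slow key-derivation function."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${base64.b64encode(salt).decode()}${digest.hex()}"


def recovered_salt(record: str) -> bytes:
    """base64 is an encoding, not encryption: whoever holds the record holds the salt."""
    fields = record.split("$")
    return base64.b64decode(fields[-2])


def verify(record: str, password: str) -> bool:
    """Check a password against either record type using a constant-time comparison."""
    fields = record.split("$")
    salt = base64.b64decode(fields[-2])
    stored = bytes.fromhex(fields[-1])
    if fields[0] == "sha512":
        candidate = hashlib.sha512(salt + password.encode()).digest()
    elif fields[0] == "pbkdf2_sha512":
        candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, int(fields[1]))
    else:
        raise ValueError(f"unknown hash scheme: {fields[0]}")
    return hmac.compare_digest(candidate, stored)


def verification_cost(record: str, password: str, rounds: int = 20) -> float:
    """Seconds per verification. The ratio between the two record types is the factor
    by which the slow KDF multiplies the cost of every guess against a leaked record."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify(record, password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    salt = os.urandom(16)
    legacy = make_legacy_record("example-passphrase", salt)     # constructed sample
    strong = make_pbkdf2_record("example-passphrase", salt)
    print("legacy record  :", legacy)
    print("salt recovered :", recovered_salt(legacy) == salt)
    print("legacy verify  : %.2e s" % verification_cost(legacy, "example-passphrase"))
    print("pbkdf2 verify  : %.2e s" % verification_cost(strong, "example-passphrase", rounds=3))
```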
Source – https://cybernews.com/security/national-safety-council-data-leak/
Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks
Microsoft is warning of an increase in adversary-in-the-middle (AiTM) phishing techniques, which are being propagated as part of the phishing-as-a-service (PhaaS) cybercrime model.
In addition to an uptick in AiTM-capable PhaaS platforms, the tech giant noted that existing phishing services like PerSwaysion are incorporating AiTM capabilities.
“This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).
Phishing kits with AiTM capabilities work in two ways, one of which concerns the use of reverse proxy servers (i.e., the phishing page) to relay traffic to and from the client and legitimate website and stealthily capture user credentials, two-factor authentication codes, and session cookies.
A second method involves synchronous relay servers.
“In AiTM through synchronous relay servers the target is presented with a copy or mimic of a sign-in page, like traditional phishing attacks,” Microsoft said. “Storm-1295, the actor group behind the Greatness PhaaS platform, offers synchronous relay services to other attackers.”
Greatness was first documented in May 2023 as a service that lets cybercriminals target business users of the Microsoft 365 cloud service using convincing decoy and login pages. It’s said to have been active since at least mid-2022.
The ultimate goal of such attacks is to siphon session cookies, enabling threat actors to access privileged systems without reauthentication.
“Circumventing MFA is the objective that motivated attackers to develop AiTM session cookie theft techniques,” the tech giant noted. “Unlike traditional phishing attacks, incident response procedures for AiTM require revocation of stolen session cookies.”
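A detection and response helper for the outcome Microsoft describes, as an added example (not code from Microsoft or the article): after MFA is satisfied through the proxy, the stolen session cookie is later presented from a client address that never took part in the sign-in, so the tell is the session moving, not an MFA failure. The JSON log format, field names and addresses are constructed for this example, and address changes also occur legitimately (mobile roaming, NAT), so the output is a triage list rather than a verdict.

```python
"""Added example; not code from Microsoft or the article.
Constructed sign-in/request log in JSON lines; field names are assumptions."""
import json
from collections import defaultdict

# Constructed sample: alice's MFA-backed sign-in, then her session used from a second address.
SAMPLE_LOG = """
{"ts":"2023-08-28T08:59:02Z","event":"signin","user":"alice","session":"S-1","ip":"203.0.113.10","mfa":true}
{"ts":"2023-08-28T09:01:10Z","event":"request","user":"alice","session":"S-1","ip":"203.0.113.10","path":"/mail"}
{"ts":"2023-08-28T09:14:33Z","event":"request","user":"alice","session":"S-1","ip":"198.51.100.77","path":"/mail/rules"}
{"ts":"2023-08-28T09:20:00Z","event":"signin","user":"bob","session":"S-2","ip":"192.0.2.5","mfa":true}
{"ts":"2023-08-28T09:21:00Z","event":"request","user":"bob","session":"S-2","ip":"192.0.2.5","path":"/files"}
"""


def parse_events(text: str) -> list:
    """One JSON object per non-empty line, assumed to be in time order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_moved_sessions(events: list) -> dict:
    """Sessions presented from an address other than the one that completed sign-in.

    In the reverse-proxy AiTM case the sign-in address is the proxy itself and the
    MFA flag is true, so MFA-failure alerting never fires; what stands out is the
    cookie later arriving from a different client than the one it was issued to."""
    issued = {}                      # session -> (user, ip at sign-in)
    foreign = defaultdict(set)       # session -> addresses that presented it afterwards
    for e in events:
        sid = e["session"]
        if e["event"] == "signin":
            issued[sid] = (e["user"], e["ip"])
        elif e["event"] == "request" and sid in issued and e["ip"] != issued[sid][1]:
            foreign[sid].add(e["ip"])
    return {
        sid: {"user": issued[sid][0], "issued_ip": issued[sid][1], "foreign_ips": sorted(ips)}
        for sid, ips in foreign.items()
    }


def sessions_to_revoke(findings: dict) -> list:
    """The response step the advisory stresses: the session itself must be revoked;
    a password reset alone leaves a stolen cookie valid."""
    return sorted(findings)


if __name__ == "__main__":
    found = find_moved_sessions(parse_events(SAMPLE_LOG))
    for sid, info in found.items():
        print(f"{sid}: user={info['user']} issued_to={info['issued_ip']} "
              f"later_seen_from={','.join(info['foreign_ips'])}")
    print("revoke:", sessions_to_revoke(found))
```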
Source – https://thehackernews.com/2023/08/phishing-as-service-gets-smarter.html
University of Michigan Shuts Down Network After Cyberattack
The University of Michigan has taken all of its systems and services offline to deal with a cybersecurity incident, causing a widespread impact on online services the night before classes started.
University of Michigan (U-M) is one of the oldest and largest educational institutes in the United States, employing over 30,000 academic and administrative staff and having roughly 51,000 students.
According to a series of announcements published on the University’s website, starting on Sunday, a cybersecurity incident caused IT outages and disrupted access to vital online services, including Google, Canvas, Wolverine Access, and email.
Although U-M engaged its IT team to restore the impacted systems, the administration felt it was safest to disconnect the U-M network from the internet due to the severity of the incident.
“Sunday afternoon, after careful evaluation of a significant security concern, we made the intentional decision to sever our ties to the internet,” reads the status update from Sunday.
“We took this action to provide our information technology teams the space required to address the issue in the safest possible manner.”
This includes wired and WiFi campus internet, M-Pathways, eResearch, DART, and all systems used in student registration.
Zoom, Adobe Cloud, Dropbox, Slack, Google, and Canvas services have been restored and can be accessed from outside networks, although their availability is unstable due to overload.
However, the timing of the incident should not be ignored, as the attack occurred on the eve of a new academic year as students and faculty were preparing to start classes. Due to this, the U-M administration has decided to waive late registration or disenrollment fees for August.
Students rely on the currently offline systems to access class information and to navigate the large campus, especially during the initial days of classes. Because of the lack of access, students will be given special consideration for attendance and assignments. The announcement also warns that some financial aid payments and refunds will be delayed due to the IT outage.
This has been a rough month for educational institutes in Michigan. Three weeks ago, Michigan State University disclosed that it had been impacted by the MOVEit data theft attacks.
Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom
A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign.
The activity is being tracked under the name UNC4841, and the group is described as highly responsive to defensive efforts and capable of actively tweaking its modus operandi to maintain persistent access to targets. UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda’s remediation guidance.
Almost a third of the identified affected organizations are government agencies. Interestingly enough, some of the earliest compromises appear to have taken place on a small number of devices geolocated to mainland China.
The attacks entail the exploitation of CVE-2023-2868 to deploy malware and conduct post-exploitation activities. In select cases, the intrusions have led to the deployment of additional malware, such as SUBMARINE (aka DEPTHCHARGE), to maintain persistence in response to remediation endeavors.
Further analysis of the campaign has revealed a distinct fall off in activity from approximately January 20 to January 22, 2023, coinciding with the beginning of the Chinese New Year, followed by two surges, one after Barracuda’s public notification on May 23, 2023, and a second one in early June 2023.
The latter is said to have involved the attacker attempting to maintain access to compromised environments via the deployment of the new malware families SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE.
While SKIPJACK is a passive implant that registers a listener for specific incoming email headers and subjects before decoding and running their content, DEPTHCHARGE is pre-loaded into the Barracuda SMTP (BSMTP) daemon using the LD_PRELOAD environment variable, and retrieves encrypted commands for execution.
The earliest use of DEPTHCHARGE dates back to May 30, 2023, merely days after Barracuda publicly disclosed the flaw. The malware was observed being rapidly deployed to a subset of targets, indicating a high level of preparation and an attempt to persist within high-value environments.
Roughly 2.64 percent of the total compromised appliances are estimated to have been infected with DEPTHCHARGE. This victimology spans U.S. and foreign government entities, as well as high-tech and information technology providers.
The third malware strain, also selectively delivered to targets, is FOXTROT, a C++ implant that’s launched using a C-based program dubbed FOXGLOVE. Communicating via TCP, it comes with features to capture keystrokes, run shell commands, transfer files, and set up a reverse shell.
What’s more, FOXTROT shares overlaps with an open-source rootkit called Reptile, which has been extensively used by multiple Chinese hacking crews in recent months. This also comprises UNC3886, a threat actor linked to the zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system.
Another aspect that makes FOXGLOVE and FOXTROT stand out is that they have been the most selectively deployed of all the malware families used by UNC4841, used exclusively against government or government-related organizations.
The adversarial collective has also been detected performing internal reconnaissance and subsequent lateral movement actions within a limited number of victim environments. More than one case entailed utilizing Microsoft Outlook Web Access (OWA) to attempt to log in to mailboxes for users within the organizations.
As an alternative form of remote access, the advanced persistent threat (APT) actor created accounts with four randomly generated characters in the /etc/passwd file on roughly five percent of the previously impacted appliances.
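Two host-level checks for the persistence traces described above (the LD_PRELOAD loading attributed to DEPTHCHARGE and the four-character accounts in /etc/passwd), as an added example that is not code from Mandiant, Barracuda or the article. The functions take file contents so they run against copied-off evidence or constructed samples; the live-host walk of /proc, the "bsmtp" process-name hint, the short-account allowlist and the sample files are all assumptions.

```python
"""Added example; not code from Mandiant, Barracuda or the article.
Sample inputs below are constructed; the process-name hint and allowlist are assumptions."""
import os

# Assumption: legitimate 4-character system accounts on the build being audited.
KNOWN_SHORT_ACCOUNTS = {"root", "sync", "mail", "news", "uucp", "sshd"}

SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libx.so\0HOME=/\0"   # constructed
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sshd:x:74:74::/var/empty:/sbin/nologin
qx4f:x:1001:1001::/home/qx4f:/bin/sh
admin:x:1000:1000::/home/admin:/bin/bash
"""                                                                             # constructed


def preload_from_environ(environ_bytes: bytes):
    """/proc/<pid>/environ is NUL-separated KEY=VALUE; return the LD_PRELOAD value or None.
    A library injected this way runs inside the daemon without any file of its own on disk
    showing up in the daemon's package manifest."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def preload_from_ld_so_preload(text: str) -> list:
    """Non-empty, non-comment lines of /etc/ld.so.preload are loaded into every process."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def suspicious_passwd_accounts(passwd_text: str, allow=KNOWN_SHORT_ACCOUNTS) -> list:
    """(name, uid, shell) for exactly-four-character account names not on the allowlist."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue                      # malformed line; not a valid passwd entry
        name, uid, shell = fields[0], fields[2], fields[6]
        if len(name) == 4 and name not in allow:
            hits.append((name, int(uid), shell))
    return hits


def audit_live_host(process_name_hint: str = "bsmtp") -> list:
    """Walk /proc for processes whose comm contains the hint and report any LD_PRELOAD.
    The hint is an assumption about the daemon's process name."""
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            if process_name_hint not in comm:
                continue
            with open(f"/proc/{pid}/environ", "rb") as f:
                lib = preload_from_environ(f.read())
        except OSError:
            continue                      # process exited, or environ unreadable without privileges
        if lib:
            findings.append((int(pid), comm, lib))
    return findings


if __name__ == "__main__":
    print("sample environ LD_PRELOAD :", preload_from_environ(SAMPLE_ENVIRON))
    print("sample short accounts     :", suspicious_passwd_accounts(SAMPLE_PASSWD))
    if os.path.isfile("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            print("/etc/ld.so.preload        :", preload_from_ld_so_preload(f.read()))
    if os.path.isdir("/proc"):
        print("live LD_PRELOAD findings  :", audit_live_host())
```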
UNC4841’s Chinese connections are further bolstered by the infrastructure commonalities between the group and another uncategorized cluster codenamed UNC2286, which, in turn, shares overlaps with other Chinese espionage campaigns tracked as FamousSparrow and GhostEmperor.
The latest disclosure comes against the backdrop of the U.S. Federal Bureau of Investigation (FBI) urging impacted customers to replace their ESG appliances with immediate effect, citing continued risk.
Source – https://thehackernews.com/2023/08/chinese-hacking-group-exploits.html
Mom’s Meals Discloses Data Breach Impacting 1.2 Million People
PurFoods, which conducts business in the U.S. as ‘Mom’s Meals,’ is warning of a data breach after the personal information of 1.2 million customers and employees was stolen in a ransomware attack. Mom’s Meals is a medical meal delivery service for self-paying customers or people eligible for government assistance through the Medicaid and Older Americans Act programs.
The firm warns that it identified suspicious activity on its networks on February 22nd, 2023, when files on its systems had been encrypted by ransomware.
“Upon identifying suspicious account behavior on February 22, 2023, we launched an investigation with the help of third-party specialists,” reads the notice.
“The investigation determined that we experienced a cyberattack between January 16, 2023, and February 22, 2023, that included the encryption of certain files in our network.”
Signs of network problems became evident in early March 2023, when an anonymous Mom’s Meals employee tipped an Iowa news outlet that they had missed work and pay for a week due to “an internet issue.”
PurFoods’ investigation revealed that the company had been breached on January 16th, 2023, and tools commonly used to steal data were found on the network.
A more in-depth investigation concluded on July 10th, 2023, confirming the hackers had accessed the following data:
- Date of birth
- Driver’s license
- State identification number
- Financial account information
- Payment card information
- Medical record number
- Medicare and Medicaid identification
- Health information
- Treatment information
- Diagnosis code
- Meal category and cost
- Health insurance information
- Patient ID number
- Social Security Numbers (for >1% of the exposed people)
The data breach impacts individuals who have received Mom’s Meals packages, current and former employees, and independent contractors. According to the PurFoods data breach filing at the Office of the Maine Attorney General, the incident impacted 1,237,681 people.
Those people will receive free-of-charge coverage for 12 months of credit monitoring and identity protection services through Kroll.
The data exposed to cybercriminals is highly sensitive and can allow threat actors to conduct elaborate scams, phishing, and social engineering attacks.
10 Million Likely Impacted by Data Breach at French Unemployment Agency
The personal information of roughly 10 million individuals was likely compromised in a data breach at French governmental unemployment agency Pole Emploi. The agency, which registers unemployed individuals, provides them with financial aid, and helps them find new jobs, says it became aware of the incident just over a week ago.
The data breach, the agency says, was the result of a cyberattack on one of its service providers, and that no Pole Emploi system was affected. According to Pole Emploi, the data compromised during the attack belongs to individuals who registered with the agency until February 2022, and includes names and social security numbers.
Other personal information, such as email addresses, phone numbers, passwords, and bank credentials were not affected.
“Although there is no risk on the compensation and support offered by Pole Emploi, nor on access to the personal space of pole-emploi.fr, Pole Emploi advises jobseekers to remain vigilant faced with any type of approach or proposal that could appear fraudulent,” a translation of the agency’s notification reads.
Pole Emploi also says it will notify all impacted individuals of the incident, but has not provided information on how many people might have been affected. According to researchers, the data breach was the result of the May 2023 MOVEit hack, which has impacted roughly 1,000 organizations and more than 60 million people.
Data collected from various sources shows that roughly 10 million individuals might have been affected by the Pole Emploi data breach.
LeParisien reports that the data breach involved customer experience management firm Majorel, which was responsible for the digitalization and processing of documents provided by job seekers.
Responding to an inquiry, Majorel said that the incident was not related to the MOVEit hack and that no other customer was affected.
“We are currently working very closely with Pôle Emploi on the data issue they have reported. Naturally, data security is one of our top priorities and our specialist teams are fully engaged on this matter to support Pôle Emploi. After Pôle Emploi notified us of the issue, an investigation was immediately launched which is still ongoing. In the meantime, we can confirm that this topic only relates to Tech & Expert services (the management and digitization of documents) we provide to Pôle Emploi in France and that no other clients, services, systems, or countries are impacted,” a Majorel spokesperson said.
Spain Warns of LockBit Locker Ransomware Phishing Attacks
The National Police of Spain is warning of an ongoing ‘LockBit Locker’ ransomware campaign targeting architecture companies in the country through phishing emails.
“A wave of sending emails to architecture companies has been detected, although it is not ruled out that they extend their action to other sectors,” reads the police announcement. “The detected campaign has a very high level of sophistication since the victims do not suspect anything until they suffer the encryption of the terminals.”
Spain’s cyber police have detected that many emails are sent from the non-existent domain “fotoprix.eu” and impersonate a photographic firm.
The threat actors pretend to be a newly launched photography store requesting a facility renovation/development plan and a cost estimate for the work from the architecture firm.
After exchanging several emails to build trust, the LockBit operators propose to specify a meeting date to discuss the budget and details of the building project and send an archive with documents on the exact specifications of the renovation.
These archives contain a folder named ‘fotoprix’ that includes numerous Python files, batch files, and executables. The archive also contains a Windows shortcut named ‘Caracteristicas,’ that, when launched, will execute a malicious Python script.
Analysis shows that the executed Python script checks whether the user is an admin of the device and, if so, makes modifications to the system for persistence and then executes the ‘LockBit Locker’ ransomware to encrypt files. If the Windows user is not an admin on the device, it uses the Fodhelper UAC bypass to launch the ransomware encryptor with admin privileges.
The Spanish police underline the “very high level of sophistication” of these attacks, particularly noting the consistency of the communications that convince victims they interact with individuals genuinely interested in discussing architectural project details.
While the ransomware gang claims to be affiliated with the notorious LockBit ransomware operation, it is thought this campaign is conducted by different threat actors using the leaked LockBit 3.0 ransomware builder. The regular LockBit operation negotiates through a Tor negotiation site, while this ‘LockBit Locker’ negotiates via email at ‘lockspain@onionmail.org’ or via the Tox messaging platform.
Furthermore, automated analysis identifies the ransomware executable as being BlackMatter, a ransomware operation that shut down in 2021 and later rebranded as ALPHV/BlackCat. However, this is expected, as the leaked LockBit 3.0 builder, also known as LockBit Black, is also identified by Intezer as BlackMatter for its use of BlackMatter source code.
It is likely that the threat actors behind this campaign are using different lures for companies in other sectors. Phishing actors have extensively used the “call to bid” bait in campaigns impersonating private firms or government agencies, using well-crafted documents to convince recipients of the legitimacy of their messages.
Notorious ransomware gangs adopting similar practices for initial compromise is a worrying development, as posing as legitimate customers could help them overcome obstacles like their targets’ anti-phishing training.
KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities
An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface.
The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors. The fact that it’s being actively maintained indicates its effectiveness in real-world attacks.
KmsdBot was first documented in November 2022. It’s mainly employed to target private gaming servers and cloud hosting providers, although it has since set its eyes on some Romanian government and Spanish educational sites.
The malware is designed to scan random IP addresses for open SSH ports and brute-force the system with a password list downloaded from an actor-controlled server. The new updates incorporate Telnet scanning as well as allow it to cover more CPU architectures commonly found in IoT devices.
Like the SSH scanner, the Telnet scanner calls a function that generates a random IP address and then attempts to connect to port 23 on it. The Telnet scanner does not stop at a simple decision of whether port 23 is listening or not, however; it also verifies that the receive buffer contains data.
The attack against Telnet is accomplished by downloading a text file (telnet.txt) that contains a list of commonly used weak passwords and their combinations for a wide range of applications, mainly taking advantage of the fact that many IoT devices have their default credentials unchanged.
The ongoing activities of the KmsdBot malware campaign indicate that IoT devices remain prevalent and vulnerable on the internet, making them attractive targets for building a network of infected systems.
Source – https://thehackernews.com/2023/08/kmsdbot-malware-gets-upgrade-now.html
Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack
Risk and financial advisory solutions provider Kroll on Friday disclosed that one of its employees fell victim to a “highly sophisticated” SIM swapping attack.
The incident, which took place on August 19, 2023, targeted the employee’s T-Mobile account, the company said.
“Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor’s phone at their request,” it said in an advisory.
This enabled the unidentified actor to gain access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX, and Genesis.
SIM swapping (aka SIM splitting or simjacking), while generally a benign process, could be exploited by threat actors to fraudulently activate a SIM card under their control with a victim’s phone number. This makes it possible to intercept SMS messages and voice calls and receive MFA-related messages that control access to online accounts.
Fraudsters often accomplish this by using phishing or social media to collect personal information about their targets, such as birthdays, mother’s maiden names, and the high schools they went to, so that they can convince the cellular carrier to port the victims’ phone numbers to one of their own SIM cards.
The company noted that it took immediate steps to secure the three affected accounts and that it has notified impacted individuals by email. While an investigation is underway, Kroll said it found no evidence to indicate that other systems or accounts have been affected.
The disclosure arrives days after Bart Stephens, the co-founder of Blockchain Capital, filed a lawsuit against an anonymous hacker who stole $6.3 million worth of crypto in an alleged SIM swap attack.
Earlier this month, the U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) urged telecommunications providers to employ stronger security protocols to prevent SIM swapping, including by providing options for customers to lock their accounts and enforcing stringent identity verification checks.
If anything, the frequency of SIM swapping attacks is a reminder for users to move away from SMS-based two-factor authentication (2FA) and switch to phishing-resistant methods to secure online accounts.
Source – https://thehackernews.com/2023/08/kroll-suffers-data-breach-employee.html