Thursday, September 14th, 2023
Cybersecurity Week in Review (15/09/2023)
Bank of Ireland warns of new ‘live chat’ scam
Bank of Ireland has issued a warning about a new scam in which fraudsters are duping customers into allowing remote access to their computers and bank accounts.
The customer gets a phone call from someone claiming to be from Bank of Ireland and they are asked to log into their online banking.
The fraudster then asks the customer to go to another new website address, saying that this is for a live chat service or to verify the customer’s PC, but in reality it allows the fraudster remote access to the customer’s computer.
Bank of Ireland is advising customers to hang up if they get a call from someone who asks them to go to a website or to click on a link that they are sent.
The bank said the fraudsters are mainly targeting business banking customers and that reports of this type of scam to its fraud line are increasing daily.
Bank of Ireland is launching a major national fraud awareness campaign to warn customers of the prevalence of fraud.
A survey has showed that 96% of consumers believe they will be targeted in the next six months, and 82% saying they are targeted at least once per month.
“This new scam is of particular concern as fraudsters are convincing people to allow access to their PCs via a fake ‘live chat’, where they can access business customers’ online banking, and other personal files and information,” said Nicola Sadlier, Head of Fraud at Bank of Ireland.
“We are urging customers to take extra care when logging into their online banking, to ensure it is a legitimate site,” Ms Sadlier said.
Source – https://www.rte.ie/news/business/2023/0914/1405158-boi-warning/
FBI Hacker Leaks Airbus Data, Threatens Lockheed and Raytheon
Airbus vendor data was posted on a popular English-language forum by supposedly the same attacker who infiltrated the FBI’s data-sharing network in 2022. The attacker, who goes by the moniker “USDoD,” said they accessed European aerospace giant Airbus’ site by exploiting employee access from a Turkish Airline.
“This month, I got access to Airbus site using employee access from some Turkish airline, and this got me inside of a lot of stuff, plus their vendors’ data, 3,200 records. It is their entire vendors’ data,” the attacker said.
The leaked data supposedly includes Airbus vendors’ sensitive data such as names, addresses, phone numbers, email addresses, job titles, departments, and other information.
The attacker said they would proceed to target US defense contractors such as Lockheed Martin and Raytheon.
An investigation discovered that the “USDoD” infected computer belonged to an employee of Turkish Airlines and contained third-party login credential details for Airbus.
The device was likely infected after the victim tried downloading a pirated version of the Microsoft .NET framework containing a RedLine info-stealer, which allowed attackers to obtain the credentials.
Interestingly, “USDoD” updated the original post about the Airbus leak, apologizing to US citizens for uploading information on an aerospace company on September 11th.
Late last year, an attacker using the same name posted an ad on a now-defunct hacker forum offering to sell the database of the FBI’s file-sharing system “InfraGard.”
Source – https://cybernews.com/news/airbus-data-leak-lockheed-raytheon/
Ransomware Gang Takes Credit for Disruptive MGM Resorts Cyberattack
A known ransomware gang has taken credit for the highly disruptive cyberattack on MGM Resorts, and the hospitality and entertainment giant has yet to restore many of the impacted systems.
It’s unclear for how long hackers had access to the company’s systems, but the attack came to light on September 10, and the next day MGM issued a statement saying it was forced to shut down many systems due to a cybersecurity issue.
The incident has impacted MGM’s website, casinos, and systems used for email, restaurant reservations, and hotel bookings, and even digital hotel room keys.
Vx-underground, a research organization providing malware samples and threat intelligence, reported on Wednesday that the ransomware group named ALPHV (aka BlackCat), specifically one of its subgroups, has taken credit for the attack. The hackers told Vx-underground that they gained initial access to MGM Resorts systems using social engineering.
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” Vx-underground said in a message posted on X, formerly Twitter.
There is no mention of MGM on the ALPHV leak website, but victims are typically only named on the site when negotiations with the cybercriminals fail or stall.
In addition to encrypting files, the hackers typically steal valuable information from compromised systems in an effort to pressure the victim into paying up. A threat group tracked as Scattered Spider is thought to be behind the attack on MGM.
Scattered Spider, also known as 0ktapus and UNC3944, was previously described by cybersecurity researchers as an ALPHV ransomware affiliate. The financially motivated group has been known to target mobile carriers, cryptocurrency firms, as well as Twilio, Cloudflare and many other organizations with SMS-based phishing messages.
Scattered Spider also hacked casino giant Caesars Entertainment, which has reportedly paid tens of millions of dollars to the cybercriminals.
The MGM Resorts website and many other systems that were taken offline in response to the attack have yet to be restored.
MGM has filed an 8-K form with the US Securities and Exchange Commission (SEC) regarding the cyberattack, which indicates that the incident may have a material impact on the company.
Rating agency Moody’s said the incident could have a negative effect on MGM’s credit rating. The breach has also had an impact on MGM shares.
Last year, MGM Resorts-owned online sports betting company BetMGM suffered a data breach, with hackers claiming to have stolen the information of 1.5 million customers.
Source – https://www.securityweek.com/ransomware-gang-takes-credit-for-highly-disruptive-mgm-resorts-attack/
CrelioHealth Leak Exposed 28M+ Log Records
CrelioHealth, a cloud-based laboratory information management system, left an open instance exposing the sensitive data of tens of thousands of people. The company recognized the issue and fixed it immediately.
CrelioHealth left an open Elasticsearch cluster containing millions of lab records. The exposed instance held CrelioHalth data concerning the National Reference Laboratory in the United Arab Emirates.
The National Reference Laboratory operates ten medical facilities nationwide, providing services to private and government hospitals, medical centers and clinics, corporate organizations, and other reference labs. ElasticSearch is a popular tool for managing large volumes of data.
Running a query for “firstname” returned 462,000 results. However, given there could be duplicates, it is believed the number of exposed people could range from 50,000 to 100,000.
CrelioHealth claims the ElasticSearch cluster was exposed due to a data migration process. The India-based company reportedly processes over four million reports every month and handles 110,000 individual lab records every day.
The exposed database held personal identifiable information (PII) such as:
- Passport or ID number
- Full name
- Gender
- Nationality
- Mobile (if specified)
- Address (if specified)
- Email (if specified)
- Date of birth
According to CrelioHealth, the company took “immediate action” to address the data leak and implement “necessary security measures” to “safeguard the non-public information, user data, and internal documents that were at risk.”
“The incident was a result of an accidental assignment of a public [internet protocol] IP address to the Elasticsearch log cluster during a data migration process. This temporary exposure occurred today – 29th August – as we were in the process of migrating data to a different cluster hosted,” the company stated.
According to the company, the incident took place on August 29, leading to “an unintentional exposure of our internal log server for system transactions of NRL specific instances.”
“Due to an oversight, our internal log server was temporarily assigned a public IP address, which inadvertently allowed public traffic to access the internal log system,” the company said.
However, the company denied any protected health information (PHI) was exposed. CrelioHealth said that the exposed logs were part of a separate monitoring cluster, adding all of the data were test log.
The company added that the actual number of leaked logs is far smaller, “ in the range of 1000-2000 NRL specific log records and the count of a search query is a keyword in log index which is misrepresenting the actual number of records.”
Exposing sensitive PII data can cause many issues for victims. Stolen data can be used to commit fraud: from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.
Source – https://cybernews.com/news/creliohealth-data-leak-exposed-thousands/
Hackers Use New 3AM Ransomware to Save Failed LockBit Attack
A new ransomware strain called 3AM has been uncovered after a threat actor used it in an attack that failed to deploy LockBit ransomware on a target network. Researchers say in a report that the new malware “has only been used in a limited fashion” and it was a ransomware affiliate’s fallback when defense mechanisms blocked LockBit.
Attacks using 3AM ransomware are rare, with only a single incident identified where a ransomware affiliate switched to it because they could not deploy LockBit. 3AM ransomware extortion follows the common trend of stealing data before encrypting it and dropping a ransom note threatening to sell the stolen information unless the attacker gets paid.
The operation has a very basic negotiation site on the Tor network that only provides access to a negotiation chat window based on a passkey provided in the ransom note. 3AM is written in Rust and appears to be unrelated to any known ransomware family, making it a completely new malware.
Before starting to encrypt files, 3AM tries to stop multiple services running on the infected system for various security and backup products from vendors like Veeam, Acronis, Ivanti, McAfee, or Symantec. Once the encryption process completes, files have the .THREEAMTIME extension and the malware also attempts to delete Volume Shadow copies that could be used to recover the data.
The researchers say that a 3AM ransomware attack is preceded by the use of a “gpresult” command that dumps the system’s policy settings for a specific user. They observed the use of commands commonly used for reconnaissance (e.g. whoami, netstat, quser, and net share), enumerating servers (e.g. quser, net view), adding a new user for persistence, and the use of the old wput FTP client to copy files to the attacker’s server.
According to malware analysis, the 3AM Rust-based 64-bit executable recognizes the following command-line parameters:
- “-k” – 32 Base64 characters, the “access key” in the ransom note
- “-p” – unknown
- “-h” – unknown
- “-m” – method, where the code checks one of two values before running encryption logic:
- “local”
- “net”
- “-s” – determines offsets within files for encryption to control encryption speed, expressed as decimal digits.
Although researchers frequently see new ransomware families, few of them gain sufficient popularity to turn into a stable operation.
Because 3AM was used as an alternative to LockBit, it is likely to attract the interest of other attackers and be used more often. However, despite being a new threat, which is typically more likely to bypass defenses and run undetected, 3AM was only partially successful during the attack that Symantec investigated.
The researchers say that the threat actor was able to deploy the malware only on three machines of the targeted organization and its activity was blocked on two of the systems, showing that there already are defenses against it.
Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages
Microsoft is warning of a new phishing campaign undertaken by an initial access broker that involves using Teams messages as lures to infiltrate corporate networks.
The tech giant’s Threat Intelligence team is tracking the cluster under the name Storm-0324, which is also known by the monikers TA543 and Sagrid.
“Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats,” the company said, adding the development marks a shift from using email-based initial infection vectors for initial access.
Storm-0324 operates in the cybercriminal economy as a payload distributor, offering a service that allows for the propagation of various payloads using evasive infection chains. This includes a mix of downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.
Attack sequences mounted by the actor in the past have employed invoice- and payment-themed decoy email messages to trick users into downloading SharePoint-hosted ZIP archive files distributing JSSLoader, a malware loader capable of profiling infected machines and loading additional payloads.
“The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic,” Microsoft said.
“This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.”
The access afforded by the malware paves the way for the ransomware-as-a-service (RaaS) actor Sangria Tempest (aka Carbon Spider, ELBRUS, and FIN7) to conduct post-exploitation actions and deploy file-encrypting malware.
The modus operandi has since received a facelift as of July 2023 wherein the phishing lures are sent over Teams with malicious links leading to a malicious ZIP file hosted on SharePoint.
This is accomplished by leveraging an open-source tool called TeamsPhisher, which enables Teams tenant users to attach files to messages sent to external tenants by exploiting an issue that was first highlighted by JUMPSEC in June 2023.
It’s worth noting that a similar technique was adopted by the Russian nation-state actor APT29 (aka Midnight Blizzard) in attacks targeting about 40 organizations globally in May 2023.
The company said it has made several security enhancements to block the threat and that it “suspended identified accounts and tenants associated with inauthentic or fraudulent behavior.”
“Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware,” Microsoft further pointed out.
The disclosure comes as the tactics, techniques and procedures of the notorious ransomware group known as Cuba (aka COLDDRAW and Tropical Scorpius) have been identified, alongside discoveringg a new alias named “V Is Vendetta” that’s suspected to have been used by a sub-group or affiliate.
The group, like RaaS schemes, employs the double extortion business model to attack numerous companies around the world and generate illicit profits.
Ingress routes entail the exploitation of ProxyLogon, ProxyShell, ZeroLogon, and security flaws in Veeam Backup & Replication software to deploy Cobalt Strike and a custom backdoor dubbed BUGHATCH, which is then used to deliver updated versions of BURNTCIGAR in order to terminate security software running on the host.
Ransomware attacks have witnessed a major spike in 2023, with the U.K. National Cyber Security Centre (NCSC) and National Crime Agency (NCA) noting that they are “reliant on a complex supply chain.”
Source – https://thehackernews.com/2023/09/microsoft-warns-of-new-phishing.html
New ‘MetaStealer’ Malware Targets Intel-based MacOS Systems
A new information stealer malware named ‘MetaStealer’ has appeared in the wild, stealing a wide variety of sensitive information from Intel-based macOS computers. MetaStealer, not to be confused with the ‘META’ info-stealer that saw some popularity last year, is a Go-based malware capable of evading Apple’s built-in antivirus tech XProtect, targeting business users with an unusual involvement of social engineering in its distribution.
Although the malware has some similarities with Atomic Stealer, another Go-based macOS targeting info-stealer, the code overlap is limited, and the delivery methods are different.
Researchers found a malware sample on VirusTotal with a comment stating the MetaStealer threat actors are contacting businesses and impersonating the company’s clients to distribute the malware.
“I was targeted by someone posing as a design client, and didn’t realize anything was out of the ordinary. The man I’d been negotiating with on the job this past week sent me a password protected zip file containing this DMG file, which I thought was a bit odd,” reads the VirusTotal comment.
“Against my better judgement I mounted the image to my computer to see its contents. It contained an app that was disguised as a PDF, which I did not open and is when I realized he was a scammer.”
Attached to the phishing emails are disk image files that, when mounted on the filesystem, contain deceptively named executables that appear as PDF files to trick the victim into opening them.
Analysts observed DMGs named after Adobe software or client work, including the following:
- Advertising terms of reference (MacOS presentation).dmg
- CONCEPT A3 full menu with dishes and translations to English.dmg
- AnimatedPoster.dmg
- Brief_Presentation-Task_Overview-(SOW)-PlayersClub.dmg
- AdobeOfficialBriefDescription.dmg
- Adobe Photoshop 2023 (with AI) installer.dmg
The malware’s application bundles contain the bare essentials, namely an Info.plist file, a Resources folder with an icon image, and a macOS folder with the malicious Mach-O executable. None of the samples were signed, despite some versions featuring an Apple Developer ID.
MetaStealer attempts to steal information stored on the compromised systems, including passwords, files, and app data, and then attempts to exfiltrate them via TCP over port 3000.
Specifically, the malware features functions allow for exfiltrating the keychain and extracting saved passwords, stealing files from the system, and targeting Telegram and Meta (Facebook) services.
The keychain is a system-level password management system for macOS, managing credentials for websites, applications, WiFi networks, certificates, encryption keys, credit card information, and even private notes. Hence, the exfiltration of keychain contents is a powerful feature that could give the attackers access to sensitive data.
In its current version, MetaStealer only runs on Intel x86_64 architecture, which means it cannot compromise macOS systems running on Apple Silicon processors (M1, M2) unless the victim uses Rosetta to run the malware. This mitigates the threat and limits it to an ever-reducing number of potential victims as Intel-based Apple computers are being phased out.
However, MetaStealer might release a new version that adds native support for Apple Silicon, so it’s a threat to watch out for.
Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack
A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show. The flaw could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations.
Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions.
Following responsible disclosure on March 1, 2023, the Microsoft-owned code hosting platform has addressed the issue as of September 1, 2023.
Repojacking, short for repository hijacking, is a method whereby a malicious actor can circumvent a security mechanism known as ‘popular repository namespace retirement,’ ultimately gaining control of a repository.
What the protection measure does is prevent other users from creating a repository with the same name as a repository with more than 100 clones at the time its user account is renamed. In other words, the combination of the username and the repository name is considered “retired.”
Should this safeguard be trivially circumvented, it could enable threat actors to create new accounts with the same username and upload malicious repositories, potentially leading to software supply chain attacks.
The new method takes advantage of a potential race condition between the creation of a repository and the renaming of a username to achieve repojacking. Specifically, it entails the following steps –
- Victim owns the namespace “victim_user/repo”
- Victim renames “victim_user” to “renamed_user”
- The “victim_user/repo” repository is now retired
- A threat actor with the username “attacker_user” simultaneously creates a repository called “repo” and renames the username “attacker_user” to “victim_user”
The last step is accomplished using an API request for repository creation and a renamed request interception for the username change. The development comes nearly nine months after GitHub patched a similar bypass flaw that could open the door to repojacking attacks.
Source – https://thehackernews.com/2023/09/critical-github-vulnerability-exposes.html
‘Redfly’ Hackers Infiltrated Power Supplier’s Network For 6 Months
An espionage threat group tracked as ‘Redfly’ hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months.
These new findings come as researchers found evidence of ShadowPad malware activity in the organization’s network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers. Although ShadowPad is a widely available trojan that multiple APT groups use, the recent attacks were tracked separately, reporting that Redfly appears to have an exclusive focus on critical national infrastructure.
The ShadowPad variant seen in the attacks masquerades its components (exe and dll) as VMware files, dropping them on the victim’s filesystem. The program also achieves persistence by creating services named after VMware again, set to launch the malicious executable and DLL upon system boot. In general, ShadowPad is a versatile modular RAT that supports data exfiltration to the C2, keystroke recording, file searching and file operations, and remote command execution.
Multiple APTs use it because it is not associated with a single actor, making attribution and tracking harder for analysts. In the observed attacks, Redfly used a separate keylogging tool that captured keystrokes in log files on the breached system, which the attackers retrieved manually.
Another tool the espionage hackers use is Packerloader, employed for loading and executing shellcode inside AES encrypted files capable of evading AV detection.
The attackers were seen using this tool to execute code that modified a driver file’s permissions, subsequently used for creating credential dumps in the Windows registry (for future retrieval) and wiping Windows security event logs.
Redfly also uses PowerShell to execute commands that help them gather details about specific storage devices on the compromised system. For lateral movement, the hackers use DLL side-loading and legitimate executables, scheduled tasks executing legitimate binaries, and stolen credentials.
Redfly also employed renamed versions of known tools, like ProcDump, to dump credentials from LSASS and then use them to authenticate on adjacent systems.
The lengthy dwell period seen in this attack is characteristic of espionage actors who infect systems and keep a low profile to collect as much intelligence as possible. While the attackers’ intent to disrupt the power supply remains uncertain, the potential risk poses a significant threat.
New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World
A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.
Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have.
First observed in July 2023, the malware employs a number of techniques to fly under the radar. This involves using syscalls to evade monitoring from security solutions, monitoring processes associated with security software based on an embedded blocklist, and putting off code execution by as much as 40 seconds at different stages.
The exact initial access vector used to infiltrate targets is currently not known. The anti-analysis aspects notwithstanding, the loader packs in a main instrumentation module that facilitates flexible code injection and execution using embedded modules.
Persistence on the compromised host is achieved by creating a shortcut file (LNK) in the Windows Startup folder and pointing it to a Background Intelligent Transfer Service (BITS) job.
The disclosure comes as details emerged of an updated version of an information-stealing malware known as RisePro that was previously distributed via a pay-per-install (PPI) malware downloader service dubbed PrivateLoader.
The seller claimed in their ads that they have taken the best aspects of ‘RedLine’ and ‘Vidar’ to make a powerful stealer, and this time, the seller also promises a new advantage for users of RisePro: customers host their own panels to ensure logs are not stolen by the sellers.
RisePro, written in C++, is designed to harvest sensitive information on infected machines and exfiltrate it to a command-and-control (C&C) server in the form of logs. It was first offered for sale in December 2022.
It also follows the discovery of a new information stealer written in Node.js that’s packaged into an executable and distributed via malicious Large Language Model (LLM)-themed Facebook ads and bogus websites impersonating ByteDance’s CapCut video editor.
When the stealer is executed, it runs its main function that steals cookies and credentials from several Chromium-based web browsers, then exfiltrates the data to the C&C server and to the Telegram bot. It also subscribes the client to the C&C server running GraphQL. When the C&C server sends a message to the client, the stealing function will run again. Targeted browsers include Google Chrome, Microsoft Edge, Opera (and OperaGX), and Brave.
This is the second time fake CapCut websites have been observed delivering stealer malware. In May 2023, two different attack chains leveraged the software as a lure to trick unsuspecting users into running Offx Stealer and RedLine Stealer.
The developments paint a picture of a constantly evolving cybercrime ecosystem, with stealer infections acting as a primary initial attack vector used by threat actors to infiltrate organizations and conduct post-exploitation actions.
It’s therefore not surprising that threat actors are jumping on the bandwagon to spawn new stealer malware strains such as Prysmax that incorporate a Swiss Army knife of functionalities that enable their customers to maximize their reach and impact.
Source – https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.html
Charming Kitten’s New Backdoor ‘Sponsor’ Targets Brazil, Israel, and U.A.E.
The Iranian threat actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor.
The cluster is being tracked under the name Ballistic Bobcat. Victimology patterns suggest that the group primarily singles out education, government, and healthcare organizations, as well as human rights activists and journalists. At least 34 victims of Sponsor have been detected to date, with the earliest instances of deployment dating back to September 2021.
The Sponsor backdoor uses configuration files stored on disk. These files are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines.
The campaign, dubbed Sponsoring Access, involves obtaining initial access by opportunistically exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers to conduct post-compromise actions, echoing an advisory issued by Australia, the U.K., and the U.S. in November 2021.
In one inciden, an unidentified Israeli company operating an insurance marketplace is said to have been infiltrated by the adversary in August 2021 to deliver next-stage payloads such as PowerLess, Plink, and a Go-based open-source post-exploitation toolkit called Merlin over the next couple of months.
The Merlin agent executed a Meterpreter reverse shell that called back to a new [command-and-control] server. On December 12th, 2021, the reverse shell dropped a batch file, install.bat, and within minutes of executing the batch file, Ballistic Bobcat operators pushed their newest backdoor, Sponsor.
Written in C++, Sponsor is designed to gather host information and process instructions received from a remote server, the results of which are sent back to the server. This includes command and file execution, file download, and updating the list of attacker-controlled servers.
Source – https://thehackernews.com/2023/09/charming-kitens-new-backdoor-sponsor.html
Contact Us
The data you supply here will not be added to any mailing list or given to any third party providers without further consent. View our Privacy Policy for more information.