Friday, September 23rd, 2022
Cybersecurity Week in Review (23/9/22)
Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners
A now-patched critical security flaw had been affecting the Atlassian Confluence Server having come to light a few months ago. Any unpatched installations are still being actively exploited for illicit cryptocurrency mining.
Tracked as CVE-2022-26134 the vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment of information stealers, remote access trojans (RATs), and ransomware if left unremedied.
In one of the infection chains observed, the flaw was leveraged to download and run a shell script (“ro.sh”) on the victim’s machine, which, in turn, fetched a second shell script (“ap.sh”).
The malicious code is designed to update the PATH variable to include additional paths such as “/tmp”, download the cURL utility (if not already present) from a remote server, disable iptables firewall, abuse the PwnKit flaw (CVE-2021-4034) to gain root privileges, and ultimately deploy the hezb crypto miner.
The command-and-control (C2) server used to retrieve the cURL software as well as the hezb miner also distributed a Golang-based ELF binary named “kik” that enables the malware to kill processes of interest.
Users are advised to prioritize patching the flaw as it could be abused by threat actors for other nefarious purposes.
Crypto Trading Firm Wintermute Loses $160 Million in Hacking Incident
Digital assets worth around $160 million from crypto trading firm Wintermute have been stolen by hackers.
The hack involved a series of unauthorized transactions that transferred USD Coin, Binance USD, Tether USD, Wrapped ETH, and 66 other cryptocurrencies to the attacker’s wallet. The company said that its centralized finance (CeFi) and over-the-counter (OTC) operations have not been impacted by the security incident. It did not disclose when the hack took place.
Details surrounding the exact exploit method used to perpetuate the hack is unknown at the moment, although Wintermute say the attack was likely caused by a “Profanity-type exploit” in its trading wallet.
The Wintermute breach is the latest attack on DeFi protocols, including that of Axie Infinity, Harmony Horizon Bridge, Nomad, and Curve.Finance in the past few months. Some of these thefts have been attributed to the North Korea-backed Lazarus Group.
LinkedIn Smart Links abused in evasive email phishing attacks
A feature on LinkedIn known as Smart Link is being abused by attackers to bypass email security products and successfully redirect targeted users to phishing pages that steal payment information.
Smart Link is a feature reserved for LinkedIn Sales Navigator and Enterprise users, allowing them to send a pack of up to 15 documents using a single trackable link.
Due to the analytics Smart Link provides, threat actors can gain insight into the effectiveness of their campaigns, allowing them to optimize their lures.
The phishing email sent to targets supposedly originates from Slovenská pošta, the state-owned postal service provider in Slovakia, informing the recipient of the need to cover costs for a parcel that’s pending shipment.
Using email header trickery, the address appears legitimate to the recipient, but if examined closely, it becomes clear that the sender is actually “firstname.lastname@example.org”, entirely unrelated to the postal service. The embedded “confirm” button contains a LinkedIn Smart Link URL, with added alphanumeric variables at its end to redirect the victim to a phishing page. Visitors who enter the information and click on “submit” will be informed that their payment has been received and eventually redirected to a final SMS code confirmation page with the sole purpose of sprinkling legitimacy in the process.
While this still-ongoing campaign targets Slovakians, the abuse of LinkedIn Smart Link by phishing actors with a broader scope may be just a matter of time.
Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing
A distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests was observed on June 27, 2022.
The attack, which targeted an unnamed Chinese telecommunications company, is said to have lasted for four hours and peaked at 3.9 million requests per second (RPS). The attackers used HTTP/2 multiplexing, the combining of multiple packets into one, to send multiple requests at once over individual connections.
The attack was launched from a botnet that comprised nearly 170,000 different IP addresses spanning routers, security cameras, and compromised servers located in more than 180 countries, primarily the U.S., Indonesia, and Brazil.
A similar DDoS assault was aimed at a customer based in Eastern Europe on September 12, with attack traffic spiking at 704.8 million packets per second (pps). The same victim was previously targeted on July 21, 2022, in a similar fashion in which the attack volume ramped up to 853.7 gigabits per second (Gbps) and 659.6 million pps over a period of 14 hours.
Both the disruptive attempts were UDP flood attacks where the attacker targets and overwhelms arbitrary ports on the target host with User Datagram Protocol (UDP) packets.
Hive ransomware claims attack on New York Racing Association
An attack on the New York Racing Association (NYRA) has been attributed to the Hive ransomware operation. The attack impacted IT operations and website availability and compromised member data.
NYRA is the operator of the three largest thoroughbred horse racing tracks in New York, namely the Aqueduct Racetrack, the Belmont Park, and the Saratoga Race Course.
The member information that may have been compromised included social security numbers (SSNs), driver’s license identification numbers, health records and health insurance information.
From what seems to be the case, horse racing hasn’t been impacted by the incident because there have been no changes in the calendar, and race betting continues as usual. However, the association’s website remains out of reach, which sends the message that the effects of the attack haven’t been wholly mitigated yet.
The Hive ransomware gang took responsibility for the attack on NYRA by listing them as a victim on their extortion site. They also published a link to freely download a ZIP archive containing all of the files they allegedly stole from NYRA’s systems, so we can assume that negotiations for a ransom payment reached a dead end.
Revolut Breach May Have Hit 50,000+ Customers
Over 50,000 customers’ personal information may have been compromised in a serious breach of Revolut’s services.
The fintech giant, licensed in Lithuania, was highly targeted but the attacker was only able to access 0.16% of customers’ data for a short period of time.
Although it is thought no money was stolen, the Lithuanian data protection regulator the State Data Protection Inspectorate (VDAI) estimate that 50,150 global customers, including 20,687 in the European Economic Area (EEA), may have had personal data stolen. That information includes names, postal and email addresses, telephone numbers, partial card details and account information.
Affected customers are urged to be on high alert for follow-on phishing and fraud scams using these details.
American Airlines discloses data breach after employee email compromise
Affected customers of American Airlines were notified of a recent data breach after attackers compromised an undisclosed number of employee email accounts and gained access to sensitive personal information.
The breach was discovered on July 5th but the compromised accounts were secured and a cybersecurity firm was hired to investigate the incident. American Airlines says that it has no evidence that the exposed data was misused.
Personal information exposed in the attack and potentially accessed by the threat actors may have included employees’ and customers’ names, dates of birth, mailing addresses, phone numbers, email addresses, driver’s license numbers, passport numbers, and/or certain medical information.
The breach occurred as the result of a phishing campaign but the exact number of affected employee accounts and customer’s information has not been disclosed.
Microsoft 365 phishing attacks impersonate U.S. govt agencies
US Government contractors have been the target of an ongoing phishing campaign that has expanded its operation to push higher-quality lures and better-crafted documents.
The phishing emails are effective as they include a request for bids for lucrative government projects, taking them to phishing pages that are clones of legitimate federal agency portals.
This is the same operation from January 2022, where the threat actors attached PDFs with instructions on going through the bidding process for the U.S. Department of Labor projects. There’s now a plethora of different lures used in the messages such as better phishing web page behavior, and the removal of artifacts that revealed the signs of fraud in previous versions of the attached PDFs.
The phishing emails feature more consistent formatting, larger logos, and prefer to include a link to the PDF instead of attaching the file. The PDF files used to contain detailed instructions on how to bid, with overly technical information included. Now, they have been simplified and reduced in size, featuring more prominent logos and a link to the phishing page. The phishing websites have also received targeted improvements, using HTTPS on all web pages in the same domain.
The only way to defend against this is to examine all details like the sending address, the landing URL, and eventually visit the bidding portal through a search engine instead of following provided links.
Russian Sandworm hackers pose as Ukrainian telcos to drop malware
The Russian state-sponsored hacking group known as Sandworm has been observed masquerading as telecommunication providers to target Ukrainian entities with malware.
Sandworm is a state-backed threat actor attributed by the US government as part of the Russian GRU foreign military intelligence service. The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called Cyclops Blink.
Recent observations have seen a rise in Sandworm command and control (C2) infrastructure that uses dynamic DNS domains masquerading as Ukrainian telecommunication service providers. Recent campaigns aim to deploy commodity malware like Colibri Loader and the Warzone RAT (remote access trojan) onto critical Ukrainian systems.
The attack begins by luring victims to visit the domains, typically via emails sent from these domains, to make it appear like the sender is a Ukrainian telecommunication provider. The language used in these sites is Ukrainian, and the topics presented concern military operations, administration notices and reports. The most common web page seen is one containing the text which translates to “Odesa Regional Military Administration.” The HTML of the webpage contains a base64-encoded ISO file that is auto-downloaded when the website is visited using the HTML smuggling technique.
The payload contained in the image file is Warzone RAT, a malware created in 2018 and reached peak popularity in 2019. Sandworm uses it to replace the DarkCrystal RAT they deployed in previous months.
Possibly, the Russian hackers want to make tracking and attribution harder for security analysts by using widely available malware and hoping that their tracks are “lost in the noise.”
Source – https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-pose-as-ukrainian-telcos-to-drop-malware/