Friday, July 29th, 2022
Cybersecurity Week in Review (29/7/22)
Security Giant ‘Entrust’ Hacked – Attackers Stole Data From Internal Systems
Online trust and identity management company Entrust recently confirmed on its website that it has been hacked: attackers breached its firewalls and stole data from its internal systems.
It is speculated that compromised Entrust credentials were purchased by a ransomware operation and used to breach the network, leading to the subsequent encryption of systems and exfiltration of data.
Entrust offers a variety of security services such as encrypted communications, secure digital payments and ID issuance solutions, and works with several critical US government agencies and organisations such as the Dept. of Homeland Security and the Dept. of Energy.
The attack has been dated to June 18th, but Entrust’s customers were only notified of the breach recently, as shown in a screenshot shared by security researcher Dominic Alvieri.
It remains to be seen whether the stolen data is purely corporate or also includes customer and vendor data. It is also unclear what type of encryption was used, or whether devices were encrypted at all. However, the attack is speculated to have been carried out by a well-known ransomware gang in order to extort money from the company.
Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France
Compromises directed against French mobile phone users have been attributed to the mobile threat campaign known as Roaming Mantis.
70,000 Android devices are said to have been infected as part of the active malware operation, which has continued to expand its targeting of European countries. Roaming Mantis, a financially motivated Chinese threat actor, deploys the banking trojan MoqHao (aka Wroba, XLoader for Android) on Android devices, or redirects iPhone users to credential-harvesting landing pages that mimic the iCloud login page. MoqHao is an Android remote access trojan (RAT) with information-stealing and backdoor capabilities that likely spreads via SMS.
Using smishing techniques, the malware entices users with package delivery-themed messages containing rogue links that, when clicked, download the malicious APK file, but only after determining that the victim’s location is within French borders. Recipients outside France, or not using an Android or iOS device, receive a “404 Not Found” message and are not affected.
MoqHao typically uses domains generated through Duck DNS for its first-stage delivery infrastructure. It then masquerades as the Chrome web browser application to trick users into granting it invasive permissions. The spyware trojan, using these permissions, provides a pathway for remote interaction with the infected devices, enabling the adversary to stealthily harvest sensitive data such as iCloud data, contact lists, call history, SMS messages, among others.
CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards
Cybersecurity company Kaspersky has named a newly analysed persistent threat, a UEFI rootkit, CosmicStrand.
In use since 2016 by Chinese-speaking hackers, CosmicStrand (an earlier variant was named Spy Shadow Trojan) is malware that lies virtually undetected in the firmware images of some motherboards.
The Unified Extensible Firmware Interface (UEFI) software is what connects a computer’s operating system with the firmware of the underlying hardware. UEFI code is the first to run during a computer’s booting sequence, ahead of the operating system and the security solutions available.
Malware in this software is not only very difficult to identify but also extremely persistent as it cannot be removed by reinstalling the operating system or by replacing the storage drive.
A report from Kaspersky provides the technical details of CosmicStrand: it sets up hooks to modify the operating system loader, takes control of the entire execution flow, and launches shellcode that fetches the payload from the command-and-control server. The research explains that the compromised firmware images came with a modified CSMCORE DXE driver, which enables a legacy boot process.
Researchers have connected CosmicStrand to a Chinese-speaking actor based on code patterns that were also seen in the MyKings crypto mining botnet, where malware analysts at Sophos found Chinese-language artifacts.
The first widespread report about a UEFI rootkit found in the wild, LoJax, came in 2018 from ESET; it was used in attacks by Russian hackers in the APT28 group (a.k.a. Sednit, Fancy Bear, Sofacy). Almost four years later, accounts of UEFI malware attacks in the wild have grown more frequent.
Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores
Malicious skimmer code designed to swipe sensitive information is being used by attackers to exploit a previously unknown security flaw in the open source PrestaShop e-commerce platform.
PrestaShop is one of the leading open-source e-commerce solutions in Europe and Latin America, used by nearly 300,000 online merchants worldwide.
The prime targets seem to be merchants running outdated versions of the platform, with the goal being to introduce malicious code capable of stealing payment information entered by customers on checkout pages. The PrestaShop maintainers also said they found a zero-day flaw in the software that has been addressed in version 22.214.171.124, although they cautioned that “we cannot be sure that it’s the only way for them to perform the attack.”
The issue in question is an SQL injection vulnerability affecting versions 126.96.36.199 or greater and is being tracked as CVE-2022-36408.
If successful, an attacker could submit a specially crafted request that grants the ability to execute arbitrary instructions, such as injecting a fake payment form on the checkout page to gather credit card information.
New Ducktail Infostealer Malware Targeting Facebook Business and Ad Accounts
An ongoing campaign known as Ducktail is targeting Facebook business and advertising accounts.
Beginning in the second half of last year, the attacks have targeted people in managerial, digital marketing and HR roles within companies and have been attributed to a Vietnamese actor.
The campaign tricks individuals into downloading supposed Facebook advertising information hosted on Dropbox, Apple iCloud and MediaFire. The download is in fact information-stealing malware, written in .NET Core, that uses Telegram for command-and-control and data exfiltration.
It works by scanning for installed browsers such as Google Chrome, Microsoft Edge, Brave Browser, and Mozilla Firefox. Once successful it begins to extract all the stored cookies and access tokens before taking advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account such as name, email address, date of birth, and user ID. Data from businesses and ad accounts connected to the victim’s personal account can also be obtained.
Data has shown a global targeting pattern spanning a number of countries, including the Philippines, India, Saudi Arabia, Italy, Germany, Sweden and Finland, but the success of this campaign is yet to be fully determined.
New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo
A new phishing as a service (PhaaS) platform named ‘Robin Banks’ has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services such as Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander.
Robin Banks is already being deployed in large-scale campaigns that started in mid-June, targeting victims via SMS and email according to a recent IronNet report.
This is the latest variation of phishing tactics used by a cybercrime group believed to be active since at least March 2022. It is sold in two price tiers: one offering single pages and 24/7 support for $50 per month, and another giving unlimited access to all templates and 24/7 support for $200 per month.
The Robin Banks dashboard provides reports on operations, lets operators create pages and custom phishing sites, and offers add-ons such as reCAPTCHA.
Despite being cheaper than other PhaaS platforms, Robin Banks is more sophisticated and user friendly, adding and updating templates to reflect changes in the targeted entities’ style and colour scheme, which has made it extremely popular with attackers.
In one campaign spotted by IronNet last month, an operator of Robin Banks targeted customers of Citibank via SMS messages that warned them about “unusual usage” of their debit card. Once a victim lands on the phishing site, it sends one POST request for each page the victim fills out. This works as a fail-safe to capture as many details as possible, since the phishing process may stop at any time because the victim becomes suspicious or for other reasons.
Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access
A new warning from the Microsoft 365 Defender Research Team stated that threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a “durable persistence mechanism.”
“IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.”
Attack chains taking this approach commence with exploiting a critical vulnerability in the hosted application for initial access, then use this foothold to drop a script web shell as the first-stage payload. This web shell then becomes the conduit for installing a rogue IIS module that provides highly covert and persistent access to the server, in addition to monitoring incoming and outgoing requests and running remote commands.
They are similar to attacks observed earlier this month and year by Kaspersky, such as the IIS malware called SessionManager used by the Gelsemium group, as well as the deployment of a backdoor called “FinanceSvcModel.dll” between January and May.
The best methods to combat these attacks include applying the latest security updates for server components as soon as possible, keeping antivirus and other protections enabled, reviewing sensitive roles and groups, and restricting access by practising the principle of least privilege and maintaining good credential hygiene.
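Because rogue IIS modules sit beside legitimate ones, a useful defensive check is to diff the modules registered in applicationHost.config against what IIS and .NET actually ship and against a known-good baseline from a clean server. The script below is an added example written for this review, not code from Microsoft or Kaspersky; it runs over a constructed applicationHost.config excerpt, and the `FinanceSvcModel` image path and the `TRUSTED_DIRS` list are assumptions for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Directories from which IIS and .NET ship their own native modules. A module
# registered from anywhere else (an application's bin folder, a temp path) is
# the pattern the Microsoft report describes: the backdoor sits beside the app.
TRUSTED_DIRS = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net\framework",   # also matches framework64
)

# Constructed sample applicationHost.config excerpt (not taken from any real
# server): three Microsoft-shipped modules plus one registered from wwwroot,
# named after the backdoor DLL mentioned above; the path is made up.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="ManagedEngine64" image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="FinanceSvcModel" image="C:\inetpub\wwwroot\app\bin\FinanceSvcModel.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def _normalize(path):
    """Lower-case and fold an expanded Windows dir back to %windir% so both forms compare."""
    return path.lower().replace(r"c:\windows", "%windir%")


def suspicious_modules(config_xml, baseline_names=None):
    """Return (name, image, reason) for every <globalModules> entry that either
    loads from outside TRUSTED_DIRS or, when a baseline is given, has a name the
    known-good server did not have (catches a rogue DLL dropped into inetsrv)."""
    root = ET.fromstring(config_xml)
    flagged = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            image_dir = _normalize(ntpath.dirname(image))
            if not any(image_dir.startswith(d) for d in TRUSTED_DIRS):
                flagged.append((name, image, "image outside trusted IIS/.NET directories"))
            elif baseline_names is not None and name not in baseline_names:
                flagged.append((name, image, "module name not in known-good baseline"))
    return flagged


if __name__ == "__main__":
    for name, image, reason in suspicious_modules(SAMPLE_CONFIG, {"StaticFileModule", "ManagedEngine64"}):
        print(f"{name}: {image} ({reason})")
```

On a live server the same check should be run against the real applicationHost.config under the inetsrv config directory, and any flagged DLL should also have its Authenticode signature and file timestamps reviewed before it is trusted.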
U.S. Offers $10 Million Reward for Information on North Korean Hackers
A reward of up to $10m has been offered by the US State Department for information on any individuals associated with North Korean government-linked cyber groups. Information that could help combat cyber espionage activities is being sought on groups such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky and the Lazarus Group, which are involved in targeting U.S. critical infrastructure.
A similar plea was made back in March of this year, but this new reward is double that amount. The development comes a week after the Justice Department disclosed the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments using a new ransomware strain known as Maui.
Andariel and Bluenoroff are said to be subgroups within the larger Lazarus Group and are known to target blockchain companies and conduct financially driven crime through rogue cryptocurrency wallet apps. The Lazarus Group is linked to seven cryptocurrency attacks last year, accounting for $400m. It has also been implicated in the hacks of Axie Infinity’s Ronin Network Bridge and Harmony Horizon Bridge in recent months.
Cyber-enabled financial theft and money laundering, ransomware, cryptojacking, and extortion operations are part of Pyongyang-aligned hackers’ tactical playbook to generate illegal revenue while mitigating the impact of sanctions.
Source – https://thehackernews.com/2022/07/us-offers-10-million-reward-for.html
Ince in emergency fund-raise with cost of cyber-attack put at £5m
Law firm Ince Group saw its share price drop to its lowest ever level this week after it announced that an £8.6m fund-raise was needed to ward off financial problems.
The fund-raise, prompted by the £5m cost of the ransomware attack the firm suffered back in March, coincided with the news that long-standing chief executive Adrian Biles is to step down.
An accelerated book-build today raised more than £7m from a share placement, while Ince is also taking out a £1.6m loan from its funding bank. The firm’s shares, which reached a peak of 191p in September 2018, have been on a downward trajectory since spring 2021, when they were around 80p, and the news today saw the price more than halve to just 5.4p.
Almost £1m worth of shares will be bought by executive director Donald Brown who is to succeed Mr. Biles. Fellow Arden directors James Reed-Daunter and Christopher Yates bought £100,000 and £50,000 of shares respectively to combat the impact Covid and the unforeseen events in Ukraine have caused. The net proceeds will be used to strengthen the group’s balance sheet, provide additional working capital and implement a “cost-rationalisation programme”.
Principally targeting non-client data and internal systems, the attack disrupted billings in the final weeks of FY22: the recording of hours worked had to move to a manual process, and the production of invoices by fee-earners was impossible for an extended period. The disruption to these systems was more prolonged than expected, resulting in the negative impact that occurred.
This is an example of how a cyberattack not only costs you in the immediate aftermath, in terms of downtime and loss of earnings, but also through the repercussions of negative publicity tanking your share price.