Thursday, August 3rd, 2023
Cybersecurity Week in Review (04/08/2023)
“Mysterious Team Bangladesh” Targeting India with DDoS Attacks and Data Breaches
A hacktivist group known as Mysterious Team Bangladesh has been linked to over 750 distributed denial-of-service (DDoS) attacks and 78 website defacements since June 2022.
The group most frequently attacks logistics, government, and financial sector organizations in India and Israel. The group is primarily driven by religious and political motives. Some of the other targeted countries include Australia, Senegal, the Netherlands, Sweden, and Ethiopia.
In addition, the threat actor is said to have gained access to web servers and administrative panels, likely by exploiting known security flaws or poorly-secured passwords. Mysterious Team Bangladesh, as the name indicates, is suspected to be of Bangladeshi origin. “We are working to protect Our Bangladesh Cyberspace,” the group’s Intro on Facebook reads.
The group has an active social media presence across Telegram and Twitter. Its LinkedIn profile lists “Operation Israel” as an ongoing project since June 2022, claiming it supports Palestine, that the “Israeli Government killing & torturing Palestine people’s,” and that “we will attacking their cyberspace until they stop killing Palestine People’s.”
Details about the threat actor first emerged in late 2022 when CloudSEK revealed its plans to attack entities in India. A December 2022 attack on India’s Central Board of Higher Education (CBHE) systems led to the exposure of personally identifiable information such as government identification numbers. The group has since been linked to DDoS attacks on several UAE government websites.
The very first attack campaign against India took place on June 22, 2022, with the group showcasing an affinity for government resources and the websites of banks and financial organizations.
The findings come as a pro-Russian hacktivist collective dubbed NoName057(16) has been linked to a fresh wave of disruptive DDoS attacks on Spanish and Italian websites in recent weeks.
CareSource Victim of Cl0p Attack, Patient Data Allegedly Leaked
Cl0p ransomware gang has leaked private patient data allegedly belonging to CareSource, one of the US’ largest Medicaid-managed healthcare plan providers.
The Russia-linked ransomware gang leaked a 40GB dataset that allegedly belongs to CareSource, an Ohio-based nonprofit organization providing public health care programs, including Medicaid, Medicare, and Marketplace.
The leaked dataset included a treasure trove of personal information, including full names, addresses, dates of birth, emails, and phone numbers. In addition, the cybercriminals leaked sensitive healthcare information such as drugs prescribed, risk groups, and patients’ treatment details.
“The company doesn’t care about its customers, it ignored their security!!!” wrote Cl0p on their website, hosted on the dark web, where the dataset was released.
The company most likely fell victim to a ransomware attack, which occurs when malware is installed onto the company’s internal systems and encrypts the data. Subsequently, cybercriminals demand a ransom for the decryption and if their demands are not met, they leak private data to the public.
The alleged data leak is dangerous since it contains sensitive private data and personally identifiable information (PII), which allows threat actors to launch targeted phishing campaigns. CareSource has over 2.3 million members.
The Cl0p ransomware gang emerged in 2019 and quickly became a prominent player in the ransomware landscape. By November 2021, their earnings were estimated to have reached as high as $500 million.
Despite a hiatus prompted by the arrest of key members in late 2021, Cl0p’s activities resumed in March. Since then, the gang has been extremely active, adding numerous victims daily. Among their victims are well-known companies such as Shell, Hitachi, Bombardier, Stanford University, Rubrik, and more.
Phishers Exploit Salesforce’s Email Services Zero-Day in Targeted Facebook Campaign
A sophisticated Facebook phishing campaign has been observed exploiting a zero-day flaw in Salesforce’s email services, allowing threat actors to craft targeted phishing messages using the company’s domain and infrastructure. The phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook’s Web Games platform.
The email messages masquerade as coming from Meta, while being sent from an email address with a “@salesforce.com” domain. They seek to trick recipients into clicking on a link by claiming that their Facebook accounts are undergoing a “comprehensive investigation” due to “suspicions of engaging in impersonation.”
The goal is to direct users to a rogue landing page that’s designed to capture the victim’s account credentials and two-factor authentication (2FA) codes. What makes the attack notable is that the phishing kit is hosted as a game under the Facebook apps platform using the domain apps.facebook[.]com.
It’s worth pointing out that Meta retired the Web Games feature in July 2020, although it’s possible to retain support for legacy games that were developed prior to its deprecation.
While sending out emails from a salesforce.com address entails a validation step, the scheme cleverly gets around these protective measures by configuring an Email-to-Case inbound routing email address that uses the salesforce.com domain and setting it up as the organization-wide email address.
Following responsible disclosure on June 28, 2023, Salesforce addressed the zero-day as of July 28, 2023, with new checks that prevent the use of email addresses from the @salesforce.com domain.
The development comes as increased phishing activity that employs Google Accelerated Mobile Pages (AMP) URLs to bypass security checks and conduct credential theft has been identified.
Ivanti Zero-Day Exploited by APT Since at Least April in Norwegian Government Attack
The recently patched zero-day vulnerability affecting Ivanti’s Endpoint Manager Mobile (EPMM) product has been exploited by an advanced persistent threat (APT) group since at least April 2023.
On Tuesday, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) published a joint advisory describing Ivanti product vulnerabilities and their use in attacks aimed at Norwegian organizations.
The attacks came to light on July 24, when Norwegian authorities announced that a dozen government ministries had been targeted in a cyberattack involving exploitation of CVE-2023-35078, an Ivanti EPMM zero-day that allows an unauthenticated hacker to obtain personally identifiable information and make changes to impacted systems.
A few days later, Ivanti revealed that CVE-2023-35078 can be exploited in conjunction with a second vulnerability, tracked as CVE-2023-35081, to bypass authentication and access control list (ACL) restrictions. The company warned that both vulnerabilities had been exploited in attacks.
According to the new advisory published by CISA and NCSC-NO, unnamed APT actors “exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.”
Chaining the two EPMM vulnerabilities allows hackers to gain privileged access to the system and execute uploaded files, including webshells. While it has yet to be confirmed, NCSC-NO believes the APT exploited CVE-2023-35081 to upload webshells on the EPMM device and run commands.
The attacker leveraged compromised SOHO routers — Asus routers have been named in the advisory — as a proxy.
EPMM, formerly known as MobileIron Core, is a mobile management software engine used by IT teams to set policies for mobile devices, applications, and content.
CISA and NCSC-NO said they are “concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because MDM systems provide elevated access to thousands of mobile devices.”
The advisory written by CISA and NCSC-NO includes indicators of compromise (IoCs), instructions for determining if a system is vulnerable, incident response steps, and mitigations.
Exploitation of the two zero-days could increase considering that there are thousands of potentially vulnerable internet-exposed systems and proof-of-concept (PoC) code for the flaws is becoming available.
European Bank Customers Targeted in SpyNote Android Trojan Campaign
Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023. The spyware is distributed through email phishing or smishing campaigns, and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attacks.
SpyNote, also called SpyMax, is similar to other Android banking Trojans in that it requires Android’s accessibility permissions in order to grant itself other necessary permissions and gather sensitive data from infected devices. What makes the malware strain notable is its dual function as spyware and as a tool for bank fraud.
The attack chains commence with a bogus SMS message urging users to install a banking app by clicking on the accompanying link, redirecting the victim to the legitimate TeamViewer QuickSupport app available on the Google Play Store.
The idea is to use TeamViewer as a conduit to gain remote access to the victim’s phone, and stealthily install the malware. The various kinds of information harvested by SpyNote include geolocation data, keystrokes, screen recordings, and SMS messages to bypass SMS-based two-factor authentication (2FA).
The disclosure comes as the hack-for-hire operation known as Bahamut has been linked to a new campaign targeting individuals in the Middle East and South Asia regions with the goal of installing a dummy chat app named SafeChat that conceals an Android malware dubbed CoverIm.
Delivered to victims via WhatsApp, the app has the same features as SpyNote, requesting accessibility and other permissions to collect call logs, contacts, files, location, and SMS messages, as well as to install additional apps and steal data from Facebook Messenger, imo, Signal, Telegram, Viber, and WhatsApp.
The tactics employed by this threat actor overlap with another nation-state actor known as the DoNot Team, which was recently observed utilizing rogue Android apps published to the Play Store to infect individuals located in Pakistan.
While the exact specifics of the social engineering aspect of the attack are unclear, Bahamut is known to rely on fictitious personas on Facebook and Instagram, pretending to be tech recruiters at large tech companies, journalists, students, and activists to trick unwitting users into downloading malware on their devices.
“Bahamut used a range of tactics to host and distribute malware, including running a network of malicious domains purporting to offer secure chat, file-sharing, connectivity services, or news applications,” Meta revealed in May 2023. “Some of them spoofed the domains of regional media outlets, political organizations, or legitimate app stores, likely to make their links appear more legitimate.”
Iran-Run ISP ‘Cloudzy’ Caught Supporting Nation-State APTs, Cybercrime Hacking Groups
Researchers have unmasked an Iranian-run company providing command-and-control services to more than 20 hacking groups, including ransomware operators, spyware vendors, and state-sponsored APT actors.
The company, identified as Cloudzy, is registered in the United States, but it is believed to be operated out of Tehran, Iran, by an individual named Hassan Nozari, likely in violation of US sanctions. The ISP acts as a command-and-control provider (C2P) for various types of threat actors, advertises its services as protecting user anonymity, and does not appear to respond when malicious activity is brought to its attention.
Cloudzy only requires a working email address for registration, never verifies the identity of customers, and accepts anonymous payment in cryptocurrencies. Although its terms and conditions prohibit the use of its services for illicit activities, it was found that the cloud provider asks abusers to pay a nominal fee to continue operations.
More than half of the servers hosted by Cloudzy appear to directly support malicious activities, mainly on infrastructure leased from a dozen other ISPs.
During a 90-day analysis of Cloudzy’s services, researchers discovered attack infrastructure associated with hacking groups tied to the Chinese, Iranian, Indian, North Korean, Pakistani, Russian, and Vietnamese governments, with the sanctioned Israeli spyware vendor Candiru, and with cybercrime rings and ransomware groups.
The investigation revealed the existence of two previously unreported ransomware groups that rely on Cloudzy as a C2P: Ghost Clown (seen deploying Cobalt Strike implants and Conti and BlackBasta ransomware) and Space Kook (relies on Cobalt Strike and the Quantum Locker and Royal ransomware).
It was also discovered that Cloudzy is a company registered in the United States, although it has no physical office in the country. Digging further, a connection was found with the Iranian firm abrNOC, also allegedly founded by Hassan Nozari, traced to Tehran, Iran.
Eight other individuals who appear to be employed at Cloudzy but are in Iran were identified, and a crossover between some of them and employees of abrNOC was discovered.
Cloudzy only exists on paper, with its so-called employees being the employees of abrNOC in Tehran. Some Cloudzy bloggers are either made up or employees of abrNOC.
Researchers Expose Space Pirates Cyber Campaign Across Russia and Serbia
The threat actor known as Space Pirates has been linked to attacks against at least 16 organizations in Russia and Serbia over the past year by employing novel tactics and adding new cyber weapons to its arsenal.
The cybercriminals’ main goals are still espionage and theft of confidential information, but the group has expanded its interests and the geography of its attacks. Targets comprise government agencies, educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy, and healthcare firms in Russia and Serbia.
Space Pirates was first exposed in May 2022, highlighted by its attacks on the aerospace sector in Russia. The group, said to be active since at least late 2019, has links to another adversary tracked by Symantec as Webworm.
Analysis of the attack infrastructure has revealed the threat actor’s interest in harvesting PST email archives as well as making use of Deed RAT, a malware artifact exclusively attributed to the adversarial collective.
Deed RAT is said to be a successor to ShadowPad, which in itself is an evolution of PlugX, both of which are widely used by Chinese cyber espionage crews. Under active development, the malware comes in both 32- and 64-bit versions and is equipped to dynamically retrieve additional plug-ins from a remote server.
This includes a Disk plug-in to enumerate files and folders, execute commands, write arbitrary files to disk, and connect to network drives, and a Portmap module that’s used for port forwarding.
Deed RAT also functions as a conduit to serve next-stage payloads such as Voidoor, a previously undocumented malware that is designed to contact a legitimate forum called Voidtools and a GitHub repository associated with a user named “hasdhuahd” for command-and-control (C2).
Voidtools is the developer of a freeware desktop search utility for Microsoft Windows called Everything, with its forum powered by an open-source forum software called MyBB. The primary goal of Voidoor is to log in to the forum using hard-coded credentials and access the user’s personal messaging system to look for a folder matching a particular victim ID.
Evidence shows that the accounts on GitHub and voidtools were registered sometime in November 2022.
Retail Chain Hot Topic Discloses Wave of Credential-Stuffing Attacks
American apparel retailer Hot Topic is notifying customers about multiple cyberattacks between February 7 and June 21 that resulted in exposing sensitive information to hackers.
Hot Topic is a retail chain specialized in counter-culture clothing and accessories, and licensed music, that has 675 stores across the U.S. It also operates an online shop with nearly 10 million visitors every month.
In a data breach notification today, the company explained that hackers used stolen account credentials and accessed the Rewards platform multiple times, potentially stealing customer data, too.
“We recently identified suspicious login activity to certain Hot Topic Rewards accounts,” reads the notice.
“Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on February 7, March 11, May 19-21, May 27-28, and June 18-21, 2023, using valid account credentials obtained from an unknown third-party source.”
The company says that the investigation determined that Hot Topic was not the source of the credentials, but it could not identify where they came from either. As part of the security measures implemented after the attacks, Hot Topic added “specific steps to safeguard our website and mobile application from” credential-stuffing attacks.
“Credential stuffing” is a type of cyberattack that relies on users reusing the same credentials across multiple online services. When a leak or data breach occurs, threat actors test the leaked username and password pairs against other online services, hoping some of them yield a successful login.
Hot Topic said that it could not discern between unauthorized and legitimate logins. As a result, it will notify all customers that had their accounts accessed during the cyberattacks.
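Because stuffing uses valid credentials, the individual login looks legitimate; the signal is in the aggregate. The example below is added here and is not Hot Topic’s code or from the original notice: it runs a simple detector over a constructed login log (hypothetical format, thresholds and IP addresses), flagging source addresses that spray many distinct accounts in a short window with mostly failed attempts, and then lists the accounts that did log in successfully from those sources as candidates for notification and password reset.

```python
"""Credential-stuffing detection over web/mobile login logs.

Added example, not from Hot Topic or the original article. The log format,
the thresholds and every sample value below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, source IP, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def _summarize(events):
    return {
        "attempts": len(events),
        "distinct_users": len({e["user"] for e in events}),
        "successes": sum(e["ok"] for e in events),
    }


def detect_stuffing(lines, min_users=5, max_success_rate=0.5,
                    window=timedelta(minutes=10)):
    """Return (flagged_ips, affected_accounts).

    A real user retries one or two accounts; a stuffing source tries many
    distinct usernames in a short window, and most attempts fail because only
    a fraction of the leaked pairs were reused on this site. An IP is flagged
    when any `window` of its attempts covers >= min_users distinct accounts
    with a success rate <= max_success_rate. Every account that logged in
    successfully from a flagged IP is reported as potentially compromised.
    """
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    flagged, affected = {}, set()
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {e["user"] for e in chunk}
            rate = sum(e["ok"] for e in chunk) / len(chunk)
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[ip] = _summarize(events)
                affected.update(e["user"] for e in events if e["ok"])
                break
    return flagged, sorted(affected)


# Constructed sample: one spraying source, one ordinary user mistyping a password.
SAMPLE_LOG = """
2023-02-07T03:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-02-07T03:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-02-07T03:00:03Z ip=203.0.113.7 user=carol result=OK
2023-02-07T03:00:04Z ip=203.0.113.7 user=dave result=FAIL
2023-02-07T03:00:05Z ip=203.0.113.7 user=erin result=FAIL
2023-02-07T03:00:06Z ip=203.0.113.7 user=frank result=OK
2023-02-07T03:00:07Z ip=203.0.113.7 user=grace result=FAIL
2023-02-07T08:15:00Z ip=198.51.100.2 user=heidi result=FAIL
2023-02-07T08:15:20Z ip=198.51.100.2 user=heidi result=FAIL
2023-02-07T08:15:45Z ip=198.51.100.2 user=heidi result=OK
malformed line that the parser skips
""".strip().splitlines()

if __name__ == "__main__":
    sources, accounts = detect_stuffing(SAMPLE_LOG)
    print("flagged sources:", sources)
    print("accounts to notify:", accounts)
```

In production the same logic belongs on the authentication service or WAF with thresholds tuned to real traffic, and the per-IP key should be widened to cover distributed sources (ASN, user-agent fingerprint, or account-side velocity).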
The information that may have been exposed to hackers includes:
- Full name
- Email address
- Order history
- Phone number
- Date of birth
- Shipping address
- Last four digits of saved payment cards
The company has clarified that malicious access or exfiltration of the above information has not yet been verified, but it is notifying potentially breached account holders out of an abundance of caution.
Hot Topic also sends emails to impacted customers containing instructions on resetting account passwords, advising them to pick a strong and unique password. If you are a Hot Topic customer, resetting your account credentials on other platforms where you might be using the same credentials would be wise.
China’s APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe
A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems.
The attacks are being attributed to hacking crew APT31, which is also tracked under the monikers Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), citing commonalities in the tactics observed.
The attacks entailed the use of more than 15 distinct implants and their variants, broken down into three broad categories based on their ability to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure.
One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of industrial organizations in Eastern Europe. The other type of implant is designed for stealing data from a local computer and sending it to Dropbox with the help of the next-stage implants.
One set of backdoors includes various versions of a malware family called FourteenHi that have been put to use since at least mid-March 2021 and which come with a broad spectrum of features to upload and download arbitrary files, run commands, start a reverse shell, and erase their own presence from the compromised hosts.
A second first-stage backdoor used for remote access and initial data gathering is MeatBall, which possesses capabilities to list running processes, enumerate connected devices, perform file operations, capture screenshots, and update itself.
Also discovered is a third type of first-stage implant that makes use of Yandex Cloud for command-and-control, mirroring similar findings from Positive Technologies in August 2022 detailing APT31 attacks targeting Russian media and energy companies.
APT31 has also been observed utilizing dedicated implants for gathering local files as well as exfiltrating data from air-gapped systems by infecting removable drives.
The latter malware strain consists of at least three modules, with each component responsible for different tasks, such as profiling and handling removable drives, recording keystrokes and screenshots, and planting second-step malware on newly connected drives.
While the aforementioned attack chains are expressly engineered for the Windows environment, there is evidence that APT31 has set its sights on Linux systems as well.
Earlier this month, attacks likely carried out by the adversary against South Korean companies were identified with the goal of infecting the machines with a backdoor called Rekoobe.
Israel’s Largest Oil Refinery Website Offline After DDoS Attack
The website of Israel’s largest oil refinery operator, BAZAN Group is inaccessible from most parts of the world as threat actors claim to have hacked the Group’s cyber systems.
The Haifa Bay-based BAZAN Group, formerly Oil Refineries Ltd., generates over $13.5 billion in annual revenue and employs more than 1,800 people. The company boasts a total oil refining capacity of about 9.8 million tons of crude oil per year.
Over the weekend, incoming traffic to BAZAN Group’s websites, bazan.co.il and eng.bazan.co.il, was either timing out, returning HTTP 502 errors, or being refused by the company’s servers. The website was, however, accessible from within Israel, possibly after BAZAN imposed a geo-block in an attempt to thwart an ongoing cyber attack.
In a Telegram channel, the Iranian hacktivist group ‘Cyber Avengers,’ aka ‘CyberAv3ngers,’ claimed that it had breached BAZAN’s network over the weekend.
On Saturday evening, the group additionally leaked what appeared to be screenshots of BAZAN’s SCADA systems, which are software applications used to monitor and operate industrial control systems. These included diagrams of “Flare Gas Recovery Unit,” “Amine Regeneration” system, a petrochemical “Splitter Section,” and PLC code, as seen by BleepingComputer.
In a statement, a BAZAN spokesperson dismissed the leaked materials as “entirely fabricated.”
“We are aware of recent false publications regarding a hostile group’s attempt to carry out a cyber-attack on Bazan. Please note that the information and images being circulated are entirely fabricated and have no association with Bazan or its assets. While our image website briefly experienced disruption during a DDoS attack, no damage was observed to the company’s servers or assets. This appears to be an act of propaganda aimed at spreading misinformation and causing a consciousness effect.”
“Our cybersecurity measures are vigilant, we are working closely with the Israeli National Cyber Directorate and our partners to monitor any suspicious activity to ensure the safety and integrity of our operations.”
The hacktivist group further implied that it had breached the petrochemicals giant via an exploit targeting a firewall at the company.
Lastly, CyberAvengers claims responsibility for the 2021 fires at the Haifa Bay petrochemical plants caused by a pipeline malfunction. In 2020, the same group of threat actors also claimed attacks on 28 Israeli railway stations by targeting more than 150 industrial servers.