Thursday, January 26th, 2023

Cybersecurity Week in Review (27/1/23)

Hive ransomware disrupted after FBI hacks gang’s systems

The Hive ransomware operation’s Tor payment and data leak sites were seized as part of an international law enforcement operation after the FBI infiltrated the gang’s infrastructure last July.

Today, the US Department of Justice and Europol announced that an international law enforcement operation secretly infiltrated the Hive ransomware gang’s infrastructure in July 2022 and monitored the operation for five months. Since late July 2022, the FBI has been inside Hive’s computer networks, where it captured the gang’s decryption keys and offered them to victims worldwide, sparing those victims from paying the $130 million in ransom demanded.

The ransomware gang’s Tor web sites now display a seizure notice listing a wide range of other countries involved in the law enforcement operation, including Germany, Canada, France, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom. Unlike previous seizure messages used by law enforcement, this image is an animated GIF rotating between a message in English and Russian, warning other ransomware gangs about the operation.

The Hive cybercriminal gang is run as a ransomware-as-a-service (RaaS) operation that launched in June 2021. They are known to breach organisations through phishing campaigns, exploiting vulnerabilities in internet-exposed devices, and through purchased credentials.

Once they gain access to a corporate network, the threat actors spread laterally to other devices while stealing unencrypted data to be used in double-extortion demands. When they gain admin access to a Windows domain controller, they deploy their ransomware throughout the network to encrypt all devices. Unlike many ransomware operations that claim to avoid emergency services and healthcare entities, Hive is not particular about who they target.

The ransomware group is responsible for many victims, including attacks on the non-profit Memorial Health System, retail giant MediaMarkt, Bell Technical Solutions (BTS), Tata Power, and the New York Racing Association. In November 2022, the FBI stated that the ransomware operation had generated approximately $100 million from over 1,500 companies since June 2021.

Source –

U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software

At least two federal agencies in the U.S. fell victim to a widespread cyber campaign that involved the use of legitimate remote monitoring and management (RMM) software to perpetuate a phishing scam. This was announced as a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

The attacks, which took place in mid-June and mid-September 2022, were financially motivated, although threat actors could weaponise the unauthorised access for a wide range of activities, including selling that access to other hacking crews. Specifically, cyber-criminal actors sent phishing emails that led to the download of legitimate RMM software – ScreenConnect (now ConnectWise Control) and AnyDesk – which the actors used in a refund scam to steal money from victims’ bank accounts.

Use of remote access software by criminal groups has long been a concern, as it offers an effective pathway to establish local user access on a host without needing to elevate privileges or obtain a foothold by other means. In one instance, the threat actors sent a phishing email containing a phone number to an employee’s government email address, directing the individual to a malicious domain. The emails, CISA said, are part of help desk-themed social engineering attacks orchestrated by the threat actors since at least June 2022 targeting federal employees.

The subscription-related missives either contain a first-stage rogue domain or engage in a tactic known as callback phishing to entice the recipients into calling an actor-controlled phone number, where they are told to visit the same domain. Irrespective of the approach used, the malicious domain triggers the download of a binary that then connects to a second-stage domain to retrieve the RMM software in the form of portable executables. The end goal is to leverage the RMM software to initiate a refund scam. This is achieved by instructing the victims to log in to their bank accounts, after which the actors modify the bank account summary to make it appear as though the individual was mistakenly refunded an excess amount of money.

In the final step, the scam operators urge the email recipients to refund the additional amount, effectively defrauding them of their funds.

Source –

PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration

A new attack campaign has been identified that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems, active since at least August 2022. The malware, dubbed PY#RATION, comes with a host of capabilities that allow the threat actor to harvest sensitive information. Later versions of the backdoor also sport evasion techniques, suggesting that it is being actively developed and maintained.

The malware is unique in its utilisation of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration. The attack commences with a phishing email containing a ZIP archive, which, in turn, harbors two shortcut (.LNK) files that masquerade as front and back side images of a seemingly legitimate U.K. driver’s license.

Opening each of the .LNK files retrieves two text files from a remote server that are subsequently renamed to .BAT files and executed stealthily in the background, while the decoy image is displayed to the victim. Also downloaded from a C2 server is another batch script that is engineered to retrieve additional payloads from the server, including the Python binary (“CortanaAssistance.exe”). The choice of Cortana, Microsoft’s virtual assistant, indicates an attempt to pass off the malware as a system file.
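The lure described above hinges on shortcut files carrying an image-like name. A mail gateway or triage script can catch that combination without executing anything, because a Windows shortcut always begins with a fixed header (HeaderSize 0x4C and the Shell Link CLSID). The following is an added example written for this digest, not code from the researchers or from the malware; the archive it inspects is constructed in memory to mirror the reported “front and back of a driving licence” pair.

```python
import io
import zipfile

# Shell Link (.LNK) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions an attacker places in front of ".lnk" so the file reads as a document scan.
DECOY_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf")


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with the Shell Link header and CLSID."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member name, reason) for archive entries that look like disguised shortcuts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            lower = name.lower()
            head = archive.read(info)[:64]
            if lower.endswith(".lnk"):
                stem = lower[:-4]
                if stem.endswith(DECOY_EXTS):
                    findings.append((name, "shortcut with image-like double extension"))
                else:
                    findings.append((name, "shortcut file inside attachment"))
            elif is_lnk(head):
                # Renamed shortcut: the extension lies, the header does not.
                findings.append((name, "shortcut content under a non-.lnk name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample resembling the lure: two shortcuts posing as licence scans."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("driving_licence_front.jpg.lnk", LNK_MAGIC + b"\x00" * 32)
        archive.writestr("driving_licence_back.jpg.lnk", LNK_MAGIC + b"\x00" * 32)
        archive.writestr("notes.txt", b"plain text, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_archive()):
        print(f"{member}: {reason}")
```

The header check matters more than the name check: Explorer hides the `.lnk` extension, so the only reliable signal a gateway has is the file content, and the same check flags a shortcut that has been renamed to `.jpg` outright.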

Two versions of the trojan have been detected (versions 1.0 and 1.6). The newer variant adds nearly 1,000 lines of code to support network scanning for reconnaissance of the compromised network and to conceal the Python code behind an encryption layer using the fernet module. Other noteworthy functionalities comprise the ability to transfer files from host to C2 or vice versa, record keystrokes, execute system commands, extract passwords and cookies from web browsers, capture clipboard data, and check for the presence of antivirus software.

PY#RATION also functions as a pathway for deploying more malware, which consists of another Python-based info-stealer designed to siphon data from web browsers and cryptocurrency wallets.

The origins of the threat actor remain unknown, but the nature of the phishing lures suggests that the intended targets are likely in the U.K. or North America.

Source –

Zacks Investment Research data breach affects 820,000 clients

Hackers breached Zacks Investment Research (Zacks) company last year and gained access to personal and sensitive information belonging to 820,000 customers. Zacks discovered at the end of last year that some customer records had been accessed without authorisation. An internal investigation into the incident determined that a threat actor gained access to the network somewhere between November 2021 and August 2022.

It is unclear if any data was stolen but the information exposed during the breach includes full names, addresses, phone numbers, email addresses, and user passwords for the website. Such details might have made it possible for unauthorised users to access Zacks accounts and, by extension, any additional information stored on them.

It appears that the data set belongs to a specific set of customers. In the data breach notice delivered to affected individuals, the company clarifies that the incident impacted only customers of the Zacks Elite product that joined between November 1999 and February 2005.

Also, the investment research firm says it has no evidence that financial data has been exposed due to the security breach. The company says that it also implemented extra security measures on the network and is actively working with an external cybersecurity specialist to develop and install additional protection systems in the immediate future. Users impacted by this security incident are advised to remain vigilant against incoming communications, as scammers can now use their phone numbers and email addresses.

Source –

North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks

A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a sprawling credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy.

The state-aligned threat actor is tracked under the name TA444, and by the wider cybersecurity community as APT38, BlueNoroff, Copernicium, and Stardust Chollima. The advanced persistent threat is something of an aberration among state-sponsored groups in that its operations are financially motivated and geared towards generating illicit revenue for the Hermit Kingdom, as opposed to espionage and data theft.

The attacks employ phishing emails, typically tailored to the victim’s interests, that are laden with malware-laced attachments such as LNK files and ISO optical disk images to trigger the infection chain. Other tactics include the use of bogus and compromised LinkedIn accounts belonging to legitimate company executives to approach and engage with targets prior to delivering booby-trapped links.

More recent campaigns in early December 2022, however, have witnessed a significant deviation, wherein the phishing messages prompted the recipients to click on a URL that redirected to a credential harvesting page. The email blast, which abused email marketing tools like SendGrid to distribute the phishing links, targeted several verticals besides the financial sector, including education, government, and healthcare, in the U.S. and Canada.

The experimentation aside, TA444 has also been observed expanding the functionality of CageyChameleon (aka CabbageRAT) to further aid in victim-profiling, while also maintaining a wide arsenal of post-exploitation tools to facilitate theft. It’s not immediately clear what prompted TA444 to branch out its attack repertoire, although it’s suspected that it could be a moonlighting effort undertaken to pivot beyond its traditional targets. Alternatively, there is the possibility of a different threat actor hijacking TA444’s infrastructure.

The findings come as the U.S. Federal Bureau of Investigation (FBI) accused the BlueNoroff actors of carrying out the theft of $100 million in cryptocurrency from Harmony Horizon Bridge in June 2022.

Source –

Riot Games confirms ransomware

Riot Games has refused to pay the ransom demanded by hackers who targeted the gaming company in an unexpected social engineering attack last week. The popular game developer shared the news about a ransom email it received, while also reiterating that player data had not been compromised in the attack. The attack had shut down production offices late Friday, interfering with the company’s scheduled patch releases for multiple games.

It was also revealed to followers that hackers were able to steal sensitive source code from two fan-favorite games, League of Legends and Teamfight Tactics, as well as from one of their legacy anti-cheat platforms. The illegally obtained source code also includes a number of experimental features, although some of the features were still in development and not necessarily guaranteed to be part of future releases.

The California-based firm confirmed both in-house security teams and outside consultants were actively working with law enforcement, while substantial progress in the investigation had been made. Riot Games said they plan to release a full report detailing the attacker’s techniques, the areas where Riot’s security controls failed, and the steps taken to ensure it doesn’t happen again.

Source –

Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages

A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that’s been believed to be active since at least 2017.

According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named “track[.]violetlovelines[.]com” that’s designed to redirect visitors to unwanted sites. The latest operation is said to have been under way since December 26, 2022, with a prior wave seen in early December 2022 impacting more than 3,600 sites. Another set of attacks recorded in September 2022 ensnared more than 7,000 sites.

The rogue code is inserted in the WordPress index.php file, with Sucuri noting that it has removed such changes from more than 33,000 files on the compromised sites in the past 60 days. In recent months, this malware campaign has gradually switched from the notorious fake CAPTCHA push notification scam pages to black hat ‘ad networks’ that alternate between redirects to legitimate, sketchy, and purely malicious websites. Thus, when unsuspecting users land on one of the hacked WordPress sites, a redirect chain is triggered by means of a traffic direction system, landing the victims on pages serving sketchy ads about products that ironically block unwanted ads.
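A clean WordPress index.php is a handful of PHP lines and contains no markup at all, which makes the injection described above easy to audit for. The script below is an added example for this digest, not Sucuri’s tooling; it checks that the file starts with the PHP opener, flags any script tag (matching the redirect domain named in the report, kept de-fanged in the source), and looks for common obfuscation constructs. The tampered sample is constructed inline.

```python
import re

# Redirect domain from the report, stored de-fanged and re-fanged only for matching.
KNOWN_BAD_DOMAINS = {"track[.]violetlovelines[.]com"}
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
OBFUSCATION_RE = re.compile(
    r"eval\s*\(|String\.fromCharCode|atob\s*\(|(?:\\x[0-9a-f]{2}){8,}", re.IGNORECASE
)

# Stock WordPress index.php (the real file's content, used here as the clean baseline).
CLEAN_INDEX_PHP = """<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 */
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


# Constructed tampered copy: a loader tag prepended before the PHP opener.
TAMPERED_INDEX_PHP = (
    "<script src='https://" + refang("track[.]violetlovelines[.]com")
    + "/js/app.js' type='text/javascript'></script>" + CLEAN_INDEX_PHP
)


def host_of(url: str) -> str:
    """Extract the host from an absolute or protocol-relative URL."""
    stripped = re.sub(r"^(?:https?:)?//", "", url.strip())
    return stripped.split("/")[0].lower()


def audit_index_php(content: str) -> list:
    """Return findings describing why this index.php looks tampered with (empty if clean)."""
    findings = []
    if not content.lstrip().startswith("<?php"):
        findings.append("content precedes the <?php opener")
    bad_hosts = {refang(d) for d in KNOWN_BAD_DOMAINS}
    src_tags = 0
    for match in SCRIPT_SRC_RE.finditer(content):
        src_tags += 1
        host = host_of(match.group(1))
        if host in bad_hosts:
            findings.append(f"script loaded from known redirect domain {host}")
        else:
            findings.append(f"external script tag in index.php ({host})")
    inline_tags = len(re.findall(r"<script\b", content, re.IGNORECASE)) - src_tags
    if inline_tags > 0:
        findings.append(f"{inline_tags} inline script block(s) in index.php")
    if OBFUSCATION_RE.search(content):
        findings.append("obfuscated JavaScript constructs present")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_INDEX_PHP), ("tampered", TAMPERED_INDEX_PHP)):
        print(label, audit_index_php(sample) or "no findings")
```

Run it over every index.php under the web root (and over theme and plugin PHP files, which the campaign also touches) and treat any finding as grounds to restore the file from a known-good copy rather than editing it in place.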

The website for one such ad blocker named Crystal Blocker is engineered to display misleading browser update alerts to trick the users into installing its extension depending on the web browser used. The browser extension is used by nearly 110,000 users spanning Google Chrome (60,000+), Microsoft Edge (40,000+), and Mozilla Firefox (8,635). While the extensions have ad blocking functionality, there is no guarantee that they are safe to use — and may contain undisclosed functions in the current version or in future updates. Some of the redirects also fall into the outright nefarious category, wherein the infected websites act as a conduit for initiating drive-by downloads.

This also includes retrieving from Discord CDN an information-stealing malware known as Raccoon Stealer, which is capable of plundering sensitive data such as passwords, cookies, autofill data from browsers, and crypto wallets. The findings come as threat actors are setting up lookalike websites for a variety of legitimate software to distribute stealers and trojans through malicious ads in Google search results.

To mitigate such threats, WordPress site owners are advised to change passwords and update installed themes and plugins as well as remove those that are unused or abandoned by their developers.

Source –

Emotet Malware Makes a Comeback with New Evasion Techniques

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially re-emerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that’s distributed via phishing emails.

Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the virus has evolved from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.

The two latest additions to Emotet’s module arsenal comprise an SMB spreader that’s designed to facilitate lateral movement using a list of hard-coded usernames and passwords, and a credit card stealer that targets the Chrome web browser. Recent campaigns involving the botnet have leveraged generic lures with weaponised attachments to initiate the attack chain. But with macros becoming an obsolete method of payload distribution and initial infection, the attacks have latched on to other approaches to sneak Emotet past malware detection tools.

The method involves instructing victims to move the decoy Microsoft Excel files to the default Office Templates folder in Windows, a location trusted by the operating system, to execute malicious macros embedded within the documents to deliver Emotet. The social engineering twist makes it possible to bypass Mark of the Web (MotW) protections, which load the Office files downloaded from the internet in Protected View, a read-only mode with macros and other content disabled.
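The Templates trick works because Office treats its templates folder as a trusted location, so a file that is moved there is opened with macros enabled even though the Zone.Identifier stream that marks it as downloaded is still attached to it. That leftover stream is exactly what a defender can audit for. The following is an added example written for this digest, not code from the Emotet reporting; the default templates path under %APPDATA% is an assumption about a stock Office install and should be checked against the Trust Center configuration of the estate being audited.

```python
import os
from pathlib import Path

# Office formats that can carry VBA macros (legacy binary formats included).
MACRO_CAPABLE = {".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".xls", ".xlt", ".doc", ".dot"}
# Assumed default personal templates folder (a trusted location on a stock install).
DEFAULT_TEMPLATES = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Templates"


def parse_zone_identifier(text: str):
    """Parse a Zone.Identifier stream; return ZoneId (3 = Internet) or None if absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone_identifier(path: Path):
    """Read the NTFS alternate data stream; None when absent or the volume is not NTFS."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def classify(filename: str, zone) -> str:
    """Risk label for a file found inside a trusted templates folder."""
    if Path(filename).suffix.lower() not in MACRO_CAPABLE:
        return "ignore"
    if zone is not None and zone >= 3:
        return "high: downloaded macro-capable file placed in a trusted location"
    return "review: macro-capable file in a trusted location"


def audit_templates(folder=DEFAULT_TEMPLATES) -> list:
    """Walk the templates folder and report macro-capable files, worst first."""
    folder = Path(folder)
    findings = []
    if not folder.is_dir():
        return findings
    for path in folder.rglob("*"):
        if path.is_file():
            label = classify(path.name, read_zone_identifier(path))
            if label != "ignore":
                findings.append((str(path), label))
    findings.sort(key=lambda item: not item[1].startswith("high"))
    return findings


if __name__ == "__main__":
    for path, label in audit_templates():
        print(f"{label}: {path}")
```

Files tagged “high” are the ones that arrived from the internet and were then moved into the trusted location, which is the sequence the lure asks the victim to perform; a legitimately authored template normally carries no Zone.Identifier stream at all.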

The development points to Emotet’s steady attempts to retool itself and propagate other malware, such as Bumblebee and IcedID.

Source –

Hackers use Golang source code interpreter to evade detection

A Chinese-speaking hacking group tracked as ‘DragonSpark’ was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organisations in East Asia. DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more.

The threat actors leverage compromised infrastructure in China, Taiwan, and Singapore to launch their attacks. The threat actors access vulnerable MySQL and web server endpoints by deploying webshells through SQL injection, cross-site scripting, or web server vulnerabilities. Next, the attackers deploy SparkRAT, a Golang-based open-source tool that can run on Windows, macOS, and Linux, offering feature-rich remote access functionality.

SparkRAT supports 26 commands received from the C2 to perform the following functions:

  • Remotely execute PowerShell and Windows system commands.
  • Manipulate Windows functions and force shutdown, restart, or suspension.
  • Perform file actions like download, upload, or deletion.
  • Steal system information or capture screenshots and exfiltrate them to the C2.

SparkRAT uses the WebSocket protocol to communicate with the C2 server, and can automatically upgrade itself, constantly adding new features. Besides SparkRAT, ‘DragonSpark’ also uses the SharpToken and BadPotato tools for privilege escalation and the GotoHTTP tool for establishing persistence on the breached system.

What makes the campaign stand out is the use of Golang source code interpretation to execute code from Go scripts embedded in the malware binaries. The Go script opens a reverse shell to which the threat actors connect using Meterpreter for remote code execution. The malware uses the Yaegi framework to interpret, at runtime, base64-encoded source code stored within the compiled binary, so the code runs without being compiled first and sidesteps static analysis. This is a complex but effective way of hindering static analysis, as most security software evaluates the behaviour of compiled code rather than source code.
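The flip side of that technique is that the source has to be present somewhere in the binary, and base64 text is easy to carve out and decode. The scanner below, an added example for this digest rather than the researchers’ tooling, extracts long base64 runs from a file, decodes them, and reports any that look like a Go program; it also checks for the interpreter’s module path (github.com/traefik/yaegi, known from the Yaegi project itself, not from the report). The binary it scans is a constructed stand-in built inline.

```python
import base64
import binascii
import re

B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{80,}={0,2}")
GO_MARKERS = (b"package main", b"func main(", b'import "', b"import (")
# Module path of the Yaegi interpreter (from the project, not from the report).
YAEGI_IMPORT = b"github.com/traefik/yaegi"


def decoded_base64_runs(blob: bytes):
    """Yield (offset, decoded bytes) for every long base64-looking run that decodes cleanly."""
    for match in B64_RUN_RE.finditer(blob):
        try:
            yield match.start(), base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue


def find_embedded_go_source(blob: bytes) -> list:
    """Report decoded runs that contain at least two Go source markers."""
    hits = []
    for offset, decoded in decoded_base64_runs(blob):
        markers = [m for m in GO_MARKERS if m in decoded]
        if len(markers) >= 2:
            hits.append({
                "offset": offset,
                "markers": len(markers),
                "preview": decoded[:40].decode("ascii", "replace"),
            })
    return hits


def embeds_interpreter(blob: bytes) -> bool:
    """True if the binary carries the Yaegi module path in its string table."""
    return YAEGI_IMPORT in blob


def build_sample_binary() -> bytes:
    """Constructed stand-in for a compiled binary carrying base64-encoded Go source."""
    go_source = (b'package main\n\nimport "fmt"\n\nfunc main() {\n'
                 b'\tfmt.Println("interpreted at runtime")\n}\n')
    return (b"\x7fELF" + bytes(range(256)) + YAEGI_IMPORT + b"\x00"
            + base64.b64encode(go_source) + b"\x00" * 16)


def scan_file(path: str) -> dict:
    """Scan a file on disk with both checks."""
    with open(path, "rb") as handle:
        blob = handle.read()
    return {"interpreter": embeds_interpreter(blob), "sources": find_embedded_go_source(blob)}


if __name__ == "__main__":
    sample = build_sample_binary()
    print("yaegi present:", embeds_interpreter(sample))
    for hit in find_embedded_go_source(sample):
        print(f"offset {hit['offset']}: {hit['markers']} markers, starts {hit['preview']!r}")
```

The two signals are independent on purpose: a sample can strip the obvious package strings while still needing the interpreter, and a dropper can carry the encoded source without linking Yaegi itself, so either one alone is worth a closer look.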

Also, all of the open-source tools used by DragonSpark were developed by Chinese authors, which strongly indicates that the threat actors have ties to the country. DragonSpark used compromised networks in Taiwan, Hong Kong, China, and Singapore belonging to gambling-related companies, art galleries, travel agencies, and schools.

Source –

LastPass owner GoTo says hackers stole customers’ backups

LastPass’ parent company GoTo — formerly LogMeIn — has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems.

The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an unauthorised party had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data. GoTo, which bought LastPass in 2015, said at the time that it was investigating the incident.

Now, almost two months later, GoTo said in an updated statement that the cyberattack impacted several of its products, including the business communications tool Central, its online meetings service, the hosted VPN service Hamachi, and its Remotely Anywhere remote access tool. GoTo said the intruders exfiltrated customers’ encrypted backups from these services — as well as the company’s encryption key for securing the data.

The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information. While Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.

Despite the delay, GoTo provided no remediation guidance or advice for affected customers. GoTo said the company does not store customers’ credit card or bank details, or collect personal information, such as date of birth, home address, or Social Security numbers. That’s in sharp contrast to the hack affecting its subsidiary, LastPass, during which attackers stole the contents of customers’ encrypted password vaults, along with customers’ names, email addresses, phone numbers, and some billing information.

GoTo did not say how many customers are affected; the company has 800,000 customers in total. It is contacting affected customers directly and advising those impacted to reset passwords and reauthorise MFA settings out of caution.

Source –

FanDuel warns of data breach after customer info stolen in vendor hack

The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails. On January 13th, MailChimp confirmed it had suffered a breach after hackers stole an employee’s credentials in a social engineering attack.

Using these credentials, the threat actors accessed an internal MailChimp customer support and administration tool to steal the audience data for 133 customers. This audience data is different for each MailChimp customer but commonly contains the email addresses and names of customers, or potential customers, that are used to send marketing emails.

Last Thursday, FanDuel emailed customers to warn them that the threat actors acquired their names and email addresses during the MailChimp breach. No customer passwords, financial account information, or other personal information was acquired in the incident. FanDuel urges customers to remain vigilant against phishing attacks and attempted account takeovers after their data was exposed in this recent breach.

FanDuel accounts are in high demand, with threat actors actively performing credential-stuffing attacks to hack customers’ accounts. These accounts are sold on cybercrime marketplaces for as little as $2, depending on an account’s balance or linked payment information. Enabling MFA on a FanDuel account using an authentication app will make it much harder for accounts to be stolen, even if a threat actor gains access to a customer’s credentials.

Source –


    Copyright Smarttech247 - 2021