Thursday, March 30th, 2023
Cybersecurity Week in Review (31/03/2023)
UK Sets Up Fake Booter Sites To Muddy DDoS Market
The National Crime Agency (NCA) of the United Kingdom has established fake DDoS-for-hire websites that aim to gather information on users, caution them about the illegality of launching DDoS attacks, and generally increase the level of suspicion among individuals seeking to employ such services. According to the NCA, all of its bogus “booter” or “stresser” sites, which have been accessed by several thousand individuals so far, have been designed to resemble legitimate sites that provide the tools and services cybercriminals need to carry out these attacks. The NCA has not disclosed how many fake booter sites it has established or how long they have been operational. In the United Kingdom, hiring or launching attacks intended to disrupt websites or users is a criminal offence punishable under the Computer Misuse Act 1990. This campaign by the NCA follows closely on the heels of an international law enforcement operation that shut down four dozen websites that had made powerful DDoS attacks as simple as point-and-click.
MacStealer Malware Plucks Bushels of Data From Apple Users
There is a new malware on the loose that steals information from Apple’s macOS operating system, taking documents, iCloud keychain data (such as passwords), browser cookies, and other data from unsuspecting users. Dubbed “MacStealer,” the malware is available for only $100 per build on the cyber underground, which explains why there has been a surge in the number of MacStealer samples detected recently, according to a recent analysis by Uptycs. The malware affects the Catalina version of macOS as well as subsequent versions that use Intel M1 and M2 CPUs. The researchers also discovered that the malware uses the encrypted Telegram messaging platform for command-and-control (C2). To spread the malware, the operators are targeting users who can easily be duped into downloading .DMG files, which are containers for macOS applications. Fake apps in app stores, piracy websites, and email attachments are all potential ways for the malware to reach victims. This is only the latest malware to target Macs in recent months, with pirated versions of Apple’s Final Cut Pro software and the previously unknown, highly targeted macOS spyware “CloudMensis” being two other examples.
OpenAI Confirms ChatGPT Data Breach Caused by Open Source Library Bug
OpenAI, the creator of ChatGPT, has confirmed that a data breach occurred due to a bug in an open source library, while a cybersecurity firm detected an actively exploited vulnerability in a newly introduced component. The issue was caused by a change made on March 20, which affected ChatGPT’s use of Redis-py, an open source Redis client library that serves as a Python interface to Redis. As a result of the bug, chat data belonging to other users was displayed to ChatGPT users. The data breach exposed the titles of active users’ chat history, the first message of a newly created conversation, and payment-related information belonging to 1.2% of ChatGPT Plus subscribers. OpenAI has notified affected users and assured them that there is no ongoing risk to their data. In addition to the data breach, a newly introduced ChatGPT feature that expands the chatbot’s information-collecting capabilities through the use of plugins was found to have a potentially serious information disclosure vulnerability, which GreyNoise has already seen attempts to exploit in the wild.
WiFi protocol flaw allows attackers to hijack network traffic
According to a paper published by researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef this week, exploiting a vulnerability in the power-save mechanisms of endpoint devices can allow attackers to intercept client and web traffic or hijack TCP connections. The technique involves tricking access points into leaking data frames in plaintext or encrypting them using an all-zero key. This is achieved by taking advantage of the fact that most Wi-Fi stacks do not adequately purge their transmit queues when the security context changes. Attackers can manipulate the security context to leak frames from the queue and override the client’s security context used by an access point to receive packets intended for the victim. It is important to note that this attack requires the targeted party to be connected to a hotspot-like network.
Mélofée: Researchers Uncover New Linux Malware Linked to Chinese APT Groups
New AlienFox toolkit steals credentials for 18 cloud services
It’s concerning to hear about the AlienFox toolkit and its ability to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services. The toolset targets popular services like online hosting frameworks and collects lists of misconfigured cloud endpoints to search for sensitive configuration files commonly used to store secrets, such as API keys, account credentials, and authentication tokens. The targeted secrets are for cloud-based email platforms like 1and1, AWS, Google Workspace, and Zoho, among others. Additionally, AlienFox includes separate scripts to establish persistence and escalate privileges on vulnerable servers. The latest version of the toolkit, v4, features better code and script organization and an expanded targeting scope, including targeting of popular content management systems and an automated cryptocurrency wallet seed cracker. This toolkit is sold to cybercriminals via a private Telegram channel, which is becoming a typical funnel for transactions among malware authors and hackers. It’s essential to secure your servers and cloud-based services and implement strong access control measures to prevent unauthorized access and data theft.
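The toolkit described above works by requesting well-known secret-bearing files from many hosts. On the defending side, the same property makes it easy to spot in web-server access logs. The following is an added example written for this review, not code from the AlienFox report or from SentinelOne; the `SECRET_PATHS` list is an assumed set of common secret-file locations (not taken from the report), and the log lines are constructed samples in the Apache/nginx "combined" format.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format; the named groups are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed list of paths that exist only to hold secrets or deployment config.
# Not taken from the AlienFox report; extend it for your own stack.
SECRET_PATHS = {
    "/.env", "/.env.bak", "/.env.local", "/config/.env", "/laravel/.env",
    "/wp-config.php", "/wp-config.php.bak", "/.git/config",
    "/config.json", "/.aws/credentials", "/phpinfo.php",
}


def parse_line(line: str):
    """Return a dict with ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec


def find_secret_probes(lines):
    """Group requests for secret-bearing paths by source IP.

    Returns {ip: {"distinct": n, "exposed": [paths served with 200]}}.
    A 404 is a probe; a 200 means the file was actually served, which is the
    incident to act on (rotate the credentials in that file)."""
    by_ip = defaultdict(lambda: {"paths": set(), "exposed": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in SECRET_PATHS:
            continue
        entry = by_ip[rec["ip"]]
        entry["paths"].add(rec["path"])
        if rec["status"] == 200 and rec["path"] not in entry["exposed"]:
            entry["exposed"].append(rec["path"])
    return {ip: {"distinct": len(e["paths"]), "exposed": sorted(e["exposed"])}
            for ip, e in by_ip.items()}


def likely_scanners(lines, min_distinct=2):
    """IPs that probed at least min_distinct different secret paths."""
    report = find_secret_probes(lines)
    return sorted(ip for ip, e in report.items() if e["distinct"] >= min_distinct)


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2023:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28"',
    '203.0.113.5 - - [30/Mar/2023:10:00:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 153 "-" "python-requests/2.28"',
    '203.0.113.5 - - [30/Mar/2023:10:00:03 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "python-requests/2.28"',
    '198.51.100.7 - - [30/Mar/2023:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Mar/2023:10:02:00 +0000] "GET /.env?x=1 HTTP/1.1" 200 412 "-" "curl/7.88"',
    'garbage line that should be skipped',
]

if __name__ == "__main__":
    for ip, entry in find_secret_probes(SAMPLE_LOG).items():
        print(ip, entry)
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```

The useful output is the `exposed` list, not the scanner IPs: a 200 on `/.env` or `/.git/config` means the secrets in that file should be treated as compromised and rotated, independent of who requested it.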
3CX Desktop App Supply Chain Attack Leaves Millions at Risk
The 3CX desktop app, a popular voice and video conferencing software, is being targeted in an active supply chain attack. The attackers are using digitally signed and rigged installers of the software to target downstream customers, with cybersecurity researchers tracking the activity under the name SmoothOperator. The attackers registered a massive attack infrastructure in February 2022, using the trojanized 3CX desktop app as the first stage in a multi-stage attack that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL. The final payload is an information stealer capable of gathering system information and sensitive data stored in several popular web browsers. The attack appears to be confined to the Windows Electron client and macOS versions of the PBX phone system. 3CX has more than 600,000 customers and 12 million users in 190 countries, including well-known names such as American Express, BMW, Honda, Ikea, Pepsi, and Toyota. 3CX is working on a software update for its desktop app, and cybersecurity firm CrowdStrike suspects the attack to be linked to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.
Malicious links still on EU Commission website as hackers change tactics
It has been reported that cybercriminals used the European Commission’s European School Education Platform to spread hundreds of malicious links to illegal streaming sites, money schemes, and premium account generators. The attack was detected on March 10, but it is reported that, 20 days on, the EU executive is still struggling to regain control of the situation. The Commission has reportedly removed most of the fake profiles on the website, but malicious actors have found a new way to exploit it by uploading PDF files containing malicious links. Criminals impersonated educational institutions to fill their profiles with keywords associated with illicit content and to leave malicious links at the bottom of the profile.
North Korea Is Now Mining Crypto to Launder Its Stolen Loot
North Korean hacking group APT43, also known as Kimsuky or Thallium, has reportedly started using hashing services to launder stolen cryptocurrency. These services allow anyone to buy and sell computing power to calculate the mathematical strings necessary to mine most cryptocurrencies, resulting in newly mined coins with no apparent links to criminal activity. Cybersecurity firm Mandiant has seen tens of thousands of dollars’ worth of crypto flow into hashing services that it believes have been paid in by APT43 crypto wallets. The payouts should be clean; however, there have been some instances of funds being commingled with crypto in wallets that Mandiant had previously identified from years of tracking APT43 hacking campaigns.