Friday, November 4th, 2022
Cybersecurity Week in Review (4/11/22)
Over 250 US News Websites Deliver Malware via Supply Chain Attack
Hundreds of regional and national news websites in the United States are delivering malware as a result of a supply chain attack involving one of their service providers. A threat actor tracked as TA569 appears to be behind the attack. The hackers have targeted an unnamed media company that serves many news outlets in the US.
OPERA1ER hackers steal over $11 million from banks and telcos
A threat group has stolen at least $11 million from banks and telecommunication service providers in Africa using off-the-shelf hacking tools. Tracked as OPERA1ER, the group launched more than 35 successful attacks between 2018 and 2022, about a third of them in 2020. A change in the group's tactics, techniques, and procedures (TTPs) was noted last year.
The group is made up of French-speaking members believed to operate from Africa. Besides companies in Africa, it has also hit organizations in Argentina, Paraguay, and Bangladesh. OPERA1ER relies on open-source tools, commodity malware, and frameworks such as Metasploit and Cobalt Strike to compromise company servers. Initial access comes from spear-phishing emails built around familiar topics such as invoices or postal delivery notifications; their attachments deliver first-stage malware including Netwire, BitRAT, VenomRAT, AgentTesla, Remcos, Neutrino, and BlackNET.
The high-quality spear-phishing emails are written in French and impersonate either the government tax office or a hiring agent from the Central Bank of West African States (BCEAO). Using the stolen credentials, OPERA1ER accesses email accounts and performs lateral phishing, studies internal documentation to understand money transfer procedures and protection mechanisms, and carefully plans the final cash-out step. Typically the attackers targeted operator accounts that controlled large amounts of money and used the stolen credentials to transfer funds into Channel User accounts, then moved them on to subscriber accounts under their control. The gang withdraws the money from a network of ATMs, usually on a holiday or over a weekend, to minimize the chance that the compromised organization responds in time.
At victimized banks, OPERA1ER targeted the SWIFT messaging interface software that carries the details of financial transactions, and siphoned key information about the anti-fraud systems it needed to bypass.
LockBit ransomware claims attack on Continental automotive giant
The LockBit group has claimed responsibility for a cyberattack on the German multinational automotive group Continental. LockBit says it stole data from Continental's systems and is threatening to publish it on its data leak site if the company does not meet its demands within the next 22 hours.
Continental has not confirmed the claim, but in response it pointed to a press release from August 24th about a cyberattack that breached its systems. According to that release, the company detected the intrusion in early August after attackers infiltrated parts of its IT systems; it did not attribute the attack to LockBit. The release added that all necessary defensive measures to restore the full integrity of its IT systems had been taken.
LockBit first surfaced in September 2019 as a ransomware-as-a-service (RaaS) operation. It relaunched as LockBit 2.0 in June 2021 after ransomware groups were banned from cybercrime forums. In June of this year, the group released LockBit 3.0 and introduced Zcash cryptocurrency payment options, new extortion tactics, and the first ransomware bug bounty program. LockBit has also claimed attacks on the Italian Internal Revenue Service and digital security giant Entrust; its claim to have breached Mandiant was dismissed by that company.
These Android Apps with a Million Play Store Installations Redirect Users to Malicious Sites
Four Android apps have been identified as directing victims to malicious websites as part of an adware and information-stealing campaign. The apps, all published by the same developer, Mobile apps Group, are currently available on the Play Store and have been collectively downloaded over one million times.
The websites to which victims are redirected generate revenue through pay-per-click ads and prompt users to install "cleaner" apps with the goal of deploying additional malware. A common tactic used by threat actors is to introduce time-based delays to conceal malicious behavior: the apps wait roughly four days before opening the first phishing site in the Chrome browser, then launch further tabs every two hours. The apps are part of a broader malware operation called HiddenAds, active since at least June 2019, with a track record of illicitly earning revenue by redirecting users to advertisements.
The list of apps is as follows –
- Bluetooth App Sender (com.bluetooth.share.app) – 50,000+ downloads
- Bluetooth Auto Connect (com.bluetooth.autoconnect.anybtdevices) – 1,000,000+ downloads
- Driver: Bluetooth, Wi-Fi, USB (com.driver.finder.bluetooth.wifi.usb) – 10,000+ downloads
- Mobile transfer: smart switch (com.mobile.faster.transfer.smart.switch) – 1,000+ downloads
Dropbox Breach: Hackers Gained Unauthorized Access to 130 GitHub Source Code Repositories
Dropbox disclosed on Tuesday, November 1st that it was the victim of a phishing campaign allowing unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub.
The file hosting service said the repositories held copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by its security team. The attackers also obtained some API keys used by Dropbox developers, as well as a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.
This comes a month after both GitHub and CircleCI warned of a similar phishing campaign. Dropbox said multiple employees received phishing emails impersonating CircleCI in early October, some of which slipped past its automated spam filters into inboxes. The legitimate-looking emails directed employees to a fake CircleCI login page, where they were asked to enter their GitHub username and password and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site.
The number of employees affected was not disclosed, but the company stressed that there is no evidence any customer data was stolen, and added that it is upgrading its two-factor authentication to hardware security keys, which resist phishing because the credential is bound to the legitimate site's origin rather than to a code that can simply be relayed.
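The difference between the two factors is worth seeing concretely: an OTP, even one generated by a hardware token, carries no information about where it was typed, so the attacker forwards it to the real login and it verifies. A WebAuthn assertion, by contrast, contains the page origin (filled in by the browser, not the page) and a hash of the relying-party ID, both of which the server checks before looking at the signature. The Python below is an added illustration, not code from Dropbox, GitHub or CircleCI: it performs that server-side binding check on a constructed assertion from the legitimate origin and on one from a look-alike phishing origin. The relying-party ID, origins and challenge are hypothetical, and the signature and counter checks of a full verification are omitted.

```python
import base64
import hashlib
import json
import secrets

# Relying-party configuration: hypothetical values, not GitHub's or Dropbox's.
EXPECTED_RP_ID = "code-host.example"
EXPECTED_ORIGIN = "https://code-host.example"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion_binding(client_data_json_b64: str,
                            authenticator_data_b64: str,
                            expected_challenge: bytes) -> tuple:
    """Origin/rpId part of WebAuthn assertion verification (RP side).

    A complete verification also checks the signature over
    authenticatorData || SHA-256(clientDataJSON) with the credential's
    registered public key, plus the signature counter; those steps are
    omitted here because the point is the binding a relay cannot forge.
    Returns (accepted, reason).
    """
    client_data = json.loads(b64url_decode(client_data_json_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    # The browser, not the page script, fills in origin, so a phishing page
    # cannot claim the legitimate origin.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    auth_data = b64url_decode(authenticator_data_b64)
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP (user present) flag
        return False, "user presence flag not set"
    return True, "ok"


def make_assertion(page_origin: str, challenge: bytes) -> tuple:
    """Constructed stand-in for what a browser and authenticator emit on a
    page at page_origin. The rpId defaults to the page's own host, which is
    why a phishing page cannot obtain an assertion for the real RP."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = {"type": "webauthn.get",
                   "challenge": b64url_encode(challenge),
                   "origin": page_origin}
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01])            # flags: UP set
                 + (0).to_bytes(4, "big"))  # signature counter
    return b64url_encode(json.dumps(client_data).encode()), b64url_encode(auth_data)


def otp_relay_accepted(otp_typed_on_phishing_page: str, otp_server_expects: str) -> bool:
    """An OTP has no origin field: the code the victim types on the fake page
    is exactly what the attacker forwards to the real login, and it verifies."""
    return secrets.compare_digest(otp_typed_on_phishing_page, otp_server_expects)


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    print(check_assertion_binding(*make_assertion(EXPECTED_ORIGIN, challenge), challenge))
    print(check_assertion_binding(*make_assertion("https://code-host-login.example", challenge), challenge))
    print(otp_relay_accepted("482913", "482913"))
```

The phishing-origin assertion fails at the origin check before any cryptography is consulted; the relayed OTP, having nothing to bind it to a site, verifies as if the victim had typed it on the real page.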
Bed Bath & Beyond Investigating Data Breach After Employee Falls for Phishing Attack
Bed Bath & Beyond revealed last week that it recently suffered a data breach after an employee fell victim to a phishing attack. The company explained that it became aware of unauthorized access to some data after the employee was targeted in a "phishing scam" in October.
The attacker gained access to data on a hard drive and some shared drives the targeted employee could reach. So far there is no evidence that the compromised drives stored sensitive or personally identifiable information.
News of the hack came to light in an SEC filing in which the company announced an offer to sell up to $150 million worth of stock. A similar incident occurred in 2019, when the retailer revealed that some customer accounts had been breached; at the time it said the attackers had obtained username and password combinations from a breach at a different company and relied on the fact that many people reuse the same credentials across multiple online accounts.
Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware
Stone Panda, a Chinese state-sponsored threat actor, has been observed employing a new stealthy infection chain in attacks aimed at Japanese entities. Media, diplomatic, governmental, and public sector organizations and think tanks in Japan were the primary targets.
Stone Panda, also called APT10, Bronze Riverside, Cicada, and Potassium, is a cyber espionage group known for its intrusions against organizations identified as strategically significant to China. The threat actor is believed to have been active since at least 2009. The group has also been linked to attacks using malware families like SigLoader, SodaMaster, and a web shell called Jackpot against multiple Japanese domestic organizations since April 2021.
The latest set of attacks uses either a bogus Microsoft Word file or a self-extracting (SFX) archive in RAR format, delivered via spear-phishing email, to execute a backdoor called LODEINFO. In the maldoc variant the user must enable macros to start the kill chain. The macro then drops a ZIP archive containing two files: "NRTOLF.exe", a legitimate executable from the K7Security Suite software, and a rogue DLL, "K7SysMn1.dll", which the executable loads via DLL side-loading. The June 2022 campaign dropped the macro in favor of an SFX file that, when executed, displays a harmless decoy Word document to conceal the malicious activity. Also in June 2022, another initial infection method was observed in which a password-protected Microsoft Word file delivered a fileless downloader dubbed DOWNIISSA once macros were enabled: the embedded macro generates the DOWNIISSA shellcode and injects it into the current process (WINWORD.exe). DOWNIISSA communicates with a hard-coded remote server, from which it retrieves an encrypted BLOB payload containing LODEINFO, a backdoor capable of executing arbitrary shellcode, taking screenshots, and exfiltrating files back to the server.
The malware, first seen in 2019, has undergone numerous improvements, with six different versions identified in March, April, June, and September 2022. The changes include enhanced evasion techniques, halting execution on machines with the locale "en_US", a revised list of supported commands, and support for the Intel 64-bit architecture.
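The side-loading step is the one a defender can catch on the host: a signed, legitimate executable loads a DLL by name from its own directory, and when that directory is user-writable the DLL next to it is whatever the dropper put there. The Python below is an added detection example, not code from the cited research, run over constructed Sysmon-style "Image loaded" (Event ID 7) records. It flags a signed loader picking up a DLL from a user-writable directory when that DLL is unsigned or signed by a different publisher than the loader. The paths, signer strings and the list of writable directories are assumptions to be adapted to your environment.

```python
import ntpath
from dataclasses import dataclass

# Directory fragments a standard user can write to (lower-cased, backslash
# delimited). Hypothetical starting list; extend for your environment.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
)


@dataclass(frozen=True)
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (Image loaded) record."""
    image: str           # process that loaded the DLL
    image_loaded: str    # the DLL
    process_signed: bool
    process_signer: str
    dll_signed: bool
    dll_signer: str


def is_user_writable(path: str) -> bool:
    # Normalise and add a trailing separator so a directory path matches too.
    p = ntpath.normpath(path).lower() + "\\"
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def sideload_suspects(events):
    """Return (loader, dll, reason, same_directory) for suspicious loads."""
    hits = []
    for e in events:
        if not e.process_signed:
            continue  # unsigned loader: plain malware, not side-loading
        dll_dir = ntpath.dirname(e.image_loaded)
        if not is_user_writable(dll_dir):
            continue  # DLLs under Program Files or System32 are out of scope here
        if e.dll_signed and e.dll_signer == e.process_signer:
            continue  # vendor shipped its own DLL beside its binary
        same_dir = ntpath.dirname(e.image).lower() == dll_dir.lower()
        if e.dll_signed:
            reason = f"DLL signed by {e.dll_signer!r}, loader by {e.process_signer!r}"
        else:
            reason = "unsigned DLL loaded by signed process"
        hits.append((e.image, e.image_loaded, reason, same_dir))
    return hits


# Constructed sample events. Signer strings are placeholders, not real
# certificate subjects; the first record mirrors the chain in the text.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\invoice\NRTOLF.exe",
              r"C:\Users\alice\AppData\Local\Temp\invoice\K7SysMn1.dll",
              True, "K7 Computing", False, ""),
    ImageLoad(r"C:\Program Files\K7\NRTOLF.exe",
              r"C:\Program Files\K7\K7SysMn1.dll",
              True, "K7 Computing", True, "K7 Computing"),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll",
              True, "Microsoft Windows", True, "Microsoft Windows"),
    ImageLoad(r"C:\Users\alice\Downloads\updater.exe",
              r"C:\Users\alice\Downloads\version.dll",
              True, "Example Vendor", False, ""),
]


if __name__ == "__main__":
    for loader, dll, reason, same_dir in sideload_suspects(SAMPLE_EVENTS):
        print(f"{loader} -> {dll}: {reason} (same directory: {same_dir})")
```

The rule deliberately ignores unsigned loaders and DLLs under system or program directories; the former is ordinary malware and the latter needs a different rule (a writable vendor directory). Expect tuning: some legitimate installers also run signed stubs from Temp that load their own unsigned helpers, which is exactly why the output carries the signer names.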
Accused ‘Raccoon’ Malware Developer Fled Ukraine After Russian Invasion
A recently unsealed indictment from the US Justice Department shows that prosecutors are seeking the extradition of a core developer of the Raccoon malware-as-a-service operation. The 26-year-old Ukrainian national, Mark Sokolovsky, was arrested in March 2022 after fleeing mandatory military service in Ukraine in the weeks following the Russian invasion.
Raccoon was essentially a web-based control panel where, for $200 a month, customers could obtain the latest version of the Raccoon Infostealer malware and interact with infected systems in real time. Security experts say the passwords and other data stolen by Raccoon were often resold to groups deploying ransomware. More than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, and so on) have been identified as stolen with the help of Raccoon.
U.S. authorities zeroed in on an operational security mistake Sokolovsky made early in his posts to crime forums: a Gmail account tied to the cybercrime forum identity used by the Raccoon developer ("Photix") was connected to an Apple iCloud account. After the start of the Russian invasion, authorities monitoring Sokolovsky's iCloud account spent weeks watching him shuttle between Kharkiv and the Ukrainian capital Kyiv, but on March 18, 2022, his phone suddenly showed up in Poland. Investigators learned from Polish border guards that Sokolovsky had left Ukraine in a Porsche Cayenne with a young blonde woman, leaving his mother and other family behind. Authorities then tracked his phone through Germany and eventually to the Netherlands, with his companion documenting every step of the trip on her Instagram account.
Sokolovsky’s extradition to the United States has been granted, but he is appealing that decision. He faces one count of conspiracy to commit computer fraud; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering, and one count of aggravated identity theft. If convicted, Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.
Hackers selling access to 576 corporate networks for $4 million
According to the Q3 2022 ransomware report from the Israeli cyber-intelligence firm KELA, hackers are currently selling access to 576 corporate networks worldwide for a cumulative asking price of $4,000,000. The number of network-access listings remained about the same as in the previous two quarters, but the cumulative asking price is a big jump from the total value of initial access listings in Q2 2022, which was $660,000, a drop that coincided with the summer ransomware hiatus that hurt demand.
Initial access brokers (IABs) are hackers who sell access to corporate networks, usually obtained through credential theft, web shells, or the exploitation of vulnerabilities in publicly exposed hardware. After establishing a foothold, they sell that access to other criminals, who use it to steal valuable data, deploy ransomware, or conduct other malicious activity.
Q3 ’22 numbers
- 110 threat actors posted 576 initial access offerings with a cumulative value of $4,000,000.
- The average selling price of these listings was $2,800, while the median reached a record $1,350.
- A single access was offered at the astronomical price of $3,000,000.
- The top three IABs ran a large-scale business, each offering between 40 and 100 accesses for sale.
- The average time to sell corporate access was just 1.6 days.
- The most targeted country was the United States, accounting for 30.4% of all IAB offerings.
- The most targeted sectors were professional services, manufacturing, and technology, with 13.4%, 10.8%, and 9.4% respectively.
Fodcha DDoS Botnet Resurfaces with New Capabilities
The Fodcha distributed denial-of-service (DDoS) botnet has resurfaced with new capabilities, including a changed communication protocol and the ability to demand cryptocurrency payments in exchange for stopping an attack against a target. The operation was first identified in April of this year, with the malware propagating through known vulnerabilities in Android and IoT devices as well as weak Telnet or SSH passwords.
Fodcha has evolved into a large-scale botnet with over 60,000 active nodes and 40 command-and-control (C2) domains that can easily generate more than 1 Tbps of traffic. The countries most targeted since late June 2022 are China, the U.S., Singapore, Japan, Russia, Germany, France, the U.K., Canada, and the Netherlands. Prominent targets range from healthcare organizations and law enforcement agencies to a well-known cloud service provider hit with traffic exceeding 1 Tbps. New stealth features encrypt communications with the C2 server and embed ransom demands in them; the malware reuses much of Mirai's attack code and supports a total of 17 attack methods.
As preventive measures, enterprises are urged to identify critical assets, understand how users connect to the corporate networks, enroll in a DDoS protection service, and develop DDoS response and business continuity plans.