Search This Blog

Showing posts with label Cyber Attacks. Show all posts

‘Evil PLC’ Could Turn PLCs Into Attack Vectors

 

When one thinks of someone hacking a programmable logic controller, one usually think of the PLC as the end objective of the assault. Adversaries use other systems to get at what will eventually allow them to cause industrial damage. 

However, a Claroty Team 82 DefCon presentation asks the following question: what if someone exploited a PLC as a vector rather than the destination? The researchers feel that the "Evil PLC" attack scenario is novel: infecting every engineer who interfaces with a PLC with malicious malware. 

Claroty revealed a series of 11 additional vendor-specific vulnerabilities that would allow the attack as proof of concept. These flaws have been discovered in Ovarro TBOX, B&R (ABB) X20 System, Schneider Electric Modicon M340 and M580, GE MarkVIe, Rockwell Micro Control Systems, Emerson PACSystems and Xinje XDPPro platforms. All but the Emerson were issued CVEs. Claroty came up with the notion after trying to learn more about the opponents that attack their honeypots.

“We asked ourselves, how can we actively attack the attackers? We don't know anything about them. We cannot find them,” said Claroty director of research Sharon Brizinov. “And then we kind of had a eureka moment and we thought, okay, what if the PLC was to be weaponized?”

Claroty used a ZipSlip attack against vendors (Emerson, Ovarro, B&R, GE, and Xinje), a heap overflow against Schneider, and a deserialization attack against Rockwell to create an Evil PLC. Evil PLC, according to Claroty, would be suited for two assault scenarios. The first scenario would be if the PLC was the only entry point into a secure facility. Waiting for an engineer to connect to the PLC allows the attacker to infect the engineer's workstation. This might be sped up by encouraging an early inspection using the newfound access to the PLC.

“Once the attacker weaponized the PLC, maybe they deliberately cause a fault on the PLC. The engineer would be lured to the PLC to check what's going on with it,” said Brizinov. 

Another possibility is to take use of the large number of PLCs maintained by outside professionals. One engineer is linked to one PLC could spread malicious code across several enterprises. 

“Usually PLCs are the crown jewel. When we're talking about classic attack vectors in ICS domains we're always seeing the PLC as the endpoint, the end goal; but if we're playing with those ideas and shifting our thoughts a bit, we can we can get to new ways of how to defend and attack both networks,” Brizinov said. 

Cloudflare Users Targeted by Hackers that Breached into Twilio


On Tuesday, the web infrastructure provider Cloudflare revealed that at least 76 of its staff members and their families had received texts on both personal and business phones that resembled the intricate phishing effort on Twilio.

Furthermore, Cloudflare said that its Cloudforce One threat intelligence team was able to do an analysis of the attack, despite the fact that its systems were not hacked.

The systems and officials of several firms are the targets of this sophisticated attack, as per analysts. Four phone numbers linked to SIM cards issued by T-Mobile were used in the attack, which exists around the same time Twilio was targeted and was ultimately unsuccessful.

Cloudflare said the rogue domain was built via Porkbun under 40 minutes before the wave of more than 100 smishing messages started. It also said the phishing page was created to quickly pass the data given by unwary customers to the attacker via Telegram.

The data was directly taken to the attacker via the messaging app Telegram once the message receiver input his credentials on the phishing site. Experts claim since the phishing page would request a Time-based One Time Password (TOTP) code, the real-time relay was essential for the hackers. Once they had this information, the attackers would access the actual login page for the victim company.

Only three employees, as per Cloudflare, clicked the link in the phishing email and submitted their credentials. However, the business does not use TOTP codes; rather, its staff members use a YubiKey security key that complies with FIDO2. This implies that even if an attacker has the credentials, they cannot access the firm systems without the hardware key.

As Cloudflare also disclosed, AnyDesk remote access software was immediately downloaded on their machines after providing their credentials on the phishing pages, enabling the hackers to remotely take control of their systems if installed.

The company stated it reset the affected employees' login passwords and tightened its access policy to block any logins from unidentified VPNs, residential proxies, and infrastructure providers in addition to working with DigitalOcean to shut down the attacker's server.



A New SolidBit Ransomware Variant Hit Famous Games

Cybersecurity researchers reported a new advanced SolidBit ransomware variant that is victimizing the audience of famous games and social media platforms. “The malware was uploaded to GitHub, where it is disguised as different applications and an Instagram follower bot to lure in victims,” cybersecurity solutions firm Trend Micro reported. 

Nathaniel Morales, Monte de Jesus, Ivan Nicole Chavez, Lala Manly, and Nathaniel Gregory Ragasa published technical details of their analysis of the new ransomware variant. “When an unsuspecting victim runs the application, it automatically executes malicious PowerShell codes that drop the ransomware into the system,” the analysis reads. 

Solidbit ransomware is a type of computer virus that executes malicious code into Windows to encrypt all personal files located on it and locks all personal files. “It’s possible that SolidBit’s ransomware actors are currently working with the original developer of Yashma ransomware and likely modified some features from the Chaos builder, rebranding it as SolidBit,” experts observed. 

The League of Legends account checker on GitHub uploaded a file that contains instruction tools, however, it does not include a graphic user interface (GUI) or any other behavior related to its supposed function it is only a lure to the users, Experts at Trend Micro claimed. 

Among the files bundled with the account checker, experts have discovered an executable file Rust LoL Accounts Checker.exe which is protected by Safengine Shielden, once the file is executed in the system, an error window appears and claims that debugging tools have been detected which could be of the malware’s anti-debugging capabilities and anti-virtualization. 

“If users click on this executable file, it will drop and execute a program with malicious codes that drop and execute the SolidBit ransomware. It will begin disabling Windows Defender’s scheduled scans and any real-time scanning of some folders,” Trend Micro said. 

Experts in conclusion have recommended that users use multifactor authentication (MFA) to prevent hacker groups from performing lateral movement inside a network.

Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions

 

Since January 2022, over a dozen military-industrial complex firms and governmental organisations in Afghanistan and Europe have been targeted in order to acquire private data via six distinct backdoors. The assaults were attributed "with a high degree of confidence" to a China-linked threat actor identified by Proofpoint as TA428, noting commonalities in tactics, techniques, and processes (TTPs). 

TA428, also known as Bronze Dudley, Temp.Hex, and Vicious Panda, has previously struck entities in Ukraine, Russia, Belarus, and Mongolia. It is thought to be linked to another hacker organisation known as Mustang Panda (aka Bronze President). The current cyber espionage effort targeted industrial units, design bureaus and research institutions, as well as government entities, ministries, and departments .departments in several East European countries and Afghanistan. 

Penetration of company IT networks is accomplished through the use of carefully prepared phishing emails, including those that mention non-public information about the companies, to fool recipients into opening rogue Microsoft Word documents. These decoy files include exploits for a 2017 memory corruption vulnerability in the Equation Editor component (CVE-2017-11882), which might allow arbitrary code to be executed in affected computers, eventually leading to the deployment of a backdoor known as PortDoor. 

In April 2021, Chinese state-sponsored hackers used PortDoor in spear-phishing efforts to breach into the computers of a defence firm that manufactures submarines for the Russian Navy. The use of six distinct implants, according to Kaspersky, is most likely an attempt by threat actors to develop redundant channels for managing infected hosts in the event that one of them should get recognised and removed from the networks.

The attacks culminate with the attacker hijacking the domain controller and taking total control of all of the organization's workstations and servers, using the privileged access to exfiltrate files of interest in the form of compressed ZIP packages to a remote server in China.

Other backdoors used in the assaults include nccTrojan, Cotx, DNSep, Logtu, and CotSam, a previously unreported malware named because of its resemblance to Cotx. Each offers significant capabilities for taking control of the systems and stealing sensitive data.

Ladon, a hacking framework that enables the adversary to scan for devices in the network as well as exploit security vulnerabilities in them to execute malicious code, is also included in the assaults.

"Spear-phishing remains one of the most relevant threats to industrial enterprises and public institutions," Kaspersky said. "The attackers used primarily known backdoor malware, as well as standard techniques for lateral movement and antivirus solution evasion."

"At the same time, they were able to penetrate dozens of enterprises and even take control of the entire IT infrastructure, and IT security solutions of some of the organizations attacked."

North Korean Hackers Target CryptoJob Seekers To Evade Western Countries Against Sections

North Korean state sponsors hackers are victimizing cryptocurrency workers with a new phishing campaign on LinkedIn and Indeed to plagiarize resumes and other people’s profiles to land remote work at crypto firms, security researchers at Mandiant said. 

Malwarebytes cyber security researcher, Hossein Jazi, published details of the attack on Twitter. Research analysis shows that the hackers leveraged a PDF containing information about the non-existent role of “engineering manager, product security” at crypto giant Coinbase. 

The objective behind this campaign is to get access to these firms’ internal operations, and projects and gather data about upcoming trends, including Ethereum network development, potential security lapses, and non-fungible tokens (NFTs). 

This information reportedly serves North Korean threat actors to launder cryptocurrencies that can later be used by the Pyongyang government to answer Western sanctions. 

Joe Dobson, a principal analyst at Mandiant, told the press that “It comes down to insider threats If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.” 

This phishing campaign also shares similarities with Operation In(ter)caption, in which hackers used LinkedIn phishing messages that were containing job offers for target working audiences in relevant sectors. Malicious files and data were sent either via email or LinkedIn in a OneDrive link, it was first exposed by ESET in June 2020. 

“Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed. Meanwhile, the malware was silently deployed on the victim’s computer. In this way, the attackers established an initial foothold and reached a solid persistence on the system,” ESET reported. 

Although, the government of North Korea denied its involvement in any cyber-related theft, however, the U.S. government federal agencies, such as the Department of State and the FBI, earlier this year released warnings to the organizations against randomly hiring freelancers from North Korea, as they were potentially misleading businesses with their true identities and state's (DPRK) backing in their activities. 

Twitter 5.4 Million Users Data is Up For Sale For $30,000

 

A Vulnerability in Twitter’s databases that allowed hackers group access to the personal data of 5.4 million Twitter users, has been patched. The report analysis said that the stolen data is up for sale at a $30,000 price. 

On Friday Twitter reported that a team of researchers has found that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform. 

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability,” Twitter reported.

In January 2020, various cyber security news platforms published a story on Twitter’s vulnerability that allowed hackers and other malicious actors to access sensitive data including phone numbers and email addresses of millions of users, leaving it susceptible to being accessed by anyone. 

What's even more threatening is that the data details could be accessed even if a user had enabled privacy settings to hide these details publicly. 

"As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," the company said in an advisory. 

When vulnerabilities in the system are not discovered by the software or hardware manufacturer remain, they remain a potentially hazardous threat. In most incidents, zero-day vulnerabilities are noticed by security experts like white-hat hackers, and security analysts inside tech companies. The essential thing to be noted about a zero-day is that there is no patch or update yet created for it, so long as it remains zero-day. 

Twitter said that the company has started notifying users affected by the attack and urging its users to turn on two-factor authentication to protect data against unauthorized logins. 

GwisinLocker Ransomware Targets Linux Systems in South Korea

ReversingLabs cyber intelligence group discovered a brand ransomware family called 'GwisinLocker'. As per the analysis, this ransomware mainly victimizes South Korea’s infrastructures such as healthcare, pharmaceutical companies, and industries with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines. 

Dubbed as GwisinLocker, the malware was first detected on July 19 by ReversingLabs cyber intelligence group. GwisinLocker is an upgraded and advanced malware variant that was created by a previously lesser-known threat actor (TA) called “Gwisin” which translates in Korean as 'ghost' or 'spirit'. Also, the hacker’s origin is unknown but as per the technical data, it appears that the hacker has a good command of the Korean language. 

“In those incidents, it often launched attacks on public holidays and during the early morning hours (Korean time) – looking to take advantage of periods in which staffing and monitoring within target environments were relaxed,” ReversingLabs wrote in an advisory published on Thursday. 

“In communications with its victims, the Gwisin group claims to have deep knowledge of their network and claim that they exfiltrated data with which to extort the company.”

“In communications with its victims, the Gwisin group claim to have deep knowledge of their network and claim that they exfiltrated data with which to extort the company. Ransom notes associated with GwisinLocker.Linux contains detailed internal information from the compromised environment. Encrypted files use file extensions customized to use the name of the victim company”, the report reads.

Regarding the information on the payment system behind the ransomware, researchers said that GwisinLocker.Linux victims called for logging into the portal run by the group and creating private communications channels for completing ransom payments. “As a result, little is known about the payment method used and/or cryptocurrency wallets associated with the group,” the researchers further added.

CISA Adds One Known Exploited Vulnerability to Catalog


On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed in its findings that they have discovered a high-severity vulnerability in the Zimbra email. Based on the evidence of active exploitation, the new vulnerability has now been added to its Known Exploited Vulnerabilities Catalog. 

As of present, researchers are investigating CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could allow the execution of arbitrary Memcached commands and theft of important data. 

These kinds of Vulnerabilities are very frequent and are oftenly seen, as per the data these vulnerabilities pose a higher risk to the federal enterprise. 

“Zimbra Collaboration (ZCS) allows an attacker to inject Memcache commands into a targeted instance which causes an overwrite of arbitrary cached entries”, CISA added. 

The attack first was reported by SonarSource in June, with patches released by Zimbra on May 10, 2022, in versions 8.8.15 P31.1 and 9.0.0 P24.1. 

Before Installing Patch 9.0.0 Patch 24.1, users are recommended to consider the following: 

• Patches are accumulative. 
• Zimlet patches remove existing Zimlets and redeploy the patched Zimlet. 
• Before applying the patch, a full backup should be performed. 
• There is no automated roll-back. 
• Before using ZCS CLI commands Switch to Zimbra user. 
• Must note that you will not be able to revert to the previous ZCS release after you upgrade to the patch.  
• Understand that the installation process has been upgraded. Additional steps to install Zimbra-common-core-libs, Zimbra-common-core-jar and Zimbra-mbox-store-libs packages have been included for this patch release. 

“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria”, CISA further told.

Taiwanese Government Sites Suffered DDoS Attacks Following Nancy Pelosi Visit

 

Multiple Taiwanese government sites were disrupted by distributed denial-of-service (DDoS) attacks following the much-publicized arrival of U.S. House Speaker Nancy Pelosi who became the first high-ranking U.S. official in 25 years to visit the democratic island nation. 

Pelosi reportedly met Taiwanese President Tsai Ing-wen and reiterated America’s support for the country of 24 million. 

The cyber attacks caused intermittent outages across the government English portal, some websites of the presidential office, foreign ministry, and defense ministry. 

According to Taiwan's foreign ministry, the attacks on its website and the government's English portal were linked to Chinese and Russian IP addresses that tried to access the websites up to 8.5 million times per minute. 

A separate statement from a Tsai spokesperson on Facebook said the attack had funneled 200 times more traffic than usual to the site. However, it was back up and running just 20 minutes later, it added. 

“While the PRC is more than capable of this type of attack, DDoS is fairly unsophisticated and somewhat brutish, and it's not a tool they are known to deploy,” explained Casey Ellis, founder, and CTO at Bugcrowd. China has an enormous population of very clever technologists, large security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D.” 

Experts believe that the attacks were likely launched by Chinese activist hackers rather than the Chinese government as retaliation for the visit of Nancy Pelosi. 

Taiwan has accused China of ramping up cyber assaults since the 2016 election of President Tsai Ing-wen, who views the island as a sovereign nation and not a part of China. In 2020, Taiwanese authorities said China-linked hackers breached at least 10 Taiwan government agencies and secured access to nearly 6,000 email accounts in an attempt to exfiltrate data. 

Earlier this year in February, Chinese APT group APT10 (aka Stone Panda, Bronze Riverside) targeted Taiwan’s financial trading sector with a supply chain attack. The malicious campaign was launched by the threat actors in November 2021, but it hit a peak between February 10 and 13 2022, Taiwanese cybersecurity firm CyCraft reported.

Ransomware Hit European Pipeline & Energy Supplier Encevo Linked to BlackCat

 

BlackCat ransomware gang claimed responsibility for the attack that occurred last week on Creos Luxembourg S.A., a company that owns and provides electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. 

In the wake of the news, cyber security researchers reported that they are currently investigating the extent of the damage done. 

Encevo, the parent company of Creos and energy that facilitates five EU countries confirmed on July 25 that the firm suffered a cyberattack over the weekend of July 22–23. The cyberattack had rendered Encevo and Creos’ customer portals inaccessible however, the services themselves remained unaffected. 

According to the reports, the BlackCat ransomware group uploaded 150GB of data on its exaction site stolen from Encevo, including contracts, bills, passports, and emails. The gang is now threatening to release and sell the data within hours if the ransom isn't paid. 

The attack majorly affected the natural gas pipeline and the energy supplier Enovos, however, Encevo assured its users that the supply would not be disrupted. The firm recommended its users update their login credentials as soon as possible, alongside, customers should also change their passwords on other websites if they are the same. 

"For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person. This is why we ask our customers not to contact us at the moment. Once again we apologize to our customers for the inconvenience and we do our best to restore full service as soon as possible. Creos and Enovos emphasize once again that the supply of electricity and gas are not affected and that the breakdown service is guaranteed’’, the company added. 

Reportedly, Creos has been contacted by many cyber news portals enquiring about more technical details and the consequences of the cyberattack, however, the representatives of the company did not share any information on the matter.

Kimsuky Makes E-Mails Hacking Browser Extensions

A hacking group that is believed to work from North Korea is loading harmful browser extensions for Edge and Chrome. It tries to steal email info from open AOL and Gmail sessions and interchange browser preference files. 

About SHARPEXT

Volexity experts found the malicious extension, known as SHARPEXT, it is active for almost a year by Kimsuky (aka SharpTongue). It uses the extension after the attack has been launched, for keeping its presence. 

"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.

Kimsuky's Attack

Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. On the contrary, the extension steals information from the e-mail inboxes of the victims.

The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been done. 

How SHARPEXT is installed

To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files, for the aimed Chromium-based browser, which is generally said to be a difficult task to execute. 

• To interchange the Secure Preferences file, the hackers obtain some details from the browser and make a new file running on browser start-up.

• After that, the attackers use a secondary script to conceal some of the extension's features and any other windows that can surface and alarm the users about suspicious activities. 

• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. Installation is then modified for different respective targets. 

Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title (“05101190” or “Tab+”, depending on the version). The keyword is removed when DevTools is enabled on the tab." 












Social Media Used to Target Victims of Investment Scams

Security researchers have discovered a huge investment scam effort that uses online and telephone channels to target victims across Europe. Since fake investment scams have been around for a while, people are familiar with them.

Over 10,000 malicious websites tailored for consumers in the UK, Belgium, the Netherlands, Germany, Poland, Portugal, Norway, Sweden, and the Czech Republic are included in the "gigantic network infrastructure" spotted by Group-IB.

The scammers work hard to promote the campaigns on numerous social media sites, or even compromise Facebook and YouTube to get in front of as many users as they can.

The firm's aim is to mislead consumers into believing they have the chance to invest in high-yield chances and persuade them to deposit a minimum of 250 EUR ($255) to join up for the phony services.

Scam operation

  • Posts promoting phony investment schemes on hacked social media accounts, such as Facebook and YouTube, are the first to entice victims.
  • Images of regional or international celebrities are frequently used to give the illusion that the scam is real.
  • The scammers then demand contact information. In a sophisticated social engineering scam, a 'customer agent' from a call center contacts the victim and offers the investment terms and conditions.
  • Eventually, the victim is persuaded to make a deposit of at least 250 EUR, and the information they provided on the false website is either saved and utilized in other attacks or sold on the dark web.
  • After the victim deposits the money, they are given access to a fictitious investment dashboard that claims to allow them to monitor daily earnings.
  • When the victim tries to use the site to withdraw funds but is first asked for final payment, the fraud is discovered.

Over 5000 of the 11,197 domains used in the campaign were still operational as of this writing.

It is advisable to check that an investment platform is from a reputable broker when it interests you. It may also be possible to spot the fraud by searching for user evaluations and looking for patterns in a large number of comments. 


Novel Phishing Campaign Employs Countdown Timer to Pressurize Victims

 

A new phishing campaign is forcing victims into entering their credentials by claiming their account will be deactivated and it employs a countdown timer to build the pressure. 

The malicious campaign begins with a text which claims to warn the recipient that an attempt to log in to their account from a location they haven't used before has been blocked and is offered a solution in the form of email verification, cybersecurity researchers at Cofense explained in a blog post. 

Ransomware attackers frequently employ fear tactics because sending victims into a state of panic means they're more likely to follow instructions, particularly if they've been told something is wrong with their accounts. 

What sets this phish apart from other campaigns is the countdown clock displayed to the recipient once the malicious link is accessed. The timer ticks down for an hour, claiming the user must enter their username and password to 'validate' their account before the countdown clock hits zero. 

The real scenario is completely different because nothing will be deleted even if the countdown timer reaches zero. The phishing campaign can only be successful if the targeted user falls into a trap and enters login credentials. 

Phishing attacks are one of the most common techniques hackers employ to steal usernames and passwords. Earlier this year in May, researchers at Zscaler's ThreatLabz identified a phishing campaign employing fake voicemails to exfiltrate data of US organizations across various industries, including software security, security solution providers, the military, healthcare, and pharmaceuticals. 

Tips to mitigate phishing attacks 

1. Employ MFA 

Using multi-factor authentication (MFA) can help protect accounts because even if the attacker knows the correct login credentials, the need for extra verification prevents them from being able to access the account, as well as providing a warning that something could be wrong. 

2. Get free anti-phishing add-ons 

Most browsers nowadays will enable you to download add-ons that spot the signs of a malicious website or alert you about known phishing sites. They are usually completely free so there’s no reason not to have them installed on every device in your organization. 

3. Don’t enter your credentials on an unsecured site 

If the URL of the website doesn’t start with “https”, or you cannot see a closed padlock icon next to the URL, do not enter any sensitive information or download files from that site. Sites without security certificates may not be intended for phishing scams, but it’s better to be safe than sorry.

Ducktail Spear-Phishing Campaign Targets Facebook Business Accounts Via LinkedIn

 

An ongoing spear-phishing campaign dubbed “Ducktail” is targeting admin profiles of enterprise networks via LinkedIn, with the motive of taking over Facebook Business accounts and exploiting the Ads function to run malvertising campaigns. 

According to researchers at WithSecure, a popular global IT-security firm, the hackers are of Vietnamese origin and have been active since 2018. 

Modus operandi 

The Ducktail operators have a limited targeting scope and carefully choose their victims, seeking those with administrative access to their employer's social media accounts. The hacker contacts employees on LinkedIn who may have access to Facebook business accounts, such as those described as working in "digital media" and "digital marketing." 

Subsequently, the hacker lures the potential victim to download a file hosted on legitimate cloud hosting services like Dropbox or iCloud. The downloaded file contains JPEG image files and a PDF document relevant to the topic discussed between the hacker and the potential victim during the convincing stage.

Security researchers reported that the entire file is a .NET Core malware that can infect any operating system by running on computers without having to install the .NET runtime. Once it has compromised the system the malware collects browser cookies from Chrome, Edge, Firefox, and additional sensitive information to steal Facebook credentials. 

“The malware directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account,” researchers explained. 

The malware is then deployed to other Facebook pages owned by the victim and collects multiple tokens, IP addresses, account information, geolocation data, and other valuables to disguise itself as a legitimate admin. 

After getting access to the victim’s business profile the malware steals advertising limits, credit card details, client lists, currency, payment cycle, and more sensitive details, and finally, the stolen data is exfiltrated through Telegram bots when the malware exits or crashes. 

The phishing campaign operates on an infinite loop in the background which allows continuous exfiltration of new cookies and any update to the victim’s Facebook account. The motive is to interact with the victim’s account, and ultimately create an email account managed by the hacker with the highest privilege role; that is, admin access and finance editor roles.

Cyber-attacks on Port of Los Angeles Doubled Since Pandemic

 

According to recent research, one of the world's biggest ports has witnessed an unusual spike in cyber-attacks since the outbreak began. The Port of Los Angeles' executive director, Gene Seroka, told the BBC World Service over the weekend that the facility receives roughly 40 million attacks every month. 

"Our intelligence shows the threats are coming from Russia and parts of Europe. We have to stay steps ahead of those who want to hurt international commerce. We must take every precaution against potential cyber-incidents, particularly those that could threaten or disrupt the flow of cargo,” he further added. 

Ransomware, malware, spear phishing, and credential harvesting attacks appear to be among the threats aimed against the facility, which is the busiest in the Western Hemisphere. The goal seems to harm the US economy in many situations, however, profits through extortion and data theft will also be a factor. 

Such dangers, if not adequately managed, can potentially exacerbate COVID-era supply chain snarls. Seroka said that port blockages will not be cleared completely until next year, even though the number of container ships waiting more than two days to offload has reportedly reduced from 109 in January to 20 today. 

"The past two years have proven the vital role that ports hold to our nation's critical infrastructure, supply chains and economy. It's paramount we keep the systems as secure as possible," Seroka expressed. 

The challenge is so acute that the port established one of the world's first Cyber Resilience Centers in collaboration with the FBI. It provides a single site for port stakeholders such as shipping corporations to receive, evaluate, and exchange threat intelligence. 

Ports have become such a popular target for cyber-criminals, particularly those aiming to undermine operations and extort businesses, due to their strategic significance to global trade.

Google Drive & Dropbox Targeted by Russian Hackers

The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems.

In recent efforts targeting Western diplomatic stations and foreign embassies globally between early May and June 2022, the threat group APT29 also known as Cozy Bear or Nobelium has embraced this new strategy. However, the phishing documents included a link to a malicious HTML file that was used as a dropper for other harmful files, including a Cobalt Strike payload, to enter the target network.

Google and DropBox were alerted about the operation by Palo Alto Networks, and they took measures to restrict it. Organizations and governments have been cautioned by Unit 42 researchers to maintain a high state of alert. Organizations should be cautious about their capacity to identify, inspect, and block undesirable traffic to legitimate cloud storage providers in light of APT 29's new methods.

APT29, also known as Cozy Bear, Cloaked Ursa, or The Dukes, is a cyber espionage organization that seeks to gather information that supports Russia's geopolitical goals. It also carried out the SolarWinds supply-chain hack, which resulted in the compromising of several US federal agencies in 2020.

The use of cloud services like Dropbox and Google Drive to mask their activity and download further cyberespionage into target locations is what has changed in the most recent versions. According to reports, the attack's second version, seen in late May 2022, was further modified to host the HTML dropper in Dropbox.

According to reports, the attack's second version, seen in late May 2022, was further modified to host the HTML dropper in Dropbox.

The findings also line up with a recent statement from the Council of the European Union that "condemns this appalling behavior in cyberspace" and highlights the rise in hostile cyber actions carried out by Russian threat actors.

In a news release, the EU Council stated that "this increase in harmful cyber actions, in the context of the war against Ukraine, presents intolerable risks of spillover effects, misinterpretation, and possible escalation."







Albania's Government Networks Were Disabled Amid Cyberattack

 

According to a report from the Albanian National Agency for the Information Society, a cyberattack from an anonymous source led the Albanian government to shut down the websites of the prime minister's office and the parliament. 

Most Albanian nationals and tourists from other countries utilize the e-Albania website, which currently acts as a hub for several formerly operational civil state offices. 

According to the Albanian National Agency for the Information Society (AKSHI), "we have been compelled to shut down government systems to survive these unprecedented and dangerous strikes until the enemy attacks are neutralized."

Only a few crucial services, like online tax filing, are still operating since they are provided by servers that were not targeted in the attack, while the majority of desk services for the public were disrupted.

Both the duration of the government systems' downtime and the identity of the cyberattack's perpetrator are unknown. According to Albanian media, the attack was comparable to those targeting critical systems in Ukraine, Belgium, Malta, Netherland, Germany, Lithuania, and Belgium.

While there have been instances of 'independent hacker groups' attacking countries in the past, Oliver Pinson-Roxburgh, CEO of cybersecurity platform Defense.com, said it is unlikely that such a group would be able to operate on this scale.

The report states that due to the early detection, the government's essential systems were able to shut down safely and they are all "backed-up and safe."

It said that to resolve the issue and 'restore normalcy,' Albanian officials were working with Microsoft and Jones Group International experts.



Proofpoint Analysis : APT Groups Target Journalists


APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalist

Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.

Mantis Botnet Behind Largest HTTPS DDoS Attack Targeting Cloudflare Users

 

A botnet called Mantis has been linked to record-breaking assaults targeting nearly 1,000 Cloudflare customers. 

In June 2022, DDoS mitigation firm Cloudflare disclosed that it successfully thwarted a record-breaking DDoS attack of 26 million requests per second. Just a couple of months earlier in April, Cloudflare also mitigated a previous record-breaking attack of 15.3 million requests per second. Mantis has now been linked to both attacks. 

For the attacks, the majority of traffic originated from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks. In the past month alone, over 3,000 HTTP DDoS attacks have been launched against Cloudflare customers.

While previous record-setting DDoS attacks have predominately been generated from botnets that have exploited the rapid proliferation of IoT devices, the latest assaults have increased their intensity by exploiting far more powerful devices. 

Cloudflare’s Product Manager Omer Yoachimik stated that the attack last month “originated mostly from cloud service providers as opposed to residential internet service providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack—as opposed to much weaker Internet of Things devices.” 

In one attack on an unnamed customer last month, more than 212 million HTTPS requests were generated from over 1,500 networks across 121 countries in under 30 seconds. 

The most impacted industry verticals include internet and telecom, media, gaming, finance, business, and shopping, of which over 20% of the attacks targeted U.S. firms, followed by Russia, Turkey, France, Poland, Ukraine, the U.K., Germany, the Netherlands, and Canada. 

According to Cloudflare researchers, the botnet is identical to the shrimp and is less than 10cm in length. Despite being so small, the claws of mantis shrimps can generate a shock wave with a force of 1,500 Newtons at speeds of 83 km/h from a standing start. 

“The Mantis botnet operates a small fleet of approximately 5,000 bots, but with them can generate a massive force — responsible for the largest HTTP DDoS attacks we have ever observed,” explained Yoachimik.

North Korean Hackers Employ H0lyGh0st Ransomware to Target Businesses

 

Researchers from Microsoft’s Threat Intelligence Center (MSTIC) this week claimed that the North Korean hackers are employing the H0lyGh0st ransomware to target small and midsize businesses worldwide. 

The hacking group, which calls itself H0lyGh0st and is tracked by Microsoft as DEV-0530, has been employing ransomware since at least June 2021 and has successfully exploited multiple businesses since September 2021. 

The activities of DEV-0530 are similar to other ransomware gangs out there. The group engages in double extortion, threatening to publish personal data stolen from victims unless a ransom is paid. 

In recent years, North Korean hackers have siphoned hundreds of millions of dollars from foreign businesses to help their country which is struggling economically due to the U.S. sanctions and the COVID-19 pandemic. However, it is equally possible that the hackers are employing ransomware for personal gain, which could explain an “often-random selection of victims.” 

According to Microsoft, the activities of DEV-0530 are partially linked to a group known as Plutonium (also known as DarkSeoul or Andariel). Both groups have been spotted operating from the same infrastructure, employing custom malware controllers with similar names, and emailing accounts belonging to each other. 

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” Microsoft says. 

The researchers also identified that the hacker’s activities are consistent with the UTC+9 time zone employed in North Korea. DEV-0530’s first malicious payload was spotted in June last year, BLTC_C.exe, which was classified as SiennaPurple, despite its lack of complexity compared to other variants in the same ransomware family. More powerful derivatives of the malware were released later, between October 2021 and May 2022, and were based on the Go programming language. 

In November 2021 DEV-0530 successfully exploited several small-to-midsized businesses in the manufacturing, finance, education, and event and meeting planning sectors in multiple nations. Likely opportunistic, the attacks exploited vulnerabilities such as CVE-2022-26352 on public-facing web assets for initial access. 

Subsequently, the hackers would steal “a full copy of the victims’ files” and then shift to encrypt the contents on the system, appending the .h0lyenc extension to impacted files. In addition to dropping a ransom note, the attackers emailed the victim to inform them that their data was stolen and encrypted by H0lyGh0st. 

“Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims,” Microsoft researchers explained.