The interplay between victim and attacker is like a cat-and-mouse game in which both sides perpetually learn and adapt, each drawing on knowledge of the other’s motives and on creativity, which in turn drives new and effective phishing protection strategies and practices. Individuals and organizations can build a dynamic, intelligence-driven approach to cybersecurity by following the latest trends in the threat landscape. Here are this week’s phishing and data breach updates.
The ‘0ktapus’ Threat Group Launches a Phishing Campaign Targeting 130 Firms
Over 130 organizations were entangled in a sophisticated phishing campaign that spoofed multi-factor authentication systems. The phishing attacks that targeted Cloudflare and Twilio employees are related to a sophisticated campaign that compromised 9,931 accounts at over 130 enterprises. The campaigns targeted users of Okta, the identity and access management firm, earning the threat actors the name ‘0ktapus.’
The threat actors sent text messages to victims containing links to phishing sites that resembled the Okta authentication page. Their primary goal was to obtain the victims’ multi-factor authentication (MFA) codes and Okta identity credentials. 114 US-based firms were impacted by the breach, with additional victims from 68 countries. The threat actors had earlier targeted telecommunications companies and mobile operators and might have collected the victims’ mobile numbers there.
Chinese Hackers Carry Out Cyber Espionage Attacks Using ScanBox Framework
A Chinese nation-state group undertook a month-long cyber espionage campaign targeting several organizations with reconnaissance malware to gain sensitive information about the victims and meet its strategic goals.
Proofpoint, the enterprise security firm, said that the targets of the attack spanned Europe, Australia and Malaysia, including firms operating in the South China Sea. The campaign was broad, encompassing federal and local Australian government agencies, Australian news media companies, and heavy industry manufacturers involved in wind turbine fleet maintenance in the South China Sea.
Researchers at Proofpoint linked the campaigns to a threat actor they track as TA423 and Red Ladon, also known as APT40 and Leviathan. APT40 is a China-based, espionage-motivated threat group active since 2013, displaying a pattern of striking organizations in the Asia-Pacific region with a focus on the South China Sea. In July 2021, the U.S. government tied the adversarial collective to China’s MSS (Ministry of State Security).
The researchers added, “The threat actor posed as an employee of the fictional media house ‘Australian Morning News,’ offering a URL to the spoofed domain. It solicited the targets to view the website or send research content the website would publish.”
Attackers Use James Webb Space Telescope’s Image to Deliver Malicious Payload
A Golang-based malware campaign, GO#WEBBFUSCATOR, leveraged NASA’s deep field image taken with the James Webb Space Telescope (JWST) as bait to deploy payloads on infected systems.
Securonix recently revealed that threat actors are increasingly adopting Go, owing to the programming language’s cross-platform support, which allows them to leverage a common codebase and target various operating systems. Additionally, Go binaries can make reverse engineering more challenging than malware written in languages like C++ or C#.
Victims receive phishing emails that contain a Microsoft Office attachment that acts as an entry point for the attack. If the user opens it, the attachment retrieves an obfuscated VBA macro.
The execution of the macro downloads an image file “OxB36F8GEEC634.jpg” that, when viewed, shows the First Deep Field image captured by JWST, but when inspected in a text editor it turns out to be a Base64-encoded payload.
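A defender can catch this trick by classifying a downloaded “image” by its bytes rather than its file extension. The following is an added example, not code from Securonix or the original page; the check on whether the decoded blob carries an executable header goes beyond what the page describes, and the sample files are constructed.

```python
import base64
import binascii
import re
from pathlib import PurePath

# Leading bytes a genuine file of each image type must start with.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Base64 alphabet plus the line breaks a wrapped blob may contain.
BASE64_TEXT = re.compile(rb"^[A-Za-z0-9+/=\s]+$")

def classify_image_download(name: str, data: bytes) -> str:
    """Classify a downloaded 'image' by its content, not its extension:
    'image'             content matches the type the extension claims
    'base64-text'       content is a Base64 blob, the GO#WEBBFUSCATOR pattern
    'base64-executable' that blob decodes to a PE (MZ) or ELF header
    'unknown'           anything else (not an image, not valid Base64)"""
    ext = PurePath(name).suffix.lower().lstrip(".")
    if any(data.startswith(magic) for magic in IMAGE_MAGIC.get(ext, ())):
        return "image"
    if data and BASE64_TEXT.match(data):
        try:
            decoded = base64.b64decode(b"".join(data.split()), validate=True)
        except binascii.Error:
            return "unknown"
        if decoded.startswith((b"MZ", b"\x7fELF")):
            return "base64-executable"
        return "base64-text"
    return "unknown"

# Constructed samples (not the real campaign files): a genuine JPEG header, and a
# ".jpg" that is really wrapped Base64 text hiding an MZ header, as in the campaign.
SAMPLE_REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16
SAMPLE_FAKE_JPG = base64.encodebytes(b"MZ\x90\x00" + b"\x00" * 60)  # wrapped at 76 chars
```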
7.5M Users of a Russian Streaming Platform Become Victims of a Data Breach
‘START’ (start.ru), a Russian media streaming platform, recently confirmed rumors of a data breach that impacted millions of users.
The platform’s administrators said that the threat actors stole a 2021 database containing email addresses, usernames and phone numbers from its servers and are now publishing samples online. START believes the data is of little use to cybercriminals because it cannot be used to take over accounts.
Browsing history, financial information, user passwords and bank card data were not affected because they were not present in the database. START’s Telegram statement mentioned that the vulnerability had been fixed and access to the compromised data had been closed. The firm urged users to change their passwords as an additional safety measure. Reports suggest that at least 7.5 million user accounts were affected by the breach.
CEO’s Email Hacked, Hackers Dupe Leading Firm in India of about $68,000
Cyber adversaries hacked a CEO’s email account and duped his company of about $68,000 between August 24 and August 26. The multinational company, a manufacturer of paper cup products, is located at Talegaon in Pune. The 46-year-old complainant is an employee of the firm and handles its financial transactions, according to police.
A cybercriminal hacked into the CEO’s email account and sent emails to the accounts department instructing it to transfer the amount to an unknown account. The complainant said he received an email from the CEO’s official email ID asking him to transfer money from the firm’s bank account to another account. The employee followed the instructions and transferred the amount.
Police suspect the CEO’s email account was hacked because, when the complainant informed her about the payment, she denied sending the email and asked him to contact the bank to stop the transactions. The employee had transferred the amount in five separate bank transactions to the account number allegedly provided by the CEO.
Chrome Extensions With 1.4 Million Installs Steal Browsing Data
McAfee threat analysts recently found five Google Chrome extensions that track and steal users’ browsing activity. The extensions have been downloaded over 1.4 million times collectively.
The malicious extensions monitor the users’ activity, such as visits to e-commerce websites. They then modify the visitor’s cookies so it appears the visitor arrived through an affiliate referrer link, and the extensions’ authors collect an affiliate fee for purchases at those online shops. The five extensions are:
- Netflix Party – 800,000 downloads
- Netflix Party 2 – 300,000 downloads
- Full Page Screenshot Capture – Screenshotting – 200,000 downloads
- FlipShope – Price Tracker Extension – 80,000 downloads
- AutoBuy Flash Sales – 20,000 downloads
All five extensions that McAfee discovered share the same behavior:
- The web app manifest (“manifest.json” file) dictates how the extension behaves on the system
- It loads a multifunctional script (B0.js)
- The script sends the browsing data to a malicious domain controlled by attackers (“langhort[.]com”).
To evade detection and confuse vigilant users or researchers, some of the extensions wait 15 days after installation before they start forwarding browsing activity.
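Because the manifest dictates what an extension may do, a quick manifest audit surfaces the combination McAfee describes: a script loaded on every site, cookie access, and a reference to the reporting domain. This is an added example, not McAfee’s tooling or any real extension’s manifest; the sample manifest is constructed, and the only real indicator in it is the langhort[.]com domain named above.

```python
import json
from typing import Dict, List

# Domain named in the McAfee analysis (written defanged on the page as langhort[.]com).
KNOWN_BAD_DOMAINS = {"langhort.com"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension watch browsing or rewrite cookies.
SENSITIVE_PERMS = {"cookies", "tabs", "webNavigation", "webRequest", "scripting"}

def loaded_scripts(manifest: Dict) -> List[str]:
    """Every script path the manifest asks the browser to load, deduplicated."""
    scripts: List[str] = []
    for cs in manifest.get("content_scripts", []):
        scripts.extend(cs.get("js", []))
    background = manifest.get("background", {})
    scripts.extend(background.get("scripts", []))       # manifest v2 style
    if "service_worker" in background:                  # manifest v3 style
        scripts.append(background["service_worker"])
    return list(dict.fromkeys(scripts))

def audit_manifest(manifest: Dict) -> List[str]:
    """Return human-readable findings for one extension manifest."""
    findings: List[str] = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # v2 put hosts here
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("runs on every site: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if "cookies" in perms and perms & (SENSITIVE_PERMS - {"cookies"}):
        findings.append("can observe browsing and rewrite cookies: "
                        + ", ".join(sorted(perms & SENSITIVE_PERMS)))
    text = json.dumps(manifest).lower()
    findings.extend(f"references known-bad domain {d}" for d in sorted(KNOWN_BAD_DOMAINS) if d in text)
    if loaded_scripts(manifest):
        findings.append("loads scripts: " + ", ".join(loaded_scripts(manifest)))
    return findings

# Constructed sample (not any real extension's manifest), shaped like the behaviour
# McAfee describes: one script, cookie access, permission to run on every site.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Party", "version": "1.0",
  "permissions": ["cookies", "tabs", "storage"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "B0.js"},
  "content_scripts": [{"matches": ["https://*/*"], "js": ["B0.js"]}],
  "externally_connectable": {"matches": ["https://langhort.com/*"]}
}""")
```

Pointing `audit_manifest` at the `manifest.json` of each directory under a Chrome profile’s Extensions folder gives a first-pass triage list; a clean manifest returns no findings.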
Malicious Actors Use ModernLoader and Infect Systems with Cryptominers and Stealers
Cisco Talos discovered at least three related campaigns from March to June 2022 that delivered a variety of malware, including RedLine Stealer, ModernLoader, and cryptocurrency miners, to compromised systems.
Researcher Vanja Svajcer of Cisco Talos recently shared that the threat actors used .NET assemblies, HTA and VBS files and PowerShell to spread across a targeted network, injecting malware like SystemBC trojan and DCRat.
The malicious implant ModernLoader provides attackers with remote control of the victim’s machine and enables them to deploy additional malware or steal sensitive information. Cisco Talos attributed the infections to a previously undocumented Russian-speaking threat actor, citing the use of unique tools. Its potential targets included Eastern European users in Poland, Hungary, Bulgaria, and Russia.
Infection chains discovered by Cisco Talos involve attempts to compromise web applications like cPanel and WordPress to distribute the malware through files masquerading as Amazon gift cards.
Data of Over 2.5M Student Loan Accounts Exposed in Nelnet Servicing Breach
Data of over 2.5 million individuals with student loans from EdFinancial and the Oklahoma Student Loan Authority (OSLA) was exposed after cybercriminals breached the systems of Nelnet Servicing, a technology services provider.
OSLA and EdFinancial use technology services from Nelnet Servicing to give students online access to their loan accounts.
The hackers compromised the organization’s network after exploiting a vulnerability. Nelnet Servicing informed OSLA and EdFinancial about the breach, and they are notifying their customers. Although Nelnet says it blocked the cyberattack as soon as it discovered the breach, the investigation results show that hackers might have accessed student loan registration information. The exposed data includes:
- Full name
- Physical address
- Email address
- Phone number
- Social Security Number
However, no financial account numbers or payment information were exposed during the security incident. EdFinancial clarified that it does not host all its clients on Nelnet Servicing; hence not all students are impacted by the data breach. Attackers with access to the above information may engage in social engineering, impersonation, phishing attacks, and various scamming schemes.