The potential for a data breach is a key emerging threat that organizations must carefully consider when they plan a post-pandemic operating environment. Staying updated about the latest phishing-related news is their first step towards ensuring a cyber-safe environment. Here are the latest data breach and phishing-related updates of this week.
Research Finds that Attackers Can Infiltrate Systems and Achieve Persistence Using Notepad++ Plugins
New research from Cybereason states that threat actors can abuse Notepad++ plugins to bypass security mechanisms and achieve persistence on targets’ machines. The security firm recently issued an advisory containing a demonstration by the security researcher “RastaMouse,” who used the Notepad++ Plugin Pack (an open-source project) to build a malicious plugin that attackers can use as a persistence mechanism.
The plugin pack is a .NET package for Visual Studio that provides a basic template for creating plugins. APT (advanced persistent threat) groups have previously leveraged Notepad++ for malicious purposes: the advisory notes that the APT group StrongPity in the past distributed a legitimate Notepad++ installer bundled with malicious executables, which gave it persistence across machine reboots.
“This threat actor uses the backdoor to install a keylogger on the compromised system and communicate with a Command and Control (C2) server to send the software’s output.” The advisory contains further information about how the researchers analyzed the Notepad++ plugin loading mechanism and created an attack scenario according to the vector.
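Because a plugin is simply a DLL that Notepad++ loads from its plugins folder, the practical defensive check is an inventory: list every plugin DLL present, hash it, and flag anything not on a reviewed allowlist. The script below is an added example written for this roundup, not code from Cybereason or the advisory. It assumes the per-plugin subfolder layout Notepad++ uses (`plugins\<Name>\<Name>.dll`, typically under `C:\Program Files\Notepad++\plugins`), and the allowlist and the demo folder it builds are constructed placeholders, not real plugin hashes.

```python
"""Inventory Notepad++ plugin DLLs and flag those not on a reviewed allowlist.

Added example (not from the advisory). Assumes the layout plugins/<Name>/<Name>.dll.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    plugin: str    # plugin folder name
    path: str      # full path of the DLL
    sha256: str    # hex digest of the DLL contents
    status: str    # "allowed" | "hash-mismatch" | "unknown-plugin" | "stray-dll"


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large DLLs do not need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_plugins(plugins_dir: str, allowlist: dict[str, str]) -> list[Finding]:
    """Walk plugins/<Name>/ and classify every DLL found there.

    allowlist maps plugin folder name -> SHA-256 of the DLL an admin has reviewed.
    """
    findings: list[Finding] = []
    for name in sorted(os.listdir(plugins_dir)):
        sub = os.path.join(plugins_dir, name)
        if not os.path.isdir(sub):
            continue
        for fname in sorted(os.listdir(sub)):
            if not fname.lower().endswith(".dll"):
                continue
            path = os.path.join(sub, fname)
            digest = sha256_file(path)
            if fname.lower() != f"{name.lower()}.dll":
                status = "stray-dll"            # a DLL that does not match the folder name
            elif name not in allowlist:
                status = "unknown-plugin"       # never reviewed: highest priority for triage
            elif allowlist[name].lower() != digest:
                status = "hash-mismatch"        # known plugin name, but the binary changed
            else:
                status = "allowed"
            findings.append(Finding(name, path, digest, status))
    return findings


def suspicious(findings: list[Finding]) -> list[Finding]:
    """Everything that needs a human look."""
    return [f for f in findings if f.status != "allowed"]


def build_demo_tree() -> tuple[str, dict[str, str]]:
    """Construct a throwaway plugins folder (placeholder data, not real plugins)."""
    root = tempfile.mkdtemp(prefix="npp_plugins_")
    layout = {
        ("GoodPlugin", "GoodPlugin.dll"): b"reviewed plugin bytes",
        ("GoodPlugin", "helper.dll"): b"extra dll dropped next to a good plugin",
        ("Mystery", "Mystery.dll"): b"never reviewed",
    }
    for (folder, fname), content in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, fname), "wb") as f:
            f.write(content)
    # Allowlist contains only the reviewed plugin, keyed by its real content hash.
    allowlist = {"GoodPlugin": hashlib.sha256(b"reviewed plugin bytes").hexdigest()}
    return root, allowlist


def demo() -> list[Finding]:
    """Run the inventory over the constructed tree; returns all findings."""
    root, allowlist = build_demo_tree()
    return inventory_plugins(root, allowlist)


if __name__ == "__main__":
    for f in suspicious(demo()):
        print(f"{f.status:15} {f.plugin:12} {f.path}  {f.sha256[:16]}...")
```

On a real host, point `inventory_plugins` at the installed plugins folder and maintain the allowlist from a known-good image; a new folder appearing there is a change worth correlating with process and file-creation telemetry, since that is exactly the drop a persistence plugin needs.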
Hackers Backdoor a Media Company by Trojanizing Putty SSH Client
In a malicious Amazon job assessment campaign, North Korean hackers used trojanized versions of the PuTTY SSH client to deploy backdoors on victims’ devices. The novel element in the campaign was the use of trojanized builds of the KiTTY and PuTTY SSH utilities to deploy a backdoor, ‘AIRDRY.V2’.
According to a Mandiant technical report, the threat group responsible for the campaign is ‘UNC4034’ (also tracked as “Labyrinth Chollima” or “Temp. Hermit”). The latest activity appears to continue the group’s ‘Operation Dream Job’ campaign from June 2020, this time targeting media companies.
Using the PuTTY SSH client to inject malware:
- The threat actors approach their targets via email containing a lucrative job offer at Amazon.
- Then they continue their communication over WhatsApp, where the victims receive an ISO file (“amazon_assessment.iso”).
- The ISO contains a text file (“readme.txt”) with login credentials and IP address and a malicious version of PuTTY (PuTTY.exe), the popular open-source SSH console application.
- The content of the discussions between the threat actors and victims is not confirmed. The attackers likely asked the victim to open the ISO, connect to the host with the enclosed SSH tool and credentials, and then perform a skills assessment.
Pharmaceutical Giant IPCA Laboratories Suffers a Cyberattack, Loses 500 GB of Crucial Data
One of the largest Indian pharmaceutical enterprises, IPCA Laboratories, became a victim of cybercrime, with the extortion group stealing 500 gigabytes of data from its systems. According to a TechCrunch conversation with the CEO of Technisanct, the RansomHouse cybercrime group accessed IPCA Laboratories’ infrastructure. Furthermore, it appears that the pharmaceutical giant is negotiating with the attackers.
Portions of the stolen data were published on RansomHouse’s leak site, including employee details and sensitive material concerning medical research. The stolen data may also include former employees’ information and internal audit reports.
The pharmaceutical company manufactures over 80 active pharmaceutical ingredients and 350 formulations for making medications and partners with over 120 organizations worldwide. Furthermore, IPCA holds approvals from drug regulatory authorities, including the World Health Organization, the United Kingdom, and the European Union, among others, according to its website. It is unclear if there was a ransom demand by the attackers.
Akamai: Eastern European Organization Targeted Second Time with a DDoS Attack
The CDN (content delivery network) services provider Akamai said it absorbed the largest known distributed denial of service (DDoS) attack against an Eastern European organization, which crossed 700 million packets per second. Although Akamai declined to name the customer, an article by The Register suggests that the threat actors responsible for the record-setting DDoS attacks in July were behind this attack as well. The report adds that this is the second time the same Eastern European organization has been targeted.
The July attack targeted the organization’s primary data center 75 times and peaked at 659.6 Mpps. However, the recent one targeted six global locations 201 times and peaked at 704.8 Mpps, according to Akamai. Primarily, the packets were UDP in both incidents, with 512 IP addresses getting targeted in July and 1,813 in September.
“The [attack] escalated in 60 seconds, with the attackers’ command-and-control (C2) system quickly activating the multi-destination attack.” As Russia’s invasion of Ukraine continues, Russian-aligned groups keep launching DDoS attacks against the corporations and governments they regard as adversaries.
Phishers Target Facebook Page Owners
Malicious actors are trying to trick Facebook page owners with fake notices from Meta (the parent company of Facebook, Instagram, and WhatsApp), attempting to lure them into parting with sensitive information.
They are using a clever method to harvest information: creating a lead generation form with the Meta Ads Manager and placing its link inside the phishing email. Because the link points at a legitimate Facebook domain, it does not raise suspicion and email security solutions do not flag the message as malicious, giving victims a false sense of security.
A cybersecurity researcher at Avanan said their team tracks phishing emails that originate from legitimate sources. Cybercriminals leverage websites, such as Facebook, that are on the allow lists of email security services, so a link to Facebook appears legitimate and is not scanned for further malicious content.
For an alert recipient, several discrepancies show that the emails are not sent by Meta or “Facebook’s Media Operations Team”:
- Stylistic and grammatical mistakes,
- The emails come from an Outlook domain, addressed to “Dear User” (and the specific user),
- Attempt to create a sense of urgency,
- The threat of account disabling.
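Since the embedded link is a genuine Facebook URL, URL reputation alone will not catch this lure; the four discrepancies listed above are what a mail filter or a SOC triage script has to key on instead. The script below is an added example written for this roundup, not code from Avanan or Meta. It parses a raw email with Python’s standard `email` library and reports which of those indicators fire: a message that claims to be from Meta or Facebook but is sent from a consumer Outlook-type domain, a generic “Dear User” greeting, urgency wording, and a threat to disable the account. The sample messages are constructed for the demo, and the freemail domain list and regular expressions are assumptions you would tune for your own mail flow.

```python
"""Heuristic indicators for Facebook/Meta page-owner phishing lures.

Added example (not from Avanan). Keys on content and sender signals because the
link in this lure is a legitimate facebook.com lead form and passes URL allow lists.
"""
from __future__ import annotations

import email
import email.utils
import re
from email import policy

# Assumed tuning values for this demo; adjust for your environment.
BRAND_WORDS = ("meta", "facebook", "media operations team")
FREEMAIL_DOMAINS = {"outlook.com", "hotmail.com", "live.com"}
URGENCY = re.compile(r"\b(immediately|within \d+ hours?|urgent|right away|as soon as possible)\b", re.I)
DISABLE_THREAT = re.compile(r"\b(disabled|suspended|restricted|permanently (?:removed|deleted))\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (?:user|customer|member)\b", re.I | re.M)


def indicators(raw_email: str) -> list[str]:
    """Return the names of the phishing indicators present in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    sender = email.utils.parseaddr(from_hdr)[1]
    domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    blob = f"{msg.get('Subject', '')}\n{text}"

    hits: list[str] = []
    # 1. Claims the Meta/Facebook brand but is sent from a consumer mailbox domain.
    claims_brand = any(w in from_hdr.lower() or w in blob.lower() for w in BRAND_WORDS)
    if claims_brand and domain in FREEMAIL_DOMAINS:
        hits.append("brand-claim-from-freemail-domain")
    # 2. Generic greeting instead of the page owner's name.
    if GENERIC_GREETING.search(text):
        hits.append("generic-greeting")
    # 3. Manufactured urgency.
    if URGENCY.search(blob):
        hits.append("urgency")
    # 4. Threat of losing the account or page.
    if DISABLE_THREAT.search(blob):
        hits.append("account-disable-threat")
    return hits


def is_suspicious(raw_email: str, threshold: int = 2) -> bool:
    """Two or more independent indicators is a reasonable triage threshold (assumption)."""
    return len(indicators(raw_email)) >= threshold


# Constructed sample lure: a Facebook-branded notice sent from an Outlook address.
PHISH_SAMPLE = """\
From: Facebook Media Operations Team <page-policy-notice@outlook.com>
To: owner@example.com
Subject: Your Page violates our Community Standards
Content-Type: text/plain; charset="utf-8"

Dear User,

We detected content on your Facebook Page that violates our policies.
Your Page will be permanently disabled within 24 hours unless you confirm
your details using the verification form linked below.
[placeholder: link to a facebook.com lead-generation form]
"""

# Constructed benign sample: an ordinary notification from Facebook's own mail domain.
BENIGN_SAMPLE = """\
From: Facebook <notification@facebookmail.com>
To: owner@example.com
Subject: Alice commented on your post
Content-Type: text/plain; charset="utf-8"

Hi Owner,

Alice commented on your post. Open Facebook to see the reply.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(sample), indicators(sample))
```

The point of scoring several weak signals together is that no single one is decisive: a genuine Meta notice can carry urgency, and a generic greeting alone is common in legitimate bulk mail. The combination of a brand claim from a consumer mailbox domain with a disable threat is what separates this lure from ordinary page notifications, and it does so without needing the link to look malicious.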
Buenos Aires Legislature: We Suffered a Ransomware Attack
Argentina’s capital city announced it suffered a ransomware attack, saying WiFi connectivity was down and its internal operating systems compromised. In several tweets, the Buenos Aires legislature said the attack started on Sunday (Sep 11, 2022) and compromised the building’s WiFi network and other systems.
According to the statement, the legislature took necessary measures to ensure continuity of work and not interrupt parliamentary work. IT teams were working to restore the WiFi network and bring other systems back online.
The incident was reported to several Argentinean law enforcement agencies. However, the legislature’s website was down as of Tuesday afternoon, and the affected government agencies did not answer about the state of the restoration effort.
Although no ransomware group has taken credit for the incident, Central and South American governments have become targets of several gangs in the past year.
Chinese-Linked Cyber Criminals Siphon Off $529 Million From Indian Nationals
According to the police, Chinese scammers reportedly stole $529 million from Indian nationals using lures of part-time jobs, instant lending apps, and bogus cryptocurrency trading schemes.
Local media reports suggest that the threat actors targeted users through bulk text (SMS) messages that police traced to China. Some operators were located in Nepal, working under the direction of Chinese cyber criminals who set up fake websites and crypto apps to lure in investors.
“The part-time job offers, the instant loan apps, and the crypto trading fraud all have their links to the same hackers from China. Furthermore, they are fully supported by the SMS aggregators,” said a senior police officer.
The threat actors first transferred money from the victims’ accounts to digital wallets and local Indian bank accounts before moving it to Zebpay, the Indian cryptocurrency exchange platform, and Binance. The stolen money was then withdrawn in China, the police officer alleges.
New Attack Unlocks and Starts Tesla Model Y in Seconds: Researchers
Discovered by Josep Pi Rodriguez, principal security consultant at IOActive, the sophisticated vulnerability involves an NFC relay attack and requires two threat actors working in tandem: one thief must be near the car owner and the other near the car. The owner must have a mobile phone with a Tesla virtual key, or an NFC keycard, in their pocket.
NFC keycards allow Tesla owners to unlock and start their vehicles by tapping the card against an NFC reader embedded in the driver-side chassis of the car. Owners can also unlock with a virtual key on their mobile phone or with a key fob, but the car manual advises always carrying the NFC keycard in case the key fob is lost or the phone’s battery dies.
In Rodriguez’s scenario, criminals can steal a Tesla Model Y by positioning themselves within two inches of the owner’s mobile phone or NFC card, for example while it sits in someone’s purse or pocket as they walk down the street, sit at a restaurant, or stand in line at Starbucks.