Not a day goes by when one does not read a headline about an organization suffering a data breach, putting the business, customers, and partners at risk. Staying updated about the latest data breaches and using phishing protection can help prevent such incidents.. Here is a summary of the latest phishing and breach-related news this week.
SEO Poisoning Campaign Redirects Search Engine Visitors To Javascript Malware
Security researchers recently discovered a high-effort SEO poisoning campaign targeting employees from government sectors and multiple industries when they search for specific terms relevant to their work. When they click on the malicious search results (artificially pushed higher in ranking), the visitors get redirected to a JavaScript malware downloader.
According to a report by security firm Deepwatch, the campaign may be influenced by a foreign intelligence service. The researchers discovered that the threat actors created blog post titles that foreign intelligence services may be interested in, for example, “Confidentiality Agreement for Interpreters.”
How SEO poisoning works
Deepwatch researchers discovered the campaign while investigating an incident in which
- An employee Google searched “transition services agreement” and got redirected to a website that appeared to be a forum thread.
- A user shared a zip archive link on the malicious website with the victim that contained an “Accounting for transition services agreement”.js (JavaScript) file.
- The extension was a variant of a malware downloader, Gootloader, known to deliver remote access Trojan and other malware payloads.
APT41 Threat Actors Target Pharma, Healthcare With Spear-Phishing, And Supply Chain Campaigns
A new Cybersecurity Coordination Center alert by the Department of Health and Human Services warns that APT41 threat actors continue to target the healthcare sector. APT41 is a Chinese state-sponsored group with a history of targeting the pharmaceutical and high-tech industries and has been actively tracked by researchers since 2012.
The group frequently uses spear-phishing, supply chain attacks, water holes, and backdoors to gain unauthorized network access and insights into the specific industry. Researchers believe the group also uses keylogging screenshots to download files, code injection, connect and query SQL databases, and steal clipboard data.
APT41 uses various private and public malware to establish a foothold before escalating privileges using custom tools to steal credentials. Afterward, the actors use the credentials for internal reconnaissance and move laterally through weak RDP, stolen credentials, brute-forcing utilities, and adding admin groups. The group relies on backdoors to maintain a presence on the victim’s network and creates a RAR archive to exfiltrate and remove evidence.
NPM Packages Utilized by Crypto Exchange Compromised
Recent research suggests that various npm packages published by dYdX and used by around 44 cryptocurrency projects may have been compromised. dydX is a decentralized exchange platform powered by the Ethereum blockchain that offers trading options for more than 35 popular cryptocurrencies, including Ether (ETH) and Bitcoin (BTC).
Maciej Mensfeld, creator of Diffend.io and security researcher at the supply chain security firm Mend, reported encountering multiple compromised npm packages that were covertly installing info stealers. Although the exact cause of the compromise is not yet determined, a dYdX crypto platform employee might have published the packages in question. The packages are:
- @dydxprotocol/solo – versions 0.41.1, 0.41.2
- @dydxprotocol/perpetual – versions 1.2.2, 1.2.3
- An earlier advisory claimed that the ‘@dydxprotocol/node-service-base-dev’ package was also affected but withdrawn.
The affected packages comprise the “Ethereum TypeScript and Smart Contracts library utilized for the dYdX Solo Trading Protocol.”
Microsoft SQL Servers Hacked In FARGO Ransomware Attacks
Security researchers are warning that attackers are targeting Vulnerable Microsoft SQL servers with a new wave of attacks using the FARGO ransomware. MS-SQL servers are the popular database management systems storing data for internet apps and services. Disrupting them can cause serious business trouble.
Infection and execution
- The ransomware infection starts when the MS-SQL process on the victim’s machine downloads a .NET file using powershell.exe. and cmd.exe.
- The payload fetches additional malware and generates and runs a BAT file, thus terminating specific processes and services.
- Next, the malicious payload infects AppLaunch.exe, a legitimate Windows process, and tries deleting the registry key for the open-source ransomware called Raccine.
- Additionally, the malware runs the recovery deactivation command, terminating database-related processes and making their contents available for encryption.
- The FARGO ransomware strain excludes specific software and directories from encryption, preventing the infected system from becoming completely unusable.
- After the encryption, the locked files get renamed using the “.Fargo3” extension, and the FARGO malware generates the ransom note (“RECOVERY FILES.txt”).
- Victims are then threatened with leaking the compromised files on the threat actor’s social media profiles unless they pay the ransom.
TikTok Failed to Protect UK Children’s Privacy can Face £27 Million Fine
Social media platform TikTok is staring at a £27 million fine after the UK’s data protection watchdog noted it failed to protect children’s privacy.
On Monday, the Information Commissioner’s Office (ICO) announced that it had issued TikTok a “notice of intent,” a legal document that TikTok can respond to, ahead of a potential fine.
According to the notice, TikTok operated in breach of British data protection laws from May 2018 to July 2020. It processed data belonging to children younger than 13 without appropriate parental consent. Furthermore, the ICO also notified the social media platform that it processed special category data (sensitive user data covering ethnicity, sexuality, and political and religious beliefs) without any legal grounds.
The ICO said the notice’s findings are provisional, and the investigation is preliminary, adding it will carefully consider representations from TikTok before concluding.
John Edwards, UK’s Information Commissioner, said that children must experience the digital world with adequate privacy protections. “Social media companies providing digital services are legally bound to put the protections in place, but according to our provisional view, TikTok fell short of meeting the requirement,” he said in a statement.
Chinese Espionage Hackers Use New LOWZERO Backdoor to Target Tibetans
A China-aligned advanced persistent threat (APT) actor called TA413 targeted the recently disclosed flaws in Microsoft Office and Sophos Firewall to deploy a new backdoor called LOWZERO in an espionage campaign aimed at Tibetan entities.
Victims mainly consisted of businesses associated with the Tibetan community, including those related to the Tibetan government-in-exile. The threat actors exploited the CVE-2022-30190 (or “Follina”) and CVE-2022-1040, two remote code execution vulnerabilities in Microsoft Office and Sophos Firewall, respectively.
LOWZERO, the backdoor, can receive additional modules from its C2 (command-and-control) server, provided it fulfills the condition that the targeted machine is of interest to the threat actor.
TA413, also called LuckyCat, was previously linked to targeting individuals and organizations associated with the Tibetan community since 2020, using malware like Sepulcher, ExileRAT, and a malicious Mozilla Firefox extension dubbed FriarFox.
Threat Actor Leaks French Hospital Patient Data in a Ransom Fight
According to officials, cybercriminals who crippled a French hospital and stole a large amount of data last month recently released patients’ records online. The threat actors demanded a multi-million dollar ransom from the French Corbeil-Essonnes hospital a month ago, which the institution refused to pay.
The hospital said the malicious actors had dumped the patients’ lab analyses, medical scans, and national security numbers. After last month’s attack, the hospital shut down its emergency services and re-routed many patients to other institutions.
At one point, the hospital said the only technology working was the telephone. Rather than selling the confidential data, the hacker dumped some of it for download on the “dark web.” Analysts believe it may be a tactic to pressure the hospital authorities to pay the ransom. French law bans public institutions from paying ransoms.
Yukon Education Department Leaks Student Data Accidentally
An education department worker’s few errant keystrokes exposed the data of over 500 Yukon students, according to a notification accessed by CBC News.
The letter sent to the affected students reads that the breach involves significant risk of harm to their privacy. It further adds that names, email addresses, phone numbers, social insurance numbers, and dates of birth were present.
The leak started when a department employee added an unidentified person’s email address while forwarding a spreadsheet that contained students’ data who had applied for a post-secondary grant program. According to the letter, the staff tried to contact the person, but of little use.
Eventually, the education department contacted the person, said the department’s privacy officer, David McInnis. He added that the recipient got the email due to an auto-fill error. The recipient claims they never opened the email and agreed to delete it.