Today, our personal lives, work lives, and finances are gravitating towards the world of electronic media, mobile computing, and the internet. However, this widespread shift brings a greater risk of fraud, malicious attacks, and privacy invasions. Hence, staying abreast of the latest phishing and breach-related news is the first step toward ensuring a strong cybersecurity posture. Here are this week’s updates.
Researchers Warn Iranian Hackers Are Spying On Journalists And Government Officials
Cybersecurity researchers recently discovered an Iranian state-sponsored hacking group that has been actively targeting journalists, government officials, academics, and opposition leaders worldwide for the last seven years.
Cybersecurity firm Mandiant published research that states that APT42, the advanced persistent threat group, has links to Iranian intelligence services. Researchers confirmed about 30 cyber operations by APT42 since 2015 (the exact number can be higher). In one of the operations, the hacking group targeted the pharmaceutical sector during the onset of COVID-19. At the same time, it pursued foreign and domestic opposition groups before the recent Iranian presidential elections.
While researchers cannot ascertain the size of the group, they confirmed that it is well resourced, because there is evidence of APT42 actors procuring new infrastructure frequently and carrying out surveillance and credential harvesting operations.
Interestingly, Albania announced (on the same day as the Mandiant report) that it was expelling Iranian embassy staff and cutting diplomatic ties with Iran. The Albanian government websites suffered a cyberattack two months ago, which they believe was carried out by Tehran.
After the announcement, Albania became the first NATO country to cut off diplomatic ties with Iran in response to a cyberattack.
Shopify Fails to Prevent Known Breached Passwords
According to a report, Shopify, the eCommerce provider, uses a weak password policy on the customer-facing portion of its website. It states that Shopify requires its customers to create a password at least five characters long that does not contain a space at the beginning or end.
Specops researchers analyzed a billion passwords known to have suffered a breach and discovered that 99.7% of the passwords adhered to Shopify requirements. The report adds that while the findings do not suggest that Shopify customers’ passwords were breached, they underscore the dangers of using weak passwords. Thus, the fact that numerous passwords comply with Shopify’s minimum password requirements is a worrying reminder for Shopify customers.
A Hive Systems study echoed the dangers of creating weak passwords. Researchers examined the time required to brute-force passwords of different lengths and varying complexity levels. According to the findings, hackers can crack a five-character password instantaneously, regardless of complexity. Thus, the ease with which cybercriminals can brute-force shorter passwords must compel organizations to require complex passwords at least 12 characters long.
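To make the two policies concrete, the following added example (not from the report or from Shopify) encodes the minimum policy described above beside a 12-character policy and measures how much of a constructed "known breached" list each one would still accept. The breached list and the complexity thresholds are this example's own assumptions, not the Specops data.

```python
import re

# Constructed sample of breached passwords (assumption: stands in for a
# real breach corpus such as the one Specops analyzed).
BREACHED_PASSWORDS = {
    "123456", "password", "qwerty", "iloveyou", "abc123",
    "letmein", "welcome1", "admin", "football", "monkey",
}

def meets_weak_policy(pw: str) -> bool:
    """The minimum policy described in the report: at least five
    characters, no space at the beginning or end."""
    return len(pw) >= 5 and pw == pw.strip(" ")

def meets_strong_policy(pw: str) -> bool:
    """A 12-character minimum with at least three character classes
    (the class threshold is this example's choice)."""
    if len(pw) < 12:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    return sum(bool(re.search(c, pw)) for c in classes) >= 3

def is_breached(pw: str) -> bool:
    """Reject anything already present in the breached set."""
    return pw in BREACHED_PASSWORDS

def evaluate(pw: str) -> dict:
    """Run all three checks so a signup form can report each reason."""
    return {
        "weak_policy": meets_weak_policy(pw),
        "strong_policy": meets_strong_policy(pw),
        "breached": is_breached(pw),
    }

def breached_share_passing(policy) -> float:
    """Fraction of the breached list that a policy would still accept;
    the report's equivalent figure for the weak policy was 99.7%."""
    accepted = sum(1 for pw in BREACHED_PASSWORDS if policy(pw))
    return accepted / len(BREACHED_PASSWORDS)
```

On the constructed list every entry passes the five-character policy and none passes the 12-character one, which is the point the report makes with real data.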
QNAP Warns About DeadBolt Attacks Which Exploit Zero-Day Vulnerabilities
QNAP warned customers about the DeadBolt ransomware attacks that exploit a zero-day vulnerability in the Photo Station and encrypt NAS devices connected to the internet.
About the attack
- The operators exploit the zero-day to encrypt the infected systems’ content.
- Once the device gets encrypted, the ransomware renames the encrypted files and replaces the QNAP NAS login page with a warning message.
- The hijacked QNAP login screen shows a ransom note that demands a $1,277 payment to receive a decryption key for recovering the files.
- The ransom note includes a link pointing to a webpage that asks for a $212,000 payment to display technical details of the zero-day vulnerability in QNAP NAS.
- Furthermore, the attackers have put the QNAP master decryption key on sale for 50 BTC, allowing the ransomware family’s victims to decrypt their files for a fee.
QNAP patched the security flaw, but the attacks continue. The Taiwanese vendor confirmed the widespread nature of the attacks, citing increased submissions of samples to the ID Ransomware service.
Attackers Sell Classified NATO Documents On Dark Web After Stealing From Portugal
The Portuguese agency EMGFA (the Armed Forces General Staff of Portugal) recently suffered a cyberattack in which attackers stole classified NATO documents and offered them for sale on the dark web.
The Estado-Maior-General das Forças Armadas or EMGFA is Portugal’s supreme military body responsible for planning, controlling, and commanding the Portuguese Armed Forces. The Portuguese news outlet Diário de Notícias reported, “The EMGFA, commanded by Admiral Silva Ribeiro, the Chief of Staff, became a victim of an unprecedented and prolonged cyberattack, resulting in the exfiltration of classified NATO files.”
News agency sources consider the security breach grave because numerous confidential documents forwarded by NATO to Portugal were up for sale on the darknet. “It was an undetectable and prolonged cyberattack, using bots designed to detect such documents, which got removed in several stages later,” explained a source.
The cybercriminals published samples of the documents online as proof of the hack. US Information Services spotted the documents and immediately alerted the US embassy in Lisbon, which in turn alerted the Portuguese authorities.
The US Recovers $30 Million that Lazarus Hackers Stole from Axie Infinity
The US government seized cryptocurrency tokens worth $30 million stolen by ‘Lazarus,’ the North Korean threat group. The attackers stole it from Axie Infinity, the token-based ‘play-to-earn’ game, earlier in the year.
The US government took the help of FBI agents and blockchain analysts and announced the retrieval during the AxieCon event. The event hosts described it as a community achievement completed through collaboration between private entities and multiple law enforcement agencies. The Chainalysis report said that it was the first time any agency had seized stolen cryptocurrency from a North Korean hacking group.
The Chainalysis Crypto Incident Response team played a key role in the seizures, using advanced tracing techniques and following the stolen funds to their cash-out points. Furthermore, it liaised with industry players and law enforcement to quickly freeze the funds.
The seized money will move into Axie Infinity’s treasury and, eventually, to the players’ community. But, the game’s publishers said the process might take several years.
Snake Keylogger Attacks IT Firm in the US
Researchers spotted a new malspam campaign containing Snake Keylogger that used phishing emails sent to corporate IT organizations’ managers.
How does the campaign work?
According to Bitdefender, the hackers used IP addresses from Vietnam in the attack. The phishing emails targeted thousands of inboxes in the US. The cybercriminals spoofed the corporate profile of a Qatari cloud and IT service provider and fooled the victims into opening a ZIP archive attached to the emails. The archive contained an executable (CPMPANY PROFILE[.]exe) that installed the payload on the host system and exfiltrated the stolen data over SMTP.
About Snake Keylogger
Snake Keylogger (or 404 Keylogger) is an information stealer that harvests sensitive data, including clipboard contents, from compromised systems. It is also capable of keystroke logging and taking screenshots. Security researchers first spotted the stealer in late 2020, when it was available on underground marketplaces for a small price that depended on the level of service the customer demanded.
Latest Phishing Campaign Spoofs Avanan
Spoofing brands is a common form of phishing. Also called brand impersonation, it aims to exploit an organization’s recognition and goodwill to accomplish two things:
- Fool security protocols and enter the inbox.
- Fool victims into sharing personal credentials.
Researchers at Avanan recently discovered a malicious campaign that spoofed their brand. The email contained a link that led to a credential harvesting page. Some of the emails were more convincing than others, but aware users could have easily spotted the campaign because the email address had nothing to do with Avanan. The email address mentioned “unread aviation emails,” which doesn’t make sense in the context.
Although brand impersonation is on the rise, the company’s post notes that if you receive a similar email claiming to come from Avanan, it is a good idea to double-check.
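The two tells the researchers describe, a display name that claims the brand while the sender domain is unrelated and a link that leads elsewhere, can be checked mechanically. The following added example (not Avanan's code) parses a constructed message built to resemble that pattern; the brand allow-list and all domains in it are placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the campaign): the display name
# claims the brand, the sender domain is unrelated, and the link leads
# to a credential-harvesting host. All domains are placeholders.
SAMPLE_EMAIL = """\
From: "Avanan Security" <noreply@aviation-mail.example.net>
To: user@example.com
Subject: You have 3 unread aviation emails
Content-Type: text/plain

Sign in to read your messages: http://login.example-harvest.invalid/auth
"""

# Brand -> domains it legitimately sends from (assumed allow-list).
BRAND_DOMAINS = {"avanan": {"avanan.com"}}

def registrable_domain(host: str) -> str:
    # Crude: keep the last two labels. Production code should consult
    # the public suffix list instead.
    return ".".join(host.lower().split(".")[-2:])

def check_brand_impersonation(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means no mismatch."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"])
    sender_domain = registrable_domain(addr.split("@")[-1])
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and sender_domain not in domains:
            findings.append(
                f"display name claims {brand} but sender is {sender_domain}")
            body = msg.get_body(preferencelist=("plain",)).get_content()
            # Flag every link whose domain is not one the brand owns.
            for url in re.findall(r"https?://[^\s<>]+", body):
                link_domain = registrable_domain(urlparse(url).hostname or "")
                if link_domain not in domains:
                    findings.append(
                        f"link {url} resolves to {link_domain}, not {brand}")
    return findings
```

The same check is silent when the sender domain is on the brand's allow-list, so it complements rather than replaces SPF, DKIM, and DMARC evaluation.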
Chinese Attackers Target Government Officials in Europe, Middle East, and South America
A Chinese hacking group has been linked to a phishing campaign that infected government officials’ systems in Europe, the Middle East, and South America with a sophisticated malware called PlugX.
According to the cybersecurity firm Secureworks, the intrusions started in June and July 2022, demonstrating the adversary’s continued focus on infiltrating government systems worldwide.
“PlugX, the modular malware, contacts a C2 (command and control) server for tasking and downloads additional plugins to enhance the capability beyond information gathering,” Secureworks’ CTU (Counter Threat Unit) said in a report. The researchers estimate that the China-based threat actor has been active since July 2018 and likely leverages publicly available and proprietary tools to collect data and compromise its targets.
The group is also known by other names, including HoneyMyte, Red Lich, Mustang Panda, and TEMP.Hex. One of its primary tools is PlugX, a remote access trojan widely shared among Chinese adversaries.