Traditional cybersecurity measures cannot protect organizations against today’s phishing attacks as they are getting increasingly sophisticated. Thus, enterprises must take a layered approach to prevent cyber-attacks and lessen their impact when they occur. Additionally, they can learn from the latest trends in the cyber threat landscape. Here are this week’s phishing and data breach-related headlines.
Twilio Blames Voice Phishing For Another Hack From June
Cloud communications provider Twilio disclosed another data breach stemming from a security incident in June 2022, in which the same cybercriminals behind the August hack accessed customer information.
Twilio, referring to it as a “brief security incident” on June 29, said the threat actor used social engineering to lure employees into sharing their credentials through a voice phishing attack. The attackers used the stolen credentials “to access contact information for a few customers.” Twilio said it identified and eradicated the threat actor within 12 hours, and notified the customers whose information was affected by the June incident on July 2, 2022.
Twilio added that attackers behind the August breach accessed the personal data of over 209 customers and 93 Authy end users. “They breached an internal non-production system using credentials stolen in an earlier SMS phishing attack.” Twilio has a total customer base of over 270,000 and approximately 75 million Authy end users. After concluding the investigation, Twilio found no evidence of hackers accessing its customers’ API keys, console account credentials, or authentication tokens.
Apple: iOS and macOS Flaw Might Have Allowed Apps to Eavesdrop on Your Siri Conversations
Apple recently patched a flaw in its iOS and macOS operating systems that could have allowed apps with Bluetooth access to eavesdrop on Siri conversations. Apple said in a statement, “an app might record audio using a connected AirPods pair,” adding that it patched the Core Bluetooth issue in the latest iOS 16.1 updates with improved entitlements.
App developer Guilherme Rambo discovered and reported the bug, dubbed SiriSpy, in August 2022; it was later assigned the identifier CVE-2022-32946.
Rambo shared in a blog, “Any app with Bluetooth access can record your audio from the iOS keyboard dictation and conversations with Siri when you are using Beats headsets or AirPods.”
“It can happen without the app requesting you for microphone access permission and without leaving any trace that it was listening to your conversations.”
While the attack requires the app to have Bluetooth access, that requirement is a weak barrier: users who grant Bluetooth access will not expect it to open the door to their dictation audio and Siri conversations.
LinkedIn Phishing Campaign Bypasses Google Workspace Security
A phishing email reportedly from LinkedIn targeted users at a travel organization to steal their credentials on the social media platform. The email had the subject line, “We noticed an unusual activity from your account.”
The phishing campaign passed email authentication checks such as SPF and DMARC and slipped past Google’s email security protocols, claims Armorblox. The email security provider’s system in the victim enterprise discovered and stopped the phishing campaign, which was aimed at 500 user inboxes.
“The main Secure my account (call-to-action) button included in the email contained a malicious URL and took users to a fake landing page. The fake landing page mimicked a genuine LinkedIn sign-in page and included LinkedIn logos, illustrations, and language that mirrored actual LinkedIn branding,” Armorblox shared.
Attackers Launch a New Cryptojacking Campaign Targeting Kubernetes, Docker Cloud Servers
Researchers at CrowdStrike recently discovered a global hacking campaign targeting cloud infrastructure in service of a cryptojacking scheme. The “Kiss-a-Dog” campaign dates back to September, when a CrowdStrike honeypot started gathering signs of attacks targeting vulnerable Kubernetes and Docker instances. The campaign takes its name from the domain kiss[.]a-dog[.]top, which the attackers used to fetch the Python-based malware payload.
It leverages multiple command and control (C2) servers to escape containerized environments and obtain root privileges, using user-mode and kernel rootkits for obfuscation, lateral movement, backdoors, and persistence. After gaining a foothold in a compromised container, the attackers compiled network scanning tools to search for additional cloud servers running Kubernetes and Docker. Researchers said the ultimate goal was to harness the victims’ computing power by installing XMRig and mining cryptocurrency.
Wisconsin School District Attacked by Snatch Ransomware Group
The Snatch ransomware gang recently claimed responsibility for the attack against Wisconsin’s Kenosha Unified School District, which caters to over 20,000 students, according to The Record, a subsidiary of cybersecurity firm Recorded Future.
The group did not divulge details about the types of files or the amount of data stolen in the attack. The Kenosha Unified School District was hit by the attack on September 25. Officials noted that the school district has restored the systems it had taken down as a precaution and sought assistance from a cybersecurity firm and law enforcement in investigating the incident.
The Snatch ransomware gang’s claims on the Kenosha Unified breach come as the Government Accountability Office recently reported that attacks aimed at K-12 schools typically disrupt learning for anywhere from three days to weeks and result in recovery times ranging from two to nine months.
POS Malware Steals Credit Card Numbers Worth $3.3 Million
Cybercriminals used two strains of POS (point-of-sale) malware to steal the personal details of over 167,000 credit cards from the payment terminals. If they sell the details on underground forums, the hack can net the attackers upwards of $3.3 million.
The backend C2 (command-and-control) server operating the Treasure Hunter and MajikPOS malware remains active, according to Group-IB’s Said Khamchiev and Nikolay Shelekhov, and “the victims’ number keeps growing.”
The security firm’s researchers identified the C2 server in April and discovered that the operators had been stealing payment information from numerous credit card holders from February 2021 to September 8, 2022. Most of the victims are Americans holding credit cards issued by US banks.
After the discovery, the investigators handed the information to US-based law enforcement agencies and a threat-sharing organization. However, they did not attribute the malware to a specific crime group. The Treasure Hunter and MajikPOS malware infect Windows POS terminals and watch for the moments when the terminal reads a card and holds its data unencrypted in memory.
Treasure Hunter performs so-called RAM scraping: it reads the memory of the processes running on the register to capture the magnetic-stripe data freshly swiped during a shopper’s payment. MajikPOS also scans the infected PCs for credit card data.
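The memory-scraping behaviour described above is also what a defender looks for after a suspected POS compromise: whether a register holds plaintext track data in memory at all. The following is an added example, not Group-IB’s tooling or code from the malware. It scans a constructed byte buffer standing in for a memory image, matches the standard Track 2 layout (PAN, expiry, service code), and validates the PAN with the Luhn check to suppress random digit runs. The sample dump, the Luhn-valid test PAN and the decoy are all constructed here; only masked PANs are reported.

```python
import re

# Track 2 layout: ';' PAN (13-19 digits) '=' YYMM service-code discretionary '?'
# (ISO/IEC 7813). The pattern runs over bytes so it can be applied to a raw dump.
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; real PANs pass, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so a report never re-exposes the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return one finding per Luhn-valid Track 2 record found in the buffer."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        yy, mm = m.group(2).decode(), m.group(3).decode()
        # Require a plausible month as well as a valid Luhn digit.
        if not luhn_ok(pan) or not (1 <= int(mm) <= 12):
            continue
        hits.append({
            "offset": m.start(),
            "pan": mask(pan),
            "expiry": f"{mm}/{yy}",
            "service": m.group(4).decode(),
        })
    return hits


# Constructed sample "memory dump": a Luhn-valid test PAN in Track 2 format,
# surrounded by unrelated bytes, plus a decoy record whose PAN fails Luhn.
SAMPLE_DUMP = (
    b"\x00\x00register.exe\x00"
    + b";4111111111111111=25121011234567890?"
    + b"\x00\x00junk"
    + b";4111111111111112=25121010000000000?"   # decoy: fails Luhn
    + b"\xff\xff"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(f"offset {hit['offset']}: PAN {hit['pan']} exp {hit['expiry']} "
              f"service {hit['service']}")
```

A register whose process memory yields hits like this is storing card data in the clear, which is the condition both malware families rely on; the usual mitigations are point-to-point encryption at the card reader and tokenization so that the PAN never sits in POS application memory.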
Hackers Target a Cybersecurity Conference in Australia
The AICD (Australian Institute of Company Directors) recently hosted an event to launch its latest “cybersecurity governance principles” – a widely debated topic considering the recent Medibank Private and Optus hacks. The federal minister, Clare O’Neil, and Cyber Security Cooperative Research Centre CEO Rachael Falk were among the big names supporting the launch.
No one expected that a highly debated online conference would become the victim of a hack, leaving LinkedIn and the institute’s boss Mark Rigotti with a PR problem. Thousands of participants began to get restless when they tried to log in for the 1 pm start of the event, and the conference did not go live on schedule.
As the waiting participants began pouring in comments, the LinkedIn chat function posted a fake Eventbrite link, which many users clicked. The link asked users for their credit card details, and the institute had to intervene and request participants not to open any links posted in the chat.
An official-looking AICD link again appeared for the event, and users tried to follow it, complaining later that it was not working. Eventually, after 30 minutes, the institute canceled the event. Rigotti said in the evening that they were unsure whether any credit card details had been handed over and urged affected users to contact their card issuers.
Typosquat Campaign Spoofing 27 Brands to Push Android and Windows Malware
A massive malicious campaign is underway that uses over 200 typosquatting domains impersonating twenty-seven brands to trick users into downloading various Android and Windows malware. Typosquatting is a technique in which threat actors register a domain name that looks like a genuine brand’s to trick people into visiting fake websites. The domains used in this campaign closely resemble the authentic ones: they feature an additional “s” or a single letter swapped, making them easy for unsuspecting users to miss.
BleepingComputer reported that the victims end up on these websites by mistyping the site name in the browser’s URL bar, a common mistake when typing on mobile. However, users can also reach these sites if they click on embedded links in phishing emails or SMS, malicious social media posts, direct messages, and other ways. Some of the domains used in the campaign are:
- payce-google[.]com – impersonates Google Wallet
- snanpckat-apk[.]com – impersonates Snapchat
- paltpal-apk[.]com – impersonates PayPal
- m-apkpures[.]com – impersonates APKPure
- vidmates-app[.]com – impersonates VidMate
- tlktok-apk[.]link – impersonates a download portal for the TikTok app
In all cases, the sites attempt to download ERMAC APKs, a banking trojan that targets cryptocurrency wallets and banking accounts across 467 apps.
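The two manipulations the article describes (an extra letter, a single letter changed) are exactly the kind of small edit a brand-monitoring check can catch. The following is an added example, not BleepingComputer’s or any vendor’s code. It refangs defanged domains such as those listed above, takes the label left of the TLD (a simplification; production code would consult the public suffix list), splits it on hyphens, and compares each piece against a watched brand list using optimal string alignment distance, which counts insertions, deletions, substitutions and adjacent transpositions. The brand list and the edit threshold of 2 are assumptions for this demo; a deployed detector would tune the threshold per brand length to limit false positives.

```python
# Watched brand list (constructed for this example from the brands named above).
BRANDS = ["google", "snapchat", "paypal", "apkpure", "vidmate", "tiktok"]
EDIT_LIMIT = 2   # demo threshold: at most two edits counts as a lookalike


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'paltpal-apk[.]com' back into a hostname."""
    return domain.strip().lower().replace("[.]", ".")


def registrable_label(domain: str) -> str:
    """Label immediately left of the TLD. Assumes a single-label TLD (demo only)."""
    labels = refang(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute/adjacent swap, cost 1 each."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[la][lb]


def classify(domain: str, brands=BRANDS):
    """Return (brand, kind, distance) or None when the domain resembles no watched brand.

    kind is 'exact'     when the label is the brand itself (the legitimate domain),
            'embedded'  when the brand appears untouched inside a longer label (payce-google),
            'lookalike' when a hyphen-separated piece is within EDIT_LIMIT edits of a brand.
    """
    label = registrable_label(domain)
    if label in brands:
        return (label, "exact", 0)
    tokens = [t for t in label.split("-") if t] + [label.replace("-", "")]
    best = None
    for tok in tokens:
        for brand in brands:
            dist = osa_distance(tok, brand)
            if dist <= EDIT_LIMIT and (best is None or dist < best[2]):
                best = (brand, "embedded" if dist == 0 else "lookalike", dist)
    return best


if __name__ == "__main__":
    # Domains from the campaign as listed above, plus one legitimate and one unrelated name.
    for dom in ["payce-google[.]com", "snanpckat-apk[.]com", "paltpal-apk[.]com",
                "m-apkpures[.]com", "vidmates-app[.]com", "tlktok-apk[.]link",
                "google.com", "example.com"]:
        print(f"{dom:24} -> {classify(dom)}")
```

Run against the six domains above, every one is flagged while google.com is reported as the exact brand and example.com is not flagged at all. The same routine can be run over newly observed domains from passive DNS or certificate transparency logs to surface lookalikes before users reach them.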