Docker Hub is a cloud-based container library allowing people to freely search and download Docker images or upload their creations to the public library or personal repositories.

Docker images are templates for the quick and easy creation of containers that contain ready-to-use code and applications. Therefore, those looking to set up new instances often turn to Docker Hub to quickly find an easily deployable application.

Unfortunately, due to abuse of the service by threat actors, over a thousand malicious uploads introduce severe risks to unsuspecting users deploying malware-laden images on locally hosted or cloud-based containers.

Many malicious images use names that disguise them as popular and trustworthy projects, so threat actors clearly uploaded them to trick users into downloading them.

Researchers at Sysdig looked into the issue, trying to evaluate the scale of the problem, and reported on the found images that feature some form of malicious code or mechanism.

Docker Hub traps

Apart from images reviewed by the Docker Library Project, which are verified to be trustworthy, hundreds of thousands of images with an unknown status are on the service.

Sysdig used its automated scanners to scrutinize 250,000 unverified Linux images and identified 1,652 of them as malicious.

Types of malicious images on Docker Hub (Sysdig)

 

The largest category was that of crypto-miners, found in 608 container images, targeting server resources to mine cryptocurrency for the threat actors.

The second most-common occurrence were images hiding embedded secrets, measuring 281 cases. The secrets embedded in these images are SSH keys, AWS credentials, GitHub tokens, NPM tokens, and others.

Types of secrets left in Docker images (Sysdig)

 

Sysdig comments that these secrets may have been left on public images by mistake or intentionally injected by the threat actor who created and uploaded them.

“By embedding an SSH key or an API key into the container, the attacker can gain access once the container is deployed,” warns Sysdig in the report.

“For instance, uploading a public key to a remote server allows the owners of the corresponding private key to open a shell and run commands via SSH, similar to implanting a backdoor.”

Many malicious images discovered by Sysdig used typosquatting to impersonate legitimate and trusted images, only to infect users with crypto-miners.

This tactic lays the ground for some highly successful cases, like the two examples shown below, that have been downloaded almost 17,000 times.

Docker images containing coinminers (Sysdig)

 

Typosquatting also ensures that users mistyping the name of a popular project will download a malicious image, so while this doesn’t produce large victim counts, it still ensures a steady stream of infections.

Typosquatted images capturing random mistypes (Sysdig)

 

A worsening problem

Sysdig says that in 2022, 61% of all images pulled from Docker Hub come from public repositories, a 15% rise from 2021 stats, so the risk for users is on the rise.

Unfortunately, the size of the Docker Hub public library does not allow its operators to scrutinize all uploads daily; hence many malicious images go unreported.

Sysdig also noticed that most threat actors only upload a couple of malicious images, so even if a risky image is removed and the uploader is banned, it doesn’t significantly impact the platform’s threat landscape.

The high-severity flaw is tracked as CVE-2022-4135 and is a heap buffer overflow in GPU, discovered by Clement Lecigne of Google's Threat Analysis Group on November 22, 2022.

"Google is aware that an exploit for CVE-2022-4135 exists in the wild," reads the update notice.

As users need time to apply the security update on their Chrome installations, Google has withheld details about the vulnerability to prevent expanding its malicious exploitation.

In general, heap buffer overflow is a memory vulnerability resulting in data being written to forbidden (usually adjacent) locations without check.

Attackers may use heap buffer overflow to overwrite an application's memory to manipulate its execution path, resulting in unrestricted information access or arbitrary code execution.

Chrome users are recommended to upgrade to version 107.0.5304.121/122 for Windows and 107.0.5304.122 for Mac and Linux, which addresses CVE-2022-4135.

To update Chrome, head to Settings → About Chrome → Wait for the download of the latest version to finish → Restart the program.

Chrome's eighth zero-day fix in 2022

Chrome version 107.0.5304.121/122 fixes the eighth actively exploited zero-day vulnerability this year, indicating the high interest of attackers against the widely used browser.

The previous seven zero-day fixes are:

• CVE-2022-3723 – October 28th
• CVE-2022-3075 – September 2nd
• CVE-2022-2856 – August 17th
• CVE-2022-2294 – July 4th
• CVE-2022-1364 – April 14th
• CVE-2022-1096 – March 25th
• CVE-2022-0609 – February 14th

These flaws are typically leveraged by sophisticated hackers who use them in highly targeted attacks.

Nevertheless, all Chrome users are strongly advised to update their web browsers as soon as possible to block potential exploitation attempts.

The hackers posted a long list of documents on their Tor data leak site they claim was stolen from the college, indicating that a ransom was never paid.

The documents date from several years ago until November 24, 2022, possibly indicating that the threat actors maintain access to the breached systems, but this has not been verified.

All documents on the Vice Society site have been made freely accessible to visitors and contain PII (personally identifiable information) in the leaked files.

Cincinnati State listed as the most recent victim on the Vice Society site - (BleepingComputer)

 

Restoring operations

 

Cincinnati State college informed its 10,000 students and 1,000 staff members that they suffered a cybersecurity incident earlier in the month, warning that online services and restoration to regular operations will take time.

The latest update on the cyberattack came on Tuesday this week, announcing the restoration of on-campus networks and email, partial internet access, and classroom computers.

However, voicemail, network printing, VPN access, network and intranet shared drives are all unavailable, while a range of online application and registration portals are also offline.

The college has posted FAQs for the employees, current and new students, guiding them on how to interact with the administration until systems return to normal operations.

However, there aren't workarounds for all services, so the disruption from the cyberattack remains significant for the college.

Vice Society vs. education

Vice Society has a long history of targeting educational institutions ranging from K-12 school districts to universities.

A new report by Microsoft recently observed Vice Society using multiple ransomware families in attacks against the education sector, including BlackCat, QuantumLocker, Zeppelin, and RedAlert.

In addition to these families, BleepingComputer has seen Vice Society deploying the HelloKitty ransomware in attacks as well.

In September, the FBI warned about Vice Society's focus on schools and universities after seeing the threat group targeting the education sector disproportionately.

A notable Vice Society victim from the education sector is the Los Angeles Unified (LAUSD), the second-largest school district in the United States.

The threat group has also targeted educational institutes in other countries, like the Medical University of Innsbruck in Austria.

Source

GLYNN COUNTY, Ga. — Some cell phone users say they had an issue dialing 911 from their Google Pixel 6 models.
 

DIALING 911 Karen Macleod said she tried to call 911 when her 5-year-old son, Andrew, was having a seizure. “He was with a babysitter [while] I was at work,” she said. Macleod said she called Glynn County’s 911 center, but something went wrong with her line because she heard one click and then silence every time she dialed. “I was panic dialing over and over again,” said Macleod.

Fortunately, she was close by and was able to drive Andrew to the hospital where doctors diagnosed him with viral meningitis.

“This is a huge issue. Very scary. [It] could have cost him his life,” said Macleod. “[It could] cost other people their lives - not being able to dial 911 on your phone is a huge deal.”

Macleod is one of five million Google Pixel 6, 6 Pro, and 6a owners who purchased their phones in the past year according to the International Data Corporation. Action News Jax investigates found numerous complaints online from other Google Pixel 6 owners who say their phones have trouble calling 911 or emergency services. One person on Google’s support forum said, “I tried calling 911 twice from the car today, and it wouldn’t actually ring through to 911.” On Reddit, a person wrote, “I could not get my phone to connect to 911″ during an emergency at their home.

Macleod posted a video about her experience on TikTok showing the phone appearing not to connect to the 911 call center, “So this is what happens on my brand new $1,000 Google phone when I try to call 911.”

“It’s not connecting. There’s not a ring tone, a dial tone. There’s nothing,” said Macleod in another TikTok video.

THE TEST When she dialed 911 for that video, it was only a test. It’s legal because she dialed the non-emergency number first to warn dispatchers. “You shouldn’t have to test it,” said Craig Agranoff, a technology expert in South Florida. He said having access to 911 is not only essential, but it’s the law mandated by the Federal Communications Commission. “911 is not a favor to us. It’s required from the carriers,” he said.

Google’s own support page shows it created a “fix for the issue preventing emergency calls in certain conditions while some third-party apps are installed.” Agranoff said Google provided that fix last January. But based on Macleod’s experience in September, it’s not clear if that update fixed the issue. “It’s not enough to just fix it every time people find it,” said Agranoff.

RESPONSES

I contacted Glynn County emergency services about Macleod’s 911 issue. The county said it “did not find any record of these calls registering in our system during the time in question” despite Macleod’s phone log showing she called 911.

Also, I contacted Google about Macleod’s 911 issue. It responded, “we don’t have any comment to provide.”

The FCC told us it located 91 responsive records regarding issues that Google Pixel 6 has related to its services, but zero records located specifically regarding 911 or emergency contact numbers.

Google released its new Pixel 7 in October. To date, there’s no word of any issues with dialing 911.

Macleod said Google gave her a refund, and now she uses a different brand.

Source

With a userbase of around 2 billion people, WhatsApp is the biggest messaging platform. This means that the leaked database contains phone numbers of a quarter of all WhatsApp users.

Out of the 487 million contacts, over 32 million numbers are from the U.S., 45 million from Egypt, five million from Italy, 29 million from Saudi Arabia, 20 million (each) from France and Turkey, 10 million phone numbers from Russian users, and over 11 million are UK numbers.

Image Source - Cybernews

According to Cybernews, the seller did not specify how they obtained the database, and suggested they "used their strategy" to collect the data. It is possible that the hackers did not technically "hack" WhatsApp, but gathered the data via "web scraping" which involves running an automated script to confirm web pages that the numbers are being used for WhatsApp.

There's no way of finding out whether your phone number is in that database. Although Mark Zuckerberg says that WhatsApp is still super secure, you can stay safe from prying eyes by changing "Last seen and online", "Profile photo", and "About" to "Contacts only" in WhatsApp settings.

Source: Cybernews (via Sammobile)

Phone numbers of nearly 500 million WhatsApp users around the globe up for sale

Yesterday I was asked to allow the usage of location services for Google Maps seemingly out of nowhere. Of course I accepted. After all, I just wanted to check a route to a local business and I was in a hurry. Back home I opened Google Maps again, and noticed that maps.google.com now redirects to google.com/maps. This implies that the permissions I give to Google Maps now apply to all of Googles services hosted under this domain. So far I only identified Google Flights to have made the same switch (google.com/flights), though I'm sure they're just beginning to transfer their services to the main google.com domain.

Congratulations, you now have permission to geo-track me across all of your services.

Smart move, Google.

Source

In an analysis published on Tuesday, Microsoft researchers said they had discovered a vulnerable open-source component in the Boa web server, which is still widely used in a range of routers and security cameras, as well as popular software development kits (SDKs), despite the software’s retirement in 2005. The technology giant identified the component while investigating a suspected Indian electric grid intrusion first detailed by Recorded Future in April, where Chinese state-sponsored attackers used IoT devices to gain a foothold on operational technology (OT) networks, used to monitor and control physical industrial systems.

Microsoft said it has identified one million internet-exposed Boa server components globally over the span of a one-week period, warning that the vulnerable component poses a “supply chain risk that may affect millions of organizations and devices.”

The company added that it continues to see attackers attempting to exploit Boa flaws, which include a high-severity information disclosure bug (CVE-2021-33558) and another arbitrary file access flaw (CVE-2017-9833).

“The known [vulnerabilities] impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials,” Microsoft said, adding that this can allow the attackers to have a “much greater impact” once the attack is initiated.

Microsoft said the most recent attack it observed was the compromise of Tata Power in October. This breach resulted in the Hive ransomware group publishing data stolen from the Indian energy giant, which included sensitive employee information, engineering drawings, financial and banking records, client records, and some private keys.

“Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector,” Microsoft said.

The company has warned that mitigating these Boa flaws is difficult due to both the continued popularity of the now-defunct web server and the complex nature of how it is built into the IoT device supply chain. Microsoft recommends that organizations and network operators patch vulnerable devices where possible, identify devices with vulnerable components, and to configure detection rules to identify malicious activity.

Microsoft’s warning again highlights the supply chain risk posed by flaws in widely-used network components. Log4Shell, a zero-day vulnerability that was last year identified in Log4j, the open-source Apache logging library, is estimated to have potentially affected upwards of three billion devices.

Source

A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities.

Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 with a number of test emails sent using generic subject lines such as "Just checking in" and "Hope this works2."

However, there are no indications that a leaked or cracked version of Nighthawk is being weaponized by threat actors in the wild, Proofpoint researcher Alexander Rausch said in a write-up.

Nighthawk, launched in December 2021 by a company called MDSec, is analogous to its counterparts Cobalt Strike, Sliver, and Brute Ratel, offering a red team toolset for adversary threat simulation. It's licensed for £7,500 (or $10,000) per user for a year.

"Nighthawk is the most advanced and evasive command-and-control framework available on the market," MDSec notes. "Nighthawk is a highly malleable implant designed to circumvent and evade the modern security controls often seen in mature,

highly monitored environments."

According to the Sunnyvale-based company, the aforementioned email messages contained booby-trapped URLs, which, when clicked, redirected the recipients to an ISO image file containing the Nighthawk loader.

The obfuscated loader comes with the encrypted Nighthawk payload, a C++-based DLL that uses an elaborate set of features to counter detection and fly under the radar.

Of particular note are mechanisms that can prevent endpoint detection solutions from being alerted about newly loaded DLLs in the current process and evade process memory scans by implementing a self-encryption mode.

When reached for comment, MDSec told The Hacker News that it isn't aware of any instance of Nighthawk being used for illegitimate activity and that the licenses are distributed only to a handful of closely vetted customers.

With rogue actors already leveraging cracked versions of Cobalt Strike and others to further their post-exploitation activities, Nighthawk could likewise witness similar adoption by groups looking to "diversify their methods and add a relatively unknown framework to their arsenal."

Indeed, the high detection rates associated with Cobalt Strike and Sliver have led Chinese criminal actors to devise alternative offensive frameworks like Manjusaka and Alchimist in recent months.

"Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well," Rausch said.

"Historic adoption of tools like Brute Ratel by advanced adversaries, including those aligned with state interests and engaging in espionage, provides a template for possible future threat landscape developments."

Source

The tech behemoth's cybersecurity division said the vulnerable component poses a "supply chain risk that may affect millions of organizations and devices."

The findings build on a prior report published by Recorded Future in April 2022, which delved into a sustained campaign orchestrated by suspected China-linked adversaries to strike critical infrastructure organizations in India.

The cybersecurity firm attributed the attacks to a previously undocumented threat cluster called Threat Activity Group 38. While the Indian government described the attacks as unsuccessful "probing attempts," China denied it was behind the campaign.

The connections to China stem from the use of a modular backdoor dubbed ShadowPad, which is known to be shared among several espionage groups that conduct intelligence-gathering missions on behalf of the nation.

Although the exact initial infection vector used to breach the networks remains unknown, the ShadowPad implant was controlled by using a network of compromised internet-facing DVR/IP camera devices.

Microsoft said its own investigation into the attack activity uncovered Boa as a common link, assessing that the intrusions were directed against exposed IoT devices running the web server.

"Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs)," the company said.

"Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files."

The latest findings once again underscore the supply chain risk arising out of flaws in widely-used network components, which could expose critical infrastructure to breaches via publicly-accessible devices running the vulnerable web server.

Microsoft further said it detected more than one million internet-exposed Boa server components worldwide in a single week, with significant concentrations in India.

The pervasive nature of Boa servers is attributed to the fact that they are integrated into widely-used SDKs, such as those from RealTek, which are then bundled with devices like routers, access points, and repeaters.

The complex nature of the software supply chain means that fixes from an upstream vendor may not trickle down to customers and that unresolved flaws could continue to persist despite firmware updates from downstream manufacturers.

Some of the high-severity bugs affecting Boa include CVE-2017-9833 and CVE-2021-33558, which, if successfully exploited, could enable malicious hacking groups to read arbitrary files, obtain sensitive information, and achieve remote code execution.

Weaponizing these unpatched shortcomings could further enable threat actors to glean more information about the targeted IT environments, effectively making way for disruptive attacks.

"The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network," Microsoft said.

"As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations."

Source

While safety and security are top priorities for businesses of all sizes, it is essential for those who operate in the e-commerce space. To deliver the experience customers crave, many websites embed third-party solutions at every stage of the customer journey. In fact, for certain e-commerce businesses, their suite of third-party plugins is how they create and sustain a competitive advantage.

Yet many e-commerce sites are inherently insecure and vulnerable to attack due to their reliance on untrustworthy third-party solutions. Consequently, client-side security is a weak point for many e-commerce sites, allowing security incidents to occur directly in the browser without the customer realizing it.

Attackers can take advantage of security vulnerabilities on the client side via e-skimming, formjacking, or cross-site scripting. These attacks can compromise customer data, such as credit card numbers, personal information, and login credentials. They can also sometimes lead to financial loss for the e-commerce business and potential regulatory compliance violations.

When an attack involves e-skimming, cybercriminals insert code to skim data from a page that processes a customer's credit card data. Since this attack occurs on the client side, e-commerce businesses cannot observe the attack firsthand and react quickly.

Many e-commerce sites rely heavily on forms to gather customer data. Formjacking inserts an attacker between the merchant, allowing the attacker to access and record any data that a customer shares via a compromised form.

Cross-site scripting embeds malicious code on the client side. The code runs when a customer visits the site, allowing the attacker to gather the customer's personal, financial, and session data.

The proliferation of insecure third-party apps and the inability to observe an attack perpetrated via the client side provides attackers with enticing targets to exploit. The fact that attackers use security weaknesses in third-party plugins and not the e-commerce site itself means little, if anything, to an individual who is victimized. Since the attack took place via the website, for most customers, the responsibility for securing the interaction rests with the site owner.

To improve client-side security, e-commerce companies should minimize their reliance on third-party code without impacting the user experience. Deploying well-known third-party solutions with a commitment to security can also help. And, as with every type of software, plugins and apps should receive patches as soon as they become available.

Additionally, simulating cyberattacks that target the e-commerce company's website can uncover potential attack vectors before criminals can exploit them. Deploying additional layers of customer authentication can add critical layers of security and make it harder for an attacker to compromise a session.

Security software and applications can also harden your defenses and make it harder for attackers to use client-side vulnerabilities to their advantage. These solutions can uncover security flaws and quickly deploy security measures to mitigate vulnerabilities. They can also detect attacks quickly and lessen a company's exposure to client-side security risks.

When security flaws exist, sophisticated criminals will eventually find and exploit them at a date and time of their choosing. The massive spike in e-commerce traffic during the holiday season provides attackers with the perfect cover to use these flaws in client-side security to steal personal and financial data with impunity.

Customers expect e-commerce sites to protect their personal and financial data. Client-side security is critical to delivering on that commitment. Third-party plugins and applications form the backbone of countless e-commerce sites. Given their prevalence, it's easy to overlook their inherent risks. Client-side attacks take advantage of flaws and vulnerabilities, yet to the consumer, the responsibility for security rests with the e-commerce site itself.

Yet, when client-side attacks occur via third-party apps, online merchants are often unaware of their flaws and cannot see when attackers use them to their advantage. For many e-commerce businesses, since the vulnerabilities are out of their direct line of sight, they do not receive the attention they deserve.

Attackers aren't so short-sighted. Where security flaws and vulnerabilities exist, it's often only a question of time before they are exploited. E-commerce companies must take proactive steps to understand and mitigate the risks of client-side security vulnerabilities. Otherwise, attackers will continue to take advantage of them, leading to a loss of customer trust and confidence and the potential for financial losses and an increase in regulatory oversight.

Source

Meta says it removed 39 Facebook accounts, 26 Instagram accounts, 16 Facebook Pages, and two Facebook groups for violating its 'coordinated inauthentic behavior' policy.

The most successful of these Facebook pages had 22,000 followers; the more extensive group counted 400 members, while one of the banned Instagram accounts had 12,000 followers.

"The U.S. network — linked to individuals associated with the U.S. military — operated across many internet services and focused on Afghanistan, Algeria, Iran, Iraq, Kazakhstan, Kyrgyzstan, Russia, Somalia, Syria, Tajikistan, Uzbekistan, and Yemen," reads the announcement.

Meta found the inauthentic accounts after an internal investigation was launched following information by independent researchers at Graphika and the Stanford Internet Observatory, who published a five-year overview of pro-Western covert influence operations in August 2022.

The disinformation network operated in clusters that promoted specific topics corresponding to audience interest from the mentioned countries.

The posters pretended to be locals in those countries, using fake photos generated by GAN (generative adversarial network) tools to evade exposure by reverse image searches.

Notably, some of the banned Pages used their own unique logos and visual style and linked to matching accounts on YouTube, Twitter, Vkontakte, and dedicated websites.

A giveaway that these were fake accounts was that they were posting during U.S. business hours and not in the time zones of the countries they were supposedly based in.

The people behind these clusters posted in Arabic, Farsi, and Russia to praise the U.S. military and raise terrorism concerns in regions of particular interest.

The fake accounts used $2,500 in advertising on Facebook to ensure their disinformation content would reach more users.

In many cases, the campaigns criticized Iran, China, and Russia, focusing on the Russian invasion of Ukraine, China's oppression of the Uyghur people, the two country's support of the Taliban regime in Afghanistan, and Iran's influence in the Middle East.

Previously, in September 2022, Facebook removed disinformation networks from China and Russia, with the latter using a staggering 1,633 fake accounts and 703 Pages.

BleepingComputer first reported on the Donut extortion group in August, linking them to attacks on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando.

Strangely, the data for Sando and DESFA was also posted to several ransomware operations’ sites, with the Sando attack claimed by Hive ransomware and DESFA claimed by Ragnar Locker.

Unit 42 researcher Doel Santos also shared that the TOX ID used in ransom notes was seen in samples of the HelloXD ransomware.

This cross-posting of stolen data and affiliation leads us to believe the threat actor behind Donut Leaks is an affiliate for numerous operations, now trying to monetize the data in their own operation.

The Donut ransomware

This week, BleepingComputer found a sample [VirusTotal] of an encryptor for the Donut operation, aka D0nut, showing that the group is using its own customized ransomware for double-extortion attacks.

The ransomware is still being analyzed, but when executed, it will scan for files matching specific extensions to encrypt. When encrypting files, the ransomware will avoid files and folders containing the following strings:

Edge
ntldr
Opera
bootsect.bak
Chrome
BOOTSTAT.DAT
boot.ini
AllUsers
Chromium
bootmgr
Windows
thumbs.db
ntuser.ini
ntuser.dat
desktop.ini
bootmgr.efi
autorun.inf

When a file is encrypted, the Donut ransomware will append the .d0nut extension to encrypted files. So, for example, 1.jpg will be encrypted and renamed to 1.jpg.d0nut, as shown below.

Files encrypted by the Donut Ransomware - Source: BleepingComputer

 

The Donut Leaks operation has a flair for theatrics, using interesting graphics, a bit of humor, and even offering a builder for an executable that acts as a gateway to their Tor data leak site (see below).

This flair is especially shown in its ransom notes, where they use different ASCII art, such as the spinning ASCII donut below.

Donut ransom note

 

Another ransomware note seen by BleepingComputer pretends to be a command prompt displaying a PowerShell error, which then prints a scrolling ransom note.

The ransom notes are heavily obfuscated to avoid detection, with all strings encoded and the JavaScript decoding the ransom note in the browser.

These ransom notes include different ways to contact the threat actors, including via TOX and a Tor negotiation site. 

Donut ransom negotiation site - Source: BleepingComputer

 

The Donut ransomware operation also includes a "builder" on their data leak site that consists of a bash script to create a Windows and Linux Electron app with a bundled Tor client to access their data leak sites.

D0nut ransomware electron app

 

This app is currently "broken" as it uses HTTPS URLs, which are not currently operational.

Overall, this extortion group is one to keep an eye out for, not only for their apparent skills but their ability to market themselves.

The stolen credentials were for cryptocurrency wallets, Steam, Roblox, Amazon, and PayPal accounts, as well as payment card records.

According to a report from Group-IB, whose analysts have been tracking these operations globally, most victims are based in the United States, Germany, India, Brazil, and Indonesia, but the malicious operations targeted 111 countries.

Countries with most infections between January and July 2022 (Group-IB)

 

Rise of info-stealers

 

In 2022, information-stealing malware distribution reached unprecedented levels, now involving low-skilled hackers aspiring to make a larger profit from their illegal activities.

Group-IB says the cybercriminals fueling the growth of info-stealer deployment are low-level scammers who previously worked as "victim callers" in phishing campaigns known as "Classiscam."

"The influx of a huge number of workers into the popular scam Classiscam, [...] at its peak, comprised over a thousand criminal groups and hundreds of thousands of fake websites has led to criminals competing for resources and looking for new ways to make profits," comments Group-IB.

Currently, there are 34 active cybercrime groups on Telegram that operate as mass-scale information-stealing gangs, each with roughly 200 members.

23 of the groups use the Redline stealer, eight employ Raccoon, and three use their own custom malware.

SEKOIA also noted earlier this week that another info-stealer named 'Aurora' is gaining traction on underground forums and has already been adopted by seven prominent threat groups.

The increase in info-stealer activity is shown in statistics compiled by Group-IB report, who compared a 10-month period in 2021 to a seven-month period in 2022.

• Passwords stolen: 50,352,518 (up by 80%)
• Cookie files exfiltrated: 2,117,626,523 (up by 74%)
• Crypto wallets breached: 113,204 (up by 216%)
• Payment cards compromised: 103,150 (up by 81%)

Infostealer operation stats from first seven months of 2022 (Group-IB)

 

Group-IB also notes that in the first seven months of this year the actors focused on stealing of Steam, Epic Games, and Roblox accounts, recording a five-fold increase compared to last year.

Telegram-based operations

Telegram plays a vital role in the operation of these cybergangs, both in organizing their campaigns and maintaining a functional structure that accommodates their data-stealing activities.

These private Telegram channels offer support and technical guidance to operatives, can serve as data exfiltration points, host important announcements, act as bug-reporting portals, and also feature bots that can generate custom malware builds for clients 24/7.

The groups still abide by hierarchical rules, with the "administrators" sitting at the top of the rank, selling access to info-stealing malware to "workers" for a few hundred USD per month.

The workers are responsible for driving traffic to the malware-dropping sites, which they do by using YouTube videos, BlackSEO, SEO poisoning, laced torrent files, or malicious social media posts.

Users can minimize the chances of info-stealer infection by avoiding downloads from shady locations, checking all downloaded executables with an antivirus solution before opening, and keeping their system up to date.

BleepingComputer has been able to analyze the extension code which indicates the presence of a backdoor, introduced either intentionally by its developer or after a compromise.

Chrome extension targets Roblox players

The 'SearchBlox' extensions found on the Chrome Web Store appear to be compromised, BleepingCompuer has observed.

There are two search results for 'SearchBlox' on Chrome. These extensions claim to let you "search Roblox servers for a desired player... blazingly fast" but both contained the backdoor.

The IDs of these unsafe extensions are:

• blddohgncmehcepnokognejaaahehncd
• ccjalhebkdogpobnbdhfpincfeohonni

Malicious SearchBlox extension on Chrome (BleepingComputer)

 

Early morning hours of Wednesday, suspicions arose among the Roblox community members of SearchBlox containing malware.

"Popular plug-in SearchBlox has been COMPROMISED / BACKDOORED - if you have it, your account may be at risk," tweeted RTC, an unofficial Roblox news and community account.

"Please change your passwords if you have it - and credentials, so that way your account is secure again."

We downloaded the Chrome extension for analysis and for the first extension (blddohgncmehcepnokognejaaahehncd) downloaded by over 200,000 users, the backdoor exists on line 3 of the 'content.js' file:

Backdoor within Chrome extension 'SearchBlox' (BleepingComputer)

 

For the second extension (ccjalhebkdogpobnbdhfpincfeohonni) with just 959 downloads, the backdoor resided within the 'button.js' file.

The offending URL in either case is:

As if the URL structure 'image.png/image.txt' itself wasn't already interesting, the page contains HTML code that pretends to display an image using the '<img>' tag, but instead loads obfuscated JavaScript that is further encoded as HTML character entities (using the '&' and '#' symbols):

Page pretends to contain HTML attempting to display an image (BleepingComputer) 

 

The code when decoded yields obfuscated code which further appears to be exfiltrating Roblox credentials to another domain: releasethen.site.

Another suspicious domain in use by the extension (BleepingComputer)

 

Of note is the fact that both 'searchblox.site' and 'releasethen.site' were registered this month and share a common web host, Hostinger.

The code also appears to survey a player's profile on Rolimons.com, a Roblox trading platform. This detail becomes relevant given today's account suspensions on the platform, as explained in the following section.

'SearchBlox' a repeat offender

Unfortunately, it doesn't seem like the first time a malicious 'SearchBlox' extension has targeted Roblox users either.

In October, Google reportedly took down another 'SearchBlox' sitting on the Chrome Web Store since at least Jun 28th, 2022.

As to whether the backdoor was injected in the extension after compromise by a threat actor or introduced intentionally by the developer is something that's yet to be authoritatively determined.

There is some speculation among Roblox community members [1, 2, 3, 4] who have noticed the inventory of user 'Unstoppablelucent', purportedly the extension's developer, multiply overnight whereas Rolimons user 'ccfont' has been terminated today over suspicious inventory trades.

Both the extension as well as the offending URLs have a clean VirusTotal reputation at the time of writing, making detection of these malicious extensions a whole lot harder.

Suffice to say, anyone who has installed 'SearchBlox' should remove the extension immediately, clear their cookies and change their passwords for Roblox, Rolimons, and other websites they may have logged into while the extension was in use.

BleepingComputer notified Google of the malicious extensions prior to publishing. A Google spokesperson later confirmed that these extensions were taken down and will automatically be removed from systems where these were installed.

"The identified malicious extensions are no longer available on the Chrome Web Store," Google told BleepingComputer.

"The extensions are blocklisted and will be automatically removed from any user machine that previously downloaded them."

Source

Devices from Google, Samsung, Xiaomi, Oppo, as well as other phone makers are currently impacted and waiting for a fix to reach users.

A report published by Google's Project Zero team highlights the "patch gap" that plagues the supply chain in Android, as it typically takes several months for firmware security updates to trickle downstream to affected devices.

Original Equipment Maker (OEM) partners need time to test the fixes and implement them into their devices, a process that extends the time to reach end user devices.

Flaws and impact

Project Zero discovered the vulnerabilities in June 2022. They are tracked as CVE-2022-33917 and CVE-2022-36449 (collective identifier for multiple security issues).

CVE-2022-33917 allows a non-privileged user to make improper GPU processing operations to gain access to free memory sections. The vulnerability impacts Arm Mali GPU kernel drivers Valhall r29p0 to r38p0.

The second identifier, CVE-2022-36449, comprises issues that allow a non-privileged user to gain access to freed memory, write outside of buffer bounds, and disclose details of memory mappings.

It impacts Arm Mali GPU kernel drivers Midgard r4p0 through r32p0, Bifrost r0p0 through r38p0 and r39p0 before r38p1, and Valhall r19p0 through r38p0 and r39p0 before r38p1.

Project Zero tracks these issues as 2325, 2327, 2331, 2333, and 2334 and has disclosed technical details for each of them, along with demo code.

While the severity score of the issues is medium, they are exploitable and impact a wide number of Android devices.

Valhall drivers are used in Mali G710, G610, and G510 chips found inside the Google Pixel 7, Asus ROG Phone 6, Redmi Note 11 and 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro and Reno 8 Pro, Motorola Edge, and OnePlus 10R.

Android devices using the Mali G710 chip (GSMArena)

 

Bifrost drivers are used in the older (2018) Mali G76, G72, and G52 chips used by Samsung Galaxy S10, S9, A51 and A71, Redmi Note 10, Huawei P30 and P40 Pro, Honor View 20, Motorola Moto G60S, and Realme 7.

Midgard drivers are used in even older (2016) Mali T800 and T700 series chips, most notably found inside Samsung Galaxy S7 and Note 7, Sony Xperia X XA1, Huawei Mate 8, Nokia 3.1, LG X, and Redmi Note 4.

There is nothing users can do to mitigate these flaws apart from waiting for the vendor to provide the appropriate patches and keep an eye out for potential threats.

Older models using Midgard drivers are extremely unlikely to receive a fixing patch, so these should be replaced altogether.

Mali GPU drivers are used by system-on-a-chip circuits from vendors such as MediaTek, HiSilicon Kirin, and Exyno, which power most Android devices on the market.

At the moment, the fix from Arm has not reached OEM partners and is being tested for Android and Pixel devices. In a few weeks, Android will be delivering the patch to its partners, who are reponsible for implementing the fix.

Source

European Parliament President confirmed the incident saying that the Parliament's "IT experts are pushing back against it & protecting our systems."

The Director General for Communication and Spokesperson of the European Parliament, Jaume Dauch, also stated after the website went down that the outage was caused by an ongoing DDoS attack.

"The availability of Europarl_EN website is currently impacted from outside due to high levels of external network traffic," Dauche said.

"This traffic is related to a DDOS attack (Distributed Denial of Service) event. EP teams are working to resolve this issue as quickly as possible."

European Parliament website down (BleepingComputer)

 

The attack came after the European Parliament recognized Russia as a state sponsor of terrorism and MEPs called for further international isolation of Russia.

The resolution was adopted on Wednesday following recent developments in Russia's war of aggression against Ukraine.

"Parliament calls on the European Union to further isolate Russia internationally, including when it comes to Russia's membership of international organisations and bodies such as the United Nations Security Council," a press release published today reads.

"MEPs also want diplomatic ties with Russia to be reduced, EU contacts with official Russian representatives to be kept to the absolute minimum and Russian state-affiliated institutions in the EU spreading propaganda around the world to be closed and banned."

Anonymous Russia claiming the attack on European Parliament (BleepingComputer)

 

Pro-Kremlin hacktivist groups have targeted European and U.S. websites since Russia invaded Ukraine. For instance, Killnet recently claimed large-scale distributed denial-of-service (DDoS) attacks targeting the websites of several major U.S. airports last month.

Notable examples of airport websites taken down following their attack include the Los Angeles International Airport (LAX), which was intermittently offline, and the Hartsfield-Jackson Atlanta International Airport (ATL), a large U.S. air traffic hub.

One week before, they attacked multiple U.S. government websites in Colorado, Kentucky, and Mississippi, with moderate success, managing to knock some of them offline for a short time.

Killnet also claimed to have taken down CISA's Protected Critical Infrastructure Information Management System website after its attacks on the U.S. Treasury in early October were thwarted before having a real effect on the agency's infrastructure.

They also previously targeted countries that sided with Ukraine, including Romania and Italy, while the Legion "sub-group" attacked key Norwegian and Lithuanian entities for similar reasons.

Earlier this month, the FBI said that DDoS attacks coordinated by pro-Russian hacktivists have a minor impact on their targets because they're attacking public-facing infrastructure like websites instead of the actual services, leading to limited disruption.

Source

The MSI Afterburner is a GPU utility that allows you to configure overclocking, create fan profiles, perform video capturing, and monitor your installed graphics cards' temperature and CPU utilization.

While created by MSI, the utility can be used by users of almost all graphics cards, leading to its use by millions of gamers worldwide who tweak settings to improve game performance, make their GPUs more silent, and achieve lower temperatures.

However, the tool's popularity has also made it a good target for threat actors, who are looking to target Windows users with powerful GPUs that can be hijacked for cryptocurrency mining.

Impersonating MSI Afterburner

According to a new report by Cyble, over 50 websites impersonating the official MSI Afterburner site have appeared online in the past three months, pushing XMR (Monero) miners along with information-stealing malware.

Malicious website pushing laced MSI Afterburner (Cyble)

 

The campaign used domains that could trick users into thinking they were visiting the legitimate MSI website and which are easier to promote using BlackSEO. Some of the domains spotted by Cyble are listed below:

• msi-afterburner--download.site
• msi-afterburner-download.site
• msi-afterburner-download.tech
• msi-afterburner-download.online
• msi-afterburner-download.store
• msi-afterburner-download.ru
• msi-afterburner.download
• mslafterburners.com
• msi-afterburnerr.com

In other cases, the domains did not resemble the MSI brand and were likely promoted via direct messages, forums, and social media posts. Examples include:

• git[.]git[.]skblxin[.]matrizauto[.]net
• git[.]git[.]git[.]skblxin[.]matrizauto[.]net
• git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net
• git[.]git[.]git[.]git[.]git[.]skblxin[.]matrizauto[.]net

Stealthy mining while stealing your passwords

When the fake MSI Afterburner setup file (MSIAfterburnerSetup.msi) is executed, the legitimate Afterburner program will be installed. However, the installer will also quietly drop and run the RedLine information-stealing malware and an XMR miner in the compromised device.

The miner is installed through a 64-bit Python executable named 'browser_assistant.exe' in the local Program Files directory, which injects a shell into the process created by the installer.

This shellcode retrieves the XMR miner from a GitHub repository and injects it directly into memory in the explorer.exe process. Since the miner never touches the disk, the chances of being detected by security products are minimized.

The miner connects to its mining pool using a hardcoded username and password and then collects and exfiltrates basic system data to the threat actors.

One of the arguments the XMR miner uses is 'CPU max threads' set to 20, topping most modern CPU thread count, so it's set to capture all available power.

XMRminer argument details (Cyble)

 

The miner is set to mine only after 60 minutes since the CPU has entered idling, meaning that the infected computer is not running any resource-intensive tasks and is most likely left unattended.

Also, it uses the "-cinit-stealth-targets" argument, which is an option to pause mining activity and clear GPU memory when specific programs listed under "stealth targets" are launched.

These could be process monitors, antivirus tools, hardware resource viewers, and other tools that help the victim spot the malicious process.

In this case, the Windows applications from which the miner attempts to hide are Taskmgr.exe, ProcessHacker.exe, perfmon.exe, procexp.exe, and procexp64.exe.

While the miner is quietly hijacking your computer's resources to mine Monero, RedLine has already run in the background stealing your passwords, cookies, browser information, and, potentially, any cryptocurrency wallets.

Unfortunately, almost all of this fake MSI Afterburner campaign's components have poor antivirus software detection.

VirusTotal reports that the malicious 'MSIAfterburnerSetup.msi' setup file is only detected by three security products out of 56, while the 'browser_assistant.exe' is only detected by 2 out of 67 products.

To stay safe from miners and malware, download tools directly from official sites rather than sites shared in forums, social media, or direct messages.

In this case, the legitimate MSI Afterburner can be downloaded directly from MSI at www.msi.com/Landing/afterburner/graphics-cards.

Source

Thinking about taking your computer to the repair shop? Be very afraid

iCloud for Windows is displaying images from random people

A report by MacRumors mentions that a user from its community forums had discovered that they were unable to play videos recorded with their iPhone 14 Pro Max after downloading them to their PC. The user could access the media on their Mac, another Apple device, and via iCloud.com without any issues. But, when they tried syncing it to their computer with iCloud for Windows, the downloaded media was not playable, it ended up with a black screen with scan lines, i.e, the videos were corrupted.

In what seems to be a rather bizarre twist to an unusual problem, the video was not only playable, but also displayed an image (likely a thumbnail) from sources they didn't know. The user went on to explain that the issue only occurred with videos that were recorded with the HDR and HEVC setting enabled in their iPhone 14 Pro Max's camera. They weren't the only one facing this issue, other users with an iPhone 13 Pro reported a similar incident.

The bigger of the two issues is that the iCloud for Windows app seems to be picking up images from strangers. Can you imagine how it would be if you see photos taken by someone appears in your library randomly? And what about the photos that you take on your iPhone? Your pictures could end up with a random person, that is pretty creepy.

One user at the community forums speculated that the person could have downloaded a video belonging to someone else. The downloaded media may have been encrypted, which is why they couldn't play the video, since they don't have the decryption key for it. They also suggested that the thumbnail displayed in the folder may not have been encrypted, and that's the reason why the person could access it. That makes sense, doesn't it?  If true, this could mean that the thumbnails of images and videos uploaded to the cloud are not end-to-end encrypted. That could be a serious privacy issue.

Could this problem actually have something to do with the recent iCloud Photos integration in the Windows 11 Photos app? That seems unlikely, because the user says that they were able to replicate the issue on both Windows 10 and Windows 11. Since photos from other iPhone users are showing up in the iCloud library, this is likely an Apple related issue, maybe something related to the authentication on its servers, which in turn affects the syncing process on Windows PCs. 9to5Mac suggests that this bug could be due to a rendering issue in the iCloud app for certain file types.

Apple Insider also received similar reports about the issue. I haven't experienced such problems with media from my Macbook and iPad. It does seem scary, and not just in terms of privacy. If the videos are corrupted and synced to the cloud, you could lose access to the original videos. This is why it is better to rely on good old local backups.

This news comes in the wake of allegations that Apple is able to identify what users are accessing on its App Store via telemetry (analytics).

Have you experienced a similar issue with your iPhone and Windows PC?

Users claim that iCloud for Windows is showing photos from strangers in their library

Pig butchering, also called Sha Zhu Pan, is a type of scam in which swindlers lure unsuspecting investors into sending their crypto assets. The criminals encounter potential victims on dating apps, social media sites, and SMS messages.

These individuals initiate fake relationships in an attempt to build trust, only to trick them into making a cryptocurrency investment on a bogus platform.

"Once the money is sent to the fake investment app, the scammer vanishes, taking all the money with them, often resulting in significant losses for the victim," the DoJ said.

The seven seized portals all mimicked the Singapore International Monetary Exchange (SIMEX), the agency pointed out.

But once the funds were transferred into wallet addresses supposedly provided by these domains, the digital currencies are said to have been immediately moved through an array of private wallets and swapping services to conceal the trail.

"Pig Butchering fraud highlights the lengths actors will go to socially engineer a target into falling victim to crime perpetuated by large cybercrime ecosystems," Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, previously told The Hacker News.

"The emotional manipulation, friendly tone, and sheer duration of the pre-exploitation phase allows genuine feelings to develop, and the actor exploits that emotion for financial gain, to the loss of sometimes millions of dollars."

An advisory released by the U.S. Federal Bureau of Investigation (FBI) last month noted how when the victims attempted to withdraw their investments, they were asked to pay extra taxes or penalties, leading to more losses.

The intelligence agency, in April, revealed it received more than 4,300 complaints related to crypto-romance scams in 2021, resulting in more than $429 million in losses.

A recent report from Proofpoint also detailed some of the other tactics adopted by the fraudsters, including suggesting shifting the conversation to Telegram or WhatsApp for a "more private chat" and encouraging the victims to send compromising photos.

"In addition to cryptocurrency-based lures, these criminal enterprises have used gold, forex, stocks, and other subjects to exploit their victims," researchers Tim Kromphardt and Genina Po said.

"Such schemes are successful due to the intimate nature of the conversations leading up to the 'slaughter.' Causing shame and embarrassment are key goals for threat actors that leverage this type of social engineering to exploit victims, similar to romance fraud."

Source

The attacks are notable for employing a technique called callback phishing or telephone-oriented attack delivery (TOAD), wherein the victims are social engineered into making a phone call through phishing emails containing invoices and subscription-themed lures.

Palo Alto Networks Unit 42 said the attacks are the "product of a single highly organized campaign," adding, "this threat actor has significantly invested in call centers and infrastructure that's unique to each victim."

The cybersecurity firm described the activity as a "pervasive multi-month campaign that is actively evolving."

What's notable about callback phishing is that the email messages are completely devoid of any malicious attachment or booby-trapped link, allowing them to evade detection and slip past email protection solutions.

These messages typically come with an invoice that includes a phone number that the users can call to cancel the supposed subscription. In reality, however, the victims are routed to an actor-controlled call center and connected to a live agent on the other end, who ends up installing a remote access tool for persistence.

"The attacker will then seek to identify valuable information on the victim's computer and connected file shares, and they will quietly exfiltrate it to a server they control using a file transfer tool," Unit 42 researcher Kristopher Russo said.

The campaign may be resource intensive, but is also technically less sophisticated and likely to have a much higher success rate than other phishing attacks.

On top of that, it enables extortion without encryption, permitting malicious actors to plunder sensitive data sans the need to deploy ransomware to lock the files after exfiltration.

The Luna Moth actor, also known as Silent Ransom, has become an expert of sorts when it comes to pulling off such schemes. According to AdvIntel, the cybercrime group is believed to be the mastermind behind the BazarCall attacks last year.

To give these attacks a veneer of legitimacy, the adversaries, instead of dropping a malware like BazarLoader, take advantage of legitimate tools like Zoho Assist to remotely interact with a victim's computer, abusing the access to deploy other trusted software such as Rclone or WinSCP for harvesting data.

Extortion demands range from two to 78 Bitcoin based on the organization targeted, with the threat actor creating unique cryptocurrency wallets for each payment. The adversary is also said to offer discounts of nearly 25% for prompt payment, although there's no guarantee that the data is deleted.

"The threat actors behind this campaign have taken great pains to avoid all non-essential tools and malware, to minimize the potential for detection," Russo said. "Since there are very few early indicators that a victim is under attack, employee cybersecurity awareness training is the first line of defense."

Source

"These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites," cybersecurity firm SEKOIA said.

First advertised on Russian cybercrime forums in April 2022, Aurora was offered as a commodity malware for other threat actors, describing it as a "multi-purpose botnet with stealing, downloading and remote access capabilities."

In the intervening months, the malware has been scaled down to a stealer that can harvest files of interest, data from 40 cryptocurrency wallets, and applications like Telegram.

Aurora also comes with a loader that can deploy a next-stage payloading using a PowerShell command.

The cybersecurity company said at least different cybercrime groups, called traffers, who are responsible for redirecting user's traffic to malicious content operated by other actors, have added Aurora to their toolset, either exclusively or alongside RedLine and Raccoon.

"Aurora is another infostealer targeting data from browsers, cryptocurrency wallets, local systems, and acting as a loader," SEKOIA said. "Sold at a high price on market places, collected data is of particular interest to cybercriminals, allowing them to carry out follow-up lucrative campaigns, including Big Game Hunting operations."

The development also comes as researchers from Palo Alto Networks Unit 42 detailed an enhanced version of another stealer called Typhon Stealer.

The new variant, dubbed Typhon Reborn, is designed to steal from cryptocurrency wallets, web browsers, and other system data, while removing previously existing features like keylogging and cryptocurrency mining in a likely attempt to minimize detection.

"Typhon Stealer provided threat actors with an easy to use, configurable builder for hire," Unit 42 researchers Riley Porter and Uday Pratap Singh said.

"Typhon Reborn's new anti-analysis techniques are evolving along industry lines, becoming more effective in the evasion tactics while broadening their toolset for stealing victim data."

Source

As cybersecurity company Recorded Future revealed in a report published in April, state-backed Chinese hacking groups (including one traced as RedEcho) targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company.

The attackers gained access to the internal networks of the hacked entities via Internet-exposed cameras on their networks as command-and-control servers.

"In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group," Recorded Future said.

"To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy"

Attacks linked to Boa web server flaws

While Recorded Future didn't expand on the attack vector, Microsoft said today that the attackers exploited a vulnerable component in the Boa web server, a software solution discontinued since 2015 that's still being used by IoT devices (from routers to cameras).

Boa being one of the components used for signing in and accessing the management consoles of IoT devices, significantly increases the risk of critical infrastructure being breached via vulnerable and Internet-exposed devices running the vulnerable web server.

The Microsoft Security Threat Intelligence team said today that Boa servers are pervasive across IoT devices mainly because of the web server's inclusion in popular software development kits (SDKs).

According to Microsoft Defender Threat Intelligence platform data, more than 1 million internet-exposed Boa server components were detected online worldwide within a single week.

Exposed Boa servers worldwide (Microsoft)

 

"Boa servers are affected by several known vulnerabilities, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558)," the Microsoft Security Threat Intelligence team said.

"Microsoft continues to see attackers attempting to exploit Boa vulnerabilities beyond the timeframe of the released report, indicating that it is still targeted as an attack vector."

Attackers can exploit these security flaws without requiring authentication to execute code remotely after stealing credentials by accessing files with sensitive information on the targeted server.

Tata Power breached using Boa web server vulnerabilities

In one of the most recent attacks abusing these vulnerabilities observed by Microsoft, Hive ransomware hacked India's largest integrated power company, Tata Power, last month.

"The attack detailed in the Recorded Future report was one of several intrusion attempts on Indian critical infrastructure since 2020, with the most recent attack on IT assets confirmed in October 2022," Redmond said.

"Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report's release and that the electrical grid attack targeted exposed IoT devices running Boa."

Tata Power disclosed a cyber attack on its "IT infrastructure impacting some of its IT systems" in a stock filing on October 14th without sharing additional details regarding the threat actors behind the incident.

The Hive ransomware gang later posted data they claimed to have stolen from Tata Power's networks, indicating the ransom negotiations failed.

The Government Accountability Office said in a new report that the network of over 1,600 offshore facilities that produces a significant portion of U.S. domestic oil and gas are at a growing risk of cyberattacks. The warning comes more than a year after ransomware actors targeted Colonial Pipeline, bringing the U.S. oil pipeline system relied on by millions of Americans to a standstill.

The watchdog warned that not only has the government identified the offshore oil and gas sector as a target of malicious state actors, particularly those backed by China, Iran, North Korea, and Russia, but said operational technology (OT) — often used by these facilities to monitor and control physical equipment — contains multiple security flaws that could allow attackers to remotely take control of various functions, including as those critical to safety.

U.S. cybersecurity agency CISA has released several advisories about OT vulnerabilities this year alone, detailing issues like weak encryption and insecure firmware updates, and urged impacted users to identify baseline mitigations for reducing potential risks.

The GAO noted in its new report that legacy OT infrastructure still in use at many facilities is also vulnerable due to a lack of both built-in cybersecurity measures and software security patches. The report notes that older devices “do not have the capability to log commands sent to the devices, making it more difficult to detect malicious activity.”

The U.S. watchdog is calling on the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE), which oversees offshore oil and gas operations, to address these growing security risks. It says that the agency had initiated efforts to address these cybersecurity risks as far back as 2015, but has yet to take any “substantial” action almost a decade later.

The GAO notes that the BSEE started another such initiative earlier this year and hired a cybersecurity specialist to lead it, but the agency later said the effort was put on hold until the specialist is “adequately versed in the relevant issues.”

“Absent the immediate development and implementation of an appropriate strategy, offshore oil and gas infrastructure will continue to remain at significant risk,” the GAO said, noting that a successful cyberattack on offshore oil and gas infrastructure could have catastrophic consequences, including “deaths and injuries, damaged or destroyed equipment, and pollution to the marine environment.”

The U.S. watchdog is urging the BSEE to urgently develop and implement a cybersecurity strategy that includes risk assessments, objectives, activities, and performance measures; roles, responsibilities, and coordination; and the identification of required resources and investments.

BSEE “generally concurred” with the report and its recommendations. TechCrunch contacted BSEE for comment but did not hear back.

Source

The threat actors abuse the Microsoft Azure Web Apps service to host a network of phishing sites and lure victims to them via phishing messages impersonating bogus transaction confirmation requests or suspicious activity detection.

For example, one of the phishing emails seen in the attacks pretended to be from Coinbase, which says they locked the account due to suspicious activity.

Phishing email impersonating Coinbase - Source: PIXM

 

When the targets visit the phishing site, they are presented with a chat window supposedly for 'customer support,' controlled by a scammer who directs visitors through a multi-step defrauding process.

PIXM has been tracking this campaign since 2021 when the threat group targeted only Coinbase. Recently, PIXM's analysts noticed an expansion in the campaign's targeting scope to include MetaMask, Crypto.com, and KuCoin.

Bypassing 2FA

The first phase of the attack in the fake crypto exchange phishing sites involves a bogus login form followed by a two-factor authentication prompt.

Regardless of the credentials entered during this stage, they will still be stolen by the threat actors. The page then proceeds to a prompt asking for the 2FA code needed to access the account.

2FA step of the phishing site - Source: PIXM

 

The attackers try out the entered credentials on the legitimate website, triggering the sending of a 2FA code to the victim, who then enters a valid 2FA on the phishing site.

The threat actors then attempt to use the entered 2FA code to log in to the victim's account as long as they act before the timer runs out.

It should be noted that the MetaMask phishing attacks are targeting recovery phrases, rather than credentials or 2FA codes.

Chatting with scammers

Regardless of whether a 2FA code works, the researchers say that the scammers trigger the next attack stage, which is to launch on-screen chat support.

This is done by displaying a fake error message stating the account has been suspended due to suspicious activity and asking the visitor to contact support to resolve the matter.

Generating a fake login error - Source: PIXM

 

In this support chat, the threat actors start a conversation with the targeted victim to keep them around in case different credentials, recovery phrases, or 2FA codes are needed for the threat actors to log in to the account.

"They will prompt the user for their username, password, and 2-Factor authentication code directly in the chat," explains the new PIXM report.

"The criminal will then take this directly to a browser on their machine and again try to access the users account."

For successfully breached accounts, the victim is still engaged with customer support in case they need to confirm fund transfers while the crooks empty their wallets.

However, for accounts they cannot breach through the support chat, the threat actors switch to an alternative method to authenticate their device as "trustworthy" for the cryptocurrency platform.

Remote trickery

To overcome the authenticated device obstacle, the attackers convince the victim to download and install the 'TeamViewer' remote access app.

Next, the scammers ask the victims to log in to their cryptocurrency wallet or exchange accounts, and while they do so, the threat actors add a random character in the password field to cause a login failure.

The attacker then asks the victim to paste the password on the TeamViewer chat, uses the password (minus the random character) to login on to their device, and then snatches the device confirmation link sent to the victim to authenticate their device as trusted.

Stealing the device authentication link - Source: PIXM

 

Once they gain access to the account or wallet, the threat actors drain it of all funds while still keeping the victim engaged in the support chat. 

To avoid getting scammed in attacks like these, it is essential to always pay attention to the sender's email address and any sent URLs.

If these URLs do not match the cryptocurrency platform, you should immediately treat the email as suspicious and delete it.

Unfortunately, if you fall for one of these scams, there is nothing that a crypto exchange can due to recover your funds once they are transmitted from your wallet.