24 June 2022

Cyber security week in review: June 24, 2022


Harmony Network's Horizon Bridge hacked for $100 million

Harmony, the operator of Horizon Bridge, a cross-chain interoperability platform between Ethereum, Binance Smart Chain (BSC) and Harmony blockchain networks, announced that the app has been hacked for $100 million worth of cryptocurrencies, making it one of the biggest crypto thefts in recent weeks.

The Harmony team said that the incident took place on Thursday morning (June 24), and that it has “begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.”

Italian spyware campaign targets Apple, Android users in Italy, Kazakhstan

Spyware developed by the Italian company RCS Labs was used in malicious campaigns targeting owners of iOS and Android devices in Italy and Kazakhstan, Google’s Threat Analysis Group (TAG) revealed. RCS Labs is just one of more than 30 spyware vendors whose activity is currently tracked by Google.

According to the TAG, RCS Labs’ spyware targeted the devices leveraging a combination of tactics including unusual “drive-by downloads” that happen without victims being aware. The team said that the Italian spyware vendor worked with undisclosed internet service providers to install malicious apps on victims’ phones.

The malicious iOS app observed in these attacks came with six different exploits. At the time of discovery, two of them (CVE-2021-30883 and CVE-2021-30983) were zero-day exploits, Google said.

NSO Group admitted that Pegasus spyware was used by at least 5 EU countries

NSO Group, the controversial Israeli cyber-intelligence firm behind the Pegasus spyware, admitted that at least five EU countries have used its product and the company has cancelled at least one contract with an EU member country following abuse of its surveillance software.

NSO Group stressed the need to create an international body for spyware regulation, “something similar to a non-proliferation agreement,” under which only countries that agree to the established rules would be able to use the technology.

Japanese auto hose maker Nichirin hit by a cyberattack

Nichirin-Flex, the US subsidiary of Japanese auto hose maker Nichirin, said it was hit by a cyberattack that forced it to shut down its computerized production controls and switch to manual operations.

The incident affected the company’s server, which was infected with ransomware. Nichirin did not reveal details about the attack, but said it is investigating the impact on its customers.

Russian cyber-espionage ops targeted 42 Ukraine allies

Russia has carried out dozens of cyber-espionage campaigns targeting governments, think tanks, businesses and aid groups in more than 40 countries supporting Ukraine, Microsoft said.

Nearly two-thirds of the cyber-espionage targets were NATO members. While the US has been Russia’s primary target (12%), Russian state-backed hackers have also launched attacks on Poland (8%), which has become a hub for transporting military equipment to Ukraine, and the Baltic countries of Latvia and Lithuania (14% combined).

RIG Exploit Kit now infects victims with the Dridex malware

Hackers are now using the RIG Exploit Kit to deliver the Dridex banking trojan instead of the Raccoon Stealer malware as they did before. According to Bitdefender Cyber Threat Intelligence Lab, the switch was caused by a temporary cessation of Raccoon Stealer’s activity in February when one of its developers was killed in the Russian invasion of Ukraine.

The Dridex malware first appeared in 2012, and by 2015 had become one of the most prevalent banking trojans. It operates from multiple modules, which are capable of capturing screenshots, acting as a virtual machine, or incorporating the victim machine into a botnet. Dridex can also steal data from browsers, detect access to online banking applications and websites, and inject keyloggers.

Europol busts a cybercrime gang behind lucrative phishing scams

European law enforcement agencies dismantled an organized crime group involved in phishing, fraud, scams and money laundering responsible for millions of euros in losses.

The fraudsters approached victims via email, text message or mobile messaging apps and sent them phishing links leading to a fake banking website, where users were tricked into providing their banking credentials to the scammers.

The police apprehended 9 alleged members of the gang and conducted 24 house searches in the Netherlands. During the raids the police officers also seized firearms, ammunition, jewellery, electronic devices, cash and cryptocurrency.

Two new malicious campaigns target Ukraine

Ukrainian cybersecurity authorities warned of two malicious campaigns targeting government bodies and organizations in the country’s critical infrastructure sector that exploit the recently patched Follina (CVE-2022-30190) vulnerability to deliver Cobalt Strike Beacon and CredoMap malware.

Both hacking campaigns involve phishing emails distributing malicious Microsoft Word documents. In the first case the malicious document was ostensibly sent by the State Tax Service of Ukraine, while in the second campaign (which was attributed to the Russia-linked APT28 hacker group) attackers distributed a malicious Word document purported to contain information about nuclear terrorism.

Germany indicts Russia-linked APT28 hacker who targeted NATO think tank

German authorities issued an arrest warrant for the Russian hacker Nikolaj Kozachek (aka “blabla1234565” and “kazak”) accused of carrying out cyber-espionage operations against a NATO think tank in Germany on behalf of the Russian military intelligence service.

According to German officials, Kozachek compromised the IT systems of the Joint Air Power Competence Center, a think tank in North Rhine-Westphalia, in April 2017 and planted the X-Agent spyware on the organization’s computers. The hacker is said to have compromised at least two systems and gained access to internal NATO information; however, the full extent of the attack is not yet clear.

OT:Icefall vulnerabilities put industrial devices at risk of cyberattacks

Cybersecurity researchers at Forescout's Vedere Labs published a report detailing a set of 56 vulnerabilities impacting industrial equipment used in critical infrastructure environments.

The vulnerabilities, dubbed “OT:Icefall,” are said to be caused by insecure-by-design practices in OT and affect products from Honeywell, Motorola, Omron, Siemens, Emerson, JTEKT, Bently Nevada, Phoenix Contact, ProConOS, and Yokogawa.

The discovered issues fall into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates, and remote code execution via native functionality.

Of the flaws, 38% allow for compromise of credentials, 21% allow firmware manipulation, and 14% are remote code execution vulnerabilities.

Hackers exploit Log4Shell vulnerability in attacks on VMware Horizon servers

Although the infamous Log4Shell vulnerability (CVE-2021-44228) was patched six months ago, hackers are still exploiting the flaw to attack VMware Horizon and Unified Access Gateway servers and gain initial access to victims’ networks.

According to a recent joint advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER), since December 2021 multiple threat actor groups, including state-sponsored ones, have been exploiting Log4Shell on unpatched, public-facing VMware Horizon and Unified Access Gateway servers. In these attacks threat actors were observed planting malware on compromised systems, with embedded executables enabling remote command-and-control.

Cybersecurity authorities share advice on securing Windows systems with PowerShell

Although PowerShell is often abused by malicious actors, system administrators should not switch off the Windows command-line tool, the US National Security Agency and partners advised in a Cybersecurity Information Sheet released this week.

The NSA and cyber security centers in the US (CISA), New Zealand (NZ NCSC), and the UK (NCSC-UK) have provided a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities. The security advisory outlines features in PowerShell that help with protecting credentials, remote management configurations, anti-virus scanning and logging.
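As an illustration of the logging side of that advice, the script below is an added example written for this review, not code from the Cybersecurity Information Sheet or any of the agencies named above. It turns on the three PowerShell logging features defenders typically rely on (script block logging, module logging and transcription) through their Group Policy-backed registry locations, then pulls recent script-block events so an analyst can confirm the pipeline is producing data. The transcript directory `C:\PSTranscripts` is an assumed path for the example; the specific settings chosen are the editor's, not a quotation from the sheet.

```powershell
# Added example (not from the NSA/CISA/NZ NCSC/NCSC-UK sheet): enable PowerShell
# logging on a Windows host and review the resulting events. Run elevated.
# The registry paths are the standard policy locations Windows PowerShell reads;
# 'C:\PSTranscripts' is an assumed output directory for this example.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param(
        [string]$Key,
        [string]$Name,
        $Value,
        [string]$Type = 'DWord'
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging: records the content of executed code (Event ID 4104),
#    including de-obfuscated script blocks, which is what most detections key on.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module logging for every module ('*'): records pipeline execution details (Event ID 4103).
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: full session transcripts with invocation headers, written to a
#    directory that should be forwarded off-host and made append-only for users.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'

# Review step: list the 20 most recent script-block events. Properties[2] of a
# 4104 event holds the script text, which is what an analyst triages.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Properties[2].Value } } |
    Format-Table -AutoSize -Wrap
```

These settings apply to Windows PowerShell 5.1; PowerShell 7 reads an equivalent set of policies under `HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore`, so both paths need to be configured on hosts that run both. The events only become useful when they are forwarded to a central collector, since an attacker with local administrator rights can clear the Operational log on the host itself.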
