5 August 2022

Cyber security week in review: August 5, 2022

Nomad bridge drained of nearly $200 million in one of the largest DeFi hacks

Nomad, a bridge protocol for transferring crypto tokens across different blockchains, has suffered a cybersecurity incident in which hackers made off with almost all the funds in the wallet. The total value of cryptocurrency stolen in the attack is estimated to be around $190 million. The funds were drained over hours and in small batches by various accounts. According to blockchain security firm PeckShield, more than 41 IP addresses were identified as involved in the theft.

A day after the attack, hackers returned $9 million to Nomad.

Thousands of Solana wallets drained in yet another multimillion exploit

Just a few hours after the Nomad hack came to light, another crypto project, Solana, suffered the same fate, with users reporting that their funds had been stolen from internet-connected Solana “hot” wallets, including Phantom, Slope and TrustWallet.

Over 9,000 hot wallets were reportedly affected in the hack, with a total loss estimated to be more than $4 million. The exact cause of the hack is still unclear at this point, but some facts point to accounts tied to the Slope mobile wallet app. Furthermore, experts found evidence that the company’s mobile apps were transmitting users’ private keys unencrypted as part of their logging and telemetry.

For its part, Solana said that there is no evidence the Solana protocol or its cryptography was compromised.

Threat actors exploit an Atlassian Confluence bug to install a never-before-seen backdoor

Analysts from the DeepWatch threat intelligence team have discovered a malicious campaign that “highly likely” exploited a vulnerability in Atlassian Confluence Server software.

The bug suspected to have been exploited is CVE-2022-26134, a remote code execution flaw affecting out-of-date versions of Confluence Server and Data Center. The attackers have also planted a never-before-seen backdoor, dubbed “Ljl Backdoor,” onto the compromised server.

Luxembourg natural gas pipeline operator, German chipmaker targeted by ransomware

A cybercrime gang behind the AlphV ransomware said it successfully attacked Creos Luxembourg, an operator of electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. On their dark web data leak site, the AlphV (better known as BlackCat) operators claimed to have breached Creos Luxembourg and stolen more than 150 GB of corporate data, including sensitive information such as contracts, agreements, copies of IDs, invoices, emails and more.

In a separate incident, German power electronics maker Semikron has been hit with an LV ransomware attack that partially encrypted the company’s systems, with the perpetrators claiming to have stolen 2 TB worth of documents from the manufacturer.

Raspberry Robin malware linked to Russian cybercrime syndicate Evil Corp

Microsoft’s cybersecurity team said they found a potential connection between the recent Raspberry Robin malware attacks and Evil Corp, an infamous Russia-linked cybercrime syndicate sanctioned by the US government.

According to the tech giant, an access broker it tracks as DEV-0206 has been observed using malvertising to trick victims into downloading a loader for additional malware previously linked to Evil Corp, tracked as DEV-0243. Microsoft said that it discovered the FakeUpdates malware (SocGholish) being delivered via existing Raspberry Robin infections.

North Korea-linked hackers use malicious extensions to spy on victims’ email

A hacker group acting on behalf of the North Korean government has been observed using malicious Google Chrome or Chromium-based Microsoft Edge browser extensions to spy on user email accounts. Over the past year, the group has been using a malicious Google Chrome or Microsoft Edge extension called SHARPEXT. The malware doesn’t attempt to steal usernames and passwords, but rather directly inspects and exfiltrates data from a victim's webmail account.

Hackers claim to have breached European missiles maker MBDA

A group calling themselves Adrastea have claimed they have stolen 60 GB worth of files from the European multinational developer and manufacturer of missiles MBDA. The stolen files allegedly include documents related to the design of air defense, missile systems, and systems of coastal protection, presentations, correspondence with other defense contractors, and other sensitive information.

Shortly after Adrastea’s announcement, MBDA said that claims of a breach of its systems are false, and that “the stolen” data was acquired from an external hard drive. “So far, the company’s internal verification processes indicate that the data made available online are neither classified data nor sensitive,” MBDA said in a statement.

LockBit ransomware sideloads Cobalt Strike via Windows Defender

The LockBit ransomware operation is taking advantage of a Microsoft security tool to install Cobalt Strike payloads. According to security researchers at SentinelOne who spotted the latest developments, the gang is abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike beacons.

Hackers caught using Manjusaka offensive framework similar to Cobalt Strike

Security researchers discovered a new attack tool similar to the Cobalt Strike and Sliver frameworks, which has been utilized in malicious campaigns. Dubbed “Manjusaka” (meaning "cow flower") by its authors, the framework uses implants written in the cross-platform Rust programming language, while its binaries are written in GoLang. Manjusaka comes in versions for Windows and Linux operating systems, which offer a set of RAT functionalities and communication mechanisms.

An RCE bug in DrayTek Vigor routers exposes thousands of SMBs to cyberattacks

Thousands of small and medium-sized businesses (SMBs) could be at risk of cyberattacks due to a remote code execution vulnerability in DrayTek Vigor routers used by many organizations.

Tracked as CVE-2022-32548, the bug impacts 29 DrayTek Vigor router models. It can lead to a complete compromise of the device and enable a malicious actor to access internal resources of the breached networks. Firmware updates for affected routers have already been made available for download on the vendor’s website.

A Shodan search shows that there are more than 760,000 DrayTek routers exposed on the internet.

Meta disrupted a cyber-espionage operation leveraging Apple’s legitimate TestFlight service

Meta, Facebook’s parent company, says it disrupted two separate cyber-espionage campaigns orchestrated by the Bitter APT and APT36 state-sponsored hacker groups.

In the campaign run by Bitter APT, which operates out of South Asia, the attackers attempted to trick victims into downloading an iOS chat application via Apple’s legitimate TestFlight service, designed to help developers beta-test new applications. The operation targeted users in New Zealand, India, Pakistan and the United Kingdom.

The second cyber-espionage campaign conducted by APT36, which is believed to be a Pakistani state-backed threat actor, involved a modified version of the XploitSPY Android malware called LazaSpy, and trojanized versions of WhatsApp, WeChat and YouTube delivering the Mobzsar or CapraSpy malware. The campaign targeted people in Afghanistan, India, Pakistan, UAE, and Saudi Arabia, including military personnel, government officials, employees of human rights and other non-profit organizations and students.

VirusTotal: Adobe Reader, Skype, and VLC Player are most impersonated software in malware attacks

Google’s VirusTotal released an interesting report detailing various techniques used by malware to bypass defenses and make social engineering attacks more effective. More specifically, threat actors increasingly impersonate legitimate applications like Skype, Adobe Reader, and VLC Player to take advantage of trust relationships, as well as 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp.

Another commonly used attack method involves stealing legitimate signing certificates from software vendors and using them to sign their malware. 87% of the more than one million signed malicious samples uploaded to VirusTotal since January 2021 have a valid signature, the report says.

Cybersecurity authorities share a list of 2021’s 'top' malware strains

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) have released a joint security advisory that provides details on the top malware strains (RATs, banking trojans) observed in 2021, including Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader. The advisory also offers mitigations to help organizations improve their cybersecurity posture.

German Chambers of Industry and Commerce hit by a cyberattack

The Association of German Chambers of Industry and Commerce (DIHK) has been a target of a cyberattack that prompted it to shut down all of its IT systems, as well as digital services, telephones, and email servers as a precaution.

Michael Bergmann, the General Manager of DIHK, described the cyberattack as “massive.” While the incident appears to bear signs of a ransomware attack, there has been no official confirmation and no announcements have been made by major ransomware groups.

Threat actors are increasingly using Dark Utilities “C2aaS” platform in malware campaigns

A new service called Dark Utilities has been discovered that offers malicious actors an easy and inexpensive way to establish command and control communication for their malware campaigns.

Established in early 2022, Dark Utilities offers a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for their customers. Dark Utilities offers premium access to the platform, associated payloads and API endpoints for just 9.99 euros. At present, the service has roughly 3,000 active subscribers.
