9 December 2022

Cyber security week in review: December 9, 2022

Scammers scam scammers on hacker forums

Cybercriminals devise all manner of techniques to trick victims into handing over their money, login and banking credentials, or to infect them with malware, but it appears that scammers are not immune to scams themselves. According to Sophos, cybercriminals, including prominent threat actors, have lost at least $2.5 million to scammers on just three underground sites in the past 12 months. A more detailed analysis is available in the company’s report.

North Korean hackers exploited IE zero-day to deploy malware

A North Korean state-backed threat actor known as APT37 has exploited a zero-day vulnerability in the Internet Explorer browser to infect targets in South Korea with malware. The flaw (CVE-2022-41128) is a buffer overflow issue within the JScript9 engine in IE. Google’s Threat Analysis Group (TAG) said it was not able to identify the final payload the attackers delivered in this campaign, but noted that APT37 had previously been observed deploying a variety of malware families such as Rokrat, BlueLight, and Dolphin on infected systems.

Google releases emergency security update to fix Chrome zero-day bug

Google released a new Chrome update to fix a zero-day vulnerability exploited in the wild. The bug is tracked as CVE-2022-4262 and is described as a type confusion error within the V8 engine in Google Chrome. It can be exploited by a remote attacker to achieve remote code execution on vulnerable systems; to do this, the attacker needs to trick the victim into visiting a malicious web page. This marks the ninth Chrome zero-day vulnerability Google has addressed since the start of the year.

Suspected Chinese hackers hit Amnesty International Canada

The Canadian branch of Amnesty International, an international human rights non-governmental organization (NGO), was the target of a sophisticated security breach in early October, which it believes to have been sponsored by China’s government. At present, no evidence has been found that any donor or membership data was exfiltrated.

In other news, the international non-governmental organization Human Rights Watch (HRW) said it discovered a cyber-espionage campaign aimed at human rights activists, journalists, researchers, academics, diplomats, and politicians working in the Middle East. The campaign is believed to be the work of an Iran-linked state-sponsored threat actor tracked by the cybersecurity community as APT42.

Iranian threat actor Agrius targets the diamond industry with data wipers

Cybersecurity firm ESET released a report that links an Iranian advanced persistent threat (APT) actor known as Agrius to a series of supply-chain attacks targeting companies in the diamond industry in South Africa, Israel, and Hong Kong. The attacks used a new data-wiping malware called “Fantasy,” said to have been built on the previously reported Apostle wiper; unlike the latter, however, the new tool does not masquerade as ransomware.

New COVID-bit attack steals sensitive data from air-gapped systems

Israeli researchers discovered a new method to covertly exfiltrate sensitive information from air-gapped systems. Dubbed “COVID-bit,” the technique relies on malware planted on an air-gapped computer that generates radio waves by executing crafted code on the target system. The malicious code abuses the dynamic power consumption of modern computers and manipulates the momentary loads on CPU cores. This, in turn, lets the malware control the computer's internal utilization and generate low-frequency electromagnetic radiation in the 0 to 60 kHz band. In this way, sensitive information such as files, encryption keys, or biometric data can be modulated onto the emanated signals and received by a nearby mobile phone.

Zombinder obfuscation service allows cybercriminals to bind malware to legitimate Android apps

Mobile security firm ThreatFabric discovered a new hybrid malware campaign that combines and deploys both Android and Windows-based banking trojans in order to reach as many victims as possible. The campaign, dubbed “Zombinder,” utilizes several banking trojans, including ERMAC, Erbium, Aurora, and Laplas, and has already claimed thousands of victims.

Webmail sale shops offer corporate emails for as little as $2

Israeli threat intelligence firm KELA released a detailed report on popular cybercrime marketplaces selling access to corporate webmail services, including Xleet, Odin, Lufix, and Xmina. Xleet and Lufix are said to be the largest shops offering webmail access, with average prices ranging from $2 to $25 for a single webmail account. Many of these shops provide advanced functions, such as “proofs” that the webmail access actually works. These proofs include performing a live check on the account to verify access, or showing a screenshot of the compromised account’s inbox.

Russian hackers use western networks to attack Ukraine

A new report from the cybersecurity firm Lupovis revealed that Russia-linked threat actors are using compromised networks of organizations in the UK, US, France, Brazil, and South Africa, including a Fortune 500 firm, and more than a dozen healthcare organizations, to launch cyberattacks against Ukraine.

Chinese hackers reportedly stole at least $20M in US Covid benefits

Threat actors working on behalf of the Chinese government have reportedly stolen tens of millions of dollars in US Covid relief benefits, including Small Business Administration loans and unemployment insurance funds in over a dozen states, since 2020, the US Secret Service said, without providing additional details on the attacks. This is the first time the US government has publicly acknowledged the theft of taxpayer funds by Chinese hackers in pandemic fraud.

French hospital halts operations, transfers patients after a ransomware attack

The André-Mignot hospital in the Parisian suburb of Versailles was hit with a ransomware attack over the weekend, which forced the facility to shut down its phone and computer systems and cancel all operations. According to officials, the threat actors behind the ransomware attack have demanded a ransom, but the hospital has refused to pay. Currently, there is no information on what ransomware group is responsible for the attack.

Microsoft: Russia combines missile and cyberattacks in Ukraine

Russia has intensified its multi-pronged hybrid technology approach, which includes both kinetic military operations and cyberattacks on Ukrainian civilian infrastructure to pressure the sources of Kyiv’s military and political support, Microsoft said.

The company has warned that the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter, and that, in parallel with cyber threat activity, Russia would likely conduct cyber-enabled influence operations targeting Europe to undermine military and humanitarian assistance to Ukraine.
