1 September 2023

Cyber Security Week in Review: September 1, 2023


The notorious Qakbot botnet dismantled in an international police operation

The US authorities and partners have dismantled the notorious Qakbot botnet that infected more than 700,000 computers globally and was linked to multiple attacks involving ransomware, financial fraud and other cybercriminal activity. The Qakbot operation is estimated to have caused nearly $60 million in losses from victims around the world.

Free decryptor released for Key Group ransomware victims

EclecticIQ researchers have released a free decryptor that restores files encrypted by the Key Group ransomware. The tool only works against a specific build of the ransomware dating from around August 3; other builds may use different keys.

The Key Group ransomware family first appeared in January 2023 and is believed to be operated by a Russian-speaking “low-sophisticated threat actor.” Key Group encrypts files with AES in CBC mode and sends identifying information about the victim device to the operators. The ransomware recursively encrypts victim data using the same static AES key and initialization vector for every file and renames encrypted files with the keygroup777tg extension. That hard-coded key and IV are what make a decryptor possible: once recovered from the binary, they decrypt every file the build touched, and because the IV never changes, files that begin with the same bytes also produce identical leading ciphertext blocks.
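The static-key weakness described above, as an added example in Go that is not part of the original article or of the EclecticIQ tool: the key, the IV, the sample plaintext and the assumption that the ransomware appends its extension to the original file name are all constructed here; Key Group's real key and IV are not on this page. The block models the ransomware's encryption step, the decryption a recovered key enables, and the equal-first-block artifact that a fixed IV leaves behind.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

// Constructed, hypothetical values: the real Key Group key and IV are not on this page.
// A 32-byte key selects AES-256; CBC needs a 16-byte IV.
var (
	staticKey = []byte("0123456789abcdef0123456789abcdef")
	staticIV  = []byte("fedcba9876543210")
)

// Assumption: the extension is appended to the original file name.
const lockedExt = ".keygroup777tg"

// pkcs7Pad pads to a whole number of blocks (always adds at least one byte).
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding; a bad pad usually means wrong key/IV.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptLikeKeyGroup models the ransomware side: same key, same IV, every file.
func EncryptLikeKeyGroup(plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(staticKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, staticIV).CryptBlocks(out, padded)
	return out, nil
}

// Decrypt is the decryptor side: with the static key and IV recovered from the
// binary, every file encrypted by that build decrypts the same way.
func Decrypt(ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(staticKey)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, staticIV).CryptBlocks(out, ct)
	return pkcs7Unpad(out, block.BlockSize())
}

// RestoreName strips the ransomware extension; ok is false if the name was not locked.
func RestoreName(name string) (string, bool) {
	if !strings.HasSuffix(name, lockedExt) {
		return name, false
	}
	return strings.TrimSuffix(name, lockedExt), true
}

// FirstBlocksEqual exposes the fixed-IV artifact: two files with the same leading
// 16 plaintext bytes yield the same first ciphertext block, a useful triage signal.
func FirstBlocksEqual(a, b []byte) bool {
	return len(a) >= 16 && len(b) >= 16 && bytes.Equal(a[:16], b[:16])
}

func main() {
	ct, _ := EncryptLikeKeyGroup([]byte("quarterly report"))
	pt, _ := Decrypt(ct)
	name, _ := RestoreName("report.docx.keygroup777tg")
	fmt.Printf("%s -> %q\n", name, pt)
}
```

Run it against a real sample only after confirming the build matches: a wrong key or IV does not fail loudly at the cipher level, it surfaces as a padding error or as garbage, which is why Decrypt validates the padding instead of trusting it.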

Kroll SIM-swapping attack exposes customer data of bankrupt crypto platforms

Business and legal services provider Kroll revealed it suffered a cyber incident in which some files containing personal data of customers of the bankrupt crypto platforms FTX, BlockFi Inc. and Genesis Global Holdco were exposed. Kroll said an attacker gained access to a company employee’s T-Mobile account via a SIM-swapping attack on August 19, 2023: the attacker tricked T-Mobile into transferring the employee’s phone number to a device the attacker controlled, which defeats any SMS-based second factor tied to that number. The advisory firm said it has no evidence that its other systems or accounts were impacted.

The National Safety Council leaked credentials of NASA, Tesla and 2K other firms

The National Safety Council, a US non-profit organization providing workplace and driving safety training, has leaked nearly 10,000 email addresses and hashed passwords of its members, exposing some 2,000 organizations, including government agencies and large corporations such as Shell, Intel, Siemens, Tesla, Toyota, Verizon and Vodafone.

According to the Cybernews research team, a subdomain of the NSC website had directory listing enabled, exposing the majority of files crucial to the operation of the web server to anyone who browsed to it. The exposed files included a backup of a database storing user emails and hashed passwords. The data was publicly accessible for about five months, as the leak was first indexed by IoT search engines on January 31, 2023. Hashed passwords in a leaked backup are still crackable offline, so affected members should treat the credentials as compromised and rotate any reused passwords.

Citrix NetScaler attacks linked to a ransomware campaign

Security researchers at Sophos shared details, along with Indicators of Compromise (IoCs), on a mass-exploitation campaign targeting vulnerable Citrix NetScaler instances.

The campaign, observed in mid-August, involves the attackers exploiting a remote code execution flaw (CVE-2023-3519) in unpatched Citrix NetScaler systems to drop PHP web shells on the appliances. Sophos has linked the attacks to a threat actor it tracks as ‘STAC4663’, believed to be associated with the financially-motivated FIN8 cybercrime group. Patching alone does not remove a web shell that was planted before the update, so patched appliances should still be checked against the published IoCs.

Meta takes down massive pro-China disinformation campaign

Facebook parent company Meta dismantled a prolific Chinese disinformation campaign, which it describes as the largest known cross-platform covert influence operation it has tracked to date. Dubbed “Spamouflage,” the operation targeted multiple countries across the world, including Taiwan, the US, Australia, the UK and Japan, as well as global Chinese-speaking audiences.

Poland arrests two men in connection to railway hacking

Polish authorities have detained two men allegedly involved in a recent series of railway hacks that caused emergency stoppages of trains in northwestern Poland, resulting in delays.

The two men, both Polish citizens, were apprehended in a private apartment in the eastern city of Bialystok. Radio transceivers were found during the searches. Local media reported that one of the suspects was a police officer; police in Bialystok said the agency had opened a dismissal procedure against him.

Three malware loaders behind 80% of intrusions - research

QakBot, SocGholish, and Raspberry Robin are the three malware loaders most favored by cybercriminals, accounting for about 80% of observed attacks, researchers at ReliaQuest have found.

During the first seven months of the year, the QakBot loader (aka QBot, QuackBot, and Pinkslipbot) was responsible for 30% of the attacks, followed by SocGholish (27%) and Raspberry Robin (23%). The remaining most popular malware loaders were Gootloader (3%), Chromeloader (2%), Guloader (2%), and Ursnif (2%).

North Korea’s Labyrinth Chollima linked to malicious VMConnect PyPI campaign

North Korean government-backed threat actor Labyrinth Chollima (a unit of the Lazarus Group) has been linked to the recent VMConnect supply chain campaign, which involved two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for the pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that provides asynchronous support for a range of databases. Typosquatted names like these are caught by pinning exact package names and versions and reviewing new dependencies before installation.

Earth Estries espionage group targets government and technology industries

Trend Micro researchers published a report on a new, well-resourced and sophisticated threat actor they track as Earth Estries, which targets organizations in the government and technology industries in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.

Earth Estries uses multiple backdoors and hacking tools to broaden its intrusion vectors, and uses PowerShell downgrade attacks to evade logging by the Windows Antimalware Scan Interface (AMSI). A downgrade attack launches an older PowerShell engine that predates AMSI, so defenders should alert on PowerShell engine-start events that report a legacy engine version. In addition, the actors abuse public services such as GitHub, Gmail, AnonFiles, and File.io to exchange commands and transfer stolen data.

The researchers said they found some overlaps between the tactics, techniques, and procedures (TTPs) used by Earth Estries and those used by another advanced persistent threat (APT) group, FamousSparrow, known for its attacks on hotels, governments, and private companies worldwide.

Chinese hackers were lurking in Japan’s NISC networks for months

Chinese hackers had undetected access to the networks of Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) for nine months. The intrusion is said to have started in the autumn of 2022 and lasted until June of this year.

In early August, Japan’s cybersecurity center admitted it suffered a security breach, which saw some personal data linked to email exchanges between October last year and June stolen. The leak came to light on June 13, when the agency detected unauthorized access to its systems.

Chinese GREF APT targets Android users via fake Signal and Telegram apps

A cyberespionage campaign is distributing spyware via trojanized Signal and Telegram apps on the Google Play and Samsung Galaxy stores. The campaign, believed to be orchestrated by a China-linked threat actor known as GREF, has been ongoing since July 2023 and uses a sophisticated espionage tool named BadBazaar, delivered through fake versions of the popular messaging apps Signal and Telegram called Signal Plus Messenger and FlyGram. The purpose of these malicious apps is to exfiltrate data from infected Android devices; presence in an official app store is no guarantee that an app is the genuine one.

Barracuda hackers anticipated ESG patch and deployed new backdoors to maintain access to targets

Google-owned Mandiant published an in-depth analysis of a worldwide cyberespionage campaign in which suspected Chinese hackers exploited a then zero-day vulnerability to compromise Barracuda Email Security Gateway (ESG) appliances. The campaign targeted the government, military, defense and aerospace, high-tech industry, and telecom sectors.

Mandiant said the attackers anticipated remediation efforts and deployed additional malware to maintain a presence on a small subset of high-priority targets. The additional tools include the Skipjack and Depthcharge backdoors, the Foxglove and Foxtrot keyloggers, and a new version of the Seaspy backdoor. Because persistence was designed to survive the patch, appliances that were compromised cannot be trusted after updating and should be replaced or rebuilt as the vendor advised.

Sandworm’s Infamous Chisel malware used in attacks on Ukrainian military tablets

Western intelligence and cybersecurity agencies released a joint technical analysis of a new malware called Infamous Chisel, used by Russia’s military intelligence service in attacks targeting Ukrainian military personnel.

The campaign, publicly disclosed by Ukraine’s security services earlier this month, was attributed to Sandworm, a threat actor linked to military unit 74455 of Russia's military intelligence service (GRU). The threat actor attempted to infect Ukrainian military networks with nearly ten variants of custom malware, ranging from Android remote access trojans and Mirai variants to backdoors designed to collect data from Ukraine's Starlink satellite connections.

Kremlin-backed hackers intensify cyber espionage activities amid Ukrainian counter-offensive

The Russian APT group Gamaredon has intensified its cyberespionage activity ahead of and during Ukraine’s counter-offensive operations, the National Security and Defense Council of Ukraine warned.

Gamaredon’s primary objectives are espionage and data theft. Its arsenal comprises a range of custom-developed malware, usually delivered through spear-phishing campaigns that use trojanized documents to compromise victims' systems. Once inside a target network, Gamaredon operators move laterally while avoiding detection, exfiltrate valuable data, and maintain persistence.

A stalkerware app hack exposes thousands of Android phones

WebDetetive, a Portuguese-language spyware company, has been hacked, with the attackers gaining access to its servers and databases. The company’s spyware was used to compromise over 76,000 Android phones across South America, mainly in Brazil.

The hackers claim to have exploited several vulnerabilities, including security issues in the app’s web dashboard, to breach WebDetetive’s servers and download every dashboard record. The intruders said they also deleted victim devices from the spyware network, cutting off the surveillance of those phones.
