At a glance.
- TroubleGrabber appears in Discord.
- Insurance software breach exposes Texas driver data.
- ShinyHunters hack PlutoTV.
- CERT-In warns users of old WhatsApp versions.
- Infostealer Jupyter attacks browser data.
TroubleGrabber harvests credentials via Discord.
Netskope has described TroubleGrabber, a credential stealer that infests the Discord gaming community platform. The malware spreads through Discord attachments and reports stolen data back to its masters through Discord messaging. Netskope sees this as another instance of an inevitable trend: criminals abusing cloud apps. There’s a social engineering dimension to the phenomenon, since users tend to repose trust in such apps, and it’s precisely such trust the attackers seek to exploit.
Millions of Texas drivers exposed in insurance software breach.
US insurance software company Vertafore experienced a data breach that exposed the personal data of 27.7 million Texas residents, reports Infosecurity Magazine. The breach, which occurred sometime between March and August of this year, was the result of human error: three files were accidentally placed in an unprotected storage database. No social security numbers or payment info were included, but driver’s license numbers and vehicle registration histories were compromised, and Vertafore has confirmed that the data was accessed by an unauthorized source. As soon as the exposure was discovered, Vertafore secured the data and began an investigation assisted by law enforcement and a cybersecurity consultant. However, they delayed notifying the public at the request of police.
PlutoTV hacked by ShinyHunters.
Free online television service PlutoTV was the victim of a hacking operation by infamous cybercriminal group ShinyHunters, reports Android Police. As the Cyberwire covered last week, ShinyHunters was also involved in an attack on online game Animal Jam, and the group has stolen data from over seventeen other companies as well, including Microsoft’s private GitHub. Now, Security Affairs reports, the data of 3.2 million PlutoTV users was leaked for free on a hacker forum, and ShinyHunters has been credited for the theft. As PlutoTV is a free service, fortunately no financial data was compromised, but IP addresses, dates of birth, and account login info were at risk.
CERT-In warns of WhatsApp vulnerabilities.
India’s Computer Emergency Response Team (CERT-In) has issued a warning stating that WhatsApp versions older than 2.20.111 and WhatsApp Business versions older than 2.20.100 have two security vulnerabilities, reports the India Times. An Improper Access Control Vulnerability would allow a threat actor to use Siri to communicate with the phone even if the device is locked, while a Use-After-Free Vulnerability allows the hacker to send a malicious animated sticker to the victim while placing a call on hold. The issues have already been patched in more recent versions of the apps, and CERT-In included instructions for users of the older versions to remedy the security flaws.
Life on Jupyter.
Morphisec reports discovering a new .NET infostealer variant called "Jupyter." The Trojan targets data on Chromium, Firefox, and Chrome browsers, and the attack chain begins with an installer hidden in a downloaded zip file. Highly effective at bypassing security scans, the infostealer impersonates legitimate software like Docx2Rtf. Evidence indicates that Jupyter probably has Russian ties: first, command-and-control infrastructure from multiple versions of Jupyter (dating back to May 2020) was mapped back to Russia; second, a reverse image search of the admin panel found matches on Russian-language fora; and, finally, the eccentric spelling of “Jupyter” suggests a Russian-to-English translation error.
We heard from Red Canary, whose Intelligence Analyst Tony Lambert wrote:
“Jupyter is an excellent example of the issues that can arise when end users install software from untrustworthy sources. In some instances, end users searched Google for templates or types of documents before getting led to malicious downloads. Jupyter uses legitimate tools like Inno Setup, which is free and widely used for software packaging and installation on Windows, to facilitate deployment.
“In every case of Jupyter we’ve seen, there has been a liberal amount of PowerShell use and this presents the best point of detection for Jupyter. A lot of defense evasion happens here, because the malware binary itself is obfuscated while at rest on disk. During malware execution, PowerShell reads the obfuscated malware into memory, deobfuscates it, and loads the malware for execution.
“Security teams should monitor for evidence of PowerShell execution by Jupyter. If evidence is present, be mindful of PowerShell instances within your organization's network that use `frombase64string` and `[System.Reflection.Assembly]::Load` code in their command lines.”