At a glance.
- MOVEit file transfer vulnerability.
- Moonlighter will test cybersecurity in orbit.
- Criminal smishing campaign expands to the Middle East.
- New criminal campaign targets Android users who wish to install modified applications.
- Using vendor and contractor accounts to penetrate networks.
- Cyclops ransomware as a dual threat.
- NSA releases advisory on North Korean spearphishing campaigns targeting think tanks, universities, and media organizations.
- Backdoor-like issue found in Gigabyte firmware.
- Credential harvesting campaign impersonates Multimedia Software and Adobe.
- Mitiga discovers “significant forensic discrepancy” in Google Drive.
Cl0p claims responsibility for MOVEit file transfer vulnerability and subsequent data breaches.
Cl0p told BleepingComputer, on June 5th, that it was responsible for the exploitation of the MOVEit Transfer SQL injection vulnerability (CVE-2023-34362). The vulnerability, which was added to CISA’s Known Exploited Vulnerabilities catalog last Friday, was first exploited on May 27th, BleepingComputer reported. Mandiant had associated exploitation of this vulnerability with Cl0p, as the gang had been searching for partners that use SQL injection. That attribution now seems confirmed. Sky News said that Cl0p had claimed responsibility for exploiting the vulnerability against several British and Irish companies (including the BBC, British Airways, Boots, and Aer Lingus) to steal customer information as well as national insurance numbers. The companies at present don’t believe their financial information was stolen. The data breaches are reminiscent of other supply chain attacks, as the threat actors used the exploit to gain entry into a Zellis database. For more on the MOVEit issue, see CyberWire Pro.
Moonlighter will test cybersecurity in orbit.
The launch of the Moonlighter satellite, a government-funded satellite billed as “the world's first and only hacking sandbox in space,” was delayed from June 4th to June 5th due to high winds, Spaceflight Now reports. The launch was scheduled for liftoff from the Kennedy Space Center aboard a SpaceX Falcon 9 on a resupply mission to the International Space Station. Earlier Sunday, the outlet reports, another Falcon 9 rocket launched from the neighboring Cape Canaveral Space Force Station.
The Moonlighter was built by the Aerospace Corporation, the Register reports, “a federally funded research and development center in Southern California, in partnership with the US Space Systems Command and the Air Force Research Laboratory.” The satellite will support cybersecurity training and exercises in orbit, with software developed by those working in the infosecurity and aerospace engineering fields.
Criminal smishing campaign expands to the Middle East.
Researchers at Group-IB warn that a Chinese-speaking phishing gang has expanded its targeting from the Asia-Pacific region to the Middle East. The gang, which the researchers call “PostalFurious,” impersonated a toll operator and a postal service in the Middle East. In the former case, the scammers messaged victims with a request for immediate payment to avoid additional fines. In the latter, they sent bogus package delivery notifications by SMS text. The gang's motivation seems to be financial, that is, straightforwardly criminal.
New criminal campaign targets Android users who wish to install modified applications.
Researchers at Bitdefender have discovered a “hidden malware campaign living undetected on mobile devices worldwide for more than six months.” The researchers explain that the campaign is designed to aggressively push adware, a type of malware that forces unwanted ads into the victim's online experience. The campaign is probably capable of switching tactics and transitioning to pushing Trojans or other malware to the devices already infected. Bitdefender has observed over 60,000 different samples that carry this adware, and the campaign, they believe, started in October of 2022. The applications that carry the malware are not available on any official app stores. Instead, they often pretend to be game cracks, free VPNs, ad-free versions of Netflix, YouTube or TikTok, and even fake security software. The most popular downloads seem to be modified legitimate applications that have, the scammers claim, been enhanced for a better user experience. Once installed, the applications display no icon, which makes them more difficult to uninstall and may mislead the user into thinking there was a problem during the installation process.
Using vendor and contractor accounts to penetrate networks.
Cisco Talos released a report detailing attackers’ targeting and abuse of compromised accounts belonging to vendors and contractors (VCAs). While the researchers highlight that recent software supply chain attacks, such as those affecting 3CX and MSI, have drawn attention, other links of the supply chain are easier to exploit and are often overlooked. Abusing VCAs gives attackers access and privilege in systems that may not be identified in a timely manner, because trust in the third-party workforce provider may discourage close scrutiny of those accounts.
Cyclops ransomware as a dual threat.
The Uptycs threat intelligence team yesterday shared their discovery of a new threat actor called “Cyclops.” The Cyclops ransomware-as-a-service (RaaS) provider uses ransomware with the capability of infecting Windows, Linux, and macOS machines. The malware, researchers say, also contains a binary specifically for lifting sensitive data.
Cyclops has been seen shilling its RaaS offering on forums, and requests a cut of the profits if the malware is used. After the payload scans and identifies the processes running on the infected machine and retrieves all of the drive information, a ransom note is dropped. The “How To Restore Your Files” txt file redirects victims to an Onion site that promises to lead them on the road to recovery of their data if they pay up.
Cyclops ransomware is said to share attributes with the Babuk and LockBit ransomware families. The ransomware encryption logic in Cyclops is said to be similar to that of Babuk, using Curve25519 and HC-256 for encryption on Windows. The encoding and storing of executable strings as a stack string that is “dynamically decoded through computations that involve addition, subtraction, shifting, XORing,” and the like, was observed in v2 of LockBit.
NSA releases advisory on North Korean spearphishing campaigns targeting think tanks, universities, and media organizations.
The U.S. National Security Agency (NSA) stated in a press release that it has partnered with five U.S. and Republic of Korea agencies to release a cybersecurity advisory (CSA) titled “North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media.” In the advisory, the agencies note that North Korea’s primary intelligence agency, the Reconnaissance General Bureau (RGB), is responsible for spearphishing campaigns, writing: “These North Korean cyber actors are known to conduct spearphishing campaigns posing as real journalists, academics, or other individuals with credible links to North Korean policy circles. The DPRK employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets.”
The statement named the threat actors associated with these attacks as Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee. In many cases the threat actors will pretend to be real journalists to build rapport with their targets; typically the actors will then ask questions regarding current events and U.S. expert opinion on North Korean affairs. The actors will also masquerade as scholars, think tank advisors, and government officials in email correspondence. Eventually, they will send a fake email pretending to be the target’s email service provider requesting that they reset their password, threatening to permanently delete the target's account if they fail to follow the instructions. NSA advises all potential targets to consider the risks before clicking on links sent over email from unverified sources. Additionally, they suggest training employees on spearphishing awareness, writing: “Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting websites, clicking on links, and opening attachments. Reinforce the appropriate user response to phishing and spearphishing emails.”
Backdoor-like issue found in Gigabyte firmware.
Researchers at Eclypsium have discovered a firmware backdoor in motherboards sold by Taiwanese hardware manufacturer Gigabyte. The feature appears to be intended to automate firmware updates, but Eclypsium says it could be abused by threat actors via man-in-the-middle attacks. The researchers compare the vulnerability to other firmware backdoors such as LoJax, MosaicRegressor, MoonBounce, and Vector-EDK.
The researchers explain, “The firmware does not implement any cryptographic digital signature verification or any other validation over the executables. The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers). As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure.” For more on this firmware issue, see CyberWire Pro.
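The control Eclypsium says is missing is a check that a downloaded executable was actually signed by the vendor before it is dropped and run. The following is an added illustration of that check, not code from Gigabyte or from Eclypsium's report: a hypothetical updater that pins the vendor's Ed25519 public key and refuses any payload whose signature does not verify against it. Key names, the sample payload, and the `VerifyUpdate`/`SignUpdate` helpers are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when a payload does not verify against the
// pinned vendor key. The updater must not write or execute it in that case.
var ErrBadSignature = errors.New("update rejected: signature verification failed")

// VerifyUpdate checks a downloaded executable against the vendor public key
// that is assumed to be burned into the firmware image (hypothetical helper).
// Verifying the body rather than trusting the transport defeats a
// man-in-the-middle or a compromised download server.
func VerifyUpdate(vendorPub ed25519.PublicKey, payload, sig []byte) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("update rejected: pinned key has wrong size")
	}
	if len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(vendorPub, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

// PayloadDigest returns the SHA-256 of the payload as hex so the updater can
// log exactly which binary was accepted or refused.
func PayloadDigest(payload []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(payload))
}

// SignUpdate models the vendor's release step; the private key stays with the
// vendor and never ships in firmware.
func SignUpdate(vendorPriv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(vendorPriv, payload)
}

func main() {
	// Constructed key pair standing in for the vendor's release-signing key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	update := []byte("constructed updater binary contents")
	sig := SignUpdate(priv, update)

	fmt.Println("genuine update:", PayloadDigest(update), VerifyUpdate(pub, update, sig))

	// A man-in-the-middle replaces the body; the vendor's signature no longer matches.
	tampered := append([]byte{}, update...)
	tampered[0] ^= 0xff
	fmt.Println("tampered update:", PayloadDigest(tampered), VerifyUpdate(pub, tampered, sig))

	// A binary carrying a valid signature from some other key (for example one
	// that satisfies generic OS code-signing rules but is not the vendor's) is
	// still refused, because only the pinned key is trusted.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("foreign-signed update:", VerifyUpdate(pub, update, SignUpdate(otherPriv, update)))
}
```

The point of pinning a specific key, rather than accepting any OS-valid code signature, is the one the quoted text makes: a Windows-acceptable signature on the dropped executable does not by itself prove the vendor produced it.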
Credential harvesting campaign impersonates Multimedia Software and Adobe.
On June 1st, Armorblox reported detecting and stopping an email attack impersonating Adobe that evaded email security measures. The threat actor used social engineering to target law firms by sending emails from a compromised third-party account. Legal documents were the phishbait. The phish hooks were malicious hyperlinks leading to pages mimicking Adobe Acrobat. The landing page of those hyperlinks led to a faux Adobe File Sharing page with another link leading to a credential harvesting page that requested the victim’s Microsoft login. The threat actors not only leveraged the legitimacy of Adobe to reel in unsuspecting victims but also bypassed certain Microsoft security measures, since the manipulation and use of Adobe’s legitimate domain bypassed email security checks.
Mitiga discovers “significant forensic discrepancy” in Google Drive.
Mitiga released a comprehensive report regarding a “significant forensic deficiency in Google Workspace.” This deficiency allows threat actors to exfiltrate data using Google Drive without leaving a trace. The problem lies in the fact that Google Drive logs, which would allow these activities to be traced, are only active in its premium service, “Google Workspace Enterprise Plus.” If an organization is not paying for the service, or an employee is not using a paid license, then the logs remain inactive, allowing threat actors to move data without notice. Mitiga writes: “All users can access the Workspace and complete actions with the files inside their private company drive. They simply do so without generating any logs, making organizations blind to potential data manipulation and exfiltration attacks. When incidents occur, this standard prevents organizations from efficiently responding, as they have no chance to correctly assess what data has been stolen or whether it has been stolen at all.” Mitiga has alerted Google to this discrepancy but, as of the publishing of their report, Google had not yet responded. For more on Mitiga's report, see CyberWire Pro.