18 November 2022

Cyber security week in review: November 18, 2022


Cyber security week in review: November 18, 2022

Google to pay a $391M privacy fine for illegal location data tracking

US-based tech giant Google has agreed to pay $391.5 million to settle a privacy lawsuit over charges the company misled users about the collection of personal location data.

The Google investigation was opened following a 2018 report that the company misled Android users and tracked their locations since at least 2014 even when they thought location tracking was disabled.

Hundreds of Amazon RDS snapshots found exposing users' data

Hundreds of databases hosted on the Amazon RDS (Relational Database Service) platform have been found leaking sensitive data like names, email addresses, phone numbers, dates of birth, marital status, car rental information, and business data due to a snapshot feature in Amazon RDS that is used to back up the hosted databases.

Iranian hackers breached US federal agency using the Log4Shell bug

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint security advisory detailing an attack by Iran-linked state-backed hackers on a US government agency, in which the attackers exploited the Log4Shell remote code execution bug (CVE-2021-44228) in an unpatched VMware Horizon server to install XMRig crypto mining software and set up reverse proxies on compromised servers to maintain persistence within the agency's network.

Ukraine continues to be a prime target of Russia-aligned APT groups

ESET released its APT Activity Report T2 2022, which summarizes the activities of selected advanced persistent threat (APT) groups originating from Russia, Iran, China, and North Korea that were observed, investigated, and analyzed by the researchers from May until the end of August 2022.

The report notes that even more than eight months after the Russian invasion, Ukraine continues to be a prime target of Russia-aligned APT groups such as the infamous Sandworm, but also Gamaredon, InvisiMole, Callisto, and Turla.

Botnets, trojans, DDoS from Ukraine and Russia have increased since the start of the war

Cyber threat activity from IP addresses in Ukraine and Russia has drastically increased since the beginning of the Russia’s invasion of Ukraine in February 2022. Trojan malware with bigger increases in activity from Ukraine and Russia IP addresses included Citadel (up 3,440% in July), CoreBot (activity from Ukraine IPs increased 126% in July), Wauchos (activity from Russian IPs increased 27% in July), Nivdort (activity from Ukraine IPs jumped 325% in September), Avalanche malware families. The report also notes that distributed-denial-of-service (DDOS) attacks originating from Ukraine surged 363% in March on average compared the average prior to February.

Ongoing supply chain attack targets Python developers with WASP Stealer

An ongoing supply chain attack is using malicious Python packages to distribute a polymorphic malware called W4SP Stealer able to steal the victim’s Discord accounts, passwords, crypto wallets, credit cards, and other sensitive data on the victim’s PC. The threat actors behind this attack have managed to infect hundreds of victims to date, while actively releasing new packages to continue the campaign.

Fake Twitter accounts are being sold on the dark web

Security researchers at Cybersixgill have published a report detailing how scammers sell bots, spam tools, and fake Twitter accounts on underground forums and the dark web.

Hive ransomware gang extorted over $100M from 1,300 victims worldwide

As of November 2022, Hive ransomware operators have targeted over 1,300 companies worldwide, receiving around $100 million in ransom payments, according to a joint advisory from the FBI and CISA. The agencies said that from June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors.

The threat actors gained initial access to victim networks by using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols (depending on which Hive affiliate targeted the network). In some cases the attackers bypassed multifactor authentication (MFA) and gained access to the network by exploiting a FortiOS vulnerability (CVE-2020-12812), or the Microsoft Exchange ProxyShell bugs (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

New Somnia ransomware targets Ukrainian orgs

The Computer Emergency Response Team of Ukraine (CERT-UA) released details regarding recent attacks that targeted organizations in the country with a new ransomware strain called “Somnia.”

The agency attributed the attacks to a Russia-linked hacker group FRwL (aka Z-Team), which it tracks as UAC-0118. To gain initial access to a victim network the treat actor used fake “Advanced IP Scanner” software spread via bogus websites mimicking official sites that, in reality, downloaded the Vidar stealer, which steals the victim's Telegram session data to take control of their account.

Magecart hackers target Magento and Adobe Commerce stores in 'TrojanOrders' attacks

Sansec researchers are warning of a rise n 'TrojanOrders' attacks targeting Magento 2 e-commerce websites using a critical flaw (CVE-2022-24086) that allows the threat actors to infect vulnerable sites with a remote access trojan.

US seizes 17 domains linked to online fraud

The FBI and the US Postal Inspection Service seized 17 domains involved a large-scale scam operation that tricked victims into becoming money mules.

The malicious websites posed as recruiting portals for work-at-home jobs, where US citizens were tricked into receiving stolen goods or stolen money and asked to reship the products or funds to another address controlled by the scammers.

Massive Fangxiao phishing campaign impersonates over 400 well-known brands

The China-based threat actor known as “Fangxiao” has created a massive network of phishing sites that impersonate well-known brands, such as Unilever, Coca-Cola, McDonald's, or Knorr, to trick users into visiting sites that deliver Android malware, or lead them to fake gift card imposter scams.

Fangxiao targets businesses in multiple verticals including retail, banking, travel, pharmaceuticals, travel and energy. The researchers found more than 42,000 unique Fangxiao-controlled domains used since 2019. Currently, over 400 organizations are being spoofed, and this figure continues to rise.

APT41’s new subgroup Earth Longzhi targets Ukraine and Asian countries with custom Cobalt Strike loader

A previously undocumented threat actor believed to be a subgroup of the well-known China-based APT41 cyber espionage group is using a custom Cobalt Strike loader in attacks targeting high-profile victims in Ukraine and Asian countries.

Dubbed “Earth Longzhi” by Trend Micro researchers, the group was first observed earlier this year when the cybersecurity firm investigated a breach at a company in Taiwan. The attackers employed a custom Cobalt Strike loader during the intrusion, and further analysis revealed that the same same threat actor used similar loaders in multiple attacks carried out since 2020.

Chinese hackers breached a certificate authority in an Asian country

China-based state-sponsored hackers compromised an unnamed certificate authority and several government and defense agencies in several Asian countries.

In at least one instance a large number of machines on the network belonging to a government agency were breached. Known as Billbug, Lotus Blossom, or Thrip, the group has been active since at least 2009 and is known to focus on targets in Asian countries. Symantec researchers said they found no evidence that the threat actors were successful in compromising digital certificates.

Swiss police arrest suspected Zeus hacker wanted by FBI for a decade

A suspected leader of the “JabberZeus Crew” cybercriminal gang, who has been wanted by the US authorities for over a decade, was arrested in Switzerland. Vyacheslav “Tank” Penchukov is accused of being a major player in a racketeering ring that allegedly drained millions of dollars from organizations in the US and Europe in the late 2000s and early 2010s using the “Zeus” malware. The suspect is expected to be extradited to the United States on 15 November 2022.


Back to the list

Latest Posts

New Ghost Tap cash-out technique exploiting mobile payment systems

New Ghost Tap cash-out technique exploiting mobile payment systems

The attack relies on a relay mechanism that connects a stolen card to a PPOS terminal via NFC.
21 November 2024
Ngioweb botnet and NSOCKS proxy service disrupted following over a year’s investigation

Ngioweb botnet and NSOCKS proxy service disrupted following over a year’s investigation

Since late 2022, Ngioweb has been providing residential proxies to both financially motivated groups and nation-state threat actors.
21 November 2024
Five alleged Scattered Spider members charged for phishing and crypto heists

Five alleged Scattered Spider members charged for phishing and crypto heists

The US authorities also disrupted the PopeyeTools marketplace for stolen financial data and cybercrime tools.
21 November 2024