April 1, 2024

Cybersecurity news weekly roundup April 1, 2024

SAN MATEO, CA, April 1, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

  1. TheMoon botnet resurrected to compromise EoL devices
  2. Password spraying campaign targeting Cisco VPN services
  3. CISA: hackers are attacking Microsoft SharePoint vulnerability
  4. Darcula phishing service preys upon iMessage users
  5. Three crypto exchanges sanctioned by U.S.
  6. CISA admonishes software manufacturers
  7. Tycoon 2FA phishing kit upgrades alarm security experts
  8. U.S. cracks down on front company for Chinese hacking
  9. Nemesis underground market seized by German authorities
  10. Apple silicon CPUs vulnerable to GoFetch attack
  11. More cybersecurity news

TheMoon botnet resurrected to compromise EoL devices

A botnet believed to be dead has seemingly found a new life, as researchers at the Black Lotus Labs team at Lumen Technologies have observed “TheMoon” enslaving end-of-life small office/home office routers and IoT devices into a criminal proxy service called Faceless. TheMoon is reportedly operating in 88 countries with a network of 40,000 bots. Faceless is “a malicious residential proxy service that’s offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day.” By routing malicious traffic through tens of thousands of compromised systems, Faceless allows criminals to hide their tracks. It is believed that TheMoon may be the only bot supplier for the Faceless service. Read more.

Password spraying campaign targeting Cisco VPN services

In response to a password-spraying campaign homing in on Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices, the company has issued recommendations to help customers mitigate attacks. Cisco has provided a list of indicators to help detect an attack, such as the inability to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled and the occurrence of an unusual number of authentication requests in system logs. Cisco says password spraying attacks are part of reconnaissance activity and have also targeted other remote access VPN services. Read more.
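The indicator Cisco points to, an unusual volume of authentication requests in the logs, is what distinguishes spraying (one source trying a few passwords against many accounts) from a single user mistyping a password. The following is an added example, not code from Cisco or from the article, of how a defender can turn that indicator into a detection: it parses constructed log lines (the field layout is an assumption, not real Cisco Secure Firewall syslog format) and flags any source address that fails authentication for many distinct usernames within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (NOT real Cisco output): each line records a
# remote-access VPN authentication attempt with its source IP and outcome.
SAMPLE_LOG = """\
2024-03-28T10:00:01 src=203.0.113.7 user=alice result=FAIL
2024-03-28T10:00:03 src=203.0.113.7 user=bob result=FAIL
2024-03-28T10:00:05 src=203.0.113.7 user=carol result=FAIL
2024-03-28T10:00:08 src=203.0.113.7 user=dave result=FAIL
2024-03-28T10:00:11 src=203.0.113.7 user=erin result=FAIL
2024-03-28T10:00:14 src=203.0.113.7 user=frank result=FAIL
2024-03-28T10:02:00 src=198.51.100.9 user=alice result=FAIL
2024-03-28T10:02:20 src=198.51.100.9 user=alice result=FAIL
2024-03-28T10:02:40 src=198.51.100.9 user=alice result=SUCCESS
2024-03-28T11:30:00 src=203.0.113.7 user=grace result=FAIL
"""

# Hypothetical line layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: set_of_usernames} for every source that failed
    authentication against at least `min_users` distinct usernames inside
    any `window`-long sliding window. Many users from one source is the
    spraying signature; repeated failures for one user are not flagged."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)

    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Advance the window start until all events fit inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = alerts.get(src, set()) | users
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect_spray(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, users in run_demo().items():
        print(f"possible password spray from {src}: {sorted(users)}")
```

In the sample data, 203.0.113.7 fails for six different accounts in thirteen seconds and is flagged, while 198.51.100.9 (one user, two failures, then a success) is not; the stray failure for `grace` an hour and a half later falls outside the window. Tune `window` and `min_users` to the size of the user base and the normal failure rate of the VPN.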

CISA: hackers are attacking Microsoft SharePoint vulnerability

CISA has added a new bug to its Known Exploited Vulnerabilities catalog. CVE-2023-24955 “is a critical remote code execution flaw that allows an authenticated attacker with Site Owner privileges to execute arbitrary code” on a Microsoft SharePoint Server. Although the bug is under active attack, CISA did not share any information regarding how threat actors exploit it. Users with automatic updates enabled in their Windows Update settings should be protected against this attack. Those who update manually are urged to do so as soon as possible to avoid being compromised, and federal agencies are mandated to apply fixes by April 16. Read more.

Darcula phishing service preys upon iMessage users

A new phishing-as-a-service provider called “Darcula” uses 20,000 domains to spoof legitimate brands and siphon credentials from Android and iPhone users around the globe. Unlike many message-based scams, this campaign “approaches the targets using the Rich Communication Services (RCS) protocol for Google Messages and iMessage instead of SMS for sending phishing messages.” Darcula has been growing in popularity, in part because of its convenience. The platform uses “modern technologies like JavaScript, React, Docker, and Harbor, enabling continuous updates and new feature additions without clients needing to reinstall the phishing kits.” Because Darcula reaches victims without resorting to SMS, its messages give targets a false sense of security. Read more.

Three crypto exchanges sanctioned by U.S.

Bitpapa IC FZC LLC, Crypto Explorer DMCC, and Obshchestvo S Ogranichennoy Otvetstvennostyu Tsentr Obrabotki Elektronnykh Platezhey, three cryptocurrency exchange platforms, have been sanctioned by the U.S. government for providing services to Russia that have allowed the country to evade economic restrictions placed on it in response to the invasion of Ukraine. “Many of the individuals and entities designated today facilitated transactions or offered other services that helped OFAC-designated entities evade sanctions,” the U.S. Treasury said. The sanctions aim to “target companies servicing Russia’s core financial infrastructure and curtail Russia’s use of the international financial system to further its war against Ukraine.” Russia has been turning to “alternative payment mechanisms” to continue to fund its war in Ukraine while avoiding U.S. sanctions. Read more.

CISA admonishes software manufacturers

In a joint Secure by Design Alert, CISA and the FBI admonish software developers for continuing to develop and release products containing risky SQL injection (SQLi) defects. “Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk. Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007.” The alert describes SQLi vulnerabilities and why they are so dangerous, and details how software developers should build their products to avoid perpetuating this longstanding vulnerability. The alert is part of an ongoing campaign by the U.S. government and the Biden-Harris administration to encourage software developers to design with safety in mind from the ground up. Read more.
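The defect the alert describes comes from building SQL text out of user input, and the mitigation it recommends is to bind input as parameters so the database driver never interprets it as SQL. The following is an added example, not code from CISA, the FBI or the article, that shows the two side by side on a constructed in-memory SQLite table: the concatenated query lets a crafted username change the statement's meaning and return every row, while the parameterized query treats the same input as a literal string and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for an application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The SQLi defect: the untrusted value is spliced into the query text, so
    characters in the input become part of the statement's structure."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """The fix: a parameterized query. The value is sent to the driver
    separately from the SQL and is only ever compared as data."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def run_demo():
    """Run both lookups with a textbook tautology input and return the results."""
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed test input, not a real username
    return {
        "vulnerable": find_user_vulnerable(conn, crafted),
        "safe": find_user_safe(conn, crafted),
        "safe_legit": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function returns both users for the crafted input because the generated statement reads `WHERE username = '' OR '1'='1'`; the parameterized version returns no rows for it and still finds `alice` normally. The same pattern applies to any driver that supports placeholders, and an ORM's query builder gives the same protection as long as raw string formatting is never used to assemble SQL.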

Tycoon 2FA phishing kit upgrades alarm security experts

Discovered in October of 2023 by the Sekoia Threat Detection & Research team, Tycoon 2FA is a phishing kit that focuses on Adversary-in-The-Middle attacks and is used by several threat actor groups. One of the most widespread kits of its kind, Tycoon 2FA is associated with more than 1,100 domain names and operates through a number of stages to perform with maximum effectiveness. Stages include an initial email containing malicious attachments and fake Microsoft authentication pages that act as credential stealers. A new version of the kit “features significant changes to its JavaScript and HTML codes, enhancing its phishing capabilities. Notably, it reorganizes resource retrieval and expands traffic filtering to thwart bot activity and analysis attempts.” Read more.

U.S. cracks down on front company for Chinese hacking

The U.S. Treasury Department has sanctioned Wuhan XRZ, a Wuhan-based company, for its use as a cover from which the Chinese Ministry of State Security (MSS) launched cyberattacks against U.S. infrastructure through APT31. The Justice Department has also unsealed indictments against seven individuals for their involvement in cyber operations executed through Wuhan XRZ over the last 14 years. “These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists, and academics; valuable information from American companies; and political dissidents in America and abroad,” said U.S. attorney Breon Peace. The State Department is offering rewards of up to $10 million for additional information about Wuhan XRZ, APT31, or the seven hackers indicted. Read more.

Nemesis underground market seized by German authorities

Nemesis Market, an illicit underground marketplace used to buy and sell stolen data, narcotics, and cybercrime services, has been taken down by the German police. The market’s digital infrastructure and $102,107 in cryptocurrency assets have been confiscated. The takedown was orchestrated with assistance from law enforcement in Lithuania and the U.S. and took place on March 20, the end result of an investigation that began in late 2022. No arrests have been made, but Germany’s Federal Criminal Police Office has stated that investigations into the users and sellers of Nemesis Market are underway. This takedown is the latest in high-profile operations on which international law enforcement agencies have collaborated. Read more.

Apple silicon CPUs vulnerable to GoFetch attack

Apple M1, M2, and M3 processors are vulnerable to a new side-channel attack called “GoFetch” that can steal secret cryptographic keys from the CPU’s cache. GoFetch targets “constant-time cryptographic implementations using data memory-dependent prefetchers (DMPs)” to “recreate the private cryptographic keys for various algorithms.” A team of US researchers developed the exploit, and their findings were delivered to Apple. Since the vulnerability is hardware-based, there is no way to remedy it other than through software fixes that would likely decrease CPU performance. Users are urged to practice caution to prevent becoming a victim. Read more.

More cybersecurity news

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
