April 8, 2024

Cybersecurity news weekly roundup April 8, 2024

SAN MATEO, CA, April 8, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

  1. New JSOutProx malware zeroes in on financial organizations
  2. Oil and gas companies targeted with updated data stealer
  3. Breach of SurveyLama exposes data of 4.4 million
  4. Threat actor allegedly stole classified data from US government
  5. Government blames “cascade of security failures at Microsoft” for breaches
  6. LayerSlider WordPress plugin has critical security bug
  7. Google to purge billions of data records from users while in Incognito Mode
  8. 250 Indian citizens rescued from Cambodian cybercrime gang
  9. MacOS users targeted with malicious ads spreading stealer malware
  10. New Vultur Android malware variant poses as McAfee Security app
  11. More cybersecurity news

New JSOutProx malware zeroes in on financial organizations

Credit card company Visa is warning that detections of a new version of the JSOutProx malware have been spiking as threat actors target financial organizations and their customer base. JSOutProx is a RAT and “highly obfuscated JavaScript backdoor that allows its operators to run shell commands, download additional payloads, execute files, capture screenshots, establish persistence on the infected device, and control the keyboard and mouse.” It is spread via phony emails spoofing financial institutions that warn victims that payments have been made from their accounts without their knowledge. The emails carry an attachment containing .js files that download JSOutProx from a GitLab repository. Read more.

Oil and gas companies targeted with updated data stealer

Researchers at Cofense have discovered a phishing campaign targeting the oil and gas sector. The campaign directs victims to a link hosting what appears to be a PDF document originating from the FBI. However, it is a ZIP archive containing Rhadamanthys, a stealer payload “designed to establish connections with a command-and-control (C2) server to harvest sensitive data from the compromised hosts.” Rhadamanthys shows signs of recent development, as it now features “a combination of an information stealer and a LockBit ransomware variant.” The phishing campaign appeared days after a law enforcement takedown of LockBit’s infrastructure, leading some researchers to believe there may be a connection. Read more.

Breach of SurveyLama exposes data of 4.4 million

SurveyLama, an online platform that rewards people for completing surveys, suffered a data breach in February that exposed information belonging to 4.4 million users. According to Have I Been Pwned (HIBP), the exposed data includes dates of birth, email addresses, IP addresses, full names, passwords, phone numbers, and physical addresses. SurveyLama said that breached passwords were “stored either in salted SHA-1, bcrypt, or argon2 hashes form” but could still be vulnerable to brute-force cracking. SurveyLama stated that impacted users have been notified via email, and all users are strongly encouraged to change their passwords. The stolen data has not yet been leaked online, although private exploitation could still happen. Read more.

Threat actor allegedly stole classified data from US government

A threat actor known as IntelBroker has claimed to have breached Acuity, Inc., an IT modernization, DevSecOps, cybersecurity, data analytics, and operations support government contractor, and stolen classified government data belonging to the Five Eyes Intelligence Oversight and Review Council (FIORC). According to IntelBroker, the data contains full names, government and military email addresses, office and personal phone numbers, and “classified information and communications between the Five Eyes, 14 Eyes and US allies.” IntelBroker has a reputation for legitimate claims, as they are responsible for breaching DC Health Link and obtaining the personal data of US House of Representatives members. The Five Eyes comprises non-political intelligence entities from the US, Australia, Canada, New Zealand, and the UK. Read more.

Government blames “cascade of security failures at Microsoft” for breaches

In a blistering report, the US Cyber Safety Review Board called out Microsoft’s failure to prioritize security as the reason hackers linked to China’s Storm-0558 threat group were able to read emails belonging to Commerce Secretary Gina Raimondo. “The Board concludes that this intrusion should never have happened,” the report reads. “Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.” A series of significant breaches at the company have put it in the crosshairs of federal investigators concerned that using Microsoft products may pose a risk to national security. The company is also accused of misleading the public about how the breach of Raimondo’s emails occurred and straying from a previously touted philosophy of putting security at the forefront of all product development. “The Board concludes that Microsoft has drifted away from this ethos and needs to restore it immediately as a top corporate priority.” Read more.

LayerSlider WordPress plugin has critical security bug

LayerSlider, a popular visual web content editor that allows users to create animated content for their sites, has been found to harbor a critical security bug that can be exploited to “extract sensitive information from databases, such as password hashes.” The flaw “stems from a case of insufficient escaping of user-supplied parameters and the absence of wpdb::prepare(), enabling unauthenticated attackers to append additional SQL queries and glean sensitive information.” With a 9.8 CVSS score, CVE-2024-2829 was addressed in a recent update for the plugin. The exploit, when successfully executed in the context of an administrator’s browsing session, “can be used to create rogue user accounts, redirect site visitors to other malicious sites, and carry out other attacks.” Read more.
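The bug class described above, unescaped request parameters concatenated into SQL without wpdb::prepare(), shown as a vulnerable pattern beside its hardened form. This is an added illustration, not LayerSlider’s code; the table name, parameter names and allowed sort columns are hypothetical.

```php
<?php
// Added example: the WordPress query pattern behind "insufficient escaping of
// user-supplied parameters and the absence of wpdb::prepare()". Hypothetical
// table `{$wpdb->prefix}example_sliders`; not LayerSlider's own code.

// VULNERABLE: request values are pasted straight into the statement, so any
// caller who can reach this code controls part of the SQL that runs.
function vulnerable_get_slider( $wpdb, array $request ) {
    $id    = $request['id'] ?? '';
    $order = $request['order'] ?? 'id';
    $sql   = "SELECT id, name FROM {$wpdb->prefix}example_sliders"
           . " WHERE id = " . $id          // no cast, no quoting, no binding
           . " ORDER BY " . $order;        // identifier taken verbatim
    return $wpdb->get_results( $sql );
}

// HARDENED: cast/validate every input, bind values through wpdb::prepare(),
// and allowlist anything (column names, sort direction) that prepare() cannot bind.
function hardened_get_slider( $wpdb, array $request ) {
    $id = absint( $request['id'] ?? 0 );          // WordPress core helper: non-numeric -> 0
    if ( 0 === $id ) {
        return array();
    }

    // ORDER BY takes an identifier, which %s would quote as a string literal,
    // so it must come from a fixed allowlist rather than from the request.
    $allowed_order = array( 'id', 'name', 'created' );
    $order = in_array( $request['order'] ?? '', $allowed_order, true )
        ? $request['order']
        : 'id';

    // %d binds an integer; %s binds an escaped, quoted string.
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}example_sliders WHERE id = %d ORDER BY {$order}",
        $id
    );
    return $wpdb->get_results( $sql );
}

// Same rule for string filters: let prepare() escape and quote the value.
function hardened_find_by_name( $wpdb, $name ) {
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}example_sliders WHERE name = %s",
        sanitize_text_field( $name )              // WordPress core helper
    );
    return $wpdb->get_results( $sql );
}
```

A reviewer checking a plugin for this class of bug looks for `$wpdb->query`/`get_results`/`get_var` calls whose SQL string is built with `.` or interpolation from `$_GET`, `$_POST` or `$_REQUEST` and is not wrapped in `$wpdb->prepare()`.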

Google to purge billions of data records from users while in Incognito Mode

To settle a class action lawsuit, Google will delete billions of data records that reflect the tracked browsing activities of users while using the Chrome browser’s supposedly private and anonymous Incognito Mode. The data giant must also “delete information that makes private browsing data identifiable by redacting data points like IP addresses, generalizing User-Agent strings, and remove detailed URLs within a specific website.” Other terms include blocking cookies within Chrome’s Incognito Mode and deleting Chrome’s X-Client-Data header field. Google employees have described Incognito mode as a “confusing mess,” “effectively a lie,” and a “problem of professional ethics and basic honesty.” Read more.

250 Indian citizens rescued from Cambodian cybercrime gang

250 Indian citizens have been rescued from “cyber slavery” in Cambodia, according to the Indian government. The citizens were lured with promises of high-paying data entry job positions but were instead forced into illegal cyber work carried out against other Indian citizens and coordinated by a team of Chinese and Malaysian scammers. India Today reports that at least 5,000 more individuals are being held against their will and that the scam operation has generated around $60,000,000 in the last six months alone. The kidnapped individuals are forced to create fake social media profiles used to commit fraud and have to meet daily financial quotas or face physical violence. The rescue highlights the real-world pain and suffering behind common internet scams. Read more.

MacOS users targeted with malicious ads spreading stealer malware

Stealer malware variants are being spread through malicious fake websites to infect macOS. A report from Jamf Threat Labs researchers says that the two stealers being circulated are Atomic Stealer and Realst, both designed to harvest sensitive data such as system passwords, browser data, and crypto-wallets. “These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers,” the researchers said. “Those in the industry should be hyper-aware that it’s often easy to find public information that they are asset holders or can easily be tied to a company that puts them in this industry.” The macOS environment is becoming increasingly threatened as hackers and threat actors have made progress in creating exploits and techniques that can peel back the layers of Apple’s security. Read more.

New Vultur Android malware variant poses as McAfee Security app

Researchers at Fox-IT have discovered a new variant of Vultur malware that “spreads to victims through a hybrid attack that relies on smishing (SMS phishing) and phone calls that trick the targets into installing a version of the malware that masquerades as the McAfee Security app.” Vultur is a banking trojan affecting Android users that was discovered in 2021. It continues to be one of the top 10 most active banking trojan families, targeting 122 banking apps in 15 countries. In the current campaign, a threat actor convinces a victim over the phone to open a link that leads them to download a trojanized version of the McAfee Security app hiding the “Brunhilda” malware dropper. Read more.

More cybersecurity news

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
