April 22, 2024

Cybersecurity news weekly roundup April 22, 2024

SAN MATEO, CA, April 22, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Malware campaign targets gamers with fake cheat lures

Redline is a new info-stealing malware “capable of harvesting sensitive information from infected computers, including passwords, cookies, autofill information, and cryptocurrency wallet information.” Spread by threat actors in several ways, the versatile malware has been distributed through a campaign that lures gamers by posing as “Cheat Lab.” The fake also promises a free copy to anyone who gets a friend or two to install it, telling users, “To unlock the complete version, simply share this program with your friend. Once you do that, the program will automatically unlock.” It’s unknown how the malware is initially introduced to a victim’s system, “but information-stealers are typically spread via malvertising, YouTube video descriptions, P2P downloads, and deceptive software download sites.” Read more.

US election officials urged to prepare for foreign influence campaigns

An advisory from CISA, the FBI, and the Office of the Director of National Intelligence sent to election officials in the US warns that Russia, China, and Iran are engaging in influence campaigns that seek to undermine the perceived integrity of the 2024 elections. From creating fake media sources that appear to be local US sites to copying the voices of public figures, the joint advisory describes a number of ways that election interference can occur. The warning also recommends that election officials create opportunities for the public to learn about the electoral process and how to identify fraudulent or manipulative media that may serve a foreign entity’s interests. Since most election interference is effected via misinformation campaigns, educating the voter base is paramount. Read more.

Malvertising campaign pushes MadMxShell backdoor via fake IP scanner sites

ThreatLabz researchers have reported that a new Google Ads malvertising campaign designed to look like a legitimate IP scanner is pushing MadMxShell, a previously unknown backdoor. Forty-five domains have been discovered to be associated with the campaign, tricking victims into believing they provide software from Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine. “The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites.” There is currently no indication as to where the operators of the campaign are from or what their end goal is. Read more.
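The campaign above relies on look-alike domains for well-known IP scanner products. The following is an added example, not code from the roundup or from ThreatLabz, of how a defender can screen domains from proxy logs or an ad-click feed against an allowlist of legitimate vendor domains. The allowlist entries and the sample domains are constructed placeholders on the reserved `.example` TLD, not the vendors’ real domains or the campaign’s actual infrastructure; the thresholds are the author’s assumptions.

```python
import re

# Allowlist of the legitimate vendor domains for the products named in the
# campaign. CONSTRUCTED placeholders, not the vendors' real domains; in
# practice this list comes from a vetted inventory.
LEGIT_DOMAINS = {
    "advanced-ip-scanner.example": "Advanced IP Scanner",
    "angryip.example": "Angry IP Scanner",
    "prtg.example": "PRTG",
    "manageengine.example": "ManageEngine",
}

# Constructed sample of domains as they might appear in a proxy log.
SAMPLE_DOMAINS = [
    "advanced-ip-scaner.example",           # one character dropped
    "advanced-ip-scanner-download.example", # brand plus an extra token
    "angry-ip.example",                     # same letters, hyphen inserted
    "angryip.example",                      # genuine allowlisted domain
    "prtg-ipscanner.example",               # brand embedded in a longer label
    "weatherforecast.example",              # unrelated, must not be flagged
]


def levenshtein(a, b):
    """Edit distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of a domain: 'foo' for 'www.foo.example'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Collapse punctuation so 'angry-ip' and 'angryip' compare equal."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


# Map normalized legitimate label -> (legitimate domain, brand name).
LEGIT_LABELS = {
    normalize(registrable_label(d)): (d, brand) for d, brand in LEGIT_DOMAINS.items()
}


def classify(domain, max_distance=2):
    """Return (brand, reason) when the domain impersonates an allowlisted
    brand, or None when it is allowlisted or unrelated."""
    domain = domain.lower().strip(".")
    if domain in LEGIT_DOMAINS:
        return None
    label = normalize(registrable_label(domain))
    for legit_label, (legit_domain, brand) in LEGIT_LABELS.items():
        # Short brand labels get a tighter edit budget to limit false positives.
        allowed = min(max_distance, max(1, len(legit_label) // 4))
        if label == legit_label:
            return brand, f"same name as {legit_domain}, different registration"
        if levenshtein(label, legit_label) <= allowed:
            return brand, f"within {allowed} edit(s) of {legit_domain}"
        if legit_label in label:
            return brand, f"contains brand label of {legit_domain}"
    return None


def scan(domains):
    """Run classify() over a batch and keep only the flagged entries."""
    hits = []
    for d in domains:
        verdict = classify(d)
        if verdict:
            hits.append((d, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in scan(SAMPLE_DOMAINS):
        print(f"{domain:40} -> {brand}: {reason}")
```

The three checks run in order of confidence: an identical label under a different registration, a label within a small edit distance, and a label that merely embeds the brand. The edit budget scales with the length of the legitimate label because a fixed budget of two would flag many unrelated four-letter names against a short brand such as PRTG. Hits are a triage signal for blocking or analyst review, not a verdict on their own.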

International authorities disrupt infrastructure of LabHost phishing service

In a year-long campaign by law enforcement agencies around the world, the phishing-as-a-service platform LabHost has had its infrastructure compromised and 37 connected individuals arrested. LabHost has been around since 2021 and has since “enabled cybercriminals paying a monthly subscription fee to launch effective attacks using a variety of phishing kits for banks and services in North America.” In February of 2024, it was reported that LabHost had become the most popular phishing platform. Europol said, “The investigation uncovered at least 40,000 phishing domains linked to LabHost, which had some 10,000 users worldwide.” The takedown of LabHost is one of a handful of large-scale disruptions that criminal platforms and threat groups have experienced in the last few months. Yet, it remains to be seen how effective law enforcement is at keeping the criminals from resurfacing. Read more.

Researchers say Russian hackers breached Texas water facility

According to research from Mandiant, the Russian hacking group Sandworm (APT44) is behind cyberattacks against water facilities in the US, Poland, and France. Sandworm is “A uniquely dynamic threat actor that is actively engaged in the full spectrum of cyber espionage, attack, and influence operations,” says Mandiant, reporting that the group operates using several personas and hacktivist pro-Russia groups. One such group targeted water tanks in Muleshoe, Texas, and posted a video where they appeared to turn on the pumps and cause an overflow. Dan Black, manager of cyber espionage analysis for Mandiant, described Sandworm as “the most brazen threat actor there is, in the midst of one of the most intense campaigns of cyber activity we’ve ever seen, in full-blown support of Russia’s war of territorial aggression.” He continued, “There is no other threat actor today that is more worthy of our collective attention, and the threat APT44 poses is evolving rapidly.” Read more.

Cisco releases patches for root escalation flaw

Cisco has issued patches for CVE-2024-20295, a severe Integrated Management Controller (IMC) vulnerability with public exploit code that could allow local threat actors to escalate privileges to root. A statement from the company says that “a vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root.” Cisco goes on to say that “to exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device.” While proof-of-concept exploit code is available, threat actors do not yet appear to be exploiting the bug in the wild. Read more.

Change Healthcare data leaked

Change Healthcare, having been victimized by a ransomware attack at the hands of ALPHV, was hit with a second attack spearheaded by a threat actor, Notchy, in collaboration with another gang called RansomHub. Notchy was allegedly stiffed by ALPHV, which, after its infrastructure was compromised by law enforcement, made off with Change Healthcare’s original payment but left Notchy holding the company’s data. It would seem that the second attack has not yielded the payout Notchy was hoping for, as screenshots that “include data-sharing agreements between Change Healthcare and insurance providers, including CVS Caremark, Health Net, and Loomis,” as well as patient data, have begun to leak online. The threat actors have reportedly given Change Healthcare five days to respond to their demands. Read more.

Images weaponized with malware by TA558 hackers

A threat actor tracked as TA558 uses steganography to hide malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm. According to security firm Positive Technologies, “the group made extensive use of steganography by sending VBSs, PowerShell code, and RTF documents with an embedded exploit, inside images and text files.” The campaign, codenamed SteganoAmor, has thus far mainly been aimed at “industrial, services, public, electric power, and construction sectors in Latin American countries, although companies located in Russia, Romania, and Turkey have also been singled out.” TA558 has also been observed spreading Venom RAT through phishing attacks. Read more.

FBI releases PSA warning of toll service smishing campaign

A smishing campaign tricking victims into believing they owe money for road tolls has become so prolific that the FBI has issued a public service announcement warning people of the scam. According to the release, “the texts claim the recipient owes money for unpaid tolls and contain almost identical language. The ‘outstanding toll amount’ is similar to the complaints reported to the IC3. However, the link provided within the text is created to impersonate the state’s toll service name, and phone numbers appear to change between states.” Those who have received the text are urged to report it to the FBI’s Internet Crime Complaint Center, and recipients who have clicked the link and provided any information should “take efforts to secure your personal information and financial accounts.” Read more.

Palo Alto Networks releases emergency patch for PAN-OS bug

A security flaw tracked as CVE-2024-3400 with a CVSS score of 10, the highest rating possible, has received an urgent update from Palo Alto Networks. Affecting PAN-OS software, “The critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.” The flaw is under active exploitation, although who may be behind the attacks is currently unknown. In an updated advisory, Palo Alto Networks said, “This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.” Read more.

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
