SAN MATEO, CA, August 7, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Highly active hacktivist collective “Mysterious Team Bangladesh” exposed
- IT pros in the crosshairs of fake VMware vSphere vConnect modules
- Recently patched critical Ivanti EPMM flaw still vulnerable to attack via bypass
- Scammers exploit Salesforce zero-day, target Facebook users with advanced phishing campaign
- Canon issues security warning regarding disposed-of printers
- NodeStealer targets Facebook and crypto wallets with new Python variant
- New WikiLoader malware remains hidden under layers of obfuscation
- Fake Android chat app used to steal Signal and WhatsApp user data
- Abyss Locker ransomware now has Linux capabilities
- Barracuda hack used new Submarine backdoor
Highly active hacktivist collective “Mysterious Team Bangladesh” exposed
Researchers at Group-IB have pulled back the curtain on a hacktivist collective called “Mysterious Team Bangladesh.” The group has been present since 2020 but only came into focus in 2022 after a series of attacks targeting high-profile victims in India, Israel, and other nations. Research shows that the group has carried out more than 750 DDoS attacks and over 70 website defacements within a year. The group’s leader is a threat actor who goes by D4RK_TSN, and the collective is linked to several other like-minded hacktivist groups. With a focus on disrupting “financial and government entities,” researchers predict that the group will continue its high activity level and expand its targeting to include victims in Europe and beyond.
IT pros in the crosshairs of fake VMware vSphere vConnect modules
Researchers have found that IT professionals are being targeted by a threat actor who uploaded to the Python Package Index a malicious package mimicking the VMware vSphere connector module “VMConnect.” The package had been downloaded 237 times before its removal on August 1st. An investigation into the matter unveiled two other malicious packages. “All three malicious packages featured the functionality of the projects they mimicked, which could trick victims into believing they are running legitimate tools and prolong the duration of an infection.” The packages were crafted so carefully that “developers would’ve only been able to discover the illicit activity if they had noticed the projects’ short history, low download counts, hidden code within some files, and package names resembling, but not exactly matching those of the legitimate projects.”
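The detection signals quoted above (names that resemble but do not match a known project, a short release history, a low download count) can be turned into a pre-install check. The following is an added example written for this roundup, not code from the researchers or from PyPI; the trusted-name list and the package metadata are constructed sample values, and a real deployment would pull both from a package registry or an internal allowlist.

```python
import re
from dataclasses import dataclass


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names (fine for package-name lengths)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class PackageMeta:
    name: str
    age_days: int   # days since the project's first release (constructed values below)
    downloads: int  # lifetime download count (constructed values below)


def assess(pkg: PackageMeta, trusted: set[str], max_dist: int = 2,
           min_age_days: int = 90, min_downloads: int = 1000) -> list[str]:
    """Return reasons the package looks like a lookalike; an empty list means no concern."""
    norm = normalize(pkg.name)
    if norm in {normalize(t) for t in trusted}:
        return []  # exact (normalised) match with a trusted name: this is the real project
    close = [t for t in trusted if levenshtein(norm, normalize(t)) <= max_dist]
    if not close:
        return []  # not near any trusted name, so the other signals are not suspicious alone
    reasons = [f"name resembles trusted package(s): {', '.join(sorted(close))}"]
    if pkg.age_days < min_age_days:
        reasons.append(f"short history ({pkg.age_days} days)")
    if pkg.downloads < min_downloads:
        reasons.append(f"low download count ({pkg.downloads})")
    return reasons


if __name__ == "__main__":
    # Constructed sample data: an allowlist of trusted names and candidate packages to vet.
    trusted_names = {"requests", "VMConnect"}
    for candidate in (PackageMeta("vmconect", 5, 237), PackageMeta("VM_Connect", 3, 10),
                      PackageMeta("requests", 3000, 5_000_000), PackageMeta("numpy", 10, 50)):
        print(candidate.name, "->", assess(candidate, trusted_names) or "ok")
```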
Recently patched critical Ivanti EPMM flaw still vulnerable to attack via bypass
A vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that was recently fixed has been found to still be reachable via a bypass discovered by security researchers at Rapid7. According to Ivanti, “this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.” The issue has received a CVSS score of 10.0 and brings to three the number of critical security flaws Ivanti has disclosed in two weeks. The bypass has not been observed in the wild, and users are urged to update their systems immediately.
Scammers exploit Salesforce zero-day, target Facebook users with advanced phishing campaign
Guardio Labs researchers have shared a report on a Facebook phishing campaign that uses a zero-day bug in Salesforce’s email services which allows “threat actors to craft targeted phishing messages using the company’s domain and infrastructure.” The emails look as though they come from Meta but are sent from a @salesforce.com address, and they aim to fool victims into clicking a link about their account supposedly being investigated. “What makes the attack notable is that the phishing kit is hosted as a game under the Facebook apps platform using the domain apps.facebook[.]com.” The campaign succeeds because it slips through detection by using a legitimate sender address and links that point to Facebook itself.
Canon issues security warning regarding disposed-of printers
A security advisory from Canon warned users about the sensitive information and Wi-Fi settings that remain on printers whose data is not wiped adequately before disposal or sale. “There is always some risk when a third party is working on hardware, or hardware is sold or repurposed, that some sensitive data may be recovered from the device,” Mike Parkin, senior technical engineer at Vulcan Cyber, wrote in an emailed statement. Canon has provided a list of affected printers and instructions on how to adequately wipe your settings from its devices before handing them over to a third party.
NodeStealer targets Facebook and crypto wallets with new Python variant
New WikiLoader malware remains hidden under layers of obfuscation
Proofpoint has discovered a malware called “WikiLoader,” used in multiple campaigns since December 2022. The loader gets its name from an “evasive play” it initiates in which it makes an HTTPS request to Wikipedia.com to “prevent it working in an automated environment.” Proofpoint explains that “the first stage of WikiLoader is highly obfuscated. Most of the call instructions have been replaced with a combination of push/jmp instructions to recreate the actions of a return without having to use the return instruction explicitly.” They report that WikiLoader also uses “indirect syscalls” to evade endpoint detection, as well as “packed downloaders.” At least three versions of the malware are under development.
Fake Android chat app used to steal Signal and WhatsApp user data
Researchers at CYFIRMA have stated that the Indian APT hacking group Bahamut is behind a campaign in which a fake Android app, ironically called “SafeChat,” is being used to infect devices with spyware. The malicious software is a variant of Coverlm designed to steal data from apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. The app is carefully designed, with multiple registration steps that lend credibility to its apparent legitimacy. “One critical step in the infection is the acquisition of permissions to use the Accessibility Services, which are subsequently abused to grant the spyware more permissions automatically.” CYFIRMA believes that Bahamut is working in a state-sponsored capacity.
Abyss Locker ransomware now has Linux capabilities
Abyss Locker is a new ransomware operation, having only been launched in March of this year, but it has already been observed growing in capabilities. A Linux ELF encryptor for Abyss Locker has been discovered by MalwareHunterTeam security researchers, showing that the operators are now targeting VMware ESXi servers. The encryptor is believed to be based on one called Hello Kitty, although it is not yet known whether Abyss Locker is a rebrand of that operation or is simply piggybacking on its malware. Abyss Locker threat actors claim to have stolen as much as 700 GB from one of their victims.
Barracuda hack used new Submarine backdoor
CISA has reported that a recent attack on Barracuda security appliances used a newly discovered backdoor. Original findings by Mandiant called out the Seaside, Saltwater, and Seaspy backdoors used in the hack. CISA, however, has revealed that a backdoor dubbed “Submarine” was also employed to “establish and maintain persistence.” The malware is said to be a “novel persistent backdoor executed with root privileges,” tucked away in an SQL database on the targeted Barracuda Email Security Gateway appliances. CISA says that “Submarine comprises multiple artifacts – including a SQL trigger, shell scripts, and a loaded library for a Linux daemon – that together enable execution with root privileges, persistence, command and control, and cleanup” and that it is a “severe threat for lateral movement.”