December 25, 2023

Cybersecurity news weekly roundup December 25, 2023

SAN MATEO, CA, December 25, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Malicious VPN Chrome extensions taken down after being downloaded more than 1 million times

Google has removed three fake Chrome extensions posing as VPNs from the browser’s Web Store, but only after they had been downloaded a collective 1.5 million times. Called netPlus, netSave, and netWin, the extensions were spread through “an installer hidden in pirated copies of popular video games like Grand Theft Auto, Assassins Creed, and The Sims 4, which are distributed from torrent sites.” Discovered by ReasonLabs, the campaign primarily targets Russian-speaking users and employs a convincing VPN user interface with “some functionality and a paid subscription option to create a sense of authenticity.” Read more.

Scammers are abusing Twitter to impersonate accounts and steal crypto

Scammers are abusing a feature on Twitter, now known as “X,” to steal crypto from unsuspecting victims. Because the platform resolves a post by its numeric status ID and does not check the account name that appears in the link’s path, criminals can easily make a URL appear to originate from a legitimate account even though it leads to a post promoting fraudulent offers and directing users to sites that run wallet drainers. The account-name swap was flagged as a security risk in 2019, but the behavior remains on the platform, where it is, unsurprisingly, being leveraged for theft. Read more.

Hospitality industry under attack from new password stealing social engineering campaign

Researchers at Sophos X-Ops have discovered an operation deploying malware across the hospitality industry via social engineering techniques. The campaign sees a threat actor emailing a hotel with complaints that range from “alleged violent incidents or theft during a guest’s stay to requests for information on accommodating guests with specific needs.” Once the hotel replies, the threat actor sends a follow-up message claiming to provide proof of the incident described. That message, however, delivers a variant of Redline Stealer or Vidar Stealer that exfiltrates data and maintains persistence on the infected machine. Read more.

Newly exploited Chrome vulnerability requires immediate update

A high-severity flaw affecting Chrome users is being exploited in the wild, allowing threat actors to execute arbitrary code or crash the browser. The flaw, tracked as CVE-2023-7024, is a “heap-based buffer overflow bug in the WebRTC framework that could be exploited to result in program crashes or arbitrary code execution.” Google has issued an update to address the bug but, as is its practice until most users have updated, has not released any further details on how it is being exploited. This flaw is the eighth actively exploited zero-day patched in Google Chrome since the start of 2023. Read more.

Chameleon malware disables biometrics to steal data from Android users

Chameleon, an Android banking trojan, has been updated with a feature that lets threat actors take over devices and steal PINs by disabling fingerprint and face-unlock biometrics. It achieves this thanks to its “ability to display an HTML page on devices running Android 13 and later, prompting victims to give the app permission to use the Accessibility service,” which gets around the restrictions Android 13 places on sideloaded apps. With Accessibility access, the malware can force the device to fall back from biometric unlock to a PIN or password, which it then captures. Android users are urged to download apps only from official sources to avoid the malware. Read more.

ALPHV website back online in defiance of FBI

Whereas most ransomware operations fold and regroup after being compromised by law enforcement, the BlackCat/ALPHV gang is bucking tradition by taking back their leak site from the FBI and replacing their landing page with one that states that it has been “unseized.” According to Tim Mitchell, a senior threat researcher at the SecureWorks Counter Threat Unit, “We’re in a situation where law enforcement and the operators of BlackCat both have the private key to the Tor .onion site and can create different sites at the same URL. The site with the most recent changes is most likely the one visitors will be greeted with.” Mitchell thinks that the FBI will not be quick to engage in a “back-and-forth” with the gang, as it will make them appear ineffective. Read more.

More than 3K arrests made and $300 million seized in international law enforcement cybercrime operation

Under “Operation HAECHI IV,” law enforcement agencies from 34 countries, including the UK, the US, Japan, Hong Kong, South Korea, and India, have arrested 3,500 cybercrime suspects and seized $300 million in illegal funds. The suspects, mainly low-tier criminals, are accused of engaging in “voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise, and e-commerce fraud.” Interpol’s financial intelligence mechanism also froze 82,112 bank accounts across the participating countries. Read more.

US and Australia issue joint advisory regarding Play ransomware

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) have issued a joint cybersecurity advisory about the Play ransomware group. According to the advisory, Play has been behind around 300 successful ransomware attacks since June of 2022. The advisory details how the group’s malware operates and how they engage in double-extortion and contains mitigation measures organizations should take to help prevent an attack from the group. Read more.

36 million Xfinity customers have their sensitive data accessed

Comcast has disclosed that the Citrix NetScaler vulnerability known as “CitrixBleed” (CVE-2023-4966) was used to breach the company and access the sensitive data of around 36 million Xfinity customers between October 16 and October 19. According to a filing with Maine’s attorney general, Comcast has just over 32 million broadband customers, so the number of affected accounts suggests that nearly every Xfinity customer was impacted. Comcast said that the data accessed may include names, the last four digits of customers’ Social Security numbers, contact information, and more. It is not currently known whether Comcast has received a ransom demand, and the company has officially stated that it is “not aware of any customer data being leaked anywhere, nor of any attacks on our customers.” Read more.

FBI breaches ALPHV ransomware gang servers

An FBI operation that saw authorities gain access to the BlackCat/ALPHV ransomware gang’s infrastructure has been disclosed by the Department of Justice. According to the DOJ, the FBI has been lurking within the gang’s network to monitor their activities and siphon 946 decryption keys over the past several months. The keys have allowed 500 victims to recover their files without engaging with ALPHV hackers. The disruptions caused by the FBI’s intrusion have caused affiliates to abandon the gang’s infrastructure, sensing that it had been compromised. While any obstacle between criminals and their victims is positive, the LockBit ransomware operation has used ALPHV’s breached status as a means by which to encourage affiliates to use their infrastructure to continue to negotiate with victims. Read more.

QakBot returns to target the hospitality industry

QakBot malware has returned mere months after having its infrastructure dismantled by law enforcement in a campaign called Operation Duck Hunt. Microsoft discovered the malware’s resurgence in a “low-volume” phishing campaign that set its sights on the hospitality industry via emails purporting to have come from an IRS employee that contained a PDF with a link to a malicious URL. QakBot has a long way to go to regain its previous popularity. Still, its reemergence highlights the challenges authorities face when taking down criminal networks that have a habit of reappearing a short time later to continue wreaking havoc. Read more.

CISA recommends tech manufacturers ditch default passwords

Default login credentials on devices such as routers remain security liabilities, as these passwords are regularly published and shared across message boards and forums catering to hackers. CISA urges tech manufacturers to eliminate default passwords and instead opt for “instance unique” or “time-limited” set-up passwords that are disabled once the process has been completed. CISA’s alert, titled “How Manufacturers Can Protect Customers by Eliminating Default Passwords,” goes on to state that “years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations.” Read more.
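As an added illustration of the two setup-credential patterns the alert recommends (example code written for this roundup, not taken from CISA’s alert or from any manufacturer’s firmware), the following Python models the shared-default pattern the alert warns against beside an instance-unique password generated at manufacture and a time-limited setup credential that is disabled after the first successful setup. The device inventory and the default-credential list are constructed sample data, and the `now` parameter is an injectable clock so the expiry can be exercised without waiting.

```python
"""Added example for the CISA default-password item: shared defaults versus
instance-unique and time-limited setup credentials.  Not CISA's or any
vendor's code; the inventory and default list below are constructed data."""
import hashlib
import hmac
import secrets
import time

# Shared factory defaults of the kind published on hacker forums (constructed list).
SHARED_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "1234")}


def uses_shared_default(username: str, password: str) -> bool:
    """True if the credential is one of the known shared defaults."""
    return (username, password) in SHARED_DEFAULTS


def audit_inventory(inventory):
    """Return the serials of devices still running a shared default credential.

    inventory: iterable of (serial, username, password) tuples.
    """
    return [serial for serial, user, pw in inventory if uses_shared_default(user, pw)]


def instance_unique_password(nbytes: int = 12) -> str:
    """Per-device setup password generated at manufacture from the OS CSPRNG.

    Each unit gets its own value (printed on its label, for instance), so a
    leaked password unlocks one device rather than a whole product line.
    """
    return secrets.token_urlsafe(nbytes)


class SetupCredential:
    """Time-limited, single-use setup credential.

    The password is accepted only until `ttl_seconds` have elapsed and only
    for the first successful setup; after that it is disabled and the owner
    relies on the credential chosen during setup.  `now` is injectable so the
    expiry can be tested without waiting.  A plain SHA-256 digest is adequate
    here because the stored value is a high-entropy random secret, not a
    user-chosen password (which would call for a slow KDF).
    """

    def __init__(self, password: str, ttl_seconds: int, now=time.time):
        self._digest = hashlib.sha256(password.encode()).digest()
        self._now = now
        self._expires_at = now() + ttl_seconds
        self.consumed = False

    def verify(self, attempt: str) -> bool:
        """Accept the attempt once, before expiry, using a constant-time compare."""
        if self.consumed or self._now() > self._expires_at:
            return False
        ok = hmac.compare_digest(self._digest, hashlib.sha256(attempt.encode()).digest())
        if ok:
            self.consumed = True  # disabled as soon as setup completes
        return ok


# Constructed sample inventory: two units still on the shipped default.
SAMPLE_INVENTORY = [
    ("SN-0001", "admin", "admin"),
    ("SN-0002", "admin", "Vq3m-kXz8pLw2Rt"),
    ("SN-0003", "root", "1234"),
]

if __name__ == "__main__":
    print("still on shared defaults:", audit_inventory(SAMPLE_INVENTORY))
    cred = SetupCredential(instance_unique_password(), ttl_seconds=900)
    print("setup credential issued; consumed =", cred.consumed)
```

The audit function is the check a fleet operator can run today against an exported device inventory; the two credential types are what the alert asks manufacturers to ship instead, so that the setup secret is unique to a unit and stops working once it has done its job.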


Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
