February 19, 2024

Cybersecurity news weekly roundup February 19, 2024

SAN MATEO, CA, February 19, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Leader of Zeus and IcedID malware gangs faces 40 years in prison

Arrested in Switzerland in October of 2022 and extradited to the US in 2023, Ukrainian national Vyacheslav Igorevich Penchukov faces up to 40 years in prison for his role in the Zeus malware operation and the theft of millions of dollars using credentials stolen from compromised devices. Penchukov was arrested previously in Ukraine in 2021 for his involvement in the Egregor ransomware gang but was able to evade prosecution thanks to political connections. A fugitive on the FBI’s most wanted list for almost a decade, he has pleaded guilty to the charge of conspiracy related to racketeering and to a charge of conspiracy to commit wire fraud, both carrying a maximum sentence of 20 years. “Vyacheslav Igorevich Penchukov was a leader of two prolific malware groups that infected thousands of computers with malicious software. These criminal groups stole millions of dollars from their victims and even attacked a major hospital with ransomware, leaving it unable to provide critical care to patients for over two weeks,” said Acting Assistant Attorney General Nicole M. Argentieri. Read more.

New RustDoor macOS backdoor found to be targeting crypto firms

Bitdefender has reported that a new Apple macOS malware strain called RustDoor targets companies operating in the crypto sector. The backdoor, delivered via fake job offers posing as PDFs but actually containing scripts that download the malware, is Rust-based and can exfiltrate files and gather data about the targeted computer. The campaign appears to consist of targeted attacks rather than relying on “shotgun distribution.” Bitdefender says that they uncovered “four new Golang-based binaries that communicate with an actor-controlled domain (“sarkerrentacars[.]com”), whose purpose is to ‘collect information about the victim’s machine and its network connections using the system_profiler and networksetup utilities, which are part of the macOS operating system.’” Read more.

GoldPickaxe iOS and Android malware steals face data for financial fraud

Group-IB researchers have discovered a new iOS and Android malware called GoldPickaxe. It uses social engineering to convince people to scan their faces and ID documents, which the attackers can then use to create deepfakes for breaking into financial accounts. Developed by the Chinese threat group GoldFactory, the trojan began spreading in October of 2023, sending victims phishing messages that impersonate government services and trick them into installing malicious apps. Once GoldPickaxe is installed, “it operates semi-autonomously, manipulating functions in the background, capturing the victim’s face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device.” An infection on an Android device allows the malware to perform more malicious activity than on iOS because of Apple’s stricter security permissions. Read more.

New Qbot malware variant uses fake Adobe installer window to stay out of sight

A Qakbot variant dubbed Qbot has been observed in email campaigns, leading researchers to believe that the developers behind the malware are experimenting with new tactics. Qbot uses a fake Adobe product installer window to fool the intended victim into launching the malware. Qakbot’s infrastructure was dismantled in an August 2023 law enforcement operation called Operation Duck Hunt, and researchers expected that the threat actors behind it would soon be back in action with new attacks and distribution strategies. That appears to be the case, as Qakbot variants now have “enhanced obfuscation techniques, including advanced encryption to hide strings and command-and-control (C2) communication.” Read more.

State-sponsored threat actors are using generative AI to enhance their campaigns

Research by Microsoft and OpenAI has confirmed that state-sponsored threat actors make heavy use of generative AI and large language models (LLMs). While the research suggests that they are not using AI to build attacks from the ground up, the technology is being used to support campaigns and “is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.” LLMs are primarily being used to craft ever more convincing phishing emails, translate technical data, and generate “code snippets that appear intended to support app and web development.” Read more.

Bank of America warns of data breach affecting 57,000 customers

Bank of America is alerting customers that they may be at risk due to a breach in November 2023. Exposing the names, addresses, Social Security numbers, dates of birth, and financial information of around 57,000 customers, the breach occurred through Infosys McCamish Systems, one of Bank of America’s service providers. The breach has been attributed to LockBit, as they named Infosys McCamish Systems as a victim of their ransomware, and is the second security incident to have affected Bank of America customers in the last year. May of 2023 saw Ernst & Young, another of Bank of America’s third-party service providers, fall victim to the Clop ransomware gang’s attack on the MOVEit Transfer platform. Read more.

Microsoft SmartScreen zero-day opens stock traders to DarkMe malware attacks

Trend Micro has reported on a newly disclosed zero-day bug in Microsoft Defender SmartScreen under active exploitation by a threat actor group called Water Hydra. According to Trend Micro, which says the campaign targets financial market traders, “the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware.” While the exploit runs in the background, Water Hydra’s attack displays a stock graph to keep victims unaware of what is happening, with the end goal of delivering the DarkMe trojan, which is equipped with the ability “to download and execute additional instructions, alongside registering itself with a command-and-control (C2) server and gathering information from the compromised system.” Microsoft has issued a patch for the vulnerability, and all users are urged to update immediately. Read more.

200K Facebook Marketplace user records uploaded to hacker forum

200,000 Facebook Marketplace records said to include phone numbers, email addresses, and other information belonging to platform users have been uploaded to a hacker forum by a threat actor called IntelBroker. According to IntelBroker, “in October 2023 a cyber criminal by the name of ‘algoatson’ on Discord breached a contractor that manages cloud services for Facebook and stole its partial user database of 200,000 entries.” The leaked data could leave users open to phishing attacks and SIM swaps that may allow criminals to intercept multi-factor authentication codes sent via SMS. IntelBroker is not new to the scene, having gained notoriety via their breach of DC Health Link, which saw the personal data of US House of Representatives members leaked onto the internet. Read more.

FTC report indicates that US consumers lost a record $10 billion to fraudsters in 2023

Data from the Federal Trade Commission indicates that US adults lost a record $10 billion to online fraud throughout 2023, with investment scams being the number one income generator for internet fraudsters. This is a 14% increase over 2022, with the other most-reported fraud types being imposter fraud, e-commerce fraud, fake prize fraud, and employment scams. The FTC says it received scam reports from 2.6 million consumers in 2023, roughly the same number as in 2022, indicating that the amount of money lost per victim has risen. Email was the most common vector for scams in 2023, with phone calls coming in second and text messages third. Read more.

US Department of State offers $10 million bounty for Hive Ransomware leaders

Hive, a ransomware outfit that materialized in 2021 to target more than 1,500 organizations across over 80 countries, has been in the crosshairs of the US government since law enforcement dismantled the group’s dark web infrastructure in 2023. The US Department of State is currently offering a bounty of up to $10 million for information about individuals in leadership positions within Hive, in addition to $5 million for information that could lead to the arrest of individuals “conspiring to participate in or attempting to participate in Hive ransomware activity.” While ransomware activity declined in 2022, it surged in 2023 and continues to be a persistent threat, with international government agencies collaborating and forming alliances to minimize chaos and get financially motivated threat actors under control. Read more.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.