SAN MATEO, CA, January 30, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- FBI infiltrates Hive ransomware gang for six months, shuts down websites
- CISA: federal agencies hacked via legitimate remote monitoring and management (RMM) software
- WordPress redirect campaign hacks 4,500 sites
- Emotet malware continues to circulate with new features
- GoTo/LastPass hack worse than initially disclosed, encryption key exfiltrated
- FBI: North Korea responsible for $100 million Horizon Bridge theft
- XLL add-in blocker coming to Microsoft365 to end Excel malware delivery
- CISA: critical ManageEngine RCE flaw exploited
- Samsung Galaxy store exploit allows for remote app installation
- FanDuel: user data exposed in MailChimp breach
FBI infiltrates Hive ransomware gang for six months, shuts down websites
A statement from the US Department of Justice (DOJ) has revealed that the FBI had infiltrated the Hive ransomware gang's network roughly six months earlier, using that covert access to warn victims of impending attacks and to hand them decryption keys before they paid. To close the operation, the FBI seized Hive's websites and communication infrastructure with assistance from Germany and the Netherlands. While all agencies involved are pleased with the results, no arrests have been announced, and researchers expect Hive's members to rebuild and regroup, possibly under a different name. Read more.
CISA: federal agencies hacked via legitimate remote monitoring and management (RMM) software
CISA, the NSA, and MS-ISAC have issued a joint advisory warning that attackers are using legitimate remote monitoring and management (RMM) software to gain footholds in networks, including those of federal civilian agencies. The preferred vector is a help desk-themed phishing email that contains either a link or a phone number to call in order to cancel a fraudulent, high-priced subscription. Once the target engages, they are led to a link that opens their default web browser and downloads an executable, which connects to a second-stage domain and retrieves portable versions of AnyDesk and ScreenConnect. Because these portable executables need no installation, they run without administrator rights and sidestep the software controls that apply to installed applications; the attackers, believed to be mostly financially motivated, then operate inside the network with the victim's local-user access. Read more.
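The practical detection point in the advisory is that a legitimately deployed RMM client lives under Program Files and is started by a service, whereas a phished "portable" copy runs from Downloads, Temp or AppData and is often spawned by a browser or mail client. The following is an added editorial example, not tooling from the advisory or from any vendor: it scans constructed process-creation events (the pipe-delimited format, field names and sample lines are all invented for the example) and flags AnyDesk and ScreenConnect binaries that look portable or browser-launched.

```python
"""Flag portable RMM binaries launched from user-writable paths.

Editorial example illustrating the CISA/NSA/MS-ISAC RMM advisory; not code
from the advisory or from any vendor. The event format, the field names and
SAMPLE_LOG are constructed for the example; adapt parse_event() to your own
Sysmon/EDR export (Sysmon Event ID 1 carries the same fields).
"""
from dataclasses import dataclass, field

# Executable names of the two RMM tools named in the advisory (lower-cased).
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
# A properly installed copy normally lives here; anything else is treated
# as a portable copy dropped by the user or by a downloader.
INSTALLED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Parents that suggest the binary was fetched and run straight from a phish.
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


@dataclass
class Finding:
    host: str
    user: str
    image: str
    parent: str
    reasons: list = field(default_factory=list)


def basename(path):
    """Last path component, lower-cased, tolerant of / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Constructed format: ts|host|user|image_path|parent_image_path."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None  # malformed or truncated line: skip rather than guess
    ts, host, user, image, parent = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "parent": parent}


def assess(event):
    """Return a Finding for a suspicious RMM launch, else None."""
    image_l = event["image"].lower()
    if basename(image_l) not in RMM_BINARIES:
        return None
    reasons = []
    if not image_l.startswith(INSTALLED_DIRS):
        reasons.append("portable: not under Program Files")
    if basename(event["parent"]) in BROWSER_PARENTS:
        reasons.append("spawned by browser/mail client")
    if not reasons:
        return None  # installed copy started normally: benign
    return Finding(event["host"], event["user"], event["image"],
                   event["parent"], reasons)


def scan(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f = assess(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events: two phish-style launches, one legitimate
# service-started install, one unrelated process, one malformed line.
SAMPLE_LOG = [
    r"2023-01-24T09:12:03Z|WS-0412|jdoe|C:\Users\jdoe\Downloads\AnyDesk.exe|C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"2023-01-24T09:15:41Z|WS-0412|jdoe|C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.WindowsClient.exe|C:\Users\jdoe\Downloads\AnyDesk.exe",
    r"2023-01-24T10:01:00Z|SRV-HELPDESK|SYSTEM|C:\Program Files (x86)\AnyDesk\AnyDesk.exe|C:\Windows\System32\services.exe",
    r"2023-01-24T10:05:00Z|WS-0099|asmith|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe",
    "garbage line without enough fields",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host} {f.user}: {f.image} (parent {basename(f.parent)}) -> {'; '.join(f.reasons)}")
```

The "not under Program Files" test is deliberately coarse: a helpdesk that legitimately uses portable AnyDesk will need its own paths added to INSTALLED_DIRS, and a service-started copy under Program Files is treated as benign only because the advisory's tradecraft does not involve installing the tool.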
WordPress redirect campaign hacks 4,500 sites
Emotet malware continues to circulate with new features
Emotet, the seemingly impossible-to-kill malware that emerged as a banking trojan in 2014 and has since evolved into a loader for other criminals' payloads, continues to plague the threat landscape in spite of the 2021 takedown of its infrastructure. Emotet is modular, which makes it an adaptable platform for a range of attacks. Its two newest modules are an SMB spreader "designed to facilitate lateral movement using a list of hard-coded usernames and passwords" and a credit card stealer that targets data saved in the Chrome web browser. Emotet is distributed via phishing emails and is attributed to the cybercrime group tracked as Gold Crestwood, also known as Mummy Spider. Read more.
GoTo/LastPass hack worse than initially disclosed, encryption key exfiltrated
GoTo, the corporate affiliate of LastPass, has revealed that the August 2022 intrusion that affected both companies did more damage than initially disclosed. While GoTo stated when first commenting on the attack that no user data had been accessed, a statement from LastPass in December revealed that the intrusion went further and that customer data was exposed. In new emails to affected customers, GoTo now says that encrypted backups were taken along with "an encryption key for a portion of the encrypted data," which means that portion can be decrypted offline by whoever holds the stolen copies. GoTo is mandating password resets for affected accounts, but the shifting account of last year's breach has called GoTo's and LastPass's credibility into question with regard to user privacy. Read more.
FBI: North Korea responsible for $100 million Horizon Bridge theft
The FBI has confirmed that North Korean hackers were behind the June 2022 theft of $100 million in cryptocurrency from Harmony's Horizon bridge. The Lazarus Group and APT38 have been implicated in the heist, which relied on social engineering to convince employees of crypto platforms to download malicious applications. North Korea has been responsible for a number of high-profile crypto thefts in recent years, using state-sponsored hacking groups to steal from financial institutions and exchanges as a way around international sanctions. Read more.
XLL add-in blocker coming to Microsoft365 to end Excel malware delivery
Microsoft is in the process of adding XLL add-in protection to Microsoft 365 to stymie the rise of malware delivered via Excel. XLL files are compiled add-ins that extend Excel with additional functions. Attackers have found them well suited to phishing campaigns, because an XLL is native code that runs as soon as Excel loads it, yet it can be disguised as an innocuous document sent from a trusted source. The new protection, expected to begin rolling out in March, will block XLL add-ins that originate from the internet and signals the company's intent to make Microsoft 365 a less appealing vector for attackers. Read more.
CISA: critical ManageEngine RCE flaw exploited
CVE-2022-47966, a remote code execution vulnerability affecting numerous Zoho ManageEngine products, has been added to CISA's catalog of known exploited vulnerabilities. While the flaw was patched in a series of updates that began in October 2022, researchers at Horizon3 have observed that around 10% of vulnerable systems remain unpatched. Rapid7 researchers have observed that, after successful exploitation, "attackers are disabling real-time malware protection to backdoor compromised devices by deploying remote access tools." Federal agencies have until February 13th to patch their systems; private organizations are urged to do the same. Read more.
Samsung Galaxy store exploit allows for remote app installation
Samsung's Galaxy Store, formerly known as Samsung Apps and then Galaxy Apps, has been found to harbor two vulnerabilities that allow attackers to "stealthily install arbitrary apps or direct prospective victims to fraudulent landing pages on the web." The first flaw, CVE-2023-21433, allows a rogue app already present on the device to have the Galaxy Store install a different application. The second, CVE-2023-21434, can be exploited to bypass the store's URL filter and push victims to domains under the attacker's control, where they may be exposed to malicious links. Users are urged to update all Samsung devices to the most current OS version. Read more.
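The second flaw belongs to a familiar bug class: a destination filter that checks for an allowed domain somewhere in the URL rather than checking the actual host. The block below is an added editorial example of that class and its fix, not the Galaxy Store's code or the exact NCC Group finding; the allowlist (`samsung.com`) and the bypass URLs are constructed for illustration.

```python
"""Naive versus hardened destination filter for a redirect or deep link.

Editorial example of the general bug class behind URL-filter bypasses; it is
not the Galaxy Store's filter and does not reproduce the actual CVE-2023-21434
condition. The allowlist and every test URL are constructed.
"""
import re
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "samsung.com"  # constructed allowlist for the example


def naive_allows(url):
    """Typical mistake: pattern is not anchored to the host and the dot is
    unescaped, so 'samsung.com' may sit anywhere and '.' matches anything."""
    return re.search(r"https?://[^/]*samsung.com", url) is not None


def hardened_allows(url):
    """Parse the URL, pin the scheme, and compare the real hostname exactly
    or as a labelled subdomain of the allowed domain."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


# Constructed attacker URLs: each satisfies the naive regex while actually
# sending the victim to attacker-controlled infrastructure.
BYPASS_ATTEMPTS = [
    "https://www.samsung.com.attacker.example/login",        # allowed name as a subdomain
    "https://samsung.com@attacker.example/",                 # userinfo before the real host
    "https://samsungXcom.example/",                          # unescaped '.' matches 'X'
    "https://attacker.example/?next=https://samsung.com",    # match found in the query string
]

# Constructed legitimate destinations that must keep working after the fix.
LEGITIMATE = [
    "https://www.samsung.com/us/",
    "https://samsung.com/",
    "https://WWW.Samsung.COM:443/support",
]


def compare(urls):
    """Return {url: (naive_result, hardened_result)} for a list of URLs."""
    return {u: (naive_allows(u), hardened_allows(u)) for u in urls}


if __name__ == "__main__":
    for u, (n, h) in compare(BYPASS_ATTEMPTS + LEGITIMATE).items():
        print(f"naive={n!s:5} hardened={h!s:5} {u}")
```

The hardened check still trusts anything under the allowed domain, so a subdomain takeover or an open redirect on an allowed host would pass it; an exact-host allowlist is stricter when the set of legitimate destinations is small.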
FanDuel: user data exposed in MailChimp breach
Sports betting platform FanDuel has warned users that their data was exposed in the recent breach at email marketing provider MailChimp. While no financial or account credentials were reported stolen, FanDuel has stated that names and email addresses were exposed and that users should remain vigilant against phishing attempts crafted with that information. Customers are also urged to change their passwords frequently and to set up multifactor authentication on their accounts. Read more.