SAN MATEO, CA, June 5, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Google removes malicious Chrome extensions with 75 million installs from store
- Hackers can exfiltrate data from free version of Google Workspace and leave no trace
- Kaspersky staff iPhones hacked, Russian government blames US intelligence
- RomCom RAT uses network of fraudulent sites to launch political and financial attacks
- PrinterLogic’s enterprise software full of vulnerabilities
- Hackers are selling human-led CAPTCHA-breaking services
- Data belonging to nearly 480,000 RaidForums members oddly leaked by admin of new hacker forum
- AceCryptor malware detected in more than 240,000 cyberattacks
- Lazarus Group sets sights on Windows IIS web servers
Google removes malicious Chrome extensions with 75 million installs from store
Thirty-two malicious Chrome web browser extensions have been removed from the Chrome Web Store by Google. The extensions, downloaded 75 million times, contain code allowing them to “alter search results and push spam or unwanted ads.” The extensions also performed their advertised, legitimate functionality, keeping victims unaware of the hidden activity or features. While security researchers at Avast discovered the code and reported it to Google, they did not observe it being executed. However, reviews posted in the Web Store contain claims of “redirections and search result hijacking.” Google suspects that the download count, while worrying, is likely artificially inflated to make the extensions appear more popular. Read more.
Hackers can exfiltrate data from free version of Google Workspace and leave no trace
Researchers at Mitiga have stated that they discovered a “forensic security deficiency” within the free version of Google Workspace that allows attackers to exfiltrate data and leave no evidence behind upon completion. While paid versions of the platform include “drive log events” that record the copying, deleting, downloading, and viewing of files, free subscribers do not have access to these reports. As a result, victims of an intrusion are left with no indication of being attacked and no way to determine what data may have been accessed or stolen in the process. While Mitiga has contacted Google regarding the issue, the software giant reportedly “doesn’t recognize forensics deficiencies as a security problem,” leaving users largely in the dark for the time being. Read more.
Kaspersky staff iPhones hacked, Russian government blames US intelligence
Russian cybersecurity firm Kaspersky has reported that several dozen iPhones belonging to employees have been subjected to malware at the hands of a foreign government. According to the company, the malware was delivered with “a zero-click exploit via an iMessage attachment.” While Kaspersky has not made any statement on the origin of the hacking, Russia’s Federal Security Service (FSB) accused the NSA of compromising “thousands” of iPhones to spy on Russian diplomats. Kaspersky has stated that they do not believe they were the “main target” of the attack. The US government banned the use of Kaspersky products in federal settings in 2017 over concerns related to national security. Read more.
RomCom RAT uses network of fraudulent sites to launch political and financial attacks
Research from Trend Micro has exposed a network of fake websites built by the threat actors responsible for RomCom RAT. Posing as download pages for legitimate software, the sites serve installers laced with the trojan, which the attackers use to infiltrate targets. Trend Micro researchers say that “these lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult.” The way the RomCom RAT operators use their malware blurs the line between tactics associated with financially motivated attackers and those engaged in state-sponsored activity. RomCom RAT has been “complemented by significant improvements to the malware that scales up the number of supported commands from 20 to 49, enabling it to exert total control over the compromised hosts.” Read more.
PrinterLogic’s enterprise software full of vulnerabilities
Security researchers at Seek have determined that PrinterLogic’s SaaS platform harbors 18 vulnerabilities that hackers could exploit to penetrate organizations’ networks. The bugs run the gamut and could allow criminals to inject code, steal login credentials, bypass authentication, and more. The researchers have determined that these bugs exist because “the application lacks a central framework for authentication and authorization handling,” “uses a flawed mechanism for preventing SQL injection,” and contains “multiple XSS flaws.” Seek reached out to PrinterLogic in February to disclose their findings, but the company has yet to say when a patch closing these gaps will be available. Read more.
Hackers are selling human-led CAPTCHA-breaking services
CAPTCHA mechanisms designed to filter out bot traffic from legitimate human users are being targeted by hackers who have devised a way to work around them and charge other criminals for the service. According to Trend Micro, “these CAPTCHA-solving services don’t use techniques or advanced machine learning methods; instead, they break CAPTCHAs by farming out CAPTCHA-breaking tasks to actual human solvers.” Much like the continued prevalence of social engineering, this scheme shows that some of the most reliable security measures can be dismantled not by sophisticated hacking but by enterprising criminals using simple techniques to sidestep complex systems. Read more.
Data belonging to nearly 480,000 RaidForums members oddly leaked by admin of new hacker forum
A new hacker forum called “Exposed” has been launched to fill the void left behind after both RaidForums and Breached collapsed. Interestingly, a recent post made on it by a site admin account contains a trove of information about RaidForums members. The leaked database is of great value to researchers, law enforcement, and other cybercriminals alike, as it contains “usernames, email addresses, hashed passwords, registration dates, and a variety of other information related to the forum software” for 478,870 RaidForums members. The poster has stated that some members have been removed from the leak. The reason behind this leak, and for the removals, is currently unknown. Read more.
AceCryptor malware detected in more than 240,000 cyberattacks
Cybersecurity firm ESET has reported that a piece of malicious software called AceCryptor has been used heavily by cybercriminals since 2016 to pack other malware strains. Victims become infected through trojanized installers, malicious email attachments, or malware delivered from an already compromised host. Researchers have detected over 240,000 instances of the cryptor in 2021 and 2022 alone, translating to more than 10,000 a month. AceCryptor has been found to incorporate “a three-layer architecture to progressively decrypt and unpack each stage and ultimately launch the payload while featuring anti-VM, anti-debugging, and anti-analysis techniques to fly under the radar.” Read more.
Lazarus Group sets sights on Windows IIS web servers
North Korea’s state-backed Lazarus Group hacking collective has been observed targeting poorly managed or outdated Windows Internet Information Services (IIS) web servers to gain access to corporate networks. They do so by “using known vulnerabilities or misconfigurations that allow the threat actors to create files on the IIS server using the w3wp.exe process.” They then “drop ‘Wordconv.exe,’ a legitimate file that is part of Microsoft Office, a malicious DLL (‘msvcr100.dll’) in the same folder, and an encoded file named ‘msvcr100.dat.’” After ‘Wordconv.exe’ is launched, it side-loads the malicious DLL, which decrypts the Salsa20-encrypted executable from msvcr100.dat and “executes it in memory where antivirus tools can’t detect it.” Lazarus has primarily focused on financially motivated campaigns but has also engaged in cyber espionage efforts. Read more.
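The chain above has three observable steps on the endpoint: the IIS worker (w3wp.exe) writing executable files to disk, w3wp.exe spawning a child process, and a copy of Wordconv.exe loading msvcr100.dll from somewhere other than an Office or system directory. As an added illustration for this roundup (not code from the original article or from the researchers it cites), the following Python sketch runs those three rules over a handful of constructed, Sysmon-style event records. The field names, the list of trusted directories, and the sample events are all assumptions for the example; map them onto whatever telemetry your EDR or Sysmon pipeline actually emits.

```python
import ntpath

# Directories from which a legitimate Wordconv.exe would load its runtime DLL.
# Assumption for this example; adjust to your own estate.
TRUSTED_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)
# File types an IIS worker process has no business writing to disk.
DROPPED_EXTENSIONS = (".exe", ".dll", ".dat")

# Constructed, simplified event records (not real telemetry), loosely modelled
# on Sysmon's file-create, image-load and process-create events.
SAMPLE_EVENTS = [
    # Benign: the IIS worker writing its own access log.
    {"type": "file_create", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex230605.log"},
    # Benign: the real Wordconv.exe loading msvcr100.dll from its Office folder.
    {"type": "image_load",
     "process": r"C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\msvcr100.dll"},
    # Suspicious: w3wp.exe drops the three files into a web-reachable folder.
    {"type": "file_create", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\upload\Wordconv.exe"},
    {"type": "file_create", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
    {"type": "file_create", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\upload\msvcr100.dat"},
    # Suspicious: the IIS worker launches the dropped binary.
    {"type": "process_create", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "process": r"C:\inetpub\wwwroot\upload\Wordconv.exe"},
    # Suspicious: that Wordconv.exe side-loads msvcr100.dll from the same folder.
    {"type": "image_load", "process": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "image": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
]


def base(path):
    """Lower-cased file-name component of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def in_trusted_dir(path):
    """True when the path sits under one of the directories we expect Office DLLs to live in."""
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events):
    """Return one finding per event that matches a rule for the IIS-to-side-load chain."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if (kind == "file_create" and base(ev["process"]) == "w3wp.exe"
                and ev["target"].lower().endswith(DROPPED_EXTENSIONS)):
            # Rule 1: the IIS worker should serve content, not write binaries.
            findings.append({"rule": "iis_worker_dropped_file", "event": ev})
        elif kind == "process_create" and base(ev["parent"]) == "w3wp.exe":
            # Rule 2: any child of w3wp.exe deserves a look; here it is the dropped Wordconv.exe.
            findings.append({"rule": "iis_worker_spawned_process", "event": ev})
        elif (kind == "image_load" and base(ev["process"]) == "wordconv.exe"
                and base(ev["image"]) == "msvcr100.dll"
                and not in_trusted_dir(ev["image"])):
            # Rule 3: Wordconv.exe resolving its runtime DLL from an untrusted folder is the side-load.
            findings.append({"rule": "wordconv_sideload", "event": ev})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["rule"], "->", finding["event"])
```

Rule 1 fires three times on the sample (once per dropped file), rule 2 once, and rule 3 once; the two benign records produce nothing. Rule 1 is deliberately broad because a web server process writing .exe or .dll files is rarely legitimate regardless of the actor, while rule 3 is the specific signal for this campaign's side-loading step.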