SAN MATEO, CA, March 27, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- FBI has access to BreachForums criminal database following arrest of Pompompurin
- CISA releases “Untitled Goose Tool” to detect suspicious activity within Microsoft cloud services
- Threat actors can snoop on Okta user passwords using post-exploitation technique
- A weaponized ChatGPT Chrome extension is hijacking Facebook accounts
- Newly discovered PowerMagic and CommonMagic malware used to steal data
- Hackers steal $1.6 million in Bitcoin from General Bytes ATMs by exploiting zero-day vulnerability
- Poorly managed Linux servers in the crosshairs of new ShellBot DDoS malware variants
- .NET developers targeted with weaponized NuGet packages in crypto stealing campaign
- CatB ransomware uses tricky methods to evade detection
- New HinataBot botnet could deploy huge DDoS attacks
FBI has access to BreachForums criminal database following arrest of Pompompurin
The FBI has issued a statement confirming that it has gained access to the database of the notorious cybercrime site BreachForums after arresting Pompompurin (20-year-old Conor Brian Fitzpatrick) for his involvement in stealing and selling data belonging to “millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies” on the site. BreachForums was shut down by its remaining administrator after Fitzpatrick’s arrest, when that administrator suspected that law enforcement had accessed the site via Fitzpatrick’s computer. Read more.
CISA releases “Untitled Goose Tool” to detect suspicious activity within Microsoft cloud services
A new tool from CISA allows administrators to detect hacking activity taking place within Microsoft cloud environments. Called Untitled Goose Tool, the utility is described by CISA as “a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.” The open-source tool was developed in collaboration with Sandia, a U.S. Department of Energy national laboratory, and is available for free on the agency’s GitHub account. Read more.
Threat actors can snoop on Okta user passwords using post-exploitation technique
Security researchers at Mitiga have uncovered a flaw within Okta that can allow threat actors to read user passwords. They found that the IAM system saves “passwords to audit logs if a user accidentally types them in the ‘username’ field when logging in.” If a criminal gains access to an organization’s system, the passwords are easy pickings and can be used to gain further administrative access. Okta says the behavior is expected and designed to allow platform administrators, who “should be trusted not to engage in malicious activities,” access to audit logs. While the issue is not a bug or flaw within Okta, it does contribute to concerns about the ways in which Okta handles user passwords. Read more.
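A defender-side check for the failure mode described above, added here as an example and not part of the original article or of any Okta tooling: it scans a constructed batch of Okta System Log events for failed logins whose “username” value looks like a password, then pairs each with the next successful login from the same IP so the affected account can be rotated. The event field names (eventType, outcome.result, actor.alternateId, client.ipAddress) and the tenant’s username convention are assumptions.

```python
import re

# Constructed Okta System Log events (sample data, not from the article).
# Field names (eventType, outcome.result, actor.alternateId, client.ipAddress)
# follow Okta's System Log schema as understood here; treat them as an assumption.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "Tr0ub4dor&3!"}, "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "bob"}, "client": {"ipAddress": "198.51.100.7"}},
]

# Assumed tenant convention: usernames are e-mail addresses or lowercase handles.
USERNAME_RE = re.compile(r"^[a-z0-9._-]+(@[a-z0-9.-]+\.[a-z]{2,})?$")

def looks_like_password(value):
    """True when the username field does not fit the tenant's username shape
    and has the character mix of a typical password (3+ character classes)."""
    if USERNAME_RE.match(value):
        return False
    classes = sum(any(f(c) for c in value)
                  for f in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    return len(value) >= 8 and classes >= 3

def find_leaked_credentials(events):
    """Flag failed logins whose username field looks like a password, then pair
    each with the next successful login from the same IP to name the account
    whose password should be rotated. The leaked value itself is never returned,
    so the finding can be logged without re-leaking the secret."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("eventType") != "user.session.start" or ev["outcome"]["result"] != "FAILURE":
            continue
        uname = ev["actor"]["alternateId"]
        if not looks_like_password(uname):
            continue
        ip = ev["client"]["ipAddress"]
        affected = next((e["actor"]["alternateId"] for e in events[i + 1:]
                         if e["client"]["ipAddress"] == ip
                         and e["outcome"]["result"] == "SUCCESS"), None)
        findings.append({"ip": ip, "leaked_len": len(uname), "likely_account": affected})
    return findings

if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_EVENTS):
        print(finding)
```

Findings only carry the length of the leaked value, so the scan's own output does not become a second copy of the password in another log.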
A weaponized ChatGPT Chrome extension is hijacking Facebook accounts
A version of the legitimate ChatGPT Chrome browser extension that contains a Facebook-hijacking trojan has racked up more than 9,000 downloads in the Chrome Web Store. The malicious extension communicates with the same infrastructure that similarly weaponized Chrome extensions used earlier this month, leading researchers to believe that it was designed as a backup for when those were discovered and taken down. The extension is especially devious because it does perform the advertised function of inserting ChatGPT functionality into search results while also harboring malicious code designed to steal session cookies for Facebook accounts. The hijacked accounts are then used for malvertising campaigns or, oddly, to “promote banned material like ISIS propaganda.” Read more.
Newly discovered PowerMagic and CommonMagic malware used to steal data
Researchers at Kaspersky have observed threat actors using CommonMagic, a “previously unseen malicious framework,” and a new backdoor called PowerMagic in attacks that “target organizations in the administrative, agriculture, and transportation sectors for espionage purposes.” Once a system is infected, threat actors can steal files and documents and take screenshots using the Windows Graphics Device API. According to Kaspersky, “the limited victimology and Russian-Ukrainian conflict-themed lures suggest that the attackers likely have a specific interest in the geopolitical situation in that region.” Read more.
Hackers steal $1.6 million in Bitcoin from General Bytes ATMs by exploiting zero-day vulnerability
General Bytes is on high alert after unknown hackers exploited a zero-day vulnerability in their Bitcoin ATMs and made off with over $1.6 million worth of crypto. According to an advisory posted by General Bytes, the bug allowed hackers to upload a “java application remotely via the master service interface used by terminals to upload videos, and run it using batm user privileges.” Upon completion of this step, hackers were then able to “read and decrypt API keys used to access funds in hot wallets and exchanges, send funds from hot wallets, and download usernames, password hashes” and disable two-factor authentication. This is the second attack the company has faced in less than a year. Read more.
Poorly managed Linux servers in the crosshairs of new ShellBot DDoS malware variants
A range of ShellBot malware variants has been discovered targeting poorly managed Linux SSH servers. AhnLab Security Emergency Response Center (ASEC) has identified three variants being deployed in the campaign: “LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK – the first two of which offer a variety of DDoS attack commands using HTTP, TCP, and UDP protocols.” Once compromised, the targeted system can be enrolled in a botnet, used to stage other attacks, or infected with crypto stealers and other malware. Read more.
.NET developers targeted with weaponized NuGet packages in crypto stealing campaign
JFrog security researchers have discovered an ongoing campaign in which .NET developers are being infected with “cryptocurrency stealers delivered through the NuGet repository and impersonating multiple legitimate packages via typosquatting.” Three of the malicious payloads have been downloaded more than 150,000 times in a single month, signaling either that a huge number of infections have taken place or that the threat actors are inflating their download numbers to appear legitimate. Once installed, the included malware steals from victims’ crypto wallets “using Discord webhooks, extracting and executing malicious code from Electron archives, and auto-updating by querying the attacker-controlled command-and-control (C2) server.” Read more.
CatB ransomware uses tricky methods to evade detection
SentinelOne researchers have explained how CatB ransomware is so effective at evasion. CatB, also known as Baxtoy or CatB99, is believed to be an evolution of Pandora ransomware, a conclusion drawn from similarities in their code. Using a technique called DLL search order hijacking, CatB ransomware abuses “a legitimate service called Microsoft Distributed Transaction Coordinator to extract and launch” its payload. To further avoid detection, CatB does not drop a separate ransom note, opting instead to insert a message into each encrypted file instructing the target to pay in Bitcoin. Read more.
New HinataBot botnet could deploy huge DDoS attacks
Researchers at Akamai have discovered a new botnet that targets Realtek SDK devices, Huawei routers, and Hadoop YARN servers to recruit them for potentially huge attacks. Researchers have determined that the malware’s operators, who call it HinataBot, first distributed it via Mirai binaries. HinataBot appears to be under robust active development and will likely continue to advance in sophistication. Experts warn that it could be used to deploy massive DDoS attacks of up to 3.3 Tbps. Read more.