SAN MATEO, CA, November 21, 2022 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- CISA releases guide for customers on securing supply chain
- Microsoft: Royal ransomware being distributed through Google Ads by new threat group
- New Latin America-targeting ARCrypter ransomware expands worldwide
- US and UK Netflix users targeted in clever phishing campaign
- CISA: Log4Shell exploit used by Iranian hackers to breach US federal agency
- Amazon RDS instances leaking personal user data
- Malicious SEO campaign compromises 15,000 WordPress sites
- Chinese network of 42,000 imposter sites discovered
- Tech giant Thales has data stolen by LockBit gang
CISA releases guide for customers on securing supply chain
CISA, NSA and ODNI have released the final report in a three-part series that provides guidance on how to secure the supply chain. According to CISA, “the guidance released today, along with the accompanying fact sheet, provides recommended practices for software customers to ensure the integrity and security of software during the procuring and deployment phases.” The report follows previously released guides for suppliers and developers. Read more.
Microsoft: Royal ransomware being distributed through Google Ads by new threat group
A new cyber threat group, currently designated DEV-0569, has been discovered distributing Royal ransomware through Google Ads. The group uses malvertising to direct victims to download links for the BATLOADER malware downloader that pose as legitimate software from companies such as Adobe, Microsoft Teams or Zoom. The group also uses SEO poisoning techniques to make its pages appear in search results, and spreads phishing links via emails, forum posts, blog comments and the contact forms provided by targeted sites. Read more.
New Latin America-targeting ARCrypter ransomware expands worldwide
ARCrypter, a ransomware variant that appeared to be completely new and not associated with any known families when it was discovered being used against a Chilean government agency in August, has gone global. Researchers at BlackBerry have warned that ARCrypter has been observed targeting victims in China and Canada while other instances have appeared in Germany, France and the US. Little is known about ARCrypter, including its origin and attack vector. The criminals using it claim to steal data from their victims, but no leak site associated with ARCrypter has yet appeared. Read more.
US and UK Netflix users targeted in clever phishing campaign
Phishing attacks impersonating Netflix have risen by 78% since October, according to findings from security researchers at Egress. Egress states that the threat actors spearheading the campaign are bypassing anti-phishing filters by using Unicode characters to conceal text that might give away the ruse. They are also using classic social engineering techniques, such as implying a sense of urgency, as well as white-on-white text and characters from various languages to further confuse natural language processing filters. A major concern associated with this campaign is that many victims may be using the same login credentials for Netflix as they do for work accounts, opening the door to major cyberattacks. Read more.
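The item above describes two filter-evasion tricks: invisible or look-alike Unicode characters inserted into the lure text, and letters borrowed from other scripts so that a keyword rule no longer matches. The following is an added example (not code from Egress or from the original article) of how a mail filter can surface those tricks and normalize the text before keyword matching. The sample message, the short confusables table and the keyword list are all constructed for the example.

```python
import unicodedata

# Constructed confusables table for this example: a few Cyrillic/Greek letters
# that render like Latin ones. Unicode's full list is far larger
# (https://www.unicode.org/Public/security/latest/confusables.txt).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",
}

# Phrases a naive keyword filter might look for (constructed).
KEYWORDS = ("netflix", "account", "payment", "suspended", "update your")

# Constructed sample lure: fullwidth N, a zero-width space inside the brand
# name, and Cyrillic 'a' (U+0430) in "account" and "payment".
SAMPLE = ("Your \uff2eetf\u200blix \u0430ccount is suspended. "
          "Update your p\u0430yment details within 24 hours.")


def script_of(ch):
    """Coarse script bucket derived from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"):
        if script in name:
            return script
    return "OTHER"


def find_obfuscation(text):
    """Return (position, kind, detail) findings for the tricks described above."""
    findings = []
    for i, ch in enumerate(text):
        name = unicodedata.name(ch, "U+%04X" % ord(ch))
        if unicodedata.category(ch) == "Cf":          # zero-width / format chars
            findings.append((i, "format", name))
        elif ch in CONFUSABLES:                        # look-alike from another script
            findings.append((i, "confusable", "%s for '%s'" % (name, CONFUSABLES[ch])))
        elif unicodedata.normalize("NFKC", ch) != ch:  # fullwidth and other compat forms
            findings.append((i, "compat", name))
    # A single word mixing scripts (e.g. Latin + Cyrillic) is itself a strong signal.
    for pos, word in enumerate(text.split()):
        scripts = {script_of(c) for c in word if c.isalpha()} - {"OTHER"}
        if len(scripts) > 1:
            findings.append((pos, "mixed-script", "%s in %r" % (sorted(scripts), word)))
    return findings


def normalize(text):
    """Fold the text to what a human sees, so keyword rules match again."""
    out = []
    for ch in unicodedata.normalize("NFKC", text):
        if unicodedata.category(ch) == "Cf":
            continue                                   # drop invisible characters
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def naive_hits(text):
    """Keyword matching on the raw text, as a filter without normalization would do."""
    lowered = text.lower()
    return [k for k in KEYWORDS if k in lowered]


def keyword_hits(text):
    """Keyword matching after normalization."""
    lowered = normalize(text).lower()
    return [k for k in KEYWORDS if k in lowered]


if __name__ == "__main__":
    for finding in find_obfuscation(SAMPLE):
        print(finding)
    print("raw filter hits:       ", naive_hits(SAMPLE))
    print("normalized filter hits:", keyword_hits(SAMPLE))
```

On the constructed sample the raw keyword check only sees the two phrases the sender left untouched, while the normalized check recovers all five; the findings list (one format character, one compatibility form, two confusables, two mixed-script words) is what you would feed into a scoring rule. White-on-white text is an HTML-level trick and needs the rendered-versus-visible comparison done separately in the HTML parser.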
CISA: Log4Shell exploit used by Iranian hackers to breach US federal agency
Last year’s Log4Shell debacle continues to persist, as CISA reports that “threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence” at an unnamed Federal Executive Branch organization. CISA and the FBI have assessed that the attack was carried out by Iranian threat actors. The compromise further underscores the importance of patching VMware Horizon servers and treating those that remain out of date as already breached. Read more.
Amazon RDS instances leaking personal user data
Amazon RDS, a web service that provides relational databases in the Amazon Web Services (AWS) cloud and supports database engines including MySQL, Oracle, PostgreSQL, and SQL Server, has been found to be exposing user data that could be used by threat actors to stage attacks. According to researchers at Mitiga, a feature within the platform called RDS snapshots is to blame: it creates a backup of all data in the database, and a snapshot that is shared publicly can then be accessed by any AWS user. Amazon cautions users to be sure that shared snapshots do not include sensitive information, but Mitiga researchers found that many publicly shared snapshots not only included such information, but had also been available for perusal for weeks, likely having simply been forgotten. Read more.
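The exposure described above is a configuration state, not a bug, so the defender's check is to enumerate your own manual snapshots and see whether their "restore" attribute has been opened to "all" (the value AWS uses for public sharing). The following is an added example (not Mitiga's tooling or AWS code) that classifies snapshots from the attribute results the RDS API returns and builds the call that revokes public access. The offline part runs over constructed sample results; the `live_audit` function assumes a boto3 RDS client with credentials and is not exercised here.

```python
"""Audit RDS manual snapshots for public or cross-account sharing."""

# AWS represents "shared with everyone" as the literal value "all" in the
# 'restore' attribute of a manual DB snapshot.
PUBLIC_MARKER = "all"

# Constructed DescribeDBSnapshotAttributes results (the 'DBSnapshotAttributesResult'
# part of the API response); identifiers and the account id are made up.
SAMPLE_RESULTS = [
    {"DBSnapshotIdentifier": "prod-customers-final",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "analytics-copy",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "dev-scratch",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]


def snapshot_exposure(attr_result):
    """Classify one snapshot as 'public', 'shared' (named accounts) or 'private'."""
    shared_with = []
    for attr in attr_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            shared_with.extend(attr.get("AttributeValues", []))
    if PUBLIC_MARKER in shared_with:
        return "public"
    if shared_with:
        return "shared"
    return "private"


def audit(results):
    """Map snapshot identifier -> exposure class for a list of attribute results."""
    return {r["DBSnapshotIdentifier"]: snapshot_exposure(r) for r in results}


def revoke_public_params(attr_result):
    """Keyword arguments for rds.modify_db_snapshot_attribute that remove public access."""
    return {
        "DBSnapshotIdentifier": attr_result["DBSnapshotIdentifier"],
        "AttributeName": "restore",
        "ValuesToRemove": [PUBLIC_MARKER],
    }


def live_audit(rds, fix=False):
    """Run the audit against a real account with a boto3 RDS client.

    Only manual snapshots can be shared, so those are the ones listed.
    Requires AWS credentials; not exercised offline.
    """
    results = []
    paginator = rds.get_paginator("describe_db_snapshots")
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            resp = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            results.append(resp["DBSnapshotAttributesResult"])
    report = audit(results)
    if fix:
        for r in results:
            if snapshot_exposure(r) == "public":
                rds.modify_db_snapshot_attribute(**revoke_public_params(r))
    return report


if __name__ == "__main__":
    for ident, exposure in audit(SAMPLE_RESULTS).items():
        print("%-22s %s" % (ident, exposure))
    # Live run (needs boto3 and credentials):
    #   import boto3; print(live_audit(boto3.client("rds"), fix=False))
```

Run the live audit per region, since snapshots are regional, and treat any "public" result the way the item suggests: assume the contents have already been copied, rotate whatever credentials they held, and only then revoke the sharing.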
Malicious SEO campaign compromises 15,000 WordPress sites
Researchers at Sucuri have described a “clever black hat SEO” campaign that has been set up to direct users to a “handful of fake low quality Q&A sites” that generate ad revenue. The campaign also seeks to “boost the sites’ authority using fake search result clicks to make Google rank them better so that they get more real organic search traffic.” The compromise is widespread, affecting 15,000 sites, and effectively redirects users to websites of the threat actors’ choice. It achieves this by redirecting visitors to what appears to be a PNG image that is, in fact, a “Google search result URL of a spam Q&A domain.” Read more.
Chinese network of 42,000 imposter sites discovered
Security researchers at Cyjax have discovered that a China-based threat actor group called Fangxiao has built a network of 42,000 websites that impersonate known brands such as Coca-Cola, McDonald’s, Knorr, Unilever, Shopee, Emirates and more. The sites contain detailed localization features and are part of a traffic generation campaign that generates ad revenue for Fangxiao’s own sites as well as for those who purchase traffic from the group. Fangxiao is said to register around 300 new domains on a daily basis. Victims are directed to the sites via ads or links sent through WhatsApp; the sites often feature a timed survey to add a sense of urgency. Read more.
Tech giant Thales has data stolen by LockBit gang
Cybercrime gang LockBit 3.0 has begun posting data that it purports to have stolen from global tech giant Thales in a ransomware attack after the company refused to pay up before a November 7th deadline. Thales has minimized the incident and provided assurances that the data leak will have no impact on its regular operations, that the information posted carries a low level of security risk, and that it was taken from a repository outside of the company’s internal systems. This leak marks the second time this year that LockBit has successfully attacked Thales. Read more.