SAN MATEO, CA, November 28, 2022 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Emergency Chrome update is browser’s 8th zero-day in 2022
- SharkBot malware hidden in Android file manager apps
- Microsoft: hackers are targeting energy grids that use decades-old Boa web server
- European Parliament website suffers cyberattack in response to Russia terrorism vote
- US tax filing websites have been sending sensitive financial information to Facebook
- Meta fires employees who accepted bribes from hackers
- Luna Moth criminal gang invests in call centers to facilitate social engineering scams
- Attackers steal $300K from DraftKings users in credential stuffing hack
- New AXLocker ransomware steals Discord accounts
Emergency Chrome update is browser’s 8th zero-day in 2022
Google has issued an update for the desktop version of its Chrome web browser, bringing the number of Chrome zero-days patched this year to eight as 2022 nears its end. Little is known about the high-severity flaw, labeled CVE-2022-4135, beyond the fact that it is a heap buffer overflow in the GPU component. To curtail the spread of the exploit, Google is opting to keep details thin until the majority of users have patched their software. Read more.
SharkBot malware hidden in Android file manager apps
SharkBot malware has been discovered hidden in Android file manager apps on the Google Play Store. “X-File Manager” and “FileVoyager,” the two apps found to install the malware, have been downloaded around 15,000 times in total. The apps have been removed from the store, but can still be downloaded via third-party outlets. SharkBot targets victims’ banking credentials and has recently been modified to avoid detection. Whereas previous instances of SharkBot automatically installed malicious code, the upgraded version now requires the victim to download a fake update or follow some other instruction to infect their device. Read more.
Microsoft: hackers are targeting energy grids that use decades-old Boa web server
Microsoft warns that hackers are targeting organizations in the energy sector by exploiting a flaw within the Boa web server. In spite of Boa having been discontinued in 2005, it is still widely used in security cameras and routers. Microsoft reports that it has identified one million vulnerable Boa servers globally over the span of a week. The server’s popularity, as well as the complex nature of its incorporation into IoT devices, makes mitigating risk difficult. Microsoft recommends that users patch all outdated components, identify those that harbor vulnerabilities and be sure that their detection processes are properly configured. Read more.
European Parliament website suffers cyberattack in response to Russia terrorism vote
The European Parliament, almost immediately after voting to declare Russia to be a state sponsor of terrorism due to strikes on civilian targets in Ukraine, suffered a DDoS attack that resulted in a network collapse. While the attack has been labeled as “the most sophisticated attack that the Parliament has known so far” by a senior member, it has only affected external traffic to government websites and has resulted in no disruption to regular operations. It is suspected that Killnet, a prolific pro-Moscow hacker gang, is responsible for the attack. The affected sites are expected to be back online shortly. Read more.
US tax filing websites have been sending sensitive financial information to Facebook
A number of popular tax filing services, including H&R Block and TaxSlayer, have been found to have been sending sensitive personal information to Facebook via the use of Meta Pixel. The information transmitted includes income, refund amounts, filing status, scholarship data, names and email addresses and is used by Meta to target advertising and content algorithms. While the IRS is protective of sensitive tax data, US taxpayers are generally forced to file with for-profit companies that are less dedicated to customer privacy. Read more.
Meta fires employees who accepted bribes from hackers
Dozens of Meta employees have been fired or disciplined for allegedly using the company’s internal Online Operations tool, referred to as Oops, to access Facebook user accounts without authorization. Employees were found to have been using Oops in cooperation with third parties in exchange for thousands of dollars in bribes. In some cases, hackers paid employees to reset accounts for them. One terminated employee, who was working as a contracted security guard, claims that she was coerced into using Oops, whereas others have denied wrongdoing altogether. Read more.
Luna Moth criminal gang invests in call centers to facilitate social engineering scams
The Luna Moth cybercrime gang, also referred to as Silent Ransom, has been found to have invested in call centers to facilitate a callback phishing campaign that has been in motion for months and stolen hundreds of thousands of dollars from targeted retail and legal organizations. Luna Moth has been sending emails to victims that include a phone number to call to cancel a subscription or dispute a charge. Victims who call in are connected to a live agent who installs a remote access tool onto their computer to exfiltrate data that can be used for extortion. The campaign is resource intensive but is able to bypass detection due to its emails not containing any attachments. Read more.
Attackers steal $300K from DraftKings users in credential stuffing hack
Users of sports betting website DraftKings watched hackers break into their accounts, change their passwords, assign two-factor authentication to a different device and then drain as much as possible from their linked bank accounts, to the tune of $300,000. DraftKings remained mum on the issue, in spite of users attempting to contact the company while seeing their accounts drained. Twelve hours after the hack, the company issued a statement asserting that no breach had occurred within DraftKings and that the attackers had likely used a credential stuffing attack, taking over accounts with login credentials stolen from other websites. DraftKings intends to reimburse lost funds and encouraged users to maintain good password hygiene and enable two-factor authentication wherever possible. Read more.
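The DraftKings item describes the two signals a defender can watch for: one source cycling through many different accounts (credential stuffing against reused passwords), and a successful login followed quickly by a password change and a 2FA-device change on the same account. The following is an added example, not DraftKings' code or anything from the original roundup; it runs a simple detection heuristic over a constructed, space-separated auth log (timestamp, source IP, action, account, outcome), with the log format, field names and thresholds all being assumptions.

```python
"""Credential-stuffing and account-takeover detection over constructed login logs.

Added example, not DraftKings' code. Assumes a generic auth log in which
each line records: timestamp, source IP, action, account, outcome.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). One IP tries many different
# accounts in quick succession; one attempt succeeds, and that account's
# password and 2FA device are then changed from the same IP. A second IP
# shows an ordinary user retrying their own account, which must not be flagged.
SAMPLE_LOG = """\
2022-11-18T03:00:01Z 203.0.113.9 login alice failure
2022-11-18T03:00:02Z 203.0.113.9 login bob failure
2022-11-18T03:00:03Z 203.0.113.9 login carol success
2022-11-18T03:00:04Z 203.0.113.9 login dave failure
2022-11-18T03:00:05Z 203.0.113.9 login erin failure
2022-11-18T03:00:06Z 203.0.113.9 login frank failure
2022-11-18T03:00:30Z 203.0.113.9 password_change carol success
2022-11-18T03:00:45Z 203.0.113.9 mfa_device_change carol success
2022-11-18T03:05:00Z 198.51.100.4 login grace success
2022-11-18T03:06:00Z 198.51.100.4 login grace failure
2022-11-18T03:06:30Z 198.51.100.4 login grace success
"""

SENSITIVE_ACTIONS = ("password_change", "mfa_device_change")


def parse_log(text):
    """Parse the assumed log format into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, action, account, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "action": action, "account": account, "outcome": outcome,
        })
    return events


def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted accounts} for IPs that attempted logins to at least
    min_accounts distinct accounts inside a sliding time window. A user
    retrying their own account never trips this; a run through a leaked
    credential list does, regardless of how many attempts fail."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["account"] for e in evs[start:end + 1]}
            if len(distinct) >= min_accounts and len(distinct) > len(flagged.get(ip, ())):
                flagged[ip] = sorted(distinct)
    return flagged


def takeover_candidates(events, flagged_ips, grace=timedelta(minutes=15)):
    """Return {account: [actions]} for accounts with a successful login from a
    flagged IP that was followed, from the same IP and within `grace`, by a
    password change or 2FA-device change: the sequence the roundup describes."""
    successes = [e for e in events if e["action"] == "login"
                 and e["outcome"] == "success" and e["ip"] in flagged_ips]
    candidates = defaultdict(list)
    for login in successes:
        for e in events:
            if (e["ip"] == login["ip"] and e["account"] == login["account"]
                    and e["action"] in SENSITIVE_ACTIONS and e["outcome"] == "success"
                    and timedelta(0) <= e["ts"] - login["ts"] <= grace
                    and e["action"] not in candidates[login["account"]]):
                candidates[login["account"]].append(e["action"])
    return dict(candidates)


def analyze(text):
    """Run both heuristics over a log and return (stuffing sources, takeover candidates)."""
    events = parse_log(text)
    sources = stuffing_sources(events)
    return sources, takeover_candidates(events, sources)


if __name__ == "__main__":
    sources, takeovers = analyze(SAMPLE_LOG)
    for ip, accounts in sources.items():
        print(f"stuffing source {ip}: {len(accounts)} distinct accounts tried")
    for account, actions in takeovers.items():
        print(f"possible takeover of {account}: {', '.join(actions)}")
```

On the sample log the first heuristic flags 203.0.113.9 (six accounts in five seconds) and leaves 198.51.100.4 alone, and the second pairs carol's successful login with the password and 2FA-device changes that followed from the same address. In production the thresholds would be tuned against real traffic, and the second signal is worth alerting on even without the first, since a successful login immediately followed by credential and 2FA changes is exactly what a locked-out legitimate user cannot do.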
New AXLocker ransomware steals Discord accounts
Security researchers at Cyble have recently discovered that a new ransomware variant, dubbed AXLocker, not only encrypts victims’ files and demands a ransom, but also steals the login credentials of their Discord account. The ransomware component of AXLocker is nothing remarkable, as it behaves in a standard manner. Curiously, however, the ransom demand it makes does not list an amount but tells the victim to contact the threat actors to purchase decryption. Because Discord has become the go-to platform for crypto and NFT communities, it has become a prime target for criminals. Read more.