SAN MATEO, CA, September 18, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Facebook business accounts targeted by new NodeStealer malware
- A social engineering phone call appears to be at the heart of the ransomware attack against MGM Resorts
- New 3AM ransomware variant discovered
- Fraudulent Cisco Webex Google Ads pushing malware
- Microsoft: Storm-0324 phishing campaign targets corporate systems via Teams message
- New malware variant targets Intel-based macOS users
- Phishing campaign infecting victims with Agent Tesla, OriginBotnet, and RedLine Clipper
- Major GitHub vulnerability leaves repositories exposed to repojacking
- Google patches actively exploited Chrome zero-day bug
Facebook business accounts targeted by new NodeStealer malware
A variant of the Python-based NodeStealer malware has been making the rounds on Facebook, with criminals looking to take over Business accounts for nefarious purposes. NodeStealer can exfiltrate victims’ cookies and passwords to break into Gmail, Facebook, and Outlook accounts. According to a researcher from Guardio Labs, “compared to earlier variants, the new NodeStealer variant uses batch files to download and run Python scripts and steal credentials and cookies from multiple browsers and for multiple websites.” It is being spread by fraudulent messages sent from botted and hijacked accounts purporting to be customer complaints about defective products. Read more.
A social engineering phone call appears to be at the heart of the ransomware attack against MGM Resorts
The recent cyberattack against MGM Resorts was reportedly sparked by a phone call to the company’s IT help desk in which an employee was asked to turn over sensitive information that allowed the threat actor to wreak havoc and steal a trove of sensitive customer data, including home addresses and Social Security numbers. According to unverified reports, Scattered Spider, an affiliate of ALPHV, gathered information about an MGM employee via their LinkedIn profile and impersonated them. ALPHV is known for its adeptness at social engineering schemes, although the group has denied making official statements regarding the hack. Read more.
New 3AM ransomware variant discovered
A new ransomware variant called “3AM” has been discovered by Symantec’s Threat Hunter Team. According to their findings, “3AM is written in Rust and appears to be a completely new malware family. The ransomware attempts to stop multiple services on the infected computer before it encrypts files.” The 3AM ransomware was deployed after an attempted LockBit attack failed. Symantec states that this strategy of using more than one ransomware variant in an attack has been observed before and that “ransomware affiliates have become increasingly independent from ransomware operators.” Instances of 3AM are currently minimal, but Symantec expects the variant to raise its head in future attacks. Read more.
Fraudulent Cisco Webex Google Ads pushing malware
A report from Malwarebytes describes a campaign that sees Mexico-based threat actors using malicious Google Ads that impersonate the official Webex download portal but direct victims to sites that infect them with the BatLoader malware. The threat actors can perform the bait and switch by exploiting a loophole within the Google Ads tracking template while still complying with Google’s rules. The malicious ads rank in the highest position in Google search results for “Webex,” making them appear legitimate. It is recommended that, when using Google to search for software, users ignore the promoted results and seek out the developer’s official site. Read more.
Microsoft: Storm-0324 phishing campaign targets corporate systems via Teams message
A campaign that Microsoft’s Threat Intelligence Team has called Storm-0324 is using Teams messages as “lures to infiltrate corporate networks.” The messages are loaded with links that direct victims to a malicious ZIP file hosted on SharePoint. From ransomware to banking trojans and toolkits, researchers warn that “Storm-0324 operates in the cybercriminal economy as a payload distributor, offering a service that allows for the propagation of various payloads using evasive infection chains.” Microsoft has made security enhancements to help block this activity and notes that “because Storm-0324 hands-off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.” Read more.
New malware variant targets Intel-based macOS users
A new Go-based malware variant called “MetaStealer” that can evade Apple’s built-in anti-malware technology XProtect has been observed stealing data from Intel-based macOS computers. Distributed via social engineering, the malware is deployed through emails sent to businesses that purport to be from clients. “Attached to the phishing emails are disk image files that, when mounted on the filesystem, contain deceptively named executables that appear as PDF files to trick the victim into opening them.” Once embedded, MetaStealer exfiltrates passwords, files, and app data. It also targets Telegram and Meta services to steal saved passwords. Read more.
Phishing campaign infecting victims with Agent Tesla, OriginBotnet, and RedLine Clipper
A phishing campaign is infecting victims with Agent Tesla, OriginBotnet, and RedLine Clipper via emails containing a malicious Microsoft Word document, according to a report from Fortinet FortiGuard Labs. RedLine Clipper is a .NET executable used to steal cryptocurrency. Agent Tesla is a “.NET-based remote access trojan (RAT) and data stealer for gaining initial access and exfiltrating sensitive information such as keystrokes and login credentials used in web browsers to a command-and-control (C2) server over SMTP protocol.” OriginBotnet “packs in a wide range of features to collect data, establish communications with its C2 server, and download supplementary plugins from the server to execute keylogging or password recovery functions on compromised endpoints.” Read more.
Major GitHub vulnerability leaves repositories exposed to repojacking
A security researcher from Checkmarx has reported on a GitHub flaw that may have exposed more than 4,000 repositories to the risk of repojacking attacks. As described in the researcher’s report, the bug “could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations… Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions.” The flaw was disclosed to GitHub in March but was finally addressed on September 1st and “underlines the persistent risks associated with the ‘popular repository namespace retirement’ mechanism.” Read more.
Google patches actively exploited Chrome zero-day bug
Google has fixed a critical zero-day bug in its Chrome web browser, the fourth Chrome zero-day to receive a patch since the start of the year. CVE-2023-4863 is “caused by a WebP heap buffer overflow weakness whose impact ranges from crashes to arbitrary code execution.” Because the bug is being actively exploited in the wild, Google has been tight-lipped, saying that “access to bug details and links may be kept restricted until most users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.” Read more.