SAN MATEO, CA, November 13, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- OpenAI ChatGPT disruptions the result of DDoS attacks
- Hackers are using fake Windows news portals in new malvertising campaign
- Farnetwork’s ransomware-as-a-service business model exposed by security researchers
- North Korea’s BlueNoroff hacker group targeting macOS users with new malware
- Threat actors taking advantage of Looney Tunables Linux bug
- Ransomware attackers exploiting critical flaw in Atlassian
- Hidden for 5 years, StripedFly malware infected 1 million devices
- New cybercrime service can bypass Android security and install malware
OpenAI ChatGPT disruptions caused by DDoS attacks
Outages plaguing OpenAI’s services are due to ongoing DDoS attacks, according to a statement from the company. OpenAI has not attributed the attacks, but Anonymous Sudan has claimed credit for the activity, citing the company’s “general biasness towards Israel and against Palestine” as the motive behind its actions. Anonymous Sudan has also confirmed that the attacks were carried out using the SkyNet botnet, which recently added support for Layer 7 (application-layer) DDoS attacks. Anonymous Sudan launched in January 2023 with the self-proclaimed mission of targeting any entity opposed to Sudan. Still, some security researchers suspect the group is operating under a false flag and is associated with Russia.
Hackers are using fake Windows news portals in new malvertising campaign
An extensive malvertising campaign has been reported to use fake websites masquerading as Windows news portals to spread a “malicious installer for a popular system profiling tool called CPU-Z.” Malvertising campaigns typically create spoofed websites that advertise common software. This campaign is different because it mimics WindowsReport.com to “trick unsuspecting users searching for CPU-Z on search engines like Google” into downloading malware. “This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection,” according to Malwarebytes’ Jérôme Segura.
Farnetwork’s ransomware-as-a-service business model exposed by security researchers
Farnetwork, a threat actor implicated in 5 different ransomware-as-a-service programs, has been “unmasked” by cybersecurity researchers. Group-IB, a Singapore-headquartered security firm, says it conducted a “job interview” with the hacker in which it gained “valuable insights into their background and role within those RaaS programs.” Farnetwork has operated under multiple aliases across various underground hacking forums. The individual is also believed to have launched their own botnet service and to have served a critical recruitment role in the Nokoyawa RaaS program, “asking potential candidates to facilitate privilege escalation using stolen corporate account credentials.” Nokoyawa has ceased operations, though researchers fully expect Farnetwork to remain a prolific participant in the cybercrime community.
North Korea’s BlueNoroff hacker group targeting macOS users with new malware
North Korean threat group BlueNoroff is using a new macOS malware called ObjCShellz to install backdoors on targeted systems. Findings from malware analysts at Jamf indicate that “ObjCShellz is an Objective-C-based malware” that has been “designed to open remote shells on compromised macOS systems after being dropped using an unknown initial access vector.” BlueNoroff has a reputation for attacking cryptocurrency exchanges and being financially motivated. North Korean state-backed hackers, according to a report from the United Nations four years ago, had stolen around $2 billion across approximately 35 cyberattacks.
Threat actors taking advantage of Looney Tunables Linux bug
The operators of Kinsing malware, known for breaching cloud-based environments to deploy cryptominers, are currently targeting cloud systems vulnerable to a Linux security issue referred to as “Looney Tunables.” When exploited, this flaw gives a local attacker root privileges on the system. Researchers at Aqua Nautilus report that the attack begins with “exploiting a known vulnerability in the PHP testing framework ‘PHPUnit’ to gain a code execution foothold, followed by triggering the ‘Looney Tunables’ issue to escalate privileges.” The researchers conclude that this Kinsing campaign was experimental, showing signs of evolution as it moved toward a Cloud Service Provider credential harvesting operation.
Ransomware attackers exploiting critical flaw in Atlassian
A critical vulnerability in Atlassian Confluence Data Center and Server, for which a public exploit was recently released, is already being leveraged by threat actors to deploy ransomware, according to reports from security researchers at Rapid7. The vulnerability, tracked as CVE-2023-22518, has had its severity score raised to 10.0 by Atlassian “due to the change in the scope of the attack.” Atlassian Cloud users are not affected by this bug, but all other users are urged to update their software to the latest version immediately to stave off attack. More than 24,000 Confluence servers are exposed online, but it’s unclear how many of those instances are still running vulnerable software versions.
Hidden for 5 years, StripedFly malware infected 1 million devices
StripedFly, an advanced malware strain masquerading as a crypto miner, has been operating unnoticed for five years, infecting a million devices worldwide. Kaspersky reports that StripedFly is an “intricate modular framework that supports both Linux and Windows” and is part of a “larger entity that employs a custom EternalBlue SMBv1 exploit attributed to the Equation Group to infiltrate publicly accessible systems.” StripedFly features “a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives.” StripedFly’s origins are still unknown, but its sophistication implies that a highly capable APT developed it.
New cybercrime service can bypass Android security and install malware
SecuriDropper is a new dropper-as-a-service (DaaS) operation that uses a “method that bypasses the ‘Restricted Settings’ feature in Android to install malware on devices and obtain access to Accessibility Services.” To infect an Android device, SecuriDropper impersonates a legitimate app, usually a Google app, an Android app, a video player, or a game, and then installs a second payload containing malware via “user deception and interface manipulation, prompting users to click a ‘Reinstall’ button after displaying bogus error messages about the dropper app’s installation.”