Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel

An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively. Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also known as Storm-0842 (formerly DEV-0842) by

GitCaught campaign relies on Github and Filezilla to deliver multiple malware

Researchers discovered a sophisticated cybercriminal campaign by Russian-speaking threat actors that used GitHub to distribute malware.

Recorded Future’s Insikt Group discovered a sophisticated cybercriminal campaign by Russian-speaking threat actors from the Commonwealth of Independent States (CIS). The attackers, tracked as GitCaught, used a GitHub profile to impersonate legitimate software applications, including 1Password, Bartender 5, and Pixelmator Pro, to distribute malware such as Atomic macOS Stealer (AMOS), Lumma, Octo, and Vidar. The campaign shows how attackers exploit trusted internet services to carry out cyberattacks that steal personal information.

The malware employed in the multi-faceted campaign shared the same C2 infrastructure, suggesting attackers coordinated efforts to maximize the impact of the attacks. The threat actors are suspected to be a highly organized group with substantial resources and sophisticated capabilities.

The threat actors behind this campaign use free, web-based infrastructure, such as FileZilla servers, to deliver malware, a tactic that helps them avoid detection. The researchers also noticed Russian-language artifacts in the analyzed HTML code, which points to the threat actors’ origin.

During the investigation, the researchers identified twelve websites that falsely advertised downloads of legitimate macOS applications, but instead directed victims to a GitHub profile to distribute the Atomic macOS Stealer (AMOS). Insikt Group monitored the profile for several weeks and discovered additional malicious payloads, including the Octo banking trojan and various Windows-based infostealers. Further analysis showed communications with a FileZilla server used as a dropper for infostealer variants like Lumma and Vidar, delivered through Python scripts and encrypted files with variable payloads. Insights from the FileZilla server and Recorded Future’s Network Intelligence led to the identification of four additional IP addresses linked to the threat actor’s network.

“Over the course of Insikt Group’s analysis of AMOS, twelve domains were discovered impersonating legitimate macOS applications such as CleanShot X, 1Password, and Bartender. All twelve identified domains redirected users to a GitHub profile belonging to a user named “papinyurii33” to download macOS installation media, resulting in an AMOS infostealer infection. As Insikt Group reported previously, the current AMOS version is capable of infecting both Intel-based and ARM-based Macs. According to GitHub, this profile was created on January 16, 2024.” reads the report published by Recorded Future’s Insikt Group. “The last observed contribution by papinyurii33, as of this writing, occurred on March 7, 2024, and contained only two repositories, or “repos,” named “2132” and “22.””

The Insikt Group also spotted a website distributing AMOS malware along with Rhadamanthys by posing as legitimate software. Instead of hosting the malware directly, the fake application site redirects users to file-sharing services like Dropbox and Bitbucket. One of these malicious sites masqueraded as Rainway, a now-defunct remote desktop video game streaming service. While Rainway’s legitimate domain is rainway[.]com, the malicious domain is rainway[.]cloud. The researchers noticed that Google search for “Rainway” currently lists rainway[.]cloud as a top result above the legitimate rainway[.]com.

The report includes Indicators of Compromise and mitigations for this campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, GitCaught)

Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. "This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point said in a technical report. "This exploit has been used by multiple

Two students uncovered a flaw that allows laundry machines to be used for free

Two students discovered a security flaw in over a million internet-connected laundry machines that could let anyone do laundry for free.

CSC ServiceWorks is a company that provides laundry services and air vending solutions for multifamily housing, academic institutions, hospitality, and other commercial sectors. They manage and operate many internet-connected laundry machines and systems, offering services such as coin and card-operated laundry machines, mobile payment solutions, and maintenance support.

Two students, Alexander Sherbrooke and Iakov Taranenko, from UC Santa Cruz discovered a vulnerability impacting over a million internet-connected laundry machines used in residences and college campuses worldwide. A remote attacker can exploit this vulnerability to send commands to the laundry machines and run laundry cycles for free. The duo reported the flaw to the vendor earlier this year, but they claim the company has yet to fix it.

“UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko told TechCrunch that the vulnerability they discovered allows anyone to remotely send commands to laundry machines run by CSC and operate laundry cycles for free.” reported TechCrunch.

Sherbrooke explained that he was sitting in his basement laundry room in January when he ran a script from his laptop that instructed the laundry machine to start a cycle despite having no funds in his account. The machine immediately responded with a loud beep and displayed “PUSH START,” indicating it was ready to wash a free load of laundry.

Sherbrooke and Taranenko were also able to add several million dollars to their laundry account which can be managed through the CSC Go mobile app.

The duo sent the company several messages through its online contact form, but the vendor never replied.

Then the two students reported the issue to the CERT Coordination Center at Carnegie Mellon University.

The CERT Coordination Center notified the affected vendor of the issue. However, after the researchers reported their findings, CSC quietly reset their account balance of several million dollars.

The vulnerability resides in the API used by CSC’s mobile app, CSC Go. The two students found that the app lacks security checks and mutual authentication between the app and CSC’s servers. They also discovered that it is possible to send commands to CSC’s servers that are not available through the app itself.

Access to the API allowed the researchers to enumerate the list of commands supported by CSC’s servers. Another aspect to consider is that it is quite simple for remote attackers to locate laundry machines and send commands to them.

Taranenko was disappointed that CSC did not acknowledge the vulnerability.

“CSC quietly wiped out the researchers’ account balance of several million dollars after they reported their findings, but the researchers said the bug remains unfixed and it’s still possible for users to “freely” give themselves any amount of money.” concludes TechCrunch.

Pierluigi Paganini

(SecurityAffairs – hacking, laundry machines)

Defending Your Commits From Known CVEs With GitGuardian SCA And Git Hooks

All developers want to create secure and dependable software. They should feel proud to release their code with the full confidence they did not introduce any weaknesses or anti-patterns into their applications. Unfortunately, developers are not writing their own code for the most part these days. 96% of all software contains some open-source components, and open-source components make

Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail

A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro. "The presence of multiple malware variants suggests a broad cross-platform targeting

Grandoreiro Banking Trojan is back and targets banks worldwide

A new Grandoreiro banking trojan campaign has been ongoing since March 2024, following the disruption by law enforcement in January.

IBM X-Force warns of a new Grandoreiro banking trojan campaign that has been ongoing since March 2024. Operators behind the Grandoreiro banking trojan have resumed operations following a law enforcement takedown in January.

The recent campaign is targeting over 1,500 banks in more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific. The banking Trojan is likely operated as a Malware-as-a-Service (MaaS).

Grandoreiro is a modular backdoor that supports the following capabilities:

  • Keylogging
  • Auto-updating to newer versions and modules
  • Web-Injects and restricting access to specific websites
  • Command execution
  • Manipulating windows
  • Guiding the victim’s browser to a certain URL
  • C2 Domain Generation via DGA (Domain Generation Algorithm)
  • Imitating mouse and keyboard movements

The latest version shows major updates in the string decryption and domain generation algorithm (DGA). It can also use Microsoft Outlook clients on infected hosts to send further phishing emails.

Traditionally limited to Latin America, Spain, and Portugal, recent Grandoreiro campaigns have expanded their targets to include entities such as Mexico’s Tax Administration Service (SAT), Federal Electricity Commission (CFE), Secretary of Administration and Finance, the Revenue Service of Argentina, and the South African Revenue Service (SARS). The recent campaign demonstrates that operators are expanding the malware’s deployment globally, starting with South Africa.

In each attack observed by the experts, threat actors instructed recipients to click on a link to view an invoice, fee, account statement, or make a payment, depending on the impersonated entity. If the user is in a targeted country (Mexico, Chile, Spain, Costa Rica, Peru, or Argentina), they are redirected to an image of a PDF icon, while a ZIP file is downloaded in the background. These ZIP files contain a large executable disguised as a PDF icon, created the day before or the day of the email being sent.

The loader is bloated to more than 100 MB to prevent automatic antivirus scanning. To defeat automated execution, it displays a small CAPTCHA pop-up imitating Adobe PDF Reader, which requires a click before execution continues.

The loader prevents execution in a sandbox by verifying that the client is a legitimate victim; it enumerates basic victim data and sends it back to its C2. Finally, the loader downloads, decrypts, and executes the Grandoreiro banking trojan.

    The malware does not continue execution if the public IP address of the infected system is from Russia, Czechia, Poland, or the Netherlands. It also avoids infecting Windows 7 machines in the US that have no antivirus installed.

    The banking Trojan establishes persistence via the Windows registry, then uses a reworked DGA to connect to a C2 server and await further instructions.

    “One of Grandoreiro’s most interesting features is its capability to spread by harvesting data from Outlook and using the victim’s account to send out spam emails. There are at least 3 mechanisms implemented in Grandoreiro to harvest and exfiltrate email addresses, with each using a different DGA seed.” states the report. “By using the local Outlook client for spamming, Grandoreiro can spread through infected victim inboxes via email, which likely contributes to the large amount of spam volume observed from Grandoreiro.”

    To interact with the local Outlook client, the malware relies on the Outlook Security Manager tool, which prevents the Outlook Object Model Guard from raising security alerts when it detects access to protected objects.

    “The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale.” concludes the report.

    Pierluigi Paganini

    (SecurityAffairs – hacking, banking Trojan)

    Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

    Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize WMI's ability to invoke msiexec.exe and install a remotely-hosted MSI

    Healthcare firm WebTPA data breach impacted 2.5 million individuals

    WebTPA, a third-party administrator that provides healthcare management and administrative services, disclosed a data breach.

    WebTPA is a third-party administrator that provides healthcare management and administrative services. The US company disclosed a data breach that impacted almost 2.5 million people. According to the report WebTPA sent to the U.S. Department of Health and Human Services on May 8, the incident affected 2,429,175 individuals.

    According to the notice published by the company, WebTPA acts as an administrative services provider to certain benefit plans and insurance companies whose information was impacted in this incident.

    WebTPA discovered suspicious activity on its network on December 28, 2023 and launched an investigation with the help of third-party cybersecurity experts. The investigation revealed that an unauthorized actor may have obtained personal information between April 18 and April 23, 2023.

    The company also notified federal law enforcement.

    “On December 28, 2023, we detected evidence of suspicious activity on the WebTPA network that prompted us to launch an investigation. Upon detecting the incident, we promptly initiated measures to mitigate the threat and further secure our network.” reads the notice published by the company. “The investigation concluded that the unauthorized actor may have obtained personal information between April 18 and April 23, 2023.”

    WebTPA promptly notified benefit plans and insurance companies about the incident and the potential exposure of personal information. They worked diligently to determine the extent of the impacted data and provided this information to the benefit plans and insurance companies on March 25, 2024.

    Exposed information may include name, contact information, date of birth, date of death, Social Security number, and insurance information. The exposed data may vary for each individual. The company pointed out that financial account information, credit card numbers, and treatment or diagnostic information were not impacted.

    WebTPA is offering individuals two years of complimentary identity monitoring services through Kroll. They have also implemented additional security measures to enhance their network’s security. The company added that it is not aware of any misuse of benefit plan member information due to this incident.

    The company recommends the impacted individuals stay vigilant against identity theft or fraud and carefully review credit reports and Explanations of Benefits (EOBs) for suspicious activity.

    Pierluigi Paganini

    (SecurityAffairs – hacking, data breach)

    Security Affairs newsletter Round 472 by Pierluigi Paganini – INTERNATIONAL EDITION

    A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

    Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

    North Korea-linked IT workers infiltrated hundreds of US firms
    Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs
    City of Wichita disclosed a data breach after the recent ransomware attack
    CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog
    CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog
    North Korea-linked Kimsuky APT attack targets victims via Messenger
    Electronic prescription provider MediSecure impacted by a ransomware attack
    Google fixes seventh actively exploited Chrome zero-day this year, the third in a week
    Santander: a data breach at a third-party provider impacted customers and employees
    FBI seized the notorious BreachForums hacking forum
    A Tornado Cash developer has been sentenced to 64 months in prison
    Adobe fixed multiple critical flaws in Acrobat and Reader
    Ransomware attack on Singing River Health System impacted 895,000 people
    Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days
    VMware fixed zero-day flaws demonstrated at Pwn2Own Vancouver 2024
    MITRE released EMB3D Threat Model for embedded devices
    Google fixes sixth actively exploited Chrome zero-day this year
    Phorpiex botnet sent millions of phishing emails to deliver LockBit Black ransomware
    Threat actors may have exploited a zero-day in older iPhones, Apple warns
    City of Helsinki suffered a data breach
    Russian hackers defaced local British news sites
    Australian Firstmac Limited disclosed a data breach after cyber attack
    Pro-Russia hackers targeted Kosovo’s government websites
    As of May 2024, Black Basta ransomware affiliates hacked over 500 organizations worldwide

    International Press – Newsletter

    Cybercrime    

    New LockBit Black Campaign Observed  

    Developer of Tornado Cash gets jail sentence for laundering billions of dollars in cryptocurrency  

    Australian government investigating ‘large-scale ransomware’ data breach of script provider MediSecure   

    Boeing confirms attempted $200 million ransomware extortion attempt  

    Personal Information Stolen in City of Wichita Ransomware Attack

    Attribution Matters!? Eight Names of Ransomware Actors Revealed, So What?  

    Malware

    Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach

    400,000 Linux Servers Hit by Ebury Botnet    

    To the Moon and back(doors): Lunar landing in diplomatic missions  

    Springtail: New Linux Backdoor Added to Toolkit  

    Hacking 

    Third Chrome Zero-Day Patched by Google Within One Week 

    Cyber Official Speaks Out, Reveals Mobile Network Attacks in U.S.  

    Hackers Moving To AI But Lacking Behind The Defenders In Adoption Rates  

    Kimsuky APT attack discovered using Facebook and MS management console   

    Intelligence and Information Warfare 

    Russian Hackers Accused of Cyberattacks on Kosovo Government Websites 

    OSINT overdose: Intelligence agencies seek new ways to manage surge of open-source intel  

    Russia directing hackers to attack UK and west, says director of GCHQ  

    AI spy: Microsoft launches covert chatbot for US intel agencies

    U.S. elections face more threats from foreign actors and artificial intelligence  

    China-linked group uses malware to try to spy on commercial shipping, new report says  

    Cybersecurity   

    Helsinki suffers data breach after hackers exploit unpatched flaw

    The MITRE EMB3D™ Threat Model

    THE MAY 2024 SECURITY UPDATE REVIEW      

    Santander Data Breach Impacts Customers, Employees  

    Mysterious actor spills over 1.2B records on Chinese users   

    Charges and Seizures Brought in Fraud Scheme Aimed at Denying Revenue for Workers Associated with North Korea   

    U.S. elections face more threats from foreign actors and artificial intelligence      

    Pierluigi Paganini

    (SecurityAffairs – hacking, newsletter)

    North Korea-linked Kimsuky used a new Linux backdoor in recent attacks

    Symantec warns of a new Linux backdoor used by the North Korea-linked Kimsuky APT in a recent campaign against organizations in South Korea. 

    Symantec researchers observed the North Korea-linked group Kimsuky using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor which was delivered in a recent campaign by Kimsuky via Trojanized software installation packages.

    Kimsuky cyberespionage group (aka Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researchers in 2013. The APT group mainly targets think tanks and organizations in South Korea; other victims were in the United States, Europe, and Russia.

    In 2023 the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

    Gomir and GoBear share a great portion of their code.

    Researchers from South Korean security firm S2W first uncovered the campaign in February 2024, when the threat actors were observed delivering a new malware family named Troll Stealer through Trojanized software installation packages. Troll Stealer supports multiple stealing capabilities: it allows operators to gather files, screenshots, browser data, and system information. The malicious code is written in Go, and the researchers noticed that Troll Stealer shares a large amount of code with earlier Kimsuky malware.

    Troll Stealer can also copy the GPKI (Government Public Key Infrastructure) folder on infected computers. GPKI is the public key infrastructure schema for South Korean government personnel and state organizations, suggesting that government agencies were among the targets of the state-sponsored hackers.

    The malware was distributed inside the installation packages for TrustPKI and NX_PRNMAN, software developed by SGA Solutions. Victims downloaded the packages from a page that was redirected from a specific website. 

    Symantec also discovered that Troll Stealer was delivered in Trojanized installation packages for Wizvera VeraPort.

    The WIZVERA VeraPort integration installation program is used to manage additional security software (e.g., browser plug-ins, security software, identity verification software) that users are required to install in order to visit particular government and banking domains. WIZVERA VeraPort is used to digitally sign and verify downloads.

    Wizvera VeraPort was previously reported to have been compromised by a supply chain attack conducted by North Korea-linked group Lazarus.

    “Troll Stealer appears to be related to another recently discovered Go-based backdoor named GoBear. Both threats are signed with a legitimate certificate issued to “D2innovation Co.,LTD”. GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin.” reads the report published by Symantec.

    When executed, the malware checks the group ID value to determine whether it is running as group 0 (the group associated with superuser or administrative privileges) on the Linux machine, and then copies itself to /var/log/syslogd to maintain persistence.

    It creates a systemd service named ‘syslogd’ and starts it, then deletes the original executable and terminates the initial process. The backdoor also attempts to configure a crontab command to run on system reboot by creating a helper file (‘cron.txt’) in the current directory. If the crontab list is successfully updated, the malware deletes the helper file and then runs itself again without any command-line parameters.
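A defender-side check for the persistence artifacts just described, added here as an example that is not part of the article or the Symantec report. Only the drop path /var/log/syslogd and the service name syslogd come from the page; the sample file list, unit files and crontab text are constructed, and on a real host the same functions would be fed the output of a directory walk, the contents of /etc/systemd/system and root's `crontab -l`.

```python
import re

# Persistence artifacts named in the article: the backdoor copies itself to
# /var/log/syslogd, registers and starts a systemd service called "syslogd",
# and tries to add a crontab entry that runs on reboot.
GOMIR_BINARY_PATH = "/var/log/syslogd"
GOMIR_SERVICE = "syslogd.service"

_EXECSTART_RE = re.compile(r"^\s*ExecStart\s*=\s*(.+?)\s*$", re.MULTILINE)


def check_binary_path(existing_files):
    """Flag a file at the path the backdoor copies itself to.

    existing_files: iterable of absolute paths present on the host
    (constructed in the sample below; a real scan would walk /var/log).
    Legitimate logger binaries live under /usr/sbin, not /var/log.
    """
    return [f"file present at {p} (Gomir drop location)"
            for p in existing_files if p == GOMIR_BINARY_PATH]


def check_systemd_units(units):
    """units: mapping of unit file path -> unit file contents.

    Two signals: any unit whose ExecStart launches /var/log/syslogd, and a
    unit literally named syslogd.service, which the malware creates to look
    like the system logger (distributions ship rsyslog.service or
    syslog-ng.service instead, so the bare name alone deserves a look).
    """
    findings = []
    for path, text in units.items():
        commands = _EXECSTART_RE.findall(text)
        if any(GOMIR_BINARY_PATH in cmd for cmd in commands):
            findings.append(f"{path}: ExecStart launches {GOMIR_BINARY_PATH}")
        elif path.endswith("/" + GOMIR_SERVICE):
            findings.append(f"{path}: unit named {GOMIR_SERVICE}; "
                            "verify it is the distribution's logger")
    return findings


def check_crontab(crontab_text):
    """crontab_text: output of `crontab -l` for the root user.

    Flags any entry that executes /var/log/syslogd and labels @reboot
    entries specifically, since the article says the backdoor aims for a
    run-on-reboot schedule.
    """
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if GOMIR_BINARY_PATH in stripped:
            trigger = "@reboot" if stripped.startswith("@reboot") else "scheduled"
            findings.append(
                f"crontab line {lineno}: {trigger} entry runs {GOMIR_BINARY_PATH}")
    return findings


def scan_host(existing_files, units, crontab_text):
    """Run all three checks and return the combined list of findings."""
    return (check_binary_path(existing_files)
            + check_systemd_units(units)
            + check_crontab(crontab_text))


# Constructed sample: what a compromised host might look like.
RSYSLOG_UNIT = ("[Unit]\nDescription=System Logging Service\n\n"
                "[Service]\nExecStart=/usr/sbin/rsyslogd -n -iNONE\n")
INFECTED_FILES = ["/var/log/syslog", "/var/log/syslogd", "/var/log/auth.log"]
INFECTED_UNITS = {
    "/etc/systemd/system/syslogd.service": (
        "[Unit]\nDescription=syslogd\n\n"
        "[Service]\nExecStart=/var/log/syslogd\nRestart=always\n\n"
        "[Install]\nWantedBy=multi-user.target\n"),
    "/lib/systemd/system/rsyslog.service": RSYSLOG_UNIT,
}
INFECTED_CRONTAB = ("# m h dom mon dow command\n"
                    "@reboot /var/log/syslogd\n"
                    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n")

# Constructed sample: a clean host running only the distribution's logger.
CLEAN_FILES = ["/var/log/syslog", "/var/log/auth.log"]
CLEAN_UNITS = {"/lib/systemd/system/rsyslog.service": RSYSLOG_UNIT}
CLEAN_CRONTAB = "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"

if __name__ == "__main__":
    for finding in scan_host(INFECTED_FILES, INFECTED_UNITS, INFECTED_CRONTAB):
        print("ALERT:", finding)
```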

    The Gomir backdoor periodically communicates with its C2 via HTTP POST requests to http://216.189.159[.]34/mir/index.php.

    The malicious code polls the C2 for commands to execute, and the researchers observed it supporting multiple operations, including:

    Operation  Description
    01  Pauses communication with the C&C server for an arbitrary time duration.
    02  Executes an arbitrary string as a shell command (“[shell]” “-c” “[arbitrary_string]”). The shell used is specified by the environment variable “SHELL”, if present. Otherwise, a fallback shell is configured by operation 10 below.
    03  Reports the current working directory.
    04  Changes the current working directory and reports the working directory’s new pathname.
    05  Probes arbitrary network endpoints for TCP connectivity.
    06  Terminates its own process. This stops the backdoor.
    07  Reports the executable pathname of its own process (the backdoor executable).
    08  Collects statistics about an arbitrary directory tree and reports: total number of subdirectories, total number of files, total size of files.
    09  Reports the configuration details of the affected computer: hostname, username, CPU, RAM, network interfaces, listing each interface name, MAC, IP, and IPv6 address.
    10  Configures a fallback shell to use when executing the shell command in operation 02. Initial configuration value is “/bin/sh”.
    11  Configures a codepage to use when interpreting output from the shell command in operation 02.
    12  Pauses communication with the C&C server until an arbitrary datetime.
    13  Responds with the message “Not implemented on Linux!” (hardcoded).
    14  Starts a reverse proxy by connecting to an arbitrary control endpoint. The communication with the control endpoint is encrypted using the SSL protocol and uses messages consistent with https://github.com/kost/revsocks.git, where the backdoor acts as a proxy client. This allows the remote attacker to initiate connections to arbitrary endpoints on the victim network.
    15  Reports the control endpoints of the reverse proxy.
    30  Creates an arbitrary file on the affected computer.
    31  Exfiltrates an arbitrary file from the affected computer.

    Gomir and the GoBear Windows backdoor support almost the same commands.

    The latest Kimsuky campaign highlights that North Korean espionage actors increasingly favor software installation packages and updates as infection vectors. The experts noticed a shift to software supply chain attacks through trojanized software installers and fake software installers. A prominent example is the 3CX supply chain attack, stemming from the earlier X_Trader attack.

    “This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors.” concludes the report. “Springtail, meanwhile, has focused on Trojanized software installers hosted on third-party sites requiring their installation or masquerading as official apps. The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”

    The report also provides indicators of compromise for artifacts employed in the latest campaign, including the Troll Stealer, Gomir, and the GoBear dropper.

    Pierluigi Paganini

    (SecurityAffairs – hacking, North Korea)

    Chinese Nationals Arrested for Laundering $73 Million in Pig Butchering Crypto Scam

    The U.S. Department of Justice (DoJ) has charged two arrested Chinese nationals for allegedly orchestrating a pig butchering scam that laundered at least $73 million from victims through shell companies. The individuals, Daren Li, 41, and Yicheng Zhang, 38, were arrested in Atlanta and Los Angeles on April 12 and May 16, respectively. The foreign nationals have been "charged for leading a scheme

    Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

    The threat actors behind the Windows-based Grandoreiro banking trojan have returned in a global campaign since March 2024 following a law enforcement takedown in January. The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South

    North Korea-linked IT workers infiltrated hundreds of US firms

    The U.S. Justice Department charged five individuals, including a U.S. woman, for aiding North Korea-linked IT workers to infiltrate 300 firms.

    The Justice Department unsealed charges against an Arizona woman, a Ukrainian man, and three unidentified foreign nationals accused of aiding overseas IT workers, pretending to be U.S. citizens, to infiltrate hundreds of firms in remote IT positions. North Korea used this scheme to dispatch thousands of skilled IT workers globally, using stolen U.S. identities to infiltrate companies and raise revenue. The schemes defrauded over 300 U.S. companies, utilizing U.S. payment platforms, online job sites, and proxy computers. According to the DoJ, this is the largest scheme of this kind ever charged by US authorities.

    The operations coordinated by the North Korean government took place between October 2020 and October 2023. Intelligence experts speculate the campaign was aimed at financing the government’s illicit nuclear program.

    The defendant Christina Marie Chapman was arrested in May in Litchfield Park, Arizona, while Oleksandr Didenko was arrested in Poland a few days before. US authorities are requesting Didenko’s extradition to the United States.

    Chapman faces charges of conspiracy to defraud the United States, wire fraud, bank fraud, aggravated identity theft, identity fraud, money laundering, operating an unlicensed money transmitting business, and unlawful employment of aliens.

    She faces a maximum penalty of 97.5 years in prison, including a mandatory minimum of two years in prison on the aggravated identity theft count.

    Didenko allegedly ran a multi-year scheme creating accounts on U.S.-based freelance IT job platforms and money service transmitters using false identities, including those of U.S. persons. Then the man sold these accounts to overseas IT workers. He is the administrator of a website called upworksell.com, which was used to advertise these services along with credit card and SIM card rentals. The investigation revealed that Didenko managed about 871 proxy identities and provided accounts for three freelance IT platforms and three U.S.-based money service transmitters. He facilitated at least three U.S.-based laptop farms, hosting around 79 computers, and received or sent $920,000 since July 2018. The man admitted to assisting North Korean IT workers and was interconnected with other cells within the DPRK IT worker network. If convicted, Didenko faces up to 67.5 years in prison, including a mandatory minimum of two years for aggravated identity theft.

    DoJ also unsealed charges against three other individuals: John Doe 1, alias Jiho Han; John Doe 2, alias Haoran Xu; and John Doe 3, alias Chunji Jin.

    “Chapman and her co-conspirators allegedly compromised more than 60 identities of U.S. persons, impacted more than 300 U.S. companies, caused false information to be conveyed to DHS on more than 100 occasions, created false tax liabilities for more than 35 U.S. persons, and resulted in at least $6.8 million of revenue to be generated for the overseas IT workers. The department seized funds related to scheme from Chapman as well as wages and monies accrued by more than 19 overseas IT workers.” reads the press release published by DoJ.

    Concurrent with DoJ’s announcement, the U.S. Department of State announced a reward of up to $5 million for information related to the above three individuals.

    “Rewards for Justice is offering a reward of up to $5 million for information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea (Democratic People’s Republic of Korea, DPRK), including money laundering, exportation of luxury goods to North Korea, specified cyber-activity and actions that support weapons of mass destruction (WMD) proliferation. Such activities include work by highly skilled North Korean nationals sent abroad whose income generates funds for the DPRK regime.” reads the U.S. Department of State’s announcement.

    “The Department is seeking information on North Korean information technology (IT) workers using aliases Jiho Han, Chunji Jin, and Haoran Xu, and their manager Zhonghua. These individuals engaged in a scheme that enabled Han, Jin, and Xu to obtain illicit telework employment with U.S. companies using false identities belonging to more than 60 real U.S. persons. The illicit scheme generated at least $6.8 million for the DPRK.”

    The FBI also issued an advisory warning the public and private sectors of the threat posed to U.S. businesses by Information Technology (IT) workers from the Democratic People’s Republic of Korea (North Korea).

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, North Korea)

    Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

    Russia-linked Turla APT allegedly used two new backdoors, named LunarWeb and LunarMail, to target European government agencies.

    ESET researchers discovered two previously unknown backdoors, named LunarWeb and LunarMail, that were used to breach a European ministry of foreign affairs.

    The two backdoors are designed to carry out a long-term compromise in the target network, data exfiltration, and maintaining control over compromised systems.

    The two backdoors compromised a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. The experts speculate the Lunar toolset has been employed since at least 2020. ESET attributes the two backdoors to Russia-linked APT group Turla, with medium confidence.

    The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

    The exact method of initial access in the compromises observed by ESET is still unclear. However, evidence suggests possible spear-phishing and exploitation of misconfigured Zabbix network and application monitoring software. The researchers noticed a LunarWeb component mimicking Zabbix logs and a backdoor command retrieving Zabbix agent configuration. The experts also spotted spear-phishing messages, including a weaponized Word document installing a LunarMail backdoor.


    “LunarWeb, deployed on servers, uses HTTP(S) for its C&C communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications.” reads the report published by ESET.

    LunarWeb uses multiple persistence methods, including creating Group Policy extensions, replacing a system DLL, and deploying itself as part of legitimate software.

    ESET reported that the execution chain starts with a loader they tracked as LunarLoader. It uses the RC4 symmetric key cipher to decrypt the payloads.

    Once the Lunar backdoor has compromised a system, it waits for commands from the C2 server. The cyberspies also used stolen credentials for lateral movement.

    LunarWeb can also execute shell and PowerShell commands, gather system information, run Lua code, and exfiltrate data in AES-256 encrypted form.

    “Our current investigation began with the detection of a loader decrypting and running a payload, from an external file, on an unidentified server. This led us to the discovery of a previously unknown backdoor, which we named LunarWeb. Subsequently, we detected a similar chain with LunarWeb deployed at a diplomatic institution of a European MFA. Notably, the attacker also included a second backdoor – which we named LunarMail – that uses a different method for command and control (C&C) communications.” continues the report. “During another attack, we observed simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. The attacker probably had prior access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network.”

    LunarMail is deployed on workstations running Microsoft Outlook and uses the Outlook Messaging API (MAPI) for email-based communication, which helps it evade detection in environments where HTTPS traffic is monitored. The backdoor communicates with the C2 server via email attachments, often hidden in .PNG images. LunarMail can create processes, take screenshots, write files, and execute Lua scripts, allowing it to run shell and PowerShell commands indirectly.

    “We observed varying degrees of sophistication in the compromises; for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles (which are not the scope of this blogpost) in the backdoors. This suggests multiple individuals were likely involved in the development and operation of these tools.” concludes the report. “Although the described compromises are more recent, our findings show that these backdoors evaded detection for a more extended period and have been in use since at least 2020, based on artifacts found in the Lunar toolset.”


    Pierluigi Paganini

    (SecurityAffairs – hacking, Turla APT)

    Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

    The cryptojacking group known as Kinsing has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities into its exploit arsenal and expanding its botnet. The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining

    City of Wichita disclosed a data breach after the recent ransomware attack

    The City of Wichita disclosed a data breach after the ransomware attack that hit the Kansas city earlier this month.

    On May 5th, 2024, the City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat. The city immediately started its incident response procedure to prevent the threat from spreading and announced an investigation into the attack.

    Wichita is the most populous city in the U.S. state of Kansas and the county seat of Sedgwick County. As of the 2020 census, the population of the city was 397,532.

    The investigation was conducted with the help of third-party security experts and the city also notified federal and local law enforcement authorities.

    “We regret to report that certain online City services may be unavailable as we thoroughly review and assess an incident that affected some of our computer systems. As part of this assessment, we turned off our computer network.” reads the initial security breach notification. “This decision was not made lightly but was necessary to ensure that systems are securely vetted before returning to service.”

    The City warned that some services may be temporarily unavailable while systems are offline; it did not disclose the ransomware family that infected its systems or the name of the extortion gang behind the attack.

    However, the LockBit ransomware gang claimed responsibility for the cyberattack on the City of Wichita.

    A new update provided by the City of Wichita revealed that threat actors copied certain files containing personal information from its network. Copied files included incident and traffic information.


    “As part of our thorough review and assessment of this matter, we identified that certain files were copied from our computer network without permission between May 3 and 4, 2024. These files contained law enforcement incident and traffic information, which include names, Social Security numbers, driver’s license or state identification card numbers, and payment card information.” reads the Notice of Data Event updated on May 14, 2024.

    “We identified that this matter is related to a recently disclosed security vulnerability that affects organizations throughout the world.”

    The notice also revealed that threat actors exploited a recently disclosed vulnerability to gain access to the city’s network.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Kimsuky)

    New XM Cyber Research: 80% of Exposures from Misconfigurations, Less Than 1% from CVEs

    A new report from XM Cyber has found, among other insights, a dramatic gap between where most organizations focus their security efforts and where the most serious threats actually reside. The new report, Navigating the Paths of Risk: The State of Exposure Management in 2024, is based on hundreds of thousands of attack path assessments conducted by the XM Cyber

    China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT

    Cybersecurity researchers have shed more light on a remote access trojan (RAT) known as Deuterbear used by the China-linked BlackTech hacking group as part of a cyber espionage campaign targeting the Asia-Pacific region this year. "Deuterbear, while similar to Waterbear in many ways, shows advancements in capabilities such as including support for shellcode plugins, avoiding handshakes

    CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog

    CISA adds two D-Link DIR-600 and DIR-605 router vulnerabilities to its Known Exploited Vulnerabilities catalog.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following D-Link router vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

    • CVE-2014-100005 Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.
    • CVE-2021-40655 An information disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version 2.01MT. An attacker can obtain a user name and password by forging a POST request to the /getcfg.php page.

    According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

    Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

    CISA orders federal agencies to fix these vulnerabilities by June 6, 2024.

    Pierluigi Paganini


    (SecurityAffairs – hacking, CISA)

    CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog

    CISA adds two Chrome zero-day vulnerabilities to its Known Exploited Vulnerabilities catalog.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added [1,2] the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

    CVE-2024-4761 Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.

    “Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.

    CVE-2024-4671 Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

    The flaw was reported by an anonymous researcher on May 7, 2024.

    “Google is aware that an exploit for CVE-2024-4671 exists in the wild.” reads the advisory published by Google. As usual, the IT giant has not revealed details about the attacks exploiting this vulnerability.

    According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

    Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

    CISA orders federal agencies to fix these vulnerabilities by the following dates:

    • CVE-2024-4671: June 3, 2024.
    • CVE-2024-4761: June 6, 2024.
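    Both KEV items above (the D-Link router flaws and the Chrome zero-days) follow the same BOD 22-01 workflow: an entry lands in the catalog with a due date, and agencies (and, by recommendation, private organizations) check it against their inventory and remediate by that date. The following is an added example, not code from the article or from CISA, showing how a defender can triage a KEV catalog export by due date and by affected product. The field names follow the layout of CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`, and so on); the four records are constructed from the CVE IDs and due dates quoted in the two items, and the `dateAdded`, product and description strings are assumptions for illustration, not copied from the real catalog.

```python
"""Triage a CISA KEV catalog export by BOD 22-01 due date and by asset inventory.

Added example: the JSON below is a constructed sample in the layout of the
public KEV feed, built from the CVEs and due dates mentioned in the articles.
"""
import json
from datetime import date

# Constructed sample catalog (not a real download of the KEV feed).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2014-100005", "vendorProject": "D-Link", "product": "DIR-600 Router",
         "vulnerabilityName": "D-Link DIR-600 Router CSRF Vulnerability",
         "dateAdded": "2024-05-16", "dueDate": "2024-06-06",
         "shortDescription": "CSRF in DIR-600 (rev. Bx) firmware before 2.17b02.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2021-40655", "vendorProject": "D-Link", "product": "DIR-605 Router",
         "vulnerabilityName": "D-Link DIR-605 Router Information Disclosure Vulnerability",
         "dateAdded": "2024-05-16", "dueDate": "2024-06-06",
         "shortDescription": "Credentials obtainable via forged POST to /getcfg.php.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2024-4671", "vendorProject": "Google", "product": "Chromium Visuals",
         "vulnerabilityName": "Google Chromium Visuals Use-After-Free Vulnerability",
         "dateAdded": "2024-05-13", "dueDate": "2024-06-03",
         "shortDescription": "Use-after-free reachable via a crafted HTML page.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2024-4761", "vendorProject": "Google", "product": "Chromium V8",
         "vulnerabilityName": "Google Chromium V8 Out-of-Bounds Write Vulnerability",
         "dateAdded": "2024-05-16", "dueDate": "2024-06-06",
         "shortDescription": "Out-of-bounds write reachable via a crafted HTML page.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})


def load_kev(text):
    """Parse a KEV catalog document and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def _due(entry):
    return date.fromisoformat(entry["dueDate"])


def due_on_or_before(entries, deadline):
    """Sorted CVE IDs whose remediation due date is on or before `deadline`."""
    return sorted(e["cveID"] for e in entries if _due(e) <= deadline)


def overdue(entries, today):
    """Sorted CVE IDs whose due date has already passed as of `today`."""
    return sorted(e["cveID"] for e in entries if _due(e) < today)


def affected(entries, inventory):
    """Entries matching a simple (vendor, product) asset inventory.

    Vendor matching is case-insensitive and exact; product matching is a
    case-insensitive substring test, so ("D-Link", "DIR-600") matches
    "DIR-600 Router". Results are ordered by due date, then CVE ID.
    """
    wanted = [(v.lower(), p.lower()) for v, p in inventory]
    hits = [e for e in entries
            if any(e["vendorProject"].lower() == v and p in e["product"].lower()
                   for v, p in wanted)]
    return sorted(hits, key=lambda e: (_due(e), e["cveID"]))


def report(entries, inventory, today):
    """One line per inventory hit, flagging entries that are already overdue."""
    lines = []
    for e in affected(entries, inventory):
        state = "OVERDUE" if _due(e) < today else "due " + e["dueDate"]
        lines.append(f"{e['cveID']:<16} {e['vendorProject']} {e['product']}: "
                     f"{state}; {e['requiredAction']}")
    return lines


if __name__ == "__main__":
    # Hypothetical inventory: a fleet of D-Link routers plus Chromium-based browsers.
    inventory = [("D-Link", "DIR-600"), ("D-Link", "DIR-605"), ("Google", "Chromium")]
    for line in report(load_kev(SAMPLE_KEV_JSON), inventory, date(2024, 6, 4)):
        print(line)
```

    Run against a real export of the KEV JSON feed, `report()` gives a remediation worklist ordered by CISA's deadline; the inventory matching is deliberately coarse (vendor plus product substring) because KEV product names are free text and rarely line up exactly with an asset database.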

    Pierluigi Paganini


    (SecurityAffairs – hacking, CISA)

    Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

    The Kimsuky (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea's Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations. The backdoor, codenamed Gomir, is "structurally almost identical to GoBear, with extensive sharing of code between

    North Korea-linked Kimsuky APT attack targets victims via Messenger

    North Korea-linked Kimsuky APT group employs rogue Facebook accounts to target victims via Messenger and deliver malware.

    Researchers at Genians Security Center (GSC) identified a new attack strategy by the North Korea-linked Kimsuky APT group and collaborated with the Korea Internet & Security Agency (KISA) for analysis and response. The nation-state actor used a fake account posing as a South Korean public official in the North Korean human rights sector. The APT group aimed at connecting with key individuals in North Korean and security-related fields through friend requests and direct messages.


    The attack chain starts with the theft of a real South Korean person's identity; the victims are then contacted via Facebook Messenger.

    The threat actors pretended to share with the victims private documents they had written.

    “The initial individual approach is similar to an email-based spear phishing attack strategy. However, the fact that mutual communication and reliability were promoted through Facebook Messenger shows that the boldness of Kimsuky APT attacks is increasing day by day.” reads the report published by GSC. “The Facebook screen used in the actual attack has a background photo that appears to have been taken at a public institution. Threat actors disguised as public officials try to win the favor of their targets by pretending to share private documents they have written.”

    The messages included a link to a decoy document hosted on OneDrive. The file is a Microsoft Common Console document that masquerades as an essay or content related to a trilateral summit between Japan, South Korea, and the U.S. One of the decoy documents (‘NZZ_Interview_Kohei Yamamoto.msc’) employed in the attacks was uploaded to VirusTotal from Japan on April 5, 2024.

    The malware had a zero detection rate on VirusTotal at upload time.

    The experts speculate the APT group was targeting people in Japan and South Korea.

    “This is the first time that a suspected attack against Japan was first observed, and then a variant was detected in Korea shortly after.” reads the analysis. “And if you compare the two malicious file execution screens, you can see the same pattern. Although the file name leading to execution is different, both used the name ‘Security Mode’.”

    When the victim opens the MSC file and allows it to run in Microsoft Management Console (MMC), a console screen containing what appears to be a Word document is displayed. If the victim launches it, the multi-stage attack chain starts.

    The malicious file, named “Console Root task window ‘Security Mode’,” hid certain window styles and tabs. It misled users by labeling a task as “Open” with a description “My_Essay.docx,” making it appear as a document execution screen. Clicking “Open” triggers a malicious command. This command line involves ‘cmd.exe’ with various parameters and attempts to connect to the C2 host ‘brandwizer.co[.]in,’ registered by Whiteserver hosting in India and linked to the IP address ‘5.9.123.217’ in Germany.

    The malware maintains persistence by registering a scheduled task named ‘OneDriveUpdate,’ which repeats every 41 minutes indefinitely. This interval is consistent with the timing used in previous Kimsuky group campaigns, such as ‘BabyShark’ and ‘ReconShark.’

    The malware gathers information and exfiltrates it to the C2 server; it can also harvest IP addresses, User-Agent strings, and timestamp information from the HTTP requests. The malware can also drop additional payloads on the infected machines.
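    The persistence details above (a OneDrive-themed task name, a 41-minute repetition interval, and a cmd.exe action that reaches out to the named C2 host) are the kind of thing a defender can check for in Task Scheduler exports. The following is an added example, not code from the Genians report: it parses a task definition in the Windows Task Scheduler XML format (`schtasks /query /xml` output) and flags the three traits described in the text. The two task documents are constructed samples, the `/c placeholder-constructed ...` argument string is a placeholder rather than the real command line, and the C2 host and IP are the ones quoted in the article with the defanging brackets removed.

```python
"""Flag scheduled tasks showing the persistence traits described for this campaign.

Added example: parses Task Scheduler XML (the schema used by `schtasks /query /xml`)
and reports a 41-minute repetition cadence, a OneDrive-themed task name that runs a
command interpreter, and any reference to the C2 indicators quoted in the article.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators quoted in the article, with defanging brackets removed for matching.
C2_INDICATORS = ("brandwizer.co.in", "5.9.123.217")
KNOWN_INTERVAL_MINUTES = 41
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Constructed sample resembling the task described in the report (argument is a placeholder).
SUSPICIOUS_TASK_XML = r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDriveUpdate</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT41M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-04-05T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>cmd.exe</Command><Arguments>/c placeholder-constructed brandwizer.co.in</Arguments></Exec>
  </Actions>
</Task>
"""

# Constructed benign task: daily trigger, no repetition, vendor binary, no indicators.
BENIGN_TASK_XML = r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\NightlyBackup</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\backup.exe</Command><Arguments>--nightly</Arguments></Exec>
  </Actions>
</Task>
"""


def parse_iso_minutes(interval):
    """Convert a Task Scheduler ISO 8601 duration such as PT41M or P1D to minutes.

    Returns None when the string is not a recognised duration.
    """
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval)
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def scan_task(xml_text, c2_indicators=C2_INDICATORS):
    """Return (rule, detail) findings for one task definition; empty list if clean."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]

    # Trait 1: the 41-minute repetition cadence seen in Kimsuky campaigns.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        if parse_iso_minutes(interval.text or "") == KNOWN_INTERVAL_MINUTES:
            findings.append(("repeat_interval",
                             f"{name}: repeats every {interval.text} ({KNOWN_INTERVAL_MINUTES} min)"))

    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        # Trait 2: a task named after OneDrive whose action is a command interpreter.
        if binary in INTERPRETERS and "onedrive" in name.lower():
            findings.append(("name_vs_command", f"{name}: OneDrive-themed task runs {binary}"))
        # Trait 3: the action references a known C2 host or address.
        for ioc in c2_indicators:
            if ioc in args or ioc in command:
                findings.append(("ioc_in_arguments", f"{name}: references C2 indicator {ioc}"))
    return findings


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, scan_task(doc) or "no findings")
```

    The three rules are independent so that a task matching only the cadence or only the naming mismatch still surfaces for review; on a real host, feed the function each document from `schtasks /query /xml` (or the task files under `%SystemRoot%\System32\Tasks`) rather than the constructed samples.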

    “Among the APT attacks reported in Korea in the first quarter of this year, the most representative method is spear phishing attack. In addition, the method of combining shortcut (LNK) type malicious files is steadily becoming popular. Although not commonly reported, covert attacks through social media also occur.” concludes the report.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Kimsuky)

    CISA Warns of Actively Exploited D-Link Router Vulnerabilities - Patch Now

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2014-100005 - A cross-site request forgery (CSRF) vulnerability impacting D-Link DIR-600 routers that allows an

    Electronic prescription provider MediSecure impacted by a ransomware attack

    Electronic prescription provider MediSecure in Australia suffered a ransomware attack that likely originated from a third-party vendor.

    MediSecure is a company that provides digital health solutions, particularly focusing on secure electronic prescription delivery services in Australia.

    The company was forced to shut down its website and phone lines following a cyber attack, but it did not mention a ransomware attack.

    Threat actors gained access to the personal and health information of an undisclosed number of individuals.

    “MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems.” reads the statement published by the company. “While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.”

    The company is still investigating the security breach with the help of the National Cyber Security Coordinator; however, it revealed that early indicators suggest the incident originated from one of its third-party vendors.

    Yesterday afternoon I was advised by a commercial health information organisation that it was the victim of a large-scale ransomware data breach incident.

    I am working with agencies across the Australian Government, states and territories to coordinate a whole-of-government… pic.twitter.com/mool7LNLRZ

    — National Cyber Security Coordinator (@AUCyberSecCoord) May 16, 2024

    The electronic prescription provider also notified the Office of the Australian Information Commissioner and other relevant authorities.

    The Australian broadcaster ABC reported that MediSecure “is the health organisation at the centre of the large-scale ransomware data breach announced by the national cyber security coordinator on Thursday.”

    “MediSecure was one of two companies awarded contracts by the federal government to provide PBS e-script services until late last year, when the tender was granted exclusively to another company, eRx.” reported ABC. “In October last year, the ACCC granted authorisation for MediSecure to transfer all publicly-funded electronic prescriptions and data to eRx.”

    In November 2022, Medibank announced that personal data belonging to around 9.7 million current and former customers was exposed due to a ransomware attack that occurred in October 2022.

    Medibank is one of the largest Australian private health insurance providers with approximately 3.9 million customers.


    Pierluigi Paganini

    (SecurityAffairs – hacking, ransomware)

    New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

    Researchers have discovered a new security vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network so that their network traffic can be eavesdropped on. The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks that are based on

    Google fixes seventh actively exploited Chrome zero-day this year, the third in a week

    Google released security updates to address a new actively exploited Chrome zero-day vulnerability, the third in a week.

    Google has released a new emergency security update to address a new vulnerability, tracked as CVE-2024-4947, in the Chrome browser; it is the third zero-day exploited in attacks to be disclosed this week.

    The vulnerability CVE-2024-4947 is a type confusion that resides in the V8 JavaScript engine. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.

    “Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.

    This week the IT giant fixed two other actively exploited Chrome zero-day issues, tracked as CVE-2024-4671 and CVE-2024-4761 respectively.

    Below is the list of actively exploited zero-day vulnerabilities in the Chrome browser that have been fixed this year:

    • CVE-2024-0519: an out-of-bounds memory access in the Chrome JavaScript engine. (January 2024)
    • CVE-2024-2887: a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during Pwn2Own 2024. (March 2024)
    • CVE-2024-2886: a use-after-free issue that resides in WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during Pwn2Own 2024. (March 2024)
    • CVE-2024-3159: an out-of-bounds memory access in the V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during Pwn2Own 2024 on March 22, 2024. (March 2024)
    • CVE-2024-4671: a use-after-free issue that resides in the Visuals component. (May 2024)
    • CVE-2024-4761: an out-of-bounds write issue that resides in the V8 JavaScript engine. (May 2024)

    Google also addressed the following vulnerabilities:

    • [TBD][333414294] High CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
    • [$7000][326607001] Medium CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-02-24
    • [$1000][40065403] Low CVE-2024-4950: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-06-06


    Pierluigi Paganini

    (SecurityAffairs – hacking, Google)

    North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign

    The North Korea-linked Kimsuky hacking group has been attributed to a new social engineering attack that employs fictitious Facebook accounts to contact targets via Messenger and ultimately delivers malware. "The threat actor created a Facebook account with a fake identity disguised as a public official working in the North Korean human rights field," South Korean cybersecurity company Genians

    Researchers Uncover 11 Security Flaws in GE HealthCare Ultrasound Machines

    Security researchers have disclosed almost a dozen security flaws impacting the GE HealthCare Vivid Ultrasound product family that could be exploited by malicious actors to tamper with patient data and even install ransomware under certain circumstances. "The impacts enabled by these flaws are manifold: from the implant of ransomware on the ultrasound machine to the access and manipulation of
