Cyber Briefing - 2023.05.29
The latest in cybersecurity: Bandit Stealer, AceCryptor, Cryptocurrencies, Phishing, DogeRAT, Jimbos, RaidForums, NHS, Facebook, PyPI, Sports Warehouse, Telegram.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
Cyber Alerts
Cybersecurity researchers have discovered a new malware, known as Bandit Stealer, that specifically targets browsers and cryptocurrency wallets, posing a significant threat to Windows systems. What makes Bandit Stealer particularly dangerous is its ability to bypass Windows Defender, making it difficult for victims to detect. The malware, developed in the Go programming language, boasts advanced features and can steal a wide range of sensitive data, including usernames, IP addresses and computer details, and can even compromise Telegram accounts.
AceCryptor, a crypter malware discovered by ESET, has been utilized since 2016 to pack various strains of malware. With over 240,000 detections in ESET's telemetry in 2021 and 2022, the crypter has gained popularity, averaging more than 10,000 hits per month. Notable malware families hidden within AceCryptor include SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop ransomware, and Amadey, among others, with detections concentrated in countries like Peru, Egypt, Thailand, and Indonesia.
The Lazarus Group, a notorious North Korean state-backed hacking group, has shifted its focus to targeting vulnerable Windows Internet Information Services (IIS) web servers as a means to infiltrate corporate networks. This tactic was recently discovered by South Korean researchers, who believe that Lazarus engages in such malicious activities to finance North Korea's weapons development programs and espionage operations. The hackers exploit known vulnerabilities or misconfigurations in IIS servers, using sophisticated techniques involving DLL sideloading to execute their attacks and evade detection by antivirus tools.
Researchers from Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed an innovative attack called "Hot Pixels" that can retrieve pixel information from a target's browser and infer their navigation history. By exploiting data-dependent computation times on modern system-on-a-chip (SoCs) and graphics processing units (GPUs), the attack can stealthily extract information from visited web pages, even with the latest side-channel countermeasures enabled. The study reveals that distinct behavior patterns exhibited by processors can be detected through internal sensor measurements, allowing for accurate discernment of viewed content with up to 94% accuracy.
A new phishing kit called "File Archivers in the Browser" utilizes ZIP domains to display fake WinRAR or Windows File Explorer windows in web browsers, tricking users into launching malicious files. Security researcher mr.d0x has developed this toolkit, which simulates file archiver software such as WinRAR directly in the browser and uses a .zip domain to appear legitimate. By embedding convincing pop-up windows that resemble WinRAR or File Explorer, the phishing toolkit aims to deceive users into providing credentials or downloading malware.
A new open-source remote access trojan (RAT) called DogeRAT has emerged, specifically targeting Android users in India as part of an intricate malware campaign. Disguised as legitimate applications like Opera Mini, OpenAI ChatGOT, and premium versions of popular platforms, the malware gains unauthorized access to sensitive data, controls the infected device, and performs malicious actions such as sending spam messages and making unauthorized payments. This sophisticated campaign serves as a reminder of scammers' evolving tactics, highlighting the need for constant vigilance and advanced security measures to protect against such threats.
Managed Care of North America (MCNA) Dental, a leading dental care and oral health insurance provider for government-sponsored programs in the U.S., has disclosed a significant data breach affecting nearly 9 million patients. Hackers gained unauthorized access to MCNA's computer systems and stole sensitive personal information, including names, addresses, Social Security numbers, and health insurance details. MCNA Dental has taken immediate action to address the breach, enhance system security, and provide affected individuals with identity theft protection services. Patients are urged to remain vigilant for potential fraud attempts and phishing attacks leveraging the stolen data.
Jimbos Protocol, an Arbitrum-based DeFi project, fell victim to a flash loan attack resulting in the loss of over 4000 ETH tokens worth $7.5 million. The attack occurred just days after the launch of the V2 protocol, causing a significant collapse in the price of the jimbo token. The company is working with security professionals and has notified law enforcement to address the situation, while also appealing to the perpetrators to return a portion of the stolen funds to avoid legal consequences.
A leaked database from RaidForums exposes crucial information about its members, offering an inside look into the activities of this notorious hacking and data leak forum. The database leak reveals registration details, usernames, email addresses, hashed passwords, and more for nearly 480,000 RaidForums members. While law enforcement may already have access to the database, security researchers can utilize the leaked information to gain insights and potentially connect threat actors to other malicious activities.
Several NHS trusts in the UK have been found to share patients' sensitive medical information with Facebook through a covert tracking tool embedded in their websites, in violation of privacy promises. The tool, called Meta Pixel, collected browsing data and transmitted it to the tech giant, including granular details of pages visited, buttons clicked, and keywords searched, linked to users' IP addresses and Facebook accounts. The data could potentially be used for targeted advertising, raising concerns about data protection and patient confidentiality.
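A site owner who wants to check whether the Meta Pixel described above is present on their own pages, and what it is configured to send, can audit the served HTML for the pixel's standard loader, its init call, the tracked events and the noscript image beacon. The following is an added example written for this briefing, not code from the NHS, Meta or the original report; the HTML and the pixel id 1234567890 are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed HTML for a hypothetical clinic-finder page. The pixel id
# 1234567890 is a made-up placeholder, not a real advertiser id.
SAMPLE_HTML = """<html><head><title>Find a clinic</title>
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};n.push=n;n.loaded=!0;
n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;t.src=v;
s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,document,
'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
fbq('track', 'Search', {search_string: 'oncology appointment'});
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Find a clinic</h1></body></html>"""

# The pixel's JavaScript loader (fbevents.js served from connect.facebook.net).
LOADER = re.compile(r"""connect\.facebook\.net/[A-Za-z_]+/fbevents\.js""")
# fbq('init', '<pixel id>')
INIT = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
# fbq('track' | 'trackCustom', '<event>'[, {params}])
TRACK = re.compile(
    r"""fbq\(\s*['"](?:track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]"""
    r"""(?:\s*,\s*(\{[^}]*\}))?"""
)
# The <noscript> fallback beacon: https://www.facebook.com/tr?id=<pixel id>&ev=...
BEACON = re.compile(r"""facebook\.com/tr\?[^"'\s]*\bid=(\d+)""")


def audit_page(html: str) -> Dict[str, object]:
    """Report whether a page embeds the Meta Pixel and what it is set to send.

    Only the markup is inspected; nothing is fetched or executed."""
    pixel_ids: List[str] = []
    for match in list(INIT.finditer(html)) + list(BEACON.finditer(html)):
        if match.group(1) not in pixel_ids:
            pixel_ids.append(match.group(1))

    # Each tracked event is a message to Meta; the optional params object is
    # where page-specific details (search terms, button labels) travel.
    events = [
        {"name": m.group(1), "params": m.group(2)} for m in TRACK.finditer(html)
    ]

    return {
        "pixel_loaded": LOADER.search(html) is not None,
        "pixel_ids": pixel_ids,
        "events": events,
        "noscript_beacon": BEACON.search(html) is not None,
    }


if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML)
    print("Meta Pixel loaded:", report["pixel_loaded"])
    print("Pixel ids:", report["pixel_ids"])
    for event in report["events"]:
        print(f"  event {event['name']!r} params={event['params']}")
```

Run this over the HTML of each page that handles patient-facing content; any page with `pixel_loaded` true, or with `Search` or custom events carrying parameters, is one whose browsing data leaves the site, which is the finding the report above describes.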
Cyber News
In a move to bolster security and safeguard the software supply chain, the Python Package Index (PyPI) has announced that every account maintaining a project on its platform will be required to enable two-factor authentication (2FA) by the end of the year. PyPI will begin enforcing this requirement, gradually gating access to certain site functionalities based on 2FA usage. This measure aims to mitigate the risks of account takeover attacks, which can lead to the distribution of malicious versions of popular packages and the deployment of malware. With over 700,000 users and 450,000 projects on PyPI, this mandatory security step is a crucial defense against potential threats and reinforces the platform's commitment to maintaining a safe and trusted ecosystem.
According to a study by UK Finance, fraud losses reported by Britain's financial services sector surpassed $1.5 billion in 2022, marking an 8% decline from the previous year. The industry recorded approximately 3 million cases of fraud, with unauthorized fraud accounting for nearly two-thirds of the reported losses. While the sector prevented around $1.5 billion worth of fraud, the actual amount is believed to be higher due to the challenges in measuring fraud prevention. The prevalence of invoice and CEO fraud highlights the importance of implementing robust preventive measures, such as multi-factor authentication and staff training, to combat sophisticated fraudulent activities.
Sports Warehouse, the online sports retailer, has been slapped with a $300,000 fine by the attorney general of New York following a significant data breach affecting over 1 million U.S. consumers. The breach was attributed to the company's inadequate security measures, including storing payment card data in plaintext format on its e-commerce server protected only by a password that was easily guessed by the attacker. The settlement agreement requires Sports Warehouse to overhaul its security program and implement encryption, strong passwords, anti-malware tools, and regular vulnerability reviews to prevent future breaches.
NCC Group, a leading cybersecurity firm, has launched two new open source tools designed to support application developers and penetration testers. The first tool, Code Credential Scanner (css), enables developers to scan repository configuration files, identify stored credentials, and remove them to prevent potential leaks. The second tool, CowCloud, offers workload distribution across AWS for tasks such as recon, vulnerability scans, and password cracking, while also facilitating centralized tool access and management. These tools provide valuable resources for enhancing security practices in the development and testing processes.
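The credential-scanning task that the first NCC Group tool addresses, finding secrets committed in repository configuration files, can be illustrated with a small pattern-based scanner. This is an added example written for this briefing, not code from Code Credential Scanner or NCC Group; the file contents, the AWS-style key beginning AKIA and the placeholder-filter rules are constructed for the demonstration.

```python
import re
from typing import Dict, List, NamedTuple, Pattern, Tuple

# Constructed repository snapshot (path -> contents). No real credentials.
SAMPLE_FILES: Dict[str, str] = {
    "config/database.yml": (
        "production:\n  adapter: postgresql\n  username: app\n"
        "  password: Sup3rS3cret!\n"
    ),
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAQ2T5XZ7CDK9ALM3P\n"
        "AWS_SECRET_ACCESS_KEY=Vx9bK2qL7mRt4nWp8sJd3fHg6cYe1aZb5uNo0kQi\n"
    ),
    "config/app.ini": "[auth]\napi_key = ${API_KEY}\n",  # injected at deploy time
    "README.md": "Set DB_PASSWORD via your secret manager, never in the repo.\n",
}

# Detection rules: a rule name and the pattern that flags it. The key/value
# rule captures the value as group 'val' so it can be screened and masked.
PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("secret_assignment", re.compile(
        r"""^\s*[\w.\-"']*(?:password|passwd|pwd|secret|token|api[_-]?key)"""
        r"""[\w.\-"']*\s*[:=]\s*["']?(?P<val>[^\s"']+)""",
        re.IGNORECASE | re.MULTILINE,
    )),
]

# Values that are clearly templates rather than secrets; skipping them keeps
# the report actionable (an unfiltered scanner drowns real hits in noise).
PLACEHOLDER = re.compile(r"^(\$\{|\$|<|%|\{\{)|changeme|your[_-]?|example",
                         re.IGNORECASE)


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    masked: str  # never echo the full secret into logs or CI output


def mask(value: str) -> str:
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> List[Finding]:
    """Apply every rule to one file and return masked findings."""
    findings: List[Finding] = []
    for rule, pattern in PATTERNS:
        for match in pattern.finditer(text):
            value = match.groupdict().get("val") or match.group(0)
            if PLACEHOLDER.search(value):
                continue
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append(Finding(path, line_no, rule, mask(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a path -> contents mapping and return findings sorted by location."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings, key=lambda f: (f.path, f.line_no, f.rule))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule} -> {f.masked}")
```

A real deployment would feed `scan_files` from a walk of the working tree and from git history (a secret removed in a later commit is still in the repository), and would fail the CI job on any finding so the credential is rotated before it spreads.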
A man with a history of violent crimes, including attempted murder, has pleaded guilty to using social media platforms like Instagram and Telegram to provide instructions on committing check fraud. Meshach Samuels charged thousands of dollars on Telegram for his "masterclass," where he taught followers how to recruit accomplices and steal money from banks through fraudulent checks. The case highlights the convergence of digital and analog fraud methods, with Telegram being identified as a popular platform for cybercriminals. Samuels is now facing up to 30 years in prison for the bank fraud charges.
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.