Spa Email Compromised, X Malicious Redirect, CISA China Cyber – Cybersecurity News [March 18, 2024]

by Duocircle

 

This week, we bring you the latest in cybersecurity to help you stay a step ahead of the threats: the phishing scam run from the hijacked Spa Grand Prix email account, the deceptive redirect links circulating on X (Twitter), the latest releases from CISA on Chinese state-sponsored threats and from the FTC on impersonation scams, and the details of the ‘Earth Krahang’ threat actor group that has compromised 70 organizations in 45 countries. Stay tuned!

 

Spa Grand Prix Email Compromised, Phishing Scam Targets Fans’ Bank Details

Threat actors hijacked the official email account of the Belgian Grand Prix and used it to send fans a phishing email promising a fake voucher

The Spa Grand Prix will take place in the last week of July this year, and its tickets are sold on the official website. The event organizer said in a statement that the official email account was hijacked on 17 March and that the attacker used it to send fake emails to fans. The email contained a phishing link that supposedly led to a €50 ($54.45) voucher.

There was no voucher: the link led to a fake copy of the official Spa Grand Prix portal that asked for banking information and personal details. The organizers reacted within a few hours and sent a follow-up email warning fans not to click the link because it was a phishing attempt, but an undisclosed number of fans had already entered their details.

The organizers say they will file a civil claim, and a criminal investigation has been opened.

 

 

Malicious Links Circling X That Redirect You Elsewhere

If you have clicked a link on X (Twitter) recently and landed on a site different from the one shown in the post, you are not alone.

Will Dormann, a security researcher, came across these suspicious links and showed how clicking them takes you somewhere else entirely. In his example, a link displayed as “forbes.com” instead took him to a Telegram channel called “Crypto with Harry,” which dishes out bad crypto advice.

So why is this happening? Most link previews show the first website a link points to. X does the opposite: its preview crawler follows the link through its redirects and displays the final destination it reaches, so the card in the post says “forbes.com” even though the actual link points at an intermediary server.

That intermediary server inspects the User-Agent header of each incoming request. If the request comes from X’s crawler or another automated tool, it redirects to the genuine forbes.com article, so the preview looks legitimate; if it comes from a web browser, it redirects to the Telegram channel instead. This is how the threat actors behind these links display a trustworthy destination while sending real users to a malicious or unexpected website.
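The following is an added example, written for this article rather than taken from X, the researcher, or the people behind the links. It implements the cloaking rule described above as a tiny local redirector and then probes it the way a defender would: fetch the first hop once as a crawler and once as a browser, without following redirects, and compare the two Location headers. The forbes.com path and the Telegram channel name in the code are constructed placeholders, not the real links from the post, and the list of crawler User-Agent substrings is an assumption for the demo.

```python
"""Added example: user-agent cloaking of a redirect, and a probe that exposes it."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed destinations for the demo (assumptions, not the real campaign URLs).
LEGIT_DESTINATION = "https://www.forbes.com/sites/example/article/"
LURE_DESTINATION = "https://t.me/example_crypto_channel"

# Substrings that identify link-preview crawlers and other automated clients (assumed list).
BOT_UA_MARKERS = ("twitterbot", "facebookexternalhit", "slackbot", "bot", "crawler", "spider")


def pick_destination(user_agent):
    """The cloaking rule: crawlers get the genuine page so the preview looks clean;
    everything else (real browsers) gets the lure."""
    ua = (user_agent or "").lower()
    if any(marker in ua for marker in BOT_UA_MARKERS):
        return LEGIT_DESTINATION
    return LURE_DESTINATION


class CloakingRedirectHandler(BaseHTTPRequestHandler):
    """Minimal redirector behaving like the intermediary server described in the article."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", pick_destination(self.headers.get("User-Agent")))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_cloaking_server():
    """Bind the redirector to an ephemeral localhost port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), CloakingRedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the first hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def first_hop(url, user_agent):
    """Request url once with the given User-Agent; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(request, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx surfaces as HTTPError
        return err.code, err.headers.get("Location")


CRAWLER_UA = "Twitterbot/1.0"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")


def probe(url, fetch=first_hop):
    """Resolve the first hop as a crawler and as a browser and compare the two.
    A mismatch is the cloaking signature. `fetch` can be swapped for an offline stub."""
    _, crawler_target = fetch(url, CRAWLER_UA)
    _, browser_target = fetch(url, BROWSER_UA)
    return {
        "crawler_target": crawler_target,
        "browser_target": browser_target,
        "cloaked": crawler_target != browser_target,
    }


if __name__ == "__main__":
    base_url, server = start_cloaking_server()
    try:
        print(probe(base_url + "/promo"))
    finally:
        server.shutdown()
```

Running the file starts the redirector on a random loopback port and prints the two destinations side by side, with `cloaked` set to True. The same `probe` function works against a real suspicious link; the important detail is that the client must not follow redirects, otherwise it only ever sees the final page the server chose for its User-Agent.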

 

Social media phishing

Image sourced from dlvrit.com

 

Threat actors have been using this trick to push trojanized applications, phishing pages, scams, and malware, so it’s best to avoid such links if you’re using X on mobile, where you cannot see the destination before tapping. On a PC, hover the cursor over the link and check the browser’s status bar, bearing in mind that X wraps outbound links in its t.co shortener, so the status bar shows a t.co address rather than the real destination; to see where a link actually goes, request it without following redirects and read the Location header.

 

CISA Offers Guidance on Protecting Critical Infrastructure from Chinese Cyber Threats

This week, CISA, the NSA, and the FBI warned critical infrastructure leaders and shared tactics for protecting their systems against the Chinese state-sponsored Volt Typhoon threat actor group

Multiple US government agencies, together with cybersecurity agencies from Canada, the UK, New Zealand, and Australia, shared the report with defensive guidance against Volt Typhoon. The group’s choice of targets and its tactics differ from those of typical espionage campaigns, suggesting that its goal is access to OT (Operational Technology) systems and the ability to disrupt critical infrastructure rather than data theft.

The document shares guidance for cybersecurity teams, including thorough logging of access and security events, with the logs stored in a central, out-of-band system so that an intruder cannot tamper with them. IT teams should also review the logs they already keep: Volt Typhoon relies on legitimate built-in tools, so the commands recorded in those logs are often the only evidence of a compromise. You can find the details in the report here

Volt Typhoon has also used the KV botnet, built from compromised small office/home office (SOHO) routers in the US, to route its traffic and blend in with normal network activity

 

FTC Alert: Con Artists Posing as Agency Staff to Defraud Consumers

The CISA report was not the only thing that the government shared this week; another one was the US FTC’s (Federal Trade Commission) warning about threat actors impersonating its employees. 

 


 

The FTC has been receiving reports from consumers who fell victim to scams in which the threat actors posed as FTC personnel to contact them via email, text messages, and phone calls and steal their funds. The average amount lost to these FTC impersonation scams has reached $7,000 this year, a massive increase from the $3,000 observed in 2019.

The agency shared guidelines that can help you stay safe, saying the FTC will never “send consumers to a Bitcoin ATM, tell them to go buy gold bars, or demand they withdraw cash and take it to someone in person.” The basics are never to share verification codes, never to move money under the pretext of “protecting it,” never to engage with unexpected calls about a suspicious Amazon purchase or activity in your account, and never to deal with someone who asks you to go to a Bitcoin ATM. Any of these signals means you are the target of a scam artist.

They also shared information on identifying government imposters and reporting such individuals. You can read about all the guidelines shared by the FTC on their website

 

Chinese ‘Earth Krahang’ Group Targets 70 Organizations in 45 Nations

Earth Krahang is a Chinese APT (Advanced Persistent Threat) group that has breached nearly 70 organizations and targeted another 116 across 45 countries

The group is being tracked by Trend Micro, which documented a campaign that began in early 2022. The threat actors have compromised 48 government organizations, 10 of which are foreign affairs ministries. They use open-source tools to scan public-facing servers for known vulnerabilities, notably CVE-2023-32315 (a path traversal in the Openfire admin console) and CVE-2022-21587 (a remote code execution flaw in Oracle E-Business Suite), exploit them to gain an initial foothold, and also use spear-phishing emails that lure victims into opening malicious links and attachments.

Once inside a network, the threat actors abuse the compromised organization’s infrastructure to host malicious payloads and to send further spear-phishing emails to other government accounts, trading on the trust between them; those emails drop backdoors on victim systems and extend the group’s foothold. They also set up VPN (Virtual Private Network) servers on compromised machines to move laterally within these networks and deploy malware such as XDealer, RESHELL, and Cobalt Strike for persistence and data exfiltration.

 


 

The report notes that the group may be linked to Earth Lusca, since the two share C2 (Command and Control) infrastructure. It is also possible, however, that they merely share a toolset, as their samples use different encryption keys.

Phishing tactics and techniques advance every day. Effective phishing protection and regular phishing awareness training are essential to stay ahead of the threat actors.
