From ransomware attacks to freejacking, Apple getting fined, WhatsApp releasing a proxy feature, signed Windows drivers spreading malware, and captcha bypasses, this week’s cybersecurity bulletin brings you the top cybersecurity news of the first week of the year from around the world. Let’s get into it.
Customer Email Data Accessed in Rackspace Ransomware Attack
Rackspace revealed that the threat actors who attacked its Hosted Exchange environment accessed Personal Storage Table (PST) files, the Outlook files that hold a user's mailbox contents, belonging to a small number of customers.
Rackspace is a Texas-based cloud computing company whose Hosted Exchange environment was taken down by a ransomware attack attributed to the Play ransomware group. The attackers exploited critical Exchange flaws to escalate privileges remotely on the company's Exchange servers and gain remote code execution (RCE). Rackspace said that CrowdStrike, the security firm that investigated the incident, determined that the threat actors accessed data belonging to 27 Rackspace customers.
However, there is no evidence that the threat actors have misused the accessed information.
Rackspace said, “Of the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a Personal Storage Table (‘PST’) of 27 Hosted Exchange customers.”
The PST files contain emails, calendar entries, contacts and tasks. Rackspace is providing affected customers with download links to recover their mailbox data, and notifies each customer once more than 50% of their data has been restored and is available for download.
Apple Fined for Targeting App Store Advertisements without Consent
CNIL, France's data protection authority, has fined Apple $8.5 million.
Apple was collecting user data to target advertisements on the App Store without requesting or obtaining the user's consent, a clear violation of Article 82 of the French Data Protection Act. That national law sits alongside the GDPR (General Data Protection Regulation) and requires a user's prior consent for any operation in which an electronic communication service stores information on, or reads information from, the user's terminal equipment, cookies being the most familiar example.
Apple is not the first to fall foul of Article 82: CNIL previously fined Facebook $68 million and Google $170 million for making it hard for website visitors to refuse tracking cookies. In Apple's case, CNIL found that the advertising identifiers were enabled by default, so users had to go into iOS settings and take several steps to turn them off.
Apple said it would appeal, stating, “We are disappointed with this decision given the CNIL has previously recognized that how we serve search ads in the App Store prioritizes user privacy, and we will appeal.”
Threat Actors Use Windows Error Reporting Tool to Deploy Malware
K7 Security Labs identified the campaign but could not attribute it to a known group. The attackers sent emails carrying an ISO attachment; when opened, the ISO mounts as a new drive letter containing a genuine copy of the Windows Error Reporting executable, WerFault.exe, alongside other files.
Antivirus products tend to let the executable run because it is legitimately signed by Microsoft. Once launched, WerFault.exe is abused through DLL sideloading: it resolves one of its DLLs by name, and the attacker's copy placed beside it in the ISO is found before the legitimate one on the system. The malicious DLL then starts two threads, one that loads the Pupy RAT and one that opens a decoy XLS spreadsheet. Pupy is an open-source remote access Trojan that gives the attackers access to the victim's device to execute commands, exfiltrate data and install further malware or spyware.
Treat unsolicited emails with ISO attachments with suspicion and do not open or mount them; blocking or quarantining ISO attachments at the mail gateway removes the initial foothold this campaign relies on.
Proxy Support for WhatsApp: Internet Blocks Can Be Bypassed
WhatsApp has released a new feature that lets users connect through proxy servers when the application is unreachable in their country, whether because of a government ban or an Internet shutdown.
The proxy option is available to both Android and iOS users. WhatsApp states that connecting through a proxy does not weaken privacy: chats remain protected by its end-to-end encryption, so neither the proxy operator, Meta, WhatsApp nor any other third party can read the conversations.
The “Use Proxy” option is found under Settings > Storage and Data. WhatsApp also allows anyone to set up a private proxy server so that people can stay connected to family and friends even when their connection is disrupted.
Releasing the new feature, WhatsApp said, “Our wish for 2023 is that these internet shutdowns never occur. Disruptions, like we’ve seen in Iran for months on end, deny people’s human rights and cut people off from receiving urgent help.”
Given that WhatsApp has more than 2 billion users in over 180 countries, the feature could help a large number of people whose access is cut off.
Bluebottle Hackers Attacking Banks with Signed Windows Drivers
Threat actors have been using a signed Windows driver in attacks on French-speaking financial institutions and have stolen over $11 million.
Symantec's researchers, who track the group as Bluebottle, noted overlaps with the previously documented OPERA1ER gang and its tactics. The group uses no custom malware, relying instead on open-source tools and frameworks.
Bluebottle uses GuLoader to load its malware and a signed kernel-mode driver to kill the processes of security products running on the victim network. The driver-based tool has two components:
- A controller DLL that reads a list of process names from a file.
- A signed “helper” driver, directed by the DLL, that terminates the listed processes.
The malicious driver has been used by several groups; Mandiant tracks it as POORTRY and says it first appeared in June 2022. Symantec's analysis agrees and notes that the latest version comes with new TTPs, with the intrusions also making use of dual-use tools such as quser, ping, Ngrok, the Fortinet VPN client and others.
Although the analysis suggests that OPERA1ER and Bluebottle may be the same group, they could be distinct. Either way, organizations and individuals are advised to stay vigilant.
CAPTCHA Bypass Utilized by Hackers to Make 20,000 GitHub Accounts
Automated Libra, a threat actor group believed to be based in South Africa, has been expanding its operations, most recently by mining cryptocurrency on cloud platform resources for profit.
The group has adopted a new CAPTCHA-solving system and drives CPU (Central Processing Unit) utilization aggressively for mining. It has previously made headlines for automated campaigns abusing service providers such as GitHub, Heroku and Togglebox.
In the latest attacks the group runs a “Freejacking” campaign, exhausting the resources granted to new free-tier accounts, combined with “Play and Run”: consuming paid resources for profit and never paying the bill, until the provider freezes the accounts.
The CAPTCHA-solving system lets Automated Libra create GitHub accounts without manual intervention and then burn those accounts' resources on cryptocurrency mining.
Creating multiple accounts per minute this way is a novel approach and shows how far cybercriminals will go for profit.