LockBit Bank Data Deception, Snowblind Evades Detection, FBI Warns Crypto Scams – Cybersecurity News [June 24, 2024]
This week’s cybersecurity bulletin is packed with news that’s making headlines around the world! We’ve got reports on a failed scare tactic by the LockBit ransomware gang, a new and sneaky Android malware called Snowblind, the FBI warning about fake law firms targeting crypto scam victims, a supply chain attack that backdoored WordPress plugins, and Chinese cyberspies using ransomware as a diversion. Read more below!
LockBit Misleads: Stolen Data Originates from a Bank, Not the US Federal Reserve
Ever since the disruption, the LockBit ransomware gang has been desperate to make a comeback, which they did this week by claiming they had breached the US Federal Reserve.
Lockbit announced on 23 June that they had breached the Federal Reserve and made away with 33 terabytes of sensitive information. LockBit posted this on their leak site and also suggested that they were engaged in negotiations and were offered $50,000 for not leaking the data. The gang also called the person a “clinical idiot” and asked that the agency hire another negotiator within 48 hours if they valued the stolen banking information of American citizens that were at risk.
When no response was given, LockBit began publishing the stolen data, but it turns out that the data they stole was not from the Federal Reserve but from an individual bank, apparently the American bank Evolve Bank & Trust. Evolve is still investigating the incident and is working with law enforcement authorities. They say they have contained the attack and will provide all impacted customers with complimentary credit monitoring and identity theft protection, even new account numbers if needed.
These baseless claims by the threat actor gang seem like a desperate attempt to gain relevance and ever since Operation Cronos where law enforcement took down LockBit’s infrastructure, LockBit hasn’t been able to recover.
Snowblind Malware Exploits Android Security Feature to Evade Detection
This week, a new Android attack vector, which comes from the Snowblind malware, was discovered. It abuses security features to bypass anti-tampering protections.
Snowblind abuses “seccomp,” which is short for secure computing and is a Linux kernel feature Android utilizes for application integrity checks. It is not leveraged by other malware, which makes it unique. Snowblind was analyzed by mobile app security enterprise Promon, who showed how the malware attacked one of i-Sprint’s Southeast Asian customers by targeting apps that handle sensitive data by injecting native libraries that load a seccomp filter before the anti-tampering code.
It does not allow the calls to process and triggers SIGSYS signals, indicating that there is a bad argument in the system call. It also installs a signal handler that can manipulate the thread’s registers. This new malware doesn’t impact performance much and leaves little operational footprint, which makes it highly challenging to detect. Threat actors can use this malware to steal login credentials, read sensitive information on the screen, control applications, bypass security measures, and exfiltrate info.
It’s still not clear how many applications this malware can bypass so it’s best to to use malware protection and download applications from only the official Play Store and not from other sources to stay safe.
FBI Alerts Public to Fake Law Firms Targeting Cryptocurrency Scam Victims
The FBI warned about threat actors that have been impersonating law enterprises and lawyers to carry out investment scams.
The fraudsters trick victims by claiming they’re collaborating with government agencies like the FBI and CFPB (Consumer Financial Protection Bureau) and build credibility by referencing genuine banks and money exchanges in their communication with the victims. Then, the threat actors request victims to provide personal or banking information to get their money back or to pay a portion of the fee upfront. They also state the judgment amount they seek from the initial fraudster and ask the victims to pay back taxes and other fees if they wish to recover their funds.
If you get an email or message asking you for the same, do not proceed and report it to the appropriate authorities. Many state-level authorities and federal intelligence organizations can track your stolen cryptocurrency, freeze it, and even divert it safely to safe wallets in some cases, but all of this is done without any charges or any personal information request other than what is required.
If you are approached by anyone who claims that they can recover your stolen crypto, you should research the organization online before you engage with them.
Supply Chain Attack Backdoors WordPress.org Plugins
A threat actor changed the source code of multiple plugins on WordPress.org, allowing them to include malicious PHP scripts, which they use to get admin privileges on new accounts that are created.
Wordfence Threat Intelligence analyzed the malicious injections that occurred between 21 and 22 June. Five plugins included the injections and were installed on over 35000 websites. They did not share exactly how the threat actor managed to gain access to said source code, but they are investigating the cause.
The malicious code that infected the plugins allows the threat actors to create new admin accounts and inject SEO spam into the websites. If you have a WordPress website that is using any of the following plugins, you need to update these to the latest patches and do a scan and cleanup for good measure.
- Blaze Widget 2.2.5 to 2.5.2 (Patch version 2.5.4)
- Social Warfare 4.4.6.4 to 4.4.7.1 (Patch version 4.4.7.3)
- Contact Form 7 Multi-Step Addon 1.0.4 to 1.0.5 (Patch version 1.0.7)
- Wrapper Link Element 1.0.2 to 1.0.3 (Patch version 1.0.5)
- Simply Show Hooks 1.2.1 to 1.2.2 (No Patch Yet)
Chinese Cyberspies Use Ransomware as Diversion Tactic
Many cyberespionage groups have been using ransomware to distract the defenders or for financial gains as a secondary reward or diversion.
SentinelLabs and Recorded Future have shared a joint report that shows the case of ChamelGang, a Chinese APT group that uses the CatB ransomware. ChamelGang has been targeting government enterprises and critical infrastructure using sophisticated techniques for reconnaissance and lateral movement so they can exfiltrate sensitive information.
However, in the observed attacks, it is seen that they deploy the CatB ransomware on the network on the devices when the exfiltration is complete and leave ransom notes along with ProtonMail and Bitcoin addresses for contact and payment.
There’s also a separate case of Jetico BestCrypt and Microsoft BitLocker ransomware that impacted 37 organizations. The former targeted server endpoints, and the latter was deployed against workstations. Strong ransomware protection solutions can effectively defend against these kinds of attacks.