Threat actors are giving no quarter in the new year. This week's headlines cover top cybersecurity news from around the world: exploited Control Web Panel (CWP) flaws, Android TV boxes with pre-installed malware, a new address poisoning crypto scam, Vice Society ransomware hitting Australian firefighters, custom info-stealing malware targeting APAC governments, and the hack of Ontario's liquor control board. Let us get started.
Threat Actors Exploiting Control Web Panel Flaws for RCE
Threat actors are exploiting a critical vulnerability in CWP (Control Web Panel), tracked as CVE-2022-44877.
With a critical severity score of 9.8, the vulnerability gives threat actors RCE (Remote Code Execution) without any need to authenticate. Researchers at Gais Cyber Security first reported the issue in October 2022, and CWP released version 0.9.8.1147 to stop threat actors from abusing the flaw.
However, Shadowserver has recorded in-the-wild exploitation, indicating that threat actors are still using CVE-2022-44877 to obtain interactive access to vulnerable machines. The attackers exploit CWP with encoded payloads that start a reverse shell, calling back to the attacker's machine and spawning a terminal on the victim's machine with Python's pty module.
Since the vulnerability is being actively exploited, update to the latest version of CWP as soon as possible.
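The behaviour Shadowserver describes leaves a recognisable trace on the host: the panel's server process spawning a shell, an encoded blob being decoded straight into a shell, and Python's pty module being used to upgrade the connection into a terminal. The following detection is an added example, not code from CWP, Shadowserver or the article; the key=value log format, the sample events, and the assumed panel process name `cwpsrv` are all constructed for the example.

```python
"""Added example (not from the article, CWP or Shadowserver): flag the
post-exploitation behaviour the story describes, a web panel process spawning
a shell that decodes an encoded payload or uses Python's pty module to open an
interactive terminal.

Assumptions: the log format is a made-up key=value line, and the panel's
server process is called "cwpsrv".
"""
import re

# Name of the web panel's server process (assumption for this example).
PANEL_PROCESSES = {"cwpsrv"}
SHELLS = {"sh", "bash", "dash"}

# Constructed process-execution events, loosely modelled on the fields an
# auditd or EDR execve record carries. Not real log data.
SAMPLE_EVENTS = """\
ts=2023-01-12T10:01:03Z user=root parent=cwpsrv exe=/usr/bin/php cmd="php /path/to/panel/cron.php"
ts=2023-01-12T10:02:17Z user=root parent=cwpsrv exe=/bin/sh cmd="sh -c echo <base64-blob> | base64 -d | bash"
ts=2023-01-12T10:02:18Z user=root parent=bash exe=/usr/bin/python3 cmd="python3 -c import pty;pty.spawn('/bin/bash')"
ts=2023-01-12T10:05:40Z user=admin parent=sshd exe=/bin/bash cmd="bash -l"
ts=2023-01-12T10:06:02Z user=root parent=cron exe=/bin/sh cmd="sh -c /path/to/panel/maintenance.sh"
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Decoded payload piped straight into a shell, e.g. `... | base64 -d | bash`.
ENCODED_PIPE_RE = re.compile(r"base64\s+(?:-d|--decode)\b.*?\|\s*(?:ba|da)?sh\b")
# Python's pty module used to turn a raw socket into a real terminal.
PTY_SPAWN_RE = re.compile(r"\bpty\.spawn\s*\(")


def parse_event(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(event):
    """Return the set of rule names an event triggers (empty if benign)."""
    rules = set()
    exe_name = event.get("exe", "").rsplit("/", 1)[-1]
    cmd = event.get("cmd", "")
    if event.get("parent") in PANEL_PROCESSES and exe_name in SHELLS:
        rules.add("panel_spawned_shell")
    if ENCODED_PIPE_RE.search(cmd):
        rules.add("encoded_payload_pipe")
    if PTY_SPAWN_RE.search(cmd):
        rules.add("pty_spawn")
    return rules


def analyze(log_text):
    """Return [(timestamp, sorted rule names)] for every suspicious event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rules = classify(event)
        if rules:
            findings.append((event.get("ts"), sorted(rules)))
    return findings


if __name__ == "__main__":
    for ts, rules in analyze(SAMPLE_EVENTS):
        print(ts, ", ".join(rules))
```

Run against the sample, only the two events from the exploitation chain are reported; the cron job and the admin's SSH login stay quiet. The parent-process rule is the one worth keeping even after patching, since a web panel has no business spawning interactive shells.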
Android TV Boxes with Pre-Installed Malware
An Android TV box purchased from Amazon, delivered to a Canadian systems security consultant, came preloaded with malware.
The device, a T95 Android TV box with an AllWinner T616 processor that is widely available on Amazon, shipped with ADB (Android Debug Bridge) enabled, a suspicious configuration that threat actors can use to connect to the device and gain unrestricted access to its filesystem, execute commands, install malicious software, modify data, and control it remotely.
Daniel Milisic, the individual who received the device, explains that he bought it to run the Pi-hole DNS sinkhole. While reviewing the DNS (Domain Name System) traffic, Milisic discovered that his Android TV box was connecting to multiple IP addresses associated with malware.
The malware on his device resembled CopyCat, an Android malware family that has been around since 2017, which raises the question, "If the devices ordered from online services, which are supposed to be brand new, are coming with malware, how can any individual stay safe?"
Milisic has shared a detailed analysis of the experience and described steps you can follow to check whether your own devices contain malware.
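Milisic's finding came from watching what the box resolved through Pi-hole. The script below, an added example rather than Milisic's or Pi-hole's own code, shows the same check on a log excerpt: it parses dnsmasq-style query and reply lines, then reports every name a given client looked up that is on a domain blocklist or resolved to a blocklisted address. The client IP, domains, answers and blocklists are all constructed for the example.

```python
"""Added example (not from the article or Milisic's write-up): review a
Pi-hole style DNS query log for one client and flag lookups that resolved to
blocklisted IP addresses or hit blocklisted domains.

Assumptions: the lines imitate dnsmasq's `query[...] <name> from <client>`
and `reply <name> is <ip>` format; the client address, domains, IPs and
blocklists are constructed for the example.
"""
import re
from collections import defaultdict

QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")
REPLY_RE = re.compile(r"reply\s+(\S+)\s+is\s+(\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed log excerpt. 192.168.1.50 stands in for the TV box; the
# resolved addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 12 20:15:01 dnsmasq[612]: query[A] ntp.example-time.test from 192.168.1.50
Jan 12 20:15:01 dnsmasq[612]: forwarded ntp.example-time.test to 9.9.9.9
Jan 12 20:15:01 dnsmasq[612]: reply ntp.example-time.test is 203.0.113.10
Jan 12 20:15:07 dnsmasq[612]: query[A] cdn.update-example.test from 192.168.1.50
Jan 12 20:15:07 dnsmasq[612]: reply cdn.update-example.test is 198.51.100.23
Jan 12 20:15:09 dnsmasq[612]: query[A] www.example.org from 192.168.1.20
Jan 12 20:15:09 dnsmasq[612]: reply www.example.org is 198.51.100.23
Jan 12 20:15:30 dnsmasq[612]: query[AAAA] stats.bad-example.test from 192.168.1.50
Jan 12 20:15:30 dnsmasq[612]: reply stats.bad-example.test is NODATA-IPv6
Jan 12 20:15:30 dnsmasq[612]: query[A] stats.bad-example.test from 192.168.1.50
Jan 12 20:15:30 dnsmasq[612]: reply stats.bad-example.test is 192.0.2.77
"""

# Constructed indicator lists; in practice these come from your threat feeds.
BAD_IPS = {"198.51.100.23", "192.0.2.77"}
BAD_DOMAINS = {"stats.bad-example.test"}


def parse_log(text):
    """Return (queries, answers): queries maps client -> names it asked for,
    answers maps name -> IPv4 addresses it resolved to."""
    queries = defaultdict(set)
    answers = defaultdict(set)
    for line in text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            name, client = q.groups()
            queries[client].add(name.lower())
            continue
        r = REPLY_RE.search(line)
        if r:
            name, ip = r.groups()
            answers[name.lower()].add(ip)
    return queries, answers


def suspicious_lookups(text, client, bad_ips, bad_domains):
    """List (name, reasons) for every name the client queried that is on the
    domain blocklist or resolved to a blocklisted address."""
    queries, answers = parse_log(text)
    findings = []
    for name in sorted(queries.get(client, ())):
        reasons = []
        if name in bad_domains:
            reasons.append("blocklisted domain")
        hits = sorted(answers.get(name, set()) & bad_ips)
        if hits:
            reasons.append("resolved to blocklisted IP " + ", ".join(hits))
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_lookups(SAMPLE_LOG, "192.168.1.50", BAD_IPS, BAD_DOMAINS):
        print(f"{name}: {'; '.join(reasons)}")
```

Checking the answer addresses, not just the names, matters here: the second flagged domain is not on the domain list at all and would only be caught because it resolved to a known-bad IP, which is the kind of signal Milisic was looking at.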
Address Poisoning Cryptocurrency Scams on the Rise, Warns MetaMask
MetaMask, one of the most significant cryptocurrency wallet providers worldwide, has warned crypto enthusiasts and users of a new “Address Poisoning” scam being used by threat actors to trick individuals into sending funds to scammers.
Whenever crypto is sent or received, the transaction appears in the wallet's transaction list, where users can check its details: the token, the amount exchanged, and a shortened form of the counterparty's address. The scam poisons the wallet's transaction history by planting scam addresses that look just like the trusted ones next to them, so that victims later copy the wrong address and send funds to the threat actors.
The threat actors select a target, use a vanity address generator to create an address that resembles one the target already deals with, and send the target a small amount of crypto so the look-alike lands in the wallet history. They then count on the victim copying that address for a later transfer, since its shortened form looks the same as a previous contact's.
To steer clear of the scam, MetaMask recommends that users save genuine crypto addresses as contacts with the Address Book feature. You can access the feature by navigating to Settings > Contacts.
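The scam works because wallet UIs abbreviate addresses to a short head and tail, and a vanity address only has to match those characters. The script below is an added example, not MetaMask code: it shows why an address book defeats the trick (recipients are accepted only on an exact match) and how a wallet could proactively flag history entries whose abbreviated form collides with a saved contact. The addresses, labels, history entries and the 6-character head / 4-character tail display format are all assumptions constructed for the example.

```python
"""Added example (not MetaMask code): detect address-poisoning look-alikes in
a wallet's transaction history by comparing each counterparty against a saved
address book, and only ever accept a recipient on an exact match.

The addresses, labels and history entries below are constructed for the
example; the 6-character head / 4-character tail display format is an
assumption that mimics typical wallet UIs.
"""
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-f]{40}$")


def normalize(addr):
    """Lower-case an EVM-style address and reject anything malformed."""
    addr = addr.strip().lower()
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr


def short_form(addr, head=6, tail=4):
    """The abbreviated form a wallet UI shows, e.g. 0x1a2b3c...9a0b."""
    addr = normalize(addr)
    return f"{addr[:2 + head]}...{addr[-tail:]}"


# Constructed data: one trusted contact, one look-alike that shares its
# displayed head and tail, and one unrelated address.
TRUSTED = "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"
LOOKALIKE = "0x1a2b3c" + "deadbeef00112233445566778899aa" + "9a0b"
UNRELATED = "0x9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6"

ADDRESS_BOOK = {TRUSTED: "exchange deposit"}

HISTORY = [
    {"counterparty": TRUSTED, "direction": "out", "amount": "0.5"},
    {"counterparty": UNRELATED, "direction": "in", "amount": "1.0"},
    # The poisoning transfer: a tiny incoming amount from the look-alike.
    {"counterparty": LOOKALIKE, "direction": "in", "amount": "0.000001"},
]


def is_trusted(addr, address_book):
    """True only on an exact (case-insensitive) match with a saved contact."""
    book = {normalize(a) for a in address_book}
    return normalize(addr) in book


def find_lookalikes(history, address_book):
    """Return history counterparties that are not in the address book but
    display identically to a contact that is."""
    by_short = {}
    for saved, label in address_book.items():
        by_short[short_form(saved)] = (normalize(saved), label)
    findings = []
    seen = set()
    for tx in history:
        addr = normalize(tx["counterparty"])
        if addr in seen or is_trusted(addr, address_book):
            continue
        seen.add(addr)
        match = by_short.get(short_form(addr))
        if match:
            trusted, label = match
            findings.append({"seen": addr, "mimics": trusted, "label": label,
                             "direction": tx["direction"], "amount": tx["amount"]})
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(HISTORY, ADDRESS_BOOK):
        print(f"{short_form(f['seen'])} mimics '{f['label']}' ({f['mimics']})")
```

The two defensive points are in `is_trusted` and `find_lookalikes`: the first never compares abbreviated forms, so a vanity address gains nothing from matching the visible characters, and the second turns the attacker's own poisoning transfer into the alert, since that incoming dust transaction is what puts the look-alike into the history in the first place.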
Vice Society Ransomware Attack on Australian Firefighters
Australia’s Fire Rescue Victoria was the victim of a cyberattack in December, the details of which have been recently disclosed. The Vice Society ransomware gang is claiming responsibility for the data breach.
FRV (Fire Rescue Victoria) has over 4500 operational and corporate employees who operate over 85 stations in Victoria. The cyberattack on FRV occurred on 15 December 2022 and affected the organization's internal servers. The threat actors disrupted FRV's IT systems and stole significant amounts of data about current and former employees, job applicants, and contractors. FRV released a notice outlining the stolen information, which includes:
- Full name
- Date of birth
- Health information
- Superannuation details
- Government-issued identity information
- Driver's licence details
- Passport details
- Tax File Numbers
- Birth, death, and marriage certificates
- Residential address (current and previous)
- Email address (current and previous)
- Phone number (current and previous)
- Bank account details (BSB, account name, and number)
- Sensitive information such as sexual orientation, race, disability, religion, qualifications, employment history, criminal history, and political or religious views
The threat actors also accessed FRV's email system, which is still offline, meaning they could have read or stolen email communications. FRV has recommended that all staff reset their passwords, enable MFA, and change any reused passwords. Meanwhile, on 10 January 2023, Vice Society added an entry for FRV on its Tor data leak site with a link to the stolen information.
Dark Pink APT Targeting Governments with Custom Malware
Cyberattacks targeting military bodies and government agencies are on the rise, with threat actors using new custom malware designed to steal confidential data.
Named Dark Pink by Group-IB's researchers, the group employs uncommon tactics and a custom toolkit that spreads malware via USB drives and steals information. Group-IB has outlined that the malware steals data from victims' browsers and messengers, exfiltrates documents, and eavesdrops through the microphones of infected devices.
Considered an APT (Advanced Persistent Threat), the group uses spear-phishing emails for initial compromise and deploys its two custom info-stealers, dubbed Cucky and Ctealer, against governments in the APAC (Asia-Pacific) region. Its use of DLL (Dynamic Link Library) sideloading, event-triggered execution, and MS Office documents packaged inside ISO files makes it a significant threat.
The group carried out seven successful attacks in the second half of 2022, and Anheng Hunting Labs, a Chinese cybersecurity company, is also tracking its activity.
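DLL sideloading, one of the techniques attributed to Dark Pink above, abuses a legitimately signed executable that loads a DLL by name from its own directory; an attacker places a malicious DLL beside it and the trusted binary does the loading. The heuristic below is an added example, not Group-IB's tooling: over constructed image-load events it reports a signed executable loading an unsigned or differently signed DLL from its own directory outside the Windows and Program Files trees. The event schema, paths and publisher names are all assumptions made up for the example.

```python
"""Added example (not Group-IB's tooling): a heuristic for the DLL sideloading
technique attributed to Dark Pink, run over constructed image-load events.
A signed executable that loads an unsigned (or differently signed) DLL from
its own directory, outside the Windows and Program Files trees, is reported
as a sideload candidate.

The event schema and every path and publisher name are assumptions made up
for this example.
"""
import ntpath

# Directories where side-by-side DLLs are expected and not writable without
# admin rights (assumption; tune per estate).
SYSTEM_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed image-load events: process path, its signer (None = unsigned),
# the DLL path it loaded and the DLL's signer.
EVENTS = [
    {"process": r"C:\Program Files\VendorApp\app.exe", "process_signer": "Vendor Ltd",
     "dll": r"C:\Program Files\VendorApp\plugin.dll", "dll_signer": None},
    {"process": r"C:\Users\jo\AppData\Local\Temp\updater.exe", "process_signer": "Vendor Ltd",
     "dll": r"C:\Users\jo\AppData\Local\Temp\version.dll", "dll_signer": None},
    {"process": r"C:\Users\jo\AppData\Local\Temp\updater.exe", "process_signer": "Vendor Ltd",
     "dll": r"C:\Windows\System32\version.dll", "dll_signer": "Microsoft Windows"},
    {"process": r"C:\Users\jo\Downloads\tool\viewer.exe", "process_signer": "Vendor Ltd",
     "dll": r"C:\Users\jo\Downloads\tool\libcurl.dll", "dll_signer": "Other Org"},
    {"process": r"C:\Users\jo\Downloads\tool\dropper.exe", "process_signer": None,
     "dll": r"C:\Users\jo\Downloads\tool\helper.dll", "dll_signer": None},
]


def _norm(path):
    """Normalise a Windows path for comparison; ntpath works on any OS."""
    return ntpath.normpath(path).lower()


def in_system_tree(path):
    return _norm(path).startswith(SYSTEM_PREFIXES)


def is_sideload_candidate(event):
    """Apply the heuristic to one image-load event."""
    proc, dll = _norm(event["process"]), _norm(event["dll"])
    if event["process_signer"] is None:
        return False  # unsigned host: there is no trust to borrow
    if ntpath.dirname(proc) != ntpath.dirname(dll):
        return False  # DLL did not come from the executable's own directory
    if in_system_tree(proc):
        return False  # side-by-side loads are normal in the system trees
    return event["dll_signer"] != event["process_signer"]


def find_sideload_candidates(events):
    """Return (process, dll, reason) tuples for events that match."""
    out = []
    for ev in events:
        if not is_sideload_candidate(ev):
            continue
        if ev["dll_signer"] is None:
            reason = "unsigned DLL"
        else:
            reason = f"DLL signed by {ev['dll_signer']!r}, host by {ev['process_signer']!r}"
        out.append((ev["process"], ev["dll"], reason))
    return out


if __name__ == "__main__":
    for proc, dll, reason in find_sideload_candidates(EVENTS):
        print(f"{proc} loaded {dll}: {reason}")
```

Only the two user-writable side-by-side loads are reported; the same executable picking up the genuine `version.dll` from System32 is not, and neither is an unsigned dropper loading its own helper, which is a different problem that other controls should catch. In a real pipeline the signer fields come from the EDR's image-load telemetry, and the whitelist of system prefixes needs to match how the estate installs software.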
Liquor Control Board of Ontario Hacked to Steal Credit Cards
The LCBO (Liquor Control Board of Ontario), the largest alcohol retailer in Canada, was breached by threat actors who injected malicious code into its website to steal customers' credit card information.
LCBO revealed that its website had been hacked, and the third-party forensic investigators it hired found a credit card stealing script that remained active on LCBO's website for an alarming 5 days, between January 5, 2023, and January 10, 2023.
The organization clarified in its statement that customers who entered their personal information on checkout pages between those dates and proceeded to payment may have had their information compromised.
LCBO is still investigating the attack and identifying all affected customers. While it was active, the malicious script allowed threat actors to harvest both personal and financial information at checkout. The stolen information includes customer names, email addresses, credit card information, Aeroplan numbers, and account passwords.
LCBO has over 8000 employees, 680 retail stores, and 5 regional warehouses. The attack shows that threat actors target every industry, and with new techniques each time.
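A skimming script that survives on a checkout page for days is, from the site owner's side, a change to the page's script inventory that nobody approved. The check below is an added example, not code from LCBO or its investigators: it records every external script URL and the SHA-256 of every inline script from a known-good copy of the checkout page, then reports anything on a later copy that is not in that baseline. The two HTML documents and the hostnames in them are constructed for the example.

```python
"""Added example (not LCBO's or its investigators' code): a script inventory
check for a checkout page. It records every external script URL and the
SHA-256 of every inline script from a known-good copy of the page, then flags
anything on a later copy that is not in that baseline, the kind of drift an
injected card-skimming script would cause.

The two HTML documents and the hostnames in them are constructed.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data, possibly in chunks.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def inventory(html):
    """Return (set of external URLs, set of inline SHA-256 hex digests)."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    hashes = {hashlib.sha256(body.encode("utf-8")).hexdigest() for body in p.inline}
    return set(p.external), hashes


def audit_page(html, baseline):
    """List ('unknown_external', url) / ('unknown_inline', sha256) findings
    for scripts present on the page but absent from the baseline."""
    known_ext, known_inline = baseline
    ext, inline = inventory(html)
    findings = [("unknown_external", u) for u in sorted(ext - known_ext)]
    findings += [("unknown_inline", h) for h in sorted(inline - known_inline)]
    return findings


# Constructed known-good checkout page captured at release time.
KNOWN_GOOD = """<html><head>
<script src="https://static.shop-example.test/checkout.js"></script>
<script>window.shopConfig = {currency: "CAD", step: "payment"};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed later capture: one extra external script and one altered inline.
LATER_CAPTURE = """<html><head>
<script src="https://static.shop-example.test/checkout.js"></script>
<script src="https://cdn.metrics-example.test/collect.js"></script>
<script>window.shopConfig = {currency: "CAD", step: "payment", debug: true};</script>
</head><body><form id="payment"></form></body></html>"""


if __name__ == "__main__":
    base = inventory(KNOWN_GOOD)
    for kind, value in audit_page(LATER_CAPTURE, base):
        print(kind, value)
```

Run on a schedule from outside the hosting environment, this turns "a script stayed active for 5 days" into an alert within one polling interval. It complements, rather than replaces, a Content Security Policy that restricts script sources and Subresource Integrity hashes on the external scripts, which stop unapproved code from running at all rather than merely reporting it.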