This week’s cybersecurity bulletin takes you through the top cybersecurity news: how Microsoft has been sued, the UK government’s scanning of all Internet-exposed devices, the evolution of the Robin Banks phishing service, malicious applications on Google Play, how hackers stole $11 million from African banks, and a fresh clipboard stealer that replaces crypto wallet addresses.
Microsoft Sued for Open-Source Code Piracy
Microsoft, along with GitHub and OpenAI, has been sued by Matthew Butterick, a lawyer and programmer. Butterick has argued that GitHub’s Copilot programming aid violates open-source licensing terms.
GitHub’s Copilot is an AI (Artificial Intelligence) based tool that aids programmers by generating source code suggestions in real time inside Microsoft Visual Studio. Released in June 2022, the tool does speed up writing code. However, since it is built on OpenAI Codex, which was trained on public open-source code, questions have been raised about whether the tool violates licensing terms. Where open-source licenses such as Apache and MIT require attribution to the original author, Copilot reproduces code snippets without giving any attribution.
Butterick is represented by the law firm Joseph Saveri, which commented, “It appears Microsoft is profiting from others’ work by disregarding the conditions of the underlying open-source licenses and other legal requirements.”
Butterick has also reported evidence of Copilot leaking secrets such as API (Application Programming Interface) keys that were committed to public repositories.
Butterick has submitted his complaint to the US District Court of the Northern District of California and is demanding a whopping $9,000,000,000.
UK’s Government Scanning all Internet Devices in the Country
The NCSC (National Cyber Security Centre), the UK government agency leading the country’s cybersecurity mission, is scanning all Internet-exposed devices hosted in the nation to assess the country’s vulnerability to cyberattacks.
The NCSC is carrying out the scanning as part of its mission to make the UK the safest place to live and work online. The NCSC’s website outlines the objectives of the scanning programme: to assess the vulnerability and security of the country, to help system owners understand their security posture, and to support effective incident response.
The NCSC scans all internet-accessible systems hosted in the UK, interacting with them as an ordinary network client would. It collects and stores every response returned to its requests, including the date and time of the request and the IP (Internet Protocol) addresses of both endpoints. The NCSC states that it does not store personal data; if any is discovered in a response, it is removed and steps are taken so that it is not captured again.
If you wish to opt your servers out of scanning, you can contact email@example.com with a list of IP addresses to be excluded from future scans.
Robin Banks Phishing Service Returns with Russian Servers
The Robin Banks PhaaS (Phishing as a Service) platform has returned, moving its infrastructure to a Russian server and adding a cookie stealer.
Robin Banks emerged as a PhaaS platform in March 2022, offering threat actors a service for creating phishing pages. The platform was notorious for attacking the US, UK, Canadian, and Australian financial sectors. It was disrupted when Cloudflare cut ties with it after discovering the platform targeting Citibank, Capital One, PNC, Wells Fargo, and other banks.
However, the Robin Banks platform is back after a brief dry spell. It has shifted its operations to DDoS-Guard, a Russian service provider infamous for controversial customers such as Hamas, Parler, and Kiwi Farms. The platform has also introduced a cookie-stealing tool, sold as an add-on, that allows its phishing kit to bypass MFA (Multi-Factor Authentication) by capturing the victim’s authenticated session cookies.
Researchers at IronNet analyzed Robin Banks and report that the platform’s phishing kit is built from open-source code. The cookie-stealing feature is mainly a way of attracting more serious cybercriminals to the platform.
Organizations and individuals should educate themselves on phishing, utilize MFA for all accounts, and be alert.
Malicious Google Play Application Gets Over 1 Million Downloads
Google Play, the official application store for Android smartphones, was found hosting four malicious applications that direct victims to websites designed to steal information and generate revenue via a “pay-per-click” scheme.
The malicious sites ask victims to download fake updates and security tools, tricking them into installing the files manually. The developer account behind the malicious applications, Mobile apps Group, has an install count of over 1 million. Malwarebytes, which investigated the developer, notes that the account had already been exposed twice for distributing adware, yet it remained active and was distributing four malicious applications:
- Bluetooth Auto Connect (1,000,000 installs)
- Bluetooth App Sender (50,000 installs)
- Driver: Bluetooth, Wi-Fi, USB. (10,000 installs)
- Mobile transfer: Smart Switch (1,000 installs)
Android users have left complaints in the applications’ reviews, and the account has even replied, offering help with the advertising issues. Malwarebytes highlighted that the applications wait 72 hours after installation before showing ads or opening phishing links, and then repeat this every two hours. The phishing pages open even while the device is locked.
Google Play has banned the developer and taken the applications down. Still, the developer could return under another account, so it is best to stick to official applications to stay protected.
Hackers Steal $11 Million from Banks and Telcos
OPERA1ER, a cybercriminal group, has stolen over $11 million from African financial institutions and telecommunication organizations.
The threat actor carried out over 35 successful attacks between 2018 and 2022 and evolved its TTPs (Tactics, Techniques, and Procedures) in 2021. The group has members fluent in French who operate from Africa, and it has also targeted Argentinian, Paraguayan, and Bangladeshi enterprises. Using open-source tools and frameworks such as Metasploit and Cobalt Strike, OPERA1ER gains initial access via spear-phishing campaigns: emails posing as invoices and postal delivery notifications deliver the first-stage malware as attachments.
The threat actors have been known to drop NetWire, BitRAT, VenomRAT, AgentTesla, Remcos, Neutrino, and BlackNET malware, compromising the organization’s infrastructure and staying inside the network for 3 to 12 months. They steal credentials to access email accounts and use them for lateral phishing. The group steals money by studying the internal documentation, targeting operator accounts with large deposits, and using the stolen credentials to channel the money into subscriber accounts.
OPERA1ER cashes out via ATMs using a network of over 400 subscriber accounts, according to Group-IB’s report. Individuals should avoid opening suspicious email attachments and invest in reputable anti-virus and anti-malware software.
Clipboard Stealer Replacing Crypto Wallet Addresses
Laplas Clipper, a new clipboard stealer with multiple features, has been identified in the wild. The tool gives threat actors control over and insight into their operations and is being used to swap crypto wallet addresses copied to the clipboard.
The tool is sold as a subscription that threat actors manage via a web portal. The number of clipper samples observed rose from 20 to 55 within a month, and they are distributed via Raccoon Stealer 2.0 and Smoke Loader, showing how it is enticing the cybercriminal community.
Laplas Clipper follows the footsteps of standard clipboard stealers, but it replaces the victim’s crypto wallet address with a lookalike address that can escape even keen-eyed individuals. The tool generates a new address within a second and can generate wallets for Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Dogecoin, Monero, Algorand, Ravencoin, Ripple, Zcash, Dash, Ronin, Tron, Tezos, Solana, Cardano, Cosmos, Qtum, and Steam Trade URLs.
It is recommended that individuals avoid downloading executables from questionable websites and avoid opening unsolicited email attachments, so that the malware does not reach them. For investors, it is best to validate the recipient address before sending cryptocurrency.
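As an added example (not code from the bulletin or from any product it mentions), the following Python implements the pre-send validation recommended above for legacy Bitcoin addresses: it verifies the Base58Check checksum of the address about to be sent, compares it with the address obtained from a trusted source, and reports how many leading and trailing characters a substituted address shares, since clippers like this one choose lookalikes that match both ends. It assumes legacy (Base58Check) addresses only, not bech32 or Ethereum formats; the encoder and the sample payloads in the test are constructed solely to produce demonstration data.

```python
import hashlib
from os.path import commonprefix
from typing import Optional, Tuple

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Base58, no 0/O/I/l


def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of double-SHA256, as Base58Check uses."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    """version byte + 20-byte hash -> address; used here only to build constructed test data."""
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte becomes a '1'
    return "1" * pad + out


def base58check_decode(addr: str) -> Optional[bytes]:
    """Return the versioned payload if the checksum verifies, else None."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return None  # not even a Base58 string
        n = n * 58 + ALPHABET.index(ch)
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]


def shared_ends(intended: str, actual: str) -> Tuple[int, int]:
    """Common prefix and suffix lengths: a clipper picks lookalikes that match both ends."""
    p = len(commonprefix([intended, actual]))
    s = len(commonprefix([intended[p:][::-1], actual[p:][::-1]]))
    return p, s


def check_before_send(intended: str, pasted: str) -> Tuple[str, int, int]:
    """Compare the address about to be sent with the one from a trusted source."""
    p, s = shared_ends(intended, pasted)
    if base58check_decode(pasted) is None:
        return "invalid", p, s  # corrupted, or not a legacy Base58Check address
    if pasted == intended:
        return "ok", p, s
    return "swapped", p, s  # a valid address, but not the one you copied
```

A "swapped" verdict with a long shared prefix and suffix is exactly the pattern a lookalike-generating clipper produces, and it is the case a visual spot check of the first and last few characters misses.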