Fighting cybercriminals and staying safe demands up-to-date knowledge of the cybersecurity landscape. This week’s cybersecurity bulletin shares the latest cybersecurity news from around the world: energy sector breaches, Sharkbot malware’s return via Android, $300,000 stolen in a credential stuffing attack, a crypto-stealing Chrome extension, the arrest of a Zeus gang leader, and North Korean hackers targeting European organizations for financial gain.
Energy Enterprises Breached due to Web Server Bugs
Malicious actors have breached multiple energy enterprises due to Microsoft web server bugs. Microsoft discontinued the web server in 2015, but the security vulnerabilities in the web server, which energy sector organizations still use, have led to the breaches.
The threat actors are believed to be Chinese state-sponsored cybercriminal groups that have targeted multiple electrical grid operators in India in order to compromise the country’s national emergency response system. They gained network entry using Internet-facing DVR/IP camera devices as C2 (Command and Control) infrastructure for their malware infections and open-source tools. The attacks were discovered by Recorded Future in April 2022, which said that the threat actors compromised the Boa web server, a component used for login and access to IoT (Internet of Things) device consoles.
The servers are being compromised through an arbitrary file access vulnerability, CVE-2017-9833, and an information disclosure vulnerability, CVE-2021-33558. Together these vulnerabilities allow the threat actors to achieve RCE (Remote Code Execution) without any authentication.
Microsoft has clarified that Boa servers were running on the IP (Internet Protocol) addresses listed in the IOCs (Indicators of Compromise) published by Recorded Future. One of the most significant attacks in which a Boa server was compromised was last month’s Hive ransomware attack on Tata Power, India’s largest power organization.
Sharkbot Malware Infecting Android File Manager Applications
The Sharkbot banking Trojan has been targeting devices by posing as Android file manager applications on Google Play. The applications evade detection because they do not contain the malware themselves but fetch the malicious payload from remote sources after installation.
The Sharkbot malware steals financial information and login credentials by overlaying fake login forms on top of the legitimate ones in banking applications. Analysts at Bitdefender uncovered the latest file manager disguise of the Sharkbot malware and reported the applications to Google, which has removed them from Google Play. Still, thousands of individuals have these applications installed and may be in harm’s way. The malicious applications are:
- X-File Manager by Victor Soft Ice LLC – 10,000 downloads
- File Voyager by Julia Soft Io LLC – 5000 downloads
Both applications perform anti-emulation checks to evade detection and load the Sharkbot malware only on devices with Italian or British SIMs, making this a targeted campaign. Individuals who have the applications installed should remove them immediately and stick to official applications from genuine vendors.
$300,000 Stolen in Credential Stuffing Attack
DraftKings, a sports betting organization, was the victim of a credential-stuffing attack in which hackers made away with $300,000. DraftKings is still investigating reports from multiple customers affected by the attack.
All the hijacked accounts had a common initial $5 deposit, after which the threat actor changed the password and enabled 2FA (Two-Factor Authentication) with a different phone number so the account holder could no longer access the account. The threat actor then withdrew as much money as possible. The organization believes that the login information for the compromised accounts was obtained from other websites where customers had reused the same passwords, and has found no evidence that its own systems were breached.
Multiple affected customers have taken to social media to voice their frustration. DraftKings has clarified that a little less than $300,000 was stolen by the cybercriminals and that the organization will compensate the customers affected by the account takeovers.
DraftKings has also recommended that unaffected customers immediately enable 2FA on their accounts, remove stored financial information such as card numbers, and unlink any connected bank accounts until the platform is confirmed safe.
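The takeover pattern described above (a small probe deposit, then a password change, then a new 2FA number, then a withdrawal) is something a platform's fraud team can hunt for in its own account-event logs. The following is an added example, not DraftKings' code; the event log format and the sample events are constructed for illustration, and it also checks for one attacker-controlled 2FA number being enrolled across several accounts.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, account, event, detail)
EVENTS = [
    (101, "alice", "deposit", "5"),
    (102, "alice", "password_change", ""),
    (103, "alice", "mfa_enroll", "+1555000111"),
    (110, "alice", "withdraw", "2400"),
    (106, "bob", "deposit", "5"),
    (107, "bob", "password_change", ""),
    (108, "bob", "mfa_enroll", "+1555000111"),
    (120, "bob", "withdraw", "900"),
    (131, "carol", "deposit", "50"),
    (200, "carol", "withdraw", "20"),
]

TAKEOVER_SEQUENCE = ("deposit", "password_change", "mfa_enroll", "withdraw")

def find_takeover_sequences(events, probe_amount="5", window=3600):
    """Accounts showing a $probe_amount deposit, password change, new MFA
    enrolment and withdrawal, in that order, within `window` seconds."""
    by_account = defaultdict(list)
    for ts, acct, kind, detail in sorted(events):
        by_account[acct].append((ts, kind, detail))
    flagged = {}
    for acct, evs in by_account.items():
        stage, start = 0, None
        for ts, kind, detail in evs:
            if kind != TAKEOVER_SEQUENCE[stage]:
                continue
            if stage == 0:
                if detail != probe_amount:
                    continue
                start = ts
            elif ts - start > window:  # chain too slow: start over
                stage, start = 0, None
                continue
            stage += 1
            if stage == len(TAKEOVER_SEQUENCE):
                flagged[acct] = ts  # timestamp of the withdrawal
                break
    return flagged

def shared_mfa_numbers(events, threshold=2):
    """MFA numbers enrolled on `threshold`+ accounts: one attacker number reused."""
    owners = defaultdict(set)
    for _, acct, kind, detail in events:
        if kind == "mfa_enroll":
            owners[detail].add(acct)
    return {n: sorted(a) for n, a in owners.items() if len(a) >= threshold}
```

Running both checks over the sample log flags alice and bob (same sequence, same new 2FA number) while carol's ordinary deposit and withdrawal pass untouched.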
Crypto Stealing Google Chrome Extension
VenomSoftX, a malicious Google Chrome extension, steals information and cryptocurrency by reading the clipboard content while individuals browse the web. The extension has been stealing crypto since 2020 and has been disclosed by multiple security researchers before.
Fortinet’s researchers identified the Chrome extension as being installed by the ViperSoftX Windows malware, a RAT (Remote Access Trojan) and cryptocurrency stealer. Avast has blocked nearly 93,000 ViperSoftX infection attempts, detected in Italy, Brazil, India, and the US. ViperSoftX is also distributed via torrent files linked to game cracks and software activators.
The extension downloads a malware loader that decrypts AES (Advanced Encryption Standard)-encrypted content, creates various files to compromise the device, and diverts cryptocurrency transactions to the threat actors’ wallet addresses, which are hardcoded in the extension. The extension masquerades as “Google Sheets 2.1” or “Update Manager” to stay hidden on the victim’s device and steals crypto by hooking API (Application Programming Interface) requests to popular exchanges on which the victims hold accounts.
Individuals are advised to vet extensions carefully before installing them and should visit the browser’s extensions page to check whether “Google Sheets” is installed as an extension and remove it if so. Cryptocurrency enthusiasts and investors should remove these extensions and clear their browsing data to ensure complete removal.
Zeus Cybercriminal Ring Leader Arrested
Tank, the leader of the JabberZeus cybercriminal gang, has reportedly been arrested. The cybercriminal is awaiting extradition to the US but can still appeal the decision of the Swiss FOJ (Federal Office of Justice).
Vyacheslav Igorevich Penchukov, known as Tank, was arrested last month in Geneva and has been linked to multiple cyberattacks ranging from bank account theft to ransomware. The threat actor also managed the Maze and Egregor ransomware operations, which popularized double-extortion attacks: stealing valuable information and then pressuring victims to pay ransoms.
Tank was also a prime suspect in a 2021 international law enforcement operation in Ukraine targeting the ransomware gang’s members but evaded prosecution due to his political connections. As a leader of the Zeus cybercriminal gang, Tank stole financial information and has been charged, along with eight other individuals, with conspiring to participate in “racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud.”
Tank’s co-conspirators were apprehended earlier; they pleaded guilty in 2014 after extradition from the UK and were sentenced to 2 years and 10 months in prison.
European Organizations Targeted by North Korean Hackers
North Korean hackers are using a new, updated version of the DTrack backdoor to target organizations in Europe and Latin America. The tool is a modular backdoor with advanced capabilities: it can act as spyware, perform file operations, and exfiltrate data.
Kaspersky, which analyzed the DTrack backdoor, observed increasing activity in India, Brazil, Germany, Mexico, Switzerland, Turkey, the US, and Italy, targeting government research centers, policy institutes, IT and telecommunication service providers, and educational institutes.
DTrack is distributed disguised as legitimate executables and is installed after breaching organizational networks using stolen credentials or by exploiting Internet-exposed servers. Once installed, the malware decrypts its payload, which is loaded via process hollowing and runs directly from the system’s memory. The new DTrack backdoor uses API hashing to resolve the functions and libraries it loads and has only three C2 servers, half as many as its predecessor.
Kaspersky attributes the DTrack backdoor to Lazarus, a North Korean cybercriminal group, and notes that the threat actor deploys the backdoor where there is potential for financial gain.