Staying a step ahead of cybercriminals means knowing their tactics and attack methods. Our news bulletin brings you the latest tactics and cybersecurity news to empower you so you can fight back and keep yourselves safe.
This week, we shed light on the latest sanctions on Russian FSB hacking group members, the Austal USA data breach, a new open-source library flaw that puts a risk to smart contracts and NFTs, and details of the novel Raccoon malware.
UK and Allies Reveal Russian FSB Hacking Group, Impose Sanctions on Members
The UK National Cyber Security Center (NCSC) is warning about a new attack campaign.
The attacks are being carried out by Seaborgium and are targeting organizations with spear phishing campaigns to make away with login credentials and data. Seaborgium also goes by Callisto and Star Blizzard. This is an Advanced Persistent Threat (APT) group that has been carrying out cyber attacks since 2015. The threat actors are launching spear phishing attacks on government organizations, politicians, and NGOs.
The threat actors make contact with the victims using social media platforms like LinkedIn. After that, they build a rapport with the victim and send malicious links that are hidden in PDF documents. These PDFs are hosted on Google Drive or OneDrive, taking the victim to a phishing site.
The sites are protected by CAPTCHA and the operation is backed by the EvilGinx proxy attack framework. The threat actors make away with credentials and session cookies and use the information to access email accounts, setting up email forwarding to target more individuals. It is advisable to remain vigilant by implementing essential spear phishing prevention strategies against such attacks.
An international law enforcement unit has already identified two members of Callisto (Aleksandrovich Peretuatko and Andrey Stanislavovich Korinets) and sanctioned them.
Austal USA, Navy Contractor, Affirms Cyberattack Following Data Leak
Austal USA, a shipbuilding organization that frequently contracts with the US Department of Defense (DOD) and the Department of Homeland Security (DHS) confirmed news of a cyberattack.
The Australian organization makes high-performance aluminum vessels and is under contract with many US Navy combat ship programs. Austal also has a $3.3 billion contract for making the US Coast Guard’s patrol cutters. The Hunters International ransomware gang claimed that they had breached the organization and also leaked proof of the attack.
Austal USA confirmed the attack, saying they discovered a data incident and were able to mitigate it without any impact on operations. Currently, regulatory authorities like the FBI and the Naval Criminal Investigative Service (NCIS) are investigating the situation.
Austal USA did share that no personal or classified information was stolen or accessed. On the other hand, Hunters International is threatening to publish more stolen data in the coming days. They claim they have compliance documents, finance details, engineering data, and more.
Open-Source Library Flaw Puts Numerous NFT Collections in Jeopardy
There is a vulnerability in a common open-source Web3 space library that can compromise pre-built smart contracts and NFT collections.
Thirdweb discovered the vulnerability and shared minimal details. The organization discovered the flaw on 20 November and pushed a fix two days later. They have not disclosed the name of the library or the type of vulnerability so threat actors cannot misuse it. Thirdweb also contacted the maintainers of the library and shared that the following smart contracts are affected by the flaw:
- AirdropERC20 (v1.0.3 and later), ERC721 (v1.0.4 and later), ERC1155 (v1.0.4 and later) ERC20Claimable, ERC721Claimable, ERC1155Claimable
- BurnToClaimDropERC721 (all versions)
- DropERC20, ERC721, ERC1155 (all versions)
- MarketplaceV3 (All versions)
- Multiwrap, Multiwrap_OSRoyaltyFilter
- OpenEditionERC721 (v1.0.0 and later)
- Pack and Pack_OSRoyaltyFilter
- TieredDrop (all versions)
- TokenERC20, ECRC721, ERC1155 (all versions)
- SignatureDrop, SignatureDrop_OSRoyaltyFilter
- Split (low impact)
- TokenStake, NFTStake, EditionStake (all versions)
People are complaining about the lack of transparency and asking for the CVE. Thirdweb has not shared anything but did advise individuals to lock vulnerable contracts, save a snapshot, and migrate it to a new one using the non-vulnerable version of the library.
Hackers Employ Fresh Agent Raccoon Malware to Backdoor US Targets
Threat actors are targeting US, Middle Eastern, and African organizations with a new malware called Agent Raccoon.
The cybercriminals are believed to be nation-state threat actors with espionage as the primary goal. Agent Raccoon is .NET malware. It disguises itself as a Google Update and uses the DNS (Domain Name Service) protocol to establish communication with the attacker’s C2 (Command and Control) server. The backdoor leverages Punycode-encoded subdomains and random values for evasion.
Unit 42 shared that the malware executes by scheduled tasks and can execute remote code, upload and download files, and provide remote access to the affected systems.
Furthermore, there are many samples of Agent Raccoon that have slight code changes and optimizations. The threat actor behind the malware is actively developing it for threat operations. Several available tools for malware protection can defend against these types of attacks.