🚨 APT41 Targets Gambling Sector in Sophisticated, Persistent Cyber Attack 🎲💥

Oct 25 2024

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s wishing y’all a happy cybersecurity awareness month. Honestly, it’s a thing 😂😂😂 Est. 2004 🛡️

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to Cisco, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Cisco fiasco 💥

🚨 Cisco ASA DoS Flaw Actively Exploited – Update Now! ⚠️

Cisco has issued patches to fix CVE-2024-20481 (CVSS 5.8), a denial-of-service (DoS) vulnerability in Cisco ASA and Firepower Threat Defense (FTD) affecting the Remote Access VPN (RAVPN) service. ⚠️ 

Exploited in a brute-force campaign, this flaw allows unauthenticated attackers to overload the VPN service, potentially requiring a device reboot to restore functionality. 🔧🔌 Cisco recommends enabling logging, applying threat detection, and hardening configurations to defend against attacks. 🛡️💥

Cisco has also patched three critical flaws in FTD Software, Firewall Management Center (FMC), and ASA (CVE-2024-20412, CVE-2024-20424, CVE-2024-20329), each with CVSS scores above 9.0. With network device exploits increasingly targeting major firms, it’s essential to update immediately to protect your infrastructure! 🌐🔥🔐

Now, on to this week’s hottest cybersecurity news stories: 

  • 👨🏻‍💻 Infamous Chinese APT41 tries it hand in gambling scams 🃏

  • 🦹🏿 The hidden risks of Legacy MFA: protect against phishing! 🎣

  • 🧟 Lazurus is back for Halloween. Google Chrome users beware! ⚠️

Chinese hackers roll the dice 🎲

🚨 APT41 Targets Gambling Sector in Sophisticated, Persistent Cyber Attack 🎲💥

⚠️ Security Alert! The prolific Chinese threat actor APT41 (also known as Brass Typhoon and Wicked Panda) has launched a stealthy, multi-stage cyber attack on the gambling and gaming industry. Over nine months, this skilled nation-state group collected sensitive data like network configurations, user passwords, and high-value administrative credentials from the targeted company.

🛠️ A Methodical Infiltration

APT41, tracked by Security Joes and Sophos under Operation Crimson Palace, managed to maintain persistent access by observing the defender’s responses and adapting its toolset and techniques accordingly. This adaptive approach has allowed them to dodge defences and keep their activities hidden over an extended period. 🕵️‍♂️🔐

🕹️ Intricate Attack Techniques

  • DCSync Attack: APT41 used this technique to grab password hashes from service and admin accounts to widen its network access.

  • Phantom DLL Hijacking & LOLBins: Leveraging techniques like Phantom DLL Hijacking and LOLBins (Living Off the Land Binaries), including wmic.exe, allowed the attackers to execute payloads without drawing attention.

  • Obfuscated Communication: When contacting their command-and-control (C2) server, APT41’s malware employs clever tactics, including GitHub scraping to update the C2 server address if the primary C2 fails, giving the operation resilience.

💻 Targeted Exploitation with JavaScript and XSL Files

After initial access, the attackers executed heavily obfuscated JavaScript through an XSL file ("texttable.xsl") to maintain access. This script was designed to fetch additional malware while precisely targeting devices within a specific IP range, 10.20.22.x, which helped them narrow down valuable assets within VPN subnets. 📡

💰 What’s the Endgame?

APT41’s end goals include intellectual property theft and financial gains through espionage, ransomware, and even cryptocurrency mining. According to Security Joes, the attack may have originated from spear-phishing emails, with the attackers likely after both data and financial leverage.

🛡️ Protect Yourself!

Companies in at-risk sectors can take these steps to help prevent attacks from nation-state actors:

  • Enforce multi-factor authentication (MFA) 🛡️

  • Regularly review administrator and service account privileges 🔒 

  • Patch known vulnerabilities promptly, especially in remote access tools 🔄

  • Conduct user training on phishing prevention 🎓

⚔️ APT41’s advanced tactics call for equally robust defence strategies—stay vigilant, and don’t let your security guard down in the high-stakes game of cybersecurity!

📈 Supercharge Your Bitcoin: 15%+ APY + Multiple Points Multipliers

🚀 Earn 15%+ APY on BTC + 3X Lombard Points
💥 MORE points: Babylon, Symbiotic & Corn, Etherfi Veda, and VCX
🔥 $300K VCX pool + 2X multiplier in week 1 – Act fast!

Join now!

Are you taking the phish? 🙃

🚨 The Critical Need for Phishing-Resistant MFA: A New Defense Against Ransomware and AI-Driven Attacks 🔒

⚠️ Cybersecurity Alert! As cyber threats continue to grow more sophisticated, traditional security methods are proving insufficient against evolving tactics like Generative AI-driven phishing and ransomware-as-a-service (RaaS). According to CISA and the FBI’s advisory (AA24-242A), implementing phishing-resistant multi factor authentication (MFA) is now critical, as reliance on outdated methods like SMS-based One-Time Passwords (OTP) is leaving organisations vulnerable to advanced attacks.

📉 Ransomware at Record Levels

This year alone, average ransomware payments have surged by a staggering 500%, hitting $2 million per incident according to Sophos’ "State of Ransomware 2024" report. Meanwhile, median ransomware payments escalated to $20 million in 2023 (up from $1.4 million in 2022) as cybercriminals have leveraged Generative AI to craft nearly undetectable phishing attacks. This rise in attack success underscores the limitations of traditional Multi Factor Authentication (MFA), which is regularly bypassed in ransomware attacks through SIM swapping, phishing, and Man-in-the-Middle (MitM) attacks.

🧠 Generative AI’s Role in Phishing Evolution

Generative AI is significantly enhancing cybercriminals' ability to create realistic phishing emails that evade detection. These AI-powered messages lack the typical spelling errors or awkward phrasing that employees are trained to recognize. Cybercriminals are also exploiting deepfake technology to impersonate trusted voices and video identities, making it easier than ever to trick employees into revealing sensitive data. This advancement, coupled with RaaS tools now readily available on the dark web, means that even low-skilled actors can orchestrate sophisticated attacks, further heightening the need for robust, next-gen security measures.

🔑 Why Phishing-Resistant MFA is Essential

To combat this surge in advanced threats, organisations need to adopt next-generation MFA solutions that are FIDO2-compliant and employ biometric authentication like facial recognition and fingerprints. This approach significantly reduces the risk of successful phishing attempts.

Hardware-Based MFA and Biometrics: These tools are unique to each user and are challenging to compromise. By integrating biometric identifiers, such as fingerprints or facial recognition, organisations can prevent unauthorised access and protect against social engineering attacks.

Seamless User Experience: Biometric MFA not only enhances security but also simplifies access, reducing the likelihood of human error that can lead to breaches.

📈 Protecting Your Organization from Future Threats

In light of today’s cyber landscape, outdated security practices must evolve. Shifting to phishing-resistant, biometric-driven MFA can safeguard organisations from ransomware and data breaches, especially as Generative AI and deepfake attacks become more common. Traditional methods, like SMS OTPs, have proven inadequate against these advanced tactics, and only next-generation, FIDO2-compliant MFA can offer the necessary protection.

Lazarus rises once more 🧟

🚨 Lazarus Group Exploits Zero-Day Chrome Flaw in Sophisticated Social Engineering Campaign 🔒

The notorious North Korean cyber actor, Lazarus Group, has leveraged a zero-day exploit in Google Chrome to execute a highly targeted attack campaign aimed at cryptocurrency sector insiders. In May 2024, cybersecurity vendor Kaspersky identified this elaborate chain of attack, which used a seemingly benign website, “detankzone[.]com,” as a lure to deploy the Manuscrypt backdoor on a targeted system. The campaign, believed to have started in February 2024, reveals the lengths Lazarus is willing to go for financial gain.

🕹️ Fake Game Website as Malware Trap

Disguised as a DeFi-based NFT game page for a tank battle game, the website invites users to download a trial version. However, the site secretly activates a zero-day vulnerability, CVE-2024-4947, in Chrome’s V8 JavaScript engine. By triggering this vulnerability, attackers gain full access to the visitor’s device, exploiting a type confusion bug that Google patched in mid-May 2024. This method of attack, which involves posing as game developers and reaching out to cryptocurrency influencers via email and messaging platforms, was previously noted by Microsoft, who attributed similar tactics to another North Korean cluster known as Moonstone Sleet. 

🕵️ Deep Social Engineering and AI-Driven Promotion

Lazarus Group's campaign extends beyond technical exploits. The actors built a well-maintained presence on social platforms like X (formerly Twitter) and LinkedIn, leveraging generative AI for consistent, realistic promotional content. They reached out to influential figures in the cryptocurrency community to advertise their malicious game, enhancing the credibility of their fake project. Lazarus also enticed targets to download a ZIP file containing a game setup, which included a custom YouieLoad loader, enabling further compromise of the victim’s system.

🔑 Takeaways and Future Threat Predictions

 Lazarus Group’s attack methods highlight their adaptability and technical expertise, combining zero-day exploits with complex social engineering to target victims. By incorporating generative AI into their promotional strategy, they increased the effectiveness of their ruse. As they continue to advance in sophistication, Kaspersky warns that we may see even more intricate schemes from Lazarus, particularly as generative AI empowers cybercriminals to tailor attacks in unprecedented ways.

 For organisations in the cryptocurrency and DeFi sectors, maintaining vigilance and enhancing browser security measures are critical steps in protecting against attacks of this nature.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles