Sep 06 2024
Welcome to Gone Phishing, your weekly cybersecurity newsletter that thinks hackers are about as innocent as Ricky Jones #NotGuilty lol
Patch of the Week!
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it…
Congrats to Cisco, the cybercriminals are no match… for your patch!
Check out this freshly hatched patch
Critical Cisco Flaws Patched! Update Now!
Cisco has released security updates for two critical vulnerabilities in its Smart Licensing Utility, tracked as CVE-2024-20439 and CVE-2024-20440, each with a CVSS score of 9.8. These flaws allow unauthenticated, remote attackers to elevate privileges or access sensitive information. One involves an undocumented static user credential for an administrative account; the other exposes verbose debug logs through crafted HTTP requests.
These flaws are independent of each other but are only exploitable while the Cisco Smart Licensing Utility is actively running. Users of versions 2.0.0, 2.1.0, and 2.2.0 should update to version 2.3.0, which is not vulnerable.
Cisco also patched a command injection vulnerability in its Identity Services Engine (CVE-2024-20469, CVSS 6.0), which allows an authenticated attacker to elevate privileges to root. Affected versions include Cisco ISE 3.2 (3.2P7) and 3.3 (3.3P4). Although proof-of-concept (PoC) exploit code exists, there is no known malicious exploitation yet. Update now to stay safe!
Now, on to this week's hottest cybersecurity news stories:
Bitcoin ATM scammers Madoff with $65M in 1st 1/2 of 2024
Ironic hackers spoof GlobalProtect VPN to deliver WikiLoader
Job seekers beware! N. Korean hackers are coming for you
Bitcoin ATM scams are on the rise, with victims losing a staggering $114 million in 2023, nearly 10 times the $12 million lost in 2020, according to the Federal Trade Commission (FTC). Already, $65 million has been reported lost in just the first half of 2024. These scams are evolving, but the core tactic remains the same: tricking people into paying scammers under false pretences.
How Bitcoin ATM Scams Work
Bitcoin ATMs, found in places like gas stations and grocery stores, allow users to buy and sell cryptocurrency. Scammers exploit this by contacting victims via phone, text, or online pop-ups, often impersonating bank or government officials. They convince victims that their bank accounts have been compromised and urge them to withdraw cash to secure their funds in what the scammers misleadingly refer to as “safety lockers.”
The Scam Process
Once the victim arrives at a Bitcoin ATM, scammers instruct them to deposit their cash by scanning a QR code at the machine. This code directs the funds straight into the scammer's crypto wallet, leaving the victim with nothing. The FTC reports that the median loss from these scams is around $10,000, highlighting the devastating financial impact on individuals.
Warnings and Regulations
The FBI flagged this scam in 2021, prompting states like Vermont and Minnesota to introduce daily transaction limits on crypto kiosks to curb these fraudulent activities. Despite these efforts, the scams continue to thrive, underscoring the importance of verifying any unexpected financial requests and never withdrawing money based on unsolicited instructions.
Other Rising Crypto Scams
Bitcoin ATM scams are just one piece of the larger fraud landscape. Deepfake crypto scams on platforms like YouTube, scammers impersonating journalists to drain digital wallets, and “pig butchering” scams, where victims are groomed over time to invest in fake schemes, are also on the rise. Notably, a former bank CEO was recently arrested for stealing millions in a fraudulent crypto investment.
Stay Safe and Vigilant
As cryptocurrency and related technologies become more mainstream, so do the scams. It's crucial to remain vigilant, verify the legitimacy of all financial communications, and be sceptical of anyone asking you to withdraw or deposit funds in unusual ways. Protect your wallet and your peace of mind!
Cybersecurity researchers have uncovered a new malware campaign that spoofs Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (also known as WailingCrab) loader via a search engine optimization (SEO) campaign. This activity, observed in June 2024, marks a shift from the previously known phishing-based propagation methods used by the malware.
SEO Poisoning as Initial Access
The campaign employs SEO poisoning, a tactic where attackers manipulate search engine results to lure victims into visiting malicious websites that spoof legitimate results. In this case, the attackers cloned websites and relabeled them as GlobalProtect, leveraging cloud-based Git repositories to host the fake software. When users search for GlobalProtect, they are shown Google ads that redirect them to these malicious pages, initiating the infection process.
How the Malware Operates
Victims who download the fake GlobalProtect software are tricked into running an MSI installer containing an executable named "GlobalProtect64.exe." This executable is actually a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab) that is used to sideload a malicious DLL called "i4jinst.dll." This sequence ultimately leads to the execution of shellcode that downloads and launches the WikiLoader backdoor from a remote server.
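As an added defender-side illustration (not code from the newsletter or from the researchers it cites), here is a small Python check over constructed Sysmon-style ImageLoad records that flags the sideloading shape described above: either a DLL name taken from the report, or an unsigned DLL loaded by a program from its own directory under a user-writable path. The field names follow Sysmon Event ID 7; the sample records and the Tool.exe and setup.exe paths are made up.

```python
import ntpath
import re

# Constructed Sysmon-style Event ID 7 (ImageLoad) records modelled on the
# GlobalProtect64.exe -> i4jinst.dll chain described above; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\GlobalProtect\GlobalProtect64.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\GlobalProtect\i4jinst.dll",
     "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\GlobalProtect\GlobalProtect64.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    {"Image": r"C:\Program Files\ExampleVendor\Tool.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVendor\helper.dll",
     "Signed": "false"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\version.dll",
     "Signed": "false"},
]

# DLL name taken from the report; extend as further sideloaded names are published.
KNOWN_SIDELOADED_DLLS = {"i4jinst.dll"}

# Locations a standard user can write to. A program loading an unsigned DLL
# from its own directory inside one of these is the classic sideloading shape.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)(\\|$)", re.I)


def classify(event):
    """Return a reason string if the ImageLoad looks like DLL sideloading, else None."""
    proc_name = ntpath.basename(event["Image"])
    proc_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    if dll_name in KNOWN_SIDELOADED_DLLS:
        return f"known sideloaded DLL {dll_name} loaded by {proc_name}"
    if (event["Signed"].lower() == "false" and dll_dir == proc_dir
            and USER_WRITABLE.match(dll_dir)):
        return f"unsigned {dll_name} loaded from user-writable directory next to {proc_name}"
    return None


def find_sideloads(events):
    """Run classify() over a batch of events and keep only the hits."""
    return [(e["Image"], reason) for e in events if (reason := classify(e))]


if __name__ == "__main__":
    for image, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

The unsigned-DLL heuristic will also fire on legitimately unsigned helpers unpacked into Downloads or Temp, so treat it as a triage signal and keep the name watchlist as the high-confidence rule.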
๐ก๏ธ Evading Detection
To enhance its effectiveness and evade detection, the malware employs various anti-analysis techniques. It checks if it's running in a virtualized environment and terminates itself if processes related to virtual machine software are detected. Additionally, the campaign uses spoofed, compromised, and legitimate infrastructure to bolster the operational security and robustness of the loader, featuring multiple command-and-control (C2) configurations. ๐ก๏ธ๐ซ
โ ๏ธ Fake Error Messages and Deceptive Tactics
To further deceive victims and create an illusion of legitimacy, the installer displays a fake error message at the end of the process, claiming that certain libraries are missing from the user's Windows computer. This tactic helps mask the true nature of the malware and reduces suspicion among victims. ๐ฅ๏ธโ ๏ธ
๐ Shift from Phishing to SEO Poisoning
The reason behind the shift from phishing emails to SEO poisoning as the malware's delivery mechanism remains unclear. Researchers from Unit 42 speculate that this could be the work of a new initial access broker (IAB) or a strategic move by existing groups in response to public disclosures of previous tactics. The malware, first documented by Proofpoint in August 2023, is known to be linked to the threat actor TA544 and has been used to deploy other malware like Danabot and Ursnif. ๐งโก๏ธ๐
๐ Global Reach
The disclosure of this campaign comes shortly after Trend Micro identified a similar campaign targeting users in the Middle East with backdoor malware through fake GlobalProtect VPN software. This highlights the broad and evolving threat landscape as attackers continuously adapt their strategies to bypass security measures and reach more victims globally. ๐๐ฉ
๐ก๏ธ Stay Vigilantย
Users are advised to be cautious when downloading software and ensure they are accessing official websites. Always double-check URLs, avoid clicking on suspicious ads, and consider using reputable cybersecurity tools to detect and block malvertising threats. ๐ก๏ธ๐
North Korean threat actors, identified as part of the Lazarus Group (also known as Famous Chollima), have launched a new malware campaign dubbed "Contagious Interview" that leverages fake video conferencing software to compromise developer systems. This campaign, also tracked as DEV#POPPER, involves impersonating FreeConference.com with a phony application that installs malware on targeted devices.
Spoofing Legitimate Software
Detected by Singaporean cybersecurity firm Group-IB in mid-August 2024, this campaign marks a continuation of Lazarus Group's tactics, including distributing malware through native installers for both Windows and macOS. Initially, the attackers used fictitious job interviews to lure victims into downloading and running Node.js projects containing BeaverTail, a downloader malware that deploys InvisibleFerret, a cross-platform Python backdoor with capabilities for remote control, keylogging, and browser data theft.
Recent Developments
Starting in July 2024, the malware distribution method evolved to include Windows MSI installers and macOS disk images (DMG) disguised as the legitimate MiroTalk video conferencing software. However, the latest attack wave replaced MiroTalk with FreeConference.com, using an installer named "FCCCall.msi" hosted on a malicious website, freeconference[.]io, which shares the same registrar as the fraudulent mirotalk[.]net site.
Social Engineering Tactics
The attack often begins on job search platforms like LinkedIn, We Work Remotely (WWR), Moonlight, and Upwork, where Lazarus Group scouts for potential victims. After establishing initial contact, the attackers typically move conversations to Telegram, where they persuade job seekers to download a video conferencing app or a Node.js project under the guise of a technical task required for a job interview.
Expanding Infection Vectors
The attackers have been diversifying their infection vectors by injecting malicious JavaScript into cryptocurrency- and gaming-related repositories, retrieving BeaverTail JavaScript code from domains like ipcheck[.]cloud and regioncheck[.]net. This approach was also noted by security firm Phylum in connection with a malicious npm package called helmet-validate, suggesting a broadening of their propagation methods.
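An added example, not code from the newsletter or from Group-IB or Phylum, of how a team could vet a "technical task" repository before anyone runs npm install on it: it checks package.json for the helmet-validate package and for install-time lifecycle hooks that reach the two BeaverTail hosts named above, and scans JavaScript source for the same hosts. The sample package.json and script are constructed; only the two domains and the package name come from the report.

```python
import json
import re

# Indicators from the report above, kept defanged exactly as the page prints them.
DEFANGED_DOMAINS = ["ipcheck[.]cloud", "regioncheck[.]net"]
# npm package named in the report; a real audit would also pull a current blocklist.
BAD_PACKAGES = {"helmet-validate"}
# Lifecycle hooks that run automatically on `npm install`, i.e. where a task
# repo can execute code before the candidate reads a single line of it.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def refang(indicator):
    """Turn 'ipcheck[.]cloud' back into 'ipcheck.cloud' so it can be matched."""
    return indicator.replace("[.]", ".")


DOMAIN_RE = re.compile("|".join(re.escape(refang(d)) for d in DEFANGED_DOMAINS), re.I)


def audit_package_json(text):
    """Return findings for a package.json body: blocklisted deps and hooks that call out."""
    pkg = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name in pkg.get(section, {}):
            if name in BAD_PACKAGES:
                findings.append(f"{section}: {name} is a blocklisted package")
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS and DOMAIN_RE.search(cmd):
            findings.append(f"scripts.{hook} contacts a known BeaverTail host: {cmd}")
    return findings


def audit_js_source(src):
    """Return the known BeaverTail hosts referenced by a JavaScript source file."""
    return sorted({m.group(0).lower() for m in DOMAIN_RE.finditer(src)})


# Constructed sample inputs, not files from any real repository.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "trading-bot-task",
    "dependencies": {"express": "^4", "helmet-validate": "^1.0.0"},
    "scripts": {"postinstall": "node -e \"require('http').get('http://regioncheck.net/')\""},
})
SAMPLE_JS = "const u = 'https://ipcheck.cloud/check'; fetch(u).then(r => r.text());"

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(finding)
    print("hosts referenced:", audit_js_source(SAMPLE_JS))
```

Running the audit with `npm install --ignore-scripts` as the default for unknown repositories removes the lifecycle-hook path entirely, which is the cheaper control.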
โ๏ธ Continuous Refinement and Expansion
The emergence of CivetQ and other modular updates highlight the active development and evolving sophistication of Lazarus Group's tools. These enhancements reflect the group's ongoing commitment to refining their tactics, with no indication of slowing down as their campaign extends into late 2024. The Lazarus Group has adapted their strategies to exploit new platforms and targets, showing increased creativity and reach. ๐ ๏ธ๐งโ๐ป
๐ก๏ธ Stay Vigilant
Job seekers, developers, and companies should exercise caution when downloading software or engaging with unsolicited job opportunities. Verify the legitimacy of all communications and software downloads, particularly those involving unfamiliar platforms or requests to install additional applications during the hiring process. Ensure robust cybersecurity measures are in place to detect and mitigate these sophisticated threats. ๐ก๏ธ๐ซ
That's all for this week, folks!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
๐ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐
๐ตCrypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐
๐Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐พ
Let us know what you think.
So long and thanks for reading all the phish!