Espionage discovered on foreign embassies in Belarus

Aug 15 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s ‘terminally online’ so you don’t have to be 😵‍💫 Dw, we got you covered 😉

Today’s hottest cybersecurity news stories:

  • 🥸 ‘MoustachedBouncer’ espionage discovered on foreign embassies in Belarus 🏛️

  • 💰 Ransomware: Canadian dental firm fights tooth and nail to retrieve stolen data 😬

  • 🛒 Magento online shopping cart fails to patch 9.8 severity flaw. Enter ‘Xurum’ 💀

MoustachedBouncer: Sorry lads, not tonight 😂

🌟 MoustachedBouncer's Decade-Long Espionage! 🌟

So, there’s a new sheriff in town, codename: MoustachedBouncer, and he’s been causing a stir in the digital world. These cyber espionage wizards have been up to no good since 2014 (jeez nearly a decade undetected!), and they've been targeting foreign embassies in Belarus 🏢🕵️‍♂️.

Matthieu Faou, the security Sherlock at ESET, has dubbed them "skilled and advanced." Fancy lingo, but what does it mean? These folks are no amateurs! They've got a bag of tricks that includes NightClub and Disco 🕵️‍♀️💻. Think of it like a cyber dance-off, but with a twist.

NightClub and Disco 🌃🎉 are not your typical party starters. They're Windows malware frameworks with fancy spying plugins, like a screenshotter 📸, an audio recorder 🎙️, and a file stealer 🕵️‍♂️🕶️. These mischievous tools have been causing quite the commotion.

These elusive cyber ninjas are believed to be in cahoots with another shadowy character called Winter Vivern 🤝. This APT superstar has a reputation for targeting government officials in Europe and the U.S. 🌐👤.

So, what's their USP? They mess with internet access, pretending it's a captive portal, making Windows believe it's behind a legit Windows Update 🌐📡. Crafty, right? They've even got two ISPs, Unitary Enterprise A1 and Beltelecom, suspected to be in on the scheme! 😱🌐🔒

Victims landing on their bogus update page are in for a wild ride. They're encouraged to install "critical" updates, which turns out to be a Go-based installer that sets up more plugins.

These plugins capture screenshots, run PowerShell scripts, and set up a reverse proxy. Talk about high-tech trickery! 📊🔒

Here's the kicker: these cyber rascals are using Server Message Block (SMB) magic to exfiltrate data, making their infrastructure practically indestructible 💪📥.

Additionally, in the January 2020 attack, they whipped out a C# dropper called SharpDisco 📥🕵️‍♂️. It's like a Swiss Army knife for cyber mischief, helping them enumerate drives and sneakily exfiltrate files 🕵️‍♀️💻.

Oh, and there's a DNS-tunnelling backdoor too! It's like they're playing hide-and-seek with your data, slipping it into subdomains, making it hard to catch 🕵️‍♂️🌐.

🛡️Top Tips:

If you're in a foreign land where the internet isn't your buddy, get cosy with an end-to-end encrypted VPN 🌐🔒. It's the cyber equivalent of a secret passage, keeping your internet traffic safe and sound 🛡️🔒. A few we’d recommend are ExpressVPN, NordVPN, or AVG Secure VPN.

Stay safe out there, and keep your cyber shields up! 💻🔐

I came across ZZZ money club during the crypto market bull run when everyone’s a winner, even during the bear market this discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

Its run by Yourfriendandy and Decadeinvestor, you can find them here on YouTube, both top guys with great content.

If you are interested in joining the group you can through the link below.

Alberta Dental: Paying ransom was like pulling teeth 🦷🦷🦷

🔐 We DO negotiate with terrorists 🙈

Oh, Canada! 🇨🇦 The folks running government dental programs just had a wild ride with hackers 🦹‍♂️🦹‍♀️. Nearly 1.5 million people are getting the news that their data got snatched in a ransomware attack 😱💻.

The company, Alberta Dental Service Corp (ADSC), paid a chunky ransom for a decryption key and a pinky promise from the hackers at 8Base, who did the dirty deed, to delete the stolen data 🤝🔑. These 8Base folks are "Russian-based" and have been pulling this cyber trickery since 2022 🕵️‍♀️💻.

Luckily, ADSC had their backup game strong, and they were able to recover the data in about 12 hours. Phew! 😅

Now, some folks say paying ransoms is like giving a vial of blood to a vampire 🩸🧛 It doesn't really protect the folks whose info got swiped, and it doesn't change any legal stuff either. Experts say it's a bit of a head-scratcher. 🤔 ‘Damned if you do, damned if you don’t,’ kind of thing…

However, fair play to the Canadians. They’ve learnt their lesson and, as such, ADSC is beefing up its security like a boss, with shiny new monitoring tools and all that jazz 🌟🛡️. They even reported this cyber adventure to the law, and the investigation is still on 🔍🔦.

About 1.47 million people got caught up in this mess, and some of them had their banking info snatched too! 😱💸 ADSC is holding tight, but they're warning folks about potential phishing, fraud, or identity shenanigans 🎣🕵️‍♂️.

Keep your cyber-shields up, folks! 💻🛡️

🗞️ Extra, Extra! Read all about it! 🗞️

Each fortnite, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 💰 Daily Dough: Bite-sized investing ideas, wisdom, news, and trends you need to grow your dough!

  • 📈 ProductivityGlide: A bite-sized email for your most productive day yet!

  • 🏫 AI Marketing School: The latest AI Marketing tools, techniques, and news delivered biweekly.

Let us know what you think!

9.8/10 would patch 👀😂

🛡️ Ecommerce Alert: Magento 2 Exploitation 🛡️

Heads up, online store owners! 👀 If you're using Adobe's Magento 2 software, listen up! There's an exploitation campaign going on, targeting those who missed a crucial patch (CVE-2022-24086) released last year on Feb 13, 2022 😱💻.

Yes, the cyber tricksters are at it again, using a server-side template injection attack on Magento 2 shops that are still vulnerable 😈🦠. The security folks at Akamai noticed this campaign, which they've named "Xurum" because that's the attacker's server name 🕵️‍♂️🌐.

These attackers are hunting for payment stats from recent orders, the sneaky bastards 🕵️‍♀️💰.

Magecart is major threat!

Here's the deal: at least seven threat groups (called Magecart) have been messing with Magento shops since 2015. They're all about swiping transaction data from ecommerce sites using various tricks, including JavaScript data skimming 🛒🔒.

🛡️Top Tips:

Easy one: make damn sure you’ve updated your Magento 2 software to the latest version! This flaw was dealt with in February of 2022 so as long as your version is later than that, you’re in the clear.

That’s all for today, cyber-squad. Peace and love ✌️

So long and thanks for reading all the phish!

Recent articles