Jun 19 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that upsets cybercriminals like #EURO2024 has upset expectations!!!
Today's hottest cybersecurity news stories:
Exposed Docker APIs targeted by hackers for crypto mining
Two men extradited from Malaysia to Singapore over mobile malware scams
ASUS patches critical authentication bypass flaw in multiple router models
Exposed Docker APIs Under Attack! Cybersecurity researchers have discovered a new malware campaign targeting publicly exposed Docker API endpoints to deliver cryptocurrency miners and other malicious payloads.
Campaign Tactics and Tools
Tools Deployed: Remote access tools capable of downloading more malware, and utilities for malware propagation via SSH.
Overlap: Shares tactics with the previous Spinning YARN campaign, which targeted Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking.
Attack Sequence
Target: Docker hosts whose daemon API is reachable on TCP port 2375, the conventional port for the unencrypted, unauthenticated API.
Steps: Reconnaissance of the exposed API and privilege escalation come first, followed by exploitation of the host.
Payload Retrieval: A shell script named "vurl" fetches the additional payloads.
Malicious Payloads
vurl: A compiled binary that overwrites the shell-script version of vurl and uses hard-coded C2 domains.
ar.sh: Installs tools to scan for further vulnerable hosts, disables firewalls, and fetches the next payload, "chkstart".
chkstart: Configures the host for remote access and fetches additional tools, including "m.tar" (the XMRig miner) and "top".
Exeremo: Moves laterally to spread the infection and drops the "s.sh" script, which installs scanning tools.
fkoths: A Go-based binary that erases traces of the infection and resists analysis.
Evolving Threats
The campaign shows that misconfigured Docker hosts remain a reliable source of initial access. Porting functionality from shell scripts to Go makes the tooling harder to analyse and suggests the operators are experimenting with multi-architecture builds.
Stay Alert!
Never expose the Docker daemon's TCP API directly to the internet. If remote access is genuinely required, enable TLS with client certificate verification (tlsverify, conventionally on port 2376) and restrict the listener to trusted networks at the firewall.
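The two checks a defender wants after reading this, as an added example (not code from the report or from this newsletter): a static audit of daemon.json for the plaintext tcp://0.0.0.0:2375 listener the campaign scans for, and an optional live probe of the daemon's unauthenticated /_ping endpoint. The two daemon.json samples are constructed here; the hardened one assumes a mutual-TLS setup on port 2376 with certificate paths under /etc/docker, which is an assumption for the example.

```python
"""Audit Docker daemon exposure: static daemon.json review plus optional live probe."""
import http.client
import json

PLAINTEXT_PORT = "2375"  # Docker's conventional unauthenticated, unencrypted API port
WILDCARD_HOSTS = {"", "0.0.0.0", "[::]", "::"}  # bind addresses that mean "every interface"

# Constructed sample: the misconfiguration this campaign looks for.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: remote API only on one interface, with mutual TLS
# (certificate paths are assumed for the example).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(config_text: str) -> list[str]:
    """Return human-readable findings for a daemon.json document; [] means clean."""
    cfg = json.loads(config_text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not reachable over the network
        host, _, port = listener[len("tcp://"):].rpartition(":")
        if host in WILDCARD_HOSTS:
            findings.append(f"{listener}: API bound to all interfaces")
        if port == PLAINTEXT_PORT:
            findings.append(f"{listener}: plaintext API port {PLAINTEXT_PORT}")
        if not tls_verify:
            findings.append(f"{listener}: TCP listener without tlsverify (no client authentication)")
    return findings


def probe_docker_api(host: str, port: int = 2375, timeout: float = 3.0) -> bool:
    """Live check: True if the daemon answers the unauthenticated /_ping endpoint.

    Not called at import time; run it only against hosts you are authorised to test.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/_ping")
        resp = conn.getresponse()
        return resp.status == 200 and resp.read().strip() == b"OK"
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or ["no findings"])
```

Run the audit against /etc/docker/daemon.json on each host; anything other than an empty list means the API is reachable over the network without client authentication. Note that dockerd refuses to start when hosts is set both in daemon.json and via a -H flag on its command line (for example in a systemd unit), so check both places when reviewing a host.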
Whether you're starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.
Instantly calculate how much time you can save with Vanta.
Major Extradition! The Singapore Police Force (SPF) has extradited two men from Malaysia for their alleged role in a mobile malware scam that has been running since June 2023.
Malware Scams Unveiled
The suspects, aged 26 and 47, used phishing campaigns to trick users into downloading malicious Android apps. These apps stole personal data and banking details, leading to financial losses.
Seven-Month Investigation
SPF, in collaboration with the Hong Kong Police Force and Royal Malaysia Police, linked the men to a syndicate behind these scams. The duo operated servers to infect phones and control them, enabling bank account compromises.
How the Scam Worked
The malicious apps posed as discount offers and, once installed, gave the scammers remote access to the device. They used that access to monitor SMS messages, track the device, and capture sensitive data.
Arrests and Consequences
One suspect faces up to 7 years in prison and a $50,000 fine, while the other faces up to 10 years and a $500,000 fine. Taiwan Police also arrested four others involved in similar scams.
Operation DISTANTHILL Success
A total of 16 cyber criminals were arrested, and assets worth $1.33 million seized. Over 4,000 victims were defrauded.
US Dark Web Bust
Separately, the U.S. Justice Department charged two men for operating Empire Market, a dark web marketplace trading $430 million in illegal goods. The operation ran from 2018 to 2020, leading to significant seizures and arrests.
Stay safe online!
Major Vulnerability Alert! ASUS has released firmware updates to fix a critical security flaw (CVE-2024-3080) in its routers that could allow attackers to bypass authentication. The flaw has a CVSS score of 9.8/10.
What's the Issue?
Flaw: Authentication bypass
Impact: Remote attackers can log in without credentials
Reported by: Taiwan Computer Emergency Response Team (TWCERT/CC)
Additional Security Fixes
ASUS also patched a high-severity buffer overflow flaw (CVE-2024-3079, CVSS score: 7.2). This flaw could let attackers with admin privileges execute arbitrary commands.
Potential Exploit Chain
Attackers could chain the two: use CVE-2024-3080 to bypass authentication and gain an admin session, then trigger the CVE-2024-3079 overflow from that session to run code on the router.
Affected Models
ZenWiFi XT8 (Fixed in 3.0.0.4.388_24621)
ZenWiFi XT8 V2 (Fixed in 3.0.0.4.388_24621)
RT-AX88U (Fixed in 3.0.0.4.388_24209)
RT-AX58U (Fixed in 3.0.0.4.388_24762)
RT-AX57 (Fixed in 3.0.0.4.386_52303)
RT-AC86U (Fixed in 3.0.0.4.386_51925)
RT-AC68U (Fixed in 3.0.0.4.386_51685)
Previous Patch
Earlier this year, ASUS fixed another critical flaw (CVE-2024-3912, CVSS score: 9.8) that allowed remote file uploads and command execution.
User Action Required
Update your routers to the latest version to protect against these vulnerabilities!
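A quick way to check whether a router is already on a fixed build, as an added example written for this newsletter rather than taken from ASUS: the FIXED table transcribes the list above, and the parsing rule (dotted release part, underscore, numeric build number, compared as a numeric tuple) is an assumption about how ASUS orders its firmware versions.

```python
"""Compare an ASUS router's reported firmware version against the fixed builds listed above."""
import re
from typing import Optional

# Transcribed from the affected-models list in this newsletter.
FIXED = {
    "ZenWiFi XT8": "3.0.0.4.388_24621",
    "ZenWiFi XT8 V2": "3.0.0.4.388_24621",
    "RT-AX88U": "3.0.0.4.388_24209",
    "RT-AX58U": "3.0.0.4.388_24762",
    "RT-AX57": "3.0.0.4.386_52303",
    "RT-AC86U": "3.0.0.4.386_51925",
    "RT-AC68U": "3.0.0.4.386_51685",
}

# Assumed format: dotted release (e.g. 3.0.0.4.388), underscore, build number.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)_(\d+)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.0.0.4.388_24621' into (3, 0, 0, 4, 388, 24621) so tuples compare numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    release, build = m.groups()
    return tuple(int(part) for part in release.split(".")) + (int(build),)


def is_patched(model: str, installed: str) -> Optional[bool]:
    """True if installed >= the fixed build for the model, False if older,
    None if the model is not in the list above (no verdict possible)."""
    fixed = FIXED.get(model)
    if fixed is None:
        return None
    return parse_version(installed) >= parse_version(fixed)


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    for model, version in (("RT-AX88U", "3.0.0.4.388_24198"), ("RT-AC68U", "3.0.0.4.386_51685")):
        print(model, version, "patched" if is_patched(model, version) else "UPDATE REQUIRED")
```

The version string is the one shown as Firmware Version in the router's admin UI; a False result means the installed build predates the fix for that model, and None means the model is not on the list above, so consult ASUS's own advisory rather than assuming it is unaffected.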
Stay secure!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
๐ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐
๐ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐
๐ย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐พ
Let us know what you think.
So long and thanks for reading all the phish!