Mar 26 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that has cybercriminals running for the hills or the private jet to Antigua like Puff Daddy P. Diddy Diddy P. Dophile #FIFY
Today's hottest cybersecurity news stories:
Iranian threat actor MuddyWater is phishing with Atera for surveillance
Mac users beware! GoFetch vulnerability could leak secret keys
Top.gg and others hit by a GitHub account hijack via supply chain attack
Recent intelligence reveals that the Iran-affiliated threat actor known as MuddyWater has launched a phishing campaign in March 2024, aiming to deploy the legitimate Remote Monitoring and Management (RMM) solution called Atera. 🎣
March Campaign: Spanning from March 7 through the week of March 11, MuddyWater's activity targeted Israeli entities across global manufacturing, technology, and information security sectors, according to Proofpoint.
Phishing Tactics: MuddyWater sent emails with PDF attachments containing malicious links, showcasing a shift towards embedding links directly in email message bodies instead of using PDF attachments.
Attack Chains: The phishing messages include links to files hosted on file-sharing sites like Egnyte, Onehub, Sync, and TeraBox. Clicking on the link leads to a ZIP archive containing an MSI installer file that instals the Atera Agent on compromised systems.
🛡️ Legitimate Tools: MuddyWater's reliance on legitimate remote desktop software aligns with its strategic goals, having previously utilised tools like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.
⚠️ Growing Risks: The shift in tactics coincides with Iranian hacktivist group Lord Nemesis targeting the Israeli academic sector through a software supply chain attack on Rashim Software. The breach highlights the significant risks posed by third-party vendors and the growing threat of nation-state actors targeting smaller companies.
Cybersecurity Concerns: This incident underscores the need for robust security measures, including multi-factor authentication (MFA), to mitigate the risks posed by supply chain attacks and nation-state adversaries. Vigilance and proactive security measures are essential to safeguard against evolving threats in the cyber landscape. 🛡️
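The delivery chain above (link, ZIP archive, MSI installer, RMM agent) is exactly the sequence that endpoint telemetry can catch. The following Python is an added example, not code from Proofpoint or the newsletter: it runs a simple rule over constructed process-creation records (the event schema and field names are assumptions, as is the list of RMM product names an organisation treats as unsanctioned) and flags msiexec installs of such agents, rating them higher when the MSI sits in a download or temp directory or was launched interactively from the desktop shell.

```python
"""Flag MSI installs of remote-management agents that arrive through user
download/extraction paths (the ZIP -> MSI -> RMM agent pattern).
Added example with constructed events; the record layout is an assumption,
not any EDR product's schema."""
import re

# Assumption: RMM products this organisation does not deploy itself.
# "atera" comes from the story; the others are named alongside it as tools
# the same actor has used before.
UNSANCTIONED_RMM = ("atera", "screenconnect", "remoteutilities", "syncro", "simplehelp")

# Directories where a user-extracted ZIP payload typically lands (assumed).
STAGING_DIRS = re.compile(r"\\(?:Downloads|Temp)\\", re.IGNORECASE)

# The .msi path on an msiexec command line, quoted or bare.
MSI_PATH = re.compile(r'"([^"]+\.msi)"|(\S+\.msi)\b', re.IGNORECASE)


def msi_path(cmdline):
    """Return the MSI file path from an msiexec command line, or None."""
    m = MSI_PATH.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def assess(event):
    """Return (severity, reason) for one process-creation event, or None."""
    if event["image"].lower() != "msiexec.exe":
        return None
    path = msi_path(event["cmdline"])
    if path is None:
        return None
    file_name = path.rsplit("\\", 1)[-1].lower()
    product = next((p for p in UNSANCTIONED_RMM if p in file_name), None)
    if product is None:
        return None                      # ordinary MSI install, not our concern here
    reasons = [f"installs RMM agent '{product}'"]
    severity = "medium"                  # RMM install from a managed deployment path
    if STAGING_DIRS.search(path):
        reasons.append("MSI located in user download/temp directory")
        severity = "high"
    if event["parent_image"].lower() == "explorer.exe":
        reasons.append("launched interactively from explorer.exe")
        severity = "high"
    return severity, "; ".join(reasons)


def triage(events):
    """Return [(event_id, severity, reason)] for every event worth a ticket."""
    flagged = []
    for e in events:
        verdict = assess(e)
        if verdict:
            flagged.append((e["id"], *verdict))
    return flagged


# Constructed sample events: 1 = user-run install from an extracted archive,
# 2 = the same product pushed by a software-deployment service,
# 3 = an unrelated installer, 4 = not msiexec at all.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": "explorer.exe", "image": "msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\Invoice\AteraAgent.msi"'},
    {"id": 2, "parent_image": "ccmexec.exe", "image": "msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Windows\ccmcache\a1\AteraAgent.msi" /qn'},
    {"id": 3, "parent_image": "explorer.exe", "image": "msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\7z2301-x64.msi"'},
    {"id": 4, "parent_image": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for event_id, severity, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {severity}: {reason}")
```

The rule deliberately still reports the deployment-service install at medium severity: if the organisation does not use the product, any install of it deserves a look, while the interactive install from a Downloads folder is the one that matches the phishing chain and is rated high.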
With rising costs for Amazon S3 storage and potentially devastating business consequences from data loss, you need a holistic approach to cutting unnecessary spending and guarding against risks. Lawrence Miller, a consultant to multinational corporations who holds numerous networking certifications, has authored a concise volume that lays out the path to success in managing backup and compliance for S3 data lakes.
Security researchers have uncovered a critical vulnerability in Apple M-series chips called GoFetch, which could allow threat actors to extract secret keys used during cryptographic operations. Apple has known about the threat since December.
Microarchitectural Side-Channel Attack: GoFetch leverages a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. Prefetchers predict memory access patterns to reduce latency.
How It Works: DMP prefetches data from memory based on observed access patterns, making it susceptible to cache-based attacks that reveal contents associated with a victim process. GoFetch exploits this behaviour to leak sensitive data speculatively.
Attack Scenario: The attacker and victim must be co-located on the same CPU cluster. The threat actor could trick the victim into downloading a malicious app that exploits GoFetch. Even if the victim follows the constant-time programming paradigm, DMP generates secret-dependent memory access on the victim's behalf.
Implications: GoFetch nullifies security protections offered by constant-time programming against timing side-channel attacks, presenting serious security risks. Existing Apple CPUs cannot be fixed, necessitating preventive measures by cryptographic library developers and system updates for users.
Mitigation: Enabling data-independent timing (DIT) on Apple M3 chips disables DMP. However, this is not possible on M1 and M2 processors. Developers are advised to avoid conditional branches and memory access locations based on secret data. Users should keep systems up-to-date.
Cybersecurity Landscape: Meanwhile, researchers have demonstrated a GPU cache side-channel attack affecting browsers and graphics cards, enabling inference of sensitive information like passwords via specially crafted JavaScript code. Countermeasures include requiring user permission for GPU access in browsers. 🛡️
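The developer advice in the GoFetch story (no conditional branches and no memory addresses chosen by secret data) is easier to see once the access pattern is made explicit. The following Python is an added example, not code from the GoFetch researchers or Apple: it wraps a constructed lookup table so that every read is logged, then compares a direct table[secret] read with a masked lookup that touches every entry in the same order whatever the secret is. Python itself gives no timing or cache guarantees, so this demonstrates the pattern a prefetcher or cache side channel observes, not a deployable constant-time primitive; the 8-bit width and the S-box-like table are assumptions.

```python
"""Secret-dependent versus secret-independent memory access, made visible by
recording the index of every table read.  Added illustration; a real
constant-time routine is written in C or assembly and audited there."""

WIDTH = 8                          # assumption: 8-bit table entries and indices
ALL_ONES = (1 << WIDTH) - 1

# Constructed table: a fixed permutation of 0..255 standing in for an S-box.
SBOX = [(17 * i + 3) & ALL_ONES for i in range(1 << WIDTH)]


class TracedTable:
    """List wrapper that logs every index read, i.e. every address touched."""

    def __init__(self, values):
        self._values = list(values)
        self.trace = []

    def __len__(self):
        return len(self._values)

    def __getitem__(self, i):
        self.trace.append(i)
        return self._values[i]


def eq_mask(a, b):
    """ALL_ONES if a == b else 0, computed without a data-dependent branch."""
    diff = (a ^ b) & ALL_ONES                  # zero only when a == b
    return ((diff - 1) >> WIDTH) & ALL_ONES    # borrow out of bit WIDTH only when diff == 0


def leaky_lookup(table, secret):
    """One read at table[secret]: the address alone reveals the secret."""
    return table[secret]


def ct_lookup(table, secret):
    """Read every entry in a fixed order and keep the wanted one via masking."""
    result = 0
    for i in range(len(table)):
        result |= table[i] & eq_mask(i, secret)
    return result


def ct_select(bit, a, b):
    """Return a if bit == 1 else b, with no branch on `bit` (bit is 0 or 1)."""
    mask = (-bit) & ALL_ONES
    return (a & mask) | (b & ~mask & ALL_ONES)


def access_trace(lookup, secret):
    """The sequence of indices `lookup` touches for one secret value."""
    table = TracedTable(SBOX)
    lookup(table, secret)
    return tuple(table.trace)


def trace_depends_on_secret(lookup):
    """True if different secrets produce different address sequences."""
    return len({access_trace(lookup, s) for s in range(len(SBOX))}) > 1


if __name__ == "__main__":
    print("direct lookup trace varies with secret:", trace_depends_on_secret(leaky_lookup))
    print("masked lookup trace varies with secret:", trace_depends_on_secret(ct_lookup))
```

The masked lookup pays for its secret-independence by reading the whole table on every call, which is the usual trade-off; on M3 the DIT switch mentioned above is a separate, hardware-level control and does not remove the need for this discipline in the code itself.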
The Motley Fool: "Fool me once, shame on… shame on you. Fool me… you can't get fooled again." Good ol' George Dubya. Let us tell you who's not fooling around though; that's the Crüe at Motley Fool. You'd be a fool (alright, enough already!) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! Kidding aside, if you check out their website they've actually got a ton of great content with a wide variety of different investment ideas to suit most budgets (LINK)
Wander: Find your happy place. Cue Happy Gilmore flashback. Mmmm Happy Place… So, we've noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breathtaking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the Free and the Home of the Brave is news of rioting, looting and school shootings, it's easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway (LINK)
DigitalOcean: If you build it they will come. Nope, we're not talking about a baseball field for ghosts (great movie, to be fair). This is DigitalOcean, who've got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you'll find yourself catching the buzz even if you can't code (guilty). But if you can and you're looking for somewhere to test things out, launch something new or simply enhance what you've got, we'd recommend checking out their services fo' sho. And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! (LINK)
A complex attack campaign has targeted individual developers and the GitHub organisation account associated with Top.gg, a Discord bot discovery site, according to Checkmarx.
🛡️ Multiple Tactics Deployed: The adversaries used various tactics, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing tainted packages to the PyPI registry.
Impact: Sensitive information, including passwords and credentials, was stolen. Malicious versions of well-known packages like Colorama were hosted on a typosquatted domain "files.pypihosted[.]org".
Propagation: Rogue packages were spread via GitHub repositories containing a requirements.txt file. The malicious Colorama was inserted within these repositories, leading to the compromise of multiple systems.
⚠️ GitHub Account Hijack: The verified GitHub account "editor-syntax" associated with Top.gg's python-sdk was hijacked, allowing the threat actor to make malicious commits. This account takeover was facilitated through stolen cookies.
Ongoing Threat: The attackers pushed multiple changes to rogue repositories, concealing alterations to the requirements.txt file. The campaign, dating back to November 2022, exploited trust in the open-source package ecosystem.
Malware Payload: The counterfeit Colorama package activates a multi-stage infection sequence, stealing data such as Discord tokens and crypto wallets. Captured data is transferred to the attackers via anonymous file-sharing services.
Mitigation: Vigilance is crucial when installing packages and repositories, even from trusted sources. Thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate risks.
Update: The repository "github[.]com/whiteblackgang12/Discord-Token-Generator" is now inaccessible on GitHub, indicating a response to the attack.
This incident underscores the need for heightened security measures in the software supply chain and serves as a reminder to remain vigilant against evolving threats. 🛡️
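The Top.gg campaign relied on a custom package mirror, a look-alike hosting domain and quiet edits to requirements.txt, all of which are visible as plain text in the dependency file before anything is installed. The following Python is an added example, not code from Checkmarx or the affected projects: it audits a constructed requirements file for index overrides, direct URLs on hosts outside an allow-list (the allow-list of pypi.org and files.pythonhosted.org is an assumption a project would set for itself), hosts that closely resemble a trusted one, and unpinned or unhashed dependencies. The look-alike domain is the one named in the story; the package path after it is a placeholder.

```python
"""Audit a pip requirements file for supply-chain red flags: index overrides,
package URLs on untrusted or look-alike hosts, and dependencies that are not
pinned or hash-checked.  Added example with a constructed requirements file."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Hosts the official pip client uses by default; anything else is an override
# to review.  Assumption: this project allows only the public index.
TRUSTED_HOSTS = ("pypi.org", "files.pythonhosted.org")
LOOKALIKE_RATIO = 0.8              # assumed similarity threshold for typosquats

INDEX_OPTS = ("--index-url", "-i", "--extra-index-url", "--find-links", "-f")
URL_RE = re.compile(r"https?://[^\s'\"]+")
PINNED_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")


def logical_lines(text):
    """Yield (first_lineno, line) with comments removed and backslash continuations joined."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        piece = raw.split("#", 1)[0].strip()
        if piece.endswith("\\"):
            buf.append(piece[:-1].strip())
            continue
        buf.append(piece)
        yield start, " ".join(p for p in buf if p)
        buf, start = [], None


def closest_trusted(host):
    """Return (trusted_host, similarity) for the trusted host most like `host`."""
    return max(((t, SequenceMatcher(None, host, t).ratio()) for t in TRUSTED_HOSTS),
               key=lambda pair: pair[1])


def host_findings(lineno, line, kind):
    """Findings for every URL on the line whose host is not on the allow-list."""
    out = []
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname or ""
        if host in TRUSTED_HOSTS:
            continue
        out.append((lineno, kind, host))
        trusted, ratio = closest_trusted(host)
        if ratio >= LOOKALIKE_RATIO:
            out.append((lineno, "lookalike-host", f"{host} ~ {trusted}"))
    return out


def audit_requirements(text):
    """Return a list of (lineno, kind, detail) findings for a requirements file."""
    findings = []
    for lineno, line in logical_lines(text):
        if not line:
            continue
        if line.startswith(INDEX_OPTS):
            findings += host_findings(lineno, line, "index-override")
            continue
        name = line.split()[0]
        findings += host_findings(lineno, line, "untrusted-host")
        if not PINNED_RE.match(line) and not URL_RE.search(line):
            findings.append((lineno, "unpinned", name))
        if "--hash=" not in line:
            findings.append((lineno, "no-hash", name))
    return findings


# Constructed sample: a custom mirror, one properly pinned and hashed package,
# a direct URL on the look-alike host from the story, and an unpinned package.
SAMPLE_REQUIREMENTS = """\
# constructed sample; hash and package path below are placeholders, not real values
--extra-index-url https://mirror.internal.example/simple
requests==2.31.0 \\
    --hash=sha256:PLACEHOLDER_HASH_NOT_REAL
colorama @ https://files.pypihosted.org/packages/PLACEHOLDER/colorama-0.4.6.tar.gz
discord.py
"""

if __name__ == "__main__":
    for lineno, kind, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {kind}: {detail}")
```

Run against a repository's requirements.txt this turns the story's indicators into a pre-install check: an override pointing at any non-allow-listed index, a host one or two characters away from files.pythonhosted.org, and packages that pip will happily fetch with no version pin or hash to anchor them.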
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think!
So long and thanks for reading all the phish!
🎣