Apr 10 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that surfs the treacherous waves of cybercrime and weathers the wipeouts so you don't have to.
Today's hottest cybersecurity news stories:
LG Smart TVs have vulnerabilities that allow root access
Human rights activists targeted in Morocco, Western Sahara
Romanian RUBYCARP botnet returns after 10-year absence
Romanian cybersecurity firm Bitdefender uncovered multiple security vulnerabilities in LG webOS, the operating system running on its smart TVs. These flaws, reported to LG in November 2023, could be chained to bypass authorisation and grant unauthorised access to the devices.
LG swiftly responded, addressing the issues in updates rolled out on March 22, 2024.
Affected Models and Versions
The vulnerabilities, tracked from CVE-2023-6317 to CVE-2023-6320, impact various webOS versions, including those on popular LG TV models like LG43UM7000PLA and OLED55CXPUA.
Description of Vulnerabilities
The flaws range from bypassing PIN verification to injecting authenticated commands, potentially leading to unauthorised root access and control of the device.
Global Impact
Bitdefender revealed that, although the vulnerable service is intended for LAN access only, over 91,000 devices expose it to the internet according to Shodan, most of them in South Korea, Hong Kong, the U.S., Sweden, Finland, and Latvia.
Stay Safe!
Ensure your LG Smart TV is updated to the latest firmware to protect against these vulnerabilities. Always prioritise security to safeguard your devices and personal data.
Learn how to make AI work for you.
How do you stay up-to-date with the insane pace of AI? Join The Rundown, the world's fastest-growing AI newsletter with over 500,000 readers learning how to become more productive using AI every morning.
1. Our team spends all day researching and talking with industry experts.
2. We send you updates on the latest AI news and how to apply it in 5 minutes a day.
3. You learn how to become 2x more productive by leveraging AI.
Human rights activists in Morocco and the Western Sahara face a new threat known as Starry Addax. Cisco Talos reveals that this malicious actor uses phishing tactics to lure victims into installing fake Android apps and harvests credentials from Windows users.
Targeted Victims
Primarily focusing on activists associated with the Sahrawi Arab Democratic Republic (SADR), Starry Addax poses a significant risk to those fighting for human rights in the region.
How It Works
Utilising infrastructure like ondroid[.]site and ondroid[.]store, the attacker sends spear-phishing emails containing decoy apps related to the Sahara Press Service. Depending on the operating system, victims are either tricked into installing a malicious Android app or directed to counterfeit social media login pages to steal credentials.
Meet FlexStarling: The Malware
FlexStarling, the novel Android malware employed by Starry Addax, is highly adaptable and capable of deploying additional malicious components. Once installed, it gains extensive permissions to execute nefarious actions, communicating with a Firebase-based command-and-control (C2) to operate discreetly.
Stay Vigilant!
Campaigns like Starry Addax's aim to remain undetected, emphasising stealth and long-term persistence on compromised devices. Separately, a new commercial Android remote access trojan (RAT) named Oxycorat is also on the rise, offering a wide range of information-gathering capabilities.
Protect Yourself!
Remain cautious of suspicious emails and apps, ensure regular software updates, and deploy reliable security measures to safeguard against such threats. Stay informed to stay safe!
The Motley Fool: "Fool me once, shame on... shame on you. Fool me... you can't get fooled again." Good ol' George Dubya. Let us tell you who's not fooling around though; that's the Crüe at Motley Fool. You'd be a fool (alright, enough already!) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! Kidding aside, if you check out their website they've actually got a ton of great content with a wide variety of different investment ideas to suit most budgets (LINK)
Wander: Find your happy place. Cue Happy Gilmore flashback. Mmmm, Happy Place... So, we've noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breathtaking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the Free and the Home of the Brave is news of rioting, looting and school shootings, it's easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway (LINK)
Digital Ocean: If you build it they will come. Nope, we're not talking about a baseball field for ghosts (great movie, to be fair). This is Digital Ocean, who've got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you'll find yourself catching the buzz even if you can't code (guilty). But if you can and you're looking for somewhere to test things out or launch something new or simply enhance what you've got, we'd recommend checking out their services fo' sho. And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! (LINK)
A notorious threat group named RUBYCARP, suspected to originate from Romania, has been detected orchestrating a persistent botnet operation for over a decade. Sysdig, a cloud security firm, reveals that this group engages in crypto mining, DDoS, and phishing attacks for financial gain.
Botnet Tactics
RUBYCARP relies on a diverse range of public exploits and brute-force techniques to deploy their botnet, communicating via public and private IRC networks for coordination.
The Outlaw Connection
Evidence suggests a potential link between RUBYCARP and the Outlaw threat cluster, indicating a history of crypto mining, brute-force, and phishing campaigns.
Meet the Malware: ShellBot
RUBYCARP employs ShellBot, alongside exploiting vulnerabilities like CVE-2021-3129 in the Laravel Framework, to infiltrate target systems and expand their botnet.
Expanding Arsenal
The group broadened its attack methods by compromising WordPress sites and installing backdoors, connecting victim servers to IRC-based command-and-control servers.
Botnet Scale and Coordination
With over 600 hosts estimated in their botnet, RUBYCARP heavily relies on IRC for communication, management, and coordination of crypto mining operations.
The Threat Actors Behind the Curtain
Key members of the group, known by aliases like juice_, Eugen, Catalin, MUIE, and Smecher, communicate via IRC channels like #cristi and utilize mass scanning tools to identify new targets.
Illicit Income Streams
RUBYCARP's operations span from crypto mining to phishing, utilising stolen credit card data for attack infrastructure or potentially selling it on the cybercrime black market.
Unprecedented Sophistication
Sysdig highlights RUBYCARP's involvement in developing and selling cyber weapons, showcasing a vast arsenal of tools accumulated over the years, granting them unparalleled flexibility in their operations.
Stay Alert!
Remain vigilant against phishing attempts, ensure robust security measures, and stay informed to protect against evolving cyber threats like RUBYCARP.
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think!
So long and thanks for reading all the phish!