Jan 22 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s your reinforced steel and concrete bunker against the #StormIsha that is cybercrime ⛈️💨👀 Kidding, cybercrime is more like Katrina 💀💀
Today’s hottest cybersecurity news stories:
💻 Mac users beware! Backdoor hidden in popular pirated software 🏴☠️
👨💻 Russian hacking group ‘Midnight Blizzard’ targets Microsoft HQ 🏢
🏧 Argentine ‘Payoneer’ users wake up to 2FA hacks, funds jacked 💸
🏴☠️ Warning to Apple macOS users: A malicious campaign targeting pirated applications has been identified, exposing a backdoor capable of granting attackers remote control over infected machines. Researchers from Jamf Threat Labs, Ferdous Saljooki, and Jaron Bradley, reveal that these rogue applications are hosted on Chinese pirating websites, specifically macyy[.]cn, to lure victims.
🔍 Attack Method
Once activated, the malware stealthily downloads and executes multiple payloads in the background, compromising victims’ machines without their knowledge. The backdoored disk image (DMG) files, modified to communicate with actor-controlled infrastructure, incorporate well-known software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.
🔐 Infiltration Tactics
The unsigned applications ship with a dropper component, a dynamic library (“dylib”), that runs as soon as the application is opened. This dropper fetches a fully featured backdoor (“bd.log”) and a downloader (“fl01.log”) from a remote server, establishing persistence and enabling the delivery of additional payloads.
🚪 Backdoor Features
The backdoor, dropped to “/tmp/.test,” is built on the Khepri post-exploitation toolkit, which gives the operator a full set of post-exploitation capabilities. Because it lives in the “/tmp” directory it does not persist on its own, but it is recreated every time the pirated application is reloaded.
🔗 Downloader Persistence
The downloader, written to the hidden path “/Users/Shared/.fseventsd,” creates a LaunchAgent for persistence and sends HTTP GET requests to an actor-controlled server. The server was no longer reachable at the time of analysis, but the downloader is designed to write whatever HTTP response it receives to “/tmp/.fseventsds” and then launch it.
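As an added defender-side example (not from the Jamf report or this newsletter), the POSIX shell function below hunts for the file paths named above and for LaunchAgent plists that reference the hidden downloader; the optional root argument and the function name are my own choices so the check can also run against a mounted image or a test tree.

```shell
#!/bin/sh
# Added defensive check (not Jamf's tooling): looks for the on-disk artefacts the
# report names for this campaign and for LaunchAgents that reference the hidden
# downloader path used for persistence. An optional ROOT argument lets the check
# run against a mounted image or a test directory tree instead of the live system.

# File paths reported for the backdoor, the downloader and its fetched payload.
IOC_PATHS="/tmp/.test /Users/Shared/.fseventsd /tmp/.fseventsds"
DOWNLOADER_PATH="/Users/Shared/.fseventsd"

# check_pirated_backdoor_iocs [ROOT]
# Prints one line per finding; returns 0 when clean, 1 when any indicator is present.
check_pirated_backdoor_iocs() {
    root="${1:-}"
    status=0
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            echo "IOC file present: $root$p"
            status=1
        fi
    done
    # Persistence step: a LaunchAgent plist whose program arguments point at the downloader.
    for dir in "$root"/Users/*/Library/LaunchAgents "$root"/Library/LaunchAgents; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -qF "$DOWNLOADER_PATH" "$plist" 2>/dev/null; then
                echo "LaunchAgent references downloader path: $plist"
                status=1
            fi
        done
    done
    return $status
}

# Live scan (run as an admin so every home directory is readable):
# check_pirated_backdoor_iocs
```

A non-zero exit from the function is the signal to isolate the machine and pull the referenced plist and binaries for analysis.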
🦠 Possible Successor
The researchers note similarities with the ZuRu malware, suggesting this threat could be a successor due to shared characteristics like targeted applications, modified load commands, and attacker infrastructure.
⚠️ Stay Protected
macOS users should exercise caution when downloading applications from untrusted sources, avoiding pirated software to minimise the risk of falling victim to such sophisticated attacks. Vigilance is key! 🔒💻
💻 Microsoft issued a warning on Friday revealing that some of its corporate email accounts fell victim to a breach orchestrated by a Russian state-sponsored hacking group known as Midnight Blizzard, also recognized as Nobelium or APT29. The attack, detected on January 12th, was traced back to November 2023 when threat actors used a password spray attack to compromise a legacy non-production test tenant account.
🛑 Breaching Method
The hackers gained access to the “test” account using a brute force attack, suggesting the account lacked two-factor authentication (2FA) or multi-factor authentication (MFA). Microsoft emphasises the importance of these security measures on all online accounts.
🔍 Targeted Access
Once infiltrated, the Nobelium hackers utilised the test account to access a “small percentage” of Microsoft’s corporate email accounts for over a month. The breached accounts included members of Microsoft’s leadership, as well as employees in cybersecurity and legal departments. Stolen data primarily consisted of emails and attachments.
🔄 Ongoing Investigation
Microsoft clarifies that the breach was not due to vulnerabilities in their products but rather a result of the brute force password attack. The investigation is ongoing, and Microsoft pledges to share additional details as appropriate.
🌐 Nobelium Background
Nobelium, affiliated with Russia’s Foreign Intelligence Service (SVR), gained notoriety for its involvement in the 2020 SolarWinds supply chain attack, impacting Microsoft. Known for cyberespionage and custom malware development, the group previously breached a Microsoft corporate account in 2021.
🌎 Global Impact
Microsoft, which controls vast amounts of global data and services, is a coveted target, and this breach underscores the persistent threat landscape faced by major corporations.
🔒 Security Assurance
Despite the breach, Microsoft reassures that its operations have not been materially impacted. As the investigation unfolds, vigilance remains crucial in the face of evolving cyber threats. Stay secure, stay informed! 💻🔐
🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” Good ol’ George Dubya 😂 Let us tell who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets 🤑 (LINK)
🚵 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm Happy Place… 😇 So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway 🏞️😍 (LINK)
🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ⚾👻🍿 (Great movie, to be fair 🙈). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)
🌐 Payoneer, a popular financial services platform, is facing a crisis as numerous users in Argentina report waking up to drained accounts and stolen funds despite having two-factor authentication (2FA) protection. Victims discovered the theft after receiving SMS one-time passcodes (OTPs) while they were asleep, leading to emptied wallets ranging from $5,000 to $60,000.
🔒 Breach Details
The breached accounts, safeguarded by 2FA, were compromised following a phishing SMS requesting approval for a password reset. Users, adamant about not clicking on URLs, found their funds sent to an unknown email address at the 163.com domain. Many affected users were customers of mobile service providers Movistar and Tuenti, with suspicions of a recent Movistar data leak being the root cause.
🤔 Theories and Responses
The breach mechanism remains unclear, with theories suggesting a potential breach in the SMS provider used for OTP delivery. Movistar denies responsibility but takes preventive measures. Payoneer blames users, alleging they fell for phishing texts. Users dispute this claim, pointing to the platform’s weaknesses.
🚨 Payoneer’s Weaknesses
The platform’s reliance on SMS-based 2FA and a password recovery process requiring only an SMS code raise concerns about system vulnerabilities. Payoneer’s blame-shifting approach irks affected users, prompting scepticism about the actual cause of the hacks.
🛡️ Ongoing Investigation
Payoneer acknowledges the issue, attributing it to phishing, and is collaborating with authorities. Despite blaming users, the platform faces questions about potential weaknesses. Users are advised to withdraw funds, disable SMS-based 2FA, and reset passwords until clarity is achieved.
🔍 User Discontent
The dispute between Payoneer and affected users adds complexity to the investigation. Users’ allegations of not falling for phishing attempts raise questions about the platform’s security measures and the accuracy of the breach’s attribution.
🔄 Recovery Efforts
Payoneer states it is actively working to protect funds and recover losses, emphasising fraud prevention measures and customer education. Specific details about the investigation’s progress and restitution plans remain pending.
🌎 Global Impact
While the situation unfolds, the incident underscores the global vulnerability of financial platforms and the imperative need for robust security measures. Stay vigilant and secure your accounts! 🔒💳
Until next time, cyber squad 🛡️🛡️🛡️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
The GeekAI: A daily 3 min newsletter on what matters in AI; with all the new AI things coming to market, it’s good to stay ahead of the curve.
Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree 🐒🌴 with his stick and banana approach 🍌😏
Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)
Let us know what you think!
So long and thanks for reading all the phish!