Apr 29 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that cuts through the bull
Today's hottest cybersecurity news stories:
Fake npm packages trick devs into downloading Python backdoor
7-year-old MS Office flaw used to target Ukraine w/ Cobalt Strike
Proxy-driven credential stuffing attacks are exploding, says Okta
An ongoing social engineering campaign dubbed DEV#POPPER is duping software developers with fake job interviews, leading to the unwitting installation of a Python backdoor.
The Deceptive Scheme
North Korean threat actors are behind the campaign, according to cybersecurity firm Securonix. Under the guise of employment opportunities, developers are tricked into downloading and executing malicious Node.js payloads disguised as legitimate software tasks. These payloads, including the BeaverTail malware, facilitate unauthorised access to victims' systems.
Recurring Threats
This tactic mirrors previous activities like Contagious Interview, identified by Palo Alto Networks Unit 42, and Operation Dream Job by the Lazarus Group. Both involve luring victims with fake job offers and delivering malware, highlighting a persistent threat landscape in the cybersecurity realm. Contagious Interview, specifically targeting developers, utilises fake identities on freelance job portals and leverages npm packages to deploy malware such as BeaverTail and InvisibleFerret.
Complex Attack Chain
The attack begins with a ZIP archive hosted on GitHub, containing seemingly benign npm modules that house malicious JavaScript files. Once executed, these files deploy a Python backdoor named InvisibleFerret, allowing attackers to siphon sensitive data and execute commands remotely. The InvisibleFerret backdoor, retrieved from a remote server, grants the attackers access to the compromised system, enabling a range of malicious activities, including system information gathering, command execution, file enumeration and exfiltration, and clipboard and keystroke logging.
Stay Vigilant
As threat actors continue to refine their tactics, vigilance during job interviews and other communications is crucial. Maintaining a security-focused mindset can help prevent falling victim to these sophisticated social engineering attacks. Stay informed and cautious when engaging in any online activities, especially those involving potential employment opportunities.
A targeted cyber operation aimed at Ukraine has been uncovered, exploiting a nearly seven-year-old vulnerability in Microsoft Office to deploy the infamous Cobalt Strike tool.
Sneaky, Sneaky
The attack, revealed by cybersecurity firm Deep Instinct, kicks off with a PowerPoint slideshow file, possibly distributed via the Signal messaging app. While it's not confirmed, the filename implies a Signal origin. The file masquerades as a U.S. Army mine clearing manual but harbours a remote relationship to an external OLE object, leveraging the CVE-2017-8570 flaw in Microsoft Office for remote code execution.
Intricate Execution
Upon exploitation, a heavily obfuscated script loads an HTML file with JavaScript code, establishing persistence on the victim's system and dropping a malicious payload masquerading as the Cisco AnyConnect VPN client. This payload injects a cracked Cobalt Strike Beacon into system memory, awaiting commands from a remote server.
Uncertain Origins, Ambiguous Goals
Despite military-themed lures, the attacker's choice of domain names, like weavesilk[.]space and petapixel[.]fun, seems unrelated. It's unclear why these obscure sites were chosen to deceive military personnel. Moreover, the attack's exact purpose remains unknown.
Sandworm Strikes Ukraine's Critical Infrastructure
Meanwhile, CERT-UA disclosed attacks by the Russian state-sponsored group UAC-0133, a sub-cluster within Sandworm, targeting energy, water, and heating suppliers in Ukraine. The attacks, aimed at sabotaging critical operations, employ malware like Kapeka and its Linux variant BIASBOAT, along with GOSSIPFLOW and LOADGRIP. Sandworm, linked to Russian military intelligence, is known for disruptive and destructive operations against Ukraine since at least 2009.
Stay vigilant against cyber threats, and remember: even the oldest vulnerabilities can be exploited by skilled adversaries. Keep your systems updated and your cybersecurity defences strong.
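The "remote relationship to an external OLE object" described above is something a defender can check for directly: an Office Open XML file (PPSX, PPTX, DOCX) is a ZIP archive, and each part's relationships are declared in a `.rels` file. The scanner below is an added example, not code from the original article or from Deep Instinct; it builds a constructed, minimal archive in memory (not a real Office file) and flags any oleObject relationship whose `TargetMode` is `External`.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type that marks a linked or embedded OLE object in Office Open XML.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_external_ole_links(ooxml_bytes):
    """Return (rels part, target) pairs for every OLE relationship that points outside the file.

    An oleObject relationship with TargetMode="External" means the document fetches
    the object from a URL instead of carrying it inside the archive, which is the
    pattern the CVE-2017-8570 lure relies on.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def build_sample(target, external):
    """Construct a minimal PPSX-like archive (constructed test data, not a real deck)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid is a placeholder host, not an indicator from the article.
    suspicious = build_sample("http://example.invalid/payload.sct", external=True)
    benign = build_sample("../embeddings/oleObject1.bin", external=False)
    print(find_external_ole_links(suspicious))  # one hit: the remote target
    print(find_external_ole_links(benign))      # []
```

Pointing the same function at a real file is just `find_external_ole_links(open(path, "rb").read())`; an empty list means no externally linked OLE objects were declared.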
Identity and access management (IAM) services provider Okta has raised the alarm over a notable increase in credential stuffing assaults targeting online services.
Rising Threat Landscape
Okta's alert, published Saturday, highlights a significant surge in the "frequency and scale" of credential stuffing attacks, fuelled by the widespread availability of residential proxy services, combo lists, and automation tools. These attacks have intensified over the past month, signalling a concerning trend in cyber threats.
Unprecedented Assaults
The spike in attacks aligns with recent advisories from Cisco, shedding light on a global uptick in brute-force attacks targeting VPN services, web app authentication interfaces, and SSH services since March 18, 2024. These assaults, originating from Tor exit nodes and anonymising tunnels, have targeted a wide range of devices, including VPN appliances and routers from various vendors.
Okta's Discovery
Okta's Identity Threat Research unearthed a surge in credential stuffing activity from April 19 to April 26, 2024, with the attacks leveraging similar infrastructure. An alarming aspect of these assaults is their reliance on anonymising services like Tor, routing millions of requests through residential proxies such as NSOCKS, Luminati, and DataImpulse.
Understanding Credential Stuffing
Credential stuffing attacks exploit credentials obtained from data breaches or phishing campaigns to gain unauthorised access to user accounts on unrelated services. The attackers leverage anonymising services to obscure their malicious traffic, making detection and attribution challenging.
Mitigation Measures
To counter the threat of account takeovers, Okta recommends enforcing strong passwords, implementing two-factor authentication (2FA), blocking requests from suspicious locations or IP addresses with poor reputations, and supporting passkeys. These proactive measures can help organisations bolster their defences against credential stuffing attacks and safeguard user accounts.
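Credential stuffing, as described above, replays breached username/password pairs, so a single source tends to spray attempts across many different accounts with a high failure rate, which is the signal a defender can key on when deciding which sources to block. The detector below is an added example, not Okta's own logic or code from the article; it runs over a constructed sample of authentication events and reports the offending source IP together with any accounts that succeeded from it (likely compromised and worth forcing a reset or 2FA challenge).

```python
from collections import defaultdict

# Constructed sample of authentication events: timestamp, source IP, username, result.
# The addresses are documentation ranges, not indicators from the alert.
SAMPLE_LOG = """\
2024-04-20T10:00:01Z 203.0.113.7 alice FAIL
2024-04-20T10:00:02Z 203.0.113.7 bob FAIL
2024-04-20T10:00:02Z 203.0.113.7 carol FAIL
2024-04-20T10:00:03Z 203.0.113.7 dave FAIL
2024-04-20T10:00:03Z 203.0.113.7 erin SUCCESS
2024-04-20T10:00:04Z 203.0.113.7 frank FAIL
2024-04-20T10:01:10Z 198.51.100.9 alice FAIL
2024-04-20T10:01:15Z 198.51.100.9 alice FAIL
2024-04-20T10:01:20Z 198.51.100.9 alice SUCCESS
"""


def parse_events(text):
    """Turn the whitespace-separated log lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames with mostly failed logins.

    A legitimate user who mistypes a password concentrates retries on one account;
    a stuffing source spreads attempts across many accounts. The thresholds are
    illustrative and should be tuned to the service's normal traffic.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "hits": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["total"] += 1
        if ev["ok"]:
            s["hits"].add(ev["user"])
        else:
            s["fail"] += 1
    alerts = {}
    for ip, s in per_ip.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            # Accounts that succeeded from a stuffing source are probably compromised.
            alerts[ip] = {"distinct_users": len(s["users"]),
                          "fail_ratio": round(ratio, 2),
                          "compromised": sorted(s["hits"])}
    return alerts


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_events(SAMPLE_LOG)))
```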
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!