Jun 04 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that's cybercrime-a-phobic
Today's hottest cybersecurity news stories:
Emotet's got authorities running scared #shook
Flaws in Cox modems could impact millions
Gulp! RAT-Droppings found in npm package
Law enforcement authorities involved in Operation Endgame are seeking information about an individual known as "Odd," who is allegedly the mastermind behind the infamous Emotet malware.
Who is "Odd"?
Aliases: Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, Veron
Authorities believe Odd may not be working alone and could be collaborating with others on different malware projects.
Background on Emotet
Aliases in the Cybersecurity Community: Gold Crestwood, Mealybug, Mummy Spider, TA542
Evolution: Originally a banking trojan, Emotet evolved into a multipurpose tool capable of delivering other malware such as TrickBot, IcedID, and QakBot.
Recent Activity: An updated version of Emotet was found in March 2023 using Microsoft OneNote email attachments to bypass security. No new activity has been seen since April 2023.
Operation Endgame's Efforts
Recent Actions: The operation has resulted in four arrests and the takedown of over 100 servers linked to malware operations like IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.
Target: The aim is to disrupt the Initial Access Broker (IAB) ecosystem that facilitates ransomware attacks.
Germany's Federal Criminal Police Office (BKA)
Revelation: Identified eight cybercriminals involved in SmokeLoader and TrickBot operations, adding them to the E.U. Most Wanted List.
Impact on Cybercrime
Affected Groups: The crackdown has impacted Russian cybercrime organisations like Black Basta, REvil, and Conti, which have used these malware services to attack Western companies, including medical institutions.
Community Reaction
Underground Forums: Cybercriminals on forums like XSS.IS are on high alert. The forum moderator "bratva" advised members to check their virtual private servers (VPSes) for disruptions between May 27 and 29, 2024.
Speculation: Users are speculating about the possibility of an insider ("rat") working with law enforcement, especially in light of leaked Conti ransomware logs.
What to Watch For
Potential Threats: Watch for compromised accounts and malicious emails; credentials stolen by RATs and info stealers are used to gain initial access to networks.
Takeaway
Stay Vigilant: As authorities continue their efforts to dismantle cybercriminal networks, it's crucial to remain vigilant against potential cyber threats.
Recently patched authorization bypass issues in Cox modems could have been exploited to gain unauthorised access and execute malicious commands on these devices.
Key Points
Research Findings: Security researcher Sam Curry discovered vulnerabilities that allowed external attackers to execute commands, modify modem settings, and access personal information of business customers.
Potential Impact: Attackers could gain permissions equivalent to an ISP support team, affecting millions of modems.
Disclosure and Response: The vulnerabilities were responsibly disclosed to Cox on March 4, 2024, and were addressed within 24 hours. There is no evidence of exploitation in the wild.
Behind the Scenes
ISP Access: ISPs like Cox have extensive access to customer devices for remote management, including changing settings and viewing connected devices.
Internal Infrastructure: ISPs use internal infrastructures, such as Xfinity, that bridge consumer devices to exposed APIs. Vulnerabilities in these systems could compromise millions of devices.
Research Details
API Endpoints: Curry's analysis found about 700 exposed API endpoints. Some could be exploited to gain administrative access and execute unauthorized commands by replaying HTTP requests.
Example Exploit: The "profilesearch" endpoint could search for a customerβs business account details using their name, retrieve hardware MAC addresses, and modify accounts.
Potential Attack Scenario
Hypothetical Attack: An attacker could:
Look up a Cox customer and get complete account details.
Query the hardware MAC address to retrieve Wi-Fi passwords and connected devices.
Execute arbitrary commands to take over accounts.
Underlying Issues
Complex Management: Managing a wide range of customer devices via a REST API is complex. This complexity likely contributed to the security flaws.
Authorization Mechanism: The issues arose from relying on a single internal protocol for access, highlighting the need for better authorization mechanisms.
Curry's Perspective
Insight: Curry was surprised by the level of access ISPs have to customer devices. He noted that better authorization mechanisms could prevent such vulnerabilities.
Past Research
Curry's team previously disclosed vulnerabilities in vehicles and points.com that could unlock, start, and track cars, and access and manage customer rewards points.
Conclusion
The patching of these vulnerabilities highlights the importance of secure management practices for customer devices by ISPs. It underscores the need for robust authorization mechanisms to prevent unauthorised access and potential misuse.
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters.
Cybersecurity researchers have discovered a new malicious package uploaded to the npm package registry, designed to deploy a remote access trojan (RAT) on compromised systems. Here's a breakdown of what was found:
Package Details
Name: glup-debugger-log
Target: Users of the gulp toolkit, disguised as a "logger for gulp and gulp plugins."
Downloads: 175 times to date.
Malware Analysis
Discovery: Software supply chain security firm Phylum identified the package.
Obfuscated Files: The package contains two obfuscated files working together to deploy the RAT.
Initial Dropper: Sets the stage for the malware campaign by compromising the target machine if it meets specific criteria, then downloads additional malware components.
Remote Access Mechanism: Provides persistent control over the compromised machine.
Technical Breakdown
Manifest File: The library's package.json file contains a test script running a JavaScript file ("index.js") which, in turn, calls an obfuscated JavaScript file ("play.js").
Checks and Persistence: The "play.js" file functions as a dropper that:
Performs checks for network interfaces, specific Windows OS types (Windows NT), and the number of files in the Desktop folder (seven or more).
Ensures the target is an active developer machine, avoiding deployment on VMs or new installations.
If criteria are met, launches another JavaScript ("play-safe.js") to set up persistence.
Persistence and Command Execution
HTTP Server Setup: "play-safe.js" establishes an HTTP server listening on port 3004 for incoming commands.
Command Execution: Executes commands and sends the output back to the client as plaintext.
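The chain described in the Technical Breakdown (a manifest script that runs a bland entry file, which loads an obfuscated dropper, which fingerprints the host and then launches a file that opens a command listener) is exactly what a supply-chain scanner should follow. The block below is an added example, not the malicious package's code and not Phylum's tooling: it reads a parsed package.json, follows each lifecycle script to the files it runs, walks relative require() chains, and flags the behaviours named above. The sample manifest and file contents are constructed stand-ins (de-obfuscated, with no executable payload); the scanner reads them as text and never runs them. Indicator names, the regexes and the verdict thresholds are the author's assumptions, not published detection rules.

```javascript
// Added example (not the package's code and not Phylum's tooling): a static
// audit that follows a package's lifecycle scripts to the files they run,
// walks local require() chains, and flags the behaviours described above.
// Sample manifest and file contents are constructed and are scanned, not run.

// Hooks npm runs automatically on install, plus "test", which the write-up
// says carried the entry point here. Only the first four fire on "npm install".
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "test"];

// Each indicator maps to one behaviour in the write-up. These are heuristics.
const INDICATORS = [
  { name: "obfuscated-identifiers", re: /\b_0x[0-9a-f]{4,}\b/i },
  { name: "hex-escaped-strings", re: /(\\x[0-9a-f]{2}){6,}/i },
  { name: "network-fingerprinting", re: /networkInterfaces\s*\(/ },
  { name: "windows-check", re: /Windows_NT|platform\s*===?\s*['"]win32['"]/ },
  { name: "desktop-enumeration", re: /readdirSync[\s\S]{0,120}?Desktop/ },
  { name: "command-execution", re: /child_process|\bexec(?:Sync|File)?\s*\(/ },
  { name: "http-listener", re: /createServer\s*\([\s\S]*?\.listen\s*\(\s*\d+/ },
];

// JavaScript files named on a script's command line, e.g. "node index.js".
function filesRunBy(command) {
  return [...command.matchAll(/([\w./-]+\.c?m?js)\b/g)].map((m) => m[1].replace(/^\.\//, ""));
}

// Relative require()/import targets, so a bland entry file that merely loads
// an obfuscated sibling (index.js -> play.js -> play-safe.js) is still followed.
function localImports(src) {
  const out = [];
  for (const m of src.matchAll(/require\s*\(\s*['"](\.[^'"]+)['"]\s*\)|from\s+['"](\.[^'"]+)['"]/g)) {
    let p = (m[1] || m[2]).replace(/^\.\//, "");
    if (!/\.c?m?js$/.test(p)) p += ".js";
    out.push(p);
  }
  return out;
}

// pkg: parsed package.json; files: { relativePath: sourceText } from the tarball.
function auditPackage(pkg, files) {
  const findings = [];
  const seen = new Set();
  const queue = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (cmd) for (const f of filesRunBy(cmd)) queue.push({ file: f, via: hook });
  }
  while (queue.length) {
    const { file, via } = queue.shift();
    if (seen.has(file)) continue;
    seen.add(file);
    const src = files[file];
    if (src === undefined) { findings.push({ file, via, indicator: "missing-file" }); continue; }
    for (const ind of INDICATORS) if (ind.re.test(src)) findings.push({ file, via, indicator: ind.name });
    for (const dep of localImports(src)) queue.push({ file: dep, via });
  }
  return findings;
}

// Escalate when one script chain both fingerprints the host and stands up
// command execution or a listener: the dropper-plus-RAT shape described above.
function verdict(findings) {
  const names = new Set(findings.map((f) => f.indicator));
  const fingerprints = ["network-fingerprinting", "windows-check", "desktop-enumeration"].some((n) => names.has(n));
  const control = names.has("command-execution") || names.has("http-listener");
  if (fingerprints && control) return "block";
  return findings.length ? "review" : "clean";
}

// Constructed sample mirroring the layout in the write-up; not the real package contents.
const SAMPLE_PKG = { name: "glup-debugger-log", version: "0.0.1", scripts: { test: "node index.js" } };
const SAMPLE_FILES = {
  "index.js": "require('./play');\n",
  "play.js":
    "const os=require('os');const fs=require('fs');const _0xab12=['a','b'];\n" +
    "if(os.type()==='Windows_NT'&&Object.keys(os.networkInterfaces()).length>1&&" +
    "fs.readdirSync(os.homedir()+'/Desktop').length>=7){require('./play-safe');}\n",
  "play-safe.js":
    "const http=require('http');const cp=require('child_process');\n" +
    "const srv=http.createServer(handle);srv.listen(3004);\n",
};

function auditSample() {
  const findings = auditPackage(SAMPLE_PKG, SAMPLE_FILES);
  return { findings, verdict: verdict(findings) };
}
```

On the constructed sample the audit reports four indicators on play.js (obfuscated identifiers, network interface enumeration, the Windows_NT check, Desktop enumeration) and two on play-safe.js (child_process, an HTTP listener on a fixed port), and returns "block". Any one indicator alone is weak evidence; the combination of host fingerprinting with a command channel, reached from a lifecycle script, is what distinguishes this shape from an ordinary logging plugin.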
Phylum's Insights
Nature of the RAT: Described as both crude and sophisticated due to its minimal functionality, self-contained nature, and heavy reliance on obfuscation.
Evolving Threats: Highlights the growing complexity and cleverness of malware in open-source ecosystems, with attackers developing compact, efficient, and stealthy malware designed to evade detection while maintaining powerful capabilities.
This discovery underscores the importance of vigilant monitoring and security practices in the software supply chain to protect against evolving threats.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!