Jun 28 2024
Welcome to Gone Phishing, your favourite cybersecurity newsletter that's missing the Euros like hackers miss the Silk Road. Roll on Saturday!!
It's Friday, folks, which can only mean one thing… It's time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it.
Congrats, the cybercriminals are no match… for your patch!
Check out this freshly hatched patch
Apple AirPods Update: Security Alert!
Apple has issued a firmware update fixing a critical flaw (CVE-2024-27867) that could let hackers hijack your AirPods! Affected models include AirPods (2nd gen+), AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro. When your headphones seek a connection, attackers within Bluetooth range could spoof the source device and gain unauthorised access, potentially eavesdropping on private conversations.
Thanks to Jonas Dreßler, the flaw is now patched in firmware updates 6A326 and 6F8. This follows Apple's visionOS update addressing 21 issues, including a major web content DoS vulnerability (CVE-2024-27812) discovered by Ryan Pickren, marking the "world's first spatial computing hack".
Stay secure and update your devices now!
Now, today's hottest cybersecurity news stories:
Russian indicted for pre-war cyberattacks on Ukraine
Botnet evolution: Rust-based P2PInfect intros miner payloads
P2P users infected with malware via Korean telco. Oh no!
Russian National Indicted for Cyber Attacks on Ukraine and Allies
A 22-year-old Russian national, Amin Timovich Stigal, has been indicted in the U.S. for allegedly staging destructive cyber attacks against Ukraine and its allies in the lead-up to Russia's military invasion of Ukraine in early 2022. Stigal is believed to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) and remains at large. If convicted, he faces a maximum sentence of five years in prison.
U.S. Offers Reward for Information
The U.S. Department of State's Rewards for Justice program is offering up to $10 million for information on Stigal's whereabouts or his involvement in the cyber attacks. Attorney General Merrick B. Garland emphasised the severity of the actions, stating that Stigal conspired with Russian military intelligence to launch cyberattacks targeting the Ukrainian government and its allies, including the U.S.
WhisperGate Malware Attacks
The cyberattacks involved the deployment of a wiper malware named WhisperGate (also known as PAYWIPE), which targeted government, non-profit, and IT entities in Ukraine. These attacks began around mid-January 2022. WhisperGate was designed to masquerade as ransomware but could render infected systems inoperable if activated by the attacker. Microsoft has been tracking the malware under the name Cadet Blizzard.
Data Exfiltration and Website Defacement
Court documents reveal that Stigal and his associates used services from an unnamed U.S.-based company to distribute WhisperGate and exfiltrate sensitive data, including patient health records. They also defaced websites and sold the stolen information on cybercrime forums, aiming to create panic among the Ukrainian populace regarding the safety of government systems and data.
Probing U.S. Government Systems
Between August 2021 and February 2022, the conspirators used the same infrastructure for the Ukrainian attacks to probe computers belonging to a federal government agency in Maryland, mirroring their initial probing of Ukrainian government networks.
Related Conviction: Florida Man and Crypto Thefts
In a related development, the U.S. Department of Justice announced the conviction of Remy St Felix, a 24-year-old Florida man, for a series of violent home invasion robberies aimed at stealing cryptocurrency. St Felix and his accomplices kidnapped and assaulted victims in their homes, forcing them to drain their cryptocurrency accounts. In one incident in April 2023, St Felix and a co-conspirator zip-tied a victim and their spouse at gunpoint, transferring over $150,000 in cryptocurrency using AnyDesk remote desktop software.
Sentencing and Charges
St Felix, convicted of nine counts including conspiracy, kidnapping, Hobbs Act robbery, wire fraud, and brandishing a firearm, faces a minimum of seven years and a maximum of life in prison. He is scheduled for sentencing on September 11, 2024.
The P2PInfect botnet, previously considered dormant, has resurfaced with ransomware and cryptocurrency mining capabilities, targeting misconfigured Redis servers. This development indicates a shift towards financially motivated operations.
Malware Evolution
P2PInfect, discovered nearly a year ago, now targets MIPS and ARM architectures. Originally spreading by exploiting Redis server vulnerabilities, the botnet turns victim systems into follower nodes, allowing attackers to issue arbitrary commands.
New Capabilities
The Rust-based worm has added features like internet scanning for vulnerable servers and an SSH password sprayer module to log in using common passwords. It also changes passwords, restarts SSH services with root permissions, and performs privilege escalation to prevent other attackers from hijacking the same server.
Peer-to-Peer Network
As a peer-to-peer botnet, P2PInfect forms a mesh network where each infected machine acts as a node. This structure allows the botnet to efficiently propagate updates across the network using a gossip mechanism.
Financial Motivations
Recent updates include miner and ransomware payloads. The ransomware encrypts files with specific extensions and demands 1 XMR (~$165) in ransom. The miner, configured to use maximum processing power, often interferes with ransomware operations.
Rootkit and Evasion Techniques
P2PInfect now includes a usermode rootkit that hides malicious processes and files using the LD_PRELOAD environment variable. This technique, also used by groups like TeamTNT, aims to evade detection by security tools.
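Hunting for that persistence from the defender's side, as an added example that is not part of the P2PInfect write-up: it reads /etc/ld.so.preload and each process's environment for LD_PRELOAD entries that point outside the normal library directories or at a file no longer on disk (TRUSTED_DIRS is an assumption to tune per host).

```python
"""Hunt for the LD_PRELOAD persistence a usermode rootkit relies on: entries in
/etc/ld.so.preload and LD_PRELOAD set in a process environment, flagging any
library outside the system library directories or missing from disk. Added
example, not code from the P2PInfect analysis; paths are parameters for testing."""
from pathlib import Path
from typing import Dict, Iterable, List

# Where distribution-managed shared objects normally live (assumption; tune per host).
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def suspicious_libs(entries: Iterable[str]) -> List[str]:
    """Entries outside TRUSTED_DIRS, or not present on disk (unlinked .so)."""
    hits = []
    for entry in (e.strip() for e in entries):
        if not entry or entry.startswith("#"):
            continue
        if not entry.startswith(TRUSTED_DIRS) or not Path(entry).is_file():
            hits.append(entry)
    return hits

def check_preload_file(path: str = "/etc/ld.so.preload") -> List[str]:
    """A populated /etc/ld.so.preload is unusual; report entries that fail."""
    p = Path(path)
    if not p.is_file():
        return []
    return suspicious_libs(p.read_text(errors="replace").splitlines())

def check_environ(environ: str) -> List[str]:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE); LD_PRELOAD
    entries are separated by ':' or ' '."""
    for item in environ.split("\0"):
        if item.startswith("LD_PRELOAD="):
            value = item[len("LD_PRELOAD="):]
            return suspicious_libs(value.replace(":", " ").split())
    return []

def scan_processes(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Map pid -> suspicious LD_PRELOAD entries for every readable process
    (Linux only; environ of other users' processes is skipped on EACCES)."""
    results: Dict[int, List[str]] = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            blob = (entry / "environ").read_bytes().decode(errors="replace")
        except OSError:
            continue
        if hits := check_environ(blob):
            results[int(entry.name)] = hits
    return results
```

Run scan_processes() as root to cover every process; a rootkit that hooks readdir can hide its own /proc entry, so compare the pid list against a second view (e.g. a kernel-side tool) when the result looks too clean.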
Botnet-for-Hire?
The botnet may be a botnet-for-hire service, deploying other attackers' payloads for payment. Different wallet addresses for miner and ransomware support this theory.
Broader Threat Landscape
This revelation aligns with findings from AhnLab Security Intelligence Center (ASEC) and Fortinet FortiGuard Labs, which report similar botnet activities exploiting vulnerable web servers and cloud services for malware distribution and updates.
Security Recommendations
Given the rise in such attacks, it's crucial for organisations to secure Redis servers, update software regularly, and monitor for suspicious activities to mitigate the risk of infection by botnets like P2PInfect.
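What "secure Redis servers" means in practice, as an added example (not from the newsletter or any P2PInfect report): a small audit of redis.conf that flags the exposed configuration a worm looks for and passes the hardened one; both sample configs are constructed and the requirepass value is a placeholder.

```python
"""Audit a redis.conf for the misconfigurations that let worms like P2PInfect
take over a server: reachable on every interface, protected mode off, and no
authentication. Added example; the two sample configs below are constructed."""
from typing import Dict, List

# Constructed example of an exposed instance (assumed, not taken from the page).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass left unset: anyone who can reach the port has full access
"""

# The same instance with the settings a defender would want.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass <placeholder-long-random-secret>
rename-command CONFIG ""
rename-command DEBUG ""
"""

def parse_conf(text: str) -> Dict[str, List[str]]:
    """Turn redis.conf lines into {directive: [values...]}, ignoring comments."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    conf = parse_conf(text)
    findings: List[str] = []
    bind = " ".join(conf.get("bind", []))
    if not bind or "0.0.0.0" in bind or "*" in bind or "::" in bind.split():
        findings.append("bind: listens on all interfaces (no bind, 0.0.0.0, * or ::)")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are allowed")
    if "requirepass" not in conf and "user" not in conf:
        findings.append("requirepass: no password/ACL, so any client gets full access")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    for cmd in ("CONFIG", "DEBUG"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still callable by any client")
    return findings
```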
South Korean telco KT is under fire for allegedly infecting customers with malware to curb excessive use of peer-to-peer (P2P) downloading tools, affecting around 600,000 users of "web hard drives" (online storage services for uploading and sharing content).
Police Investigation Unfolds
The malware, inserted into KT's Grid Program, disrupted file exchange services, leading to user complaints. This activity reportedly began in May 2020 and lasted nearly five months, originating from within KT's datacenters.
A police investigation is underway, with searches conducted at KT's headquarters and datacenters for evidence of violations of South Korea's Communications Secrets Protection Act (CSPA) and Information and Communications Network Act (ICNA). Thirteen KT employees have been identified for potential prosecution.
KT's Defense and Public Outcry
KT defends its actions by labelling the P2P service as malicious. However, distributing malware and disrupting customer files have raised serious ethical concerns about privacy and consent.
Given the notorious targeting of P2P-shared files by malware distributors, KT might have assumed its users wouldn't notice an extra virus or two. But the public outcry suggests otherwise.
Have a good weekend y'all!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!