🚨 T-Mobile Confirms Targeting in Chinese Cyber-Espionage Campaign 🕵

Nov 22 2024

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that casts a wide old net and never pulls any punches cough Mike Tyson 🙈🥊🎣👀😁 

Patch of the Week! 🩹

First thing’s first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to PAN-OS, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Don’t PANic! 😏

🚨 Palo Alto Networks Alert! ⚠️

A critical zero-day vulnerability (9.3 CVSS) in PAN-OS is under active exploitation. Attackers are deploying web shells to gain unauthorised remote access through vulnerable PAN-OS firewall management interfaces 🌐.

🔎 Indicators of Compromise (IoCs) IP addresses:

  • 136.144.17[.]*

  • 173.239.218[.]251

  • *216.73.162[.]

👇 Immediate Actions Needed:

1. Restrict Access: Limit management access to known IPs.

2. Update PAN-OS: Patch to 10.1.14-h6 through 11.2.4-h1 to resolve:

■ CVE-2024-9474 🚀 Privilege Escalation 

■ CVE-2024-0012 🔓 Auth Bypass

Palo Alto Networks is monitoring this as Operation Lunar Peek 👀. Remember, CISA mandates patching for Federal agencies by Dec 9.

💻 Patch now to stay protected! 🛡️

Now, on to this week’s hottest cybersecurity news stories: 

  • 🐉 Chinese hackers Salt Typhoon shakes up T-Mobile w/ espionage 🕵

  • 🐍 WhiteSnake and Meduza stealers delivered via BabbleLoader 👾

  • 👨🏻‍💻 Hackers exploit Black Friday shopping frenzy w/ fake discount sites 🛒FBI, Robot… 🤖

Salt Typhoon is T-ing up 🏌

🚨 T-Mobile Confirms Targeting in Chinese Cyber-Espionage Campaign 🕵

T-Mobile, a major U.S. telecom company, has confirmed that Chinese threat actors, Salt Typhoon (aka Earth Estries), targeted it in a months-long cyber-espionage campaign aiming to access sensitive communications from high-profile targets. This espionage effort appears focused on harvesting private data across major U.S. telecoms, including AT&T and Verizon.

Attack Details 🕵️‍♂️

Salt Typhoon, known for advanced persistence techniques, has been active since 2020 and recently intensified attacks on government and telecom sectors worldwide. 🌍

In this campaign, vulnerable software and misconfigured services were exploited to install custom backdoors and Cobalt Strike malware, enabling attackers to infiltrate networks undetected. 🚨

T-Mobile’s Response 🛡️

T-Mobile states that, so far, there’s no evidence of customer data being impacted. They are closely monitoring the situation and collaborating with authorities to prevent further breaches.

Salt Typhoon’s Tactics 🎩

Salt Typhoon’s attack strategies are known for their stealth and sophistication:

  • Access Techniques: They exploit vulnerabilities in systems like Microsoft Exchange and employ the China Chopper web shell to plant malware, then use cURL to download backdoor programs.

  • Persistence & Evasion: Using programs like NinjaCopy and PortScan, they maintain a foothold in compromised networks and obscure traffic through compromised servers.

Broader Implications 🌐

The U.S. government has warned of “broad and significant” attacks on American telecom infrastructures by the PRC, stressing the severity of potential data exposure and espionage risks.

This serves as a crucial reminder for industries to strengthen cybersecurity and continually monitor for vulnerabilities.

Novaxidil Triple Action Hair Regrowth Treatment

Novaxidil is a Premium OTC Triple Action hair loss treatment that stimulates hair regrowth, prevents further loss, AND nourishes your scalp with a combination of clinically proven ingredients: 5% Minoxidil, 2% K-Conazole, 1% Nicotinamide, Vitamin K, Biotin, and Collagen Peptides.

Our team of MD/PhD's formulated Novaxidil to maximize results while minimizing side effects.

MINOXIDIL 5%: Minoxidil is the Gold Standard for hair regrowth. It achieves this by shortening the telogen phase, extending the anagen phase, increasing blood flow to the scalp, and increasing dermal papilla cell activity.

K-CONAZOLE™ 2%: Studies have shown that K-Conazole™, a proprietary version of the popular compound, blocks the production of dihydrotestosterone (DHT), a hormone linked to male pattern baldness, as effectively as prescription alternatives like FINA without the side effects. It works by inhibiting the 5-alpha reductase (5AR) enzyme, which converts testosterone into DHT.

NICOTINAMIDE 1%: Nicotinamide, also known as niacinamide, has potent effects on hair regrowth. In studies, it has been shown to increase blood flow, and reduce inflammation to the scalp, as well as prevent premature catagen entry, and increase hair thickness. Nicotinamide works in synergy with Minoxidil, and K-Conazole™ to maximize hair regrowth, and minimize loss like no other product on the market!

Before you give up, and start rocking the "bald look," give Novaxidil a try. We're confident you won't regret it.

Learn More

Hackers: Here I go again on my own 🎶

 🚨 New Malware Loader, BabbleLoader, Evades Detection with Stealthy Tactics ♟️ 

Cybersecurity experts have identified BabbleLoader, a highly evasive malware loader that bypasses antivirus and sandbox detection to install data-stealing malware like WhiteSnake and Meduza. Designed to avoid traditional and AI-based defenses, BabbleLoader is being deployed in multiple campaigns, specifically targeting individuals searching for cracked software as well as finance and administrative professionals.

Key Features of BabbleLoader 🛡️

  • Dynamic Evasion: BabbleLoader can change its structure on the fly, adding junk code and unique control flows with each build to elude detection by altering its code and metadata every time. These variations make it hard for traditional antivirus and AI to detect it. 🧩

  • Runtime Function Resolution: To avoid static detection, BabbleLoader only resolves required functions during runtime, making it tougher to identify through signature-based approaches. ⚙️

  • Sandbox Resistance: It’s designed to detect and thwart sandboxing tools, causing software like IDA and Ghidra to crash, impeding analysts' efforts to inspect it.

BabbleLoader in Action 🕵️‍♂️

Once executed, BabbleLoader instals shellcode that decrypts the payload, handing over control to the Donut loader to initiate malware like WhiteSnake and Meduza. BabbleLoader is part of an increasing trend of “loaders,” joining similar tools like Dolphin Loader and FakeBat that cybercriminals use to propagate information stealers, ransomware, and RATs (Remote Access Trojans) by skirting around traditional detection.

Wider Malware Landscape 🌐

BabbleLoader’s emergence follows a series of malware findings, including LodaRAT, a RAT capable of stealing cookies, credentials, and sensitive data, recently spotted alongside Cobalt Strike and Donut loader infections. There’s also Mr.Skeleton RAT, which allows hackers to remotely control victims’ systems, manipulate files and registries, and even access webcams.

Implications for Security 🔍

As BabbleLoader and similar loaders become more common, businesses and users alike need to update and diversify defence tactics to address increasingly evasive cyber threats.

Learn AI in 5 Minutes a Day

AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.

Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.

Sign up with 1-Click

Hack Friday 💀 

🚨 New Phishing Campaign Targets Holiday Shoppers w/ Fake Brand Discounts 🎣 

As Black Friday approaches, a phishing campaign is preying on online shoppers in Europe and the U.S., posing as well-known brands to steal personal and financial information. The SilkSpecter group, a Chinese threat actor, has been mimicking major brands like IKEA, North Face, and Wayfair to lure users into fake discount deals on phishing sites.

How the Scam Works 🕵️‍♀️

  • Fake Discounted Products 🎁: Sites, often under domains like .shop and .vip, appear to offer Black Friday deals. Victims are encouraged to provide credit card data (CHD), sensitive authentication details (SAD), and personal information (PII).

  • Geolocation Language Detection 🌎: Using Google Translate, the phishing pages change language based on visitors' regions, adding credibility.

  • Tracking Pixels 📊: Trackers like OpenReplay and TikTok Pixel monitor user activity to refine targeting.

The Payment Trap 💳

These fake sites use Stripe to create a legitimate-looking checkout. However, any card details entered are stolen. Users are also asked for their phone numbers—a setup for follow-on attacks, such as smishing and vishing, to steal more information, like 2FA codes.

SEO Tactics and Social Media 🚀

To increase visibility, SEO poisoning tactics may push these sites to the top of search results. Attackers could also share links via social media to catch unsuspecting shoppers.

Related Black Hat Operations 🎩

Other phishing campaigns, such as Phish ‘n’ Ships, employ similar tactics, infecting real websites to sell fake products. In these scams, users make payments, but the items never arrive. 

As online shopping surges this season, shoppers should stay vigilant—verify site URLs, avoid pop-up discounts, and prioritise secure payment methods!

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles