TA577 Strikes Again: New Phishing Attack Emerges! πŸŽ£πŸ”’πŸ’₯

Mar 06 2024

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that brings more cyber fire than Airman Aaron Bushnell πŸ”₯πŸ™ˆπŸ’€ That Aaron is so hot right now #Zoolander #Goingtohell

Today’s hottest cybersecurity news stories:

  • πŸ”« Thread hijack attack is stealing NTLM hashes from IT networks πŸ€“

  • 🌐 Novel DNS hijacking technique used by hackers for investment scams πŸ€‘

  • 🦈 TODDLERSHARK: Exploiting ConnectWise ScreenConnect flaws galore πŸ‘¨β€πŸ’»

Hijack attack gypsy cab holla back πŸŽΆπŸ’ΈπŸ’ΏπŸŽ€πŸ”₯

 

giphy.com

 

🚨 TA577 Strikes Again: New Phishing Attack Emerges! πŸŽ£πŸ”’πŸ’₯

The notorious threat actor known as TA577 has resurfaced, this time employing ZIP archive attachments in phishing emails to pilfer NT LAN Manager (NTLM) hashes, according to a report by enterprise security firm Proofpoint. πŸ˜±πŸ”’πŸ“§

A Sophisticated Attack Chain πŸ›‘οΈπŸ”—πŸ’Ό

The newly observed attack chain is crafted for sensitive information gathering, with the ultimate goal of facilitating follow-on malicious activities. At least two campaigns leveraging this approach were detected on February 26 and 27, 2024, targeting hundreds of organisations globally through thousands of messages. πŸŒπŸ“…πŸ’Ό

Thread Hijacking Tactics πŸ”„πŸŽ£πŸ›‘οΈ

Utilising the tactic of thread hijacking, the phishing emails masquerade as responses to previous correspondence, aiming to boost the likelihood of success. The ZIP attachments, acting as the primary delivery mechanism, harbour HTML files designed to establish contact with an actor-controlled Server Message Block (SMB) server. πŸ“ŽπŸ“§πŸ”—

The Objective: NTLM Hashes πŸ”πŸ’»πŸ’°

TA577’s primary objective is to capture NTLMv2 Challenge/Response pairs from the SMB server, enabling them to pilfer NTLM hashes for subsequent pass-the-hash (PtH) attacks. This sophisticated manoeuvre allows adversaries to authenticate sessions without the underlying password, granting unauthorised access to critical data within networks. πŸ˜ˆπŸ”‘πŸŒ

A Stealthy Cybercrime Group πŸ•΅οΈβ€β™‚οΈπŸ’ΌπŸ”

Known for its sophistication, TA577 has been associated with distributing malware families like QakBot and PikaBot in the past. The group demonstrates a keen understanding of the evolving cyber threat landscape, swiftly adapting its tactics, techniques, and procedures (TTPs) to evade detection and deploy various payloads. πŸ”„πŸ”πŸ’Ό

Cybersecurity Recommendations πŸ›‘οΈπŸ”’πŸ’Ό

In light of this threat, organisations are strongly advised to block outbound SMB traffic to thwart exploitation attempts and bolster their defences against such malicious activities. Vigilance and proactive measures are crucial to mitigating the risks posed by sophisticated threat actors like TA577. πŸš«πŸ›‘οΈπŸ”’

 

Signup for Free

 

Learn AI in 5 minutes a day. We’ll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Hackers: Don’t try and test the rebel DNS 🎢 #WuTang

🚨 Beware of Savvy Seahorse: DNS Threat Actor Targets Investors! πŸŒŠπŸ”πŸ’°

A new DNS threat actor dubbed Savvy Seahorse has emerged on the cyber threat landscape, employing sophisticated tactics to lure victims into fake investment platforms and abscond with their hard-earned funds, according to a recent report by Infoblox. πŸ•΅οΈβ€β™‚οΈπŸ’»πŸ’Έ

The Modus Operandi πŸŽ£πŸŒπŸ’Ό

Savvy Seahorse operates by persuading unsuspecting individuals to create accounts on counterfeit investment platforms, enticing them with promises of lucrative returns. Once victims make deposits into a personal account, the funds are swiftly transferred to a bank in Russia, leaving investors in financial distress. πŸ˜±πŸ’³πŸ’°

Wide Net of Targets 🎯🌐🌍

The threat actor’s campaigns cast a wide net, targeting individuals across various regions, including Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers. This broad scope indicates a concerted effort to ensnare victims on a global scale. 🌐🌍🎯

Social Media Snares and Fake Bots πŸ“²πŸŽ£πŸ€–

Victims are ensnared through enticing advertisements on social media platforms like Facebook, enticing them with the allure of high-return investment opportunities. Additionally, fake ChatGPT and WhatsApp bots are employed to dupe users into divulging personal information in exchange for purported investment prospects. πŸ“²πŸŽ£πŸ€–

Evading Detection with DNS Tricks πŸ›‘οΈπŸ”πŸ•΅οΈβ€β™‚οΈ

Savvy Seahorse employs DNS canonical name (CNAME) records to construct a traffic distribution system (TDS), enabling threat actors to evade detection since at least August 2021. By leveraging a domain generation algorithm (DGA) to create short-lived subdomains sharing CNAME records, the threat actor maintains a resilient infrastructure resistant to takedown efforts. πŸ›‘οΈπŸ”πŸ•΅οΈβ€β™‚οΈ

Cybersecurity Recommendations πŸ›‘οΈπŸ”’πŸ’Ό

Potential victims are cautioned against providing personal information or making financial transactions on suspicious platforms advertised on social media. Vigilance is paramount, and individuals should exercise caution when presented with investment opportunities that seem too good to be true. Additionally, cybersecurity measures should be bolstered to detect and mitigate threats posed by DNS-based attacks. πŸ›‘οΈπŸ”πŸ’Ό

Stay alert, stay safe! πŸš¨πŸ”πŸ‘€

🎣 Catch of the Day!! 🌊🐟🦞

πŸƒΒ The Motley Fool: β€œFool me once, shame on β€” shame on you. Fool me β€” you can’t get fooled again.” Good ol’ George Dubya πŸ˜‚ Let us tell who’s not fooling around though; that’s the CrΓΌe πŸ‘€ at Motley Fool. You’d be a fool (alright, enough already! πŸ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! πŸ› Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets πŸ€‘Β (LINK)


🚡 Wander: Find your happy place. Cue Happy Gilmore flashback πŸŒοΈβ›³πŸŒˆπŸ•ŠοΈ Mmmm Happy Place… πŸ˜‡ So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway 🏞️😍 (LINK)


🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts βšΎπŸ‘»πŸΏ (Great movie, to be fair πŸ™ˆ). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty πŸ˜‘). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho πŸ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

You’re gonna need a bigger boat πŸ‘€πŸ¦ˆπŸ˜³

🚨 North Korean Threat Actors Unleash TODDLERSHARK Malware! πŸ¦ˆπŸ”’

Security experts have uncovered a concerning development in the cyber threat landscape, as North Korean threat actors exploit recently disclosed security vulnerabilities in ConnectWise ScreenConnect to deploy a new malware strain dubbed TODDLERSHARK. πŸš¨πŸ”πŸ’»

The Malicious Manoeuvre πŸ¦ˆπŸ’»πŸ›‘οΈ

According to a report shared by Kroll, TODDLERSHARK shares similarities with known Kimsuky malware variants such as BabyShark and ReconShark. The threat actors capitalised on vulnerabilities CVE-2024-1708 and CVE-2024-1709 in ConnectWise ScreenConnect, leveraging the exposed setup wizard to gain access to victim workstations and execute the malicious payload. πŸ¦ˆπŸ’»πŸ›‘οΈ

A New Weapon in the Cyber Arsenal πŸ›‘οΈπŸ”πŸ€–

TODDLERSHARK represents the latest evolution of Kimsuky malware, designed to capture sensitive information from compromised hosts while exhibiting polymorphic behaviour to evade detection. This sophisticated malware leverages scheduled tasks for persistence and employs unique C2 URLs, making it a formidable reconnaissance tool in the hands of threat actors. πŸ›‘οΈπŸ”πŸ€–

Escalating Cyber Tensions πŸ“ˆπŸ›‘οΈπŸŒ

Amidst these revelations, South Korea’s National Intelligence Service (NIS) has accused North Korea of compromising servers belonging to two domestic semiconductor manufacturers, highlighting the escalating cyber tensions between the two nations. The intrusions, characterised by sophisticated living-off-the-land (LotL) techniques, underscore the growing threats posed by state-sponsored cyber operations. πŸ“ˆπŸ›‘οΈπŸŒ

Stay Vigilant, Stay Secure! πŸ›‘οΈπŸ”’πŸ’»

As cyber threats continue to evolve and proliferate, organisations and individuals must remain vigilant against emerging threats and ensure robust cybersecurity measures are in place. Timely patching of software vulnerabilities, employee awareness training, and deployment of advanced threat detection mechanisms are crucial steps in safeguarding against malicious actors’ nefarious activities. πŸ›‘οΈπŸ”πŸ’»

Stay safe in the digital realm, cyber squad! πŸš¨πŸ”’πŸŒ

πŸ—žοΈ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles