TeamViewer Detects IT Irregularity

Jul 01 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that reckons the scammers are having an absolute field day with #Wandsworth trending on Twitter 😈💀💀 “Latest viral video link 👇😄” If you know, you know ⛔❌🚧

Today’s hottest cybersecurity news stories:

  • 👨‍👨‍👦‍👦 TeamViewer sensed a disturbance in the corporate intranet 🌐

  • 🐌 SnailLoad exploits net bottlenecks to spy on your web activities 🕵🏻‍♂️

  • 🚀 Kimsuky uses ‘TRANSLATEXT’ extension to steal your data 🗃️

Hackers: TeamWork makes the dream work 🙃💀💀

🚨 TeamViewer Detects IT Irregularity 🖥️

On June 26, 2024, TeamViewer discovered an "irregularity" in its internal corporate IT environment. 🖥️🔍

"We immediately activated our response team and procedures, started investigations together with a team of globally renowned cybersecurity experts, and implemented necessary remediation measures," the company said in a statement. 🛡️👨‍💻

Customer Data Unaffected 🔒

TeamViewer assured that its corporate IT environment is separate from the product environment and that there is no evidence of customer data being impacted. 📊✅ An investigation is underway, and updates will be provided as new information becomes available. 🔄

TeamViewer, based in Germany, develops remote monitoring and management (RMM) software used by over 600,000 customers globally. 🌍📈

Health-ISAC Bulletin and APT29 Involvement ⚠️

The U.S. Health Information Sharing and Analysis Center (Health-ISAC) issued a bulletin about threat actors exploiting TeamViewer. 🏥🚨 APT29, a state-sponsored Russian threat actor, has been linked to this activity. 🕵️‍♂️

Attack Attributed to APT29 🕵️‍♂️

On Friday, TeamViewer attributed the attack to APT29, saying the threat actor targeted credentials associated with an employee account. 🧑‍💼🔑

"Based on continuous security monitoring, our teams identified suspicious behaviour of this account and immediately put incident response measures into action," TeamViewer noted. "There is no evidence that the threat actor gained access to our product environment or customer data." 🛡️✅

Ongoing Response and Recommendations 🔄

TeamViewer is working with Microsoft and has implemented stronger security measures. 🛡️ Microsoft also revealed that some customer email inboxes were accessed by APT29 following a related breach. 📧🔓 TeamViewer continues to rebuild its internal IT environment to enhance security and has informed employees and the relevant authorities. 💁🔒 The situation remains under investigation. 🔍

Just follow the Snail trail 🐌🐌🐌

🚨 New "SnailLoad" Attack Revealed by Researchers 🐌

Researchers from the Graz University of Technology have unveiled a novel side-channel attack named SnailLoad that can remotely infer a user's web activity. 🌍🔍

"SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in their study released this week. 📄

How SnailLoad Works 🔍

SnailLoad capitalises on the latency of network packets caused by this bottleneck, allowing attackers to deduce what websites a user visits or videos they watch. 📽️🔗

Unlike other attacks, SnailLoad doesn’t require an adversary-in-the-middle (AitM) setup or proximity to the victim's Wi-Fi connection. Instead, the attacker tricks the target into loading a harmless asset (like a file, image, or ad) from a malicious server. 🖼️📁

The attacker then measures the latency of the victim's network connection as the content downloads. Using a convolutional neural network (CNN) trained with similar network traces, they can infer web activities with up to 98% accuracy for videos and 63% for websites. 🧠📉

The Technical Details 🕸️

Because of this bottleneck, an attacker can measure the round-trip time (RTT) of packets to the victim and infer when other data is being transmitted over the connection. Each video produces a distinctive RTT trace, which allows the watched content to be classified. 📈🎬

The attack is named SnailLoad because the malicious server sends the file slowly, monitoring connection latency over time. "SnailLoad requires no JavaScript, no form of code execution on the victim system, and no user interaction but only a constant exchange of network packets," the researchers explained. 💁📡

The root cause lies in buffering in the transport path node, typically the last node before the user's modem or router, linked to a quality-of-service issue called bufferbloat. 📶🚦
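The queuing effect described above, as an added simulation that is not from the SnailLoad paper or the original post: a fluid model of one bottleneck link with a tail-drop buffer, through which both the victim's own download and a trickle of small probe packets pass. The link rate, base RTT, probe size and the victim's download pattern are constructed assumptions. It shows why the probe RTT trace mirrors the victim's activity, and why the buffer size (the bufferbloat the researchers name as the root cause) sets the magnitude of the leak: the worst-case queuing delay is the buffer size divided by the link rate, so a short queue, whether from a smaller buffer or from active queue management, bounds what a latency side channel can observe.

```python
"""Toy fluid model of a bufferbloated bottleneck link (constructed example).

A tiny probe packet enters the bottleneck every few ms. Its round-trip time
(RTT) is the base propagation delay plus the time it waits behind whatever
the victim's own download has already queued, so the probe RTT trace
mirrors the victim's activity. All constants are assumptions, not values
measured in the SnailLoad study.
"""
from typing import Callable, List, Tuple

LINK_RATE = 1250        # bytes drained per ms (~10 Mbit/s), constructed
BASE_RTT_MS = 20.0      # RTT with an empty queue, constructed
PROBE_BYTES = 100       # size of each latency probe, constructed
PROBE_EVERY_MS = 10     # probe cadence, constructed


def simulate(victim_bytes_at: Callable[[int], int], buffer_bytes: int,
             duration_ms: int = 1000) -> List[Tuple[int, float]]:
    """Run the queue for duration_ms ticks; return (tick, probe RTT in ms)."""
    backlog = 0  # bytes currently queued at the bottleneck
    trace = []
    for t in range(duration_ms):
        backlog = max(0, backlog - LINK_RATE)                      # link drains the queue
        backlog = min(buffer_bytes, backlog + victim_bytes_at(t))  # tail-drop at capacity
        if t % PROBE_EVERY_MS == 0:
            queue_delay = backlog / LINK_RATE                      # wait behind the backlog
            trace.append((t, BASE_RTT_MS + queue_delay))
            backlog += PROBE_BYTES                                 # probe joins the queue
    return trace


def bursty_download(start_ms: int, end_ms: int, rate: int) -> Callable[[int], int]:
    """Victim pulls `rate` bytes/ms between start and end, idle otherwise."""
    return lambda t: rate if start_ms <= t < end_ms else 0


def rtt_trace(buffer_bytes: int) -> List[Tuple[int, float]]:
    """Probe RTTs while the victim downloads at 2x link rate from 200 to 600 ms."""
    return simulate(bursty_download(200, 600, 2 * LINK_RATE), buffer_bytes)


def busy_interval(trace: List[Tuple[int, float]], margin_ms: float = 5.0):
    """First and last tick at which the probe RTT sits above the idle baseline."""
    busy = [t for t, rtt in trace if rtt > BASE_RTT_MS + margin_ms]
    return (busy[0], busy[-1]) if busy else None


def max_queue_delay_ms(buffer_bytes: int) -> float:
    """Worst-case queuing delay: a full buffer has to drain at link rate."""
    return buffer_bytes / LINK_RATE


if __name__ == "__main__":
    for name, buf in (("bloated 1 MB buffer", 1_000_000), ("small 50 KB buffer", 50_000)):
        trace = rtt_trace(buf)
        print(f"{name}: peak RTT {max(r for _, r in trace):.1f} ms, "
              f"RTT elevated over ticks {busy_interval(trace)} (download ran 200-600 ms)")
```

With the large buffer the probe RTT climbs by hundreds of milliseconds and stays elevated well after the download ends, because the bloated queue takes that long to drain; with the small buffer the RTT is capped at the 40 ms the buffer can hold, and the trace returns to baseline within a few probes.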

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business. 🤖👩‍💻🌍

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

It’s the LATEXT threat from Kimsuky 😬

🚨 Kimsuky Uses New Chrome Extension for Cyber Espionage 🎯

It’s disguised as Google Translate! 😲 The North Korea-linked threat actor, Kimsuky, has been linked to a new malicious Google Chrome extension designed to steal sensitive information as part of an ongoing intelligence collection effort. 🕵️‍♂️🔍

TRANSLATEXT: The Malicious Extension 🚀

Zscaler ThreatLabz observed this activity in early March 2024, naming the extension TRANSLATEXT. This tool gathers email addresses, usernames, passwords, cookies, and browser screenshots. 🖥️🔍

The campaign targets South Korean academia, focusing on experts in North Korean political affairs. 🎓

Kimsuky's Notorious History 🎭

Kimsuky, active since at least 2012, is known for cyber espionage and financially motivated attacks against South Korean entities. Part of the Reconnaissance General Bureau (RGB), it’s also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima. 🌍📊

Recently, the group exploited a Microsoft Office flaw (CVE-2017-11882) to distribute a keylogger and used job-themed lures to target aerospace and defence sectors, deploying an espionage tool called Niki. 🛠️✈️

Chrome Extension Attack Vector 🕶️

The initial access method for TRANSLATEXT is unclear, but Kimsuky typically uses spear-phishing and social engineering. The attack starts with a ZIP file containing a Hangul Word Processor document and an executable. 📄💻

Running the executable retrieves a PowerShell script from an attacker-controlled server, exports victim information to a GitHub repository, and downloads more PowerShell code via a Windows shortcut (LNK) file. 💾📡

Zscaler found a GitHub account, created on February 13, 2024, briefly hosting TRANSLATEXT under "GoogleTranslate.crx". Files were present on March 7, 2024, but deleted the next day, suggesting short-term targeting. 🔍⏳

TRANSLATEXT's Capabilities 🔒

Disguised as Google Translate, TRANSLATEXT includes JavaScript code to bypass security measures for services like Google, Kakao, and Naver. It can syphon email addresses, credentials, and cookies, capture browser screenshots, and exfiltrate stolen data. 📧📸

It fetches commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all browser cookies. 🌐🧹

"One of the primary objectives of the Kimsuky group is to conduct surveillance on academic and government personnel to gather valuable intelligence," said security researcher Seongsu Park. 🌍🕵️‍♂️

Kimsuky's continued evolution in cyber espionage tools highlights the persistent threat they pose to targeted entities. Stay vigilant! 🛡️🔍
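A triage script for the kind of extension described above, added here as an example and not taken from Zscaler's report: it reads a Chrome extension's manifest.json and flags the combination of permissions and host access that a cookie- and credential-stealing extension needs (cookies, tabs, scripting, `<all_urls>`, content scripts on sign-in pages). Both sample manifests are constructed, and the high-risk permission list and the sign-in hostnames are assumptions chosen for illustration rather than anything from the TRANSLATEXT sample.

```python
import json
from typing import Dict, List

# Permissions that give an extension reach into sessions, page content or other
# tabs. Which ones count as high risk is an assumption made for this example.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read/write cookies for every granted host",
    "tabs": "enumerate open tabs and their URLs",
    "scripting": "inject JavaScript into granted hosts",
    "webRequest": "observe every request, including submitted form data",
    "webRequestBlocking": "modify or block requests in flight",
    "debugger": "attach the DevTools protocol to any tab",
    "nativeMessaging": "talk to a native host process outside the browser",
    "history": "read the full browsing history",
    "clipboardRead": "read the clipboard",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed watch list of sign-in hosts; the names are assumed for illustration.
LOGIN_HOSTS = ("accounts.google.com", "nid.naver.com", "accounts.kakao.com")


def requested_hosts(manifest: dict) -> List[str]:
    """Every host pattern the extension asks for, across MV2 and MV3 layouts."""
    hosts = set(manifest.get("host_permissions", []))           # MV3 host grants
    hosts.update(p for p in manifest.get("permissions", [])      # MV2 lists hosts here
                 if "://" in p or p == "<all_urls>")
    for script in manifest.get("content_scripts", []):          # pages that get scripts injected
        hosts.update(script.get("matches", []))
    return sorted(hosts)


def triage(manifest: dict) -> Dict[str, object]:
    """Return a list of findings and a score (the finding count) for one manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = requested_hosts(manifest)
    findings = []
    for perm in sorted(perms & set(HIGH_RISK_PERMISSIONS)):
        findings.append(f"permission '{perm}': {HIGH_RISK_PERMISSIONS[perm]}")
    broad = [h for h in hosts if h in BROAD_HOST_PATTERNS]
    if broad:
        findings.append(f"broad host access: {', '.join(broad)}")
    on_login = [h for h in hosts if any(site in h for site in LOGIN_HOSTS)]
    if on_login:
        findings.append(f"scripts or host access on sign-in pages: {', '.join(on_login)}")
    # Combinations are what matter: the cookies permission does little without hosts to read them for.
    if "cookies" in perms and (broad or on_login):
        findings.append("cookie access plus host access: session tokens can be lifted")
    return {"name": manifest.get("name", "?"), "score": len(findings), "findings": findings}


def triage_file(path: str) -> Dict[str, object]:
    """Triage a manifest.json on disk (e.g. one found under a Chrome profile's Extensions directory)."""
    with open(path, encoding="utf-8") as fh:
        return triage(json.load(fh))


# Constructed sample manifests: one mimicking a translator with stealer-grade
# grants, one with the minimal grants a benign utility would request.
SUSPICIOUS_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Google Translate",
  "version": "1.0",
  "permissions": ["cookies", "tabs", "scripting", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://accounts.google.com/*",
                                   "https://nid.naver.com/*"], "js": ["content.js"]}],
  "background": {"service_worker": "bg.js"}
}""")

BENIGN_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Word Counter",
  "version": "2.1",
  "permissions": ["activeTab", "storage"],
  "action": {"default_popup": "popup.html"}
}""")

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage(manifest)
        print(f"{report['name']}: score {report['score']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run `triage_file` over each manifest.json beneath a user's Chrome profile (on Windows that is the `Extensions\<extension id>\<version>\` tree under `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\`) and review anything with a non-zero score; a "translator" that wants cookies on every site plus scripts on sign-in pages should not survive that review.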

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!
