Jul 01 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that reckons the scammers are having an absolute field day with #Wandsworth trending on Twitter: "Latest viral video link". If you know, you know.
Today's hottest cybersecurity news stories:
TeamViewer sensed a disturbance in the corporate intranet
SnailLoad exploits net bottlenecks to spy on your web activities
Kimsuky uses "TRANSLATEXT" extension to steal your data
On June 26, 2024, TeamViewer discovered an "irregularity" in its internal corporate IT environment.
"We immediately activated our response team and procedures, started investigations together with a team of globally renowned cybersecurity experts, and implemented necessary remediation measures," the company said in a statement.
Customer Data Unaffected
TeamViewer assured that its corporate IT environment is separate from the product environment and there is no evidence of customer data being impacted. An investigation is underway, and updates will be provided as new information becomes available.
TeamViewer, based in Germany, develops remote monitoring and management (RMM) software used by over 600,000 customers globally.
Health-ISAC Bulletin and APT29 Involvement
The U.S. Health Information Sharing and Analysis Center (Health-ISAC) issued a bulletin about threat actors exploiting TeamViewer. APT29, a state-sponsored Russian threat actor, has been linked to this activity.
Attack Attributed to APT29
On Friday, TeamViewer attributed the attack to APT29, which targeted credentials associated with an employee account.
"Based on continuous security monitoring, our teams identified suspicious behaviour of this account and immediately put incident response measures into action," TeamViewer noted. "There is no evidence that the threat actor gained access to our product environment or customer data."
Ongoing Response and Recommendations
TeamViewer is working with Microsoft and has implemented stronger security measures. Microsoft also revealed that some customer email inboxes were accessed by APT29 following a related breach. TeamViewer continues to rebuild its internal IT environment to enhance security and has informed employees and relevant authorities. The situation remains under investigation.
Researchers from the Graz University of Technology have unveiled a novel side-channel attack named SnailLoad that can remotely infer a user's web activity.
"SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in their study released this week.
How SnailLoad Works
SnailLoad capitalises on the latency of network packets caused by this bottleneck, allowing attackers to deduce what websites a user visits or videos they watch.
Unlike other attacks, SnailLoad doesn't require an adversary-in-the-middle (AitM) setup or proximity to the victim's Wi-Fi connection. Instead, the attacker tricks the target into loading a harmless asset (like a file, image, or ad) from a malicious server.
The attacker then measures the latency of the victim's network connection as the content downloads. Using a convolutional neural network (CNN) trained with similar network traces, they can infer web activities with up to 98% accuracy for videos and 63% for websites.
The Technical Details
Because of the bottleneck, an attacker can measure packet round-trip time (RTT) to infer when data is being transmitted to the victim. Each video generates a unique RTT trace, enabling classification of the watched content.
The attack is named SnailLoad because the malicious server sends the file slowly, monitoring connection latency over time. "SnailLoad requires no JavaScript, no form of code execution on the victim system, and no user interaction but only a constant exchange of network packets," the researchers explained.
The root cause lies in buffering in the transport path node, typically the last node before the user's modem or router, linked to a quality-of-service issue called bufferbloat.
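To make the bufferbloat mechanism concrete, here is an added toy simulation (not code from the researchers or the newsletter): a single bottleneck queue drains at a fixed rate, the victim's own download bursts fill it, and a slow probe packet sent every 10 ms waits behind whatever is queued, so its RTT mirrors the victim's traffic pattern. The link rate, base RTT, buffer sizes and the two "video" burst schedules are constructed values, and a nearest-neighbour match stands in for the paper's CNN. It also shows why a shallow buffer (what AQM schemes enforce) shrinks the leaked signal.

```python
"""Toy model of the bufferbloat side channel behind SnailLoad (constructed example)."""
import math

LINK_BYTES_PER_MS = 1_000   # bottleneck drains 1 KB per ms (~8 Mbit/s); constructed value
BASE_RTT_MS = 20.0          # round trip with an empty queue; constructed value


def simulate_probe_rtts(victim_bursts, buffer_limit, n_ms=200, probe_every_ms=10):
    """RTT (ms) seen by a slow attacker-side probe at each probe instant.

    victim_bursts: {ms: bytes} bursts of the victim's own traffic arriving at the
    bottleneck.  buffer_limit: bytes the node queues before tail-dropping.
    The probe waits behind everything already queued, so queueing delay leaks
    the victim's traffic pattern into the probe RTT."""
    queued = 0
    rtts = []
    for t in range(n_ms):
        queued = max(0, queued - LINK_BYTES_PER_MS)                   # link drains the queue
        queued = min(buffer_limit, queued + victim_bursts.get(t, 0))  # new burst, tail drop
        if t % probe_every_ms == 0:
            rtts.append(BASE_RTT_MS + queued / LINK_BYTES_PER_MS)
    return rtts


def peak_queue_delay(rtts):
    """Size of the leaked signal: how far RTT swings above the empty-queue baseline."""
    return max(rtts) - min(rtts)


# Two constructed "videos" with distinct segment download patterns ({ms: bytes}).
VIDEO_A = {30: 60_000, 110: 60_000}
VIDEO_B = {50: 120_000}


def fingerprint_match(observed, candidates, buffer_limit):
    """Nearest-neighbour stand-in for the researchers' CNN: return the candidate
    whose simulated trace is closest (Euclidean) to the observed probe trace."""
    def dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return min(candidates,
               key=lambda name: dist(observed, simulate_probe_rtts(candidates[name], buffer_limit)))


if __name__ == "__main__":
    library = {"A": VIDEO_A, "B": VIDEO_B}
    for label, limit in (("bufferbloat", 1_000_000), ("shallow buffer", 5_000)):
        trace = simulate_probe_rtts(VIDEO_B, limit)
        print(f"{label}: peak queueing delay {peak_queue_delay(trace):.0f} ms, "
              f"matched as video {fingerprint_match(trace, library, limit)}")
```

With the deep buffer the probe RTT swings by 120 ms, a pattern that survives real-world jitter; with the 5 KB buffer the swing collapses to 5 ms, which is why the simulation still matches noise-free traces but a real attacker would be left with far less signal.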
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
π Sign Up & Create Campaign
π Define your audience, budget, and message to captivate your audience.
π Launch your campaign, as Presspoolβs AI matches it with ideal newsletter audiences for optimal reach and conversions. π―
π΅οΈ Finally, you leverage real-time analytics to track performance and refine future strategies. π Elevate your marketing game and stay informed with Presspool.ai! π Simples! π¦¦
Presspool.aiΒ π°ππ€ may just have what you need to succeed. And if the product isnβt for you, the newsletter alone is a gamechanger. And we know newsletters π
It's disguised as Google Translate! The North Korea-linked threat actor, Kimsuky, has been linked to a new malicious Google Chrome extension designed to steal sensitive information as part of an ongoing intelligence collection effort.
TRANSLATEXT: The Malicious Extension
Zscaler ThreatLabz observed this activity in early March 2024, naming the extension TRANSLATEXT. This tool gathers email addresses, usernames, passwords, cookies, and browser screenshots.
The campaign targets South Korean academia, focusing on experts in North Korean political affairs.
Kimsuky's Notorious History
Kimsuky, active since at least 2012, is known for cyber espionage and financially motivated attacks against South Korean entities. Part of the Reconnaissance General Bureau (RGB), it's also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.
Recently, the group exploited a Microsoft Office flaw (CVE-2017-11882) to distribute a keylogger and used job-themed lures to target aerospace and defence sectors, deploying an espionage tool called Niki.
Chrome Extension Attack Vector
The initial access method for TRANSLATEXT is unclear, but Kimsuky typically uses spear-phishing and social engineering. The attack starts with a ZIP file containing a Hangul Word Processor document and an executable.
Running the executable retrieves a PowerShell script from an attacker-controlled server, exports victim information to a GitHub repository, and downloads more PowerShell code via a Windows shortcut (LNK) file.
Zscaler found a GitHub account, created on February 13, 2024, briefly hosting TRANSLATEXT under "GoogleTranslate.crx". Files were present on March 7, 2024, but deleted the next day, suggesting short-term targeting.
TRANSLATEXT's Capabilities
Disguised as Google Translate, TRANSLATEXT includes JavaScript code to bypass security measures for services like Google, Kakao, and Naver. It can syphon email addresses, credentials, and cookies, capture browser screenshots, and exfiltrate stolen data.
It fetches commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all browser cookies.
"One of the primary objectives of the Kimsuky group is to conduct surveillance on academic and government personnel to gather valuable intelligence," said security researcher Seongsu Park.
Kimsuky's continued evolution in cyber espionage tools highlights the persistent threat they pose to targeted entities. Stay vigilant!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!