Jun 06 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that's trending like #OnlyFans
Today's hottest cybersecurity news stories:
TikTok celebrity accounts targeted by zero-click attacks
Knight ransomware 2.0 is hitting up healthcare, business
SE Asian governments targeted by Chinese-backed hackers
TikTok has acknowledged a security flaw exploited by threat actors to hijack high-profile accounts. The breach involves a zero-click takeover, where malware spread via direct messages compromises accounts without user interaction.
Scope and Response
The exact number of affected users is unknown. However, TikTok has implemented preventive measures to stop the attack and prevent future occurrences. The company is working with affected users to restore access, asserting that only a "very small" number of accounts were compromised. Details about the attack and mitigation techniques remain undisclosed.
Past Security Issues
TikTok has faced several security challenges:
January 2021: Check Point identified a flaw enabling attackers to compile user databases and phone numbers.
September 2022: Microsoft discovered a one-click exploit in TikTok's Android app allowing account takeovers via specially crafted links.
Turkey Incident: 700,000 accounts compromised due to insecure SMS greyrouting, allowing adversaries to intercept one-time passwords.
Ongoing Concerns
Malicious actors continue to exploit TikTok, using challenges like the Invisible Challenge to distribute information-stealing malware. TikTok's Chinese ownership raises concerns about data privacy and propaganda, prompting legislative actions and bans.
Global Impact
Legal Actions: TikTok is challenging a U.S. law requiring divestment from ByteDance, citing free speech violations.
Bans: Countries like India, Nepal, and Kyrgyzstan have banned TikTok. The U.S., U.K., Canada, Australia, and New Zealand restrict its use on government devices.
TikTok continues to navigate security vulnerabilities and international scrutiny as it works to secure its platform and user data.
RansomHub has been identified as an updated, rebranded version of Knight ransomware (formerly Cyclops). Knight ransomware first appeared in May 2023, using double extortion to steal and encrypt data across multiple platforms, including Windows, Linux, macOS, ESXi, and Android.
Distribution and Evolution
Knight ransomware was initially promoted on the RAMP cybercrime forum and spread through phishing and spear-phishing campaigns. In February 2024, its source code was sold, likely leading to its rebranding as RansomHub. The new strain quickly launched attacks on Change Healthcare, Christie's, and Frontier Communications, among others.
Shared Characteristics and New Features
Both Knight and RansomHub ransomware are written in Go and use Gobfuscate for obfuscation. They share similar command-line help menus, ransom notes, and encryption techniques. RansomHub introduces a new "sleep" command, allowing the ransomware to remain dormant before execution, a feature seen in other ransomware families like Chaos/Yashma and Trigona.
Tactics and Tools
RansomHub uses known security flaws like ZeroLogon to gain initial access, deploying remote desktop software such as Atera and Splashtop before executing ransomware. The strain has been linked to 26 confirmed attacks in April 2024, trailing behind other ransomware groups like Play and Black Basta.
Recruitment and Expertise
Google-owned Mandiant reports that RansomHub is recruiting affiliates from recently shut down groups like LockBit and BlackCat. Veteran cybercriminals with extensive experience are believed to be behind RansomHub's rapid establishment and operations.
Rising Ransomware Activity
Ransomware incidents surged in 2023, with many new variants like BlackSuit, Fog, and ShrinkLocker. One-third of these new families are variants of older ransomware, highlighting code reuse and rebranding trends. Most ransomware deployments occur outside work hours, with 76% happening early in the morning, and attackers increasingly use legitimate tools to evade detection.
Advanced Techniques
ShrinkLocker, another emerging ransomware, uses VBScript and BitLocker for file encryption, targeting countries like Mexico, Indonesia, and Jordan. This strain manipulates partition sizes to create new boot partitions, demonstrating a deep understanding of Windows internals.
RansomHub's emergence underscores the evolving and persistent threat posed by ransomware, necessitating robust cybersecurity measures and constant vigilance.
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
Sign Up & Create Campaign
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters.
A high-profile government organisation in Southeast Asia has been the target of a "complex, long-running" Chinese state-sponsored cyber espionage operation, codenamed Crimson Palace. Sophos researchers detailed this sophisticated campaign aimed at cyberespionage to support Chinese state interests.
Suspected Target and Objectives
While the exact country remains undisclosed, it's speculated to be the Philippines due to ongoing territorial conflicts with China. The campaign's goals include maintaining access to critical IT systems, performing reconnaissance on specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications.
Intrusion Clusters
Crimson Palace consists of three intrusion clusters with some activities dating back to March 2022:
• Cluster Alpha (Mar 2023 – Aug 2023): Shares tactics with BackdoorDiplomacy, REF5961, Worok, and TA428.
• Cluster Bravo (Mar 2023): Commonalities with Unfading Sea Haze.
• Cluster Charlie (Mar 2023 – Apr 2024): Overlaps with Earth Longzhi, a subgroup within APT41.
Sophos believes these clusters are part of a coordinated campaign directed by a single organisation.
Malware and Techniques
The attack features undocumented malware like PocoProxy and an updated EAGERBEE, alongside known families such as NUPAKAGE, PowHeartBeat, RUDEBIRD, DOWNTOWN (PhantomNet), and EtherealGh0st (CCoreDoor). Notable techniques include DLL side-loading and overwriting DLLs in memory to evade detection.
Cluster Activities
Cluster Alpha: Focused on mapping server subnets, enumerating admin accounts, and Active Directory reconnaissance.
Cluster Bravo: Used valid accounts for lateral movement and dropped EtherealGh0st.
Cluster Charlie: Used PocoProxy for persistence and HUI Loader to deliver Cobalt Strike.
These clusters reflect the coordinated operations of distinct actors with shared objectives and tools.
Chinese Cyber Threats
The disclosure follows reports of APT41 (aka Brass Typhoon, HOODOO, Winnti) targeting Italian organisations with KEYPLUG malware, a potent tool supporting multiple network protocols for C2 traffic.
Global Implications
The Canadian Centre for Cyber Security has warned of increasing Chinese state-backed attacks targeting government, critical infrastructure, and R&D sectors. Chinese cyber threat activity is noted for its volume, sophistication, and broad targeting, utilising techniques like compromised SOHO routers and living-off-the-land tactics to avoid detection.
This detailed analysis of Crimson Palace underscores the persistent and evolving threat of state-sponsored cyber espionage, highlighting the need for robust cybersecurity measures and vigilant monitoring.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!