Vulnerabilities in Kia vehicles that could have been exploited

Oct 04 2024



Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s always phishing for compliments so feedback welcome y’all 🎣🎣🎣

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳

Congrats to Progress Software, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

‘Bout time we saw some Progress 😏

🚨 Critical WhatsUp Gold Updates – Patch Now! 🩹

Progress Software has dropped another round of updates for WhatsUp Gold to squash six security bugs, including two critical ones (CVSS 9.8)! 🐞⚠️

The latest version 24.0.1, released on September 20, 2024, fixes vulnerabilities like CVE-2024-46909 and CVE-2024-8785. Shoutout to researchers from Summoning Team, Trend Micro, and Tenable for spotting these! 👏💻

Trend Micro warns that hackers are actively exploiting old WhatsUp Gold flaws, so update ASAP to stay safe and avoid attacks! 💥🔒 Don’t let your network be the next target! 🚀🔥

Now, on to this week’s hottest cybersecurity news stories: 

  • 🚗 I could tell you about the ploy to control cars via number plates… 🕹️

  • 🌄 South & SE Asia beware. Cloudflare says Indian hackers are on it 👨🏾‍💻

  • 🕵 New KLogEXE, FPSpy malware deployed by N. Korean hackers 🚀

But I’d have to Kia you 🙈😬😂

🚨 Newly Patched Kia Vulnerabilities Could Have Allowed Remote Control of Vehicles 🚗

Talk about driving without a licence (plate) 💀 Cybersecurity researchers recently disclosed a set of vulnerabilities in Kia vehicles that could have been exploited to gain remote control over key vehicle functions using nothing more than a licence plate number. These vulnerabilities, which have since been patched, affected nearly all Kia models manufactured after 2013.

💥 Key Findings

Researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll discovered that attackers could remotely gain control over a Kia vehicle's functions such as unlocking doors, starting the engine, or honking, all in under 30 seconds. The attacks did not even require an active Kia Connect subscription, meaning any vehicle equipped with the hardware was at risk.

🛠️ How the Attack Worked

  • Dealer Infrastructure Exploit: The vulnerabilities centred around the Kia dealership infrastructure (kiaconnect.kdealer.com) used for vehicle activations. Attackers could create a fake account through a series of HTTP requests and generate an access token.

  • Extracting Sensitive Data: With the token, the attackers could send another HTTP request to the dealer's API gateway to retrieve sensitive data, such as the vehicle owner's name, phone number, email, and VIN (Vehicle Identification Number).

  • Taking Over Vehicle Control: By issuing only four HTTP requests, attackers could modify the owner’s permissions and add themselves as a "secondary user" on the vehicle. This allowed them to run commands on the vehicle without the owner's knowledge.
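The three steps above describe an authorisation gap: possession of any valid dealer-side token was treated as authority over any vehicle, and the owner was never told. The following Python model is an added example written for this newsletter, not Kia's code or API; the `Vehicle`, `Session`, `Registry` types, the `VIN-EXAMPLE-001` record and the `owner_approvals` consent list are all constructed for illustration. It shows the weak "add secondary user" handler beside a hardened one that checks who the token belongs to and records a notification to the owner.

```python
from dataclasses import dataclass, field


@dataclass
class Vehicle:
    vin: str
    owner_id: str
    secondary_users: set = field(default_factory=set)


@dataclass
class Session:
    user_id: str   # the account the access token was issued to
    role: str      # "owner", "dealer", or "unknown" (a self-registered account)


@dataclass
class Registry:
    vehicles: dict
    notifications: list = field(default_factory=list)   # (owner_id, message) pairs
    owner_approvals: set = field(default_factory=set)   # (vin, user_id) the owner consented to


def make_registry() -> Registry:
    # Constructed sample data: one vehicle belonging to one owner.
    return Registry(vehicles={"VIN-EXAMPLE-001": Vehicle("VIN-EXAMPLE-001", owner_id="owner-42")})


def add_secondary_user_vulnerable(reg: Registry, session: Session, vin: str, new_user_id: str):
    """Weak pattern: any authenticated session may change permissions on any VIN.
    There is no ownership check and the owner is never notified."""
    vehicle = reg.vehicles[vin]
    vehicle.secondary_users.add(new_user_id)
    return (True, "added")


def add_secondary_user_hardened(reg: Registry, session: Session, vin: str, new_user_id: str):
    """Hardened pattern: the requester must be the registered owner, or a dealer
    acting on consent the owner recorded beforehand; every change notifies the owner."""
    vehicle = reg.vehicles.get(vin)
    if vehicle is None:
        return (False, "unknown vehicle")
    is_owner = session.user_id == vehicle.owner_id
    dealer_with_consent = session.role == "dealer" and (vin, new_user_id) in reg.owner_approvals
    if not (is_owner or dealer_with_consent):
        return (False, "forbidden: requester is neither the owner nor a dealer with recorded owner consent")
    vehicle.secondary_users.add(new_user_id)
    reg.notifications.append(
        (vehicle.owner_id, f"Secondary user {new_user_id} added to {vin} by {session.user_id}")
    )
    return (True, "added")


if __name__ == "__main__":
    reg = make_registry()
    stranger = Session(user_id="stranger-1", role="unknown")
    print(add_secondary_user_vulnerable(reg, stranger, "VIN-EXAMPLE-001", "stranger-1"))
    print(add_secondary_user_hardened(make_registry(), stranger, "VIN-EXAMPLE-001", "stranger-1"))
```

The point of the comparison is that the token proves only that a session exists; the hardened handler binds the action to the identity the token represents and to the vehicle's owner record, and the notification list is what an owner-facing alert would be built on.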

🔑 No User Alerts

Perhaps most concerning is that the vehicle owner was not notified that their permissions had been changed or that their vehicle had been accessed. Attackers could use a licence plate number to retrieve the VIN and send commands like unlock, start, or honk.

⚔️ Attack Example

In a hypothetical scenario, an attacker could use a custom dashboard to enter the licence plate of a Kia vehicle, retrieve the victim’s personal information in 30 seconds, and begin sending remote commands to the vehicle.

⚠️ Patched Vulnerabilities

After being responsibly disclosed in June 2024, Kia patched the vulnerabilities by August 2024. There is no evidence to suggest that these flaws were exploited in real-world attacks before the patches were deployed.

🛡️ Continued Risks in Automotive Security

The researchers noted that vulnerabilities in connected cars will continue to surface, likening them to software issues that could allow someone to take over online accounts. As cars become more integrated with technology, manufacturers must remain vigilant to prevent malicious actors from gaining unauthorised control of vehicles.

This discovery highlights the ongoing cybersecurity challenges in the automotive sector, especially as vehicles become more connected and reliant on digital infrastructure.

Secure Your Microsoft 365 Environment

81% of M365 users fall victim to breaches. Download a complimentary copy of our eBook to gain a deeper understanding of safeguarding your Microsoft 365 environment. Partner with Rubrik and Microsoft to proactively defend against cyber threats and protect your critical business data.

Watch out for Cloudflare ups 👀

🚨 Advanced Threat Actor "SloppyLemming" Targets South, SE Asia With Espionage 🕵🏻‍♂️

Cybersecurity researchers have tracked an advanced threat actor, dubbed SloppyLemming, using cloud services to execute credential harvesting, malware delivery, and command-and-control (C2) operations. Cloudflare is monitoring this activity under multiple aliases, including Outrider Tiger and Fishing Elephant.

🔍 Key Insights

  • Active Since 2021: SloppyLemming has been operational since July 2021, with earlier campaigns linked to the deployment of malware like Ares RAT and WarHawk. These tools have been tied to threat groups SideWinder and SideCopy.

  • Espionage Focus: The group primarily targets government, law enforcement, telecommunications, energy, and education sectors across South and East Asia, including countries like Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.

📧 Spear-Phishing and Credential Harvesting

SloppyLemming’s campaigns often involve spear-phishing emails designed to instil a false sense of urgency. Victims are lured into clicking on malicious links that redirect them to credential harvesting pages.

CloudPhish Tool: The actor utilises a custom-built tool called CloudPhish, which uses Cloudflare Workers to handle the credential exfiltration process.

💻 Malware Delivery Techniques

The actor has been observed using booby-trapped RAR archives exploiting the WinRAR flaw (CVE-2023-38831). These RAR files contain executables that stealthily load malicious DLLs like CRYPTSP.dll to download remote access trojans hosted on services such as Dropbox.
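The DLL-loading trick above is a detection opportunity: a library such as CRYPTSP.dll normally comes from the Windows system directories, so an executable loading a copy of it from a temp or user folder is worth an alert. The Python below is an added example for this newsletter, not Cloudflare's tooling; the `ImageLoad process=... image=...` event format and the `SAMPLE_EVENTS` lines are constructed stand-ins for real image-load telemetry, and `TRUSTED_DIRS` and `WATCHED_DLLS` are assumptions you would tune to your environment.

```python
import re
from pathlib import PureWindowsPath

# Assumed: directories from which the watched DLLs are legitimately loaded.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# DLL names to watch; CRYPTSP.dll is the one named in the report.
WATCHED_DLLS = {"cryptsp.dll"}

# Constructed sample events in a simplified key=value format (not real telemetry).
SAMPLE_EVENTS = [
    "ImageLoad process=C:\\Windows\\System32\\notepad.exe image=C:\\Windows\\System32\\CRYPTSP.dll",
    "ImageLoad process=C:\\Users\\victim\\AppData\\Local\\Temp\\extracted\\report.exe "
    "image=C:\\Users\\victim\\AppData\\Local\\Temp\\extracted\\CRYPTSP.dll",
    "ImageLoad process=C:\\Program Files\\Viewer\\viewer.exe image=C:\\Program Files\\Viewer\\helper.dll",
    "ImageLoad process=C:\\Users\\victim\\AppData\\Local\\Temp\\extracted\\report.exe "
    "image=C:\\Windows\\System32\\CRYPTSP.dll",
]

EVENT_RE = re.compile(r"^ImageLoad process=(?P<process>.+?) image=(?P<image>.+)$")


def parse_event(line: str):
    """Return {'process': PureWindowsPath, 'image': PureWindowsPath} or None for unparsable lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"process": PureWindowsPath(m["process"]), "image": PureWindowsPath(m["image"])}


def is_suspicious_load(event) -> bool:
    """True when a watched DLL is loaded from outside the trusted system directories."""
    image = event["image"]
    if image.name.lower() not in WATCHED_DLLS:
        return False
    image_dir = str(image.parent).lower()
    return not image_dir.startswith(TRUSTED_DIRS)


def find_sideloads(lines):
    """Scan event lines and return the suspicious loads with a note on whether the DLL
    sits next to the executable, the classic side-loading layout."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_suspicious_load(ev):
            hits.append({
                "process": str(ev["process"]),
                "image": str(ev["image"]),
                # PureWindowsPath comparison is case-insensitive, as Windows paths are.
                "same_dir_as_process": ev["image"].parent == ev["process"].parent,
            })
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit)
```

Only the second sample line is flagged: the DLL name matches, it is loaded from a temp folder, and it sits beside the executable that loaded it. The fourth line loads the same DLL name from System32 and is left alone, which keeps the rule from firing on every program that legitimately uses the library.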

Another tactic involves delivering malware through phishing campaigns impersonating legitimate entities like the Punjab Information Technology Board (PITB) in Pakistan.

🔗 Use of Cloudflare Workers and C2 Infrastructure

SloppyLemming's infrastructure relies on Cloudflare Workers to mediate requests between victims and the actual C2 domains. For example, they have used Cloudflare Workers to relay commands to their primary C2 domain, "aljazeerak[.]online."

🎯 Targeted Sectors

SloppyLemming has been heavily focused on Pakistani police departments, law enforcement, and entities tied to the nuclear power facility in Pakistan. Other targeted entities include Sri Lankan and Bangladeshi government and military organisations, as well as Chinese energy and academic sectors.

🔒 Security Concerns

The increasing use of cloud services by adversaries like SloppyLemming highlights the need for vigilant monitoring of cloud-based environments, as they can be easily leveraged for espionage campaigns. Organisations in targeted sectors should be aware of phishing tactics and take steps to safeguard their credentials and networks from such sophisticated attacks.

This discovery underscores the evolving complexity of state-sponsored cyber threats and the critical need for robust security measures across the Asia-Pacific region.

Hackers: I’m bringing EXE back 🙃

🚨 N. Korean APT Group "Kimsuky" Deploys New Malware: KLogEXE, FPSpy 👾

Cybersecurity researchers have detected two new malware strains, KLogEXE and FPSpy, attributed to the Kimsuky threat actor, also known as APT43, ARCHIPELAGO, and Velvet Chollima. This North Korean-linked group, active since at least 2012, is notorious for its spear-phishing tactics and is believed to be enhancing its malware arsenal with these new additions.

🔍 Key Insights

  • Kimsuky’s Evolving Toolkit: The two malware strains—KLogEXE and FPSpy—expand the group's already potent toolset. KLogEXE is a C++ variant of a previous PowerShell-based keylogger called InfoKey, while FPSpy is a backdoor with additional functionality for system reconnaissance and payload execution.

  • Spear-Phishing Tactics: The group continues to employ spear-phishing as its primary method of attack. Carefully crafted emails are used to lure targets into downloading malicious ZIP files, which then execute malware upon extraction.

  • Functionality of the Malware: KLogEXE monitors keystrokes and mouse clicks and gathers data about applications running on compromised systems. FPSpy, similar to older Kimsuky malware strains like KGH_SPY, can collect system information, execute commands, and enumerate directories and files.

🎯 Targeted Regions

Kimsuky’s operations in this campaign seem focused on Japan and South Korea, aligning with their historical targeting patterns in the government, technology, and defence sectors.

🛡️ Growing Threat

The discovery of code similarities between KLogEXE and FPSpy suggests they are likely developed by the same group, indicating the evolving and sophisticated nature of Kimsuky’s operations.

This new campaign demonstrates North Korean threat actors' persistent ability to adapt and refine their tools for espionage and cyber operations in East Asia, posing a continued challenge for regional cybersecurity defences.

Take care, folks! 👍

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
