In today’s edition: SapphireStealer Malware, SuperBear, Phishing, South Korea, Classiscam Scam-as-a-service, VMConnect, PyPI Campaign, Anonymous Sudan, Twitter, Elon Musk, Starlink, Forever 21, LockBit Ransomware, Montreal, Canada, LogicMonitor, DDoS Attack, Pro Civis, Slovakia, NSA, X, Biometrics, Apple SRD Program.
The open-source .NET-based malware known as SapphireStealer is being harnessed by multiple entities to not only enhance their capabilities but also create customized variants. This information-stealing malware holds the potential to acquire sensitive data, including corporate credentials, which are often sold to other threat actors for further malicious operations, such as espionage or ransomware attacks. Cisco Talos researcher Edmund Brumaghin highlights the worrisome ecosystem surrounding such malware, allowing both financially motivated and nation-state actors to leverage stolen data for a range of malicious cyber activities.
In late August 2023, a concerning phishing attack aimed at civil society groups in South Korea unveiled a brand-new remote access trojan known as SuperBear, as revealed in a report by the non-profit entity Interlabs. The attack singled out an unidentified activist who received a malicious LNK file masquerading as an organization member’s email. Upon execution, the LNK file triggered a chain reaction involving PowerShell commands and a compromised WordPress website, ultimately leading to the deployment of SuperBear, a never-before-seen RAT that communicates with a remote server for data exfiltration and executing various malicious actions.
The scam-as-a-service operation known as “Classiscam” has expanded its operations to a global scale, posing a significant threat to various brands, countries, and industries. Operating through Telegram-based channels, the operation recruits affiliates to utilize phishing kits for crafting fraudulent ads and pages aimed at stealing sensitive financial information, including credit card details and banking credentials. The scheme involves revenue-sharing between the developers and affiliates, with the latter receiving a substantial portion of the ill-gotten gains.
ReversingLabs has revealed that the VMConnect campaign, involving the upload of malicious packages to the PyPI repository, was orchestrated by North Korean state-sponsored hackers from the Lazarus group. Among these packages, one masquerading as the VMware vSphere connector module vConnector managed to garner 237 downloads before being removed. This operation, attributed to the Labyrinth Chollima subgroup of Lazarus, showcases their strategic use of fake software projects to infiltrate and gather data from targeted machines.
CISA is advising heightened vigilance against malicious cyber activities targeting disaster victims and concerned citizens. These attackers employ social engineering tactics, including phishing, to deceive individuals by posing as trustworthy sources like disaster-relief charities. CISA underscores the importance of exercising caution with emails, attachments, and links related to disasters, as well as being cautious of social media and text messages associated with severe weather events.
A hacking group known as Anonymous Sudan targeted X in over a dozen countries, causing a two-hour outage, to push Elon Musk to launch Starlink in Sudan. The hackers flooded X’s servers using a Distributed Denial of Service attack. The group’s motive was to raise awareness about the civil war in Sudan and the challenges Sudanese people face due to internet disruptions.
Fashion retailer Forever 21 has sent out breach notifications to over 539,000 employees, revealing an 8-week breach that occurred from January to March. The cybersecurity communication has drawn attention for its seemingly contradictory language, claiming a dedication to privacy and security while leaving questions unanswered. The breach, spotted in March and confirmed in August, exposed personal information of victims, including Social Security numbers and health plan details, prompting concerns about potential fraud and identity theft risks.
The LockBit ransomware gang has been making headlines for targeting critical organizations, governments, and businesses. One of their latest victims is the Commission des services électriques de Montréal (CSEM), an organization responsible for managing the electrical infrastructure in Montreal. The CSEM confirmed that it fell victim to ransomware on August 3 but chose not to pay the ransom. Despite the attack, the organization has rebuilt its IT infrastructure and emphasized that the data leaked by the gang poses a low risk to both public security and its operations.
Network monitoring company LogicMonitor has acknowledged that a subset of its SaaS platform users has fallen victim to cyberattacks associated with ransomware. While the company describes the number of affected users as small, it is diligently collaborating with those impacted to minimize the repercussions of the attacks. Although specific details regarding the attacks are not fully disclosed, anonymous sources suggest that threat actors exploited vulnerabilities in customer accounts and used the platform’s features to deploy ransomware. LogicMonitor is currently investigating the incident and working towards a resolution, as well as addressing concerns over account security.
The website mennyiterek.sk, belonging to the minority advocacy group Pro Civis, came under a DDoS attack. The attack aimed to render the site inaccessible and disrupt the sharing of information about the discriminatory nature of the Slovak settlement-support system against the Hungarian community. Despite the attack’s intent to slow down or crash the website, Pro Civis managed to restore access, but concerns linger about the motives behind the assault.
Wendy Noble, a seasoned civilian leader with extensive experience at the National Security Agency (NSA) and the Defense Department, has been named the successor to NSA Deputy Director George Barnes. Having previously served as the NSA’s executive director from 2019 to 2022, Noble brings a wealth of knowledge to her new role. As the agency’s deputy director, Noble will assume the role of chief operating officer, overseeing strategy execution, policy formulation, operations, and senior civilian leadership supervision. Her appointment marks a significant milestone as she becomes the third woman in the agency’s history to hold this position.
Apple has opened applications for its 2024 Security Research Device Program. This program offers specially designed iPhone 14 Pros with disabled security features and shell access, allowing security researchers to explore vulnerabilities in an otherwise locked environment. Successful applicants will receive a 12-month renewable loan of the SRD, enabling them to conduct research, run custom code, and even customize the kernel, with any discovered vulnerabilities considered for Apple Security Bounty rewards. The program aims to collaborate with researchers and bolster iPhone security while maintaining strict eligibility guidelines, and applications are open until October 31.
The Department of Energy has initiated a competition offering $9 million in funding and technical support. The Advanced Cybersecurity Technology (ACT) 1 Prize Competition, part of the Biden administration’s Rural and Municipal Utility Cybersecurity Program, aims to enhance cybersecurity at cooperative, municipal, and small investor-owned electric utilities. The competition spans three phases, focusing on commitment, planning, and implementation, with winners receiving cash prizes and technical assistance for their efforts in improving cybersecurity technologies, staff training, and governance processes.
A detailed investigation by WIRED has uncovered the secrets of Trickbot, a notorious Russian cybercrime syndicate responsible for numerous global cyberattacks. The investigation unveils the identity of a key member, Maksim Sergeevich Galochkin, known by his online handles Bentley and Manuel. Through leaked chat logs and extensive analysis, researchers link Galochkin to the Bentley moniker, shedding light on Trickbot’s inner workings and its connections to other criminal gangs and even the Russian government. The investigation highlights the challenges of unmasking cybercriminals while revealing their significant impact on global cybersecurity.
Copyright © 2023 CyberMaterial. All Rights Reserved.