In this edition, discover vital cybersecurity updates: Google Looker Studio phishing, spyware-infested Telegram clones affect 60,000 Android users, the rise of HijackLoader as an unrefined yet popular malware loader, BlueShell malware’s impact across Windows, Mac, and Linux in Asia, Emsisoft’s guidance on updates and reboots for certificate concerns, and a nation-state cyberattack on an aerospace company exploiting dual vulnerabilities.
Furthermore, this newsletter delves into Dymocks’ cautionary note on a potential data breach, the Twitter hack affecting Vitalik Buterin, the Linktera data breach incident, cybersecurity challenges faced by a Kent secondary school, and the disruptive computer issues impacting Hinds County services.
You’ll also gain valuable insights on Google’s efforts to bolster user privacy through the Chrome Privacy Sandbox, China’s utilization of AI-driven misinformation campaigns targeting U.S. voters, the UK’s investigation into data privacy concerns related to fertility apps, and the FTC’s resolution of the 1Health.io privacy case.
Cybersecurity firm CheckPoint has uncovered a wave of phishing attacks utilizing Google Looker Studio to steal sensitive information and funds. This new breed of phishing attacks is adept at bypassing conventional security measures. Perpetrators create deceptive crypto-related pages using Google Looker Studio and send them to unsuspecting victims, appearing as legitimate messages from the tool itself. The victims are enticed to click on a link that redirects them to a Google Looker page, where they are coaxed into entering login credentials, leading to potential data theft. These attacks have been ongoing for several weeks, and while email authentication checks may be circumvented, recipient vigilance remains a critical defense.
Several malicious Telegram clones for Android on Google Play were installed over 60,000 times, infecting people with spyware that steals user messages, contacts lists, and other data. These apps appear tailored for Chinese-speaking users and the Uighur ethnic minority, raising concerns of potential ties to state monitoring and repression mechanisms. While Kaspersky discovered and reported these malicious apps to Google, some were still available for download on Google Play at the time of the report. Google has since removed them and banned the developers, emphasizing its commitment to app security and user protection.
Zscaler ThreatLabz has uncovered the emergence of a malware loader called HijackLoader, which, despite its lack of sophistication, is gaining popularity in the cybercriminal community. This loader stands out due to its modular structure, allowing for flexible code injection and execution. It has been observed delivering various malware families, including Danabot, SystemBC, and RedLine Stealer, using evasion techniques such as syscalls and delay tactics. While its code quality may be poor, the growing popularity of HijackLoader suggests potential future enhancements and broader adoption among threat actors.
Researchers at ASEC have issued a report spotlighting the growing prevalence of the BlueShell malware, which has been employed by various threat actors to infiltrate Windows, Mac, and Linux operating systems in South Korea and Thailand. BlueShell, in operation since 2020, uses TLS encryption to elude network detection and hinges on configuration parameters such as the C2 server’s IP address and port number. Recent findings indicate that the Dalbit Group, a Chinese threat actor, has used BlueShell in attacks on Windows systems, focusing on vulnerable servers to pilfer essential data for ransom demands.
Emsisoft, an endpoint security firm, has issued an urgent advisory to its users, recommending updates and system reboots following a certificate mishap. The company’s Extended Validation code signing certificate, which was renewed on August 23, was improperly issued by GlobalSign, the certificate authority. This affected all program files compiled after the renewal date, including the latest software version released on September 4. To resolve this issue, Emsisoft has re-signed all files with the correct certificate and is encouraging users to reboot their systems after updating their security products to ensure continued protection.
Multiple nation-state hackers exploited two vulnerabilities to target an undisclosed aerospace company, according to an advisory by the Cybersecurity and Infrastructure Security Agency (CISA). The security breach, detected as early as January, involved CVE-2022-47966, which allowed the hackers to access the company’s web server hosting the Zoho ManageEngine ServiceDesk Plus application. This enabled the intruders to gain control of the server, establish administrative privileges, download malware, collect user data, and move laterally through the network.
Bookstore chain Dymocks has issued a warning to its customers regarding a potential data breach that could result in the exposure of their personal information on the dark web. Managing director Mark Newman informed customers via email that they detected signs of an unauthorized party possibly gaining access to customer records. While the investigation is ongoing, cybersecurity experts have already found discussions related to customer records on the dark web. Although the extent of the breach is uncertain, Dymocks assured customers that passwords and financial data appear to be secure, and they plan to report the incident to the Office of the Australian Information Commissioner upon completing their investigation.
Ethereum co-founder Vitalik Buterin fell victim to a Twitter hack that resulted in the theft of $691,000 from unsuspecting users who followed a malicious link on his feed. The hacker used Buterin’s account to announce the release of commemorative non-fungible tokens from Consensys, enticing users to connect their wallets to mint the tokens. Instead, the hacker exploited the connection to steal funds, with some victims reportedly losing access to their wallets. Despite efforts by vigilant users on Crypto Twitter to identify the fake link, the exact number of users affected remains unknown as Buterin has not yet commented on the incident.
A hacker group known as Ransomed VC has asserted responsibility for the Linktera data breach, gaining unauthorized access to the company’s database and deleting backups. The threat actors have demanded a $23,000 ransom, and a conspicuous “Pay” button redirects users to a dedicated page for payment. The Ransomed VC group remains largely enigmatic, employing an unconventional tactic involving European GDPR laws, raising concerns within the cybersecurity community about this new form of cyber threat.
A secondary school in Maidstone, Kent, known as St Augustine Academy, is grappling with the aftermath of a significant criminal cyber attack. Principal Jason Feldwick confirmed the breach, stating that an external criminal organization had encrypted school systems and data. While it remains unclear if a ransom demand was involved, the school is taking immediate steps to inform authorities and establish a backup solution. This incident serves as a stark reminder of the pervasive threat of cyberattacks, prompting calls for heightened vigilance against such threats from officials like Councillor Chris Passmore.
Hinds County, Mississippi, faces ongoing computer problems resulting from a cyberattack, causing the tax collector’s office to remain closed, along with jury duty cancellations at the Circuit Clerk Office. Hinds County Administrator, Kenny Wayne Jones, stated that their systems are under assessment, but the recovery process is complex and time-consuming. Residents affected by the closure express concerns about late fees and refunds for services disrupted by the attack.
Google has officially started implementing its Privacy Sandbox in the Chrome web browser for most users, with nearly three percent left unaffected initially for testing. Privacy Sandbox aims to replace third-party tracking cookies with privacy-preserving alternatives while still serving personalized content and ads. While Google touts this as an improvement in user privacy, it has faced criticism for collecting extensive user data through an opt-in process.
Microsoft has revealed that China is employing AI-generated images to influence American voters, particularly on divisive political topics like gun violence and political figures. These state-affiliated hacking groups aim to mimic voters from diverse backgrounds, inciting controversy along racial, economic, and ideological lines using diffusion-powered image generators. Clint Watts, the general manager of Microsoft’s Threat Analysis Center, emphasizes that this AI technology produces more engaging content than previous campaigns, making it effective despite image quality issues.
The UK’s Information Commissioner’s Office is launching an investigation into period and fertility tracking apps to address growing concerns among women. The ICO aims to scrutinize how these apps handle user data and is encouraging users to share their experiences. Many women prioritize data transparency and security over cost and ease of use, with some reporting distressing fertility-related ads after signing up for these applications. ICO’s review will focus on improving user privacy and understanding the apps’ benefits and drawbacks, with potential regulatory actions if necessary.
Copyright © 2023 CyberMaterial. All Rights Reserved.