Archive for February 28, 2021

Tibetan Organizations Targeted in a Chinese Sponsored Phishing Campaign

 

Cybersecurity experts from Proofpoint have unearthed a Chinese-sponsored phishing campaign and published a report on Thursday; as per the findings, Chinese state hackers targeted several Tibetan organizations in a low-volume phishing campaign using malicious malware on the systems of Tibetan organizations. The campaign was designed to hijack Gmail accounts via a malicious Firefox browser extension.

According to Proofpoint, Chinese sponsored phishing campaign started in January and continued throughout February and was managed by the TA413 APT group, a threat group that’s aligned with the Chinese Communist Party’s state interests.

Hackers Modus Operandi 

TA413 attackers targeted the organizations by sending a fraudulent email, once the victim opened the email it redirected the victim to the attacker-controlled you-tube[.] domain that displays a fake Adobe Flash Player Update landing page.

Threat actors specifically targeted the Firefox users and users with an active Gmail session were prompted to download the malicious add-on. If the potential target used any other web browser, they would get redirected to the legitimate YouTube login page.

According to Proofpoint, threat actors could exploit the following functions on infected browsers:

 Gmail:

• Search emails 
• Archive emails 
• Receive Gmail notifications 
• Read emails 
• Alter Firefox browser audio and visual alert features 
• Label emails • Marks emails as spam 
• Delete messages 
• Refresh inbox 
• Forward emails 
• Perform function searches 
• Delete messages from Gmail trash 
• Send mail from the compromised account

 Firefox (based on browser permissions): 

• Access user data for all websites 
• Display notifications 
• Read and modify privacy settings 
• Access browser tabs

Proofpoint stated that “the use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities. These communities have a traditionally low barrier for compromise by threat actor groups and TA413 appears to be modulating their tools and techniques while continuing to rely on proven social engineering techniques.”

The Chinese state hackers also infected the victims with the Scanbox malware. A PHP and Java-script-based reconnaissance framework; this malware is an old tool used by Chinese cyber-criminal groups.

“Scanbox has been used in numerous campaigns since 2014 to target the Tibetan Diaspora along with other ethnic minorities often targeted by groups aligned with the Chinese state interests,” Proofpoint further stated.

American Telecommunications Firm, T-Mobile Confirmed Data Breach and Sim Swapping Attacks

 

After an undisclosed number of subscribers were reportedly hit by SIM swap attacks, American telecommunications company T-Mobile has announced a data breach. The organization believes that this malicious conduct has been detected very easily and that it has taken steps to stop it and discourage it from continuing in the future. 

SIM swap attacks (or SIM hijacking) permits scammers who use social engineering or bribing mobile operator workers to a fraudster-controlled SIM to gain a charge of their target telephone number. They then receive messages and calls from victims and enable users to easily bypass multi-factor authentication (MFA) through SMS, steal user identifiers, and take over the victims' Online Service Accounts. Criminals will enter the bank accounts of the victims and take money, swap passwords for their accounts, and even lock the victims out of their own accounts. 

T-Mobile disclosed that an anonymous perpetrator had access to customer account details, including contact information and personal id numbers- in the communication of violation sent to affected consumers on 9 February 2021. As the attackers have been able to port numbers, it is not known whether or not they have been able to access an employee's account by means of the affected account users.

"An unknown actor gained access to certain account information. It appears the actor may then have used this information to port your line to a different carrier without your authorization," T-Mobile said.
 
"T-Mobile identified this activity—terminated the unauthorized access, and implemented measures to protect against reoccurrence".

Client names, emails, e-mail addresses, account numbers, Social Security Numbers (SSN), PINs, questions and responses about account security, date of birth, schedule information, and a number of lines signed up to their accounts may have been used for the information stolen by hackers stated T-Mobile.
 
"T-Mobile quickly identified and terminated the unauthorized activity; however we do recommend that you change your customer account PIN."

Affected customers of T-Mobile are encouraged to update their name, PIN, and security questions and answers. Via 'myTrueIdentity' from Transunion, T-Mobile is providing two years of free surveillance and identity fraud prevention services. Details on how to log on to these systems are given to the recipient of the data breach notice that is sent to the compromised customers. Changing PIN and security concerns, since both have been weakened, should be a top priority at this time.

IBM: Cyber attacks on Linux systems of Russian government agencies will increase

The problem will also affect Russian government agencies, which are switching to domestic Linux operating systems as part of import substitution. Businesses that have started actively using the cloud against the background of the pandemic face increased costs: attackers can hack their cloud environments and use them for mining cryptocurrencies and DDoS attacks.

According to the IBM report on the main information security risks in 2021, the number of attacks on cloud environments and open-source Linux operating systems will increase this year. Users of Russian operating systems on Linux can also suffer, said Oleg Bakshinsky, a leading information security adviser for IBM in Russia.

The attackers began using the extensible computing power of Linux-based cloud environments, said Mr. Bakshinsky.

The customer can enable the service in their cloud settings, and at times of peak loads, their resources will be expanded for an additional fee. Attackers take advantage of this by gaining unauthorized access to the victim's cloud environment, increasing the company's costs for paying for cloud services.

The authorities have already acknowledged the problem. So, to check the security of operating systems based on Linux, the Federal Service for Technical and Export Control of Russia will create a research center for 300 million rubles ($4 million).

Cybersecurity experts also confirmed the growing interest of hackers in Linux systems. Check Point records about 20 attacks on Linux-based cloud environments in Russia, which is 3.45% of the total number of such attacks worldwide.

The main targets of the attackers, according to Nikita Durov, technical director of Check Point in Russia, are the financial industry and the government.

Alexander Tyurnikov, head of software development at Cross Technologies, is convinced that attacks on cloud environments "will not be so large-scale as to lead to the collapse of state and commercial systems."

Alexa Skills can Easily Bypass Vetting Process

 

Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could permit a threat actor to publish a misleading skill under any arbitrary developer name and even make backend code changes after approval to fool clients into surrendering sensitive data. The discoveries were introduced on Wednesday at the Network and Distributed System Security Symposium (NDSS) meeting by a group of scholastics from Ruhr-Universität Bochum and the North Carolina State University, who examined 90,194 skills accessible in seven nations, including the US, the UK, Australia, Canada, Germany, Japan, and France.

 “While skills expand Alexa’s capabilities and functionalities, it also creates new security and privacy risks,” said a group of researchers from North Carolina State University, the Ruhr-University Bochum and Google, in a research paper. 

Amazon Alexa permits third-party developers to make additional functionality for gadgets, for example, Echo smart speakers by configuring "skills" that run on top of the voice assistant, along these lines making it simple for clients to start a conversation with the skill and complete a particular task. Chief among the discoveries is the worry that a client can actuate a wrong skill, which can have serious results if the skill that is set off is designed with a treacherous aim. 

Given that the actual criteria Amazon uses to auto-enable a particular skill among several skills with the same invocation names stay obscure, the researchers advised it's conceivable to actuate some wrong skill and that an adversary can get away with publishing skills utilizing notable organization names. "This primarily happens because Amazon currently does not employ any automated approach to detect infringements for the use of third-party trademarks, and depends on manual vetting to catch such malevolent attempts which are prone to human error," the researchers explained. "As a result users might become exposed to phishing attacks launched by an attacker." 

Far more terrible, an attacker can make code changes following a skills approval to persuade a client into uncovering sensitive data like telephone numbers and addresses by setting off a torpid purpose.

Steris Corporation, The Latest Victim of Ransomware Gang Called ‘Clop’.

 

Data related to a customer of a recently targeted California-based private cloud solutions firm Accellion is being published online for sale by threat actors. Accellion is a file-transfer platform that is used by Steris Corporation. Many other firms were targeted by hackers a few weeks ago, threat actors exploited the security loopholes in the server of the company.

Ransomware gang ‘Clop’ has taken responsibility for the attack and is claiming to have critical information in their possession belonging to Steris Corporation. Steris Corporation is an American Irish-domiciled medical equipment firm specializing in sterilization and a leading provider of surgical products for the American healthcare system. Documents that are missing from the sever system of Steris Corporation include a confidential report regarding a phenolic disinfectant comparison study dating from 2018. This report bears the signatures of two Steris employees – technical services manager David Shields and quality assurance analyst Jennifer Shultz. 

Threat actors also managed to lay their hands on another critical document containing the formula for CIP neutralizer, a highly confidential trade secret owned by Steris Corporation.

Threat analyst Brett Callow stated to Infosecurity Magazine that “Clop is known to use data stolen from one organization to attack (spear phish) others. This is why, for example, there was a cluster of cases in Germany. So, any organization that has had dealings with one of the compromised entities should be on high alert.”

“It really makes no sense for companies to pay to prevent the publication of their data. There have been multiple instances in which threat actors have published or otherwise misused information after the victims have paid the ransom. In some cases, actors have even used the same data to extort companies a second time. And this is really not at all surprising”, he further added.

Apart from Steris Corporation, the Clop ransomware gang has targeted several clients of Accellion including Jones Day, Inrix, Singtel, ExecuPharm, Plantol, Software Ag, Fugro, Nova Biomedical, Amey Plc, Allstate Peterbit, Danaher, and the CSA Group.