This Week in Security
July 13 2022
"The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage"
Your editor for this issue of This Week in Security is Lior Rotkovitch.
Every now and then there is a major data leak. Those leaks keep growing in size, and the new record, according to security news sites, belongs to China, with the data of 1 billion people leaked.
Reading the news, it feels like a full-scale battle is underway in which everyone attacks anything that can be attacked.
It also seems that every known attack vector is being applied to new technologies as they appear. A recent example is the NFT marketplace phishing attack.
But as always, not all hope is lost, and there are always people who will fight cyber-attacks. So we will keep on fixing the damage, restoring the configurations, and patching our systems over and over, because this is what security personnel do; this is the job, and we enjoy being the protectors. Until next time, stay safe!
“Whether the first six months of 2022 have felt interminable or fleeting—or both—massive hacks, data breaches, digital scams, and ransomware attacks continued apace throughout the first half of this complicated year.”
“The malware, dubbed Orbit, is unlike other Linux threats in that it steals information from different commands and utilities and then stores them in specific files on the machine, researchers from security automation firm Intezer discovered. In fact, the malware’s name comes from one of the filenames it uses to temporarily store the output of executed commands.”
“The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands.”
“The latest investigation indicated that a Chinese state-sponsored cyber espionage group launched a “cluster” of phishing emails to deliver remote access Trojan (RAT) malware, most commonly Bisonal, against Russian targets in recent weeks.”
“Believes that these documents were built with the Royal Road builder and dropped the Bisonal backdoor, both of which are strongly associated with Chinese APT groups: Royal Road is a malicious document builder used widely by such groups, while Bisonal is a backdoor RAT unique to Chinese threat actors.”
“The report comes from the publication The Block, which said on March 23rd hackers took control of private keys tied to four validator nodes. Those nodes, according to the report, belong to the Ronin Network – which Axie runs on. The second node belongs to the Axie DAO – a decentralized organization that supports the game’s ecosystem.”
“All evidence points to this attack being socially engineered, rather than a technical flaw.” The disclosure did not elaborate further. Now two anonymous sources have come forward who claim “direct knowledge of the matter” and are sharing with reporters at The Block the unconfirmed inside story of what happened.”
“The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and Meterpreter.”
“In one of the most expansive and impactful breaches of personal data of all time, attackers grabbed data of almost 1 billion Chinese citizens from a Shanghai police database and attempted to extort the department for about $200,000. The trove of data contains names, phone numbers, government ID numbers, and police reports. Researchers found that the database itself was secure, but that a management dashboard was publicly accessible from the open internet, allowing anyone with basic technical skills to grab the information without needing a password.”
“LockBit ransomware attacks are known to employ several avenues for initial infection: Exploiting publicly-exposed RDP ports, relying on phishing emails to download malicious payloads, or leveraging unpatched server flaws that allow the affiliates to gain remote access to the targeted network.”
“Following this step are reconnaissance and credential theft activities, which enable the actors to move laterally across the network, establish persistence, escalate privileges, and launch the ransomware. This is also accompanied by running commands to delete backups and subvert detection by firewalls and antivirus software.”
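The last sentence of that excerpt is where a defender has a realistic chance to catch the intrusion before encryption starts: backup deletion and security-tool tampering are loud, they happen on the victim host, and they tend to cluster in a short window. The script below is an added example written for this newsletter, not code from the quoted article or from any vendor tool. It runs a handful of command-line detection rules over a constructed set of process-creation events (the hostnames, usernames, timestamps and the pipe-separated log format are all invented for the example; the ATT&CK technique ids are the editor's mapping), then correlates the hits per host so that a single "vssadmin list shadows" from an administrator does not fire while a burst of distinct impact-stage commands on one server does.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample telemetry (NOT real data): one process-creation event per line,
# in an invented "timestamp|host|user|parent_image|command_line" format.
SAMPLE_EVENTS = """\
2022-07-11T02:14:07Z|srv-file01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet
2022-07-11T02:14:09Z|srv-file01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wbadmin.exe delete catalog -quiet
2022-07-11T02:14:12Z|srv-file01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {default} recoveryenabled no
2022-07-11T02:14:20Z|srv-file01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|netsh advfirewall set allprofiles state off
2022-07-11T02:14:25Z|srv-file01|CORP\\svc_backup|powershell.exe|powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"
2022-07-11T09:30:00Z|ws-0427|CORP\\jdoe|C:\\Windows\\explorer.exe|vssadmin.exe list shadows
2022-07-11T09:31:00Z|ws-0427|CORP\\jdoe|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    technique: str  # ATT&CK id; the mapping is this example's assumption
    event: Event


# Detection rules: (rule name, ATT&CK technique id, regex over the command line).
# Each pattern requires the destructive verb, so read-only use (e.g. "list shadows") is ignored.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("vss_shadow_delete", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadow_delete", "T1490",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_backup_delete", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_recovery_off", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("firewall_disable", "T1562.004",
     re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I)),
    ("defender_rt_disable", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-Disable\w*Monitoring\s+\$?true", re.I)),
]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-separated format; the command line is the last field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmdline = line.split("|", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, parent, cmdline))
    return events


def detect(events: List[Event]) -> List[Finding]:
    """Apply every rule to every event; one Finding per (rule, event) match."""
    return [Finding(name, tid, ev) for ev in events for name, tid, rx in RULES if rx.search(ev.cmdline)]


def correlate(findings: List[Finding], window: timedelta = timedelta(minutes=10),
              min_rules: int = 2) -> Dict[str, List[str]]:
    """Flag a host when at least `min_rules` distinct rules fire within `window`.
    Returns {host: sorted rule names} for flagged hosts only."""
    by_host: Dict[str, List[Finding]] = {}
    for f in findings:
        by_host.setdefault(f.event.host, []).append(f)
    flagged: Dict[str, List[str]] = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f.event.ts)
        for i, first in enumerate(fs):  # slide the window from each finding
            rules = {g.rule for g in fs[i:] if g.event.ts - first.event.ts <= window}
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.event.ts:%H:%M:%S} {f.event.host:<10} {f.technique:<9} {f.rule:<22} {f.event.cmdline}")
    for host, rules in correlate(found).items():
        print(f"ALERT host={host} distinct_rules={len(rules)} {rules}")
```

The single-event rules are deliberately narrow and would be noisy on their own in many environments (backup software legitimately manages shadow copies); the per-host correlation is what turns them into an alert worth paging on, and the window and threshold are the knobs to tune against your own baseline.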
“Malware protection specialist Emsisoft has released free decryption tools for the AstraLocker and Yashma ransomware variants.
By default, the AstraLocker decryptor pre-populates locations selected for decryption from network and connected drives, but users can add other locations before initiating the decryption process.
The decryptor also defaults to leaving encrypted files in place, although users can enable automatic deletion if disk space is an issue.
“Since the ransomware does not save any information about the unencrypted files, the decryptor can’t guarantee that the decrypted data is identical to the one that was previously encrypted,” the guide warns.”
Lior Rotkovitch | Senior Security Engineer – F5 SIRT