Juice jacking attack and State-funded attacks - April 15th - 21st - This Week in Security
Editor's introduction
TWIS editor is Lior Rotkovitch. Cyber incidents with country-level funding are all over the news. They activate critical-CVE hunting botnets that scan many sites for a specific critical CVE that has active exploitation code. The concept is simple: find an unpatched system and exploit it; the more you try, the more you will find. Typically, those hunting campaigns begin a few hours after publication, trying to take advantage of the time it takes to patch the vulnerable systems.
According to Wikipedia: Juice jacking is a theoretical type of compromise of devices like phones and tablets which use the same cable for charging and data transfer, typically a USB cable. A week ago, the FBI issued a warning on “juice jacking” targeting electric vehicle charging stations with malware infection. That makes you wonder how many more theoretical threats can become reality, and how we didn’t see it coming.
And finally in the news, emotional scams with compelling text such as “hi mom”, “hi dad”, “your package arrived”, “tax refund”, etc. Those just trigger your basic emotions to make you click the bait, and it is very tempting to do so. But don’t.
Keep it safe.
World cyber
Microsoft: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure
https://www.securityweek.com/microsoft-iranian-hackers-moved-from-recon-to-targeting-us-critical-infrastructure/
The nation-state group is known as TA453, Ajax Security Team, Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster, and Phosphorus, and now Mint Sandstorm, per Microsoft’s updated threat actor naming taxonomy.
Initially focused on performing reconnaissance, the subgroup transitioned to directly targeting critical infrastructure organizations in the United States in 2022, including energy companies, seaports, transit systems, and a major utility and gas company. These attacks were “potentially in support of retaliatory destructive cyberattacks,” Microsoft said.
“For example, Mint Sandstorm began exploiting CVE-2022-47966 in Zoho ManageEngine on January 19, 2023, the same day the POC became public. They later exploited CVE-2022-47986 in Aspera Faspex within five days of the POC being made public on February 2, 2023,” Microsoft reports.
In some attacks, the subgroup uses PowerShell scripts for account enumeration and RDP connections and an SSH tunnel for command-and-control (C&C), to steal the victim’s Active Directory database, compromise user credentials, and access user accounts.
Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies
https://thehackernews.com/2023/04/pakistani-hackers-use-linux-malware.html
The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe leveraged a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
"It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways."
Transparent Tribe is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities.
"When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them," Sandapolla explained. "Meanwhile, the payload is downloaded in the background, compromising the user's system."
Google: Ukraine targeted by 60% of Russian phishing attacks in 2023
State-funded misinformation
Google reports that from January to March 2023, Ukraine received roughly 60% of the phishing attacks originating from Russia, making it the most prominent target.
In most cases, the campaign goals include intelligence collection, operational disruptions, and leaking sensitive data through Telegram channels dedicated to causing information damage to Ukraine.
The first of the threat actors highlighted in the report is Sandworm, tracked by Google as “FrozenBarents,” which has focused its attacks on the energy sector across Europe since November 2022, with a highlighted case involving the Caspian Pipeline Consortium (CPC).
The threat group also creates multiple online personas to disseminate false information on YouTube and Telegram, often leaking parts of the data they steal through phishing or network intrusions.
Another highly-active Russian threat actor is APT28, tracked by Google as “FrozenLake.”
Between February and March 2023, APT28 sent out multiple large waves of phishing emails targeting Ukrainians. The hackers also used reflected cross-site scripting (XSS) on Ukrainian government websites to redirect visitors to phishing pages.
This week, a joint announcement by the UK NCSC, FBI, NSA, and CISA warned that APT28 is hacking Cisco Routers to install custom malware.
The third threat actor highlighted in Google’s report is “Pushcha,” which is believed to be based in Belarus, a country that is politically aligned with the Kremlin.
US, UK: Russia Exploiting Old Vulnerability to Hack Cisco Routers
https://www.securityweek.com/us-uk-russia-exploiting-old-vulnerability-to-hack-cisco-routers/
The threat actor in question is APT28 (aka Fancy Bear, Strontium, Pawn Storm, Sednit Gang and Sofacy), which has officially been linked by the US and UK to a Russian military intelligence unit.
An advisory released on Tuesday by the UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA focuses on exploitation of CVE-2017-6742. Cisco informed customers about this and other similar vulnerabilities in 2017, when it made available patches and mitigations.
Cisco has warned customers about in-the-wild exploitation since 2018, but the company updated its original advisory this week to clarify that CVE-2017-6742 and seven other vulnerabilities patched in 2017 have been exploited.
According to the US and UK agencies, in some of the attacks aimed at unpatched Cisco routers, APT28 used SNMP exploits to deploy malware that allowed the attackers to obtain additional device information and enable backdoor access to the system.
Vulnerabilities
FBI warns of juice jacking at public charge stations
https://www.securitymagazine.com/articles/99227-fbi-warns-of-juice-jacking-at-public-charge-stations
Juice jacking is a theoretical type of compromise of devices like phones and tablets which use the same cable for charging and data transfer, typically a USB cable. The goal of the attack is to either install malware on the device, or to surreptitiously copy potentially sensitive data. To date there have been no credible reported cases of juice jacking outside of research efforts.
The Wall of Sheep, an event at DEF CON, has set up and allowed public access to an informational juice jacking kiosk each year since 2011. Their intent is to raise awareness of this attack among the general public.
A recent tweet by the FBI has brought new attention to the Federal Communications Commission’s (FCC) previously released guidance noting the potential dangers of “juice jacking”. According to the FCC, bad actors can load malware onto public USB charging stations to maliciously access electronic devices while being charged.
The malware installed through a corrupted USB could lock a device or export personal data and passwords which can then be used to access online accounts.
“In some cases, criminals may have intentionally left cables plugged in at charging stations,” the FCC site states. “There have even been reports of infected cables being given away as promotional gifts.”
Avoid using public USB charging stations. Instead, use an AC power outlet.
Lazarus hackers now push Linux malware via fake job offers
Search for a job and get malware
Lazarus' Operation DreamJob, also known as Nukesped, is an ongoing operation targeting people who work in software or DeFi platforms with fake job offers on LinkedIn or other social media and communication platforms.
These social engineering attacks attempt to trick victims into downloading malicious files masqueraded as documents that contain details about the offered position. However, these documents instead drop malware on the victim's computer.
In the case discovered by ESET, Lazarus distributes a ZIP archive named "HSBC job offer.pdf.zip" through spearphishing or direct messages on LinkedIn.
Inside the archive hides a Go-written Linux binary that uses a Unicode character in its name to make it appear to be a PDF.
"Interestingly, the file extension is not .pdf. This is because the apparent dot character in the filename is a leader dot represented by the U+2024 Unicode character," explains ESET.
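Added example, not code from ESET or the article: a small Python check in the spirit of what ESET describes, comparing the extension the OS actually sees with the one a reader would see, and flagging a file whose name reads as .pdf while its first bytes are an ELF executable. The sample filename and the look-alike code points beyond U+2024 are my own assumptions.

```python
import unicodedata
from pathlib import PurePosixPath

# Code points that render like an ASCII full stop but are not U+002E.
# U+2024 is the one ESET observed; the rest are extra look-alikes (my assumption).
DOT_LOOKALIKES = {"\u2024", "\u00b7", "\u2027", "\uff0e", "\u3002"}
ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF executable
PDF_MAGIC = b"%PDF"      # first four bytes of a genuine PDF


def inspect_filename(name: str) -> dict:
    """Compare the extension the OS sees with the one a human would read."""
    lookalikes = [(i, unicodedata.name(ch, "UNKNOWN"))
                  for i, ch in enumerate(name) if ch in DOT_LOOKALIKES]
    real_suffix = PurePosixPath(name).suffix          # only U+002E counts here
    folded = name
    for ch in DOT_LOOKALIKES:
        folded = folded.replace(ch, ".")
    apparent_suffix = PurePosixPath(folded).suffix    # what the eye sees
    return {
        "real_suffix": real_suffix,
        "apparent_suffix": apparent_suffix,
        "lookalikes": lookalikes,
        "suspicious": bool(lookalikes) and real_suffix != apparent_suffix,
    }


def is_disguised_binary(name: str, header: bytes) -> bool:
    """True when the name reads as a PDF but the bytes are an ELF executable."""
    apparent = inspect_filename(name)["apparent_suffix"].lower()
    return apparent == ".pdf" and header.startswith(ELF_MAGIC)


if __name__ == "__main__":
    # Constructed sample name in the style ESET describes (not the real artifact)
    sample = "HSBC job offer\u2024pdf"
    print(inspect_filename(sample))
    print(is_disguised_binary(sample, ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9))
```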
Kubernetes RBAC abused to create persistent cluster backdoors
Misconfiguration will lead to hacking
Hackers use a novel method involving RBAC (Role-Based Access Control) to create persistent backdoor accounts on Kubernetes clusters and hijack their resources for Monero crypto-mining.
RBAC is a Kubernetes API access control system allowing admins to define which users or service accounts can access API resources and operations.
By abusing RBAC to enforce malicious access control policies, threat actors can persist on compromised clusters even if the misconfiguration that provided initial access is fixed in the future.
Aqua Security was able to record and analyze the attack after the threat actors breached one of its Kubernetes honeypots, which were purposely misconfigured to expose APIs and access keys.
Initial access to the target Kubernetes cluster is achieved through unauthenticated requests from anonymous users that have been granted privileges, which requires the API server to be misconfigured.
Next, the attacker sends HTTP requests to list secrets and makes API requests to gather information about the cluster by listing entities in the 'kube-system' namespace.
At this stage, the attacker checks whether the server was already compromised by their own campaign (deployed as 'kube-controller') or whether rival cybercrime groups have already compromised the cluster. If it finds other attackers' deployments, it deletes them to take control of the resources for its own malicious use.
The next step is when the attacker gains persistence on the cluster by creating a new 'ClusterRole' with near admin-level privileges and a ServiceAccount 'kube-controller' in the 'kube-system' namespace.
Finally, the attacker creates a ClusterRoleBinding named 'system:controller:kube-controller,' binding the ClusterRole with the ServiceAccount to persist in the cluster even in the case that 'anonymous user access' is disabled.
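Added example, not from Aqua Security or the article: a Python audit over the JSON that `kubectl get clusterroles,clusterrolebindings -o json` produces, looking for the two traits the steps above describe, a ClusterRoleBinding with a `system:controller:` name that the API server did not bootstrap, and a hand-made wildcard ClusterRole bound to a ServiceAccount in `kube-system`. The sample JSON is constructed; the `kubernetes.io/bootstrapping=rbac-defaults` label is the one Kubernetes puts on its built-in RBAC objects.

```python
import json

BOOTSTRAP = "kubernetes.io/bootstrapping"  # built-in RBAC objects carry this label = rbac-defaults

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`
# (not the Aqua honeypot data): a genuine bootstrapped controller binding, then one
# imitating the naming the article describes.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "system:controller:deployment-controller", "labels": {BOOTSTRAP: "rbac-defaults"}},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:controller:deployment-controller", "labels": {BOOTSTRAP: "rbac-defaults"}},
     "roleRef": {"kind": "ClusterRole", "name": "system:controller:deployment-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployment-controller", "namespace": "kube-system"}]},
    {"kind": "ClusterRole", "metadata": {"name": "kube-controller"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:controller:kube-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "kube-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller", "namespace": "kube-system"}]},
]})


def is_bootstrapped(obj: dict) -> bool:
    return obj.get("metadata", {}).get("labels", {}).get(BOOTSTRAP) == "rbac-defaults"


def is_near_admin(role: dict) -> bool:
    """Wildcard verbs on wildcard resources is effectively cluster-admin."""
    return any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
               for r in role.get("rules", []))


def audit_bindings(raw_json: str) -> list:
    """Return [(binding name, [reasons])] for ClusterRoleBindings that need review."""
    items = json.loads(raw_json)["items"]
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for crb in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        name, role_name = crb["metadata"]["name"], crb["roleRef"]["name"]
        role, reasons = roles.get(role_name, {}), []
        # Genuine system:* bindings are bootstrapped by the API server; a mimic is not
        if name.startswith("system:") and not is_bootstrapped(crb):
            reasons.append("system:-prefixed binding without the rbac-defaults label")
        # A hand-made wildcard ClusterRole granted to a ServiceAccount in kube-system
        sas = [f"{s['namespace']}/{s['name']}" for s in crb.get("subjects", [])
               if s.get("kind") == "ServiceAccount" and s.get("namespace") == "kube-system"]
        if sas and is_near_admin(role) and not is_bootstrapped(role):
            reasons.append(f"wildcard ClusterRole '{role_name}' bound to {sas}")
        if reasons:
            findings.append((name, reasons))
    return findings
```

On a live cluster, feed `audit_bindings` the output of `kubectl get clusterroles,clusterrolebindings -o json`; note that turning off anonymous access (`--anonymous-auth=false` on kube-apiserver) closes the entry point described above but does not remove a binding that is already in place, which is exactly why the persistence works.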
Data breach
Australians lost a record $3.1 billion to scams last year
Fewer scams, more money per scam: good ROI.
The Australian Competition & Consumer Commission (ACCC) says Australians lost a record $3.1 billion to scams in 2022, an 80% increase over the total losses recorded in 2021.
Most of the losses concern investment scams, which accounted for $1.5 billion, followed by remote access scams that resulted in losses of $229 million, and payment redirection scams that cost victims another $224 million.
According to ACCC, the number of scam reports submitted to Scamwatch last year was just under 240,000, 16.5% lower than in 2021. However, the financial losses per victim rose by 50% to an average of $20,000.
“We have seen alarming new tactics emerge which make scams incredibly difficult to detect,” commented Lowe.
“This includes everything from impersonating official phone numbers, email addresses, and websites of legitimate organizations to scam texts that appear in the same conversation thread as genuine messages.”
“Hi Mom” and “toll/Linkt” text scams had an explosive growth of 469% in 2022, tricking Australians into losing almost $25 million.
March 2023 broke ransomware attack records with 459 incidents
March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022.