04-Mar-24: In Security News Today

GitHub Under Attack by Malicious Repositories

GitHub is facing an ongoing attack where millions of malware-laced repositories are being flooded onto the platform. These repositories contain obfuscated malware that steals passwords and cryptocurrency. The attack involves automated forking of legitimate repositories, making it challenging to distinguish the malicious ones. GitHub is working to remove these repositories, but the scale of the attack is significant, impacting over 100,000 repositories.

Threat of Morris II Worm Targeting GenAI Systems

Researchers have developed a computer worm named Morris II that targets generative AI (GenAI) applications to spread malware and steal personal data. The worm utilizes adversarial self-replicating prompts to infect GenAI ecosystems, leading to malicious activities. Countermeasures recommended by the researchers include rephrasing GenAI outputs, implementing measures against jailbreaking, and using techniques to detect malicious propagation patterns.

German Police Disrupt Crimemarket: A Dark Web Marketplace for Drugs and Cybercrime

German police have dismantled Crimemarket, an underground online marketplace where users traded drugs, weapons, and illicit services like money laundering and cybercrime. The operation involved executing 102 search warrants nationwide, resulting in arrests and seizure of evidence. This crackdown follows previous successful efforts by German authorities in dismantling other dark web marketplaces like Kingdom Market and Hydra.

Threat Actor TA577 Exploiting NTLM Authentication Information

Proofpoint researchers discovered cybercriminal threat actor TA577 using an attack chain to steal NT LAN Manager (NTLM) authentication information, targeting hundreds of organizations globally. The group's objective was to capture NTLM hashes for potential password cracking or 'Pass-The-Hash' attacks, using unique file hashes and tailored HTML attachments that initiate connections to external SMB resources. The delivery method, malicious HTML files inside zip archives, bypasses security measures and poses a significant threat; organizations are urged to block outbound SMB to prevent exploitation.
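As an added illustration of the defensive side of this item (it is not code from Proofpoint or from the original article), the following Python scans an HTML attachment, on its own or inside a zip archive, for UNC paths and file:// URLs that would make a client connect to an SMB host outside the organization. The "internal" address ranges, the .corp.local suffix, and the sample attachment are constructed assumptions; adjust them to your own address plan.

```python
import io
import ipaddress
import re
import zipfile

# Hypothetical definition of "internal" for this example: RFC 1918 ranges plus
# one internal DNS suffix. Replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.local",)

# \\host\share  and  file://host/share style references that trigger SMB access.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\')
FILE_URL_RE = re.compile(r'file:/{2,4}([A-Za-z0-9._-]+)[/\\]', re.IGNORECASE)

# Constructed sample attachment: one external SMB host referenced twice,
# one internal FQDN, one single-label internal name, one ordinary HTTPS image.
SAMPLE_HTML = r"""<html><head>
<link rel="stylesheet" href="\\198.51.100.7\share\style.css">
</head><body>
<img src="file://198.51.100.7/share/logo.png">
<img src="https://cdn.example.com/logo.png">
<a href="\\fileserver.corp.local\docs\report.docx">internal</a>
<img src="\\FILESERVER\public\banner.png">
</body></html>"""


def is_external(host: str) -> bool:
    """True if a UNC/file:// host is outside the assumed internal address plan."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Single-label names (e.g. FILESERVER) resolve via local naming; treat as internal.
        if "." not in host:
            return False
        return not host.lower().endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_smb_refs(html: str) -> list:
    """Return the sorted, de-duplicated external hosts an HTML body would reach over SMB."""
    hosts = set(UNC_RE.findall(html)) | set(FILE_URL_RE.findall(html))
    return sorted(h for h in hosts if is_external(h))


def scan_zip_attachment(data: bytes) -> dict:
    """Scan every .htm/.html member of a zip archive; map member name -> external hosts."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            body = zf.read(info).decode("utf-8", errors="replace")
            hits = find_external_smb_refs(body)
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_zip() -> bytes:
    """Construct an in-memory archive wrapping the sample HTML, mirroring the delivery method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.html", SAMPLE_HTML)
        zf.writestr("readme.txt", "not scanned")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hosts in scan_zip_attachment(build_sample_zip()).items():
        print(f"{member}: external SMB reference(s) to {', '.join(hosts)}")
```

A hit from this check is a reason to quarantine the message and to confirm that the perimeter already drops outbound TCP/445; the scan catches the lure, the egress block stops the hash from ever leaving.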

Analysis of NoName057(16) Cyber Threat Actor

NoName057(16) is a cyber threat actor involved in Project DDoSia, targeting entities supporting Ukraine, particularly NATO member states. The group has been observed updating their DDoS tool to enhance compatibility and encryption mechanisms, while facing challenges in maintaining the stability of their command-and-control servers. NoName057(16) strategically targets European countries like Ukraine, Finland, and Italy, with a focus on governmental, transportation, and banking sectors, indicating a persistent threat in the cybersecurity landscape.

Phobos Ransomware Targeting U.S. Critical Infrastructure

U.S. cybersecurity agencies have issued warnings about Phobos ransomware targeting government and critical infrastructure entities, with threat actors using various tactics to deploy the malware. Phobos, operating under a ransomware-as-a-service (RaaS) model, has successfully targeted municipal and county governments, emergency services, education, healthcare, and critical infrastructure, extorting millions of U.S. dollars in ransom payments. The ransomware strain is known for its sophisticated attack chains involving phishing, exploitation of exposed RDP services, process injection techniques, and the use of open-source tools for reconnaissance and exfiltration.

Web-Based PLC Malware Enables Remote Stuxnet-Style Attacks

Researchers at the Georgia Institute of Technology have developed a web-based PLC malware, demonstrating the potential for remote Stuxnet-style attacks on industrial control systems (ICS). This malware, leveraging web APIs of modern PLCs, can disrupt industrial processes and remain undetected, highlighting an expanded attack surface for ICS environments. The researchers emphasize the ease of deployment and the challenge in detecting such malware, urging the need for robust security measures in the face of these evolving threats.

Sophisticated Phishing Campaign Targeting FCC Employees and Crypto Exchanges

Security researchers have discovered a sophisticated phishing campaign targeting employees of the US Federal Communications Commission (FCC) and popular crypto exchanges like Binance, Coinbase, Kraken, and Gemini. The threat actor behind this campaign is using a new phishing kit named CryptoChameleon to create believable login pages that harvest victims’ credentials. The phishing kit not only creates landing pages but also assists in sending convincing messages to victims, harvesting login credentials, and bypassing multi-factor authentication codes.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.