17-Jul-23: In Security News Today

BreachForums Admin “Pompompurin” Pleads Guilty to High-Level Hacking Charges

Conor Brian Fitzpatrick, known by his online alias “Pompompurin,” pleaded guilty to multiple hacking-related charges in the US District Court, including conspiracy to commit access device fraud and unauthorized solicitation of unauthorized access devices. As the owner and administrator of the cybercrime marketplace, BreachForums, Fitzpatrick facilitated the trade of stolen data and other illicit activities, impacting numerous US entities and multiple breached organizations globally. Besides the hacking offenses, Fitzpatrick also pleaded guilty to a separate count of possession of child pornography, all of which collectively carry heavy penalties including a substantial fine and a possible prison term of up to 40 years.

Gamaredon’s Rapid Data Theft Techniques Revealed by Ukraine’s CERT-UA

Ukraine’s Computer Emergency Response Team (CERT-UA) has shed light on the advanced persistent threat (APT) group UAC-0010, also known as Gamaredon, exposing its swift data exfiltration methods. Comprising former Ukrainian Security Service officers now serving the Russian FSB, the group leverages malware such as GammaSteel to steal files from compromised systems within 30-50 minutes, primarily targeting specific document extensions. CERT-UA has provided indicators of compromise (IoCs) and urged the installation of endpoint detection and threat response (EDTR) software, especially on systems outside the protection perimeter, to defend against Gamaredon’s evolving tactics, which include the use of PowerShell scripts to bypass two-factor authentication and frequent IP address changes.

Google Firebase Hosting Exploited in Sorillus RAT and Phishing Attacks

Attackers have been found exploiting Google Firebase Hosting infrastructure using the Sorillus remote access trojan (RAT) and phishing attacks, as detected by eSentire’s Security Operations Center (SOC) in a manufacturing client’s network. The threat actors have been leveraging Firebase Hosting’s ability to hide malicious content, deploying the Sorillus RAT through a tax-themed phishing email attachment, and hosting a convincingly disguised Microsoft 365 login page for their phishing campaign. eSentire emphasizes the importance of maintaining up-to-date antivirus signatures, deploying next-generation antivirus or endpoint detection and response (EDR) tools, removing Java from non-essential systems, and handling potentially dangerous files with caution to combat such threats.

Android’s WebAPK Exploited by Hackers to Distribute Malicious Apps

Hackers are exploiting Android’s WebAPK technology to deceive users into installing malicious apps that steal sensitive information, with victims being led to install these apps via SMS messages purportedly about banking application updates. The malicious app impersonates PKO Bank Polski, asking users to enter their credentials and two-factor authentication (2FA) tokens, hence facilitating theft. Counteracting such threats is difficult due to WebAPK applications generating unique package names and checksums on each device, making the use of this data as Indicators of Compromise (IoC) challenging; blocking websites using the WebAPK mechanism for phishing is recommended.

Surge in USB Drive Attacks Highlights Global Cyber Espionage Campaigns

Mandiant Managed Defense has recorded a threefold increase in attacks leveraging infected USB drives to steal secrets in the first half of 2023, largely attributed to several active USB-based campaigns targeting both public and private sectors worldwide. Notably, the SOGU malware campaign, linked to China-based TEMP.Hex, is a widespread attack using USB flash drives to infiltrate a broad range of sectors across Europe, Asia, and the US. Simultaneously, the SNOWYDRIVE campaign, attributed to UNC4698, targets Asian oil and gas organizations, using USB flash drives to deliver malware that creates a backdoor into systems and spreads across networks.

Quantum Cybersecurity Preparedness: Urgent Call for EU Coordinated Action Plan

According to a new discussion paper from the European Policy Centre, the European Union (EU) must urgently prepare a coordinated action plan to counter quantum-enabled cyber-attacks, potentially imminent within five to 10 years. Lead Digital Policy Analyst Andrea G. Rodríguez underlined the significant risk posed by quantum computers, which are predicted to break existing cryptographic algorithms, thereby leaving all digital information exposed to cyber-threat actors. The paper offered six recommendations, including creating an expert group for post-quantum encryption, assisting in setting priorities for the transition, facilitating political and technical coordination, addressing research gaps, and utilizing sandboxes to hasten the development of quantum information technologies.

FSB Agent Charged in US for Technology Smuggling and Money Laundering

Vadim Konoshchenok, a Russian security agent, has been extradited to the U.S. from Estonia and charged with smuggling ammunition and dual-use technology, thereby aiding Russian military capabilities. Konoshchenok allegedly violated U.S. export controls and sanctions, shipping U.S.-sourced goods to Russia via Estonia, with the aid of a front company called Stonebridge Resources. The indictment accused him of involvement in a global procurement and money laundering network operating on behalf of the Russian government, and if found guilty, he could face a sentence of up to 30 years.

LokiBot Malware Campaign Exploits Microsoft Office Vulnerabilities

A recent investigation by FortiGuard Labs has revealed a LokiBot malware campaign exploiting known vulnerabilities in Microsoft Office documents. Specifically, the remote code execution vulnerabilities CVE-2021-40444 and CVE-2022-30190 were used to implant malicious macros into Microsoft documents, which then installed the LokiBot malware on victims’ systems when opened. The information-stealing Trojan, active since 2015, primarily targets Windows systems and uses sophisticated evasion techniques, making it a significant threat to users, and underscoring the importance of regular software updates and cautious handling of suspicious documents or files.

Microsoft ‘Logging Tax’ Hampers Incident Response, Needs Abolition, Warn Experts

Microsoft’s lack of security logging for non-E5-level license holders is impeding incident response, as underscored by a recent email breach attributed to the Chinese APT group Storm-0558. While investigating an affected human rights organization, cybersecurity firm Volexity discovered that ‘MailItemsAccessed’ operation logs, crucial for detecting unauthorized access, were available only with cost-prohibitive E5/G5 plans. This discrepancy in logging access between license tiers, termed the “Logging Tax”, is a longstanding issue that must be addressed, argue experts, who consider it vital for incident responders and for maintaining consistent visibility across all user activities.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.