Hacker Pwns Uber Via Compromised VPN Account

(published: September 16, 2022)

Background:

On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil who had been infected with the Raccoon and Vidar stealers.

The attacker allegedly used compromised VPN account credentials and performed a multifactor authentication (MFA) fatigue attack by repeatedly requesting MFA push notifications and then making a social-engineering call to the affected employee.

Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games’ Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker.

Takeaway:

Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges.
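One way to express the MFA fatigue alert described in this takeaway, as an added example that is not from the original report. The event format (timestamp, user, push result), the result values and the thresholds are assumptions; map them to whatever your identity provider logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, push result); not real log data.
SAMPLE_EVENTS = [
    ("2022-09-15T09:00:00", "bob", "approved"),    # normal login
    ("2022-09-15T23:01:00", "alice", "denied"),
    ("2022-09-15T23:02:10", "alice", "timeout"),
    ("2022-09-15T23:03:30", "alice", "denied"),
    ("2022-09-15T23:04:45", "alice", "timeout"),
    ("2022-09-15T23:06:00", "alice", "denied"),
    ("2022-09-15T23:07:20", "alice", "approved"),  # gives in after the burst
    ("2022-09-16T08:00:00", "carol", "denied"),    # single mis-tap
    ("2022-09-16T08:00:40", "carol", "approved"),
]


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per burst of >= threshold unapproved pushes inside window."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    open_alert = {}              # user -> alert for the burst still in progress
    alerts = []
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()                  # drop pushes older than the window
        if not q:
            open_alert.pop(user, None)   # previous burst has aged out
        if result == "approved":
            # An approval that ends a burst is the case worth paging on.
            if user in open_alert:
                open_alert.pop(user)["approved_after_burst"] = True
            q.clear()
            continue
        q.append(ts)
        if user not in open_alert and len(q) >= threshold:
            alert = {"user": user, "first_push": q[0].isoformat(),
                     "pushes": len(q), "approved_after_burst": False}
            open_alert[user] = alert
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert with `approved_after_burst` set means the user accepted a prompt right after a run of rejected ones, which warrants session revocation and a credential reset rather than just a ticket.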

Self-Spreading Stealer Attacks Gamers via YouTube

(published: September 15, 2022)

Background:

Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on the victim’s YouTube channel. These videos target gamers with promises of “cheats” and “cracks.”

Takeaway:

Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities.

Opsec Mistakes Reveal COBALT MIRAGE Threat Actors

(published: September 14, 2022)

Background:

Secureworks researchers discovered multiple identities connected to the Iran-sponsored group Cobalt Mirage (Dev-0270, Nemesis Kitten). The information was derived from the group’s infrastructure connections, leaked materials, and the metadata of a June 2022 ransom note PDF file. The group acts as a contractor for the Iranian government, so it is able to combine cyberespionage and ransomware for-profit operations.

Takeaway:

Keep your Microsoft Exchange Server updated to avoid exploitation, including by the ProxyShell exploits that Cobalt Mirage was seen using.

OriginLogger: A Look at Agent Tesla’s Successor

(published: September 13, 2022)

Background:

Palo Alto researchers analyzed OriginLogger (AgentTeslav3) and two of its leaked builders. OriginLogger is a commodity keylogger that is based on Agent Tesla code and is typically detected as Agent Tesla. It has been available since 2018 and became more prevalent in 2020. Out of all studied samples, 1,909 OriginLogger samples exfiltrated stolen data over email (SMTP protocol), 1,888 samples used file sharing servers (FTP), 1,866 samples used web uploads utilizing a PHP file, and 1,732 samples exfiltrated to Telegram channels.

Takeaway:

Signatures developed for Agent Tesla still mostly work for OriginLogger. Different actors using this keylogger can use additional obfuscation and different delivery methods. Keeping macros disabled in Microsoft Office documents downloaded from the Internet can thwart one of the observed delivery vectors.

Magento Vendor Fishpig Hacked, Backdoors Added

(published: September 13, 2022)

Background:

Several Fishpig extensions for eCommerce Magento-WordPress integrations were compromised and served the Rekoobe remote access trojan. The file backdoored by the attackers was normally used to validate a Fishpig license, so the free Fishpig extensions that are hosted on GitHub were not affected. Once installed, Rekoobe removes all malware files and remains in memory only. It mimics a legitimate background process on the targeted Linux server.

Takeaway:

Fishpig users are advised to re-install all Fishpig extensions and restart the server. No attacker actions were observed past the installation of Rekoobe, but it is a good practice to audit the server for unauthorized files and accounts.
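Because the backdoor is described as deleting its files and staying in memory, one useful check before restarting the server is to list processes whose executable no longer exists on disk. The following is an added example, not from the original report or from Fishpig; it relies on the Linux `/proc` convention that the `exe` link of such a process ends in ` (deleted)`, and the `proc_root` parameter is an assumption added so the function can be pointed at a test directory.

```python
import os


def find_fileless_processes(proc_root="/proc"):
    """Return (pid, task_name, exe_target) for processes whose binary was deleted."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue                      # skip non-PID entries such as "self"
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue                      # kernel thread, exited, or no permission
        if not exe.endswith(" (deleted)"):
            continue                      # binary is still present on disk
        try:
            with open(os.path.join(base, "comm")) as fh:
                name = fh.read().strip()  # name the process presents itself as
        except OSError:
            name = "?"
        findings.append((int(entry), name, exe))
    return sorted(findings)


if __name__ == "__main__":
    # Run as root so every process's exe link is readable.
    for pid, name, exe in find_fileless_processes():
        print(f"pid={pid} name={name} exe={exe}")
```

Services that were running during a package upgrade also appear in this list, so treat each hit as a lead and compare the task name with the deleted path before drawing conclusions.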

New Wave of Espionage Activity Targets Asian Governments

(published: September 13, 2022)

Background:

Symantec researchers discovered a new intelligence gathering campaign targeting government and state-owned entities in Asia. The attackers are likely associated with China-sponsored APT41 (Wicked Panda). They were observed switching from delivering the ShadowPad remote access trojan to delivering multiple payloads including previously unseen Infostealer.Logdatter. This new information stealer has additional capabilities to download files, inject processes, and query SQL databases.

Takeaway:

Defense-in-depth is an effective way to help mitigate potential APT activity. The layering of defense mechanisms can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.

Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free

(published: September 12, 2022)

Background:

The Lorenz ransomware group has been active since at least February 2021. The group uses the double extortion tactic by exfiltrating data and encrypting systems using its custom Lorenz ransomware or Microsoft’s BitLocker Drive Encryption. Arctic Wolf researchers analyzed recent attacks by Lorenz that started with the exploitation of a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499).

Almost a month after the initial access, Lorenz proceeded with post-exploitation activity that relied heavily on open source and living off the land binaries (LOLBins): it downloaded TCP tunneling tool Chisel, used CrackMapExec for a full Local Security Authority Subsystem Service (LSASS) memory dump, and installed FileZilla to exfiltrate data.

Takeaway:

When attackers abuse legitimate tools, it is important to detect anomalies by establishing a baseline for the normal and expected activities inside your organization. If you have vulnerable devices, upgrade to MiVoice Connect Version R19.3 or older.
