AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 03/30/2022

Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners

The Log4Shell vulnerability is being actively exploited to deliver backdoors and cryptocurrency miners to vulnerable VMware Horizon servers. On Tuesday, Sophos cybersecurity researchers said the attacks were first detected in mid-January and are ongoing. Not only are backdoors and cryptocurrency miners being deployed, but in addition, scripts are used to gather and steal device information. Log4Shell is a critical vulnerability in Apache Log4J Java logging library. The unauthenticated remote code execution (RCE) vulnerability was made public in December 2021 and is tracked as CVE-2021-44228 with a CVSS score of 10.0. Researchers have warned that Log4Shell is likely to continue for years, especially considering the bug’s simple exploitation. Microsoft previously detected Log4Shell attacks conducted by state-sponsored cybercriminals, but most appear to focus on cryptocurrency mining, ransomware, and bot activities. A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated.

 

School of Hard Knocks: Job Fraud Threats Target University Students

Proofpoint researchers regularly identify and block employment fraud threats that attempt to entice victims with an easy, work-from-home job. These threats disproportionately impact people at colleges and universities, especially students. An employment fraud threat occurs when a threat actor attempts to recruit someone under the premise of a legitimate job offer. Threat actors will craft fraudulent job offers hoping to steal money, personal information, or to recruit an individual to unknowingly comply with illegal activities such as money laundering. Threat actors will typically pose as recruiters or employers and try to entice victims with a variety of opportunities. 

 

Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”

There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death. In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.

 

LAPSUS$ returns with Globant breach, leaking trove of data on top global businesses

The LAPSUS$ hacking group has announced another breach that has led to the source code belonging to the likes of Facebook and Apple being dumped via its Telegram channel. The group announced the trove of data belonging to some of the world’s top companies in the early hours of Wednesday morning, days after UK law enforcement arrested a number of individuals connected with the group, with investigations still ongoing. Among the other companies affected by the breach include healthcare giant Abbott, beverages multinational AB InBev, BNP Paribas Cardiff, and DHL. It’s believed the companies’ code was lifted as a result of a hack on Argentine-headquartered software development company Globant since LAPSUS$ also leaked the administrator credential for the company’s GitHub, Jira, and Confluence accounts.

 

Crypto Hackers Exploit Ronin Network for $615 Million

Ronin Network, a sidechain tied to blockchain game Axie Infinity, announced it was breached by hackers that hijacked 173,600 Ethereum and $25.5 million – totaling nearly $615 million in stolen funds. Attackers breached Ronin Network security by gaining access to private keys used to forge fake withdrawals. Ronin Network announced the breach on Tuesday, five days after a user reported an inability to withdraw 5,000 in Ethereum from its bridge, or the port that allows inter-blockchain asset transfers. The investigation is currently ongoing, however, developments in the case are rapidly unfolding.

 

Apple Just Made It Harder to Get a Lost or Stolen iPhone Repaired

Apple has implemented a new policy that means any iPhone reported as missing will no longer be serviced or repaired at either an Apple Store or Apple Authorized Service Provider (AASP). As MacRumors reports, an internal memo sent out by Apple explains how technicians will now be able to see a message on either the internal MobileGenius or GSX systems flagging an iPhone as missing. After that, the technician must decline to carry out the repair, but it seems Apple isn’t going any further than that so the customer will be able to leave with the iPhone (still broken). Apple is relying on the GSMA Device Registry for information regarding iPhones reported as missing. It’s a global registry allowing individuals to report their devices as either missing or stolen, in response the mobile industry and associated sectors can react accordingly, assuming they look at the registry.

Related Posts