AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 06/20/2023

US Offers $10m Reward For MOVEit Attackers 

The US Department of State has offered a $10m reward for information linking members of a Clop affiliate responsible for a recent data extortion campaign to a foreign government. Using the #StopRansomware hashtag, the department issued the announcement as part of its Rewards for Justice initiative. Launched in 1984, the program is designed to boost national security by soliciting information on terrorists, North Korean activity, cyber-threat actors and election interference. 


Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems 

Cybersecurity researchers have uncovered a set of malicious artifacts that they say is part of a sophisticated toolkit targeting Apple macOS systems. “As of now, these samples are still largely undetected and very little information is available about any of them,” Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu said in a preliminary report published on Friday. The Romanian firm’s analysis is based on an examination of four samples that were uploaded to VirusTotal by an unnamed victim. The earliest sample dates back to April 18, 2023. Two of the three malicious programs are said to be generic Python-based backdoors that are designed to target Windows, Linux, and macOS systems. The payloads have been collectively dubbed JokerSpy. 


Guess what happened to this US agency using outdated software? 

Remember earlier this year, when we found out that a bunch of baddies including at least one nation-state group broke into a US federal government agency’s Microsoft Internet Information Services (IIS) web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution? It turns out that this same gang of government-backed hackers used a different – and even older – Telerik flaw to break into another US federal agency’s Microsoft IIS web server, access the Document Manager component, upload webshells and other files, and establish persistence on the government network. 


Android spyware camouflaged as VPN, chat apps on Google Play 

Three Android apps on Google Play were used by state-sponsored threat actors to collect intelligence from targeted devices, such as location data and contact lists. The malicious Android apps were discovered by Cyfirma, who attributed the operation with medium confidence to the Indian hacking group “DoNot,” also tracked as APT-C-35, which has targeted high-profile organizations in Southeast Asia since at least 2018. In 2021, an Amnesty International report linked the threat group to an Indian cybersecurity firm and highlighted a spyware distribution campaign that also relied on a fake chat app. 


Man locked out of smart home for a week after delivery driver accuses him of being racist 

A man claims to have suffered a week-long smart home “lockout” after an Amazon delivery driver mistakenly accused him of being racist. Brandon Jackson, who works as an engineer at Microsoft, said the “unexpected and unwarranted” digital exile began the day after a package was delivered to his home in the US last month, when he found himself unable to interact with any of his smart devices. “This wasn’t just a simple inconvenience, though,” Mr Jackson wrote in a blog post detailing his ordeal. 


New Malware targets WhatsApp Backups, steals sensitive data 

Another day, another malware scare. This time it targets WhatsApp backups as well as other sensitive data. It comes from a hacking group called SpaceCobra, which has developed an instant messaging app capable of stealing a large amount of sensitive information from the target device. The threat actor also appears to know exactly whom it wants to target, since researchers have been unable to download the app themselves. The news comes from ESET, whose researchers recently discovered that two messaging apps, BingeChat and Chatico, were actually serving GravityRAT, a remote access trojan. The RAT is able to exfiltrate a wide range of sensitive information from compromised endpoints, including call logs, contact lists, SMS messages, device location, basic device information, and files with specific extensions for pictures, photos, and documents. 


US confirms federal agencies hit by MOVEit breach, as hackers list more victims 

The U.S. government has confirmed that multiple federal agencies have fallen victim to cyberattacks exploiting a security vulnerability in a popular file transfer tool. In a statement shared with TechCrunch, CISA confirmed that “several” U.S. government agencies have experienced intrusions related to the exploitation of a vulnerability in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software. The agency also attributed the attacks to the Russia-linked Clop ransomware gang, which this week started posting the names of organizations it claims to have hacked by exploiting the MOVEit flaw. CISA did not say how many agencies were impacted by the attacks, which CNN first reported, and didn’t name the agencies affected. However, the Department of Energy confirmed to TechCrunch that two of its entities were among those breached.  


Reddit says ransomware posting connected to February incident 

Social media giant Reddit said recent claims by a notorious ransomware group are connected to an incident they announced in February. On Saturday, the BlackCat/AlphV ransomware group threatened the company with claims that 80GB of stolen data would be released to the public if they were not paid $4.5 million. The gang also demanded the company end its controversial decision to charge third parties for using its API. A Reddit spokesperson declined to comment on the situation but told Recorded Future News that the claims are tied to a February security incident that they published a blog post about and discussed on their own platform. On February 9, the company said it experienced a “data security incident” where its internal systems were accessed through a “sophisticated phishing campaign.” 


Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web 

Over 100,000 compromised OpenAI ChatGPT account credentials have found their way on illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials. The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News. “The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023,” the Singapore-headquartered company said. “The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year.” Other countries with the most number of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh. 
