A Microsoft Warning, Follina, Atlassian, and More

There is no such thing as a slow week for cybercrime, which means it is difficult, if not impossible, to cover the waterfront of all the threat intelligence and interesting stories out there. This week was no exception, and it offered a genuine crowd of important events that we did not want to leave unmentioned.

In brief: Dangerous malware campaigns! Info theft! YouTube account takeovers! Crypto under siege! Microsoft warns!

In light of this, Dark Reading debuts a weekly “in case you missed it” (ICYMI) roundup that collects important news from the week that our editors just didn’t have time to cover before now.

This week you can read more about the following, ICYMI:

  • Smart factories face snowballing cyber activity
  • Lazarus Group probably behind $100M crypto-heist
  • 8220 Gang adds Atlassian bug to active attack chain
  • Critical infrastructure cyber professionals feel hopeless
  • Hackers mimic TrustWallet in crypto-phishing scams
  • Cookie-stealing YTStealer takes over YouTube accounts
  • Follina bug is used to spread XFiles spyware

Smart factories face snowballing cyber activity

As many as 40% of smart factories globally have experienced a cyber attack, according to a study published this week.

Smart factories – where industrial Internet of Things (IIoT) sensors and equipment are used to reduce costs, gain telemetry and strengthen automation – are officially a thing, with the digitization of production well underway. But cyber attackers are noticing it too, according to the Capgemini Research Institute.

Among the sectors, heavy industry faced the largest share of cyber attacks (51%). These attacks also take many forms: 27% of companies have experienced a 20% or greater increase in IIoT endpoints being taken over for distributed denial-of-service (DDoS) attacks, and 28% of companies said they have seen a 20% or greater increase in employees or vendors bringing in infected devices, for example.

“As the smart factory is one of the emblematic technologies in the transition to digitization, it is also a primary target for cyber-attackers who smell new blood,” according to the report.

At the same time, the company also revealed that in almost half (47%) of organizations, smart factory cyber security is not a C-level concern.

Lazarus Group probably behind $100M crypto-heist

Security researchers have laid the $100 million stolen from the Horizon Bridge cryptocurrency exchange at the feet of North Korea’s infamous Lazarus Group advanced persistent threat (APT).

Horizon Bridge allows Harmony blockchain users to interact with other blockchains. The robbery took place on June 24, with the culprits making off with various cryptocurrencies, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC) and BNB.

According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only carries out classic APT activity such as cyber espionage, but also acts as a money-maker for the North Korean regime, researchers noted.

The thieves in this case have so far sent 41% of the $100 million in stolen cryptocurrency to the Tornado Cash mixer, which essentially acts as a money launderer, Elliptic noted.

8220 Gang adds Atlassian bug to active attack chain

8220 Gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks, using it to deploy cryptocurrency miners and an IRC bot, Microsoft warned this week.

The Chinese-speaking threat group has been actively exploiting the flaw since it was revealed in early June.

“The group has been actively updating its techniques and payloads over the past year. The latest campaign targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access,” Microsoft Security Intelligence Center tweeted.

Critical infrastructure cyber professionals feel hopeless

A staggering 95% of cybersecurity leaders at critical national infrastructure organizations in the UK say they could see themselves leaving their jobs over the next year.

According to a Bridewell survey, 42% feel that a breach is inevitable and do not want to tarnish their careers, while 40% say they experience stress and burnout that affect their personal lives.

Meanwhile, more than two-thirds of respondents say the number of threats and successful attacks has increased over the past year – and 69% say it’s harder to detect and respond to threats.

Hackers mimic TrustWallet in crypto-phishing scams

More than 50,000 phishing emails sent from a malicious Zendesk account have landed in inboxes in recent weeks, aiming to take over TrustWallet accounts and drain their funds.

TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Researchers at Vade said the phish mimics the service with smart, compelling TrustWallet branding, directing users to a sleek TrustWallet-themed phishing site that requests their password recovery phrases.

Meanwhile, the emails are unlikely to trigger email gateway filters because they are sent from Zendesk.com, a highly reputable domain.

“As NFTs and cryptocurrencies in general have experienced a significant downturn in recent weeks, on-edge investors are likely to respond quickly to emails about their cryptocurrencies,” according to Vade’s analysis this week.

Cookie-stealing YTStealer takes over YouTube accounts

A novel malware-as-a-service threat has surfaced on Dark Web forums, with the goal of taking over YouTube accounts.

Researchers at Intezer noted that the malware, which they call YTStealer, works by stealing YouTube authentication cookies from content creators in order to feed the underground demand for access to YouTube accounts. The cookies are extracted from the browser’s database files in the user’s profile folder.

“To validate cookies and obtain more information about the YouTube user account, the malware launches one of the web browsers installed on the infected machine in headless mode and adds the cookie to its cookie store,” according to the analysis. “[That way] the malware can operate the browser as if the threat actor sat on the computer without the current user noticing.”

From there, YTStealer navigates to the YouTube Studio content management page and nabs data, including the channel name, how many subscribers it has, how old it is, whether it generates revenue, whether it is an official artist channel, and whether the name has been verified.
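The headless-browser step described above is a useful detection hook for defenders: interactive users rarely launch a browser in headless mode from an unknown parent process. The following is an added example (not code from Intezer or from this article) that flags such launches in constructed, Sysmon-style process-creation events; the field names, the list of benign parent processes and the sample events are assumptions for illustration.

```python
from typing import Optional

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "parent": r"C:\Windows\explorer.exe"},                      # normal user launch
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu '
                r'--user-data-dir=C:\Users\u\AppData\Local\Temp\yt1',
     "parent": r"C:\Users\u\AppData\Local\Temp\update.exe"},     # headless, odd parent, Temp profile
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -headless',
     "parent": r"C:\Users\u\Downloads\setup.exe"},               # headless, odd parent
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --screenshot https://example.test',
     "parent": r"C:\Windows\System32\cmd.exe"},                  # developer usage from a shell
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
HEADLESS_FLAGS = {"--headless", "-headless"}  # Chromium "--headless[=mode]", Firefox "-headless"
# Assumed set of parents that normally launch a browser for an interactive user.
BENIGN_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_headless(cmdline: str) -> bool:
    # Flags never contain spaces, so a plain split is enough even with quoted paths.
    return any(tok.lower() in HEADLESS_FLAGS or tok.lower().startswith("--headless=")
               for tok in cmdline.split())

def classify(event: dict) -> Optional[str]:
    """Return a reason string when a headless browser launch looks suspicious, else None."""
    if basename(event["image"]) not in BROWSERS or not is_headless(event["cmdline"]):
        return None
    parent = basename(event["parent"])
    cmd = event["cmdline"].lower()
    reasons = []
    if parent not in BENIGN_PARENTS:
        reasons.append(f"headless browser spawned by {parent}")
    if "--user-data-dir=" in cmd and "\\temp\\" in cmd:
        reasons.append("profile directory under Temp")
    return "; ".join(reasons) if reasons else None

def scan(events) -> list:
    """Return (index, reason) pairs for every suspicious event."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e))]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The parent-process heuristic is deliberately coarse; tune BENIGN_PARENTS to the automation (CI runners, scraping tools) that legitimately runs headless browsers in your environment.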

Follina bug is used to spread XFiles spyware

A rash of cyber attacks is underway that seeks to exploit the Microsoft Follina vulnerability to lift troves of sensitive information from victims.

Follina is a recently patched remote code execution (RCE) bug that can be exploited through malicious Word documents. It started life as an unpatched zero-day that quickly caught on among cybercrime groups.

According to a Cyberint Research Team report shared with Dark Reading via email, analysts found several XFiles stealer campaigns in which the Follina vulnerability was exploited as part of the delivery phase.

“The group that sells the stealer is based in Russia and is currently seeking to expand,” the researchers said. “Recent evidence points to worldwide threat actor campaigns [underway].”

The stealer sniffs data from all Chromium-based browsers, Opera and Firefox, including history, cookies, passwords and credit card information. It also lifts FTP, Telegram and Discord credentials, searches for predefined file types on the victim’s desktop, and takes a screenshot. It also targets other clients, such as Steam and crypto wallets.
