  1. Our team has come across an advanced mobile attack campaign that uses a phishing technique to steal victims’ credit card details and infects them with a malware that impersonates the Android Google Chrome app. The malware uses victims’ devices as a vector to send thousands of phishing SMS. Pradeo’s researchers qualified it as a Smishing trojan. By combining an efficient phishing technique, a malware to propagate actively, and methods to bypass security solutions, this campaign is particularly dangerous. We evaluate that the speed at which it is spreading has enabled it to already target hundreds of thousands of people in the last weeks.

     A new sophisticated infection mechanism

     An SMS asks victims to pay custom fees to release a package delivery. When they open the link, they are first coaxed into updating their Chrome app, but the alleged update is a malware. Then, they are led to pay a small amount (usually 1 or 2 dollars at most). When they do, the cybercriminal behind this attack gets his hand on victims’ credit card details. Independently, once installed, the fake Chrome app sends more than 2000 SMS per week from its victims’ devices, every day during 2 or 3 hours, to random phone numbers that seem to follow one another. This mechanism ensures a successful propagation of the attack campaign. To stay undetected, the malware hides on mobile devices by using the official Chrome app’s icon and name, but its package, signature and version have nothing in common with the official app. For victims, banking fraud and massive phone bills may ensue.

     Attempt to have users install a fake Chrome app

     Mix of techniques to bypass cybersecurity detection

     The cybercriminal behind this campaign is trying hard to stay under the radar of mobile security solutions. First, he uses his victims’ phone numbers to expedite phishing SMS, to make sure they are not blocked by messaging apps’ spam filter. Secondly, the malware uses obfuscation techniques and calls external code to hide its malicious behaviors, hence eluding most threat detection systems. Thirdly, as soon as the app is identified and referenced by most antivirus, the cybercriminal simply repackages it with a new signature to go back under the radar.

     Pradeo’s engine has so far identified two fake Chrome applications as part of the campaign. When comparing both apps we have analyzed, we see that they are 99% identical, with only a few file names that seem to have been changed randomly, and on the other hand their weight is the same.

     Native programming to conceal malicious activities, identified in both fake Chrome apps

     Comparison of both apps’ folders and files

     Comparison of both apps’ weight

     Best practices to thwart the attack

     Mobile users should never provide credit card details when it is requested by an unknown sender. If uncertain of the source of the request, they should consult their package delivery with the tracking number provided by the carrier, on the official app or the website. Besides, they should exclusively download apps from official stores (Google Play on Android and the Apple store on iOS) and always update them from there.
     __________________
  2. Twitter scammers are jumping on Elon Musk's hosting of Saturday Night Live to push cryptocurrency scams to steal people's Bitcoin, Ethereum, and Dogecoin. For the past year, we have been reporting how scammers have been raking in hundreds of thousands of dollars by promoting fake giveaway scams from well-known people or companies, such as Elon Musk, Tesla, and Gemini Exchange. A more recent tactic has been to hack abandoned verified Twitter accounts to promote these scams to a larger base of followers. These tactics have been immensely successful for the scammers as they have stolen cryptocurrency worth over a million dollars from unsuspecting users.

     Using SNL as part of their scam

     With Elon Musk hosting tonight's Saturday Night Live episode, the Twitter scammers have been hacking into verified Twitter accounts and changing their profiles to impersonate SNL.

     Hacked site impersonating SNL

     The scammers use these hacked accounts to reply to tweets by Elon Musk where they pretend to be SNL promoting a cryptocurrency giveaway scam.

     A tweet promoting a fake Elon Musk giveaway

     When visiting these links, users will find themselves at a fake Medium post pretending to be a 5,000 BTC giveaway by Elon Musk.

     Fake Tesla cryptocurrency giveaway site

     These posts contain further links to Bitcoin, Ethereum, and Dogecoin giveaway pages where people can allegedly receive ten times the amount they send to a particular cryptocurrency address, as shown below.

     Fake Tesla Bitcoin giveaway page

     People continue to fall for these scams

     While you may be wondering how anyone could fall for these scams, unfortunately, these fake giveaways have been highly successful for the scammers. MalwareHunterTeam, who has been monitoring these scams, has told BleepingComputer that this SNL scam has been heavily pushed today with a constant stream of verified accounts promoting the giveaway URLs.

     From the list of example tweets shared with BleepingComputer, we have determined that the scammers have made at least $97,054.62 over the past two days. These earnings include 0.69515729 bitcoins, which at today's high prices is equal to $40,840. BleepingComputer gathered these cryptocurrency addresses from just two different scam sites, and as the scammers utilize numerous giveaway sites, the scammers likely made much more this week. It is important to remember that nobody is giving away their cryptocurrency for free, especially when they have become so valuable. If you see a giveaway scam on Twitter, especially one allegedly promoted by Musk, it is better to treat it as a scam rather than lose anything you send them.
     __________________
  3. Four individuals from Eastern Europe face 20 years in prison for Racketeer Influenced Corrupt Organization (RICO) charges after pleading guilty to running a bulletproof hosting service as a safe haven for cybercrime operations targeting US entities. The bulletproof hosting service was founded by Russian citizens Aleksandr Grichishkin and Andrei Skvortsov, who hired Lithuanian Aleksandr Skorodumov and Estonian Pavel Stassi as the organization's system admin and administrator, respectively. Grichishkin and Skvortsov were the ones overseeing marketing, personnel management, and client support, while Skorodumov and Stassi were responsible for keeping all systems running and helping clients behind malware and botnet operations to optimize their "services."

     A safe haven for malware operations

     According to a DOJ press release published today, their service provided multiple cybercrime-affiliated clients with the infrastructure needed in malicious campaigns running between 2008 and 2015. "The group rented Internet Protocol (IP) addresses, servers, and domains to cybercriminal clients, who used this technical infrastructure to disseminate malware used to gain access to victims’ computers, form botnets, and steal banking credentials for use in frauds," the DOJ said. "Malware hosted by the organization included Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit, which rampantly attacked U.S. companies and financial institutions between 2009 and 2015 and caused or attempted to cause millions of dollars in losses to U.S. victims." Other services provided by their bulletproof hosting service included registering new infrastructure using false or stolen identities to help clients circumvent law enforcement efforts to block their attacks.

     "A key service provided by the defendants was helping their clients to evade detection by law enforcement and continue their crimes uninterrupted; the defendants did so by monitoring sites used to blocklist technical infrastructure used for crime, moving “flagged” content to new infrastructure, and registering all such infrastructure under false or stolen identities." — DOJ

     Responsible for millions of dollars in losses

     "Over the course of many years, the defendants facilitated the transnational criminal activity of a vast network of cybercriminals throughout the world by providing them a safe-haven to anonymize their criminal activity," said FBI Special Agent in Charge Timothy Waters. "This resulted in millions of dollars of losses to U.S. victims. Today’s guilty plea sends a message to cybercriminals across the globe that they are not beyond the reach of the FBI and its international partners, and that anyone who facilitates or profits from criminal cyber activity will be brought to justice."

     All four defendants pleaded guilty to one count of RICO conspiracy in February, March, and May 2021. Stassi, Skorodumov, Grichishkin, and Skvortsov will receive their sentence on June 3, June 29, July 8, and Sept. 16. Each of the four defendants faces a maximum penalty of 20 years in prison that a federal district court judge will set after considering Sentencing Guidelines and other statutory factors. The FBI investigated the case with assistance from law enforcement partners from the United Kingdom, Germany, and Estonia.
     __________________
  4. Foxit Software, the company behind the highly popular Foxit Reader, has published security updates to fix a high severity remote code execution (RCE) vulnerability affecting the PDF reader. This security flaw could allow attackers to run malicious code on users' Windows computers and, potentially, take over control. Foxit claims to have more than 650 million users from 200 countries, with its software currently being used by over 100,000 customers. The company's extensive enterprise customer list contains multiple high-profile tech companies, including Google, Intel, NASDAQ, Chevron, British Airways, Dell, HP, Lenovo, and Asus.

     Use after free weakness exposes users to RCE attacks

     The high-severity vulnerability (tracked as CVE-2021-21822) results from a Use After Free bug found by Aleksandar Nikolic of Cisco Talos in the V8 JavaScript engine used by Foxit Reader to display dynamic forms and interactive document elements. Successful exploitation of use after free bugs can lead to unexpected results ranging from program crashes and data corruption to the execution of arbitrary code on computers running the vulnerable software. This security flaw is caused by how the Foxit Reader application and browser extensions handle certain annotation types, which attackers can abuse to craft malicious PDFs that will allow them to run arbitrary code via precise memory control.

     "A specially crafted PDF document can trigger the reuse of previously free memory, which can lead to arbitrary code execution," Nikolic explained. "An attacker needs to trick the user into opening a malicious file or site to trigger this vulnerability if the browser plugin extension is enabled."

     The vulnerability impacts Foxit Reader and earlier versions, and it was addressed with the release of Foxit Reader. To defend against CVE-2021-21822 attacks, you have to download the latest Foxit Reader version and then click on "Check for Updates" in the app's “Help” dialog.

     More vulnerabilities fixed in Foxit Reader 10.1.4

     Foxit fixed several other security bugs impacting previous Foxit Reader versions in the latest release, exposing users' devices to denial of service, remote code execution, information disclosure, SQL injection, DLL hijacking, and other vulnerabilities. The complete list of security fixes in the Foxit Reader 10.1.4 release includes:

     - Issues where the application could be exposed to Memory Corruption vulnerability and crash when exporting certain PDF files to other formats.
     - Issues where the application could be exposed to Denial of Service vulnerability and crash when handling certain XFA forms or link objects.
     - Issues where the application could be exposed to Denial of Service, Null Pointer Reference, Out-of-Bounds Read, Context Level Bypass, Type Confusion, or Buffer Overflow vulnerability and crash, which could be exploited by attackers to execute remote code.
     - Issue where the application could be exposed to Arbitrary File Deletion vulnerability due to improper access control.
     - Issue where the application could deliver incorrect signature information for certain PDF files that contained invisible digital signatures.
     - Issues where the application could be exposed to DLL Hijacking vulnerability when it was launched, which could be exploited by attackers to execute remote code by placing a malicious DLL in the specified path directory.
     - Issues where the application could be exposed to Out-of-Bounds Write/Read Remote Code Execution or Information Disclosure vulnerability and crash when handling certain JavaScripts or XFA forms.
     - Issue where the application could be exposed to Out-of-Bounds Write vulnerability when parsing certain PDF files that contain nonstandard /Size key value in the Trailer dictionary.
     - Issue where the application could be exposed to Out-of-Bounds Write vulnerability and crash when converting certain PDF files to Microsoft Office files.
     - Issues where the application could be exposed to Arbitrary File Write Remote Code Execution vulnerability when executing certain JavaScripts.
     - Issues where the application could be exposed to SQL Injection Remote Code Execution vulnerability.
     - Issue where the application could be exposed to Uninitialized Variable Information Disclosure vulnerability and crash.
     - Issues where the application could be exposed to Out-of-Bounds Read or Heap-based Buffer Overflow vulnerability and crash, which could be exploited by attackers to execute remote code or disclose sensitive information.

     Two years ago, Foxit disclosed a data breach stemming from unauthorized third parties accessing the personal information of 328,549 'My Account' service users, including customer and company names, emails, phone numbers, and passwords.
     __________________
  5. A new ransomware gang known as 'N3TW0RM' is targeting Israeli companies in a wave of cyberattacks starting last week. Israeli media Haaretz reported that at least four Israeli companies and one nonprofit organization had been successfully breached in this wave of attacks. Like other ransomware gangs, N3TW0RM has created a data leak site where they threaten to leak stolen files as a way to scare their victims into paying a ransom. Two of the Israeli businesses, H&M Israel and Veritas Logistic's networks, have already been listed on the ransomware gang's data leak, with the threat actors already leaking data allegedly stolen during the attack on Veritas. From the ransom notes seen by Israeli media and BleepingComputer, the ransomware gang has not been asking for particularly large ransom demands compared to other enterprise-targeting attacks. Haaretz reports that Veritas' ransom demand was three bitcoin, or approximately $173,000, while another ransom note shared with BleepingComputer shows a ransom demand of 4 bitcoins, or roughly $231,000.

     N3TW0RM ransom note

     A WhatsApp message shared among Israeli cybersecurity researchers also states that the N3TW0RM ransomware shares some characteristics with the Pay2Key attacks conducted in November 2020 and February 2021.

     WhatsApp message shared among security researchers

     Pay2Key has been linked to an Iranian nation-state hacking group known as Fox Kitten, whose goal was to cause disruption and damage to Israeli interests rather than generate a ransom payment. The N3TW0RM attacks have not been attributed to any hacking groups at this time. Due to the low ransom demands and lack of response to negotiations, one source in the Israeli cybersecurity industry has told BleepingComputer that they believe N3TW0RM is also being used for sowing chaos for Israeli interests. However, Arik Nachmias, CEO of incident response firm Honey Badger Security, told BleepingComputer that he believes that in N3TW0RM's case, the attacks are motivated by money.

     Unusual client-server model to encryption

     When encrypting a network, threat actors will usually distribute a standalone ransomware executable to every device they wish to encrypt. N3TW0RM does it a bit differently by using a client-server model instead. From samples [VirusTotal] of the ransomware seen by BleepingComputer and discussions with Nachmias, the N3TW0RM threat actors install a program on a victim's server that will listen for connections from the workstations. Nachmias states that the threat actors then use PAExec to deploy and execute the 'slave.exe' client executable on every device that the ransomware will encrypt. When encrypting files, the files will have the '.n3tw0rm' extension appended to their names.

     While BleepingComputer does not have access to the server executable, we set up NetCat to listen and wait for connections on port 80. We then launched the slave.exe client, so it connects back to our IP address on that port. As you can see below, when the client connects back to port 80 on our device running NetCat, it will send an RSA key to the server.

     Sending an RSA key back to the N3TW0RM server

     Nachmias told BleepingComputer that the server component would save these keys in a file and then direct the clients to begin encrypting devices. This approach allows the threat actor to keep all aspects of the ransomware operation within the victim's network without being traced back to a remote command & control server. However, it also adds complexity to the attack and could allow a victim to recover their decryption keys if all of the files are not removed after an attack.
     __________________
  6. Bank holding company First Horizon Corporation disclosed that some of its customers had their online banking accounts breached by unknown attackers earlier this month. First Horizon is a regional financial services company with $84 billion in assets that offers banking, capital market, and wealth management services. First Horizon Bank, the company's banking subsidiary, operates a network of hundreds of bank locations in 12 states across the Southeast.

     Attackers accessed personal info, stole funds

     First Horizon discovered the attack in mid-April 2021 and said that it only impacted a limited number of customers. As discovered during the investigation, the unknown threat actors could breach the customers' online bank accounts using previously stolen credentials and by exploiting a vulnerability in third-party software. "Using the credentials and exploiting a vulnerability in third-party security software, the unauthorized party gained unauthorized access to under 200 on-line customer bank accounts," First Horizon added in an 8-K form filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday. The attackers were also able to gain access to customer information stored in the breached accounts and drain funds from some of them before their intrusion was discovered. The financial services firm revealed that they "fraudulently obtained an aggregate of less than $1 million from some of those accounts."

     Customers reimbursed after breach

     The bank holding firm reimbursed all the impacted customers for their stolen funds after discovering the data breach. First Horizon also notified relevant data regulators and law enforcement agencies and opened new banking accounts for affected customers. The company also remediated the software vulnerability exploited by the attackers during the incident and reset the passwords for impacted accounts.

     "Based on its ongoing assessment of the incident to date, the Company does not believe that this event will have a material adverse effect on its business, results of operations or financial condition," First Horizon concluded.

     While First Horizon did not provide any info on the exploited third-party software, massive collections of stolen user credentials potentially reused on multiple sites have been sold or leaked for free by various threat actors for years. The most recent examples are tens of millions of user records containing personal data and credentials belonging to ParkMobile, BigBasket, and Nitro PDF customers shared for free on hacking forums. First Horizon Bank division IBERIABANK Mortgage disclosed another data breach spanning almost two years and exposing customers' personal info a day after its parent company merged with First Horizon Bank on July 3rd, 2020. A First Horizon spokesperson was not available for comment when contacted by BleepingComputer earlier today for more details regarding the breach disclosed earlier this week.
     __________________
  7. Cybercriminals have created a fake Microsoft DirectX 12 download page to distribute malware that steals your cryptocurrency wallets and passwords. Even though the site comes complete with a contact form, privacy policy, a disclaimer, and a DMCA infringement page, there is nothing legitimate about the website or the programs it distributes.

     Fake Microsoft DirectX 12 download page

     When users click on the Download buttons, they will be redirected to an external page that prompts them to download a file. Depending on whether you click on the 32-bit or 64-bit version, you will be offered a file named '6080b4_DirectX-12-Down.zip' [VirusTotal] or '6083040a__Disclaimer.zip' [VirusTotal]. What both of these files have in common is that they lead to malware that tries to steal victims' files, passwords, and cryptocurrency wallets.

     First discovered by security researcher Oliver Hough, when the fake DirectX 12 installers are launched, they will quietly download malware from a remote site and execute it. This malware is an information-stealing malware that attempts to harvest a victim's cookies, files, information about the system, installed programs, and even a screenshot of the current desktop.

     Harvesting data from the infected computer

     With the cryptocurrency craze in full swing, the malware developers also attempt to steal a wide variety of cryptocurrency wallets for Windows software, such as Ledger Live, Waves.Exchange, Coinomi, Electrum, Electron Cash, BTCP Electrum, Jaxx, Exodus, MultiBit HD, Aomtic, and Monero.

     Stealing cryptocurrency wallets

     All of the data is collected into a %Temp% folder, which the malware will zip up and send back to the attacker. The attacker can then analyze the data and use it for other malicious activities. Threat actors are increasingly creating fake websites, and in many cases far more convincing websites, to distribute malware.

     In the past, BleepingComputer has reported on malware distributors creating fake sites promoting ProtonVPN, Windows system cleaners, and BleachBit that push password-stealing Trojans on unsuspecting visitors. With the web continuing to be the wild west, it is vital to take a paranoid approach to downloading software and only install software from trusted sites or the developer's site. As DirectX is a Microsoft feature, it makes sense that you should only install it from Microsoft and that downloading it from anywhere else can likely lead you to trouble.
     __________________
  8. A threat actor has leaked approximately 20 million BigBasket user records containing personal information and hashed passwords on a popular hacking forum. BigBasket is a popular Indian online grocery delivery service that allows people to shop online for food and deliver it to their homes. This morning, a well-known seller of data breaches known as ShinyHunters posted a database for free on a hacker forum that he claims was stolen from BigBasket.

     BigBasket database leaked for free

     In November 2020, BigBasket confirmed to Bloomberg News that they had suffered a data breach after ShinyHunters had previously tried to sell the stolen data in private sales. “There’s been a data breach and we’ve filed a case with the cybercrime police,” BigBasket CEO Hari Menon told Bloomberg News. “The investigators have asked us not to reveal any details as it might hamper the probe.”

     As is typical for older breaches privately sold by ShinyHunters, the threat actor has now released the whole database for free, which reportedly contains more than 20 million user records. The database includes BigBasket customer information, including email addresses, SHA1 hashed passwords, addresses, phone numbers, and other assorted information.

     Sample of records in the database

     The passwords are hashed using the SHA1 algorithm, and forum members have claimed to crack 2 million of the listed passwords already. Another member claims that 700k of the customers used the password 'password' for their accounts. In the past, ShinyHunters has been responsible for or involved in other data breaches, including Tokopedia, TeeSpring, Minted, Chatbooks, Dave, Promo, Mathway, Wattpad, and many more.

     What should BigBasket customers do now?

     As BleepingComputer has confirmed that some of the records are accurate, including information specific to the BigBasket service, customers should play it safe and assume that their customer info has been leaked as well. It is strongly suggested that all BigBasket users immediately change their passwords on BigBasket and at any other sites using the same password. A password manager is recommended to help you manage the unique passwords you use at different sites.
     __________________
  9. Cybercriminals have used fake and hacked accounts to trick social media users. Facebook experts have neutralized the operations of two Palestinian-sponsored hacker groups. The criminals used the social network to distribute malware for espionage purposes. According to representatives of the tech giant, the first group was associated with the Preventive Security Service of the Palestinian National Authority (PNA), and the second, known as Arid Viper (Desert Falcon or APT-C-23), is believed to be associated with the Palestinian Islamist movement Hamas.

     Cyber espionage campaigns took place in 2019 and 2020. The first group targeted users in Palestine. The other group attacked users in the Palestinian territories, in Syria, as well as in Turkey, Iraq, Lebanon and Libya. The hackers used specially designed Android malware disguised as secure chat apps. The program secretly hijacked device metadata, tracked keystrokes, and uploaded the data to the Firebase platform. The attacks also used SpyNote malware to track calls and gain remote access to hacked phones.

     Cybercriminals used fake and hacked accounts to create fictitious persons, often posing as young women, as well as supporters of Hamas, Fatah, various military groups, journalists and activists in order to forge relationships with potential victims and direct them to phishing pages. Arid Viper used the new Phenakite spyware in campaigns to steal sensitive data from iPhone users without jailbreak. The Phenakite malware was distributed under the guise of a full-featured chat application called MagicSmile. The group also managed 179 domains that were used to host malware or act as C&C servers.
     __________________
  10. The malware spoofed ad views. Fraudsters have installed software on more than a million Android devices that simulates ad views and makes money on it, researchers from the cybersecurity company Human have found. The fraudulent scheme emerged in 2019, when 29 official apps from Google Play were infected with a new virus. Infected apps simulated displaying ads that users didn't actually see. Mobile devices under the influence of malware were perceived as smart TVs (such as Roku players and Apple TVs), which allegedly processed 650 million ad requests per day. As a result, ad providers paid cybercriminals allegedly to display ads because they were confident in the reality of the views.

     Among the infected were the Any Light application for changing the backlight color (over 10,000 downloads), as well as the Sling Puck 3D Challenge game (over 100,000 downloads). Now all applications have been removed from the store, and the data has been transferred to law enforcement agencies, the researchers say. A Google spokesman said it appreciates Human's help in uncovering the scheme.
     __________________
  11. The REvil ransomware gang asked Apple to "buy back" stolen product blueprints to avoid having them leaked on REvil's leak site before today's Apple Spring Loaded event. The ransomware gang wants Apple to pay a ransom by May 1st to prevent its stolen data from being leaked and added that they are also "negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands."

     REvil tried to extort Apple only after Quanta Computer, a leading notebook manufacturer and one of Apple's business partners, refused to communicate with the ransomware gang or pay the ransom demanded after they allegedly stole "a lot of confidential data" from Quanta's network. Quanta is a Taiwan-based original design manufacturer (ODM) and an Apple Watch, Apple Macbook Air, and Apple Macbook Pro maker. Quanta has a long list of high-profile customers, including Apple, Dell, Hewlett-Packard, Alienware, Lenovo, Cisco, and Microsoft. Based on the number of ODM laptop units sold, Quanta is the world's second-largest original design manufacturer of laptops, only behind Compal who was also targeted by ransomware last year.

     According to the Tor payment page shared with BleepingComputer, Quanta has to pay $50 million until April 27th, or $100 million after the countdown ends.

     Quanta ransom demand

     So far, REvil leaked over a dozen schematics and diagrams of MacBook components on its dark web leak site, although there is no indication that any of them are new Apple products. In a negotiation chat on REvil's payment site seen by BleepingComputer, REvil warned that "drawings of all Apple devices and all personal data of employees and customers will be published with subsequent sale" if Quanta did not begin negotiating a ransom. After that time frame expired, REvil published the schematics on their data leak site.

     Quanta payment page chat

     REvil is a ransomware-as-a-service (RaaS) operation known for recruiting affiliates to breach corporate networks, steal unencrypted data, and encrypt devices. Once a ransom payment is made, the REvil core developers and the affiliates split the payment, with the affiliates generally getting the larger share. REvil has been on a hacking spree over the last month, demanding extremely high ransom demands in attacks targeting Acer ($50 million), Pierre Fabre ($25 million), and Asteelflash ($24 million). Cybersecurity researchers have told BleepingComputer that they believe REvil has been making extremely high demands to start at a higher negotiation price. Apple and Quanta spokespersons were not available for comment when contacted by BleepingComputer earlier today.
     __________________
  12. More details have emerged on the recent Codecov system breach which is now being likened to the SolarWinds hack. Sources state hundreds of customer networks have been breached in the incident, expanding the scope of this system breach beyond just Codecov's systems. As reported by BleepingComputer last week, Codecov had suffered a supply-chain attack that went undetected for over 2-months. In this attack, threat actors had gained Codecov's credentials from their flawed Docker image that the actors then used to alter Codecov's Bash Uploader script, used by the company's clients. By replacing Codecov's IP address with their own in the Bash Uploader script, the attackers paved a way to silently collect Codecov customers' credentials—tokens, API keys, and anything stored as environment variables in the customers' continuous integration (CI) environments. Codecov is an online software testing platform that can be integrated with your GitHub projects, to generate code coverage reports and statistics, which is why it is favored by over 29,000 enterprises building software. Hundreds of customer networks breached in Codecov incident Codecov's initial investigation revealed that from January 31, 2021, periodic unauthorized alterations of Bash Uploader script occurred which enabled the threat actors to potentially exfiltrate information of Codecov users stored in their CI environments. But, it was not until April 1st that the company became aware of this malicious activity when a customer noticed a discrepancy between the hash (shashum) of the Bash Uploader script hosted on Codecov's domain and the (correct) hash listed on the company's GitHub. Soon enough, the incident got the attention of U.S. federal investigators since the breach has been compared to the recent SolarWinds attacks that the U.S. government has attributed to the Russian Foreign Intelligence Service (SVR). 
Codecov has over 29,000 customers, including prominent names like GoDaddy, Atlassian, The Washington Post, and Procter & Gamble (P&G), making this a noteworthy supply-chain incident. According to federal investigators, Codecov attackers deployed automation to use the collected customer credentials to tap into hundreds of client networks, thereby expanding the scope of this system breach beyond just Codecov's systems. "The hackers put extra effort into using Codecov to get inside other makers of software development programs, as well as companies that themselves provide many customers with technology services, including IBM," a federal investigator anonymously told Reuters. By abusing the customer credentials collected via the Bash Uploader script, hackers could potentially gain credentials for thousands of other restricted systems, according to the investigator. U.S. government and Codecov clients investigating the impact The list of companies and GitHub projects using Codecov is extensive, as seen by BleepingComputer. A simple search for the link to Codecov's compromised Bash Uploader script revealed thousands of projects that were or are using the script. Note that this does not necessarily mean each of these projects was compromised, but rather that the complete impact of this incident is unclear and yet to be known in the upcoming days. U.S. federal government investigators have therefore stepped in and are thoroughly investigating the incident. Thousands of projects use Codecov Bash Uploader Codecov clients including IBM have said that their code has not been modified, but declined to comment on whether their systems had been breached. However, an Atlassian spokesperson got back to BleepingComputer stating that, so far, there was no indication of system compromise: "We are aware of the claims and we are investigating them." "At this moment, we have not found any evidence that we have been impacted nor have identified signs of a compromise," Atlassian told BleepingComputer. 
Hewlett Packard Enterprise (HPE), which is another one of Codecov's 29,000 customers, said it was continuing its investigation into the incident: "HPE has a dedicated team of professionals investigating this matter, and customers should rest assured we will keep them informed of any impacts and necessary remedies as soon as we know more," HPE spokesman Adam Bauer told Reuters. The Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security (DHS) have not commented on the investigation at this time. Codecov customers who, at any point in time, used Codecov's uploaders (the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, or the Codecov Bitrise Step) are advised to reset credentials and keys that may have been exposed as a result of this attack, and to audit their systems for any signs of malicious activity. __________________
  13. Criminals distribute a fake document in Korean disguised as an application form for a fair in a South Korean city. Security researchers at Malwarebytes have reported a malicious campaign by North Korean hackers, in which criminals conduct targeted phishing attacks on users in South Korea. The malicious code resides inside bitmap (.BMP) image files and allows attackers to download a remote access Trojan to the victim's computer that can steal confidential information. Experts associate the attacks with the cybercriminal group Lazarus Group, based on similarities with previous operations. The phishing campaign began on April 13 this year by sending out emails containing a malicious document. "The attackers used a clever method to bypass security mechanisms. The hackers embedded a malicious zlib-compressed HTA file into a PNG image, which was then converted to BMP format," the experts explained. The fake document, written in Korean, is an application form for a fair in a South Korean city and prompts users to enable macros the first time they open it. After the macros are run, the executable file AppStore.exe is loaded onto the victim's system. The payload then proceeds to retrieve the encrypted malware, which is decoded and decrypted at runtime and communicates with the remote C&C server for additional commands and data transfers. __________________
  14. Gift certificates belong to Airbnb, Amazon, American Airlines, Chipotle, Marriott, Nike, Subway, Target, Walmart, etc. 895,000 gift certificates with a total value of $38 million were put up for sale on one of the largest cybercriminal forums. The database contains certificates from several thousand brands, most likely derived from a long-standing leak from the now defunct Cardpool gift card store. The seller did not specify the origin of the stolen certificates, but it is known that they belong to 3,010 companies, including Airbnb, Amazon, American Airlines, Chipotle, Dunkin' Donuts, Marriott, Nike, Subway, Target and Walmart. As is often the case with massive sales of data on hacker forums, the seller announced an auction with a starting price of $10,000. For $20,000, it was possible to purchase the entire database without bargaining. Not surprisingly, a buyer was found very quickly. According to Gemini Advisory, cybercriminals typically sell stolen gift certificates for 10% of their true value. However, in this case, the price was much lower - only 0.05% of the original value. This low price could be due to the fact that not all of the leaked certificates are valid, or because they have a low balance. The day after the sale of the gift certificates, the same seller put up incomplete details of 330,000 debit cards for auction. The starting price is $5 thousand, and the cost without bargaining is $15 thousand. For this amount, the buyer will receive billing addresses, card numbers, their validity periods and the names of issuing banks. The leak does not contain the names of the cardholders, nor the CVV codes required for transactions without presenting a card (for online purchases). As the experts of Gemini Advisory found out, the card data was obtained as a result of the hacking of the Cardpool.com website from February to August 2019. Based on this, it can be assumed that the gift certificates were obtained as a result of the same leak. 
Attackers could gain access to the online store using various methods, including exploiting vulnerabilities in the site's content management system (CMS) and brute-forcing the administrator's credentials. __________________