A warning from Microsoft, Follina, Atlassian, etc.
There is no such thing as a slow week for cybercrime, which means covering the waterfront on all the threat intelligence and interesting stories is a difficult, if not impossible, task. This week was no exception and, in fact, seemed to offer a veritable wealth of important events that we would be remiss not to mention.
Namely: dangerous malicious campaigns! Theft of info! YouTube account takeovers! Crypto under siege! Microsoft Warnings!
In light of this, Dark Reading is launching a weekly “in case you missed it” (ICYMI) roundup of the week’s important news stories that our editors simply didn’t have time to cover.
This week, read on to learn more about the following, ICYMI:
- Smart factories in the face of cyber snowballing
- Lazarus Group Likely Behind $100M Crypto Heist
- 8220 Gang adds Atlassian bug to active attack chain
- Critical infrastructure cyber pros feel hopeless
- Hacker impersonates TrustWallet in crypto phishing scam
- YTStealer, cookie thief, takes control of YouTube accounts
- Follina Bug used to spread XFiles spyware
Smart factories in the face of cyber snowballing
According to a survey published this week, 40% of smart factories worldwide have suffered a cyberattack.
Smart factories – in which sensors and industrial Internet of Things (IIoT) equipment are used to cut costs, gather telemetry and boost automation – have arrived in earnest as the digitization of manufacturing gets underway. But cyberattackers have noticed too, according to Capgemini Research Institute.
Among the sectors, heavy industry faced the highest number of cyberattacks (51%). These attacks also take many forms: 27% of enterprises saw a 20% or greater increase in the number of bot-herders taking control of IIoT devices for distributed denial-of-service (DDoS) attacks; and 28% of companies said they saw a 20% or more increase in the number of employees or vendors bringing in infected devices, for example.
“The smart factory being one of the emblematic technologies of the transition to digitalization, it is also a target of choice for cyberattackers, who smell new blood”, according to the report.
At the same time, the company also found that in nearly half (47%) of organizations, smart factory cybersecurity is not a C-level concern.
Lazarus Group Likely Behind $100M Crypto Heist
Security researchers lay the $100 million hack of the Horizon Bridge crypto exchange at the feet of the notorious North Korean advanced persistent threat (APT) group Lazarus.
Horizon Bridge allows Harmony blockchain users to interact with other blockchains. The heist took place on June 24, with the culprits making off with various cryptoassets, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.
According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only conducts classic APT activities like cyber espionage, but also acts as a source of revenue for the North Korean regime, the researchers noted.
The thieves in the case have so far sent 41% of the stolen $100 million in crypto assets to the Tornado Cash mixer, which essentially acts as a money launderer, Elliptic noted.
8220 Gang adds Atlassian bug to active attack chain
The 8220 gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks to distribute cryptominers and an IRC bot, Microsoft warned this week.
The Chinese-language threat group has been actively exploiting the bug since it came to light in early June.
“The group has been actively updating its techniques and payloads over the past year. The most recent campaign targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access,” Microsoft Security Intelligence Center tweeted.
Critical infrastructure cyber pros feel hopeless
In the UK, 95% of cybersecurity managers at national critical infrastructure organizations say they could see themselves quitting their jobs next year.
According to a survey by Bridewell, 42% believe that a breach is inevitable and do not want to tarnish their careers, while 40% say they experience stress and burnout that affects their personal lives.
At the same time, more than two-thirds of respondents say the volume of successful threats and attacks has increased over the past year, and 69% say threats are harder to detect and respond to.
Hacker impersonates TrustWallet in crypto phishing scam
More than 50,000 phishing emails sent from a malicious Zendesk account have ended up in mailboxes in recent weeks, seeking to take over TrustWallet accounts and drain funds.
TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Vade researchers said the phishing campaign impersonates the service, using a sleek and convincing TrustWallet-branded page to request users’ password recovery phrases.
The emails themselves, meanwhile, are unlikely to trigger email gateway filters, because they are sent from Zendesk.com, a trusted and highly reputable domain.
“While NFTs and cryptocurrencies as a whole have seen a significant downturn in recent weeks, edge investors are likely to react quickly to emails regarding their crypto accounts,” according to Vade’s analysis this week.
YTStealer, cookie thief, takes control of YouTube accounts
A never-before-seen malware-as-a-service threat has appeared on Dark Web forums, aiming to take over YouTube accounts.
Intezer researchers noted that the malware, which they simply call YTStealer, steals YouTube authentication cookies from content creators to meet the underground demand for access to YouTube accounts. The cookies are extracted from browser database files in the user’s profile folder.
“To validate cookies and obtain more information about the YouTube user account, the malware starts one of the web browsers installed on the infected machine in headless mode and adds the cookie to its cookie store,” according to the analysis. “[That way] the malware can make the browser work as if the threat actor was sitting on the computer without the current user noticing.”
From there, YTStealer goes to YouTube Studio’s content management page and retrieves data including the channel name, number of subscribers, age, whether it is monetized, whether it is an official artist channel, and whether the name has been verified.
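The two behaviours described above (a non-browser process reading a browser cookie database, then a browser being launched headless by that same kind of process) are observable in endpoint telemetry. The following detection logic is an added example, not code from Intezer or from the original article; it runs over constructed, Sysmon-style process and file events with hypothetical field names, and the benign-parent allowlist is an assumption to adjust per environment.

```python
import re

# Common browser executables; Chromium-based browsers take --headless, Firefox takes -headless.
BROWSERS = re.compile(r"(chrome|msedge|brave|opera|firefox)\.exe$", re.I)
HEADLESS = re.compile(r"(^|\s)--?headless(=\S+)?(\s|$)", re.I)
# Parents that normally start a browser on a workstation (assumption: extend for automation tools).
BENIGN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Cookie stores a stealer copies out of the profile folder (Chromium "Network\Cookies", Firefox cookies.sqlite).
COOKIE_DB = re.compile(r"(\\|/)(Network(\\|/))?(Cookies|cookies\.sqlite)$", re.I)


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def headless_browser_alerts(proc_events):
    """Flag browsers launched in headless mode by a parent that is neither the shell nor a browser."""
    return [(ev["pid"], basename(ev["parent"])) for ev in proc_events
            if BROWSERS.search(ev["image"]) and HEADLESS.search(ev["cmdline"])
            and basename(ev["parent"]) not in BENIGN_PARENTS]


def cookie_db_alerts(file_events):
    """Flag non-browser processes that open a browser cookie database."""
    return [(ev["pid"], basename(ev["image"])) for ev in file_events
            if COOKIE_DB.search(ev["target"]) and not BROWSERS.search(ev["image"])]


# Constructed sample telemetry (not real data): pid 150 is a hypothetical stealer in %TEMP%.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
STEALER = r"C:\Users\bob\AppData\Local\Temp\update.exe"
CHROME_COOKIES = r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
PROC_EVENTS = [
    {"pid": 101, "image": CHROME, "cmdline": "chrome.exe --profile-directory=Default",
     "parent": r"C:\Windows\explorer.exe"},
    {"pid": 202, "image": CHROME, "parent": STEALER,
     "cmdline": "chrome.exe --headless --disable-gpu --user-data-dir=C:\\Temp\\yt"},
    {"pid": 303, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe -headless", "parent": STEALER},
]
FILE_EVENTS = [
    {"pid": 101, "image": CHROME, "target": CHROME_COOKIES},          # browser reading its own store
    {"pid": 150, "image": STEALER, "target": CHROME_COOKIES},         # suspicious
    {"pid": 150, "image": STEALER,
     "target": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\cookies.sqlite"},
]

if __name__ == "__main__":
    print("headless:", headless_browser_alerts(PROC_EVENTS))
    print("cookie db:", cookie_db_alerts(FILE_EVENTS))
```

Correlating the two alert lists on the same parent image (here update.exe) gives a much lower-noise signal than either rule alone, since test automation also launches headless browsers.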
Follina Bug used to spread XFiles spyware
A wave of cyberattacks is underway that exploits the Microsoft Follina vulnerability to exfiltrate a wide range of sensitive information from victims.
Follina is a recently patched remote code execution (RCE) bug that is exploitable through malicious Word documents. It started life as an unpatched zero-day that quickly spread among cybercriminal groups.
According to a Cyberint Research Team report shared with Dark Reading via email, analysts found multiple XFiles stealer campaigns in which the Follina vulnerability was exploited as part of the delivery phase.
“The group selling the stealer is based in Russia and is currently looking to expand,” researchers said. “Recent evidence suggests global campaigns by threat actors [underway].”
The stealer harvests data from all Chromium-, Opera- and Firefox-based browsers, including history, cookies, passwords, and credit card information. It also lifts FTP, Telegram and Discord credentials, scans the victim’s desktop for predefined file types, and takes screenshots. It also targets other clients, such as Steam, and crypto wallets.