
Protection of Information Assets

Temple University


MIS 5206.701 ■ Fall 2023 ■ David Lanter

In The News

October 12, 2023 by David Lanter 13 Comments

Filed Under: Unit 08: Case Study 3 - A Hospital Catches the "Millennium Bug"


Comments

  1. Chidi Okafor says

    October 14, 2023 at 3:33 pm

    Topic – Researchers Unveil ToddyCat’s New Set of Tools for Data Exfiltration

    This article details the uncovering of a new set of malicious tools used by the Advanced Persistent Threat (APT) actor, ToddyCat. The tools are designed for data exfiltration, revealing insights into ToddyCat’s tactics. Previously linked to attacks on high-profile entities in Europe and Asia, ToddyCat employs the Ninja Trojan and Samurai backdoor. The new tools include loaders for launching the Ninja Trojan, a file-finding tool called LoFiSe, a DropBox uploader for stolen data, and Pcexter for exfiltrating data to Microsoft OneDrive. ToddyCat also uses custom scripts, a passive backdoor, Cobalt Strike, and compromised domain admin credentials for espionage activities. Additionally, Check Point revealed that government and telecom entities in Asia have been targeted by a related campaign using “disposable” malware with infrastructure overlap with ToddyCat.

    Article link – https://thehackernews.com/2023/10/researchers-unveil-toddycats-new-set-of.html?m=1

  2. Ikenna Alajemba says

    October 14, 2023 at 4:10 pm

    This article is about Microsoft’s annual Digital Defense Report, which reveals a Gaza-based hacker-group, Storm-1133, allegedly linked to Hamas, and how the group has been engaging in cyber-attacks on Israeli entities. They employ social engineering, fake LinkedIn profiles, malware, and third-party infiltrations, aiming to establish backdoor access into systems while dodging network-based defenses.
    https://thehackernews.com/2023/10/gaza-linked-cyber-threat-actor-targets.html

  3. Michael Obiukwu says

    October 14, 2023 at 10:14 pm

    New WordPress backdoor creates rogue admin to hijack websites
    The newly discovered backdoor script in WordPress surreptitiously creates a covert administrator account, compromising the integrity of websites. This sophisticated piece of malicious code carries the potential to infiltrate and expropriate control from the legitimate owners of the website. In this way, it signifies a strong threat for website operators, emphasizing the growing need for proactive cyber defense mechanisms in an era of increasing digital vulnerabilities. As the intensity of cyber threats escalates, staying one step ahead is crucial for businesses and individuals operating online and using platforms like WordPress. Maintaining a constant vigil over security aspects becomes imperative in preventing such cunning and destructive interventions. The emergence of such a backdoor serves as a critical reminder for web professionals to adopt and implement state-of-the-art security measures to circumvent potential subversion of their digital platforms. While it might seem unassuming at first, the ramifications of such intrusions could be very substantial, ranging from data theft to complete control over site operations. As the digital landscape continues to evolve, cyber-security measures must dynamically adapt to new threats and challenges like this rogue WordPress admin usurpation. Monitoring developments in the cyber-security space and regular updates of existing security infrastructure must become standard operating procedures for any entity operating digitally. By ensuring a consistent approach towards employing best practices in cybersecurity, the potential risks arising from WordPress backdoor threats such as these can be effectively mitigated. Taking the necessary steps now to fortify websites against such camouflaged invasions could save site owners from unprecedented data breaches, financial loss, and reputational damage in the future.
    https://www.bleepingcomputer.com/news/security/new-wordpress-backdoor-creates-rogue-admin-to-hijack-websites/

  4. Jeffrey Sullivan says

    October 15, 2023 at 9:01 am

    Jeff Sullivan
    MIS 5206
    In the news Week 8
    Temple University

    LockBit warns leak of CDW data | SC Media (scmagazine.com)

    https://www.scmagazine.com/brief/lockbit-warns-leak-of-cdw-data

    This article was shared on LinkedIn by one of my connections. A few things stood out to me that intrigued me to read the article. One is that I haven’t heard of CDW in years and LockBit. This article goes over how LockBit, a cybercriminal group that uses double extortion tactics where they encrypt the victim’s data, and they also threaten to leak said data if the demands are not met. LockBit has threatened to expose the stolen data from CDW this past week if their demands are not met. They went on to say, “As soon as the timer runs out you will be able to see all the information, the negotiations are over and are no longer in progress. We have refused the ridiculous amount offered”. The interesting thing is that CDW has provided zero statements on this situation. It also goes on to say that LockBit has used these tactics to force other victims in their attacks to speed up ransom negotiations and ultimately pay up, with varying success. ESET Global Cybersecurity Advisor Jake Moore stated, “There is always a chance, however, that this is a tactic used to force their victims’ hands to act quickly yet no real substance is in the original claim.” It will be interesting to see what comes out of this report, if anything, and I will keep an eye out for a CDW response.

  5. Marc Greenberg says

    October 15, 2023 at 2:41 pm

    Californians can scrub personal info sold to advertisers with first-in-US law

    https://www.theguardian.com/technology/2023/oct/10/california-delete-act-signed-newsom

    The California governor signed a bill that would enable residents to request that their personal information be deleted from all the data brokers in the state.

    The bill, SB 362, otherwise known as the Delete Act, was introduced in April 2023 in an attempt to give Californians more control over their privacy. Californians already have a right to request their data be deleted under current state privacy laws, but it requires filing a request with each individual company.
    The new bill reinforces that all data brokers must register with the California privacy protection agency (CPPA), and it requires the CPPA to establish an easy and free way for Californians to request that all data brokers in the state delete their data through a single page, regardless of how they acquired that information. If data brokers don’t comply with these rules, the bill stipulates they be fined or otherwise penalized.
    While proponents of the bill have lauded it as a less tedious and more user-friendly way to reinforce existing California privacy laws, many advertising companies have argued it would undermine their industry.
    Civil liberties and privacy advocates have long called for stronger regulations around the data broker industry, citing concerns about the lack of transparency into when and how consumer data is sold and shared and the ability for law enforcement to skip subpoenas or warrants by simply buying otherwise inaccessible personal information from a private company.
    In the past, agencies like the US Immigration and Customs Enforcement Agency have used data brokers to get around local laws such as sanctuary policies that prohibit state or city agencies from aiding with immigration investigations.

    The state will have until 2026 to implement the Delete Act.

  6. Akintunde Akinmusire says

    October 15, 2023 at 8:02 pm

    https://cybernews.com/security/facebook-copyright-scam-intensifies/
    Facebook copyright scam intensifies, users left stranded
    According to a new report by Cybernews, there have been reports regarding Facebook users being targeted through a phishing scam. Users get fake copyright infringement messages from hackers pretending to be Facebook stating users have violated Facebook’s copyright infringement policies. Through the message, users would be provided with steps to recover their accounts. It was stated that the link provided was intended to steal users’ credentials. To avoid the scam, users are advised to activate MFA, report compromised accounts, and not click on unfamiliar links.

  7. Alyanna Inocentes says

    October 15, 2023 at 9:07 pm

    Microsoft Offers Up to $15,000 in New AI Bug Bounty Program
    https://www.securityweek.com/microsoft-offers-up-to-15000-in-new-ai-bug-bounty-program/

    Microsoft has launched a new bug bounty program focused on artificial intelligence (AI) vulnerabilities. The program offers rewards of up to $15,000 for researchers who uncover and report security flaws in Microsoft’s AI systems. This initiative reflects Microsoft’s commitment to enhancing the security of AI technologies and encourages the research community to identify and help mitigate potential risks in AI systems. The bug bounty program aims to promote responsible disclosure and protect AI systems from potential threats and vulnerabilities.

  8. Andrew Young says

    October 16, 2023 at 1:16 pm

    Article: Bank account numbers & PINs leaked in cybersecurity attack at Charlotte-based AvidXchange

    Around 7,000 customers from a billing and payments tool provider called AvidXchange have had personal info including bank info leaked due to a cybersecurity attack from April, 2023. The group first noticed the breach in April but did not notify customers until October after completing a full review of the data lost and confirming the identities of those impacted. AvidXchange has stated that they have removed the threat and are offering credit monitoring services for those impacted, but the damage done may already be impacting customers.

    This example shows the general process for how companies handle data breaches, as we’ve seen previously in the Target case. What I find unusual about this breach, however, is that the notifications sent to customers are going out now, 7 months after the initial breach and impact. Though credit monitoring is being offered, it is concerning that there is a possible 7-month period where customers could have been impacted and had no idea how or why.

    https://www.wsoctv.com/news/local/financial-information-leaked-cybersecurity-attack-charlotte-based-avidxchange/OGHER6JD6ZBTRENMV4DMNCEUXA/

  9. Alex Ruiz says

    October 16, 2023 at 5:59 pm

    Title: Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign
    Link: https://thehackernews.com/2023/10/pro-russian-hackers-exploiting-recent.html
    Summary: Pro-Russian hacking groups have exploited a security vulnerability in the WinRAR archiving utility to launch a phishing campaign, targeting compromised systems. The attack uses archive files exploiting the WinRAR vulnerability to execute a Batch script, enabling remote access for attackers, then a PowerShell script steals data, including login credentials from Chrome and Edge, which is then exfiltrated via a legitimate web service. This incident is part of a broader increase in cyber threats, particularly from Russian nation-state actors, with evolving tactics observed in phishing operations, notably focusing on Ukraine. Ukrainian cybersecurity agencies reported active threat groups, including Turla and APT29. Despite a decrease in total cyber incidents, the sophistication and intensity of attacks remain concerning.

  10. Kelly Conger says

    October 17, 2023 at 8:15 pm

    Title: Fairfax data breach exposes medical records
    Link: https://cybernews.com/news/fairfax-data-breach-exposes-medical-records

    A data breach at Fairfax Oral and Maxillofacial Surgery, a dental surgery practice with several locations throughout Virginia, has exposed the medical records of over 200,000 patients. The breach was discovered in May 2023, and the company has notified affected patients and offered them a year of free identity protection services. The exposed data includes names, full dates of birth, driver’s licenses, Social Security numbers, health insurance information, and medical history details. Fairfax is investigating the breach and working with law enforcement to apprehend the perpetrators. This is the latest in a series of data breaches at healthcare organizations in recent years. These breaches highlight the importance of healthcare organizations taking steps to protect their patients’ personal and medical information.

    Hospitals may have avoided the Y2k bug, but ransomware and phishing are still a MAJOR problem.

  11. Akiyah says

    October 17, 2023 at 11:13 pm

    MGM is still in the news for the security attack it suffered between September 10 and September 20. It is estimated that the company has lost an estimated 100 million dollars due to its services being compromised, limited, and/or shut down. MGM has yet to confirm whether or not it was the victim of a ransomware attack. If it was a ransomware attack, do you think MGM should have paid the ransom? Do you think companies should have the authority (alone) to risk client/customer data being exposed?

    Article: https://abcnews.go.com/Business/wireStory/cyberattack-mgm-resorts-expected-cost-casino-giant-100-103784725

  12. Ashley A. Jones says

    October 17, 2023 at 11:55 pm

    Discord as a Medium for Payloads

    Nation-state hacking groups have been using Discord’s CDN to host malware, pull sensitive data from the app and facilitate data exfiltration through webhooks. There was evidence found of an artifact targeting Ukrainian critical infrastructures but this is still speculation. The use of Discord for APT malware campaigns is still in its early stages and is limited to data grabbers that can be bought from online sites. An example of this threat is through a phishing attack via email using MS OneNote and once the file is opened and the link is clicked, VBS is executed extracting and running a PowerShell script then downloading another PowerShell script from a GitHub repository. Ultimately, PowerShell uses a Discord webhook to exfiltrate system metadata. Since the initial file is stored in the GitHub repository, a more advanced malware could be delivered at a later time… persistence

    Article Link: https://thehackernews.com/2023/10/discord-playground-for-nation-state.html

  13. Erskine Payton says

    October 18, 2023 at 2:35 pm

    Erskine Payton
    In the News Article- Week 8
    MIS 5206
    Temple University

    The Fake Browser Update Scam Gets a Makeover

    https://krebsonsecurity.com/2023/10/the-fake-browser-update-scam-gets-a-makeover/

    The scam dubbed ClearFake was used to hack WordPress sites, tricking them into thinking they needed to update the browser before viewing content. The fake browser tells the hacker what browser you are using and the malware guides you to a fake page informing you of an available update. There has been an updated version showing how the malware has evolved. The malicious code was once stored on Cloudflare, where it was blocked. The culprits then started storing files on the Binance Smart Chain (BSC), a technology designed to run decentralized apps and “smart contracts,” or coded agreements that execute actions automatically when certain conditions are met. This is how they were able to circumvent Cloudflare.

    The scripts attached themselves to hacked WordPress sites and created a new smart contract on the BSC, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract’s functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

