In this week’s information security news, the DeadBolt ransomware has once again targeted QNAP NAS devices. In January this year the ransomware hit QNAP and ASUSTOR NAS devices; this time it exploited a vulnerability in the photo management suite Photo Station. The Mirai variant botnet MooBot, which appeared last year, is also in the news: security firm Palo Alto Networks said that the botnet’s recent attacks on D-Link routers use not only two known vulnerabilities patched in earlier years but also two RCE vulnerabilities from this year, CVE-2022-26258 and CVE-2022-28958, so users should pay close attention to the related fixes. In addition, the zero-day vulnerability CVE-2022-3075 affects all Chromium-based browsers; Google recently released a patch and stated that it has already been exploited, so users should update as soon as possible. Finally, security firm Trend Micro pointed out that fraud related to Taiwan’s epidemic prevention subsidies increased substantially in August, a more serious problem than in the first half of the year.
In terms of the threat landscape, changes in phishing kit services are worth attention. In 2019 we saw security practitioners point out the prevalence of Phishing-as-a-Service (PhaaS) and phishing kits, which let amateur hackers obtain detection-evasion capabilities at low cost; of the phishing kits examined, 80% contained at least one technique for evading detection. Recently another security vendor disclosed a phishing kit rental service called EvilProxy, created by a hacker group, which can attack not only accounts on services such as Apple, Microsoft, Google, Facebook and Twitter, but also the GitHub, PyPI and NPM accounts commonly used by developers. Last month Microsoft revealed large-scale phishing campaigns that could bypass multi-factor authentication; EvilProxy offers similar capabilities: it sets up the phishing website as a proxy between the user and the target website, steals the user’s credentials and session cookies, and thereby circumvents two-factor authentication and hijacks the victim’s account.
On September 5, the databases of Douyin and WeChat were allegedly hacked, and the suspected leaked data was posted on a hacker forum. The companies subsequently denied the news, and many experts offered their opinions. What is the actual situation? The follow-up news also received international attention.
Major information security news this week
【Attack and Threat】
Security industry exposes phishing kit rental service EvilProxy, which can bypass two-factor authentication on well-known services
In the past, hackers launched phishing attacks with phishing toolkits, but in recent years subscription services for such tools have appeared, letting low-skilled hackers launch attacks without the relevant expertise, and now even bypass the already widespread two-factor authentication mechanism.
Security firm Resecurity has exposed a phishing kit rental service (PhaaS) called EvilProxy. The sellers claim that their toolkit can be used not only to attack Apple, Microsoft, Google, Facebook and Twitter accounts, but also the GitHub, PyPI and NPM accounts used by developers. It carries out adversary-in-the-middle (AiTM) attacks: the service provides reverse proxy servers and phishing sites, the victim authenticates with the real service through the proxy, and the proxy steals the session cookies it needs, allowing hackers to hijack the victim’s account without having to pass two-factor authentication.
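The cookie theft described here (and in the threat-landscape summary above) leaves a trace a defender can look for: the session is established through the proxy by the victim’s own browser, and the stolen cookie is then presented from the attacker’s client. The following Python is an added example, not code from the article or from Resecurity; the log format and every log line are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the format is an assumption.
# S1: alice logs in from her browser, then two minutes later the same session
#     cookie is presented from another IP by a different client, which is
#     what a stolen cookie replayed by an attacker looks like.
# S2: bob's IP changes hours later with the same client (ordinary roaming).
SAMPLE_LOG = """\
2022-09-06T10:01:12Z login_ok user=alice sid=S1 ip=203.0.113.7 ua=Firefox/104
2022-09-06T10:01:40Z request user=alice sid=S1 ip=203.0.113.7 ua=Firefox/104
2022-09-06T10:03:05Z request user=alice sid=S1 ip=198.51.100.9 ua=python-requests/2.28
2022-09-06T10:05:00Z login_ok user=bob sid=S2 ip=192.0.2.44 ua=Chrome/105
2022-09-06T10:06:10Z request user=bob sid=S2 ip=192.0.2.44 ua=Chrome/105
2022-09-06T12:30:00Z request user=bob sid=S2 ip=192.0.2.45 ua=Chrome/105
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) sid=(?P<sid>\S+) "
    r"ip=(?P<ip>\S+) ua=(?P<ua>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_session_reuse(log_text, window_minutes=60):
    """Return alerts for sessions whose cookie is presented by a client other
    than the one that logged in. A changed user agent counts at any time; an
    IP change alone only counts within the window, because mobile users
    legitimately change addresses over longer periods."""
    origins = {}  # sid -> record of the successful login that issued it
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "login_ok":
            origins[rec["sid"]] = rec
            continue
        origin = origins.get(rec["sid"])
        if origin is None:
            continue  # session we never saw issued; out of scope here
        ip_changed = rec["ip"] != origin["ip"]
        ua_changed = rec["ua"] != origin["ua"]
        within_window = rec["ts"] - origin["ts"] <= timedelta(minutes=window_minutes)
        if ua_changed or (ip_changed and within_window):
            alerts.append({
                "sid": rec["sid"],
                "user": rec["user"],
                "login_ip": origin["ip"],
                "seen_ip": rec["ip"],
                "ua_changed": ua_changed,
                "ts": rec["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOG):
        print("possible session hijack:", alert)
```

Such a rule only catches the replay after the fact; binding the session to the client or using phishing-resistant authentication prevents the proxy from obtaining a usable session in the first place.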
Ransomware DeadBolt hits QNAP NAS again by exploiting a flaw in the photo management suite
On September 3, QNAP issued a security advisory stating that the DeadBolt ransomware had locked NAS devices exposed on the Internet, breaking in through a vulnerability in the photo management suite Photo Station. The company urgently released a patched version of the software the same day. Unlike in previous attacks, this time it called on users to stop using Photo Station and suggested switching to another application, QuMagie.
Since the attack took place over the weekend, many users reported that their NAS had been hit and posted images of the ransom notes online, but the circumstances differ from case to case. For example, some users had upgraded the NAS operating system QTS to the latest version, but Photo Station may still have been a vulnerable version, so the NAS could still be compromised.
Botnet MooBot targets D-Link routers
The Mirai variant botnet MooBot emerged last year, attacking vulnerabilities in Hikvision network video surveillance systems, but the hackers have now shifted their target. Security firm Palo Alto Networks revealed a recent MooBot campaign in which the hackers targeted D-Link routers and exploited vulnerabilities including CVE-2015-2051, CVE-2018-6530, CVE-2022-26258 and CVE-2022-28958 to compromise the devices. Most of these vulnerabilities can be used for RCE, with CVSS scores of 9.8 to 10.
The researchers pointed out that D-Link has provided new firmware versions to patch these flaws (although no related announcement can be found on the company’s website), and users should patch as soon as possible to avoid being targeted.
The number of fraudulent websites for Taiwan’s epidemic prevention subsidies exploded in August, surpassing the total for the first half of the year
Security firm Trend Micro warned that it found a significant increase in August in fraud related to Taiwan’s epidemic prevention subsidies. The company pointed out that 665 variants of fake subsidy-related domains appeared in August this year, such as gov[.]com and wsflsgov[.]tw. It called on the public to verify the website first when receiving related text messages, and to apply for the subsidy directly through the government website, to reduce the chance of being deceived.
Japanese government website reportedly paralyzed by Russian hacker group Killnet
The Russian hacker group Killnet has been launching DDoS attacks on European countries that support Ukraine for the past six months, and is now also targeting Asian countries. According to Japanese media reports from Kyodo News, NHK and Nikkei, the Japanese government’s electronic service portal e-Gov was hit by a DDoS attack at about 4:30 p.m. on September 6 and could not be accessed until late at night. The local tax portal eLTAX was similarly paralyzed. Killnet then claimed responsibility on its Telegram channel, most likely because of Japan’s public support for Ukraine.
Linux malware Shikitega evades detection with multi-stage deployment
Malware targeting Linux computers is becoming more common and the attacks more sophisticated. For example, AT&T’s security research team reported that it discovered a Linux malware suite called Shikitega whose deployment process is extremely stealthy and complicated. First, an ELF executable of only 370 bytes extracts shellcode and executes it; it then contacts C2 to download Mettle, a Metasploit penetration testing module; finally Mettle downloads another ELF file that uses CVE-2021-4034 (also known as PwnKit) and CVE-2021-3493 to gain root privileges and deploy the mining software XMRig.
The researchers pointed out that the hackers also deployed five shell scripts to keep the mining software running on the victim host.
Russian taxi-hailing system Yandex Taxi hacked, causing traffic chaos in Moscow
Independent journalist Russian Market found on September 1 that Yandex Taxi, a large Russian ride-hailing system, had apparently been hacked: the attackers summoned a large number of taxis to the same street in Moscow, causing local traffic chaos. Yandex confirmed to the news website The Verge on the 3rd that this was indeed the case, and said the congestion on the streets cleared after about an hour.
As for the identity of the attackers in this incident, the hacker group Anonymous claimed responsibility and said the attack was part of Operation Russia, carried out together with the IT Army called up by the Ukrainian government.
Mountaineering apparel company The North Face suffers credential stuffing attack, affecting 200,000 users
Mountaineering apparel company The North Face has notified users that its website was hit by a massive credential stuffing attack between July 26 and August 19. After investigation, 194,905 accounts were found to be affected. The hackers may have accessed customers’ names, purchase history, shipping addresses, phone numbers, XPLR Pass loyalty points and similar data, but not credit card information. The company urged customers to change their passwords as soon as possible and to watch for credit card fraud.
Douyin and WeChat databases appear on hacker forum, allegedly exposing more than 2 billion records
According to the security news website Bleeping Computer, a hacker group named AgainstTheWest claimed to have hacked into the databases of Douyin (TikTok) and WeChat, stealing 790 GB of data containing 2.05 billion records. The data types involved include user data, platform analytics data, software code and authentication tokens. The hacker said the data came from an Alibaba Cloud instance. In response, ByteDance, the parent company of Douyin, told Bleeping Computer that it had not been hacked and that the source code obtained by the hackers had nothing to do with the platform.
Did the data really come from the two companies? Researcher Bob Diachenko believes it is genuine, but the source needs further investigation; Troy Hunt, the security researcher who runs the leaked-password search site Have I Been Pwned, said he has seen valid data in it, though some of it may be fake test data, and judged that the hackers most likely obtained it through a system vulnerability.
The Trojan CodeRAT targets developers who use a specific language, and relays commands between the malware and the attacker through an instant messaging app’s API
Security firm SafeBreach has exposed a Trojan called CodeRAT that targets Persian-speaking software developers. The researchers pointed out that Iranian hackers distributed the Trojan through Word files abusing Dynamic Data Exchange (DDE), with content mainly related to VHDL, the hardware description language for very high speed integrated circuits.
The Trojan supports about 50 commands and not only targets emails, Office files and databases, but also monitors the integrated development environment (IDE) used by the victim. Its communication with the hacker is quite unusual: it mainly uses the Telegram bot API instead of a C2 server, which may make it harder for researchers to discover.
It is worth noting that when the researchers contacted the hacker who developed CodeRAT, the hacker uploaded the Trojan’s source code to GitHub, so other hackers are likely to use it to create new malware.
IRS accidentally discloses personal information of 120,000 taxpayers
On September 2, the IRS stated that some Form 990-T filings, which should have been treated as confidential, were accidentally exposed on its Tax Exempt Organization Search (TEOS) service. The Wall Street Journal (WSJ) reported that the sensitive data affects about 120,000 people. The exposure is suspected to be related to a programming error introduced when the IRS began offering electronic 990-T forms last year, which went unnoticed by IRS employees until now. The agency has begun remediation, removing files that should not be public, and has restored the TEOS service.
Samsung U.S. branch hacked, customer personal data leaked
Samsung issued a security notice on September 2 stating that the internal network of its US branch was accessed by unknown persons in July, resulting in the leakage of personal information such as customer names, birthdays and contact details. It emphasized that social security numbers (SSN) and payment card data were not affected; however, the company did not disclose the amount of leaked data, the number of victims, or how the attackers got in.
International hotel group IHG reportedly hit by ransomware LockBit
InterContinental Hotels Group (IHG) notified the London Stock Exchange on September 6 of a security incident that caused “significant” disruption to its IT systems and affected online bookings. However, the group said its hotels are operating normally. What was the incident? According to the security news site Bleeping Computer, it was very likely an attack by the LockBit ransomware, since that group claimed to have attacked a Holiday Inn hotel in Turkey last month.
French clothing company Damart hit by ransomware Hive
On August 15, the online store of the French clothing chain Damart was suspended and has not resumed operations so far. Physical stores were also affected: 92 of its 130 stores were forced to suspend business on the 24th. According to a report by local news site LeMagIT, the company was attacked by the Hive ransomware, which demanded a ransom of $2 million, and it was rumored that the hackers were unwilling to negotiate with parent company Damartex.
Damart said the hackers succeeded in compromising its Active Directory (AD) and encrypting some systems. To prevent the damage from spreading, the company shut down some systems, which affected related services.
Albania suffers from Iranian cyber attack, announces severing of diplomatic relations with Iran
Cyber attacks can lead to changes in relations between countries, and there is now a case of a country cutting diplomatic ties because of attacks on its infrastructure. On September 7, Albania, located in southern Europe, announced that it had severed diplomatic relations with Iran and asked the staff of the Iranian embassy to leave the country within 24 hours. The reason is that the Iranian government led a large-scale cyber attack starting July 15 that damaged Albania’s infrastructure, paralyzed public services, and stole data and communication records; it took Albania nearly a month to recover. The United States also condemned Iran’s cyber attacks and called on other countries to jointly hold such hackers accountable.
800 million Chinese license plates and face data were exposed on the public Internet for several months
In June, the personal information of 1 billion Chinese people appeared on underground forums, including criminal records and medical records, which attracted global attention; now another large trove of Chinese personal data has been found exposed on the Internet. According to a report by news site TechCrunch, security researcher Anurag Sen found a database exposed on a server hosted by Alibaba Cloud. It was exposed for several months, and access was not blocked until August. The contents include high-resolution photos of people’s faces and license plate numbers taken at road intersections. The data was retained mainly because members of the public had to register when entering construction sites or offices for business.
This database belongs to Xinai Electronics, located in Hangzhou, and holds more than 800 million records in total. The researcher said he also found that someone had left a ransom note in the database, but it was unclear whether the data had been leaked or compromised. Following TechCrunch’s notification, the company quietly shut down access.
China accuses NSA of massive cyberattack on local university
Reports of global attacks by hacker groups funded by the Chinese government appear from time to time; this time, China is the one making accusations. The Chinese Ministry of Foreign Affairs stated on September 5 that, according to an investigation by the China National Computer Virus Emergency Response Center (CVERC) and local IT company Qihoo 360, the Office of Tailored Access Operations (TAO) under the US National Security Agency (NSA) used phishing emails to attack teachers and students at Northwestern Polytechnical University in China, and said 13 American personnel were involved in the incident. TAO allegedly used 41 types of cyber weapons to conduct thousands of attacks, intending to steal the school’s core technology and related materials. Neither the US embassy in Beijing nor the NSA has publicly commented.
Hacker group Worok targets well-known companies in Asia and Africa to launch attacks
Security firm ESET has exposed a hacking group called Worok whose targets span Asia and Africa; since February this year, the group has mainly targeted energy companies in Central Asia and public sector entities in Southeast Asia.
The hackers exploited the ProxyShell vulnerabilities to attack the victims’ Exchange servers and implanted a web shell to maintain access in the network environment. They then used Mimikatz, EarthWorm, ReGeorg and NBTscan for reconnaissance, and afterwards deployed the PowerShell backdoor PowHeartBeat and the malware loader PNGLoad. Based on the timing of Worok’s attacks and the tools used, the researchers believe the hackers are likely connected to China’s TA428.
Los Angeles school district LAUSD hit by ransomware attack
On September 5, the Los Angeles Unified School District (LAUSD), the second largest school district in the United States, said it had detected unusual activity on its IT systems over the weekend, which was confirmed to be a ransomware attack. LAUSD said that teachers and students at its schools may lose access to email and some applications, but the district’s school emergency safety system and employee health care system will not be affected. As for the identity of the attacker and whether any data was stolen, LAUSD did not specify.
Hackers prefer to bury malware with video games Minecraft, Roblox
Security firm Kaspersky pointed out that in recent years hackers have often used the names of popular games to launch attacks, offering game clients, cracks and cheat tools as bait to distribute malware that steals data from or mines cryptocurrency on victims’ computers. The groups hackers mainly target are Minecraft and Roblox players, and users who play on either computers or mobile phones may become targets. Once players download software from unknown sources, their computers or phones may be infected with malware.
According to the researchers’ statistics, from July 2021 to the end of June this year, more than 90,000 files named after games contained malware or unwanted programs, and at least 380,000 players worldwide encountered related threats. They called on gamers to be more vigilant.
North Korean hacker Lazarus uses MagicRAT trojan to launch attacks
Cisco revealed a new Trojan, MagicRAT, recently used by the North Korean hacking group Lazarus. The hackers targeted Internet-exposed VMware Horizon servers, a remote work platform, and after breaking into the victim organization implanted the Trojan to operate within the network environment.
The researchers pointed out that MagicRAT is built on the Qt application framework, which makes it harder for researchers to analyze and harder for the machine learning or heuristic detection mechanisms of security products to recognize its intent. In addition, the Trojan may download a file with a GIF extension from the C2 server that is actually a network port scanning tool.
【Vulnerabilities and Patches】
Chrome and Edge browsers patched for actively exploited vulnerability
Google released Chrome desktop version 105.0.5195.102 on September 2, mainly to fix CVE-2022-3075. Reported on August 30, this vulnerability involves insufficient data validation in the Mojo library and is already being exploited in attacks.
Since this vulnerability likely affects all web browsers built on Chromium, browsers such as Edge, Brave and Vivaldi have released corresponding updates to mitigate it. CVE-2022-3075 is the sixth Chrome zero-day this year.
Zyxel Patches Critical RCE Vulnerability in NAS Devices
On September 6, Zyxel issued a security advisory for its NAS devices NAS326, NAS540 and NAS542, patching the critical RCE vulnerability CVE-2022-34747, which has a CVSS score of 9.8. The vulnerability is a format string bug in a specific binary on the NAS; an unauthenticated attacker who exploits it by sending a crafted UDP packet could execute arbitrary code remotely. The company urged users to install the new firmware as soon as possible.
【Information Security Industry News】
Microsoft antivirus mistakes Chrome and Edge for malware
According to a report by the technology blog BornCity, Microsoft Defender threat intelligence update version 1.373.1508.0, released by Microsoft on September 4, mistakenly identified Microsoft’s own Edge browser as malicious software, flagging it as the Behavior:Win32/Hive.ZY threat.
After discussion among users, it emerged that Chrome and other Chromium-based browsers, as well as software built on the Electron application framework such as WhatsApp, Spotify and Discord, were also judged malicious by Microsoft’s threat intelligence. Microsoft has released a new threat intelligence definition file to fix the false positive.
【Other information security news】
The Ministry of Digital Development has allocated 130 million to promote the localization of national defense information security
US provides software supply chain security guidelines for software developers
Imagine Your Korea, the official YouTube channel of the South Korean government, has been hacked and turned into a live broadcast of cryptocurrency scams
Italian renewable energy company GSE was attacked by BlackCat, leaking 700 GB of data
US football team attacked by ransomware BlackByte in February; investigation results released, personal information of more than 20,000 people leaked
Malware attacks targeting Linux operating systems show a significant increase
NPM suite csurf has cross-site request forgery vulnerability
Authentication bypass flaw in Cisco routers, but vendor says it’s out of support
HP Patches DLL Hijacking Vulnerability in PC Support Software
Ukraine cracks down on Russian bot farm again
A new ransomware called Play appears targeting Latin America, abusing AdFind to spy on the AD environment of victim organizations