by Richard Beck

Lithuania experienced geopolitically motivated cyberattacks

A state-controlled energy holding company in Lithuania experienced a cyberattack disrupting online services amid mounting geopolitical tensions caused by Russia's invasion of Ukraine. No critical infrastructure systems were damaged by the distributed denial-of-service event, Ignitis Group stated in a weekend social media post. Even as the attack has subsided, the Ignitis Group warned that threat actors continued to probe for an opening. Cloudflare is providing DDoS protection to the company. Lithuania has faced a spate of intensive DDoS attacks over the past few weeks from Russia-supporting hacktivist groups (see: Lithuanian Government Issues DDoS Attack Alerts). A top Ministry of National Defense official earlier this month tweeted that Russia has placed his country under intensive DDoS pressure, saying Lithuania will "give a diplomatic response and … hold those responsible accountable."

The Baltic country is a main supply chain chokepoint for the Russian exclave of Kaliningrad. Last month, it banned the transit of materials sanctioned by the European Union, including coal, metals and advanced technologies, leading to angry accusations from Russia that Kaliningrad is under siege. EU and Lithuanian officials say that passengers and non-sanctioned goods may continue to transit Lithuania and call the accusations part of a larger pattern of Kremlin disinformation.

The attack was a "publicity" stunt, Margiris Abukevicius, vice minister at the Ministry of National Defense of the Republic of Lithuania, reportedly told local news radio station Žinių Radijas, reports Baltic online portal Delfi.

"Publicity is a very important part of these attacks. If we don't talk about them, the other side will lose motivation. When we talk about alleged victories, about alleged punishment of Lithuania, it's motivating the other side," Abukevicius said.

A group of hackers has targeted multiple Lithuanian government websites. Operating under the name Killnet, one of its cyberattacks, against a Latvian broadcasting center, lasted for 12 hours. According to a video message posted on the group's Telegram channel, the attacks are a response to Lithuanian sanctions on Russia after the country's military invasion of Ukraine. The video demanded that Lithuania allow the transit of goods to Kaliningrad if it wanted to avoid further attacks on its government institutions and private businesses. One of the targeted websites belongs to Lithuania's State Tax Inspectorate (STI), another to B1.lt (an accounting service provider). The websites of both entities are still down. Edited: Original source – Data breach

Germany bolsters defences against Russian cyber threats

Berlin is upping its cybersecurity defences to counter the threat of Russian online attacks. Experts warn Germany is vulnerable to sabotage attempts and efforts to sow disinformation as war rages in Ukraine. The German government on Tuesday announced plans to shore up cyber defences in light of possible new threats from Russia. Several major cyberattacks around the world have been traced to Russian intelligence-linked hackers in recent years. Amid worsening relations with Moscow, Germany's government fears the war in Ukraine will exacerbate the threat.

The new measures involve promoting cyber resilience among small- and medium-sized enterprises. That would apply to "critical infrastructure," businesses involved in transport, food, health, energy and water supply. Also included is the introduction of a secure central video conferencing system for the federal government. There will also be a centralized platform for the exchange of information on cyberattacks between state and federal structures, based at the Federal Office for Information Security (BSI). Meanwhile, the IT infrastructure of Germany's domestic intelligence agency and police is to be modernised.

A Microsoft report in April said destructive cyberattacks by state-backed Russian hackers had targeted critical infrastructure as part of the war in Ukraine itself. Many times, the report noted, these coincided with physical attacks. Ahead of the invasion, the US tech giant highlighted the presence of dangerous malware on dozens of Ukrainian government computers. Germany has in recent years repeatedly accused Russia of state-sanctioned hacking attempts, something the Kremlin denies. Edited: Original source - DW

Hackers Nab $8M in Crypto via Phishing Attack

After gaining access to Uniswap LP positions via a malicious airdrop contract, hackers stole more than 7,500 ETH. A phishing scam offering a fraudulent airdrop managed to rob Uniswap users of nearly $8 million in funds. The phishing scam promised a free airdrop of 400 UNI tokens (worth approximately $2,200). Users were asked to connect their crypto wallets and sign a transaction to claim the malicious airdrop. Upon connection, the unknown hacker grabbed user funds through a malicious smart contract. To date, more than 74,000 wallets have interacted with the phishing scam smart contract, according to data from Etherscan. On July 11, the hacker deployed the malicious smart contract, according to Etherscan.

Notably, the source code of the deployed smart contract was not verified on Etherscan, something most legitimate projects do. After deployment, the hacker tricked users into signing a transaction, ostensibly to collect their airdropped tokens. Instead, this transaction served as an approval transaction, giving the hacker access to all the Uniswap LP (Liquidity Pool) tokens held by the user. Whenever users add liquidity to Uniswap, they receive LP tokens in return as a representation of their liquidity positions. These tokens are transferable and use the ERC-721 token standard, like all other NFTs.

Hence, through an approval transaction, a third party (the hacker wallet in this case) could spend funds on behalf of the user. After gaining access from the previous approval transaction, the hacker transferred all the LP tokens to their wallet and withdrew all the liquidity from Uniswap. The hacker wallet gained nearly 7,573.94 ETH from the exploit, according to analytics data from Etherscan. The price of UNI has plummeted more than 10% post incident. UNI is a governance token launched in 2020 that lets holders vote on and propose various changes to the Uniswap protocol. Edited: Original source - Etherscan
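The approval mechanism described above can be checked wallet-side before anything is signed. The following is an added example, not code from the article or from Uniswap: a dependency-free decoder for raw calldata that flags a blanket ERC-721 `setApprovalForAll` (the kind of approval that hands an operator every LP position NFT) and unlimited ERC-20 allowances; the operator address in the sample calldata is a constructed placeholder.

```python
# Added example (not from the article): a dependency-free inspector for the raw
# calldata a wallet asks the user to sign. It flags blanket ERC-721 approvals
# (setApprovalForAll), the call type a fake-airdrop page uses to take every LP
# position NFT, and unlimited ERC-20 allowances. A selector is the first four
# bytes of keccak256 over the canonical function signature.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155
    "095ea7b3": "approve(address,uint256)",         # ERC-20 / ERC-721
}
MAX_UINT256 = (1 << 256) - 1


def _word(data: str, i: int) -> str:
    """Return the i-th 32-byte ABI word (64 hex chars) after the 4-byte selector."""
    start = 8 + 64 * i
    if len(data) < start + 64:
        raise ValueError("calldata too short for argument %d" % i)
    return data[start:start + 64]


def inspect_calldata(calldata: str) -> dict:
    """Decode known approval calls and say whether signing them is risky."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector = data[:8]
    fn = SELECTORS.get(selector)
    if fn is None:
        return {"fn": None, "risky": False, "reason": "selector not recognised"}
    target = "0x" + _word(data, 0)[24:]   # an address is the low 20 bytes of word 0
    value = int(_word(data, 1), 16)
    if selector == "a22cb465":
        approved = value != 0
        reason = "operator gains control of ALL tokens" if approved else "revokes operator"
        return {"fn": fn, "operator": target, "risky": approved, "reason": reason}
    unlimited = value == MAX_UINT256
    reason = "unlimited allowance" if unlimited else "allowance of %d" % value
    return {"fn": fn, "operator": target, "risky": unlimited, "reason": reason}


# Constructed sample: setApprovalForAll(<placeholder operator>, true), the kind
# of transaction a "claim your airdrop" page puts in front of the user.
SAMPLE_CALLDATA = (
    "0xa22cb465"
    "000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "0000000000000000000000000000000000000000000000000000000000000001"
)

if __name__ == "__main__":
    print(inspect_calldata(SAMPLE_CALLDATA))
```

A transaction that decodes to `setApprovalForAll(<unknown contract>, true)` for a wallet that expected to receive tokens, not grant control over them, is the signal to refuse to sign.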

New Android malware on Google Play installed 3 million times

A new Android malware family on the Google Play Store that secretly subscribes users to premium services was downloaded over 3,000,000 times. The malware, named 'Autolycos,' was discovered by Evina's security researcher Maxime Ingrao to be in at least eight Android applications, two of which are still available on the Google Play Store at the time of this writing. The two apps still available are named 'Funny Camera' by KellyTech, which has over 500,000 installations, and 'Razer Keyboard & Theme' by rxcheldiolola, which counts over 50,000 installs on the Play Store. The remaining six applications have been removed from the Google Play Store, but those who still have them installed risk being charged with costly subscriptions by the malware's activities.

  • Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
  • Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
  • Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
  • Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
  • Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
  • Coco Camera v1.1 (com.toomore.cool.camera) – 1,000 downloads

In many cases, the malicious applications requested permission to read SMS content upon installation on the device, allowing the apps to access a victim's SMS text messages. Also, while some malicious applications suffered from inevitable negative reviews on the Play Store, those with fewer downloads maintain a good user rating due to bot reviews. Edited: Original source - Bleeping

Call-back Phishing Campaign Impersonating Cyber Firm

A call-back phishing campaign has been impersonating cybersecurity firms, including CrowdStrike, to lure its victims. The email claims that the recipient's firm has been breached and urges them to call the provided phone number to stay protected. According to CrowdStrike, this is the first time that a call-back campaign has been discovered impersonating well-known cybersecurity entities. The recent campaign is believed to use legitimate RATs for initial access, off-the-shelf penetration testing tools for lateral movement, data extortion, and ransomware deployment.

At present, the team of researchers cannot confirm the ransomware variant used in the campaign. However, the call-back operators are believed to be using ransomware for monetization. In such campaigns, a phishing email is sent to the target conveying that their organization has been breached, and insists on calling a phone number included in the message. If the targeted user calls the number, the attackers direct the potential victim to a website containing malware, which could be a RAT providing them initial access, then perform lateral movement using penetration testing tools and deploy ransomware.

This campaign has made use of similar social engineering tactics to those utilized in other previous call-back campaigns such as Wizard Spider’s 2021 Bazar Call campaign. Researchers further spotted a similar call-back campaign in March 2022. In that campaign, the attackers installed Atera RMM followed by Cobalt Strike for lateral movement and deployed additional malware. Edited: Original source - CrowdStrike

Microsoft fixes dozens of Azure Site Recovery privilege escalation bugs

Microsoft has fixed 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. Azure Site Recovery (ASR) is a disaster recovery service that automatically fails over workloads to secondary locations when a problem is detected. As part of the July 2022 Patch Tuesday, Microsoft fixed 84 flaws, with the Azure Site Recovery vulnerabilities accounting for more than a third of the bugs fixed today. Of the thirty-two vulnerabilities fixed in Azure Site Recovery, two allow remote code execution, and a whopping thirty allow elevation of privilege. In an advisory released today, Microsoft states that SQL injection vulnerabilities caused most of the privilege escalation bugs.

The DLL hijacking flaw is tracked as CVE-2022-33675 and has a CVSS v3 severity rating of 7.8. It was discovered by researchers at Tenable, who disclosed it to Microsoft on April 8, 2022. DLL hijacking attacks exploit insecure permissions on the folders that Windows searches when loading the DLLs an application requires at launch. According to Tenable, the "cxprocessserver" service of ASR runs with SYSTEM-level privileges by default, and its executable lies in a directory that has been incorrectly set to allow 'write' permissions to any user. This makes it possible for normal users to plant a malicious DLL (ktmw32.dll) in the directory. When the 'cxprocessserver' process is started, it will load the malicious DLL and execute its code with SYSTEM privileges.

"DLL hijacking is quite an antiquated technique that we don’t often come across these days. When we do, the impact is often quite limited due to a lack of security boundaries being crossed," explains Tenable's James Sebree in a writeup about the bug.

By acquiring admin-level privileges on a target system, an attacker would be free to change the OS security settings, make changes to user accounts, access all files on the system without restrictions, and install additional software. Considering how widely ASR is used in corporate environments that rely on uninterrupted cloud applications and services, it could serve as a crucial weak point in network intrusions. Tenable highlights the scenario of ransomware attacks where the threat actors could leverage CVE-2022-33675 to wipe backups and make free data restoration impossible. However, this is just one of the many examples. Edited: Original source - Tenable
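The precondition for this bug class is a world-writable directory that a SYSTEM service loads code from, which administrators can audit with the built-in `icacls` tool. The following is an added example, not code from the article or from Tenable's writeup: it parses the text `icacls <dir>` prints and reports any non-deny ACE that grants a broad principal (Users, Everyone, Authenticated Users, INTERACTIVE) the right to add or replace files; the directory path and ACL in the sample are constructed, not the real ASR install location.

```python
# Added example (not from the article or Tenable's writeup): audit the ACL of a
# directory that a SYSTEM service loads DLLs from, using the text printed by the
# built-in Windows tool `icacls <dir>`. It reports non-deny ACEs that give a
# broad principal the right to add or replace files there, the precondition for
# planting a DLL beside a service binary as in the cxprocessserver case.
import re

# icacls right tokens that allow creating or replacing files in the folder.
WRITE_TOKENS = {"F", "M", "W", "WD", "AD", "GW", "GA", "WDAC", "WO"}
BROAD_PRINCIPALS = {"everyone", "builtin\\users",
                    "nt authority\\authenticated users", "nt authority\\interactive"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")

def parse_icacls(directory: str, output: str) -> list:
    """Return (principal, [tokens]) for each ACE in `icacls directory` output."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(directory):      # only the first line carries the path
            line = line[len(directory):].strip()
        m = ACE_RE.match(line)
        if not m:                            # blank line or the summary line
            continue
        tokens = [t.strip().upper()
                  for group in re.findall(r"\(([^)]*)\)", m.group("flags"))
                  for t in group.split(",")]
        aces.append((m.group("who").strip(), tokens))
    return aces

def weak_write_aces(directory: str, output: str) -> list:
    """Broad principals that can write into the directory, with the rights used."""
    findings = []
    for who, tokens in parse_icacls(directory, output):
        if "DENY" in tokens or who.lower() not in BROAD_PRINCIPALS:
            continue
        granted = sorted(set(tokens) & WRITE_TOKENS)
        if granted:
            findings.append((who, granted))
    return findings

# Constructed sample modelled on icacls output (placeholder path, not the real
# ASR install location): Users were granted Modify on the service directory.
SAMPLE_DIR = r"C:\Program Files\ExampleService"
SAMPLE_ICACLS = r"""C:\Program Files\ExampleService BUILTIN\Administrators:(I)(OI)(CI)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               BUILTIN\Users:(OI)(CI)(M)
                               NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
```

Calling `weak_write_aces(SAMPLE_DIR, SAMPLE_ICACLS)` on the sample returns the single offending entry for `BUILTIN\Users` with the `M` (Modify) right; on a real host, feed it the directory of each service whose start account is LocalSystem.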

New threat actor launches large-scale crypto attack

CuteBoi. Trust us, there’s nothing cute about this. This new threat actor has launched a large-scale crypto mining campaign targeting the NPM JavaScript package repository. The name comes from the ‘cute’ username hardcoded in many packages and a non-random NPM username of an attacker ‘cloudyboi12’. The campaign involves 1,283 malicious modules, published via more than 1,000 automated user accounts. The automation included the capability to bypass the NPM 2FA challenge. The packages contain almost identical source code, sourced from an existing package, named eazyminer. It is used to mine Monero by using unused resources on web servers. The campaign uses a disposable email service - mail[.]tm. The researchers surmise that the package cluster is part of experimentation by the attacker. The packages contain XMRig miners, whose binaries are shipped with the packages. The binaries are modified to match the random package names. The automation technique used is pretty unique and CuteBoi launches the attack without registering domains and hosting a custom server. Edited: Original source - Checkmarx

Online Payment Fraud Set to Exceed $343bn Globally

A new study from Juniper Research suggests that total losses to online payment fraud will exceed $343bn globally over the next five years, driven largely by fraudster innovation in areas such as account takeover fraud and identity theft. This is despite widespread use of identity verification measures. Online payment fraud includes losses across the sales of digital goods, physical goods, money transfer transactions and banking, as well as purchases like airline ticketing. Fraudster attacks can include phishing, business email compromise and socially engineered fraud. The research also found that to combat rising fraud, fraud prevention vendors must orchestrate the right mix of verification tools, at the most effective point in the customer journey, to best protect users. However, this will require significant capabilities to achieve.

“Fundamentally, no two online transactions are the same, so the way transactions are secured cannot follow a one-size-fits-all solution. Payment fraud detection and prevention vendors must build a multitude of verification capabilities and intelligently orchestrate different solutions depending on circumstances, to correctly protect both merchants and users,” said report author Nick Maynard, head of research, Juniper Research.

The research identified physical goods purchases as the largest single source of losses, expecting this to account for 49% of cumulative online payment fraud losses globally over the next five years, growing by 110%. Lax address verification processes in developing markets are also a major fraud risk, with fraudsters targeting physical goods specifically due to their resale potential. As such, it recommends merchants adopt strong anti-fraud measures, including multiple sources of address verification and multi-factor authentication, to reduce fraudulent incidents for physical goods merchants. Edited: Original source - Juniper

20+ Security Patches Released for SAP

German software maker SAP on Tuesday announced the release of 20 new security notes and three updates to previous security notes as part of its July 2022 Security Patch Day. Of the new security notes, four deal with high-severity vulnerabilities, one impacting SAP BusinessObjects and three found in Business One. The most severe of these issues is CVE-2022-35228 (CVSS score of 8.3), an information disclosure vulnerability in the central management console of the BusinessObjects Business Intelligence Platform.

The issue “allows an unauthenticated attacker to gain token information over the network,” but the attack “would require a legitimate user to access the application,” software security firm Onapsis explains.

The first of the high-severity bugs that impact Business One is an information disclosure flaw (CVE-2022-32249) that allows a highly privileged attacker to access sensitive information, such as credentials, that can be used in subsequent attacks. The second issue is a missing authorization check (CVE-2022-28771) that allows an unauthenticated attacker to break an application using malicious HTTP requests sent over the network. The third bug in Business One is a code injection vulnerability (CVE-2022-31593) that allows a low-privileged attacker to control application behaviour. The remaining medium-severity security notes deal with vulnerabilities in SAP S/4HANA, EA-DFPS, ABAP Platform, and Business One. Edited: Original source - SAP
