Risky Biz News: Website defacements and CCTV hacks in Iran

In other news: Dutch intelligence agency used NSO spyware; new Confluence zero-day; and CYBERCOM shenanigans in Ukraine.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The People's Mujahedin of Iran (MEK), one of the few political-militant organizations opposed to the current Iranian government, took credit on Thursday for the defacement of more than 150 Iranian government websites and the hacking of more than 5,100 CCTV cameras across Tehran.

In a statement posted on its website, the political group claimed they carried out the attack with the help of "a network of dissidents inside Iran."

MEK said they timed the attack to take place on the eve of Ayatollah Khomeini's death, mourned/celebrated each year across Iran on June 3.

As part of their intrusion, MEK said they also used the compromised servers of the Tehran municipality to send SMS messages to more than 585,000 Iranian phones. The messages read: "Damned be Khomeini, death to Khamenei and Raisi, Hail to Rajavi," according to a video the organization published on YouTube.

Photos of MEK leader Massoud Rajavi and his wife were also posted on the defaced websites, many of which were taken down on Thursday as officials worked to re-secure them.

MEK said this was the third cyber-attack the organization carried out this year, after also defacing government sites in March and hijacking TV streams in late January.

Iran was the target of several crippling cyberattacks last year, including incidents that targeted its national railway system, gas stations, and a prison complex that housed most of its political prisoners.

Breaches and hacks

Pegasus Airlines: Security researchers said this week that Pegasus Airlines, a Turkey-based low-cost airline, accidentally leaked more than 6.5 TB of internal files after it left an AWS bucket exposed online.

FBI thwarts Iranian attack: FBI Director Christopher Wray said that the FBI Boston office blocked a cyberattack orchestrated by Iranian hackers against the Boston Children's Hospital last year.

General tech and privacy

Apple App Store stats: Apple published a report on Wednesday summarizing its work in protecting the App Store. The company said that its safety systems blocked more than $1.5 billion in potentially fraudulent transactions, preventing the attempted theft of user funds, and also blocked more than 1.6 million risky and vulnerable apps and app updates. More stats are in the image below.

Microsoft Autopatch: Back in April, Microsoft teased a new product called Autopatch that could be used to automatically install updates on large fleets of PCs. A first public preview of this upcoming service has been released this week. The service will be offered to Windows 10/11 Enterprise E3 customers in July this year.

Firefox 101: Mozilla has released Firefox 101. Patch to fix a bunch of security bugs.

Some Mozilla VPN code goes FOSS: Mozilla has open-sourced this week the source code of its affiliate marketing component that is used to promote its Mozilla VPN service. Mozilla said the "affiliate marketing is a space rife with tons of data collection practices" and they wanted to be transparent about their system and what it collects from new users landing on its service.

ExpressVPN pulls out of India: ExpressVPN, one of the largest VPN providers in the world, has announced that it will pull servers from India after the local government passed a new cybersecurity law that would have mandated the company to collect and store information on all its users.

Voice privacy nightmare: Wired has an excellent report on the future troubles everyone is going to have with (re)securing their voices if voice biometrics and deep fake technology see broader adoption, especially after so many of us have uploaded our voice recordings on social media or have used tools based on voice recognition, such as Alexa or other smart assistants.

Government, politics, and policy

CyberCom operations against Russia: Gen. Paul Nakasone, the head of US Cyber Command, has told Sky News this week that the US has conducted offensive cyber operations in support of Ukraine before the war's start. The White House confirmed Nakasone's statements and said that the cyber operations didn't break its policy of avoiding direct military conflict with Russian forces.

Cyber standards for SATCOM providers: The US Space Force rolled out a cybersecurity standard for commercial satellite (SATCOM) providers. The Commercial Satellite Communications Office, or CSCO, is set to start cybersecurity assessments of third-party providers later this year, in September. SATCOM providers that pass its cybersecurity standard will be eligible for government contracts.

AIVD used NSO's Pegasus: Dutch newspaper De Volkskrant reported on Thursday that AIVD, the Dutch intelligence agency, used hacking tools developed by Israeli spyware vendor NSO Group in 2019 to catch drugs kingpin Ridouan Taghi. According to the report, the AIVD accessed Taghi's phone to determine his location. The suspect was later arrested in Dubai and is still on trial in the Netherlands.

Germany's BaFin: BaFin, the regulatory agency in charge of Germany's financial sector, issued an alert to German banks this week about an increase in cyberattacks targeting the nation's financial sector due to the war in Ukraine.

Russia: The Russian government has ordered government workers to stop using foreign instant messaging services and move to Russian-based alternatives. According to Kommersant, VK is currently developing an IM service specifically for Russian civil servants.

Chinese financial sector: Western companies operating in China's financial market are worried that China's upcoming cybersecurity rules pose a major security risk to their operations, as the new regulation will force them to share data with Beijing authorities, Reuters reported.

Cybersecurity workforce shortages: A report published on Thursday by the US Congress' Cyberspace Solarium Commission touches on the recent skilled cybersecurity personnel workforce shortages that have been plaguing the US private and public sectors for more than a decade. The report makes several recommendations for addressing the issue.

Cybercrime and threat intel

FluBot takedown: Law enforcement agencies from 11 countries have disrupted the operations of the FluBot Android malware gang, Europol announced on Wednesday. The malware, first spotted in December 2020, had built a reputation in recent months for carrying out large-scale SMS spam campaigns that redirected users to malicious sites hosting malicious Android apps infected with its trojan. Once it infected a new smartphone, it would use the contacts list to spread to send out new spam messages.

Karakurt warning: In a security advisory published on Wednesday, CISA warned US organizations that are being extorted by the Karakurt gang that paying the ransom will not always stop the hackers from leaking or secretly selling their data. Three reports in April 2022 [1, 2, 3] described the Karakurt gang as a subgroup of the larger Conti ransomware cartel. Researchers said that data stolen by Conti affiliates in attacks where they failed to encrypt files is usually passed to the group for a classic "data extortion" scheme.

DOJ seizures: The US Department of Justice seized on Wednesday three domains that hosted cybercrime services. Together with Dutch and Belgium police, officials seized ipstress.in and ovh-booter.com, the domains of two DDoS-for-hire services, and weleakinfo.to, a domain used to advertise and sell access to more than 10,000 hacked databases. This last domain was, in fact, a clone of an older service hosted at weleakinfo.com that the DOJ seized back in 2020.

Operation KillerBee: Trend Micro has published additional details regarding the recent arrests of three BEC scammers on Monday, announced by Interpol, as part of Operation KillerBee.

Elasticsearch ransom attacks: Cybersecurity firm Secureworks said that it detected a new wave of ransom attacks targeting Elasticsearch servers that have been left unsecured online. The attackers are demanding a ransom of $620 (paid in Bitcoin) to restore deleted files, and Secureworks said it found this particular ransom note on around 1,200 Elasticsearch databases so far.

Malicious npm package: ReversingLabs said it identified a malicious npm package that would install a cryptocurrency miner on infected systems. The package, named maintainancewebsite, has been removed in the meantime.

EvilCorp evading sanctions: Mandiant said in a report published on Thursday that the EvilCorp cybercrime cartel, which previously operated the Locky, Hades, and the BitPaymer ransomware strains, is now using the LockBit ransomware in recent intrusions. Mandiant said the group has stopped operating its own ransomware strains after sanctions from the US Treasury have made it impossible to receive ransom payments. By using ransomware developed by other gangs, Mandiant said EvilCorp may be trying to avoid US sanctions.

Faking malicious traffic: An unidentified entity has created malware samples that have the Xinjiang Police Files leak site (xinjiangpolicefiles.org) as the command-and-control domain in the hopes of getting the site blacklisted in web browsers.

Malware technical reports

Clipminer: The Broadcom Symantec security team has published a report on Clipminer, a malware strain that the company said has made at least $1.7 million worth of cryptocurrency for its operators. Symantec sais the trojan installed crypto-mining software on infected devices and hijacked transactions by replacing legitimate cryptocurrency addresses inside the infected computer's clipboard. The malware was first spotted in January 2021, and its operators have used game and pirated software cracks, P2P networks, torrent indexers, or YouTube videos to spread it to victims.

SMSFactory: Avast published a technical report on Wednesday on SMSFactory, a new Android malware strain. SMSFactory spreads via malvertising campaigns, and once it infects victims, it generates money for its operators by sending premium SMS and making calls to premium-rate phone numbers from compromised devices.

YourCyanide ransomware: Trend Micro's threat research team published a report on Thursday on YourCyanide, a new ransomware strain targeting Windows systems that relies on the CMD utility to spread and encrypt a victim's files.

R4IoT: Forescout has published a technical report [PDF] on how ransomware gangs could use IoT and OT devices for initial access and lateral movement.

WatchDog: Cado Security has an update on the recent TTPs used by the WatchDog crypto-mining botnet. Per the company, the group's recent antics have targeted Docker Engine API endpoints and Redis servers.

Conti goes after Intel firmware: The Eclypsium team has published a report on the Conti's gang use of Intel firmware vulnerabilities in their attacks, based on the gang's recently leaked internal chat logs.

Popping Eagle: Palo Alto Networks has published a report on a new malware strain called Popping Eagle. The malware is written in Go and is used as a late-stage backdoor in targeted attacks.

NDSW/NDSX: The GoDaddy Sucuri team published a technical analysis of what the company calls the NDSW/NDSX malware, a collection of malicious JavaScript files inserted on hacked WordPress sites. According to the company, this is what Avast tracks as the Parrot TDS.

APTs and cyber-espionage

Polonium APT: Microsoft said on Thursday that it took down more than 20 OneDrive accounts that were being used by an advanced persistent threat actor operating out of Lebanon. Microsoft said this group, which it named Polonium, has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months. Microsoft's security said that it appears that Polonium might have "coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS)."

LuoYu: Kaspersky has published a report on LuoYu, a Chinese APT, and its use of a new malware strain named WinDealer. The Russian security firm said LuoYu carried out rare man-on-the-side attacks, where it tried to respond to a victim's network traffic with trojanized application updates before the legitimate ISP could complete the request. These malicious app updates contained the WinDealer malware, which the attackers used as a backdoor on infected systems to search and exfiltrate sensitive data. Kaspersky said the vast majority of LuoYu victims were located in China.

SideWinder: Group-IB researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder (aka Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04, and APT-C-17), a threat actor that is believed to be originating from India and primarily targeting Pakistan. The newly discovered custom tool codenamed SideWinder.AntiBot.Script, is being used in the gang's phishing attack against Pakistani targets.

Chinese APTs and cybercrime: Recorded Future has published a report summarizing the different incidents where Chinese state-sponsored hacking groups have dabbled in cybercrime targeting neighboring countries. This includes cryptocurrency theft, romance scams, and the theft and trade of PII data.

Vulnerabilities and bug bounty

Backdoor stays in: Following a two-year-long vulnerability disclosure process, Korenix refused to remove a backdoor account from its JetPort serial devices. The vendor told SEC-Consult—the security that found the hardcoded backdoor account—that they "will not remove the hardcoded backdoor account as it is needed for customer support and it can't be cracked in a reasonable amount of time."

Confluence zero-day: Atlassian said that threat actors are using a new zero-day vulnerability (CVE-2022-26134) to compromise on-premises Confluence servers. The zero-day is an unauthenticated, remote code execution vulnerability in Confluence Server and Data Center systems. There is no patch at the time of writing. Security firm Volexity first identified the attacks, which it said were being used to install JSP web shells on the affected servers, and then a malicious server implant called BEHINDER.

New MSFT zero-day, same core problem: British security researcher Matthew Hickey said he found another zero-day vulnerability in the Office software suite where malicious documents can automatically open a Windows Search window containing remotely-hosted malware executables. The yet-to-be-formally-confirmed zero-day is in the same tune as this Positive Technologies reported bug and the recent Follina (CVE-2022-30190) issue, where attackers are abusing various Office protocol handlers to connect to remote sites and download and run malicious content. In this case, it was the Microsoft Office search-ms: URI handler, while the previous vulnerabilities abused the ms-officecmd: and ms-msdt: handlers.

OpenSSL vulnerability: Sophos security researcher Hardik Shah published a technical analysis of CVE-2022-0778, a denial of service vulnerability in the OpenSSL library. The vulnerability can be used to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Because certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack if they don't use a patched version of the OpenSSL library.

UNISOC bugs: Check Point said it found vulnerabilities in UNISOC baseband chips that open modern smartphones to remote attacks. UNISOC is the fourth largest baseband chipset maker after MediaTek, Qualcomm, and Apple, and is widely used in low-cost Android devices sold across Africa and Asia.

Unpatched Horde webmail bug: Security firm SonarSource published a report this week detailing a vulnerability (CVE-2022-30287) in the Horde webmail application that can allow an authenticated Horde user to execute arbitrary code on the underlying server. The company said that the Horde team patched another bug but passed it as a fix for this issue, meaning the vulnerability remains unpatched.

Infosec industry

Digital Shadows: Cyber security firm ReliaQuest announced on Wednesday that it plans to acquire threat intelligence firm Digital Shadows for $160 million.

Tool release: Security firm XM Cyber has released a tool called VmwarePasswordDecryptor that can recover and decrypt passwords stored on a local PC and which are used to connect to remote VMWare systems such as ESXi, vSphere, and Workstation.

Amnesty fellowship: Amnesty has announced a Digital Forensics Fellowship for anyone interested in helping secure human rights activists and investigate attacks against civil societies across the world. Five positions are available.