Risky Biz News: WinRAR zero-day used to hack stock and crypto traders

This newsletter is brought to you by Trail of Bits. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Hackers have used a zero-day vulnerability in the WinRAR file compression utility to install malware on user devices and steal funds from stock and cryptocurrency trading accounts.

The zero-day was discovered by security researchers from Group-IB, who spotted the attacks while investigating a DarkMe malware campaign.

Researchers tracked the earliest exploits to April this year.

All the attacks appear to have been focused on the brokerage and crypto-trading communities, with booby-trapped ZIP files uploaded on eight popular forums.

The zero-day allowed threat actors to modify how files were shown inside the WinRAR window when users wanted to decompress a file. It allowed attackers to run malicious batch or CMD scripts as benign files with innocuous JPEG or PDF file extensions.

When users executed any of these files, they were infected with malware.

Group-IB says it has tracked at least 130 users who got infected this way.

In most cases, the final payload was malware such as DarkMe, GuLoader, and Remcos RAT, which allowed threat actors to connect to infected devices and then siphon money from brokerage or cryptocurrency accounts.

Researchers say they can't tell how much money has been stolen with the zero-day.

A patch for this vulnerability was released earlier this week.

The zero-day is tracked as CVE-2023-38831 and should not be confused with CVE-2023-40477, another vulnerability that was also patched this week.

Breaches, hacks, and security incidents

FBI's TraderTraitor cash-out warning: The FBI has warned that a North Korean hacking group known as TraderTraitor may attempt to launder more than $40 million worth of crypto-assets it stole in hacks earlier this year. The agency published six cryptocurrency addresses where hackers moved some of the stolen funds and asked cryptocurrency platforms not to honor any transactions. The TraderTraitor group is believed to have stolen more than $60 million worth of assets from Alphapo, $37 million from CoinsPaid, and $100 million from Atomic Wallet users.

SIM swap incident: Blockchain Capital co-founder Bart Stephens has lost $6.3 million worth of cryptocurrency in a SIM swap incident earlier this year. Stephens says the hackers posed as his brother to gain control over his mobile operator account, from where they transferred his number to a new device. The exec says he learned of the SIM swap when the hackers tried to withdraw money from his company, where his employees received notifications of the withdrawal attempt. [Additional coverage in Blockworks]

Venus Protocol 2022 hack: DeFi platform Venus Protocol has invalidated $63 million worth of assets from the accounts of a hacker. The funds represent 10% of the roughly $600 million that were stolen from the company's systems in October 2022. The platform also lost another $200 million in May 2021. [Additional coverage in CryptoPotato]

Clop's MOVEit hacks: The number of companies who disclosed a security breach in connection to Clop's MOVEit hacks has now reached 963, according to Resecurity.

Fatal Model leak: A security researcher has found a cloud database containing sensitive information from Fatal Model, a website that claims to be the largest escort service in Brazil. Exposed data included more than 14 million records containing information about escorts, customers, and the company's backend infrastructure. The most sensitive information was ID scans and photos for 33,900 escorts who verified their identity on the site. Discovered by Jeremiah Fowler, the database has now been secured.

CloudNordic ransomware incident: Danish cloud hosting company CloudNordic says it lost all customer data in the aftermath of a ransomware attack that hit its systems last week. The company says that hackers have encrypted its backups, which prevents it from restoring customer data. CloudNordic says it does not intend to pay the hackers, meaning customers will have to rebuild infrastructure and websites from local backups or from scratch.

DEA gets scammed: Forbes' Thomas Brewster has a story on how the DEA fell for a scam and sent crypto seized from a narcotics bust to a scammer.

Tehtrans incident: A pro-Ukraine hacktivist group named Nebula claims to have breached and destroyed the website and internal network of Russian railway company TehTrans. The hackers also claim to have stolen 3.5TB of data, which they plan to release in the coming days. The group says it conducted the attack because TehTrans transported weapons and military equipment for Russia's war effort in Ukraine. [Additional coverage in the Kyiv Post]

General tech and privacy

Verisign revocation: Microsoft has revoked trust this week in a root Verisign certificate, causing many Windows 10 and Windows 11 apps to fail to execute. According to Airlock Digital—which contacted a Verisign spokesperson—the root cert was one of the certificates that got Symantec banned from all major browsers. The certificate was meant to be revoked in 2019, but Microsoft forgot and appears to have remembered this week.

Tor gets PoW-based anti-DDoS mitigation: The Tor Project has launched a new security feature to protect Tor infrastructure against DDoS attacks. The new feature uses proof-of-work mathematical computations to distinguish between legitimate clients and automated bots that may be participating in a DDoS attack. The new protection will kick in when the server is overloaded with requests and disable itself when activity is low.

Edge for Business: Microsoft has launched Edge for Business, a new mode (workspace) inside its web browser designed to be used in corporate networks. The new mode uses separate caches and storage locations, allowing users to separate work and personal data. It also uses a separate enterprise sync system that only saves work-related data.

Google Workspace updates: Google has announced a suite of security-related updates to its Workspace (formerly G-Suite) platform. Changes include making 2SV mandatory for selected admin accounts, requiring that multiple admins sign off on some account changes, new Gmail email filtering or forwarding protections, and the ability to select where to store encryption keys.

LinkedIn for the win: In the aftermath of Twitter's dive into right-wing politics, state propaganda, and online harassment, it appears that LinkedIn has benefited the most from the user exodus. [Additional coverage in Bloomberg/non-paywall]

FB Messenger E2EE: Meta says it started enabling end-to-end encryption by default for all Facebook Messenger users this week. The company expects to finish the procedure and have all users on E2EE chats by the end of the year. Meta has been working on E2EE for its Messenger service since 2019 and says it had to rebuild more than 100 features to accommodate encrypted chats.

Government, politics, and policy

Federal Cybersecurity Vulnerability Reduction Act: US lawmakers have introduced a new bill that will mandate all federal contractors establish vulnerability disclosure programs and policies. Named the Federal Cybersecurity Vulnerability Reduction Act, the bill is meant to improve the US government's resilience to vulnerability exploitation and supply chain attacks. CISA and the OMB had previously instructed federal agencies to establish a VDP back in 2020, but the new bill would make it mandatory. [Additional coverage in The Record]

Internet shutdowns in Kazakhstan: A group of human rights organizations has asked the Kazakhstan government to update its laws and remove the ability to block or throttle internet connections for its population. The organizations argue that besides impacting free speech and human rights, the practice is also damaging to the country's economy.

Scraping stance: Data protection agencies from 12 countries have published a joint statement [PDF] calling for the protection of people's personal data from unlawful data scraping taking place on social media sites. The statement warns companies that user data listed on public profiles is still considered personal information and should be safeguarded from scraping tools. Representatives from Argentina, Australia, Canada, China, Colombia, Mexico, Morocco, New Zealand, Norway, Switzerland, the UK, and the US have signed the statement.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Dan Guido, CEO of Trail of Bits, about AI. Dan thinks AI technologies will be a "game changer." But he also thinks the conversation around AI is not very sophisticated just yet.

Cybercrime and threat intel

Two Lapsus$ hackers convicted: A UK court found two teenagers guilty of participating in intrusions carried out by the Lapsus$ group. Eighteen-year-old Arion Kurtaj and an unnamed 17-year-old were found guilty of hacking Uber, Revolut, and Rockstar Games. Both teenagers are diagnosed with autism, and none appeared in court. The two are scheduled to be sentenced at a later date. [Additional coverage in the BBC]

Tornado Cash founders charged/sanctioned: US authorities have formally charged the two founders of the Tornado Cash cryptocurrency mixing service. Officials say the duo allowed their service to be used to launder more than $1 billion in criminal proceeds, including crypto-assets stolen by North Korean hackers. Russian nationals Roman Storm and Roman Semenov were charged with money laundering, sanctions evasion, and operating an unlicensed money transfer business. Storm was arrested in the state of Washington. Semenov is still at large and was also added to the US sanctions list. A third Tornado Cash co-founder named Alexey Pertsev was arrested in the Netherlands in August of last year and is awaiting extradition.

Telegram hacker sentenced to prison: Brazilian authorities have sentenced a hacker named Walter Delgatti Neto to 20 years in prison in connection to the Vaza Jato Leaks. Delgatti is one of the four suspects detained in July 2019 for hijacking the Telegram accounts of government officials and leaking private conversations to reporters. The leaks exposed the Bolsonaro government's involvement in the prosecution of the country's former president, Lula da Silva. Although Delgatti was released during his trial, he was re-arrested earlier this month after allegedly hacking Brazil's Justice Ministry system and issuing a fake arrest warrant against one of the country's Supreme Court justices.

KittenSec: Cyberscoop has a profile on KittenSec, the pro-Russian hacktivist group exposing "cOrRuPtIoN" and "aTtAcKs On HuMaN rIgHtS" in NATO countries. This is the same group that claimed to have dropped USBs at DEFCON with their data leaks. Oh, brotha! Can these hacktivist groups stop being this cringe?

Facebook campaign: Trend Micro has spotted threat actors using malicious Facebook ads for AI and LLM topics to infect users with malicious Chrome extensions and hijack their Facebook profiles.

Telekopye service: ESET has a breakdown of Telekopye, a Telegram bot for building phishing pages for various Russian online marketplaces. The service is very popular with hackers from the former Soviet space.

Investment and crypto-investment scams: CERT NZ has published a list of 35 websites known to host investment or cryptocurrency scams.

Ransomware gangs prefer the nights: Most (81%) ransomware attacks take place at night, outside of normal business hours when IT and security teams are likely to be out of the office. The very few times an attack takes place during regular hours are during weekends when security teams are likely to be out as well. According to intrusion data gathered by Sophos, adversary dwell times in the first half of the year have been roughly eight days, in line with observations made by other security firms. For ransomware, in particular, the dwell time is smaller, at just five days, meaning companies need to react even faster.

Malware technical reports

Spacecolon: ESET researchers have analyzed Spacecolon, a malware framework that has been used in recent campaigns to deploy the Scarab ransomware. The framework was developed in 2020, is written in Delphi, and appears to be managed by a Turkish-speaking developer. ESET says it tracks the gang behind the Spacecolon toolset as CosmicBeetle, and clues suggest the group may be preparing its own ransomware strain named ScRansom.

Whiffy Recon: The operators of the Smoke Loader malware are dropping a new component on infected systems. Named Whiffy Recon, the component is used to geolocate the user's approximate location using WiFi data instead of an IP address. The component works by collecting information of nearby WiFi networks and then triangulating the user's position using Google's Geolocation API.

XWorm: ANY.RUN researchers have published a breakdown of a new version of the XWorm malware.

Silver Fox: Security firm Antiy has a report on the Silver Fox cybercrime group and its malware. The group, also known as Snake, is known to target Chinese companies using SEO poisoning attacks to classic email phishing operations. Qihoo 360 also has a report on the group as well.

Remcos RAT: CyFirma has a report on the good ol' Remcos RAT.

Akira directory leak: Security firm Stairwell says it was able to stop some Akira attacks after it found a server that contained tools used by the ransomware gang. The tools contained IP addresses of systems the gang was attacking. Stairwell says it worked with CISA to notify targeted companies and prevent their data from being stolen and encrypted.

Sponsor Section

Trail of Bits co-founder and CEO Dan Guido was asked to provide feedback on the effects of AI on modern technology at a meeting of the Commodity Futures Trading Commission's Technology Advisory Committee (TAC) on July 18. His comments are summarized in the company's blog here and are available in full in the video below.

APTs and cyber-espionage

China's Barracuda hacks still going: The FBI says that Chinese hackers are still exploiting a Barracuda zero-day (CVE-2023-2868) to compromise email servers across the world. The agency published this week a security alert [PDF] with new IOCs related to these attacks.

Andariel: AhnLab researchers have published a report on Andariel's latest campaigns and operations.

Lazarus Group ManageEngine hacks: The Lazarus North Korean hacking group has used a vulnerability in the Zoho ManageEngine platform (CVE-2022-47966) to breach companies and infect their systems with a new malware strain known as QuiteRAT. Cisco's Talos security division says the attacks began in February this year, five days after proof-of-concept code was published online for the Zoho vulnerability. Talos says they spotted Lazarus successfully compromise an internet backbone and healthcare companies in Europe and the US. Cisco's investigation into the attacks also allowed it to identify another new malware strain created by the group, named CollectionRAT.

Vulnerabilities, security research, and bug bounty

AMD WDM vulnerability PoC: Taiwanese security researcher Zeze has published details and a PoC for a vulnerability in AMD's Windows kernel driver—tracked as CVE-2023-20562. The vulnerability was disclosed at the HITCON security conference earlier this month. AMD released patches as well.

Balancer vulnerability: The Balancer cryptocurrency platform has asked users to withdraw funds stored on certain pools after it discovered a vulnerability in its platform. The company has released a web tool to allow users to determine which and how much of their funds are at risk of theft. So far, reports indicate that users have withdrawn more than $100 million worth of assets, while Balancer has locked another $10 million to prevent exploitation.

XWiki vulnerability: The XWiki project has addressed an arbitrary code injection vulnerability (CVE-2023-35150) in its code.

SonicWall vulnerabilities: NCC Group researchers have discovered and helped patch 15 vulnerabilities in SonicWall GMS (Global Management System) devices.

Cisco security updates: Cisco has released six security updates for various products. Only high and medium-rated bugs in the updates this week.

Windows zero-day PoC: Security researcher Filip Dragović has published proof-of-concept code for CVE-2023-36874, a zero-day in the Windows WER component that was exploited in the wild earlier this year.

Ivanti Sentry PoC: Horizon3 researchers have published a root cause analysis and PoC for the recent Ivanti Sentry zero-day (CVE-2023-38035).

Infosec industry

New tool—SWAT: Elastic's security team has released SWAT, a tool for simulating malicious behavior against Google Workspace in reference to the MITRE ATT&CK framework.

New tool—Bitwarden Secrets Manager: Password management company Bitwarden has launched a new tool/service named Secrets Manager that can let developers securely store access tokens and other app secrets.

Risky Business Podcasts

In this joint Risky Business and Geopolitics Decanted feature interview, Patrick Gray and Dmitri Alperovitch talk to Illia Vitiuk, the Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU), about the cyber dimension of Russia's invasion of Ukraine.