Information Security News 11-4-2024

Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft

Article Link: https://thehackernews.com/2024/11/microsoft-warns-of-chinese-botnet.html

  • Microsoft’s Threat Intelligence Team reported that Chinese-linked group Storm-0940 has used the Quad7, aka 7777, botnet (CovertNetwork-1658) for credential theft, targeting Microsoft 365 users in North America and Europe.
  • The botnet has been active since 2021; its activity surged in 2024 and was recently analyzed by Sekoia and Team Cymru.
  • Quad7 enables espionage and data theft by compromising routers from brands such as TP-Link and NETGEAR. The botnet is used to run password spray attacks against Microsoft 365 accounts, with 8,000 compromised devices involved, 20% of which are actively attacking.
  • Microsoft advises securing devices, limiting failed login attempts, and monitoring login anomalies to combat these widespread credential theft risks.
  • Link to Microsoft’s Threat Analysis: https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/
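Microsoft's advice above (limit failed logins, watch for anomalies) is easier to act on with a concrete detector. The following is an added example, not code from the article or from Microsoft: it scans constructed sign-in log lines for the password-spray signature of one source trying many distinct accounts with very few attempts each, and surfaces any success that followed such a run. The log format, IPs, users and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events (timestamp, source IP, user, result).
# Made-up values for illustration; not data from the Microsoft report.
SIGNIN_LOG = """\
2024-11-01T08:00:01Z 203.0.113.10 alice@example.com FAIL
2024-11-01T08:00:03Z 203.0.113.10 bob@example.com FAIL
2024-11-01T08:00:05Z 203.0.113.10 carol@example.com FAIL
2024-11-01T08:00:07Z 203.0.113.10 dave@example.com FAIL
2024-11-01T08:00:09Z 203.0.113.10 erin@example.com FAIL
2024-11-01T08:00:11Z 203.0.113.10 frank@example.com SUCCESS
2024-11-01T08:01:00Z 198.51.100.7 alice@example.com FAIL
2024-11-01T08:01:05Z 198.51.100.7 alice@example.com FAIL
2024-11-01T08:01:09Z 198.51.100.7 alice@example.com SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "result": result})
    return events


def detect_spray(events, min_users=5, max_attempts_per_user=2):
    """Return {ip: {...}} for sources that failed against at least min_users
    distinct accounts while never exceeding max_attempts_per_user on any one
    of them: the low-and-slow pattern of a spray, which evades per-account
    lockout thresholds. A normal user mistyping their own password (one
    account, several attempts) is not flagged."""
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["ip"]][e["user"]] += 1
        elif e["result"] == "SUCCESS":
            successes[e["ip"]].add(e["user"])
    alerts = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
            alerts[ip] = {
                "users_tried": sorted(per_user),
                # Accounts that later authenticated from the spraying IP deserve immediate triage.
                "compromised": sorted(successes[ip]),
            }
    return alerts
```

In a real tenant the same logic runs over a sliding time window, since sprays of this kind may pace attempts hours or days apart.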

FBI, Partners Disrupt RedLine, Meta Stealer Operations

Article Link: https://www.darkreading.com/threat-intelligence/fbi-partners-disrupt-redline-meta-stealer-operations

  • The FBI, alongside law enforcement from Europe, the UK, and Australia, led Operation Magnus to disrupt RedLine and Meta malware operations. As a result, one RedLine developer, Maxim Rudometov, faces serious charges for computer-related crimes.
  • Over 1,200 servers were discovered in dozens of countries, including the Netherlands, Belgium, and the United States, where RedLine and Meta infrastructure ran information stealers and shared stolen credentials via Telegram and hacker forums.
  • Operation Magnus dismantled these malware services by seizing source code, command-and-control (C2) servers, and distribution tools, shutting down operations responsible for stealing millions of credentials and payment details worldwide.
  • The malware was typically embedded in phishing links, fake Facebook ads, and AI chatbot promotions, exploiting users’ data by collecting browser-saved credentials and account details. Organizations are strongly encouraged to improve credential management, conduct regular security audits, and train staff to identify phishing scams to prevent future incidents.

FakeCall Malware Employs Vishing to Gain Full Control Over Mobile Devices

Article Link: https://cybersecuritynews.com/fakecall-malware-employs-vishing/

  • Zimperium’s research team detected a new variant of FakeCall malware targeting Android users, using sophisticated voice phishing (vishing) to gain nearly complete control of devices.
  • This latest variant, discovered in October 2024, demonstrates an evolution in FakeCall’s capabilities, revealing increasingly advanced and hard-to-detect attack methods.
  • FakeCall initiates its attack by tricking users into downloading a malicious Android Package Kit (APK) file. Once installed, it connects to a command-and-control (C2) server, allowing attackers to exploit Android’s Accessibility Services, intercept calls, take control of the device, and steal sensitive data.
  • FakeCall’s evolving sophistication emphasizes the need for users to download apps from trusted sources, keep devices updated, and employ mobile security software to combat these threats.
  • Link to Zimperium’s Research: https://www.zimperium.com/blog/mishing-in-motion-uncovering-the-evolving-functionality-of-fakecall-malware/

Over 80% of U.S. Small Businesses Have Been Breached

Article Link: https://www.infosecurity-magazine.com/news/80-us-small-businesses-breached/

  • The Identity Theft Resource Center’s (ITRC) 2024 Consumer & Business Impact Report, which surveyed 551 small business owners, leaders, and employees, revealed that 81% of U.S. small businesses (under 500 employees) have experienced a data breach.
  • The report, based on data from July 2023 to June 2024, showed breaches surged by 8% compared to the previous year, with average financial losses per business doubling to $500,000.
  • To combat these breaches, 80% of small businesses are implementing preventive measures such as employee training (88%), security tools (65%), and budget increases (67%). Consumers, too, are increasingly improving their cyber hygiene with strategies such as credit freezes and passkeys.
  • Organizations are advised to sharpen their information security programs, invest in regular risk assessments, and provide mental health resources as, sadly, breaches also impact victim well-being, with 12% considering self-harm after identity-related incidents.
  • Link to the ITRC’s Report: https://www.idtheftcenter.org/publication/itrc-2024-consumer-and-business-impact-report/

LastPass Warns of Fake Support Centers Trying to Steal Customer Data

Article Link: https://www.bleepingcomputer.com/news/security/lastpass-warns-of-fake-support-centers-trying-to-steal-customer-data/

  • LastPass recently warned its users about scammers promoting a fake support number via 5-star Chrome extension reviews to fool customers into granting remote access to their devices.
  • The scam is ongoing, with fake support numbers linked to various companies posted across Chrome reviews, forums, and social media, targeting LastPass and other major services such as Amazon, Netflix, YouTube, and Verizon to name a few.
  • Scammers use the phony numbers to socially engineer users into downloading a remote access tool, gaining control over their devices to steal data.
  • LastPass advises users never to share master passwords and verify support sources, while organizations can actively monitor and remove fraudulent content promoting fake support.

The Story Behind the Health Infrastructure Security and Accountability Act

Article Link: https://www.theregister.com/2024/10/29/hold_the_story_behind_the/

  • The Health Infrastructure Security and Accountability Act (HISAA) was introduced by Senators Ron Wyden (D-OR) and Mark Warner (D-VA) in September 2024, driven by the severe ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary, in early 2024.
  • Following the February 2024 attack that exposed personal health information (PHI) of up to 110 million people, Senate hearings and subsequent findings led to the bill’s proposal in September 2024.
  • HISAA mandates standardized information security measures for critical healthcare entities, requiring risk assessments, continuity planning, CEO/CISO compliance certification, and third-party audits. Penalties for non-compliance range from $500 to $250,000 based on severity.
  • Sparked by inadequate cyber practices at Change Healthcare, the act stresses resilience and accountability, allocating $1.3 billion to help hospitals strengthen security, reduce breaches, and ensure patient access.
  • Link to HISAA’s Full Text: https://www.congress.gov/bill/118th-congress/senate-bill/5218/all-actions

Exchange Online Adds Inbound DANE with DNSSEC for Everyone

Article Link: https://www.bleepingcomputer.com/news/microsoft/exchange-online-adds-inbound-dane-with-dnssec-for-everyone/

  • Microsoft has rolled out DNS-based Authentication of Named Entities (DANE) for Simple Mail Transfer Protocol (SMTP) with Domain Name System Security Extensions (DNSSEC) for Exchange Online, enhancing email security for both personal and business users globally.
  • Initially delayed, the feature became generally available in late 2024, with a roadmap aiming to secure all Outlook and Hotmail domains by March 2025.
  • DANE lets a sending server verify the receiving server’s identity and enforce encrypted transport, so mail reaches only the intended recipient. This new capability, DNSSEC and DANE for SMTP, secures delivery by blocking spoofing, downgrade, and man-in-the-middle (MitM) attacks, protecting users’ emails from interception and tampering.
  • Organizations benefit from added email integrity, while Microsoft recommends strengthening internal DNSSEC policies and educating teams on these security protocols.
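To make the "verifies server identities" and "blocks downgrade" points concrete, here is an added example (not code from the article or from Microsoft) of the core check a DANE-aware SMTP client performs: matching a TLSA record against the receiving server's certificate, and deciding whether to deliver, fall back to opportunistic TLS, or defer. It covers only the DANE-EE(3) usage; the DER bytes and TLSA data are constructed stand-ins, and the decision function is a simplified reading of RFC 7672, both assumptions of this example.

```python
import hashlib


def parse_tlsa(record):
    """Parse TLSA RDATA in presentation form: 'usage selector mtype hexdata'."""
    usage, selector, mtype, data = record.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def tlsa_matches(record, cert_der, spki_der):
    """True if the presented end-entity certificate satisfies the TLSA record.
    Selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512 (RFC 6698).
    Only DANE-EE(3) is handled here: DANE-TA(2) must match an issuer in the
    chain instead, and PKIX usages 0/1 are not used for SMTP (RFC 7672)."""
    usage, selector, mtype, data = parse_tlsa(record)
    if usage != 3 or selector not in (0, 1):
        return False
    subject = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return subject == data
    if mtype == 1:
        return hashlib.sha256(subject).digest() == data
    if mtype == 2:
        return hashlib.sha512(subject).digest() == data
    return False


def dane_decision(tlsa_records, dnssec_validated, cert_der, spki_der):
    """Simplified sender-side policy: with no DNSSEC-validated TLSA data the
    client can only do opportunistic TLS (downgradable); with validated
    records, a match means deliver and no match means defer rather than send
    over an unauthenticated channel, which is what defeats MitM/downgrade."""
    if not tlsa_records or not dnssec_validated:
        return "opportunistic"
    if any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_records):
        return "deliver"
    return "defer"


# Constructed sample inputs: stand-in bytes, not a real certificate or key.
SAMPLE_CERT = b"constructed-cert-der"
SAMPLE_SPKI = b"constructed-spki-der"
GOOD_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
# A record left behind after a key rotation no longer matches the live SPKI.
STALE_RECORD = "3 1 1 " + hashlib.sha256(b"constructed-rotated-key").hexdigest()
```

The stale-record case is the operational pitfall for domains publishing their own TLSA records: rotate the key before updating DNS and validating senders will defer mail.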

Shopping Scam Sprawled Across Thousands of Websites, Bilked ‘Tens of Millions of Dollars’

Article Link: https://therecord.media/shopping-scam-thousands-sites-phishing

  • Cybercriminals behind the “Phish ‘n’ Ships” scheme defrauded hundreds of consumers through hacked shopping sites, redirecting them to fake stores and collecting payments for unshipped items.
  • The scheme, dating back to at least 2019, was publicly detailed by Satori Threat Intelligence in October 2024, revealing massive financial losses for unsuspecting shoppers.
  • Using malicious code, scammers created fake listings for hard-to-find items, placing them high in search results. Victims were directed to 121 fraudulent sites where they paid via third-party processors, leading to “tens of millions” in consumer losses.
  • The scheme leveraged search rankings and payment systems to appear legitimate. HUMAN researchers disrupted parts of it by notifying law enforcement and payment processors, but the threat persists, urging site security measures and consumer caution.

Ex-Disney Employee Charged with Hacking Menu Database

Article Link: https://www.darkreading.com/cyberattacks-data-breaches/ex-disney-employee-charged-hacking-menu-database

  • Michael Scheuer, former menu production manager at Disney, allegedly retaliated after a contentious firing by hacking Disney’s restaurant menu database using his still-active credentials.
  • Scheuer is charged with altering fonts to Wingdings symbols and deleting allergen data, creating considerable risks to customer safety and system usability. He also reportedly engaged in DDoS attacks against Disney employees.
  • Disney’s internal restaurant menu database and employee systems were targeted remotely, using access still granted through a third-party contracted menu system.
  • Scheuer’s purported actions were driven by unresolved tension post-termination. Disney faced weeks of operational downtime and potentially severe liability concerns, necessitating information security audits and stricter credential controls to prevent similar incidents.
