RedLine stealer variant delivers Lua bytecode by disguising as game cheat
According to McAfee Labs, this off-the-shelf variant of RedLine malware gathers saved credentials, autocomplete data, credit card information, and geolocation information from cryptocurrency wallets, VPN software, and web browsers. It uses malicious Lua bytecode for added stealth and sophistication. It was being spread through an abused Microsoft GitHub repository which has since been closed. The ZIP archive that had been placed there appears to be a game cheat, indicating that gamers were the likely target.
GitHub comments abused to push malware via Microsoft repo URLs
The RedLine stealer story brings to light the issue of the GitHub flaw that was abused by the threat actors behind RedLine. According to BleepingComputer, the use of the Microsoft GitHub repository makes the files appear trustworthy, and the flaw itself “could be abused with any public repository on GitHub, allowing threat actors to create very convincing lures.” Their research shows that the malware zip files are uploaded as part of a comment left on a commit or issue in the project. “When leaving a comment, a GitHub user can attach a file. Instead of generating the URL after a comment is posted, GitHub automatically generates the download link which allows threat actors to attach their malware to any repository without them knowing.”
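As an added example (not code from the article or from BleepingComputer), a small Python check a mail or chat filter could run over message text: it flags links that use GitHub's comment-attachment path shape (owner/repo/files/id/name, a shape taken from general knowledge of GitHub rather than stated here) and point at an archive or executable, since such a file lives in comment storage rather than in the repository's own tree. The organisation, repository and file names in the sample message are constructed placeholders.

```python
import os
import re
from urllib.parse import urlparse, unquote

# Attachment uploaded through a GitHub comment: /<owner>/<repo>/files/<numeric id>/<name>.
# It is served under the repository's URL prefix but is not part of its source tree.
ATTACHMENT_RE = re.compile(r"^/([^/]+)/([^/]+)/files/(\d+)/([^/]+)$")
# Content that genuinely comes from the repository or its releases.
REPO_CONTENT_RE = re.compile(r"^/([^/]+)/([^/]+)/(?:blob|raw|tree|releases/download)/")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
RISKY_EXT = {".zip", ".rar", ".7z", ".exe", ".msi", ".lnk", ".scr", ".iso"}


def classify_github_url(url):
    """Return a dict describing where on GitHub a URL actually points."""
    p = urlparse(url)
    if p.netloc.lower() not in {"github.com", "www.github.com"}:
        return {"kind": "not_github", "url": url}
    m = ATTACHMENT_RE.match(p.path)
    if m:
        owner, repo, _attach_id, name = m.groups()
        name = unquote(name)
        ext = os.path.splitext(name)[1].lower()
        return {"kind": "comment_attachment", "url": url, "owner": owner,
                "repo": repo, "file": name, "risky": ext in RISKY_EXT}
    if REPO_CONTENT_RE.match(p.path):
        return {"kind": "repo_content", "url": url}
    return {"kind": "other", "url": url}


def flag_lure_links(text):
    """Extract URLs from free text and return attachment links worth blocking or reviewing."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)]")  # drop punctuation that trails a URL in prose
        info = classify_github_url(url)
        if info["kind"] == "comment_attachment" and info["risky"]:
            hits.append(info)
    return hits


# Constructed sample message; the organisation, repository and file names are placeholders.
SAMPLE = (
    "Grab the cheat here: https://github.com/example-org/example-repo/files/123456/Cheat.Lab.zip. "
    "Source is at https://github.com/example-org/example-repo/blob/main/README.md"
)

if __name__ == "__main__":
    for hit in flag_lure_links(SAMPLE):
        print(f"review: {hit['url']} (attachment '{hit['file']}' under {hit['owner']}/{hit['repo']})")
```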
MITRE’s breach was through Ivanti zero-day vulnerabilities
The MITRE Corporation is a not-for-profit organization that oversees federally funded research. In a blog post released on Friday the organization stated that it had been breached and reconnoitered by nation-state hackers in January. The group exploited one of its VPNs through two vulnerabilities in Ivanti Connect Secure. In the blog post, MITRE explained that the hackers used a “combination of sophisticated backdoors and webshells to move laterally and harvest credentials.” The organization said, “it followed advice from the government and Ivanti to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure,” adding, “at the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.”
(The Record and MITRE blog post)
UK cyber agency NCSC announces Richard Horne as its next CEO
Richard Horne, who has a PhD in mathematics and cryptography from the University of London, will become the third permanent chief executive of Britain’s National Cyber Security Centre. He currently works for the accountancy and professional services firm PwC UK as head of its cybersecurity practice, and before that he served as managing director of cybersecurity for Barclays Bank, during which time he assisted the British government in developing the country’s 2011 Cyber Security Strategy. Horne will start in the NCSC position in the autumn.
Huge thanks to this week’s episode sponsor, Veracode

Researchers find dozens of fake E-ZPass toll websites following FBI warning
Researchers from cybersecurity firm DomainTools have found almost 30 phishing websites that spoof the electronic toll collection service E-ZPass. The sites are connected to a smishing campaign that sends fake text messages to get victims to download malware, share sensitive information, or send money. “The messages use a state toll service name and say the victim has an outstanding balance on their account. To avoid a late fee, the texts say victims need to visit a website to settle the balance.”
The art of penetrating a business without touching the endpoint
Experts from Push Security are presenting detailed information in The Hacker News about the practice of “networkless” attack techniques targeting cloud apps and identities. Describing them as the new perimeter, the article covers techniques such as Adversary-in-the-Middle (AiTM) phishing, Instant Messaging (IM) phishing, SAMLjacking, in which an attacker makes use of SAML (Security Assertion Markup Language) SSO, and Oktajacking, in which an attacker sets up their own Okta tenant to be used in highly convincing phishing attacks. A link to the report is available in the show notes to this episode.
Last week in ransomware
Last week saw a new operation called RansomHub, which is apparently derived from an affiliate of BlackCat whose ransom from Change Healthcare was stolen during the ALPHV/BlackCat exit scam. This affiliate claims to have kept the stolen data and is now extorting the company again through RansomHub. This is according to BleepingComputer, who adds that the Change Healthcare attack has cost UnitedHealth Group $872 million, with losses expected to continue. Last week also saw the Daixin operation claiming the cyberattack on Omni Hotels. “Other attacks targeted chipmaker Nexperia, the United Nations Development Programme (UNDP), Octapharma Plasma, and the Atlantic States Marine Fisheries Commission (ASMFC). We also reported last week on the Michigan healthcare group Cherry Health, self-propagating ransomware from LockBit 3.0 and the fact that Change Healthcare data has now been announced as for sale.”