Apr 16, 2024NewsroomSupply Chain / Software Security

Security researchers have uncovered a “credible” takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project.

“The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails,” OpenJS Foundation and Open Source Security Foundation (OpenSSF) said in a joint alert.

According to Robin Bender Ginn, executive director of OpenJS Foundation, and Omkhar Arasaratnam, general manager at OpenSSF, the email messages urged OpenJS to take action to update one of its popular JavaScript projects to remediate critical vulnerabilities without providing any specifics.

The email author(s) also called on OpenJS to designate them as a new maintainer of the project despite having little prior involvement. Two other popular JavaScript projects not hosted by OpenJS are also said to have been at the receiving end of similar activity.

That said, none of the people who contacted OpenJS were granted privileged access to the OpenJS-hosted project.

The incident brings into sharp focus the method by which the lone maintainer of XZ Utils was targeted by fictitious personas that were expressly created for what’s believed to be a social engineering-cum-pressure campaign designed to make Jia Tan (aka JiaT75) a co-maintainer of the project.

This has raised the possibility that the attempt to sabotage XZ Utils may not be an isolated incident and that it’s part of a broader campaign to undermine the security of various projects, the two open source groups said. The names of the JavaScript projects were not disclosed.

Jia Tan, as it stands, has no other digital footprints outside of their contributions, indicating that the account was invented for the sole purpose of gaining the credibility of the open-source development community over years and ultimately push a stealthy backdoor into XZ Utils.

It also serves to pinpoint the sophistication and patience that has gone behind planning and executing the campaign by targeting an open-source, volunteer-run project that’s used in many Linux distributions, putting organizations and users at risk of supply chain attacks.

The XZ Utils backdoor incident also highlights the “fragility” of the open-source ecosystem and the risks created by maintainer burnout, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said last week.

“The burden of security shouldn’t fall on an individual open-source maintainer — as it did in this case to near-disastrous effect,” CISA officials Jack Cable and Aeva Black said.

“Every technology manufacturer that profits from open source software must do their part by being responsible consumers of and sustainable contributors to the open source packages they depend on.”

The agency is recommending that technology manufacturers and system operators that incorporate open-source components should either directly or support the maintainers in periodically auditing the source code, eliminating entire classes of vulnerabilities, and implementing other secure by design principles.

“These social engineering attacks are exploiting the sense of duty that maintainers have with their project and community in order to manipulate them,” Bender Ginn and Arasaratnam said.

“Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack.”

Feb 28, 2024NewsroomRansomware / Healthcare

The U.S. government is warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the government said in an updated advisory.

“This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The advisory comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).

The BlackCat ransomware operation suffered a major blow late last year after a coordinated law enforcement operation led to the seizure of its dark leak sites. But the takedown turned out to be a failure after the group managed to regain control of the sites and switched to a new TOR data leak portal that continues to remain active to date.

It has also ramped up against critical infrastructure organizations in recent weeks, having claimed responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines, and UnitedHealth Group subsidiary Optum.

The development has prompted the U.S. government to announce financial rewards of up to $15 million for information leading to the identification of key members as well as affiliates of the e-crime group.

BlackCat’s ransomware spree coincides with the return of LockBit after similar disruption efforts led by the U.K. National Crime Agency (NCA) last week.

According to a report from SC Magazine, threat actors breached Optum’s network by leveraging the recently disclosed critical security flaws in ConnectWise’s ScreenConnect remote desktop and access software.

The flaws, which allow for remote code execution on susceptible systems, have also been weaponized by the Black Basta and Bl00dy ransomware gangs as well as by other threat actors to deliver Cobalt Strike Beacons, XWorm, and even other remote management tools like Atera, Syncro, and another ScreenConnect client.

Attack surface management firm Censys said it observed more than 3,400 exposed potentially vulnerable ScreenConnect hosts online, with most of them located in the U.S., Canada, the U.K., Australia, Germany, France, India, the Netherlands, Turkey, and Ireland.

“It’s clear that remote access software like ScreenConnect continues to be a prime target for threat actors,” Censys security researcher Himaja Motheram said.

The findings come as ransomware groups like RansomHouse, Rhysida, and a Phobos variant called Backmydata have continued to compromise various organizations in the U.S., U.K., Europe, and the Middle East.

In a sign that these cybercrime groups are shifting to more nuanced and sophisticated tactics, RansomHouse has developed a custom tool dubbed MrAgent to deploy the file-encrypting malware at scale.

“MrAgent is a binary designed to run on [VMware ESXi] hypervisors, with the sole purpose of automating and tracking the deployment of ransomware across large environments with a high number of hypervisor systems,” Trellix said. Details of MrAgent first came to light in September 2023.

Another significant tactic adopted by some ransomware groups is the sale of direct network access as a new monetization method via their own blogs, on Telegram channels, or data leak websites, KELA said.

It also follows the public release of a Linux-specific, C-based ransomware threat known as Kryptina, which surfaced in December 2023 on underground forums and has since been made available for free on BreachForums by its creator.

“The release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems,” SentinelOne researcher Jim Walter said.

“It is likely to increase the ransomware builder’s attractiveness and usability, drawing in yet more low-skilled participants to the cybercrime ecosystem. There is also significant risk that it will lead to the development of multiple spin-offs and an increase in attacks.”

Feb 05, 2024NewsroomSpyware / Surveillance

The iPhones belonging to nearly three dozen journalists, activists, human rights lawyers, and civil society members in Jordan have been targeted with NSO Group’s Pegasus spyware, according to joint findings from Access Now and the Citizen Lab.

Nine of the 35 individuals have been publicly confirmed as targeted, out of whom had their devices compromised with the mercenary surveillanceware tool. The infections are estimated to have taken place from at least 2019 until September 2023.

“In some cases, perpetrators posed as journalists, seeking an interview or a quote from victims, while embedding malicious links to Pegasus spyware amid and in between their messages,” Access Now said.

“A number of victims were reinfected with Pegasus spyware multiple times — demonstrating the relentless nature of this targeted surveillance campaign.”

The Israeli company has been under the radar for failing to implement rigorous human rights safeguards prior to selling its cyber intelligence technology to government clients and law enforcement agencies for “preventing and investigating terrorism and serious crimes.”

NSO Group, in its 2023 Transparency and Responsibility Report, touted a “significant decrease” in reports of product misuse during 2022 and 2023, attributing the downturn to its due diligence and review process.

“Cyber intelligence technology enables government intelligence and law enforcement agencies to carry out their basic duties to prevent violence and safeguard the public,” the company noted.

“Importantly, it allows them to counter the widespread deployment of end-to-end encryption applications by terrorists and criminals without engaging in mass surveillance or obtaining backdoor access to the devices of all users.”

It further sought to “dispel falsehoods” about Pegasus, stating it is not a mass surveillance tool, that it’s licensed to legitimate, vetted intelligence and law enforcement agencies, and that it cannot take control of a device or penetrate computer networks, desktop or laptop operating systems.

“It is technologically impossible for Pegasus to add, alter, delete, or otherwise manipulate data on targeted mobile devices, or perform any other activities beyond viewing and/or extracting certain data,” NSO Group said.

Despite these assurances, the invasive spyware attacks targeting Jordan civil society members underscores the continued pattern of abuse that run counter to the company’s claims.

Access Now said the victims’ devices were infiltrated with both zero-click and one-click attacks using Apple iOS exploits like FORCEDENTRY, FINDMYPWN, PWNYOURHOME, and BLASTPASS to breach security guardrails and deliver Pegasus via social engineering attacks.

The attacks were characterized by the propagation of malicious links to victims via WhatsApp and SMS, with the attackers posing as journalists to increase the likelihood of success of the campaign.

The non-profit further said that enabling Lockdown Mode on the iPhones likely prevented some of the devices from being re-infected again with the spyware. It also called on world governments, including Jordan’s, to halt the use of such tools and enforce a moratorium on their sale until adequate countermeasures are adopted.

“Surveillance technologies and cyberweapons such as NSO Group’s Pegasus spyware are used to target human rights defenders and journalists, to intimidate and dissuade them from their work, to infiltrate their networks, and to gather information for use against other targets,” Access Now said.

“The targeted surveillance of individuals violates their right to privacy, freedom of expression, association, and peaceful assembly. It also creates a chilling effect, forcing individuals to self-censor and cease their activism or journalistic work, for fear of reprisal.”

A new piece of JavaScript malware has been observed attempting to steal users’ online banking account credentials as part of a campaign that has targeted more than 40 financial institutions across the world.

The activity cluster, which employs JavaScript web injections, is estimated to have led to at least 50,000 infected user sessions spanning North America, South America, Europe, and Japan.

IBM Security Trusteer said it detected the campaign in March 2023.

“Threat actors’ intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users’ credentials in order to then access and likely monetize their banking information,” security researcher Tal Langus said.

Attack chains are characterized by the use of scripts loaded from the threat actor-controlled server (“jscdnpack[.]com”), specifically targeting a page structure that’s common to several banks. It’s suspected the malware is delivered to targets by some other means, e.g., via phishing emails or malvertising.

When the victim visits a bank website, the login page is altered to incorporate malicious JavaScript capable of harvesting the credentials and one-time passwords (OTPs). The script is obfuscated to conceal its true intent.

“This web injection doesn’t target banks with different login pages, but it does send data about the infected machine to the server and can easily be modified to target other banks,” Langus said.

“The script’s behavior is highly dynamic, continuously querying both the command-and-control (C2) server and the current page structure and adjusting its flow based on the information obtained.”

The response from the server determines its next course of action, allowing it to erase traces of the injections, and insert fraudulent user interface elements to accept OTPs to bypass security protections as well as introduce an error message saying online banking services will be unavailable for a time period of 12 hours.

IBM said it’s an attempt to dissuade the victims from logging in to their accounts, providing the threat actors with a window of opportunity to seize control of the accounts and perform unauthorized actions.

While the exact origins of the malware are presently not known, the indicators of compromise (IoCs) suggest a possible connection to a known stealer and loader family known as DanaBot, which has been propagated via malicious ads on Google Search and has acted as acted an initial access vector for ransomware.

“This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state,” Langus said.

The development comes as Sophos shed more light on a pig butchering scheme in which potential targets are lured into investing in a fake liquidity mining service, uncovering a broader set of scams that has netted the actors nearly $2.9 million worth of cryptocurrency this year as of November 15 from 90 victims.

“They appear to have been run by three separate threat activity groups using identical fraudulent decentralized finance (‘DeFi’) app sites, suggesting that they are part of or affiliated with a single [Chinese] organized crime ring,” security researcher Sean Gallagher said.

According to data shared by Europol in its Internet Organized Crime Threat Assessment (IOCTA) earlier this week, investment fraud and business email compromise (BEC) fraud remain the most prolific online fraud schemes.

“A concerning threat around investment fraud is its use in combination with other fraud schemes against the same victims,” the agency said.

“Investment fraud is sometimes linked to romance scams: criminals slowly build a relationship of trust with the victim and then convince them to invest their savings on fraudulent cryptocurrency trading platforms, leading to large financial losses.”

On a related note, cybersecurity company Group-IB said it identified 1,539 phishing websites impersonating postal operators and delivery companies since the start of November 2023. They are suspected to be created for a single scam campaign.

In these attacks, users are sent SMS messages that mimic well-known postal services and are prompted to visit the counterfeit websites to enter their personal and payment details, citing urgent or failed deliveries.

The operation is also notable for incorporating various evasion methods to fly under the radar. This includes limiting access to the scam websites based on geographic locations, making sure that they work only on specific devices and operating systems, and shortening the duration for which they are live.

“The campaign affects postal brands in 53 countries,” Group-IB said. “Most of the detected phishing pages target users in Germany (17.5%), Poland (13.7%), Spain (12.5%), U.K. (4.2%), Turkey (3.4%) and Singapore (3.1%).”