19th January, 2024
This week we observed a wide variety of news, one of the most notable items being Inferno Drainer becoming defunct, following the work of security researchers at Group-IB. Unfortunately, it was not all good news: we have seen a notable rise in infostealers targeting cryptocurrency wallets, with Phemedrone and its ilk providing just a small insight into the havoc caused by this type of malware.
Finally, and perhaps most crucially, we have seen more exploitation of critical infrastructure. CISA issued a warning about AndroxGh0st, a notorious botnet, because of its exploitation of known flaws, and multiple critical vulnerabilities announced in UEFI firmware suggest that exploitation of those systems is not far off. We strongly advise all companies to keep applying the latest available patches. Keep safe.
The now-defunct Inferno Drainer, a notorious wallet-draining malware, wreaked havoc in the cryptocurrency world between 2022 and 2023. The operators behind the scheme reportedly created over 16,000 unique malicious domains, using high-quality phishing pages to trick unsuspecting users into connecting their cryptocurrency wallets to the attackers' infrastructure. The pages spoofed Web3 protocols, leading victims to authorise transactions without realising it. Active for about a year, Inferno Drainer is estimated to have scammed more than 137,000 victims, reaping over $87 million in illicit profits.
The malware was part of a broader set of offerings available to affiliates under the scam-as-a-service model: customers could either upload the malware to their own phishing sites or use the developers' service for creating and hosting phishing websites. The activity spoofed over 100 cryptocurrency brands via specially crafted pages hosted on unique domains. Links to these sites were spread on platforms like Discord and X (formerly Twitter), enticing potential victims with free tokens and draining their assets once the transactions were approved. Although it has ceased activity, the prominence of Inferno Drainer throughout 2023 underscores the severe risk to cryptocurrency holders as similar threats continue to evolve.
A Patched Windows Flaw Abused to Deliver Phemedrone Stealer
Threat actors have been exploiting a now-patched Windows security flaw, CVE-2023-36025, to deploy an open-source information stealer called Phemedrone Stealer. The malware harvests data from web browsers, cryptocurrency wallets and messaging apps such as Telegram, Steam and Discord; it also takes screenshots and gathers system information, all of which is sent to the attackers via Telegram or their command-and-control server. The attack begins with malicious Internet Shortcut (.URL) files hosted on Discord or cloud services such as FileTransfer.io, with the links masked by URL shorteners.
When the booby-trapped .URL file is opened, it fetches and executes a Control Panel (.CPL) file from an actor-controlled server; because CVE-2023-36025 lets such a shortcut bypass the Windows Defender SmartScreen prompt, the user sees no warning. The .CPL file (a DLL by format) acts as a loader that invokes Windows PowerShell to download and execute the next stage, hosted on GitHub. That follow-on payload is a PowerShell loader which launches Donut, an open-source shellcode loader, to decrypt and execute Phemedrone Stealer. Although the flaw is patched, threat actors keep abusing CVE-2023-36025 on systems that have not received the fix to evade SmartScreen and deliver various malware types, including ransomware and stealers like Phemedrone.
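The first link in the chain above is a plain-text Internet Shortcut whose URL field points at a remote .CPL file, which makes it easy to triage such files in bulk before they reach a desktop. The following Python is an added illustration for this digest, not code from the page or from any vendor report: it parses the INI-style .URL format and flags targets that are executable by extension, that live on a remote host (file:// with a host, or a UNC path), or that carry an '@' in the URL authority. The shortcut contents, file names and heuristics are constructed for the example (192.0.2.10 is a documentation address), and the '@'-in-authority check is an assumption about how such lures are written, not a vendor signature.

```python
"""Flag Internet Shortcut (.URL) files whose target would pull a Control Panel
(.CPL) file or other executable from a remote host.

Added illustration, not code from the page or from any vendor report. The
sample shortcuts below are constructed; 192.0.2.10 is a documentation address.
The heuristics are assumptions rather than a published detection signature.
"""
import configparser
import os
from typing import Dict, List
from urllib.parse import urlparse

# Extensions Windows will run or load rather than merely open in a viewer.
EXECUTABLE_EXTS = {".cpl", ".dll", ".exe", ".scr", ".hta", ".js", ".vbs",
                   ".bat", ".cmd", ".lnk"}


def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Parse the [InternetShortcut] section of a .URL file.
    Keys come back lower-cased; an empty dict means the file is not a shortcut."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def classify_target(url: str) -> List[str]:
    """Return the reasons a shortcut target looks dangerous (empty if none)."""
    reasons: List[str] = []
    url = url.strip()
    if url.startswith("\\\\"):
        reasons.append("UNC path target")
        path = url
    else:
        parsed = urlparse(url)
        path = parsed.path
        if parsed.scheme == "file" and parsed.netloc:
            reasons.append("file:// target on a remote host")
        if parsed.netloc and "@" in parsed.netloc:
            # Assumption: an '@' in the authority (host@port style) is a trick
            # to steer the fetch to a non-standard port rather than a login.
            reasons.append("'@' in URL authority")
    ext = os.path.splitext(path.lower())[1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable target ({ext})")
    return reasons


def scan_shortcuts(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to its list of findings (empty list = looks benign)."""
    findings: Dict[str, List[str]] = {}
    for name, text in files.items():
        target = parse_url_shortcut(text).get("url", "")
        findings[name] = classify_target(target) if target else ["no URL field"]
    return findings


# Constructed samples: one benign shortcut and two that mimic a remote-.CPL lure.
SAMPLES = {
    "invoice.url": "[InternetShortcut]\nURL=https://example.com/invoice.pdf\n",
    "update.url": "[InternetShortcut]\nURL=file://192.0.2.10@80/share/update.cpl\nIconIndex=0\n",
    "share.url": "[InternetShortcut]\nURL=\\\\192.0.2.10\\share\\update.cpl\n",
}

if __name__ == "__main__":
    for name, reasons in scan_shortcuts(SAMPLES).items():
        verdict = "SUSPICIOUS: " + "; ".join(reasons) if reasons else "ok"
        print(f"{name}: {verdict}")
```

Run it over a directory of quarantined attachments by reading each file's text into the dictionary; anything that reports an executable extension on a remote target deserves a look regardless of whether the SmartScreen patch is deployed.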
Critical Vulnerabilities Expose Over 178,000 SonicWall Firewalls to Remote Exploits
Over 178,000 SonicWall firewalls exposed on the internet are susceptible to two security flaws that pose a risk of denial-of-service (DoS) and remote code execution (RCE). The vulnerabilities, CVE-2022-22274 and CVE-2023-0656, are stack-based buffer overflows in SonicOS that could allow unauthenticated remote attackers to crash the device or execute malicious code. Although there are no reported exploits in the wild, a proof-of-concept (PoC) for CVE-2023-0656 was published in April 2023. Attackers could weaponise these flaws to induce repeated crashes, forcing affected devices into maintenance mode. Notably, over 146,000 publicly accessible devices remain vulnerable, underlining the urgency of updating to the latest firmware and keeping the management interface off the internet. watchTowr Labs recently uncovered additional buffer overflow flaws in SonicOS, which only adds to the case for proactive patching.
AndroxGh0st Botnet: CISA's Newest Warning
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint warning about the AndroxGh0st botnet. This Python-based malware, first documented by Lacework in December 2022, is used by threat actors to identify and exploit victims in target networks.
AndroxGh0st infiltrates servers vulnerable to known security flaws, reads Laravel application environment (.env) files and steals the credentials they hold for high-profile services such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid and Twilio. Stolen AWS credentials are then used to create new IAM users and policies and, in several instances, to launch new AWS instances for further malicious scanning. The malware can also download additional payloads and retain persistent access to compromised systems, which makes it a potent threat.
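Because the botnet's first move against a web server is to request Laravel's .env file from a handful of likely locations, the probing shows up in ordinary access logs well before any credential is used. The Python below is an added illustration, not code from the page or from the CISA/FBI advisory: it parses combined-format access log lines, keeps only requests whose path ends in .env or a backup variant of it, and reports any client that tried several distinct locations (scanner behaviour) or received a 200 (the file was actually served). The log lines are constructed for the example, 192.0.2.x and 198.51.100.x are documentation addresses, and the three-path threshold is an assumption to tune for your traffic.

```python
"""Spot AndroxGh0st-style probing for Laravel .env files in web access logs.

Added illustration, not code from the page or from the CISA/FBI advisory.
The log lines are constructed (Apache/nginx combined format; 192.0.2.x and
198.51.100.x are documentation addresses) and the threshold is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# Last path segment is .env, or a variant such as .env.bak / .env.old.
ENV_RE = re.compile(r'/\.env(?:\.[A-Za-z0-9_-]+)?$', re.IGNORECASE)


def is_env_probe(path: str) -> bool:
    """True if the request path (query string ignored) targets a .env file."""
    return bool(ENV_RE.search(path.split("?", 1)[0]))


def find_env_probes(lines: List[str], min_paths: int = 3) -> Dict[str, dict]:
    """Group .env requests by client IP. Flag an IP when it probed at least
    min_paths distinct locations, or when any request returned 200."""
    per_ip = defaultdict(lambda: {"paths": set(), "hits_200": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_env_probe(m["path"]):
            continue
        rec = per_ip[m["ip"]]
        rec["paths"].add(m["path"])
        if m["status"] == "200":
            rec["hits_200"].append(m["path"])
    report: Dict[str, dict] = {}
    for ip, rec in per_ip.items():
        scanning = len(rec["paths"]) >= min_paths
        if scanning or rec["hits_200"]:
            report[ip] = {
                "paths": sorted(rec["paths"]),
                "leaked": rec["hits_200"],   # non-empty means the file was served
                "scanning": scanning,
            }
    return report


# Constructed sample: one scanner, one client that got a real .env, one benign.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2024:03:12:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Jan/2024:03:12:02 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Jan/2024:03:12:02 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Jan/2024:03:12:03 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jan/2024:03:20:44 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.9 - - [15/Jan/2024:03:21:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jan/2024:03:21:11 +0000] "GET /.environment HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in find_env_probes(SAMPLE_LOG).items():
        kind = "LEAK" if info["leaked"] else "scan"
        print(f"{ip}: {kind} paths={info['paths']} leaked={info['leaked']}")
```

A 200 on any .env path is the finding that matters: treat every secret in that file (AWS keys, mail and SMS API tokens) as compromised and rotate it, then check the AWS account for IAM users and instances you did not create.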
Nine Critical Security Flaws in UEFI Firmware TCP/IP Stack Pose Remote Exploitation Risks
Multiple vulnerabilities, collectively named PixieFail by Quarkslab, have been discovered in the TCP/IP network protocol stack of the open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification. The nine issues reside in the TianoCore EFI Development Kit II (EDK II) and can lead to remote code execution, denial-of-service (DoS), DNS cache poisoning and leakage of sensitive information. UEFI firmware from AMI, Intel, Insyde and Phoenix Technologies is affected. The vulnerabilities sit in NetworkPkg, the TCP/IP stack incorporated in EDK II and used during the Preboot eXecution Environment (PXE) stage for booting devices over the network. Exploitation risks include DNS and DHCP poisoning, information leakage, DoS and data insertion attacks at the IPv4 and IPv6 layers. The practical impact varies with the firmware build and with whether PXE boot is enabled.
100GB+ Password Dump: Time to Change Password
Nearly 71 million unique credentials for websites including Facebook, Roblox, eBay and Yahoo have been circulating online for at least four months. Troy Hunt, operator of the Have I Been Pwned? breach notification service, discovered the data dump on an underground market known for brokering sales of compromised credentials. What sets this dump apart is that nearly 25 million of the passwords had never been leaked before, a significant volume of new data. The data originates from 'stealer logs', the records produced by infostealer malware on compromised machines, and comprises 319 files totalling 104GB and 70,840,771 unique email addresses.
The exposed credentials appear in plaintext and include accounts for a variety of sites including Facebook, Roblox, Coinbase, Yammer and Yahoo. Most of them are weak and would easily fall to a simple dictionary attack. Data collected by Have I Been Pwned indicates this weakness is widespread: its roughly 100 million unique passwords have been seen 1.3 billion times. Hunt confirmed the authenticity of the dataset by contacting people at some of the listed email addresses and by checking a sample of the credentials to see whether the email addresses were associated with accounts on the affected websites.
VF Corp Discloses Ransomware Attack: Data of 35.5 Million Customers at Risk
VF Corp, the parent company of brands such as The North Face and Timberland, has disclosed a ransomware attack that potentially affects millions of customers who bought from its high-street brands. The breach occurred in December 2023 and disrupted operations, including online order fulfilment, during the crucial holiday season. The ALPHV ransomware group, also known as BlackCat, later claimed responsibility.
VF Corp reported that personal data of 35.5 million customers was stolen, though no payment card details, bank account information or social security numbers were compromised. Specific details of the stolen data were not disclosed, leaving consumers uncertain about the extent of the breach. VF Corp said it does not believe customer passwords were taken, but users are advised to change them as a precaution. The company is cooperating with law enforcement and regulators and, although the financial impact is not yet known, intends to recover costs through cybersecurity insurance claims. Its ecommerce sites and distribution centres are reportedly operating with minimal issues.