27th January, 2023
Mailchimp Hit with Another Security Breach Following Social Engineering Attack
Email marketing service Mailchimp has disclosed its third major security breach within 12 months, the result of a social engineering attack on its employees. The breach was identified on the 11th of January after an unauthorised actor gained access to select Mailchimp accounts using valid employee credentials compromised in the attack. According to the company, 133 customer accounts were breached and there is no evidence that any other systems or accounts were affected. The incident allegedly exposed user names, URLs, addresses and email addresses, but no payment data, passwords or other sensitive information. The aftermath of this attack shows that social engineering remains an effective way to gain access to sensitive information; Mailchimp has temporarily disabled the employee accounts where suspicious activity was detected.
Emotet Has Resurfaced and Now Comes with New Evasion Techniques
Emotet, which officially re-emerged in late 2021 after a coordinated takedown of its infrastructure by authorities earlier that year, has remained a persistent threat distributed through phishing emails. An SMB spreader that uses a list of hard-coded usernames and passwords to facilitate lateral movement and a credit card stealer that targets the Chrome web browser are the two most recent additions to Emotet's module arsenal. Recent botnet campaigns have used generic lures with weaponized attachments to start the attack chain. However, as macros have become an obsolete method of payload distribution and initial infection, the attacks have shifted to other methods to avoid detection by malware detection tools. The new method instructs victims to move the decoy Microsoft Excel files to Windows' default Office Templates folder, a location trusted by the operating system, so that the malicious macros embedded within the documents execute and deliver Emotet. The development highlights Emotet's ongoing efforts to retool itself and spread other malware, such as Bumblebee and IcedID.
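A defender-side check for the template-folder trick described above, added here as an example and not code from the article or any vendor: it scans constructed Sysmon-style FileCreate lines for macro-capable Office documents written into the default per-user Office Templates folder (%APPDATA%\Microsoft\Templates, the known default) by a process that is not itself an Office application. The simplified key=value log format, the sample events and the Office allow-list are assumptions for the demo.

```python
"""Flag Office documents dropped into the trusted Office Templates folder.
Added example, not from the article. Parses constructed Sysmon-style
FileCreate events (Event ID 11) in a simplified 'key=value' format and
flags macro-capable documents written there by non-Office processes.
"""
import re
from pathlib import PureWindowsPath

# Macro-capable Office document extensions worth flagging in Templates.
MACRO_EXTS = {".xls", ".xlsm", ".xlsb", ".xlt", ".xltm",
              ".doc", ".docm", ".dot", ".dotm", ".ppt", ".pptm"}
# Office binaries that legitimately write templates (heuristic allow-list).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Default per-user Office Templates folder: %APPDATA%\Microsoft\Templates.
TEMPLATES_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Templates\\", re.IGNORECASE)

# Constructed sample events (simplified Sysmon fields, one event per line).
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Windows\explorer.exe "
    r"TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Templates\invoice_0123.xls",
    r"EventID=11 Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE "
    r"TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"EventID=11 Image=C:\Windows\explorer.exe "
    r"TargetFilename=C:\Users\alice\Downloads\invoice_0123.xls",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami",
]

def parse_event(line: str) -> dict:
    """Split 'key=value key=value' into a dict; values may contain spaces."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}

def is_template_drop(event: dict) -> bool:
    """True when a non-Office process creates a macro-capable document in
    the Templates folder, the pattern the Emotet lure relies on."""
    if event.get("EventID") != "11":
        return False
    target = event.get("TargetFilename", "")
    if not TEMPLATES_RE.search(target):
        return False
    if PureWindowsPath(target).suffix.lower() not in MACRO_EXTS:
        return False
    writer = PureWindowsPath(event.get("Image", "")).name.lower()
    return writer not in OFFICE_IMAGES

def find_template_drops(lines) -> list:
    """Return the flagged TargetFilename values from a sequence of log lines."""
    return [e["TargetFilename"] for e in map(parse_event, lines) if is_template_drop(e)]
```

Only the explorer.exe write of invoice_0123.xls into Templates is flagged; Word writing its own Normal.dotm and the same file landing in Downloads are not.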
Git Security Audit Highlights Supply Chain Security Issues
Git's source code includes multiple flaws, including two major overflow problems, according to a recent security audit. Git is widely used and is integrated into well-known packaging methods, so the flaws could have a significant effect on software supply chain security. The most severe flaw the researchers discovered was a memory corruption bug that could be triggered when Git parses the .gitattributes file of a repository. Developers use .gitattributes to customize how Git handles different files and file paths in repositories, such as line endings, file encodings, and more. The managing director of X41 D-SEC stated ‘If attackers could stage it on a popular library, they could have an impact on the git clients using it, which might also involve anyone using common package systems to install software.’ Supply chain attacks are expected to rise in 2023, as they are a less defended attack vector that lets attackers compromise many organisations at once.
DragonSpark Threat Actor Evading Detection with Golang Malware
Chinese-speaking threat actor DragonSpark has been named the likely attacker behind a recent string of intrusions at organisations in eastern Asia. The campaign was discovered by SentinelLabs, who remarked that this spate of attacks was different due to the use of 'little-known open-source SparkRAT alongside malware tools to evade detection via source code interpretation techniques based on the Go programming language.' SparkRAT is constantly being updated and is currently able to conduct various activities including exfiltration of sensitive data, gaining control of the victim system, and running PowerShell commands. Initial access is gained through compromised, web-facing MySQL servers, where the China Chopper web shell is dropped. Through this shell, the group carries out lateral movement and privilege escalation to spread across the network and deploy the malware using the open-source tools SharpToken, BadPotato and GotoHTTP. Although the link to a Chinese threat actor stems from the group's use of the China Chopper web shell, the C2 servers themselves are based in Hong Kong and the US.
FBI Says North Korean Hackers are Behind $100 Million Crypto Heist
On Monday 23rd, the FBI confirmed that North Korean threat actors were responsible for the theft of $100 million in cryptocurrency from the Harmony Horizon Bridge in June 2022. It attributed the attack to the Lazarus Group and APT38, which are thought to be backed by the North Korean state.
"On Friday, January 13, 2023, North Korean cyber actors used RAILGUN, a privacy protocol, to launder over $60 million worth of ethereum (ETH) stolen during the June 2022 heist. A portion of this stolen ethereum was subsequently sent to several virtual asset service providers and converted to bitcoin (BTC)."
The FBI, in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Treasury Department, previously published a joint Cybersecurity Advisory describing a malware campaign dubbed "TraderTraitor" that the DPRK used in the Harmony intrusion.