QA's practice director of Cyber Security, Richard Beck, rounds up the latest cyber security news.

Anonymous cripples Russian Fed Security Service (FSB) and other top sites

The Anonymous hacktivists collective are claiming to have targeted top Russian government websites in a series of DDoS attacks. As a result, the official website of the Federal Security Service (aka FSB, the principal security agency of Russia), the Stock Exchange, Analytical Center for the Government of the Russian Federation, and the Ministry of Sport of the Russian Federation have been forced to go offline.

The cyberattack, which was part of Anonymous’ ongoing operation called OpRussia, took place around 12:12 PM (GMT) on 15 March. The severity of the attack can be quantified by the fact that almost seven hours had passed since the attack took place, yet all targeted websites were still unreachable and offline for visitors. On Twitter, @YourAnonNews, one of the largest social media representatives of the Anonymous movement, shared several screenshots showing targeted domains and their current service status.

The group’s most significant attack took place last week when one of its affiliates hacked over 400 surveillance cameras in Russia. The hacktivists then defaced the compromised cameras with messages against President Putin and in support of Ukraine. The second attack, which is ongoing, is being set up by Squad303, a newly formed digital army comprising Anonymous-associated programmers. In the first stage of the attack, the group sent out 7 million text messages to random Russian citizens across the country urging them to protest against the Russian attack on Ukraine.

Russian hackers exploiting multi-factor authentication flaw

The FBI says Russian state-backed hackers gained access to a non-governmental organisation (NGO) cloud after enrolling their own device in the organisation's Duo MFA following the exploitation of misconfigured default multifactor authentication (MFA) protocols. To breach the network, they used credentials compromised in a brute-force password guessing attack to access an un-enrolled and inactive account, not yet disabled in the organisation's Active Directory.

"As Duo's default configuration settings allow for the re-enrolment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory," the federal agencies explained.

The next step was to disable the MFA service by redirecting all Duo MFA calls to localhost instead of the Duo server after modifying a domain controller file. This allowed them to authenticate to the NGO’s virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts. With the help of these compromised accounts and without MFA enforced, the Russian-backed threat actors could move laterally and gain access to the cloud storage and email accounts and exfiltrate data.

The FBI and CISA urged all organisations today in a join cybersecurity advisory to apply the following mitigation measures:

  • Enforce MFA and review configuration policies to protect against “fail open” and re-enrolment scenarios.
  • Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems. 

Additional Wiper malware targeting Ukrainian organisations

Experts discovered a new wiper, tracked as CaddyWiper, that was employed in attacks targeting Ukrainian organisations. Experts at ESET Research Labs discovered a new data wiper, dubbed CaddyWiper, that was employed in attacks targeting Ukrainian organisations. The security firm has announced the discovery of the malware with a series of tweets.

“This new malware erases user data and partition information from attached drives,” ESET Research Labs reported. “ESET telemetry shows that it was seen on a few dozen systems in a limited number of organisations.”

CaddyWiper is the third wiper observed by ESET in attacks against Ukraine after HermeticWiper and IsaacWiper, experts pointed out that it does not share any significant code similarity with them. Similar to HermeticWiper deployments, CaddyWiper being deployed via GPO, a circumstance that suggests the attackers had initially compromised the target’s Active Directory server.

In order to maintain access to the target organisation while still disturbing operations, the CaddyWiper avoids destroying data on domain controllers. CaddyWiper uses the DsRoleGetPrimaryDomainInformation() function to determine if a device is a domain controller. The CaddyWiper sample analysed by ESET was not digitally signed, the malware was compiled.

Malware leveraging Telegram's infrastructure

Cybercriminals behind Raccoon Stealer have been found using a chat app to store and update C2 addresses to spread within infected machines. Recently, the stealer has added the ability to update its own actual C2 addresses on Telegram’s infrastructure. The Avast research report disclosed that the recent version of Raccoon Stealer communicates with its C2 within Telegram. The new variant has the capability to store and update its C2 addresses that are stored on Telegram’s infrastructure. So far, the stealer has spread clipboard crypto stealers, downloaders and WhiteBlackCrypt ransomware.

There are four crucial values for C2 communication, which are hardcoded in every sample. The values are MAIN_KEY, URLs of Telegram gates with a channel name, BotID, and TELEGRAM_KEY.  To hijack Telegram for C2, the malware decrypts MAIN_KEY that decrypts Telegram gates URLs and BotID. The stealer uses the Telegram gate to get to the actual C2 by using a string of queries that ultimately allow it to use the Telegram infrastructure for updating and storing real C2 addresses.

The exploitation of Telegram by cybercriminals is not new. Raccoon Stealer abuses it to operate in stealth mode. Experts think that the developers of this malware will continue to add new features to it to make it efficient. As a precaution, organisations should always use reliable anti-malware solutions.

Hundreds of GoDaddy-hosted websites compromised

Internet security analysts have spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy's Managed WordPress service, all featuring an identical backdoor payload. The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress. The discovery comes from Wordfence, whose team first observed the malicious activity on 11 March, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy.

The backdoor infecting all sites is a 2015 Google search SEO-poisoning tool implanted on the wp-config.php to fetch spam link templates from the C2 that are used to inject malicious pages into search results. The campaign uses predominately pharmaceutical spam templates, served to visitors of the compromised websites instead of the actual content. The goal of these templates is likely to entice the victims to make purchases of fake products, losing money and payment details to the threat actors.

Wordfence also reminds admins that while removing the backdoor should be the first step, removing spam search engine results should also be a priority.

Scam Royal Mail AI chatbot offers a new iPhone

Royal Mail scams, in which people receive a scam notification that a parcel could not be delivered for some reason, are always popular techniques for people up to no good. We’ve covered them several times over the last year or so. Here’s the latest scam, promising a new IPhone to victims, and what happens when people visit the site in question. Visitors are greeted by a “chatbot”, talking to them directly about a missing parcel. The chatbot cycles through some text, claiming the parcel is damaged in some way.

Essentially, the scammers came up with an idea for an evolving Royal Mail phish – AI chatbots – and then inexplicably undermined themselves with a completely unrelated landing page promoting mobile phone competitions. You’d hope this would lower the chances of people signing up, but you never know.

As for the chatbot itself, there’s no way to know for sure how it is operated. It may be like one of those pornography chatbots on spam sites that run through the same handful of replies no matter what you type. Perhaps it was coded to detect a handful of different responses. It might even have been the scammer themselves, for that added splash of interactivity.

The site sporting the competition itself informed Which? magazine that an affiliate is responsible for this one and they’ve refunded three people who fell for it. Hopefully this low number does indeed indicate that starting off with a Royal Mail delivery and ending with mobile phones is a bridge too far. This is a better result than if the landing page was a carefully crafted Royal Mail fake out, so it’s possible we’ve all scored a lucky break here.

As with all these scams: Should you find a mysterious text or mail telling you a parcel is waiting, contact your local Royal Mail depot. Sites asking for delivery fees should be viewed with skepticism, and that goes double for offers of a distinctly non-postal variety.

Actors bypassing Apple App Store security

Scammers are bypassing Apple’s App Store security, stealing thousands of dollars’ worth of cryptocurrency from the unwitting, using the TestFlight and WebClips programmes. For about a year now, crypto-traders and lovelorn singles alike have been losing their money to CryptoRom, a malware campaign that combines catfishing with crypto-scamming. According to research from Sophos, CryptoRom’s perpetrators have now improved their techniques. They’re leveraging new iOS features – TestFlight and WebClips – to get fake apps onto victims’ phones without being subject to the rigorous app store approval process.

Successful CryptoRom scams have resulted in five-, six- and even seven-figure losses for victims. The trading apps tend to be cryptocurrency-related, since, more so than with fiat currency, cryptocurrency payments are irreversible. A crucial component to the CryptoRom attack flow is those fake apps. Victims might receive a link to download what purports to be BTCBOX, for example, or Binance – perfectly legitimate cryptocurrency trading platforms. These apps appear to have professional user interfaces, and even come with customer-service chat options.

Apple and Google apply strict vetting to weed out malicious mobile apps like these from their official stores. But, as Threatpost has covered before, hackers have clever tricks to get around conventional security testing. In the past, for example, CryptoRom’s preferred method was to use the Apple Developer Program and Enterprise Signatures. Since it’s almost impossible for law enforcement to crack down on any one individual scam, app store providers have a responsibility to monitor for misuse of these developer tools, Mark Lambert, vice president of products at ArmorCode, told Threatpost.

Read more here