In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials.

Tuesday, July 9, 2024 08:00

_By_ _Teoderick Contreras_ _and_ _Jose Hernandez_ _of Splunk, with contributions from the Splunk Threat Research Team._  

Cryptodrainer scams have emerged as a significant threat in the cryptocurrency ecosystem, targeting unsuspecting individuals with the promise of easy profits while covertly siphoning their digital assets.  

Initially, cryptodrainer scams primarily manifested as fraudulent investment schemes, promising high returns on investments in dubious projects or fake initial coin offerings (ICOs). These scams exploited the speculative nature of cryptocurrency markets, luring investors with the allure of quick riches and revolutionary technology. However, instead of delivering on their promises, scammers absconded with investors' funds. 

An example of a cryptodraining scam spread on a Jamaican news outlet’s X account in 2023 after the account was hacked. 

Cryptodrainer phishing scams targeting cryptocurrency holders have become increasingly sophisticated, with scammers employing social engineering techniques to trick users into divulging their private keys or login credentials. These stolen assets were then swiftly drained from victims' wallets, often leaving them with little recourse for recovery. 

In recent months, a surge in cryptodrainer phishing attacks has been observed, targeting cryptocurrency holders with sophisticated schemes aimed at tricking them into divulging their valuable credentials. These tactics involve deceptive URLs, carefully crafted to resemble legitimate cryptocurrency platforms, enticing unsuspecting users to input their sensitive login information. 

One particularly concerning trend is the emergence of phishing campaigns proliferating across various social media platforms, including X (Twitter). In these instances, compromised accounts, likely hijacked by cybercriminals, are used as unwitting conduits to deliver the malicious URLs to a wider audience. The compromised accounts lend an air of legitimacy to the fraudulent scheme, thereby increasing the likelihood of unsuspecting users falling victim to the scam. 

These types of platforms have long been rife for abuse and scams. Cisco Talos has previously highlighted how various aspects of “Web 3” such as the metaverse and smart contracts have been abused to trick users into emptying their cryptocurrency wallets. Malicious Google Forms documents have also been used as an attack vector for these scams.  

**Anatomy of a crytodrainer attack **

Splunk researchers used the Splunk Attack Analyzer to gain insights into the anatomy of this phishing campaign, which we believe follows the same general infection method and attack pattern of cryptodrainer scams. 

Below are a few examples of phishing website pages designed to mimic legitimate cryptocurrency platforms, enticing users to disclose their cryptocurrency login credentials. 

Phishing site web pages. 

Splunk expanded our repository of potential cryptodrainer phishing URLs using the Attack Analyzer. One such example is _hxxp\[://\]nfts-manta\[.\]network/_, a site identified and flagged as a phishing site by several anti-virus products, according to VirusTotal. 

A phishing site in VirusTotal. 

Splunk Attack Analyzer also provides a comprehensive overview, including the landing page screenshot of the phishing site, potential URL link redirections, detections and related artifacts, facilitating further in-depth analysis. 

A screenshot of Splunk Attack Analyzer. 

Upon accessing this phishing site, users are prompted to connect their cryptocurrency wallets to purportedly claim tokens. A common method observed for wallet connection involves scanning a QR code using a mobile phone. This QR code may seemingly link to the desired cryptocurrency wallet app, offering the illusion of a seamless login process. In reality, this action grants the phishing site access to the user's login credentials, enabling the unauthorized draining of their cryptocurrency wallet. 

A phishing website posing as Manta, a cryptocurrency application.

A QR code displayed on the Manta phishing site. 

**Why should you care? **

Understanding and staying vigilant against cryptodrainer scams is important for safeguarding your financial well-being and data security.  

These scams, often executed through phishing tactics, pose significant risks to individual's finances and personal information if they are invested at all in cryptocurrency.  

By remaining informed about the tactics employed by scammers, you can take proactive measures to protect yourself and prevent potential financial losses. Additionally, spreading awareness about these scams helps mitigate their impact by empowering others to recognize and avoid falling victim to fraudulent schemes.  

Here are a few tips for spotting possible cryptocurrency scams like the ones outlined above: 

*   Carefully consider and thoroughly research before registering for, or investing, in any cryptocurrency that promises quick and significant returns. High-reward opportunities often come with high risks, and many such promises may be scams. As always, if it seems too good to be true, it probably is. 
*   Always verify the legitimacy of the website before providing your personal information or registering your cryptocurrency accounts or wallet. Look for signs of credibility such as secure URLs (https), professional design and positive reviews from trusted sources. 
*   Ensure that your security products are consistently updated to detect and block known malicious websites that employ these deceptive tactics. Regular updates provide the latest protection against evolving threats and scams in the cryptocurrency space. 

By following these guidelines, you can better protect yourself from the risks associated with investing in cryptocurrencies and engaging with online platforms. 

**Coverage **

The following Splunk SOAR playbooks integrate with Splunk Attack Analyzer and other sandbox tools, allowing users and admins to easily triage and identify this type of activity in a given environment. 

Accepts URL link, domain or vault\_id (hash) to be detonated using Splunk Attacker (SAA) API connector. This playbook produces a normalized output for each user and device. 

Leverages Splunk technologies to determine if a .eml or .msg file in the vault is malicious, whether or not it contained suspect URLs or Files, and who may have interacted with the IoCs (emails, URLs or files). 

Automatically dispatches input playbooks with the 'sandbox' tag. This will produce a merge report and indicator tag for each input. 

Below is a list of other IOCs related to cryptodrainer scams.  

    hxxps://123-bti[.]pages[.]dev/ 
    hxxps://giveaway-omnicat[.]pages[.]dev/ 
    hxxps://visit-ait[.]pages[.]dev/ 
    hxxps://enrol-manta[.]network/ 
    hxxp://nfts-manta[.]network/ 
    hxxp://nftbonus-manta[.]network/ 
    hxxps://sea-manta[.]network/ 
    hxxps://sale-starknet[.]io/ 
    hxxps://gain-manta[.]pages[.]dev/ 
    hxxps://frame-343[.]pages[.]dev/ 
    hxxps://gainsatoshi[.]pages[.]dev/ 
    hxxps://visit-dymension[.]pages[.]dev/ 
    hxxps://manta11[.]pages[.]dev/ 
    hxxps://explore-satoshi[.]pages[.]dev/ 
    hxxps://governance-mantanetwork[.]pages[.]dev/ 
    hxxps://accept-satoshivmio[.]pages[.]dev/ 
    hxxps://preregistration-satoshivmio[.]pages[.]dev/ 
    hxxps://receive-altlayerio[.]pages[.]dev/ 
    hxxps://bonus-8u0[.]pages[.]dev/ 
    hxxps://reveal-manta[.]pages[.]dev/ 
    hxxp://acquire-satoshivm[.]io/ 
    hxxps://farcana123[.]pages[.]dev/ 
    hxxps://enlist-jup[.]app/ 
    hxxps://distributedymension[.]pages[.]dev/ 
    hxxps://visit-lineabuild[.]pages[.]dev/ 
    hxxps://1-67c[.]pages[.]dev/ 
    hxxps://registryzetachain[.]pages[.]dev/ 
    hxxps://gratitude-satoshivm[.]pages[.]dev/ 
    hxxps://whitelist-woo[.]pages[.]dev/ 
    hxxps://join-jupapp[.]pages[.]dev/ 
    hxxps://million-satoshivmio[.]pages[.]dev/ 
    hxxps://achieve-altlayer[.]pages[.]dev/ 
    hxxps://follow-satoshivm[.]io/

How do cryptocurrency drainer phishing scams work?

A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware.
The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected

Cyber Espionage / Vulnerability

A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware.

The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

"By exploiting this vulnerability, Velvet Ant successfully executed a previously unknown custom malware that allowed the threat group to remotely connect to compromised Cisco Nexus devices, upload additional files, and execute code on the devices," cybersecurity firm Sygnia said in a statement shared with The Hacker News.

Cisco said the issue stems from insufficient validation of arguments that are passed to specific configuration CLI commands, which could be exploited by an adversary by including crafted input as the argument of an affected configuration CLI command.

What's more, it enables a user with Administrator privileges to execute commands without triggering system syslog messages, thereby making it possible to conceal the execution of shell commands on hacked appliances.

Despite the code execution capabilities of the flaw, the lower severity is due to the fact that successful exploitation requires an attacker to be already in possession of administrator credentials and have access to specific configuration commands. The following devices are impacted by CVE-2024-20399 -

*   MDS 9000 Series Multilayer Switches
*   Nexus 3000 Series Switches
*   Nexus 5500 Platform Switches
*   Nexus 5600 Platform Switches
*   Nexus 6000 Series Switches
*   Nexus 7000 Series Switches, and
*   Nexus 9000 Series Switches in standalone NX-OS mode

Velvet Ant was first documented by the Israeli cybersecurity firm last month in connection with a cyber attack targeting an unnamed organization located in East Asia for a period of about three years by establishing persistence using outdated F5 BIG-IP appliances in order to stealthily steal customer and financial information.

"Network appliances, particularly switches, are often not monitored, and their logs are frequently not forwarded to a centralized logging system," Sygnia said. "This lack of monitoring creates significant challenges in identifying and investigating malicious activities."

The development comes as threat actors are exploiting a critical vulnerability affecting D-Link DIR-859 Wi-Fi routers (CVE-2024-0769, CVSS score: 9.8) – a path traversal issue leading to information disclosure – to gather account information such as names, passwords, groups, and descriptions for all users.

"The exploit's variations \[...\] enable the extraction of account details from the device," threat intelligence firm GreyNoise said. "The product is End-of-Life, so it won't be patched, posing long-term exploitation risks. Multiple XML files can be invoked using the vulnerability."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware

PRESS RELEASE

SAN FRANCISCO, June 26, 2024 /PRNewswire/ -- Ballistic Ventures, the venture capital firm dedicated exclusively to funding and incubating entrepreneurs and innovations in cybersecurity, is pleased to announce that co-founder Kevin Mandia is now General Partner.

Mandia is one of the world's most recognized experts in cybersecurity, known for his relentless efforts to fight cyber threats for more than 30 years. In 2004, he founded renowned cybersecurity firm Mandiant, serving as CEO from 2004 to 2013, when Mandiant Corporation was acquired by FireEye. Mandia took the helm as CEO of FireEye in 2016, guiding the company through a divestiture and corporate name change to Mandiant, Inc. in 2021, and through a successful acquisition by Google in 2022. Mandia recently transitioned to an advisory role within Google Cloud, and he continues to sit on the Google Public Sector board.

In 2023, Mandia was appointed by President Biden to serve as a member of the National Security Telecommunications Advisory Committee (NSTAC). He is also a member of the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee. Previously, he held senior positions in the security consulting divisions of Sytex, acquired by Lockheed Martin, and Foundstone, acquired by McAfee. He also served in the United States Air Force as a computer security officer at the Pentagon, and later as a special agent in the Air Force Office of Special Investigations.

"I am very excited to dedicate more of my energy to Ballistic Ventures, and I especially look forward to working with the entrepreneurs who are shaping the future of cybersecurity," said Mandia.

Ballistic Ventures was co-founded in 2021 by Mandia and General Partners Barmak Meftah, Ted Schlein, Jake Seid and Roger Thornton. While CEO of Mandiant (now part of Google Cloud), Mandia jointly served as Co-founder and Strategic Partner at Ballistic, leading the firm's investment in SpecterOps, the Attack Path Management company, where he is an Observer to the company's Board of Directors. Mandia also served as the second investing partner for five of the VC firm's 18 investments to date, and is a Board Observer to portfolio company Alethea, the disinformation detection and mitigation company.

"We're excited to have Kevin as a General Partner at Ballistic," said Schlein. "Kevin's expertise in the cybersecurity industry is unparalleled, and his knowledge of the market and customer set is unmatched."

As General Partner, Mandia will draw from his extensive knowledge of the threat landscape and expertise as a successful founder and CEO to expand his investments within the firm and continue to mentor entrepreneurs and scale companies across the Ballistic portfolio.

Mandia's move to General Partner comes on the heels of Ballistic Ventures announcing the close of its $360 million oversubscribed second fund. The firm is actively looking to deploy the new capital in novel innovations led by passionate cybersecurity entrepreneurs.

About Ballistic Ventures  
Ballistic Ventures is a venture capital firm solely dedicated to early-stage cybersecurity and cyber-related companies. The partners have spent their entire careers defending against every cyber threat conceivable. Members of the firm have founded, operated, and funded over 100 successful cybersecurity firms – including Abnormal Security, AlienVault, ArcSight, Fortify, Mandiant, and Shape Security – led over 10,000 security professionals globally, and have 40+ years of experience in venture capital. The Ballistic portfolio includes Aembit, Alethea, ArmorCode, AuthMind, Codezero, Concentric AI, Mimic, Nudge Security, Oligo, Pangea, Perygee, Reach Security, SpecterOps, Talon (PANW), Veza and WitnessAI. Our experience provides entrepreneurs impactful support from people focused on the same mission. Our networks and relationships open doors for our founders. Learn more at ballisticventures.com.

Cybersecurity Veteran Kevin Mandia Named General Partner of Ballistic Ventures

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop.

Thursday, June 27, 2024 14:00

AI has since replaced “cryptocurrency” and “blockchain” as the cybersecurity buzzwords everyone wants to hear. 

We're not getting as many headlines about cryptocurrency miners, the security risks or promises of the blockchain, or non-fungible tokens being referenced on “Saturday Night Live.” 

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop. This, in turn, means there are fewer instances of cryptocurrency mining malware being deployed in the wild — if cryptocurrencies aren’t as valuable, the return on investment for adversaries just isn’t there.  

But that still hasn’t stopped bad actors from using the cryptocurrency and blockchain spaces to carry out other types of scams that have cost consumers millions of dollars, as a few recent incidents highlight. 

In place of major cryptocurrencies, many bad faith actors are creating “memecoins,” which are cryptocurrencies usually themed around a particular internet meme or character meant to quickly generate hype. The most famous example, Dogecoin, themed after the “Doge” meme, was 72% below its peak value as of Wednesday. 

At one point, Dogecoin was at least worth something, which is more than can be said for most other memecoins launched today. Cryptocurrency news site CoinTelegraph found that one in six newly launched meme-themed cryptocurrencies are outright scams, primarily centered around getting users to spend real-world money to invest in currency before the creator just takes off with their funds. 

And 90% of the memecoins they studied contained at least one security vulnerability that could leave users open to abuse or theft. 

Singer Jason Derulo is even facing allegations that his “JASON” memecoin on the Solana blockchain platform is a scam after it hit a market cap of $5 million on June 23, and then the value fell almost immediately later that day. Separately, someone hacked rapper 50 Cent’s Twitter account to promote the “$GUINT” memecoin. Upon regaining control of his account, 50 Cent said that whoever committed the scam made $3 million in 30 minutes, with consumers putting money into the memecoin thinking it was legitimate, before the creator took off with the money almost immediately, leaving users unable to access their funds. 

Another popular scam still going around in this space is called the “rug pull,” where a cryptocurrency or NFT developer starts to hype up a new project to attract investor funds, only to completely shut down the project days or weeks later, taking investors’ assets with them. 

Blockfence, a Web3 security firm, found a collection of these scammers earlier this year, claiming they had stolen the equivalent of $32 million from more than 42,000 people across multiple rug pull scams. Unmoderated social media platforms have been rife for abuse for these types of scams, with semi-anonymous users with large followings finding it fairly easy to get a large amount of interest in whatever their latest “project” is in a short amount of time.  

The last example, I’m still not sure if it’s a scam yet. A new video game called “Banana” recently blew up on the Steam online store, even though it’s barely a video game. Users can open the game at fixed intervals and click a button to receive a “banana” in their Steam account. Some of these bananas, usually different artists' renderings of an image of the fruit, are extraordinarily rare and can be re-sold on Steam’s internal marketplace for real-world money. 

Some of these bananas have sold for more than $1,000, but most of the basic ones are only worth a few cents. To me, this looks and smells like an NFT. A former cryptocurrency scammer was once even connected to the project before the creators parted ways with him.  

I have no way of knowing any of this for sure, but there doesn’t seem to be any safeguards in place to ensure the creators of the game could rig it for themselves and give only themselves or close friends copies of the rarer items. And I’m not fully sure what the endgame is for the developers, since “Banana” is free to download and “play.”  

Thankfully, I’m not getting as many questions as I used to about NFTs and “the crypto” from extended family members. But just because it’s disappeared from mainstream consciousness doesn’t mean scammers have forgotten about this space, too. 

**The one big thing **

Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware. SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies. Talos recently revealed SneakyChef’s continuing campaign targeting government agencies across several countries in EMEA and Asia, delivering the SugarGh0st malware, however, we found a new malware we dubbed “SpiceRAT” was also delivered in this campaign.   

**Why do I care? **

SneakyChef has already targeted more than a dozen government ministries across the Eastern Hemisphere. Based on the lure documents Talos discovered the actor using, like targets for the campaign could include the Ministries of Foreign Affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan and the Saudi Arabian embassy in Abu Dhabi. This actor doesn’t seem to be deterred by much, either, as their actions have largely continued in the same manner since Talos first disclosed the existence of SugarGh0st several years ago, using the same TTPs and C2.  

**So now what? **

Talos could not find any of the lure documents used in the wild, so they were very likely stolen through espionage and slightly modified. This could make it more difficult to spot lure documents and spam emails, so users should pay closer attention to the sender’s email address if they are suspicious of any messages. We also released OSQueries, Snort rules and ClamAV signatures that can detect and block SneakyChef’s activities and the SpiceRAT malware.  

**Top security headlines of the week **

**A cyber attack that is stalling communication and sales at car dealerships around the U.S. is unlikely to be restored by the end of the month.** CDK Global, the victim of the campaign, reportedly told customers that they should prepare alternative methods for preparing month-end financial statements. Car dealerships use CDK to conduct sales, process financial information, and look up vehicles’ warranties and recalls. The outage is affecting more than 60 percent of Audi dealerships in the U.S. and about half of Volkswagen’s locations, forcing them to switch to pen-and-paper transactions and contracts or to drop sales altogether. One sales manager of an affected dealership told CNN it could take “months to correct, if not years,” the financial fallout of the outage. CDK first disclosed two back-to-back cyber attacks last week, both of which occurred on June 19. There are already two class action lawsuits against CDK, with plaintiffs alleging that the breach may have exposed customers’ and employees’ names, addresses, social security numbers and other financial information. (Reuters, CNN) 

**The list of victims resulting from a data breach at cloud storage provider Snowflake continues to grow.** Australian ticket sales platform Tiketek informed customers this week of a potential data breach, though it was not immediately clear if it was connected to Snowflake. Retailer Advance Auto Parts also said this week that said employee and applicant data — including social security numbers and other government identification information — were stolen during the breach. Clothing chain Neiman Marcus also filed regulatory documents in Maine and Vermont disclosing that the personal information of more than 64,000 people was potentially accessed because of the Snowflake breach. This information could include names, contact information, dates of birth and gift card numbers for the retailer. Security researchers at Mandiant first estimated that as many as 165 Snowflake customers could be affected. Snowflake says that internal investigations found that the breach was not caused by “a vulnerability, misconfiguration, or breach of Snowflake’s platform." (The Register, The Record by Recorded Future) 

**Adversaries quickly started exploiting another vulnerability in the MOVEit file transfer software, just hours after it was disclosed.** The high-severity vulnerability, CVE-2024-5806, could allow an attacker to authenticate to the file-transfer platform as any valid user with the accompanying privileges. The vulnerability exists because of an improper authentication issue in MOVEit’s SFTP module, which Progress, the creator of the software, says “can lead to authentication bypass in limited scenarios.” A different vulnerability in MOVEit was targeted in a rash of Clop ransomware attacks that eventually affected more than 160 victims, including the state of Maine, the University of California Los Angeles, and British Airways. Managed file transfer software (MFT) like MOVEit are popular targets for threat actors because they contain large amounts of sensitive information, which adversaries will steal and then use to extort victims. The Shadowserver Foundation posted on Twitter on Tuesday that they began seeing exploitation attempts shortly after details emerged about CVE-2024-5806. (Dark Reading, SecurityWeek) 

**Can’t get enough Talos? **

*   Cisco Talos: How Threat Actors Target MFA 
*   MFA plays a rising role in major attacks, research finds 
*   SpiceRAT: Cisco Talos Sound Alarm Over New Trojan 
*   Hack your water and electricity! Myth or Reality? 
*   Multiple vulnerabilities in TP-Link Omada system could lead to root access 
*   Talos Takes Ep. #188: Everything we know about denial-of-service attacks in 2024 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74  
**MD5:** dc30cfd21bbb742c10e3621d5b506780  
**Typical Filename:** KMS-R@1nHook.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202  
**MD5:** e4acf0e303e9f1371f029e013f902262  
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe  
**Claimed Product:** FileZilla  
**Detection Name:** W32.Application.27hg.1201

We’re not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

The attacks infiltrate enterprise networks through browsers, and show an evolution in evasive and adaptive tactics from well-resourced state-sponsored actors.

Source: Rawpixel.com via Shutterstock

Three novel credential-phishing campaigns have emerged from state-sponsored actors that have compromised at least 40,000 corporate users — including top-level executives — in just three months' time, researchers have found.

The attacks target a range of industries and enter corporate environments through browsers, allowing them to get past network infrastructure security controls and cloud network services and demonstrating an evolution in capabilities on the part of adversaries, according to researchers from Menlo Security who discovered them.

The campaigns — called LegalQloud, Eqooqp, and Boomer — are characterized by their deployment of what the researchers call highly evasive and adaptive threat (HEAT) attack techniques that can circumvent controls such as multifactor authentication (MFA) and URL filtering.

Tactics used by the campaigns include bypassing MFA and using phishing kits and adversary-in-the-middle (AitM) tactics to take over user sessions; impersonating entities, primarily Microsoft, familiar to or associated with the organizations targeted; and using dynamic phishing links that make it hard for filtering technologies to track and thus detect.

"These are challenging new tactics, and security practitioners must augment controls and take care to address them immediately," according to the report. "These sophisticated attacks magnify concerns about the effectiveness of traditional network security controls such as secure service Edge (SSE), secure Web gateways (SWG), and endpoint detection and response (EDR)."

**State-Sponsored Actors Get Aggressive**

The campaigns are aimed exclusively at credential phishing, with evidence to connect them to China-sponsored threat actors who are targeting the US and private enterprise in "aggressive cyber espionage efforts, posing an alarming risk to national security and pilfering innovation," according to the report. However, though researchers have established some attribution to a group previously tracked by Microsoft as Storm-1101/DEV-1101 — known for its development of AitM tactics that are used in the campaigns — it's not entirely clear exactly to which nation the attacks are linked.

All told, the campaigns targeted more than 3,000 unique domains across more than 10 industries and government institutions, and six out of 10 malicious links that users clicked on were connected to some kind of phishing campaign or fraud, with one of four of phishing links getting past legacy URL filtering, the researchers found.

Overall, this activity demonstrates how "nation-state cyber actors are constantly refining their methods to make their attacks more sophisticated and adaptable," notes Patrick Tiquet, vice president, security and architecture, at Keeper Security. This, in turn, means enterprises must accept that "adapting cybersecurity strategies is an ongoing process that demands flexibility and agility," he says.

**Specific Credential-Stealing Campaigns**

Though the campaigns have similarities, each has its own unique set of targets and tactics, all with the ultimate goal of extracting credentials from corporate users for further malicious purposes, primarily cyber-espionage.

LegalQloud, so-named because it impersonates legal firms to steal Microsoft credentials, targeted 500 enterprises in 90 days and is exclusively hosted on Tencent Cloud, which is from the largest Internet company in China. This hosting enables the URLs to bypass traditional categorization and allow-list controls, the researchers said.

Eqooqp has been targeting multiple government and private sector organizations — including logistics, finance, petroleum, manufacturing, higher education, and research firms — with AitM attacks that can defeat MFA. Menlo found nearly 50,000 attacks associated with the campaign, which uses malicious HTML attachments or links to pages that mimic Microsoft to phish credentials.

Another phishing campaign, Boomer, is especially intricate, targeting the government and healthcare sectors with advanced evasive techniques that include dynamic phishing sites, custom HTTP headers, tracking cookies, bot-detection countermeasures, encrypted code, and server-side generated phishing pages.

"Boomer uses server-side generated phishing pages for rapid campaign deployment and modification, enhancing the campaign’s ability to evade traditional security tools, indicating a higher level of skill," according to the report. "Boomer also includes properly configured security headers, such as X-XSS-Protection, and uses legitimate libraries, like Font Awesome for icons."

The campaign's Web application also employs a hidden iframe that's designed to detect bots and scan automation as a further advanced evasion tactic, the researchers found.

**Demand for Stronger Defense**

What all this amounts to is that organizations continue to have their work cut out for them to keep up with the evolving nature of attacks, especially from well-resourced state-sponsored actors, security experts say.

AitM attacks in particular — in which attackers deploy a proxy server between a target user and the website the user wishes to visit — "are the future of cybercrime," notes one security expert, and will be a particular thorn in the side of organizations' security strategies going forward.

"\[They\] are extremely effective and much harder to trace and prevent compared to traditional social engineering attacks," says Mika Aalto, co-founder and CEO at human risk management platform firm Hoxhunt.

And while they historically have been technically difficult to achieve for attackers, their recent prevalence shows that threat actors are quickly navigating this barrier, which will bring on "a wave of serious breaches from AitM-integrated credential harvesters, BECs, and ransomware," he says.

"The bottom line is, you have to accept that some attacks will get through to your users and thus you must do your best to prepare them for that fateful moment," Aalto says. "Security awareness and phishing training must keep pace with the latest threats so that people understand AitM and dynamic phishing, and they know how to spot these attacks and stay safe. Indeed, as cybersecurity is now a matter of national security and not just about protecting an organization's own data, it must be treated with the highest priority," Tiquet observes.

This requires organizations to embrace a zero-trust framework that "must evolve alongside technological advancements, workflow changes and shifts in the threat landscape," Tiquet says, and be continually refined and adapted "to ensure it remains effective in mitigating risks and protecting sensitive information."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

China-Sponsored Attackers Target 40K Corporate Users in 90 Days

By Nick Biasini with contributions from Kendall McKay and Guilherme Venere
Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform.

Adversaries obtained stolen login credentials for Snowflake accounts acquired via information-stealing malware and used

Thursday, June 27, 2024 08:01

_By Nick Biasini with contributions from Kendall McKay and Guilherme Venere_

Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform.

  
Adversaries obtained stolen login credentials for Snowflake accounts acquired via information-stealing malware and used those credentials — which weren’t protected by multi-factor authentication (MFA) — to infiltrate Snowflake customers’ accounts and steal sensitive information. However, Snowflake isn’t the issue here. This incident is indicative of a much larger shift we’ve seen on the threat landscape for a while — and it focuses on identity.

  
Over the past few decades, we’ve seen the criminal threat landscape collapse under the ransomware / data extortion umbrella, which is generating so much revenue everyone is trying to grab their piece of the pie. This has been a stark transformation from a loosely associated group of criminals searching for credit card numbers to steal, and spam messages to send to large syndicates that generate, according to the FBI, more than a billion dollars in revenue annually.

**Infostealer logs are a gold mine**

As part of our regular intelligence discussions, Talos reviews all Cisco Talos Incident Response (Talos IR) engagements. Ransomware/data extortion typically dominate engagements, with business email compromise (BEC) periodically rising to the top, but more broadly, we’ve seen the ways these actors gain initial access continue to diversify.

  
Early on, active exploitation of known vulnerabilities or other critical misconfigurations would dominate the initial compromise leading to the breach. Lately, the sources have broadened with a focus on compromised, legitimate credentials. These credentials originate from a wide array of sources from generic phishing campaigns and infostealers to insider threats, valid credentials are the ideal cover for malicious activities. This is further supported with information from the most recent Talos IR Quarterly Trends report, where the top infection vector was valid accounts. This problem extends far beyond compromised credentials with large-scale brute force and password spraying attacks occurring regularly.

  
Infostealers specifically are commonly cited as a source of credentials for these breaches and have been reportedly involved in the recent wave. Many defenders think the infostealers landscape is a monolith with individual actors compromising victims and gathering credentials, but the truth is these are highly organized widely distributed campaigns. The groups have congregated online in Telegram chat rooms where credentials are sold by the thousands or tens of thousands. These actors operate large scale campaigns, gather, vet, and organize the credentials they harvest ready to sell to the highest bidder. This ecosystem includes providing tooling for searching and extracting specific types of data from the logs and validating the credentials before offering.

Advertisement for one of the infostealer log services.

Cisco Talos has sat in these channels and seen thousands of personal credentials for things like Google, Facebook, Netflix, etc. posted for free as a teaser to the larger services they offer. For a fee, actors can get timed access to a repository of credentials to search and use freely. The cost to access these tools varies, but considering a compromised set of enterprise credentials could result in a multi-million-dollar ransom, it’s a minute price to pay.

Free infostealer log offering in Telegram channel.

These channels are full of would-be criminals trying to gain the foothold necessary for their nefarious activities. So far, the focus has been on ransomware and data extortion, but BEC actors can also earn payouts from valid enterprise credentials — even the basic accounts tied to organizations like Google can be a windfall. The Cisco breach from several years ago originated with Google credentials and a password vault that contained their corporate credentials.

  
Today in many enterprises, the credentials alone aren’t enough, as organizations worked diligently to deploy MFA to improve their security baselines. The challenge is that the application isn’t consistent, and the focus has largely been on the enterprise (domain) itself.

**Protect data with MFA, not just assets**

Organizations have heeded the constant drone of security professionals pushing for deployment of MFA across the organization and its helped. We’ve seen a huge increase in attacks designed to defeat the protections MFA provides. We constantly observe things like MFA fatigue and social engineering to defeat MFA. This is further supported from the IR Quarterly Trends report, where for the first time, MFA push notifications was the top observed security weakness. Improper MFA implementation was also found in nearly as many engagements. Likewise, MFA itself has gone through some iterations with basic push notifications being insufficient for modern attackers. Now, challenge-based authentication is recommended for all MFA deployments. Actors have noticed, and this recent issue with Snowflake credentials has shown you need to protect data, not just assets, and corporate data is everywhere.

  
Software as a service (SaaS) has revolutionized business and provided advanced sales tools and analytics to a wide array of industries, facilitating growth and expansion. The problem is it requires data to leave the organization’s safe haven. Most medium- to large-sized organizations today are heavily invested in the cloud, if not multi-tenet cloud environments, with data and resources spread across multiple vendors around the globe. This creates many points of entry for attackers that might be more focused on data exfiltration than unauthorized encryption in 2024.

  
We’ve noticed a marked shift over the last year or two with larger cartels increasingly focusing on the data they can exfiltrate over the data they can encrypt. There are a variety of factors driving this shift, most importantly technology is catching up. We are seeing more pre-ransomware engagements that are detected and stopped before deployment in our emergency responses (ERs), an important shift from the years prior. Organizations are prepared and ready to respond to ransomware and have solid, practiced recovery processes to minimize any effects of data encryption. This has driven actors to focus on the data they can steal over the data they can encrypt.

  
Actors running large scale infostealer campaigns have compromised tens of thousands, if not millions, of accounts and the breadth of accounts is extensive. Modern infostealers will gather credentials from web browsers, applications, and the system themselves to even include crypto wallets. For many organizations, this includes the SaaS applications that house sensitive data that, when stolen, can result in financial damage. It’s obvious criminals have taken notice — the recent activity was linked to Snowflake, but all SaaS providers and other organizations that house business-critical data for organizations are at risk.

**What can defenders do?**

The solution to this problem isn’t going to sound novel, in fact it's going to sound quite familiar. Primarily, anywhere critical data is housed, it needs to be protected with MFA. Organizations should conduct audits of all external data houses and ensure that the vendor supports MFA, and that MFA has been configured along with whatever logging capabilities are available, specifically associated with authentication.

  
The next thing organizations need to do is acknowledge and act on infostealer infections with urgency. Once an infostealers is detected, assume that all credentials on that system have been compromised, work quickly and effectively to remediate by resetting the passwords, remembering this spreads far beyond just the enterprise itself. Speed is of the utmost importance, as high-value credentials will be sold and actioned quickly. The goal is to make sure that whoever purchases the credentials cannot access critical data. Additionally, ensuring your users have a vetted and trusted way to store passwords is critical. By having an approved mechanism, you avoid credentials ending up stored in web browsers and easy picking for infostealers.

  
In a perfect world, we’d expect MFA to be deployed everywhere, but that’s not realistic. For instances where MFA cannot be deployed, there are a couple mechanisms to increase security and protection. If possible, limit the access of these accounts to the absolute least privilege. If internal assets are going to be accessed, look at deploying jump boxes. This creates a single point of connection where increased scrutiny can be applied. All non-MFA protected accounts should have increased visibility and all security alerts generated from these accounts should be investigated quickly and effectively.

  
As attackers continue to shift focus to the data they are trying to steal organizations need to take an honest look at where this data is housed and what data protections are in place to ensure you don’t end up in the headlines for stolen data being sold to the highest bidder, even if that bidder is the compromised organization itself.

Snowflake isn’t an outlier, it’s the canary in the coal mine

The site is supplying malicious code that delivers dynamically generated payloads and can lead to other attacks, after a Chinese organization bought it earlier this year.

Source: Bleakstar via Shutterstock

A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. The malicious activity follows the sale of the domain polyfill\[.\]io to a Chinese organization earlier this year.

Security researchers are warning that the cdn\[.\]polyfill\[.\]io domain has been compromised to serve malicious code in scripts to end users in a widespread attack. The site allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user's browser.

Researchers from security monitoring firm c/side sounded the alarm about the attack in an advisory by founder Simon Wijckmans warning website owners to "check your code for any use of the polyfill\[.\]io domain and remove it from your applications."

"This attack places an estimated +100k websites at immediate risk," he wrote. "When a once-safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors."

**Dynamically Generated Payloads**

Specifically, researchers discovered malicious, obfuscated code that "dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution" being injected into devices via websites using cdn\[.\]polyfill\[.\]io, Wijckmans wrote.

"In some instances, users receive tampered JavaScript files, which include a fake Google Analytics link," he wrote. "This fake link redirects users to various sports betting and pornographic websites, seemingly based on their region."

Given that the malicious code is JavaScript, it also could "at any moment introduce new attacks like formjacking, clickjacking, and broader data theft," Wijkmans noted.

**Polyfill Users Were Forewarned**

Polyfill users were already clued in back in February of the potential for malicious activity and were advised to stop using the polyfill\[.\]io domain after it was purchased by Funnull, a Chinese company. Following the sale, the developer of the open source Polyfill project, Andrew Betts, urged users in a post on X to remove references to the content delivery network (CDN), in part because he never owned the site.

"I created the Polyfill service project but I have never owned the domain name and I have had no influence over its sale," he wrote.

A site called Pollykill was even created on Feb. 27 "to bring awareness to a major JavaScript supply chain vulnerability," since Polyfill was sold and all Polyfill traffic was pointed "to the Baishan Cloud CDN."

Pollykill also provides users with alternatives to using the site to deliver JavaScript to their websites, warning users of the "many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application."

"They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the Web browser," according to the site.

**Immediate Action Required**

Supply chain attacks that compromise website scripts and other code that's used widely across applications or Web properties are serious business, which means anyone using Polyfill needs to take action now, Wijkmans said.

"Third-party resources are in a very powerful position and thus a high value target for bad actors," he wrote, adding that CDNs hosting third-party scripts are especially subject to attack.

However, one thing that's important to note is that "the Polyfill service itself is still solid," Wijkmans said. "You can host your own version in a safe and controlled environment without issue."

As the problem lies in the domain cdn\[.\]polyfill\[.\]io, it should immediately be removed from any site using it. Moreover, threat feeds currenty don't flag the domain, so administrators should not rely on that, Wijkmans added.

The Polykill website also advises developers to use a code search tool or integrated development environment (IDE) to search for instances of the malicious domain in source code across all projects within an organization. It cites resources by the developer community Fastly Connect that also can help them secure websites that use Polyfill; these include polyfill-fastly\[.\]net and polyfill-fastly\[.\]io, which are free drop-in replacements for polyfill\[.\]io in a website's code.

Fastly’s fork of the open source code 223 also can be used to self-host the service to maintain full control over the code delivered to users, according to Fastly.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites

Affected devices could include wireless access points, routers, switches and VPNs.

Multiple vulnerabilities in TP-Link Omada system could lead to root access

LockBit claimed to have breached Federal Reserve but in fact the data came from Evolve Bank & Trust

A shockwave went through the financial world when ransomware group LockBit claimed to have breached the US Federal Reserve, the central banking system of the United States.

On LockBit’s dark web leak site, the group threatened to release over 30 TB of banking information containing Americans’ banking data if a ransom wasn’t paid by June 25:

LockBit leak site

> “Federal banking is the term for the way the Federal Bank of America distributes its money. The Reserve operates twelve banking districts around the country which oversee money distribution within their respective districts. The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City and San Francisco.
> 
> 33 terabytes of juicy banking information containing American’s banking secrets.”

The statement ends expressing the group’s disappointment about a negotiator who apparently offered to pay $50,000.

So, you can imagine that everyone was anticipating the end of the countdown that signalled the release of the stolen data with bated breath.

However, when that deadline passed and the data was released, people who looked at the data found it did not, in fact, belong to the Federal Reserve but instead to a particular financial organization: Evolve Bank & Trust.

Overview of the available data

All the links lead to directories containing data that seems to belong to Evolve.

There hasn’t been enough time to do a full analysis of the huge amount of data, but it appears it is only remotely tied to the Federal Reserve by some included links to a Federal Reserve press link from mid-June.

At that time, the US Federal Reserve Board penalized Evolve Bancorp and its subsidiary, Evolve Bank & Trust, for multiple “deficiencies” in the bank’s risk management, anti-money laundering (AML) and compliance practices.

According to the Federal Reserve statement released at the time:

> “In addition, Evolve did not maintain an effective risk management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers.”

So, as expected, LockBit drew a lot of attention under false pretences.

The group was disrupted by law enforcement in February of 2024 and their activity diminished as a result. As the ThreatDown monthly ransomware review of May review pointed out:

> “While LockBit is technically still alive, it’s fair to say the group is not what it was: Not only are its attacks dwindling, but in early May law enforcement also revealed the identity of alleged LockBit leader Dmitry Khoroshev, aka LockBitSupp. LockBitSupp, who is now subjected to a series of asset freezes and travel bans, also has a reward of up to $10 million over his head for information that leads to his arrest.”

And recently the FBI announced it had over 7,000 LockBit decryption keys in its possession, allowing it to help victims to recover data encrypted by the gang in past attacks. LockBit ransomware has impacted over 1,800 US victims, according to FBI stats.

Back to the data, it’s good news it appears not to be from the Federal Reserve. However, it’s not good news for customers of Evolve Bank & Trust and their data may well have been stolen and published. And it’s a lot of data.

A lot of data

We’ll keep you updated on this developing story. For now, there’s no official statement from Evolve, but there are general things to know if you think you have been involved in a data breach.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Federal Reserve &#8220;breached&#8221; data may actually belong to Evolve Bank 

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.
More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.
Polyfill is a popular library that

Supply Chain Attack / Web Security

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.

More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report.

Polyfill is a popular library that incorporates support for modern functions in web browsers. Earlier this February, concerns were raised following its purchase by China-based content delivery network (CDN) company Funnull.

The original creator of the project, Andrew Betts, urged website owners to immediately remove it, adding "no website today requires any of the polyfills in the polyfill\[.\]io library" and that "most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."

The development also prompted web infrastructure providers Cloudflare and Fastly to offer alternative endpoints to help users move away from polyfill\[.\]io.

"The concerns are that any website embedding a link to the original polyfill\[.\]io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare researchers Sven Sauleau and Michael Tremante noted at the time.

"Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised."

The Dutch e-commerce security firm said the domain "cdn.polyfill\[.\]io" has since been caught injecting malware that redirects users to sports betting and pornographic sites.

"The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours," it said. "It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats."

San Francisco-based c/side has also issued an alert of its own, noting that the domain maintainers added a Cloudflare Security Protection header to their site between March 7 and 8, 2024.

The findings follow an advisory about a critical security flaw impacting Adobe Commerce and Magento websites (CVE-2024-34102, CVSS score: 9.8) that continues to remain largely unpatched despite fixes being available since June 11, 2024.

"In itself, it allows anyone to read private files (such as those with passwords)," Sansec said, which codenamed the exploit chain CosmicSting. "However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution."

It has since emerged that third-parties can gain API admin access without requiring a Linux version vulnerable to the iconv issue (CVE-2024-2961), making it an even more severe issue.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#cisco