Cyber Security Headlines – November 17, 2021

Emotet botnet makes comeback with help from TrickBot

The notorious Emotet botnet has made a comeback nearly 10 months after a coordinated law enforcement operation dismantled its command-and-control infrastructure. According to researcher Luca Ebach, the infamous TrickBot malware is being leveraged as an entry point to distribute a new version of Emotet which takes the shape of a DLL file. Europol dubbed Emotet the “world’s most dangerous malware” because of its use by threat actors as a precursor to many critical data theft and ransomware attacks. The first deployment was detected this past Sunday and nine Emotet command-and-control servers are currently online.

(The Hacker News)

Leaked Robinhood customer data now up for sale

Following up on a story we brought you last week, the data of approximately 7 million Robinhood customers stolen in a data breach that began by social engineering a customer service rep, is now being sold by the hacker for at least $10,000. Two days after Robinhood disclosed the attack, and after a failed extorsion attempt, a threat actor named ‘pompompurin’ announced on a hacking forum that they were selling the data including email addresses and full names of millions of customers and more extensive details for a small subset of individuals. Pompompurin, is the same threat actor responsible for abusing FBI email servers to send threatening emails over the weekend.

Bleeping Computer)

WordPress sites defaced in fake ransomware attacks

Hundreds of WordPress sites were defaced over the weekend with a message claiming that the site’s data was encrypted. In a message on the updated page, the attackers requested 0.1 bitcoin (~$6,100) to unlock the affected websites. But upon further analysis, the ransom message only appears on a few selected site pages with no signs of encryption, which likely explains why nobody has paid the ransom demand so far. Security firm Sucuri said that the “fake ransomware” campaign exploited a vulnerability in a WordPress plugin named Directorist which was installed on the affected sites. At least 300 sites have been affected so far but site owners appear to have had little difficulty restoring affected pages.

(The Record)

MosesStaff locks up targets without ransom demand

Researchers at Check Point Research (CPR) have warned that the MosesStaff hacking group is aiming politically motivated, destructive attacks at Israeli targets with the goal of inflicting maximum damage. MosesStaff is exploiting known vulnerabilities in Microsoft Exchange Server and then leveraging a webshell to deploy a Python script which moves laterally across the network and then downloads and installs the custom payload. But unlike other anti-Zionist hacktivists, which look to extort their victims and cause embarrassment, MosesStaff has no intention of demanding a ransom or handing over decryption keys. MosesStaff explained via social-media that their purpose is to, “fight against the resistance and expose the crimes of the Zionists in the occupied territories.” The good news is that the researchers found the hackers’ encryption method to be flawed making it possible to decrypt victim systems using a simple program that initiates proper input/output control (IOCTL) to the DiskCryptor driver.

(Threatpost)

Thanks to our episode sponsor, Vulcan Cyber

Matt Hurewitz is the associate director of application security at Best Buy. Matt has a theory that a risk-based approach to application security is more effective than a faith-based approach. We agree. Attend the Vulcan Cyber virtual summit on December 9th to hear how Matt and the Best Buy team approach application security. Learn from the best. Registration is free for your entire team. Go to vulcan.io and click the button at the top of the screen to register for the event.

GitHub fixes vulnerability in NPM service

GitHub Chief security officer Mike Hanley said they have fixed an issue with the NPM (Node Package Manager) JavaScript registry that would allow an attacker to update any package without proper authorisation. The issue, which appears to date back to September 2020, was reported by security researchers on November 2, and was patched within six hours. The vulnerability involves a discrepancy in the way the NPM service performs underlying updates to the registry to determine which package to publish. NPM is an essential developer resource used in JavaScript utility libraries which are downloaded millions of times per day. GitHub is planning to tighten the security of the NPM registry by requiring two-factor authentication (2FA) for maintainers and admins of the most popular packages, starting in the first quarter of 2022. 

(The Register)

Belarus now linked to Ghostwriter campaign

According to threat intelligence firm Mandiant, operation “Ghostwriter,” a propaganda campaign that has pushed fabricated narratives on a number of topics including North Atlantic Treaty Organization (NATO) and COVID-19, is the work of people in Belarus, including the country’s military. Ghostwriter is accused of harvesting stolen passwords and leaking hacked data to pollute political discourse and collect intelligence. According to research from back in April, Ghostwriter dumped stolen social media account info from Polish officials which was used by the state-sponsored group UNC1151 with the apparent goal of destabilizing the internal politics of several NATO countries. Mandiant has now determined that UNC1151 is operating out of Minsk and the bulk of their activity targets Ukraine, Latvia, Lithuania, Poland and Germany in addition to Belarusian dissidents, media entities and journalists.

(CyberScoop)

Data of millions of hotel booking site customers leaked

The personal data of nearly 5.9 million Singaporean and South-east Asian customers of hotel booking site RedDoorz was found to have been leaked, in what the Government has called Singapore’s largest data breach. Leaked data includes customer name, contact number, e-mail address, date of birth, encrypted account passwords and booking information. Local firm Commeasure, which operates the website, has been fined $74,000 by the Personal Data Protection Commission (PDPC). The fine is disproportionately lower than than the $1 million fine imposed on SingHealth and Integrated Health Information Systems in a 2018 data breach affecting 1.5 million people. The commission said with respect to the fine it levied, that it had considered hardship on the hospitality sector caused by the Covid-19 pandemic.

(The Straits Times)

Adult site’s customers and employees stripped of their privacy

One of the internet’s top 5 adult cam sites, StripChat, has suffered a security breach and has leaked the personal data of millions of users and adult models.The leak, discovered by security researcher Bob Diachenko, occurred after StripChat exposed its ElasticSearch database cluster on the internet between November 4 and November 7. Leaked data includes username, email, IP address, ISP details, tip balance, and account info for 65 million site users as well as username, gender, studio ID, live status, tip info and ratings belonging to 421,000 models broadcasting on the site. A trove of site transaction data and chat messages was also leaked during the incident. 

(The Record)