2023-04-07

Another data leak caused by exposing a development-environment configuration file on a public website, and this time at a company in the information security industry that specialises in digital ID verification services. Researchers pointed out that the exposure not only leaked the company's internal information but also implicated several large financial institutions in the UK and Australia.

Users looking for VPN services should take note: the information-stealing malware OpcJacker has recently been distributed under the guise of such a service, after which the attackers deploy Trojan and remote desktop programs on the victim computer as a second-stage attack.

Beyond the ways hackers spread malware, the way they recruit newcomers also deserves attention. Security researchers have found it increasingly common for criminals to use the encrypted messaging app Telegram to distribute phishing kits, largely to attract novices who lack the relevant skills into cybercrime.

【Attack and Threat】

Digital ID verification provider OCR Labs exposed a development-environment configuration file, putting customer data at risk of leakage

On March 8, researchers from the security news site Cybernews found a publicly accessible development-environment configuration file (ENV) on idkit.com, a website of the digital ID verification provider OCR Labs. The file contained database credentials, AWS Simple Queue Service (SQS) credentials, and API keys for Google and Liveness, among others.

The researchers pointed out that the exposure affected the company's customers, including several financial firms in Australia and the UK: QBank, Defence Bank, Bloom Money, Admiral Money, MA Money and Reed. After receiving the report, OCR Labs secured the ENV file.

OpcJacker malware distributed under the pretence of offering a VPN service

Security company Trend Micro disclosed an attack campaign involving the information-stealing malware OpcJacker. Starting in the second half of 2022, the attackers targeted Iran under the guise of offering a legitimate VPN service (the researchers did not name the fraudulent VPN service) to distribute the stealer. They first deliver a modified VPN client installer through malicious advertisements; once the user runs it, the installer executes a crypter called Babadeda, which then loads shellcode on the victim computer and runs OpcJacker.

The researchers noted that the attackers' purpose goes beyond logging keystrokes, capturing screenshots and stealing sensitive data stored in browsers: the stealer also launches second-stage malware such as the NetSupport RAT trojan and a variant of the hVNC remote-access tool. Users who need a VPN should download it directly from the legitimate provider's website.

Telegram increasingly abused: Kaspersky says the encrypted messaging app has become an arsenal for phishing operators

Security company Kaspersky warned that criminals are increasingly abusing the encrypted messaging app Telegram to distribute phishing kits. They use Telegram bots to automatically supply and build phishing sites that harvest victims' information. Some also give away phishing kits for free; these contain pre-packaged templates that imitate well-known brands for building phishing pages.

Although some phishing tools are free, the researchers noted that the operators profit from paid add-ons such as anti-bot mechanisms, geo-locking, URL encryption and fraudulent web page packages. They also offer to help buyers verify the authenticity of stolen data.

Why do these criminals share their tools and stolen information with others? The researchers believe they most likely want to attract novices to build a customer base, or to obtain free labour under the guise of teaching techniques.

Malware evades security products through password-protected WinRAR self-extracting archives

Security company CrowdStrike disclosed attacks abusing WinRAR self-extracting archives (SFX). Using stolen credentials, the attackers abused the accessibility utility utilman.exe to run a password-protected self-extracting archive without logging in to Windows, then used the SFX script parameters WinRAR provides to launch PowerShell, a command prompt and Task Manager with NT AUTHORITY\SYSTEM privileges, and finally deployed a backdoor on the victim computer.

The researchers warned that such attacks can be hard to detect, because antivirus software typically scans the files contained in an archive for malware rather than the commands embedded in the archive itself.
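As an added defensive illustration (not part of the original report or of CrowdStrike's tooling), the following heuristic triage script looks at the part of a WinRAR SFX that antivirus scanners tend to skip: the embedded SFX script, and flags executables whose Setup line silently launches an interpreter. The directive names, the suspicious-interpreter list and the sample bytes are assumptions constructed for this example.

```python
import re

# Signatures of the RAR4 and RAR5 archive headers that follow the PE stub in a WinRAR SFX
RAR_SIGS = (b"Rar!\x1a\x07\x01\x00", b"Rar!\x1a\x07\x00")
# SFX script directives WinRAR reads from the archive comment (assumed subset, not exhaustive)
DIRECTIVE_RE = re.compile(rb"(?i)\b(Setup|Presetup|Silent|Path|Overwrite)=([^\r\n\x00]*)")
# Interpreters/utilities in a Setup line that warrant analyst review (heuristic list)
SUSPICIOUS_RE = re.compile(rb"(?i)powershell|cmd(\.exe|\s+/c)|utilman|rundll32|mshta|wscript")


def analyze_sfx(data: bytes) -> dict:
    """Classify one file: is it a PE+RAR self-extractor, which SFX directives
    does its comment carry, and does a Setup/Presetup line launch an interpreter."""
    result = {"is_sfx": False, "directives": {}, "suspicious": False}
    rar_off = -1
    for sig in RAR_SIGS:
        idx = data.find(sig)
        if idx != -1:
            rar_off = idx
            break
    # An SFX is a PE executable with an embedded RAR archive after the stub
    result["is_sfx"] = data[:2] == b"MZ" and rar_off > 0
    if rar_off == -1:
        return result
    # The SFX script lives in the archive comment, so only scan the RAR portion
    for m in DIRECTIVE_RE.finditer(data[rar_off:]):
        key = m.group(1).decode().lower()
        value = m.group(2).strip().decode(errors="replace")
        result["directives"].setdefault(key, []).append(value)
        if key in ("setup", "presetup") and SUSPICIOUS_RE.search(m.group(2)):
            result["suspicious"] = True
    return result


# Constructed sample: a minimal PE-like stub followed by a RAR4 signature and an SFX
# comment that silently runs PowerShell after extraction (not a real malware sample)
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 128
    + RAR_SIGS[1] + b"\x00" * 16
    + b"Path=%TEMP%\r\nSilent=1\r\nOverwrite=1\r\nSetup=powershell.exe -File run.ps1\r\n"
    + b"\x00" * 32
)
# Constructed benign sample: same layout, but the script only runs an installer
SAMPLE_BENIGN = b"MZ" + b"\x00" * 190 + RAR_SIGS[1] + b"\x00Title=App\r\nSetup=setup.msi\r\n"

if __name__ == "__main__":
    for name, blob in (("sfx", SAMPLE_SFX), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_sfx(blob))
```

A `Silent=1` directive paired with a flagged Setup line is the pattern worth escalating; a benign installer SFX usually carries neither.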

Log4Shell vulnerability in cloud infrastructure exploited for bandwidth hijacking attacks

Security company Sysdig disclosed an attack campaign that abuses bandwidth-sharing software (proxyware). Unlike earlier campaigns, the attackers did not supply the software or lure users into installing it to earn money by "sharing" bandwidth; instead they exploited the Log4Shell vulnerability to break into the target host and then covertly deployed bandwidth-sharing software to carry out bandwidth hijacking (proxyjacking).

In one incident, the researchers saw the attackers target a Kubernetes environment with an unpatched Apache Solr instance, download a malicious script from a C2 server, and finally run an ELF executable that logged in to a Pawns.app account and used the command-line bandwidth-sharing client IPRoyal Pawns to sell off the victim's bandwidth. Once the executable was running, the attackers issued further commands to evade detection and attempted to persist on the victim machine.

Rilide malware targets Chromium-based browsers to steal cryptocurrency

Security company Trustwave disclosed malware attacks targeting Chromium-based browsers such as Chrome, Edge, Opera and Brave. The malware, Rilide, carries out malicious activity in the background, with the aim of tricking users out of their two-factor authentication (2FA) codes and stealing cryptocurrency.

As for how Rilide is distributed, the researchers pointed out two main channels: abusing files of Microsoft's desktop-publishing software Publisher, and Google ads offering installers for TeamViewer and Nvidia drivers. The researchers noted that the malware has become extremely popular recently owing to a payment dispute among the hackers and a buyer releasing its source code.

U.S. tax filing site eFile.com hacked by JavaScript malware

Every year attackers exploit the US tax season, mainly by spreading malware through phishing emails, but now third-party websites are also being targeted. According to the security news site Bleeping Computer, since March 17 many users and researchers have found that eFile.com, a website used by many Americans to file taxes, had been implanted with a malicious JavaScript file, popper.js; the news site confirmed that until April 1 almost every eFile.com page loaded this malicious file.

When a user visits the site, it downloads a second-stage malicious payload matching the visitor's browser (Chrome or Firefox) and finally deploys a backdoor built from PHP script code on the victim computer, giving the attacker full access. The scope of the incident has yet to be clarified.

Uber leaks driver data again, as law firm hacked

According to a report by the news site The Register, the ride-hailing platform Uber sent a notification letter to some drivers stating that the law firm Genova Burns was hacked between January 23 and 31 and that an unauthorised third party accessed some internal documents. As a result, the Social Security Numbers (SSN) and Tax Identification Numbers (TIN) of Uber drivers who transport passengers in New Jersey, USA, may have been leaked.

Genova Burns said it has found no signs of misuse of the personal data, but Uber did not disclose how many drivers were affected.

Samsung leaks information after employees allegedly fed company secrets to ChatGPT

According to a report by the Korean Economist (economist.co.kr), Samsung Electronics allowed its semiconductor division to use the ChatGPT chatbot from March 11, but three data leaks reportedly occurred in less than 20 days: two related to equipment materials and one to the content of a meeting.

One employee pasted problematic source code into ChatGPT after an error in the download software of the semiconductor equipment measurement database; a second entered related code into ChatGPT to analyse equipment yield data; a third asked ChatGPT to produce meeting minutes. As a result, Samsung's internal data became part of ChatGPT's machine-learning content and could potentially be retrieved by other users querying ChatGPT.

In response, Samsung has limited how much information employees may submit to ChatGPT and plans to deploy an internal, dedicated AI service.

Pinduoduo, the shopping app Google removed at the end of March, reportedly elevates execution privileges without authorisation and keeps running in the background after being closed

Google recently removed the Pinduoduo app from Google Play because malicious code was found in versions available online, which drew wide attention. Now researchers report that once the shopping app is installed on a phone, it exhibits abnormal behaviour such as attempts to elevate privileges. According to the news site CNN, they sought the help of security companies WithSecure, Oversecured and Check Point to reverse-engineer version 6.49.0 of the Pinduoduo app, released in late February. In addition, Pinduoduo can track the activity of other shopping apps to monitor competitors.

WithSecure chief researcher Mikko Hyppönen said they had never seen a mainstream app attempt to elevate its privileges this way to obtain access that ordinary apps should not have; Oversecured founder Sergey Toshin pointed out that Pinduoduo used about 50 Android vulnerabilities, most of them in components made by phone manufacturers.

This is not the first time researchers have raised concerns about the Pinduoduo app: in February this year, the Chinese security company Dark Navy published a related investigation report, although it did not name Pinduoduo as the shopping app containing the malicious code.

MSI hit by Money Message ransomware, attackers demand $4 million

According to the security news site Bleeping Computer, the Money Message ransomware group recently claimed to have attacked the Taiwanese computer maker MSI and stolen 1.5 TB of data, including ERP databases, software source code, keys and BIOS firmware, and demanded $4 million from MSI.

To further confirm whether MSI had suffered a cyber attack, we checked the stock market public observatory and found that MSI posted an announcement there at 12:00 noon on April 7, stating that some of its information systems had been hit by a cyber attack, with no material impact on its finances or business.

【Vulnerabilities and Fixes】

Multiple Vulnerabilities Exposed in ProPump and Controls Pump Control System

Security company Zero Science Lab disclosed nine vulnerabilities in the Osprey water pump controller made by ProPump and Controls. Four of them, CVE-2023-28654, CVE-2023-27886, CVE-2023-27394 and CVE-2023-28398, have a CVSS score of 9.8 (critical). The flaws involve hard-coded credentials, command injection and authentication bypass.

Notably, the researchers received no reply when they notified the vendor directly, so they also sought help from the US Cybersecurity and Infrastructure Security Agency (CISA) and Carnegie Mellon University's Vulnerability Information and Coordination Environment (VINCE). ProPump and Controls has still not responded or issued an advisory, and the vulnerabilities have most likely not been patched.

【Other information security news】

The Criminal Investigation Bureau cracked a cyber attack and fraud case in which phishing text messages were sent through fake base stations

Toyota City, Japan, disclosed an email leak caused by a supplier failing to renew a software licence, which disabled the mandatory email BCC

The Open University of Cyprus was attacked by ransomware Medusa

Middle Eastern organisations targeted by the hacker group Arid Viper, which attacks both Windows computers and mobile devices

Microsoft teams up with Fortra to take down Cobalt Strike servers used in attacks

Vulnerabilities in Nexx smart garage controllers could allow attackers to open door locks and manipulate alarms

RCE Vulnerability in Azure Pipelines Could Lead to Supply Chain Attacks

