Breach Roundup: Raccoon Stealer Makes a Comeback - Source: www.govinfosecurity.com

Cybercrime
,
Fraud Management & Cybercrime
,
Incident & Breach Response

Also: QR Codes Used in Phishing Campaign; Belarus ISPs Used for Spying

Anviksha More (AnvikshaMore) •
August 17, 2023

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Raccoon Stealer returned, hackers used QR codes, Belarus ISPs were used to spy on diplomats, Geico reported a MOVEit breach, an Israeli hospital dealt with ransomware extortion, Clorox took systems offline after an attack, and researchers found flaws in AudioCodes phones and Zoom’s ZTP.

Raccoon Stealer Makes a Comeback

A popular info stealer malware is again available on criminal forums after six months of inactivity following the 2022 arrest of a key administrator. The future of Raccoon Stealer became uncertain after Dutch police arrested Ukrainian national Mark Sokolovsky following his indictment by a Texas grand jury. Law enforcement in the United States, Italy and the Netherlands disrupted the info stealer’s digital infrastructure.

“We are happy to return with new strength and understanding of our mistakes,” Raccoon Stealer operators announced. “All this time, our team has been working tirelessly to bring you our latest developments that will enrich your experience using the stealer.”

Cybersecurity firm Cyberint analyzed the malware’s latest version and said recently introduced features from Raccoon’s operators makes it easier, more convenient and more straightforward to use.

A new quick search tool lets users find specific links in large stolen datasets and easily retrieve any information they need. Another new feature is heightened protection from bots used to detect Raccoon Stealer traffic. The info stealer that targets login credentials, credit card information, cryptocurrency wallets and browser information is known to regularly receive updates.

Hackers Use QRs Code to Target Major US Energy Firm

Cybersecurity firm Cofense in a Wednesday report uncovered a campaign beginning in May targeting a wide array of industries including manufacturing, insurance, technology and financial services. Among the targets was a “major energy company based in the US” that received about 29% of the more than 1,000 campaign emails sent containing malicious QR codes.

“Email lures came in the form of updating account security surrounding 2FA, MFA and general account security,” said Nathaniel Raymond, a threat intelligence analyst at Cofense.

The FBI in January 2022 warned that cybercriminals are directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device and redirecting payment for cybercriminal use.

Hackers repurposed Bing redirect URLs, which were initially designed for marketing objectives. These URLs have dual functionality – they were intended for legitimate marketing but were exploited by the hackers for malicious purposes in the phishing campaign.

“Abusing trusted domains, using obfuscation tactics, coupled with hiding the URLs inside QR codes embedded into a PNG or PDF attachment, helps ensure that emails bypass security and make it into inboxes,” Raymond said.

Hackers Intercept Internet Traffic in Belarus to Spy on Diplomats

A cyberespionage group dubbed MoustachedBouncer by researchers at Eset is using access to Belarus internet service providers to spy on foreign diplomats.

Active since at least 2014, the group has deployed adversary-in-the-middle tactics at Belarusian ISPs since 2020. Eset assesses with medium confidence that the group is aligned with Belarus interests and with low confidence that MoustachedBouncer is using a Russian-designed system for remote control access to all user communications known as SORM. The system, whose acronym stands for “System of Operative Investigative Measures,” is operational in Belarus, Amnesty International reported in 2021.

The attackers use two distinct malware frameworks, NightClub and Disco, for data theft, including capturing screenshots and recording audio. The Disco implant relies on tricking Windows 10 systems at the ISP level into assuming they’re behind a legitimate captive portal. The attackers present a fake Windows Update that leads to malicious software download. Disco also reaches its command-and-control server through deep packet inspection interception at the ISP level.

The older NightClub implant uses email protocols to reach its command-and-control server, likely in cases where users have deployed a VPN to encrypt their internet traffic while it’s still in Belarus. Among the victims identified by Eset are diplomats from a northeast African country, a South Asian country and an Eastern European country.

“The main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices,” the Eset researches wrote.

Geico Possibly Caught Up in MOVEit Hack

The United States’ second largest auto insurer is warning employees that it used MOVEit file transfer software to move data to third-party vendors. A letter to employees from CISO Zhiwei Fu suggests that they freeze their credit. Fu said Geico reacted quickly to the Memorial Day weekend hack of the software instigated by Clop, a Russian-speaking ransomware-as-a-service group. At latest count, the hack has affected 760 organizations and the personal data of at least 46 million individuals.

Fu said Geico is monitoring “with our partners to find out if any data they have from Geico has been compromised.” A company spokesman told Information Security Media Group that no Geico customers had been affected by the hack and emphasized that the insurer’s systems had not been hacked.

Israeli Hospital Halts New Admissions in Response to Ransomware

The Mayanei Hayeshua Medical Center near Tel Aviv fell victim to an attack by unidentified cybercriminal group on Tuesday. Newspaper Israel Hayom reported Wednesday that the hacking group has threatened to reveal sensitive medical files, including those of Prime Minister Benjamin Netanyahu and leaders of the ultra-Orthodox community.

The hospital’s administrative computer systems were compromised in an Aug. 8 ransomware attack, leading it to stop accepting new outpatients and routing new emergency patients to nearby hospitals, reported The Jerusalem Post.

Clorox Takes Systems Offline in Response to Cyberattack

Bleach manufacturing giant The Clorox Company took certain systems offline after detecting unusual activity on its IT systems. In a Tuesday update, the company said plants and distribution centers activated business continuity plans to fulfill orders placed before Sunday, Aug. 13.

In a Monday filing with federal regulators, the company acknowledged that “the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.” It said it has informed law enforcement and is collaborating with third-party cybersecurity experts to investigate the incident and restore operations.

Flaws in Zoom ZTP and AudioCodes Phones Expose Information

Researchers at German cybersecurity company SySS uncovered security vulnerabilities in AudioCodes phones and Zoom’s Zero Touch Provisioning that may be exploited by malicious actors for remote attacks. The flaws could enable external attackers to gain full control over devices, potentially leading to eavesdropping on calls, corporate network breaches and even the creation of botnets, security researcher Moritz Abrell said in an analysis published Friday.

Researchers found that the Voice over Internet Protocol devices using Zoom’s ZTP don’t properly check the authenticity of the server when they are downloading configuration files, enabling an attacker to set up a malicious server and trick the devices into downloading harmful or malicious firmware.

Researchers also found cryptographic authentication flaws in AudioCodes VoIP phones that could potentially allow unauthorized individuals to intercept and access transmitted information such as passwords or configuration files. These combined vulnerabilities could be leveraged for widespread device takeover, presenting significant security concerns.