Rafel RAT Targets Outdated Android Devices with Ransomware Attacks
The open-source Android malware known as Rafel RAT has become a prevalent threat, targeting outdated devices in numerous cybercriminal campaigns. According to researchers from Check Point, over 120 campaigns have utilized Rafel RAT, with some launching ransomware attacks that demand payments via Telegram. Known threat actors like APT-C-35 and others from Iran and Pakistan are behind many of these campaigns. High-profile organizations, including those in government and military sectors, have been targeted, particularly in the United States, China, and Indonesia. The majority of affected devices run Android versions 11 or older, which no longer receive security updates, making them vulnerable to exploits. Rafel RAT spreads through deceptive apps mimicking popular platforms such as Instagram and WhatsApp, requesting risky permissions during installation. The malware’s commands can lock devices, wipe data, and encrypt files, posing significant risks to users with outdated Android devices.
CoinStats Breach Affects 1,590 Crypto Wallets, North Korean Hackers Suspected
CoinStats, a popular cryptocurrency portfolio management app with 1.5 million users, recently experienced a significant security breach, compromising 1,590 hosted wallets. The attack, suspected to be carried out by North Korean hackers, targeted users who hosted their wallets on the CoinStats platform. While the app’s portfolio management features, which require read-only access to external wallets, remained unaffected, the breach impacted 1.3% of CoinStats-hosted wallets. CoinStats has urged affected users to transfer funds to external wallets immediately. Although the platform remains offline for investigation and mitigation, CoinStats’ CEO shared evidence pointing to the involvement of the North Korean Lazarus Group, notorious for substantial crypto heists. Scammers have already begun exploiting the situation, promoting fake refund schemes using typosquatted handles. Users are advised to ignore these scams as CoinStats has not announced any refund programs.
Four FIN9 Hackers Indicted for Cyberattacks Resulting in $71 Million in Losses
Four Vietnamese nationals linked to the notorious cybercrime group FIN9 have been indicted for their roles in cyberattacks that resulted in over $71 million in losses for U.S. companies. The accused, Ta Van Tai, Nguyen Viet Quoc, Nguyen Trang Xuyen, and Nguyen Van Truong, engaged in cybercriminal activities from May 2018 to October 2021, stealing data and funds from their targets. U.S. Attorney Philip R. Sellinger emphasized the group’s use of phishing campaigns, supply chain attacks, and other hacking methods to carry out their crimes while attempting to remain anonymous. The indictment highlights how FIN9 exploited third-party vendors and used malware to infiltrate victim networks, exfiltrating confidential data such as financial information and credit card details. The stolen data was then sold for cryptocurrency. The defendants face severe penalties, including potential decades-long prison sentences, and forfeiture of assets obtained through their illegal activities.
New Attack Uses MSC Files and Windows XSS Flaw to Breach Networks
A new command execution technique called ‘GrimResource’ leverages specially crafted MSC (Microsoft Saved Console) files and an unpatched Windows XSS (cross-site scripting) flaw to execute code via the Microsoft Management Console (MMC). Following Microsoft’s July 2022 decision to disable macros by default in Office, attackers have shifted to using various file types in phishing attacks, eventually landing on MSC files.
MSC files, which MMC uses to manage aspects of the operating system, are the vehicle for this new attack. The Elastic team, building on earlier research from Genian, identified a technique that abuses an old, unpatched Windows XSS flaw in the ‘apds.dll’ library to deploy malware such as Cobalt Strike. A sample file (‘sccm-updater.msc’) uploaded to VirusTotal on June 6, 2024, shows the technique in active use and went undetected by antivirus engines.
The GrimResource attack begins with a malicious MSC file exploiting a DOM-based XSS flaw in ‘apds.dll,’ executing arbitrary JavaScript via a crafted URL. Although reported in October 2018, the vulnerability remains unpatched in the latest Windows 11 version. This flaw, combined with the ‘DotNetToJScript’ technique, allows arbitrary .NET code execution, bypassing security measures.
The attack employs ‘transformNode’ obfuscation to evade warnings, reconstructing a VBScript that loads a .NET component called ‘PASTALOADER.’ This component retrieves a Cobalt Strike payload, injecting it into ‘dllhost.exe’ using the ‘DirtyCLR’ technique and indirect system calls. Elastic Security has detailed these indicators and provided YARA rules to help defenders detect such suspicious MSC files.
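As a defender-side illustration of the indicators named above, here is an added example (not code from the original article, and not Elastic's published YARA rules) that scans console-file XML for the three markers the write-up mentions: a reference to apds.dll, a transformNode call, and script content embedded in the file. It assumes MSC files are XML with an MMC_ConsoleFile root and that attacker-supplied HTML/JS sits entity-escaped inside the StringTable, so decoded element text is checked as well as the raw bytes; the two sample files are constructed and carry no working payload.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Indicators drawn from the GrimResource description: the apds.dll XSS sink,
# the transformNode obfuscation step, and script content inside a console file.
# Indicator names and the "any hit is suspicious" rule are this example's own
# assumptions, not Elastic's detection logic.
INDICATORS = {
    "apds_dll_reference": re.compile(r"apds\.dll", re.IGNORECASE),
    "transformnode_call": re.compile(r"\btransformNode\b", re.IGNORECASE),
    "embedded_script_tag": re.compile(r"<script\b", re.IGNORECASE),
}


def _decoded_strings(xml_text: str) -> List[str]:
    """Collect every element text, tail and attribute value with XML entities decoded.

    Console files are XML (assumption: MMC_ConsoleFile root), so HTML/JS stored in the
    StringTable is entity-escaped; a regex over the raw bytes alone would miss
    '<script>' written as '&lt;script&gt;'.
    """
    out: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return out  # malformed file: caller falls back to raw-text scanning only
    for el in root.iter():
        if el.text:
            out.append(el.text)
        if el.tail:
            out.append(el.tail)
        out.extend(el.attrib.values())
    return out


def scan_msc(xml_text: str) -> Dict[str, bool]:
    """Map each indicator name to whether it fired on raw text or decoded strings."""
    haystacks = [xml_text] + _decoded_strings(xml_text)
    return {
        name: any(pat.search(h) for h in haystacks)
        for name, pat in INDICATORS.items()
    }


def verdict(findings: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Any single indicator is enough to route the file for analyst review."""
    hits = sorted(name for name, fired in findings.items() if fired)
    return ("suspicious" if hits else "clean"), hits


# Constructed samples (not real malware): a plain console file and one carrying
# the GrimResource-style markers inside entity-escaped StringTable entries.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Services</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">apds.dll</String>
    <String ID="2">&lt;script&gt;var s = x.transformNode(t);&lt;/script&gt;</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(label, verdict(scan_msc(sample)))
```

Running the script prints a clean verdict for the first sample and lists all three indicators for the second. The decoded-string pass is the part that matters in practice: the `<script` marker only appears once the StringTable entry is unescaped, so a tool that greps the raw file would report only the apds.dll and transformNode hits.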
Hackers Target New MOVEit Transfer Critical Auth Bypass Bug
Hackers are exploiting a newly disclosed critical authentication bypass vulnerability, CVE-2024-5806, in Progress MOVEit Transfer. This flaw allows attackers to bypass authentication in the Secure File Transfer Protocol (SFTP) module, enabling unauthorized access to sensitive data and the ability to manipulate files.
Exploitation attempts began soon after the vulnerability was disclosed. Approximately 2,700 internet-exposed MOVEit Transfer instances have been identified, mainly in the US, UK, Germany, Canada, and the Netherlands. Offensive security firm watchTowr published technical details and proof-of-concept exploit code, increasing the risk of attacks.
Progress has released patches for affected MOVEit Transfer versions, urging immediate updates. MOVEit Cloud customers are already protected. Additionally, administrators are advised to block Remote Desktop Protocol (RDP) access and restrict outbound connections to mitigate further risks. Another related flaw, CVE-2024-5805, impacts MOVEit Gateway 2024.0.0. With MOVEit widely used in enterprises, swift action is crucial to prevent breaches.
BlackSuit Ransomware Gang Claims Attack on KADOKAWA Corporation
The BlackSuit ransomware gang has claimed responsibility for a recent cyberattack on KADOKAWA Corporation, threatening to publish stolen data if their ransom demands are not met. KADOKAWA, a prominent Japanese media conglomerate known for its subsidiaries like FromSoftware, reported on June 8 that multiple websites were down due to a cyberattack, affecting their data center.
This attack has significantly disrupted the company’s operations, including the popular video-sharing platform Niconico. Despite efforts to restore services, KADOKAWA’s latest update confirms that many operations remain impacted, with Niconico services still suspended.
BlackSuit announced their involvement by listing KADOKAWA on their data leak site and releasing a small sample of the stolen data. They threaten to publish the full data, which includes contacts, confidential documents, employee data, business plans, and financial information, by July 1 if the ransom is not paid.
Launched in May 2023, the BlackSuit ransomware group is a rebrand of the Royal ransomware operation, with ties to the defunct Conti cybercrime syndicate, a collective of Russian and Eastern European hackers. The FBI and CISA previously linked BlackSuit to attacks on over 350 organizations, demanding over $275 million in ransoms. Their recent attack on CDK Global caused major disruptions to car dealerships across North America.
Ticketmaster Sends Notifications About Recent Massive Data Breach
Ticketmaster has begun notifying customers affected by a significant data breach in which hackers stole the company’s Snowflake database, containing the data of millions of users. The breach, discovered in May 2024, exposed customer names, contact information, and other personal details.
The data breach notification, shared with the Office of the Maine Attorney General, revealed that unauthorized access occurred between April 2 and May 18, 2024. Ticketmaster identified the breach on May 23 and found no further unauthorized activity since the investigation began. Customers are advised to stay vigilant against identity theft and fraud, with Ticketmaster offering one year of free identity monitoring.
Although Ticketmaster initially stated that the breach affected just over 1,000 people, it actually impacted millions of customers worldwide, exposing sensitive information. The data theft was carried out by the threat actor ShinyHunters, who claimed to have stolen personal and credit card information of 560 million users by using compromised credentials for accounts that lacked multi-factor authentication. The incident shows how much sensitive data cybercriminals can steal in a single attack.
Conclusion
The cyber landscape is fraught with threats, from unpatched vulnerabilities to ransomware attacks and phishing campaigns. Staying vigilant and implementing robust security measures is essential to safeguard sensitive data.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today.