We’re back with our weekly cybersecurity bulletin. This week we look at threat actors abusing TeamViewer to deploy ransomware, the cyberattack on Kansas State University, two novel phishing campaigns (fake Norton antivirus renewal notices, and a fake PDF decryptor that drops the Spica backdoor described by Google), and the FBI and CISA warning about the Androxgh0st malware, so you can take the necessary action and protect yourself. Let’s take a look.


TeamViewer Exploited in Recent Ransomware Attacks on Networks

Threat actors have taken a liking to TeamViewer once again and are using it to gain initial access to organizations. 

The remote access tool is widely used, and a new report from Huntress shows how an old technique has resurfaced: threat actors take over victim devices through TeamViewer and then deploy ransomware. The attackers are not picky about targets. Of the two compromised endpoints Huntress examined, one had sat unused for months, and the other was in daily use by an employee.

In both cases, the threat actors deployed the ransomware with a Windows batch file that ran a DLL (Dynamic Link Library) payload through rundll32.exe. Huntress has not attributed the attacks to a known ransomware gang, but notes that the payload resembles LockBit encryptors produced with the leaked LockBit Black (LockBit 3.0) builder, a tool that lets anyone generate customized versions of the encryptor and launch their own campaigns.

Exactly how the threat actors are getting into TeamViewer is still unclear. TeamViewer’s statement says the unauthorized access it sees usually results from weakened default security settings, weak or reused passwords, or outdated software versions, not from a flaw in the product itself. The company also published secure-access practices (strong unique passwords, two-factor authentication, and allow-lists among them) that reduce the chance of ransomware being deployed over a remote access session.

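The chain above (an unexpected remote-control session, then a batch file that launches a DLL through rundll32.exe) is something a defender can look for in logs they already have. The following is an added example, not code from Huntress or TeamViewer: it correlates TeamViewer’s incoming-connection records with process-creation events and raises an alert only when both halves line up. The log lines are constructed, the tab-separated layout of connections_incoming.txt (partner ID, partner name, start, end, local user, connection type, connection ID) is an assumption, and the helpdesk allow-list and business hours are placeholders you would replace with your own.

```python
"""Correlate TeamViewer incoming sessions with rundll32.exe launches.

All log data below is constructed for illustration; the column layout of
connections_incoming.txt is assumed, as is the allow-list of partner IDs.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed TeamViewer incoming-connection log (tab-separated fields).
TV_LOG = """\
111222333\tHelpdesk-Laptop\t15-01-2024 09:12:41\t15-01-2024 09:30:05\tjdoe\tRemoteControl\t{A1}
987654321\tUnknown\t15-01-2024 23:41:10\t15-01-2024 23:59:58\tjdoe\tRemoteControl\t{B2}
"""

# Constructed process-creation events: (time, parent image, image, command line).
PROC_EVENTS = [
    ("15-01-2024 09:20:00", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("15-01-2024 23:43:55", "TeamViewer_Desktop.exe", "cmd.exe",
     "cmd.exe /c C:\\Users\\jdoe\\AppData\\Local\\Temp\\deploy.bat"),
    ("15-01-2024 23:44:02", "cmd.exe", "rundll32.exe",
     "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.dll,run"),
]

KNOWN_PARTNER_IDS = {"111222333"}   # assumed allow-list of IT helpdesk IDs
BUSINESS_HOURS = range(7, 19)       # assumed 07:00-19:00 local time
TS = "%d-%m-%Y %H:%M:%S"


@dataclass
class Session:
    partner_id: str
    partner_name: str
    start: datetime
    end: datetime
    local_user: str
    conn_type: str


def parse_sessions(text):
    """Parse the (assumed) tab-separated connections_incoming.txt layout."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, name, start, end, user, ctype, _conn_id = line.split("\t")
        sessions.append(Session(pid, name, datetime.strptime(start, TS),
                                datetime.strptime(end, TS), user, ctype))
    return sessions


def is_suspicious_session(s, known_ids=KNOWN_PARTNER_IDS):
    """Remote-control session from an unknown partner ID or outside business hours."""
    off_hours = s.start.hour not in BUSINESS_HOURS
    return s.conn_type == "RemoteControl" and (s.partner_id not in known_ids or off_hours)


def rundll32_from_batch(events, window_start, window_end):
    """Return rundll32.exe command lines inside the window that were spawned by
    cmd.exe while a batch file was also run by cmd.exe in the same window."""
    def in_window(t):
        return window_start <= datetime.strptime(t, TS) <= window_end

    batch_seen = any(image == "cmd.exe" and ".bat" in cmdline.lower() and in_window(t)
                     for t, _parent, image, cmdline in events)
    if not batch_seen:
        return []
    return [cmdline for t, parent, image, cmdline in events
            if in_window(t) and image == "rundll32.exe" and parent == "cmd.exe"]


def find_alerts(tv_log=TV_LOG, events=PROC_EVENTS):
    """One alert per suspicious session that overlaps a batch->rundll32 chain."""
    alerts = []
    for s in parse_sessions(tv_log):
        if not is_suspicious_session(s):
            continue
        payloads = rundll32_from_batch(events, s.start, s.end)
        if payloads:
            alerts.append({"partner_id": s.partner_id, "user": s.local_user,
                           "start": s.start.isoformat(), "payloads": payloads})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts():
        print(alert)
```

Requiring both signals keeps the noise down: a helpdesk session during the day that never touches rundll32.exe stays silent, while an off-hours session from an unknown partner ID that overlaps a batch-driven DLL launch is exactly the pattern Huntress described. In production you would read the real TeamViewer log and Sysmon or EDR process events instead of the constructed samples.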

Cyberattack at Kansas State University Disrupts IT Network and Services

Kansas State University (K-State) has announced that it is managing a cybersecurity incident.

The incident knocked out the university’s VPN, K-State Today emails, and video services. K-State reported disruptions to its IT systems on Tuesday morning and confirmed by the afternoon that a cyberattack was the cause. Affected systems were taken offline as soon as the attack was detected, and a later update said dedicated resources are working to bring everything back online safely and as soon as possible.


The university has also brought in third-party IT forensic experts and is urging students and staff to watch for further suspicious activity and report it to the IT help desk. Services are being restored at reduced capacity, and the university says email delivery is running up to 48 hours behind.

No threat actor group has claimed responsibility for the attack. Check the K-State media page for updates on the cyberattack and guidance on what to do.


Russian FSB Hackers Utilize New Spica Backdoor Malware, Says Google

Google’s Threat Analysis Group (TAG) has shared details on the ColdRiver hacking group, which is delivering a backdoor disguised as a PDF decryption tool.

The Russia-backed group emails a target a PDF that appears to be encrypted. When the target replies that they cannot read it, the attackers send a link to a supposed decryptor: an executable named “Proton-decrypter.exe”. Running it opens a decoy PDF as cover while it installs the Spica backdoor on the victim’s system. Spica talks to its C2 (command-and-control) server using JSON over WebSockets and, among other things, steals cookies from the victim’s web browsers and sends them to the attackers.

Google has already added the domains and files used in these attacks to its Safe Browsing protection and has emailed the targeted users a warning. If you received one, follow its instructions. If not, stay alert for phishing emails of this kind, and treat any “decryptor” you are asked to download and run as malware until proven otherwise.


FBI Warns of Androxgh0st Malware Botnet Stealing AWS and Microsoft Credentials

CISA and the FBI have released a joint advisory about threat actors using the Androxgh0st malware to build a botnet that steals cloud credentials.

The botnet was first documented by Lacework Labs, which found it controlling nearly 40,000 devices in 2022. It scans for websites and servers running software with known, unpatched vulnerabilities.

Once it finds a vulnerable system, it exploits it. Androxgh0st is written in Python and hunts for .env files, the configuration files in which web applications store credentials for services such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio. With those credentials in hand, the malware can abuse SMTP (Simple Mail Transfer Protocol) for spam, check the stolen keys and harvest further credentials from the cloud accounts, and deploy web shells on the compromised servers.

To stay safe, keep operating systems, software, and firmware up to date, make sure no Apache server is running version 2.4.49 or 2.4.50, and confirm that your web servers never serve .env files to the public.

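The advisory boils down to three checks a web administrator can run today: are scanners probing your site for .env files (and did any request succeed), is an Apache build at one of the named versions exposed, and what would an attacker get from a .env file that leaked. The block below is an added example rather than anything from the FBI/CISA advisory or from Lacework. The access-log lines and the sample .env are constructed, and the mapping from variable-name prefixes to credential types is an assumption based on common .env conventions.

```python
"""Three checks for the Androxgh0st activity described in the advisory:
.env probes in a web access log, at-risk Apache versions, and the kinds of
credentials an exposed .env file would hand over. All input is constructed."""
import os
import re
from collections import Counter

# Constructed combined-format access log lines (nothing here is real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [16/Jan/2024:02:11:03 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2024:02:11:04 +0000] "GET /admin/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2024:02:11:05 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jan/2024:02:12:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.4"
203.0.113.7 - - [16/Jan/2024:02:11:06 +0000] "GET /laravel/.env?x=1 HTTP/1.1" 200 740 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def env_probes(text):
    """Count .env requests per source IP and list the ones the server answered
    with 200, i.e. the cases where the secrets were actually served."""
    probes, served = Counter(), []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]          # drop any query string
        if os.path.basename(path).startswith(".env"):
            probes[m["ip"]] += 1
            if m["status"] == "200":
                served.append((m["ip"], path))
    return probes, served


# The two Apache versions the advisory and this bulletin single out.
VULNERABLE_APACHE = {"2.4.49", "2.4.50"}


def apache_version_at_risk(server_header):
    """True when a Server header such as 'Apache/2.4.49 (Unix)' names an
    at-risk version. Other servers and other versions return False."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", server_header)
    return bool(m) and m.group(1) in VULNERABLE_APACHE


# Assumed prefix-to-service mapping for typical .env variable names.
SECRET_PREFIXES = {
    "AWS_": "aws",
    "MAIL_": "smtp",
    "SENDGRID_": "sendgrid",
    "TWILIO_": "twilio",
    "OFFICE365_": "o365",
}

# Constructed sample .env; every value is a placeholder, not a real secret.
SAMPLE_ENV = """\
APP_NAME=demo
APP_KEY=base64:constructed-placeholder
AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER
AWS_SECRET_ACCESS_KEY=constructed-secret
MAIL_USERNAME=notifier@example.com
MAIL_PASSWORD=
SENDGRID_API_KEY=
TWILIO_AUTH_TOKEN=constructed-token
"""


def exposed_secret_kinds(env_text):
    """Which credential families a leaked .env file would expose. Empty values
    are ignored, since an unset variable gives the attacker nothing."""
    kinds = set()
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if not value.strip():
            continue
        key = key.strip().upper()
        for prefix, kind in SECRET_PREFIXES.items():
            if key.startswith(prefix):
                kinds.add(kind)
    return kinds


if __name__ == "__main__":
    print(env_probes(ACCESS_LOG))
    print(apache_version_at_risk("Apache/2.4.49 (Unix)"))
    print(sorted(exposed_secret_kinds(SAMPLE_ENV)))
```

A single 404 for /.env is routine background scanning; a 200 is an incident, because the credentials are already in the attacker’s hands and should be rotated immediately. The fix for the exposure itself is to refuse dotfiles at the web server, for example `<FilesMatch "^\.env">` with `Require all denied` in Apache or `location ~ /\.env { deny all; }` in nginx, and to keep .env files outside the document root in the first place.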

Fake Antivirus Renewal Phishing Tactics Revealed in US Court Documents

The US Secret Service has filed a seizure warrant application describing how threat actors stole $34,000 through fake antivirus renewal emails.

The stolen money was deposited into a Chase Bank account in the name of Bingsong Zhou. The scammers emailed people fake Norton Antivirus renewal notices claiming they were about to be charged for a license renewal, complete with a phone number to call to cancel. Once a victim called, the scammers talked them into installing remote access software on their computer.

They did not stop at remote access: victims were also directed to enter their account credentials on a phishing page. In one example, the email warned the recipient that $349.95 would be charged for Norton antivirus unless they called and canceled. After gaining remote access to the victim’s computer, the scammers put up a blue screen overlay to hide what they were doing while they transferred $34,000 from his savings account to their own.


Robust phishing protection starts with vigilance: treat unexpected payment or renewal emails with suspicion, never call a phone number or follow a link from the email itself, and confirm every payment or subscription directly through the vendor’s official website.
