Cybersecurity Trends June 2023: Threat Intelligence Report
In our June 2023 report, we take a closer look at the cybersecurity trends that marked the month, including a malware-filled version of Super Mario 3, the rise of macOS attacks, and other cybersecurity issues you should be aware of.
Phishing and Malware trends and statistics
Chart: newly registered domains, confirmed new phishing domains, new potential similar domains.
During June, FYEO discovered a total of 63K newly registered domains, of which 352 were considered similar domains and are likely squatting domains (domains registered to resemble a well-known brand or organization, with the intention of using them for malicious purposes such as phishing).
A further 173 of the newly registered domains were identified as actively serving fake websites and phishing content, and 2.5K were identified as serving malware-related files and content.
Data leaks and credentials statistics
Chart: reported leaked credentials, reported leak sources, FYEO-indexed sources, FYEO-indexed credentials.
June also saw 79 security incidents that resulted in the compromise of more than 14M records. The biggest data breach of the month occurred at the Oregon and Louisiana Departments of Motor Vehicles, where over 3M records were compromised.
During the month, FYEO indexed and gathered a total of 565K leaked credentials from 13 sources, collected through open sources and public releases.
Regarding FYEO's collection statistics, it is worth noting that there is generally a long delay between a breach and the publication of the stolen data. The data FYEO collects in a given month is therefore most likely not from the same sources that were reported breached that month.
MOVEit fiasco: the list of victims continues to grow
Attackers are actively targeting the MOVEit Transfer file transfer software by exploiting a zero-day vulnerability identified as CVE-2023-34362. The flaw permits unauthorized access to an organization's data, and the information of over 16 million people has been compromised so far.
MOVEit Transfer, created by Ipswitch (a Progress Software Corporation subsidiary), is a managed file transfer product for exchanging files between organizations and their customers over protocols such as SFTP, SCP, and HTTP.
Cybercriminals, notably those linked with the Clop ransomware group, have been aggressively abusing this zero-day vulnerability in MOVEit MFT to steal large amounts of data from targeted enterprises. The Clop gang has claimed responsibility for the attacks and stated that the exploitation began on May 27th, during the US Memorial Day holiday, when organizations often operate with reduced staff. Launching attacks around holidays is a recurring Clop tactic.
The initial vulnerability, CVE-2023-34362, which has since been patched, is in the MOVEit Transfer web application. According to Progress Software Corporation, it allows attackers to obtain information about the database's structure and contents, as well as execute SQL statements that alter or delete database elements.
It was recently revealed that the University of California, Los Angeles (UCLA), Siemens Energy, and Schneider Electric all suffered unauthorized data access as a result of the MOVEit vulnerability. According to Bloomberg and the Associated Press, the Department of Health and Human Services (HHS) has become the fourth US government department or agency to be affected by the MOVEit incident. The government reportedly notified Congress that the breach affected over 100,000 people.
Additionally, the Departments of Energy and Agriculture and the Office of Personnel Management were affected. Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), stated that "several" federal entities were affected but declined to specify how many.
macOS users are being attacked!
macOS is widely regarded as one of the most secure operating systems available, thanks to its extensive security mechanisms. With over 100 million macOS devices in use globally at the start of 2023, its ubiquity has drawn the interest of threat actors, who have only recently begun attacking these devices.
An unnamed cryptocurrency exchange in Japan was recently the target of an attack using a macOS backdoor dubbed JokerSpy. The malware serves the attackers both as a backdoor and as an open-source reconnaissance tool, and is a flexible, cross-platform toolkit capable of targeting macOS systems. To collect data and execute commands on infected systems, the attackers use a mix of Python and Swift components.
A key component of this toolkit is XCC, a self-signed binary built for multiple architectures. Its primary function is to check for the FullDiskAccess and ScreenRecording permissions. The binary is disguised as XProtectCheck, a name that mimics XProtect, the built-in macOS antivirus technology that uses signature-based detection rules to find and remove malware from compromised computers. The victim was a well-known cryptocurrency service provider in Japan that specializes in asset exchange for major cryptocurrencies such as Bitcoin and Ethereum; the company's name has not been published.
Security researchers have revealed an updated version of a macOS malware known as RustBucket that adds persistence and improved evasion of security software. The malware is attributed to a North Korean threat actor called BlueNoroff, operating under the umbrella of the Lazarus Group, a well-known hacking unit overseen by the Reconnaissance General Bureau (RGB), the primary intelligence agency in North Korea.
RustBucket first came to light in April 2023. Initially, it was identified as an AppleScript-based backdoor that could retrieve a second-stage payload from a remote server. The second-stage malware, compiled in Swift, is designed to download the main malware, a Rust-based binary, from a command-and-control (C2) server. This main malware possesses extensive information-gathering capabilities and can fetch and execute additional Mach-O binaries or shell scripts on the compromised system. This marks the first instance of BlueNoroff targeting macOS users specifically, although a .NET version of RustBucket with similar features has since emerged.
The infection chain starts with a macOS installer file that installs a modified PDF reader, which functions as a backdoor. Notably, the malicious activity is triggered only when a weaponized PDF file is opened using the rogue PDF reader. The initial intrusion vectors observed in these attacks include phishing emails and the use of fake identities on social networks such as LinkedIn. The targeted attacks primarily focus on financial institutions in Asia, Europe, and the United States. These findings suggest that the motive behind these activities is illicit revenue generation, potentially aimed at circumventing sanctions.
Game Installers Turned Trojan Horses: Malware Campaign Exploits Trust and Popularity of Super Mario 3 Installer
Threat actors use game installers to distribute various types of malware. The tactic capitalizes on the broad user base of games and the trust users place in game installers as legitimate software. Recently, researchers from Cyble discovered a modified version of the Super Mario 3: Mario Forever installer being distributed as a self-extracting archive executable through unidentified channels, likely promoted on gaming forums and social media groups or pushed to users through malvertising and black-hat SEO. The archive contains three executables: one that installs the legitimate Mario game ("super-mario-forever-v702e.exe") and two others named "java.exe" and "atom.exe", which are silently installed in the victim's AppData directory during the game's installation.
Once the malicious executables are on the victim's system, the installer runs them: an XMR (Monero) miner and the SupremeBot mining client. The "java.exe" file is the Monero miner; it gathers information about the victim's hardware and connects to a mining server at "gulf[.]moneroocean[.]stream" to start mining. Meanwhile, SupremeBot ("atom.exe") copies itself into a hidden folder within the game's installation directory.
SupremeBot then creates a scheduled task that runs the copy every 15 minutes indefinitely, disguised as a legitimate process. The original process is terminated and the original file deleted to evade detection. The malware then establishes a command-and-control (C2) connection to transmit system information, register the client, and receive the configuration for its Monero mining operations.
SupremeBot then retrieves an additional payload from the C2 server, an executable named "wime.exe". This final file is Umbral Stealer, an open-source C# information stealer that has been available on GitHub since April 2023 and is responsible for stealing data from the compromised Windows device.
The stolen data includes information stored in web browsers, such as saved passwords and cookies carrying session tokens, as well as credentials and authentication tokens for platforms like Discord, Minecraft, Roblox, and Telegram. Cryptocurrency wallets are also targeted by the stealer.
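The persistence step above (a dropped binary under the user profile, re-run by a scheduled task every 15 minutes) is detectable from the task definition that Windows logs when a task is created (Security event 4698 carries the task XML). As an added example that is not Cyble's or FYEO's code, the following Python parses such task XML and lists why a task looks like this dropper; the user-writable path list and the two task records are constructed.

```python
# Added example: flag scheduled tasks matching the persistence pattern described
# above (payload under the user profile, re-run every few minutes). This is not
# Cyble's or FYEO's code, and the task XML records below are constructed.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a trojanized installer can write to without elevation (assumption).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+|programdata|windows\\temp)\\", re.I)
MAX_INTERVAL_MIN = 30          # re-runs this frequent are rare for legitimate tasks

def iso_minutes(duration: str) -> float:
    """Convert an ISO 8601 duration such as PT15M or P1D to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(task_xml: str) -> dict:
    """Extract command and repeat interval from task XML (as logged in Security
    event 4698) and list the reasons, if any, the task looks like the dropper."""
    root = ET.fromstring(task_xml)
    cmd = root.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    interval = root.findtext(".//t:Repetition/t:Interval", namespaces=NS)
    minutes = iso_minutes(interval) if interval else None
    reasons = []
    if USER_WRITABLE.match(cmd.strip().strip('"')):
        reasons.append("command runs from a user-writable location")
    if minutes is not None and minutes <= MAX_INTERVAL_MIN:
        reasons.append(f"repeats every {minutes:g} minutes")
    return {"command": cmd, "interval_min": minutes, "reasons": reasons}

def _task(command: str, interval: str) -> str:
    """Build a minimal task definition in the Task Scheduler schema (constructed)."""
    return f"""<Task xmlns="{NS['t']}" version="1.2">
  <Triggers><TimeTrigger><Repetition><Interval>{interval}</Interval></Repetition>
    <StartBoundary>2023-06-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

# Constructed records: one mimicking the dropper's task, one ordinary vendor updater.
SUSPICIOUS_TASK = _task(r'"C:\Users\victim\AppData\Local\Mario Forever\.cache\atom.exe"', "PT15M")
BENIGN_TASK = _task(r"C:\Program Files\Vendor\Updater\updater.exe", "P1D")
```

A task that triggers both reasons is a strong candidate for the pattern; one reason alone (a daily task from AppData, or a frequent task from Program Files) is common in legitimate software and should only lower the alert priority.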
A look back at infamous phishing attacks
Phishing is a prevalent and highly dangerous form of cybercrime that tricks individuals and organizations into revealing sensitive information or downloading malware. It has become increasingly common, with reports estimating that 3.4 billion malicious emails are sent daily. The attack relies on well-crafted emails, social media posts, or phone messages that exploit the inattention or lack of awareness of their recipients.
A new phishing website is created approximately every 20 seconds, according to a report shared by DataPort.
There have been several historic phishing attacks that have left a lasting impact due to their devastating consequences. Here are a few examples:
Google & Facebook Attack:
Evaldas Rimasauskas, a Lithuanian man, orchestrated a business email compromise scheme that stole over $100 million from Facebook and Google. Rimasauskas and his accomplices created convincing forged email accounts mimicking Quanta Computer, a Taiwan-based company with legitimate business dealings with both tech giants. They sent carefully crafted phishing emails containing fake invoices, contracts, and letters, tricking employees into believing they owed millions of dollars. Over a two-year period from 2013 to 2015, Facebook and Google employees paid more than $100 million into bank accounts belonging to Rimasauskas' fake company, and he subsequently laundered the money through various banks.
FACC Attack:
FACC, an Austrian aerospace parts manufacturer, suffered one of the most financially damaging business email compromise (BEC) attacks in history in 2016. An employee received an apparently routine email impersonating FACC's CEO, Walter Stephan, requesting the transfer of approximately $50 million to another account as part of an alleged "acquisition project." The employee fell for the deception and transferred the money, resulting in severe financial losses. Although approximately $10 million of the transfer was stopped, the incident still had a significant impact and cost the CEO his job.
Crelan Bank Attack:
Following the FACC incident, Crelan Bank, a Belgian firm, fell victim to a similar scam. The attacker impersonated the CEO's email account and instructed an employee to transfer funds to an account controlled by the attacker. The details regarding the purpose of the transfer and the exact amount paid were not disclosed publicly.
Ukrainian Power Grid Attack:
In December 2015, the Ukrainian electricity distribution company Kyivoblenergo became the world's first power grid provider to suffer a cyberattack that resulted in a blackout. The attack began with a phishing email that gave the perpetrators access to Kyivoblenergo's network. Using malware called BlackEnergy, the attackers targeted the company's computer and SCADA systems, disconnecting 30 substations for three hours. The attack, believed to be the work of the group behind NotPetya, affected approximately 230,000 customers and caused a significant power outage in the Ivano-Frankivsk region of Ukraine, where nearly half the homes lost power.
These phishing attacks serve as reminders of the significant risks posed by cybercriminals who exploit human vulnerabilities for financial gain or to disrupt critical infrastructure. It is crucial to remain vigilant, exercise caution when interacting with electronic communications, and implement robust cybersecurity measures to mitigate the risks associated with phishing.
By utilizing FYEO Agent, individuals and organizations can significantly enhance their defense against phishing attempts. In an era where online threats continue to evolve, investing in a reliable cybersecurity product is essential. With FYEO Agent, which is completely free to use, users can mitigate the risks posed by phishing attacks, protect their sensitive information, and maintain a secure online presence.