There’s no such thing as a slow week for cybercrime, which means that covering the waterfront on all of the threat intelligence and interesting stories out there is a difficult, if not impossible, task. This week was no exception and, in fact, seemed to offer a veritable trove of important happenings that we would be remiss not to mention.
To wit: Dangerous malware campaigns! Info-theft! YouTube Account Takeovers! Crypto under siege! Microsoft warnings!
In light of this, Dark Reading is debuting a weekly “in case you missed it” (ICYMI) digest, rounding up important news from the week that our editors just didn’t have time to cover before.
This week, read on for more on the following, ICYMI:
- Smart Factories Face Snowballing Cyberactivity
- Lazarus Group Likely Behind $100M Crypto-Heist
- 8220 Gang Adds Atlassian Bug to Active Attack Chain
- Critical Infrastructure Cyber Pros Feel Hopeless
- Hacker Impersonates TrustWallet in Crypto Phishing Scam
- Cookie-Stealing YTStealer Takes Over YouTube Accounts
- Follina Bug Used to Spread XFiles Spyware
Smart Factories Face Snowballing Cyberactivity
A whopping 40% of smart factories globally have experienced a cyberattack, according to a survey out this week.
Smart factories – in which industrial Internet of Things (IIoT) sensors and equipment are used to reduce costs, obtain telemetry, and bolster automation – are officially a thing, with the digitization of manufacturing well underway. But cyberattackers are taking notice too, according to Capgemini Research Institute.
Among sectors, heavy industry faced the highest volume of cyberattacks (51%). Those attacks take many forms, too: 27% of firms have seen an increase of 20% or more in bot-herders taking over IIoT endpoints for distributed denial-of-service (DDoS) attacks; and 28% of firms said they have seen an increase of 20% or more in employees or vendors bringing in infected devices, for instance.
“With the smart factory being one of the emblematic technologies of the transition to digitization, it is also a prime target for cyberattackers, who are scenting new blood,” according to the report.
At the same time, the firm also uncovered that in nearly half (47%) of organizations, smart factory cybersecurity is not a C-level concern.
Lazarus Group Likely Behind $100M Crypto-Heist
Security researchers are laying the $100 million hack of the Horizon Bridge crypto exchange at the feet of North Korea’s notorious Lazarus Group advanced persistent threat.
Horizon Bridge enables users of the Harmony blockchain to interact with other blockchains. The heist occurred June 24, with the culprits making off with various cryptoassets, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.
According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only carries out classic APT activity like cyber-espionage, but also acts as a money-earner for the North Korean regime, researchers noted.
The thieves in this case have so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer, Elliptic noted, which essentially acts as a money launderer.
8220 Gang Adds Atlassian Bug to Active Attack Chain
The 8220 Gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks in order to distribute cryptominers and an IRC bot, Microsoft warned this week.
The Chinese-speaking threat group has been actively exploiting the bug since it was disclosed in early June.
“The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access,” Microsoft’s Security Intelligence Centre tweeted.
Critical Infrastructure Cyber Pros Feel Hopeless
A staggering 95% of cybersecurity leaders at critical national infrastructure organizations in the UK say they could see themselves leaving their jobs in the next year.
According to a survey from Bridewell, 42% feel a breach is inevitable and don’t want to tarnish their career, while 40% say they are experiencing stress and burnout that is impacting their personal life.
Meanwhile, more than two-thirds of the respondents say that the volume of threats and successful attacks has increased over the past year – and 69% say it is harder to detect and respond to threats.
Hacker Impersonates TrustWallet in Crypto Phishing Scam
More than 50,000 phishing emails sent from a malicious Zendesk account made their way to email boxes in recent weeks, looking to take over TrustWallet accounts and drain funds.
TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Researchers at Vade said that the phish impersonates the service, using a slick and convincing TrustWallet-branded phishing page to ask for users’ password recovery phrases.
The emails, meanwhile, are unlikely to trigger email gateway filters, since they’re being sent from Zendesk.com, which is a trusted, high-reputation domain.
“As NFTs and cryptocurrencies overall have seen a significant downturn in recent weeks, on-edge investors are likely to react quickly to emails about their crypto accounts,” according to Vade’s analysis this week.
Cookie-Stealing YTStealer Takes Over YouTube Accounts
A never-before-seen malware-as-a-service threat has emerged on Dark Web forums, aimed at taking over YouTube accounts.
Researchers at Intezer noted that the malware, which they straightforwardly call YTStealer, works to steal YouTube authentication cookies from content creators in order to feed the underground demand for access to YouTube accounts. The cookies are extracted from the browser’s database files in the user’s profile folder.
“To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store,” according to the analysis. “[That way] the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything.”
From there, YTStealer navigates to YouTube’s Studio content-management page and nabs data, including the channel name, how many subscribers it has, how old it is, if it is monetized, if it’s an official artist channel, and if the name has been verified.
Follina Bug Used to Spread XFiles Spyware
A rash of cyberattacks is underway, looking to exploit the Microsoft Follina vulnerability to lift scores of sensitive information from victims.
Follina is a recently patched remote code-execution (RCE) bug that’s exploitable through malicious Word documents. It started life as an unpatched zero-day that quickly caught on among cybercrime groups.
According to a Cyberint Research Team report shared with Dark Reading via email, analysts found several XFiles stealer campaigns in which the Follina vulnerability was exploited as part of the delivery phase.
“The group that is selling the stealer is Russia-region based and is currently looking to expand,” researchers said. “Recent evidence suggests worldwide threat actor campaigns [underway].”
The stealer sniffs out data from all Chromium-based browsers, Opera, and Firefox, including history, cookies, passwords, and credit card information. It also lifts FTP, Telegram, and Discord credentials, looks for predefined file types located on the victim’s Desktop, and takes a screenshot. It also targets other clients, such as Steam, and crypto-wallets.