
Cyber Security Headlines – October 25, 2021

Crypto-miner and malware found hidden inside npm libraries

Sonatype has uncovered crypto-mining malware hidden inside three JavaScript libraries uploaded to the official npm package repository. The three packages, disguised as user-agent string parsers, detect the user’s operating system and then run a BAT or shell script matching the victim’s platform; the script downloads an externally hosted EXE or Linux ELF and executes the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize. The three npm packages were klow, klown, and okhsa, and they were live for only a day, October 15. In a related but separate story, a critical severity advisory was posted on GitHub on Friday and cited on CISA’s website, warning of embedded malware in three versions of ua-parser-js, a library used in apps and websites to determine the type of device or browser a person is using from User-Agent data. CISA urges users and administrators running the compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions.

(The Record, CISA, and GitHub)
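A practical first response to the story above is to check every lockfile in the estate for the named packages and versions. The script below is an added example, not code from Sonatype, CISA or the ua-parser-js project: it walks both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3 and reports any install of klow, klown or okhsa, or of ua-parser-js at 0.7.29, 0.8.0 or 1.0.0 (the names and versions come from the advisory; the two lockfiles embedded here are constructed for the demonstration).

```javascript
// Added example: scan npm lockfiles for the packages and versions named in the
// Sonatype / CISA advisories. Names and versions below are from the advisory;
// the sample lockfiles further down are constructed, not real projects.

const MALICIOUS_PACKAGES = new Set(['klow', 'klown', 'okhsa']);
const COMPROMISED_VERSIONS = {
  'ua-parser-js': new Set(['0.7.29', '0.8.0', '1.0.0']),
};

// lockfileVersion 1: a nested "dependencies" tree, one level per hoisting step.
function collectV1(deps, pathPrefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${pathPrefix}node_modules/${name}`;
    out.push({ name, version: entry.version, path });
    if (entry.dependencies) collectV1(entry.dependencies, `${path}/`, out);
  }
}

// lockfileVersion 2/3: a flat "packages" map keyed by node_modules path.
function collectV2(packages, out) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project itself, not a dependency
    // Take the last path segment after "node_modules/"; keeps "@scope/name" intact.
    const idx = key.lastIndexOf('node_modules/');
    const name = entry.name || key.slice(idx + 'node_modules/'.length);
    out.push({ name, version: entry.version, path: key });
  }
}

// Returns one finding per matching install, with the reason it matched.
function findCompromised(lockfile) {
  const installed = [];
  if (lockfile.packages) collectV2(lockfile.packages, installed);
  else collectV1(lockfile.dependencies, '', installed);

  const findings = [];
  for (const pkg of installed) {
    if (MALICIOUS_PACKAGES.has(pkg.name)) {
      findings.push({ ...pkg, reason: 'malicious package' });
    }
    const bad = COMPROMISED_VERSIONS[pkg.name];
    if (bad && bad.has(pkg.version)) {
      findings.push({ ...pkg, reason: 'compromised version' });
    }
  }
  return findings;
}

// Convenience wrapper for a lockfile read from disk: findCompromised(JSON.parse(text)).
function scanLockfileText(text) {
  return findCompromised(JSON.parse(text));
}

// Constructed sample: a v2 lockfile with one compromised ua-parser-js, one
// malicious package, and a nested ua-parser-js at a version that is not affected.
const SAMPLE_LOCK_V2 = {
  name: 'example-app', lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '0.7.29' },
    'node_modules/express': { version: '4.17.1' },
    'node_modules/okhsa': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.28' },
  },
};

// Constructed sample: a v1 lockfile with a compromised ua-parser-js at the top
// level and a malicious package pulled in transitively.
const SAMPLE_LOCK_V1 = {
  name: 'example-app', lockfileVersion: 1,
  dependencies: {
    'ua-parser-js': { version: '1.0.0' },
    'left-pad': { version: '1.3.0', dependencies: { klown: { version: '1.0.0' } } },
  },
};

for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
  for (const f of findCompromised(lock)) {
    console.log(`lockfileVersion ${lock.lockfileVersion}: ${f.path}@${f.version} (${f.reason})`);
  }
}
```

To run it against a real project, pass the contents of `package-lock.json` (or `npm-shrinkwrap.json`) to `scanLockfileText`; the walk deliberately covers nested installs, because a compromised version hoisted under another dependency is just as much a problem as one at the top level.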

Facebook sues Ukrainian who scraped the data of 178 million users

Facebook alleges that Alexander Alexandrovich Solonchenko of Kirovograd, Ukraine abused a feature of Facebook Messenger called Contact Importer, which allows users to synchronize their phone address books to find friends. Between January 2018 and September 2019, Solonchenko allegedly used an automated tool to pose as Android devices in order to feed Facebook servers with millions of random phone numbers. As Facebook servers returned information for which phone numbers had an account on the site, Solonchenko collected the data, which he later offered for sale on RaidForums.

(The Record)
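The abuse described above has a recognisable shape from the service side: a genuine address-book sync is bounded by the size of a phone book and most of the numbers it submits belong to real people, whereas feeding random numbers produces very large volumes with a low match rate. The following is an added detection example, not Facebook code: it profiles each client's contact-import lookups and flags clients that exceed a volume threshold while matching almost nothing. The log format, the thresholds and the sample log lines are all assumptions constructed for the demonstration.

```javascript
// Added example: flag contact-import clients whose lookup pattern resembles
// enumeration of random phone numbers rather than a real address-book sync.
// Log format (assumed): "<ISO timestamp> <clientId> <hashed number> hit|miss".

function parseLine(line) {
  const [ts, clientId, numberHash, result] = line.trim().split(/\s+/);
  return { ts: Date.parse(ts), clientId, numberHash, hit: result === 'hit' };
}

// Thresholds are assumptions for the demonstration; real values come from the
// observed distribution of legitimate imports on the service in question.
const MIN_LOOKUPS = 1000;   // below this, volume alone proves nothing
const MAX_HIT_RATE = 0.10;  // real phone books match far more often than this

// Per-client aggregate: volume, distinct numbers, hits and the time span seen.
function profileClients(lines) {
  const byClient = new Map();
  for (const rec of lines.map(parseLine)) {
    let p = byClient.get(rec.clientId);
    if (!p) {
      p = { lookups: 0, hits: 0, numbers: new Set(), first: rec.ts, last: rec.ts };
      byClient.set(rec.clientId, p);
    }
    p.lookups += 1;
    if (rec.hit) p.hits += 1;
    p.numbers.add(rec.numberHash);
    p.first = Math.min(p.first, rec.ts);
    p.last = Math.max(p.last, rec.ts);
  }
  return byClient;
}

// Returns the clients whose profile crosses both thresholds.
function flagEnumerators(lines) {
  const flagged = [];
  for (const [clientId, p] of profileClients(lines)) {
    const hitRate = p.hits / p.lookups;
    const minutes = Math.max(1, (p.last - p.first) / 60000);
    if (p.lookups >= MIN_LOOKUPS && hitRate <= MAX_HIT_RATE) {
      flagged.push({
        clientId,
        lookups: p.lookups,
        distinct: p.numbers.size,
        hitRate: +hitRate.toFixed(3),
        perMinute: Math.round(p.lookups / minutes),
      });
    }
  }
  return flagged;
}

// Constructed sample log: client-A syncs a 400-entry phone book (70% match);
// client-B submits 3000 distinct numbers in about ten minutes with a 1% match rate.
function buildSampleLog() {
  const lines = [];
  const base = Date.parse('2019-09-01T10:00:00Z');
  for (let i = 0; i < 400; i++) {
    const result = i % 10 < 7 ? 'hit' : 'miss';
    lines.push(`${new Date(base + i * 500).toISOString()} client-A h${String(i).padStart(6, '0')} ${result}`);
  }
  for (let i = 0; i < 3000; i++) {
    const result = i % 100 === 0 ? 'hit' : 'miss';
    lines.push(`${new Date(base + i * 200).toISOString()} client-B r${String(i).padStart(6, '0')} ${result}`);
  }
  return lines;
}

for (const f of flagEnumerators(buildSampleLog())) {
  console.log(`suspected enumeration: ${f.clientId} ${f.lookups} lookups, hit rate ${f.hitRate}, ~${f.perMinute}/min`);
}
```

The two thresholds work together on purpose: volume alone would flag a power user importing a large legitimate contact list, and a low hit rate alone would flag a small import from a region where the service has few users; a client that is both very large and almost entirely misses is the pattern worth rate-limiting or reviewing.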

BlackMatter ransomware victims quietly helped using secret decryptor

Soon after the BlackMatter ransomware operation launched, Emsisoft discovered a flaw that allowed them to create a decryptor to recover victims’ files. Emsisoft immediately alerted law enforcement, ransomware negotiation firms, incident response firms, CERTs worldwide, and trusted partners with information about the decryptor, choosing to keep quiet so as not to alert the ransomware gang to the flaw. As victims started refusing to pay, BlackMatter grew increasingly suspicious and angry with ransomware negotiators, to the point of sending death threats.

(Bleeping Computer)

Massive campaign uses YouTube to push password-stealing malware

Unrelated to the YouTube influencer phishing story we brought you last week, another major YouTube campaign is underway, in which how-to videos are used to distribute password-stealing trojans through links embedded in video descriptions. Although this is not a new technique, security researchers have noticed a significant uptick in YouTube campaigns pushing RedLine and Raccoon Stealer malware. The threat actors use stolen Google accounts to launch new YouTube channels to spread the malware, creating hundreds of videos and channels in mere minutes.

(Bleeping Computer)

Thanks to our episode sponsor, Banyan Security

Today, 75% of enterprises are using some form of hybrid-cloud deployment. Unfortunately, traditional network-centric security solutions like VPNs are not designed to meet the scale, performance, and usability needs of modern organizations, especially those with dynamic hybrid- and multi-cloud environments.
Replace your traditional network access boxes – VPNs, bastion hosts, and gateways – with a cloud-based zero trust remote access solution and enable a safe and reliable “work from anywhere” environment. Visit banyansecurity.io for more information.

Data breach hits US dental patients

The computer systems of Pittsburgh-based North American Dental Management were hit between March 31 and April 1, 2021. The company provides administrative and technical support services for Professional Dental Alliance (PDA) offices. The information that may have been exposed, which may have included patients’ protected health information, was stored in email accounts that the attacker was able to breach as the result of an email phishing incident.

(Infosecurity Magazine)

Phone carrier employee sentenced for role in SIM-swapping scheme

A former sales representative of a mobile carrier has been sentenced after accepting bribes of up to $500 a day to perform the switches required to reroute phone numbers in SIM-swapping attacks. Between 2017 and 2018, Stephen Defiore of Florida was a sales representative for an unnamed carrier. He accepted the bribes to swap victims’ phone numbers, PINs, and SIM card numbers. Defiore was sentenced on October 19 and will serve three months’ probation and a year of home confinement, and must perform 100 hours of community service. He must also pay a $100 fee and $77,417.50 in restitution.


Microsoft warns of TodayZoo phishing kit used in extensive credential stealing attacks

Microsoft on Thursday disclosed an “extensive series of credential phishing campaigns” that take advantage of a custom phishing kit stitched together from components of other widely circulated kits, with the goal of siphoning user login information. The Microsoft 365 Defender Threat Intelligence Team, which detected the first instances of the tool in the wild in December 2020, dubbed the copy-and-paste attack infrastructure “TodayZoo.” The TodayZoo campaign is no different from other credential phishing campaigns in that the sender emails impersonate Microsoft, claiming to be password reset or fax and scanner notifications, to redirect victims to credential harvesting pages. Where it stands out is the phishing kit itself, which is cobbled together out of chunks of code taken from other kits — “some available for sale through publicly accessible scam sellers or reused and repackaged by other kit resellers.”

(The Hacker News)

New Olympic record for DDoS defense

The organizers of the Tokyo Olympics and Paralympics say they blocked about 450 million cyberattacks on their systems and networks during the Games. They say no impact on operations was reported. The organizers announced the figure at a news conference on Thursday with representatives of telecommunications firm NTT, which was tasked with cybersecurity for the Games this summer. They said the number of cyberattacks was more than twice that reported during the 2012 London Games, when comparable data were available. The officials say they deterred all the attacks, which likely came from a wide range of countries and regions.

(NHK World)
