Microsoft researchers warned of a major phishing operation that attempted adversary-in-the-middle attacks on over 10,000 organizations. Hackers could extract login credentials by bypassing MFA, as well as trigger BEC attacks against other targets. Undoubtedly, malware evasion techniques continue to reap benefits for hackers. Recently, Qakbot has made a similar progression to keep itself hidden from modern anti-malware solutions. Security experts have shared their insights on the new variant.
Separately, AWS fixed multiple flaws in the authentication process that could let unauthenticated users bypass the protection for privilege escalation. Identified as CVE-2022-2385, the bug is an error in parameter validation.
Top Breaches Reported in the Last 24 Hours
Millions swindled from Uniswap
Uniswap, a DeFi protocol, reported a loss of about $8 million in ETH. It was a phishing attack and not the abuse of an exploit as was presumed earlier. During the campaign, attackers promised airdrops offering free tokens to Uniswap users. The hack was completed after some individuals unknowingly approved malicious transactions, which resulted in the theft of some LP NFTs.
Stolen credentials used to launch BEC attacks
Microsoft discovered a widespread phishing campaign aimed at over 10,000 organizations. The campaign, active since September 2021, has been pilfering user credentials even if accounts are protected with MFA. Hackers essentially pulled off an Adversary-in-the-Middle (AiTM) attack to steal session cookies and also accessed victims’ user mailboxes to launch BEC attacks against other targets.
Iraqi group hits Tel Aviv Community
A hacker group, known as al-Tahera, from Iraq claimed to have breached the website of a Tel Aviv municipality and knocked it offline. The message by the hackers read “Do not work, it's suspended by order of General Qassem Soleimani.” The group declared that the attack was in regard to the assassination of the top Iranian military commander Lieutenant General Qassem Soleimani.
BlackCat blackmails Bandai Namco
Bandai Namco, a Japanese multinational video game publisher, has been targeted by a ransomware attack. Rumors are that BlackCat actors could be behind the attack as the group allegedly posted to release the stolen data from the firm. The firm, however, is yet to confirm the attack.
Top Malware Reported in Last 24 Hours
Lesser known variants of ChromeLoader
Security experts at Palo Alto Networks disclosed new variants of ChromeLoader, an information-stealing malware. The malware was first used in a December 2021 attack wherein hackers used an AutoHotKey-compiled executable in place of the later-observed version using ISO files. Additionally, a macOS version of the malware is said to have emerged in March that distributed fake Chrome extensions through sketchy disk image files.
Evading techniques of Qakbot
Zscaler exposed new detection evasion attempts by Qakbot malware actors. It is now using ZIP file extensions, catchy file names with common formats, and Excel 4.0 macros to fool victims into downloading attachments containing the malware. In another method, hackers introduce code obfuscation by adding new layers in the attack chain from initial compromise to execution and using several URLs and unknown file extensions to deliver the payload.
Top Vulnerabilities Reported in the Last 24 Hours
Microsoft’s July 2022 Patch Tuesday
The monthly patch release by Microsoft has addressed 84 flaws affecting Windows, with two related to its Edge browser. Four flaws were rated ‘critical’ and the remaining 80 were labeled ‘important.’ Furthermore, a zero-day in the Windows Client Server Runtime Subsystem, tracked as CVE-2022-22047, was already being exploited in the wild.
AWS patches authentication bugs
AWS fixed three authentication bugs present in its IAM Authenticator for Kubernetes, used by Amazon Elastic Kubernetes Service. Customers using the AWS IAM Authenticator within Amazon EKS need not do anything to protect themselves. However, those hosting and managing their own Kubernetes clusters using AccessKeyID need to update the AWS IAM Authenticator for Kubernetes to version 0.5.9.
Top Scams Reported in the Last 24 Hours
Researchers at INKY have unearthed a new type of phone scam associated with an accounting software package called QuickBooks (by Intuit). Hackers impersonated top brands, including Apple, PayPal, and McAfee, to extract PII, card data, login credentials, and more. The scam managed to remain under wraps for over six months as it was identical to non-fraudulent QuickBooks notifications.