The Chinese phishing group “PostalFurious” was identified in April 2023 by Group-IB, a Singapore-based threat intelligence firm, after it detected a smishing campaign in which PostalFurious impersonated postal companies and toll operators across the Asia-Pacific (APAC) region.
The gang has recently expanded its operations into the Middle East, particularly the United Arab Emirates (UAE), aiming to obtain personal and financial data from residents there. It is currently sending phishing and smishing messages that instruct recipients to pay for a service through a URL that conceals the fraudulent domain and redirects them to a fake payment page, where they enter their full name, home address, and financial information. It is unclear exactly whom the group is targeting, but it has begun impersonating government entities such as postal operators. To evade detection and keep unauthorized parties out, the gang employs highly proficient access-restriction strategies. Even so, Group-IB linked the carefully concealed UAE campaign to the APAC one, since both shared the same infrastructure and coding activity.
The life science and molecular diagnostics organization Enzo Biochem provides clinical research services to patients and produces products such as DNA tests. On April 6, 2023, the company first identified a ransomware attack that had breached its external systems, but it was unsure what information had been compromised. A week later, it discovered the attack had affected client names and test information, and it subsequently disclosed the incident publicly.
Enzo Biochem made the breach official last week, on May 30th, by submitting filings with the Securities and Exchange Commission (SEC). The filings notified 2.47 million people across the United States that the cyberattack had exposed their protected health information (PHI) and personally identifiable information (PII), such as Social Security numbers.
In the article, Roy Akerman, CEO of Rezonate, explained how common it is for hackers to use stolen PII and PHI in follow-on attacks or to sell it on the Dark Web. Cyber professionals are still examining the root cause of this ransomware attack and developing a fast recovery strategy.
Beginning in 2018, senior officials in the Biden administration saw that North Korea had stepped up its cyberattacks in tandem with its nuclear and missile program. Cyber theft, notably cryptocurrency heists and other attacks, accounts for around half of the nation’s income and funds much of the infrastructure in Pyongyang, North Korea’s capital. About 10,000 proficient threat actors work for Kim Jong Un, who has a financial incentive to keep their successful cyberattacks going.
This North Korean operation is not new, but it is becoming a bigger threat as time passes and new techniques emerge; in 2019, the United Nations (UN) estimated that the country had amassed over $2 billion from years of bank and cryptocurrency attacks. Furthermore, North Korea has been blamed for the most damaging heists in cryptocurrency. Last year, North Korea stole $620 million from Sky Mavis’ Ronin Network, and in 2020, it seized $281 million from KuCoin. Since North Korea has been running this scheme for years, its operators have continuously adapted and become more sophisticated in order to sustain this funding. The United States is currently collaborating with its South Korean partners and other allies to raise awareness that this activity has been happening and still is.
Lace Tempest, a ransomware threat actor, has exploited a flaw in the MOVEit Transfer file transfer program. U.S. cybersecurity and infrastructure security authorities warned organizations about the zero-day SQL injection vulnerability, CVE-2023-34362, which attackers could use to gain access to the database, steal data, and impersonate any user in it. Cybercriminals knew about the vulnerability in the transfer software before it was detected and could be patched, giving additional unauthorized attackers more opportunities to exploit it.
Bleeping Computer reported that nearly 2,500 MOVEit Transfer instances were publicly exposed this past May. The attack was opportunistic rather than directed at a specific victim, since the data these systems hold has been in high demand.
One indicator of compromise, a web shell file named “human2.aspx” placed in the “wwwroot” folder, went undiscovered for a considerable amount of time because its name resembled a legitimate file in the MOVEit interface.
A Massachusetts company helped with the remediation efforts by providing patches for the following exposed versions: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
Administrators should check for “human2.aspx” files in the “wwwroot” folder of the MOVEit installation, review all log files going back a significant period, and analyze traffic from unrecognized IP addresses and sources in order to detect exploitation. Users are strongly advised to apply the patch to address this issue and reduce the risk. Organizations that are unable to apply the patch should disable all HTTP and HTTPS connections to it in the meantime.
Once the fix is in place, security teams should run checks to determine whether anything was compromised and, if so, reset the credentials of the exposed accounts. Any files named “human2.aspx”, or any other suspicious files, should be closely analyzed and, where appropriate, deleted.
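As an added example (not code from the original article or from the MOVEit vendor), the Python below implements the two checks described above: a scan of a wwwroot folder for any file named human2.aspx, and a pass over IIS W3C-format log lines that lists requests to that file and counts requests from client IPs outside an allowlist. The log excerpt, the allowlist, and the throwaway directory tree are constructed here; human.aspx stands in as the legitimate-looking file the web shell name mimics.

```python
import os
import tempfile
from collections import Counter
IOC_FILENAME = "human2.aspx"  # indicator file name given in the advisory text above

def find_ioc_files(wwwroot):
    """Walk the MOVEit wwwroot folder and return every path named human2.aspx (any case)."""
    hits = []
    for dirpath, _, names in os.walk(wwwroot):
        hits += [os.path.join(dirpath, n) for n in names if n.lower() == IOC_FILENAME]
    return sorted(hits)

def triage_iis_log(lines, known_ips):
    """Parse IIS W3C log lines (column names taken from the #Fields directive) and return
    (requests to the indicator file, request counts per client IP not in known_ips)."""
    fields, ioc_requests, unknown = [], [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # blank lines and other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line, or no #Fields header seen yet
        rec = dict(zip(fields, values))
        client = rec.get("c-ip", "-")
        if client not in known_ips:
            unknown[client] += 1
        if rec.get("cs-uri-stem", "").lower().endswith("/" + IOC_FILENAME):
            ioc_requests.append((rec["date"], rec["time"], client, rec["cs-method"]))
    return ioc_requests, unknown

# Constructed IIS log excerpt and a constructed allowlist of expected client addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:14:07 10.0.0.5 GET /human.aspx - 443 alice 203.0.113.77 Mozilla/5.0 200
2023-05-28 03:14:09 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 python-requests/2.31 200
"""
KNOWN_IPS = {"203.0.113.77"}

def demo_scan():
    # Build a throwaway wwwroot tree (constructed) with one lookalike and one indicator file.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wwwroot", "sub"))
    for rel in ("wwwroot/human.aspx", "wwwroot/sub/Human2.aspx"):
        open(os.path.join(root, rel), "w").close()
    return [os.path.basename(p) for p in find_ioc_files(os.path.join(root, "wwwroot"))]
```

Any hit from either function is a reason to preserve the file and the surrounding log entries for analysis before cleanup.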
As new technologies in AI continue to evolve and public adoption increases, cybercriminals see this as an opportunity to attack users and gain information. ChatGPT has been a very popular resource since launching last November, leveraging natural language processing and AI technology to help people access information and increase efficiency in business.
Cybercriminals have seen in it a new platform for conducting attacks, and this now poses a significant risk to the software supply chain. Threat actors have been using “AI package hallucinations” in ChatGPT as a way to spread malicious code packages and trojans, hoping to slip them into applications and code repositories.
An AI hallucination is a plausible response from the AI bot that isn’t accurate. This occurs because generative AI platforms like ChatGPT form their responses from the information available on the internet, which can lead users to adopt inaccurate information. Malicious actors can exploit this by asking a platform such as ChatGPT for package recommendations, noting any packages it names that are unpublished, and publishing malicious packages under those names. When other users ask a similar question, the bot unknowingly recommends the malicious package, which is a problem because users trust the chatbot. The developer then ends up with a malicious library that can be pulled into many different applications.
Some common practices for developers to spot malicious libraries include verifying the library they have just downloaded, following the correct vetting process, and looking for a well-hidden trojan in the downloaded library. Ways to do this include checking the date the package was created, gauging how much interaction it has had through its number of downloads and comments, and seeing whether any notes accompany the package.
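As an added illustration of the checks listed above (not code from the original article), the Python below vets a package name a chatbot suggested using metadata in the PyPI JSON API layout (info.summary and per-release upload_time_iso_8601); it flags a name absent from the index, a very recent first upload, missing notes, a low download count (supplied by the caller, since the PyPI JSON response does not report downloads), and, going one step beyond the text, a name within two edits of a well-known package. The shortlist of popular names and the sample metadata are constructed, not real index data.

```python
from datetime import datetime, timezone

# Constructed shortlist of well-known names a hallucinated suggestion might resemble.
POPULAR = {"requests", "numpy", "pandas", "flask"}

def edit_distance(a, b):
    """Levenshtein distance, used to flag names one or two typos away from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def vet_package(name, meta, downloads_last_month, now, min_age_days=90, min_downloads=1000):
    """Return warnings for a package a chatbot suggested. `meta` follows the PyPI JSON
    layout (info.summary, releases[version] -> files with upload_time_iso_8601), or is None
    when the index has no such package; the download count is supplied by the caller."""
    if meta is None:
        return ["not on the index: the name may be hallucinated, so nothing should be installed"]
    warnings = []
    uploads = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
               for files in meta.get("releases", {}).values() for f in files]
    if not uploads:
        warnings.append("no released files")
    elif (now - min(uploads)).days < min_age_days:
        warnings.append(f"first upload only {(now - min(uploads)).days} days ago")
    if not (meta.get("info", {}).get("summary") or "").strip():
        warnings.append("no description or release notes")
    if downloads_last_month < min_downloads:
        warnings.append(f"only {downloads_last_month} downloads last month")
    for known in sorted(POPULAR):
        if name != known and edit_distance(name.lower(), known) <= 2:
            warnings.append(f"name is within 2 edits of well-known package '{known}'")
    return warnings

# Constructed metadata for a fictitious package named by a chatbot; not a real PyPI entry.
SAMPLE_META = {
    "info": {"summary": ""},
    "releases": {"0.0.1": [{"upload_time_iso_8601": "2023-05-20T00:00:00.000000Z"}]},
}
NOW = datetime(2023, 6, 5, tzinfo=timezone.utc)

def demo():
    return vet_package("requestz", SAMPLE_META, 12, NOW)
```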