Prominent Asian Companies and Governments Targeted by Hackers
Asian companies and local governments are the targets of attacks by a previously undocumented espionage group, Worok, which has been active since late 2020. According to ESET researcher Thibaut Passilly, “Worok’s tool set includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files.”
Worok is said to overlap with the TA428 adversary in tools and interests, and has been linked to attacks against financial, maritime, and telecom sectors in Asia, a government agency in the Middle East, and a private firm in southern Asia. From May 2021 to January 2022 the group’s malicious activity noticeably paused, and the Slovak cybersecurity firm assesses that the group’s goals are in line with information theft.
Among the tools in Worok’s malware is CLRLoad, a first-stage loader succeeded by a .NET-based loader capable of executing an unknown PowerShell script embedded in a PNG image file. Since 2022, infection chains have dropped CLRLoad in favor of a full-featured PowerShell implant called PowHeartBeat that is used to launch PNGLoad; it communicates with a remote server via HTTP or ICMP to run arbitrary commands, send and receive files, and perform related file operations.
ESET says it was unable to retrieve any final-stage PNG payloads. However, it suspects that the malware could be kept out of sight in valid-looking PNG images and stay hidden without attracting attention.
Read: https://thehackernews.com/2022/09/worok-hackers-target-high-profile-asian.html
Growth Investment in Hornetsecurity
Hornetsecurity announced that TA Associates signed an agreement to make a strategic growth investment in the company. TA will join investors PSG Equity and Verdane, plus the company’s management team. This company provides a wide range of products designed to protect over 2 million users from the latest cyber threats. Their portfolio includes email security, back-up solutions, archiving and continuity services, and security awareness training.
Hornetsecurity serves customers of many sizes across a wide variety of industries, with product offerings tailored to a range of security needs. Most customers are served through a trusted channel of over 8,000 VARs (value-added resellers), MSPs (managed service providers), and MSSPs (managed security service providers).
Verdane invested in Hornetsecurity in 2021, while PSG did so in 2020. Since then, the company has expanded its cloud cyber security offering, adding back-up solutions and security awareness training. This investment is intended to support the product build-out and international expansion through accelerated organic growth and M&A. The transaction is expected to close in the fourth quarter of 2022, pending customary regulatory approval.
Read: https://www.helpnetsecurity.com/2022/09/06/hornetsecurity-ta-associates/
Botnets in the Work From Home Era
Recently, a Russian botnet pretending to be a proxy service harmed millions of devices across the world, allowing cybercriminals to access stolen accounts until it was shut down by the Feds.
Botnets deploy in large numbers and are in constant evolution. The underlying host spreads across thousands of different owners, and shutting them down requires careful coordination across law enforcement, hosting providers, and network carriers. Additionally, cybercriminals trade botnet assets and use them for different cyberattacks based on where they can make the most money, becoming an asset for organized crime.
• Botnet DDoS Attacks Present a Challenge for Security Teams: Remote work provided convenience while also creating new opportunities for threat actors to attack. According to the FBI’s 2021 Internet Crime Report, corporate networks are more vulnerable when accessed using insecure and personal work-from-home devices.
DDoS attacks can reach business systems even when they are protected by firewalls, and antivirus cannot stop them. Once these attacks happen, the consequences range from server crashes and unresponsive applications to network outages that take businesses offline for legitimate users.
• Mitigating and Defending Against Botnet Attacks: The first line of defense uses network security controls that maintain a worldwide IP reputation database of known malicious IPs and domains. Ask your security vendors how they block network traffic based on IP addresses.
The second line of defense needs to detect network traffic based on protocol behavior and session flow. Current detection techniques combine machine learning algorithms and threshold-based countermeasures.
• Building a Layered Cybersecurity Plan: Cybersecurity hygiene is crucial when defending against botnets. Frequent vulnerability scanning, configuration hardening, and organizing patch management policies are basic steps to prevent host systems from becoming botnet victims.
Something else to consider is implementing network access controls, a zero-trust policy for users, and continuing to train employees on how to identify suspicious activity online. Botnet attacks are here to stay, so users and businesses need to protect themselves against malware.
Read: https://www.darkreading.com/attacks-breaches/botnets-in-the-age-of-remote-work
Sextortion Ring Dismantled by Interpol
A transactional sextortion ring was uncovered and dismantled after a joint investigation between Interpol’s cybercrime division and police in Singapore and Hong Kong. Interpol says that 12 suspects were arrested in July and August, following investigations that found them asking potential victims via online sex and dating platforms to download a malicious mobile app.
The perpetrators would use this app to steal information from the victims’ phones’ contact lists, which was then used to blackmail them by threatening to share their private videos with their contacts.
To make matters worse for their targets, they’ll also often access their social media or contact info, threatening to send the sexual imagery they got their hands on, plus distribute various strains of malware via emails.
Sextortion is a type of digital extortion in which targets are coerced or tricked into sharing explicit content that is later used for blackmail. According to the FBI, sextortion reports had increased massively by 2021, and the agency advises potential victims to protect themselves from attempts as follows:
• Don’t ever send compromising images to anyone, no matter who they are or claim to be.
• Do not open attachments from unknown senders.
• Make sure your electronic devices and web cameras are turned off when not in use.
Read: https://www.bleepingcomputer.com/news/security/interpol-dismantles-sextortion-ring-warns-of-increased-attacks/
Infosecurity Europe 2022: Survey Results Show Underprepared & Overconfident Specialists
BAS (breach and attack simulation) is emerging quickly as a tool for overstretched security teams and proactive CISOs. For those who have adopted these systems, the hard part of managing a security tool portfolio becomes more manageable thanks to the ability to automatically validate the tools’ effectiveness.
As BAS adoption begins to take hold internationally, the article uses the 2022 Infosecurity Europe event in London as an opportunity to check the industry’s evolving perspective. It surveyed security and IT professionals to learn how they validate their controls, how they view BAS, and how prepared they feel to face potential threats.
When asked how familiar they were with the policies, processes, and technologies their organization uses to monitor security controls, 70.2% of participants said they were familiar. Yet those who claimed to be more knowledgeable about BAS scored 48% on a security test, showing that there are still misconceptions about the value the technology provides.
When asked which threats respondents felt they could deal with proactively and with ease, the results were quite promising:
• 87% felt able to deal with phishing threats.
• 37% felt prepared for a data breach.
• 35.2% felt prepared for spear phishing.
• 48.1% felt prepared for malware infection.
Despite respondents feeling somewhat unprepared for threats other than phishing, 70.4% said they felt their organization was able to respond to any security incident. The same number stated their organization had the right tools to efficiently identify threats and repair security gaps. Of those who admitted their organization wasn’t prepared for a security incident, 36.8% felt that a lack of knowledge was a big issue, while 42.1% mentioned a lack of funds.
Read: https://securityboulevard.com/2022/09/underprepared-overconfident-infosecurity-europe-2022-survey-results/
PSA: Zero-Day Vulnerability in WPGateway Actively Exploited in the Wild
Wordfence has issued a Public Service Announcement about the WPGateway plugin vulnerability, which has been exploited since September 8th without an actual fix from the developers. They are already protecting their paying customers from the attack (which allows non-admin users to inject a user with administrator privileges). One thing to look for if you use that plugin is a user named “rangex” with admin rights; that is a sign your WordPress site has been compromised.
They will roll out the protection to their free users 30 days later on October 8th, 2022.
Read: https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/
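Since the attacker chooses the username, the “rangex” check above is best paired with a review of every administrator account and its registration date. The script below is an added example, not Wordfence’s code: it runs that review as a query over the WordPress `wp_users` and `wp_usermeta` tables (the `wp_` table prefix and the `wp_capabilities` meta key are the defaults and change with a custom prefix), using an in-memory SQLite stand-in loaded with constructed sample rows.

```python
import sqlite3

# Constructed sample rows shaped like WordPress' wp_users / wp_usermeta tables
# (default "wp_" prefix). The "rangex" row mirrors the indicator from the
# advisory; it is sample data, not a dump from a compromised site.
SAMPLE_USERS = [
    (1, "admin", "2021-03-02 10:00:00"),
    (2, "editor_jane", "2022-01-15 08:30:00"),
    (3, "rangex", "2022-09-09 03:12:44"),
]
SAMPLE_META = [  # capabilities are stored PHP-serialized, keyed by role name
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Newest administrators first: an account created inside the exploitation
# window is the one to look at, whatever it is called.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC
"""

def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's real MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return conn

def list_admins(conn: sqlite3.Connection) -> list:
    """Return (login, registered) for every administrator, newest first."""
    return [(row[1], row[2]) for row in conn.execute(ADMIN_QUERY)]

def check_site(conn: sqlite3.Connection, indicator: str = "rangex") -> dict:
    """Flag the known indicator plus any admin registered on or after Sept 8, 2022."""
    admins = list_admins(conn)
    return {
        "admins": [login for login, _ in admins],
        "indicator_present": any(login == indicator for login, _ in admins),
        "admins_since_sept_8": [login for login, reg in admins if reg >= "2022-09-08"],
    }
```

On a live site, point the same query at the real database (or `wp user list --role=administrator` via WP-CLI) and treat any unexpected administrator as a compromise, not just the known name.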
Elsewhere Online
Telangana cops aid victims of cyber fraud crime
Read: https://telanganatoday.com/reach-us-quick-telangana-cops-urge-cyber-fraud-victims
Cyber experts are looking forward to NDAA
Read: https://www.politico.com/newsletters/weekly-cybersecurity/2022/09/06/its-ndaa-time-and-cyber-experts-are-looking-ahead-00054856
Government calling for views on fighting malware and hackers
Read: https://www.bcs.org/articles-opinion-and-research/government-is-calling-for-views-to-further-combat-hacking/
TeslaGun Panel Used By Hackers To Attack ServHelper
Read: https://thehackernews.com/2022/09/ta505-hackers-using-teslagun-panel-to.html
Cyberattacks Occur Against Linux: Preparation is Advised
Read: https://www.darkreading.com/application-security/defenders-prepared-cyberattacks-linux-cloud-migration
Today’s quotation appeared in my Facebook occasional quotes page a few days ago, and I saved it. Does that count as looking it up? The source was given as Marilyn Monroe. I have not verified that!
Oscar Wilde?
Pablo Picasso
Mark Twain
Gonna go with Doctor Seuss for the quote.
Andy Warhol?