Weekly Axis Of Easy #258
Last Week’s Quote was “The things you think about determine the quality of your mind. Your soul takes on the color of your thoughts.” … was by Marcus Aurelius. Congrats to our winner, Tricia!
This Week’s Quote: “I was not designed to be forced. I will breathe after my own fashion. Let us see who is the strongest.” … by ???
THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
In this issue:
- Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage
- Ukraine Shutters Major Russian Bot Farm Investment Fraud Drench European Investors via Thousands of Fake Sites
- Meta is being sued for giving US hospitals a data-tracking tool that allegedly ended up disclosing patient information to Facebook
- Taiwan Govt Websites Attacked During Pelosi Visit
Elsewhere online
- $190 million stolen by hackers from U.S. crypto firm Nomad
- Prosecutors in Germany have issued a warrant for the arrest of Russian hacker over energy sector attacks
- Fake copyright claims are being weaponized on the internet: How fake DMCA takedowns censored a leading crypto critic via Substack
- SHARPEXT: The tool North Korean hackers are using to read your Gmail
It is said that a threat actor is “highly likely” to have exploited a glitch in the security of an old Atlassian Confluence server to position a backdoor against an unnamed organization in the research and technical services sector. Cybersecurity firm Deepwatch has attributed the attack –which occurred during a seven-day period in May– to a threat activity cluster identified as TAC-040.
According to the company, “the evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian’s Confluence directory.” They also stated that post initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment.
After reporting active exploitation in real-world attacks, the issue was addressed by Deepwatch on June 4, 2022. However, given the absence of forensic artifacts, Deepwatch speculated the breach could have required the utilization of the Spring4Shell vulnerability (CVE-2022-22965) to gain access to the Confluence web.
Not much is known about TAC-040 other than its goals might be espionage-related; however, the presence of a loader for an XMRig miner suggests that financial gain might have also been the motive.
According to online blog sources, the attack chain is also notable for deploying a previously undocumented implant: “Ljl Backdoor,” with roughly 700MB of archived data estimated to have been withdrawn before the server was taken offline by the victim.
Read: https://thehackernews.com/2022/08/hackers-exploited-atlassian-confluence.html
Ukraine Shutters Major Russian Bot Farm
Law enforcers in Ukraine claim to have dismantled a large bot farm used by Russian special services to spread misinformation and propaganda in the country. The Secret Service of Ukraine (SSU) stated that the million-strong bot farm was used to “destabilize content” on the country’s military and political leadership.
The misinformation included fake news on the situation at the front, a supposed conflict between the President’s Office and the commander-in-chief of Ukraine’s armed forces, and a campaign to discredit the first lady. The culprit leader of this operation was unmasked as a Russian citizen and ‘political expert’ based in Kyiv.
With the leader’s guidance and equipment based in Kyiv, Kharkiv, and Vinnytsia, the group managed multiple bot accounts for social media, registering new accounts with 5000 SIM cards and circumventing internet blocking with 200 proxy servers spoofing IP addresses.
Ukraine claims to have “neutralized” 1200 cyber-incidents and cyber-attacks on the government since the beginning of the war. However, Russian propaganda efforts haven’t ceased, both inside Ukraine and in a bid to sway public opinion among its allies. Recorded Future claimed in July 2022 that Moscow is running multiple info ops campaigns designed to sow division in the West.
Read: https://www.infosecurity-magazine.com/news/ukraine-shutters-major-russian-bot/
Investment Fraud Drench European Investors via Thousands of Fake Sites
A network of 11,000 domains was discovered promoting fake investment scams to users in Europe. According to researchers, more than 5,000 of these domains are currently active, spotting the operation and tracking the network of content hosts and redirections.
The whole point of this mission is to fool users into an opportunity for high-return investments and persuade them to deposit at least $255 to register for fake services. The platforms hosted showcase false evidence of enrichment and apparent celebrity promotions in order to sound authentic. Its is targeted to the following countries: the U.K, Germany, Belgium, Portugal, Poland, Norway, the Netherlands, Sweden, and the Czech Republic.
How does this scam work? First, the scammers make an effort to advertise on social media platforms or through hacked YouTube and Facebook accounts to reach greater audiences and potential victims. Lured users click on the ads that redirect them to landing pages with fake success stories and are requested contact details by the scammers.
When this is done, a call center customer agent comes to contact with the victim, providing further details about the social engineering scam, convincing them to deposit 250 EUR (or $255) or more.
If the victim deposits the funds, they are granted access to a fake investment dashboard to follow their gains on a daily basis, this is an illusion of legitimate investment that asks users to deposit a bigger amount to earn more profit. The scam is disclosed when victims try to withdraw money from the platform.
Read: https://cyware.com/news/investment-fraud-drench-european-investors-via-thousands-of-fake-sites-b85554b5/
Meta is being sued for giving US hospitals a data-tracking tool that allegedly ended up disclosing patient information to Facebook
Allegedly Meta has access to the private medical data of millions of people without any sort of permission. According to a new lawsuit, the company has used it to serve cherry-picked medicine and treatment ads on Facebook.
The suit was filed on the last week of June in the Northern District of California and it’s the second of its kind to accuse US hospitals of providing Meta with sensitive information about patients, violating HIPAA (Health Insurance Portability and Accountability Act).
The complaint says that these hospitals used Meta’s Pixel tool, that allows businesses to measure and build audiences for ad campaigns. The tool then accessed patients’ password-protected portals and shared sensitive health information that was sold to Facebook advertisers by Meta.
In June, The Markup (a nonprofit newsroom) conducted an investigation, finding that 33 out of America’s 100 top hospitals use the Meta Pixel. It details the experience of one Facebook user who started getting targeted ads for medication related to heart and knee conditions. She had previously submitted in her private patient portal at the University of California, San Francisco Medical Center.
Meta’s policy states that advertisers shouldn’t share data with them that they know includes health, financial information, or other categories of sensitive information. However, the lawsuit accuses the company of knowingly collecting this sensitive information from healthcare websites.
Read: https://www.businessinsider.com/meta-facebook-sued-data-tracking-hospitals-disclosed-patient-health-data-2022-8
Taiwan Govt Websites Attacked During Pelosi Visit
Alleged Chinese and Russian forces temporarily forced major Taiwanese government websites offline via cyber-attacks during US House Speaker Nancy Pelosi’s visit to the island, Taipei on Thursday July 28th. The websites affected during Pelosi’s visit include those of the presidential office, foreign ministry and the main government English portal.
In 2020, Taiwanese authorities were informed that Chinese hackers managed to infiltrate at least 10 Taiwan government agencies and gained access to around 6,000 email accounts in an attempt to steal data. China also claims self-ruled democratic Taiwan as part of its territory to be seized one day. On July 28th they kicked off its largest ever military drills around the island in response.
According to Taiwan’s defense ministry, its website was offline for an hour around midnight on Wednesday July 27th, because of a distributed denial of service (DDoS) attack. Taiwan’s foreign ministry has also stated that the attacks on its website and the government’s English portal were linked to IP addresses from China and Russia that tried to gain access to websites up to 8.5 million times per minute.
The presidential office spoke out, saying it would up its monitoring in the face of “hybrid information warfare by external forces.” Officials have also said that Taiwanese government agencies are facing at least 5 million cyber-attacks and probes per day.
Read: https://www.securityweek.com/taiwan-govt-websites-attacked-during-pelosi-visit
Elsewhere Online
$190 million stolen by hackers from U.S. crypto firm Nomad
Read: https://www.techrepublic.com/article/hackers-steal-almost-200-million-from-crypto-firm-nomad
Prosecutors in Germany have issued a warrant for the arrest of Russian hacker over energy sector attacks
Read: https://therecord.media/german-prosecutors-issue-warrant-for-russian-hacker-over-energy-sector-attacks/
Fake copyright claims are being weaponized on the internet: How fake DMCA takedowns censored a leading crypto critic via Substack
Read: https://mashable.com/article/dmca-copyright-cryptocurrency-substack
SHARPEXT: The tool North Korean hackers are using to read your Gmail
Read: https://arstechnica.com/information-technology/2022/08/north-korea-backed-hackers-have-a-clever-way-to-read-your-gmail/
Smart App Control for Windows 11 is the new security feature that blocks files used to push viruses Read: https://www.bleepingcomputer.com/news/microsoft/windows-11-smart-app-control-blocks-files-used-to-push-malware/
Previously on #AxisOfEasy
If you missed the previous issues, they can be read online here:
- August 1st, 2022: An Update To Facebook’s Link Schema Aims To Fight Privacy Browsers And Privacy Plugins
- July 25th, 2022: Verified Twitter Vulnerability Exposes Data From 5.4 Million Accounts
- July 18th, 2022: CRTC Chair Ian Scott Confirms Bill C-11 Can Be Used To Pressure Internet Platforms To Manipulate Algorithms
- July 12th, 2022: Apple Debuts Lockdown Mode to Prevent State-Sponsored Spying
- July 4th, 2022: Ending Freedom Of The Press, Speech, And Expression: The Main Goal Of Big Corporations