Phishing campaigns via Google Ads target password managers

SISA Weekly Threat Watch 08 September 2023
The digital threat landscape has seen an increase in sophisticated attacks and unique approaches used by threat actors in the last week. Recent developments, such as the Lazarus Group’s Zoho ManageEngine attack and the emergence of Flax Typhoon, as well as Kroll’s data breach, the “MalDoc in PDF” technique, and critical Juniper Junos OS flaws, demonstrate threat actors’ ingenuity. As threat actors’ strategies grow, so does the need for vigilance and proactive defense against ever-changing cyber threats. SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. New SwiftSlicer wiper is now being used to target Windows domains

Microsoft discovered a new hacking group it is now tracking as Flax Typhoon, which targets enterprises in education, critical manufacturing, and information technology with the likely intention of espionage. Flax Typhoon initially obtained access by exploiting known security flaws in servers that are accessible to the general public, including VPN, web, Java, and SQL applications. The hackers then dropped China Chopper, a small (4KB) yet potent web shell with the ability to execute code remotely.

Once inside a network, Flax Typhoon operators use command-line tools to establish persistent access over the remote desktop protocol and deploy a VPN connection to actor-controlled network infrastructure to collect credentials from compromised systems. The hackers use Windows Remote Management (WinRM), WMIC, and other LOLBins for lateral movement. To stay protected, it is recommended to apply the latest security updates to internet-exposed endpoints and public-facing servers, and to enable multi-factor authentication (MFA) on all accounts. Additionally, ensure that Windows systems are kept updated with the latest security patches.

2. Bitwarden password vault targeted in Google Ads phishing

Bitwarden and other password managers are being targeted in phishing campaigns via Google Ads, with the goal of stealing users’ password vault credentials. The phishing campaign used the domain ‘appbitwarden[.]com’ in the ad, redirecting users to ‘bitwardenlogin[.]com’ when clicked. The page at ‘bitwardenlogin[.]com’ was a perfect replica of the official Bitwarden Web Vault login page.

The phishing page collects the credentials and then redirects users to the genuine Bitwarden login page after submission. To avoid falling victim to such phishing campaigns, stay cautious when clicking on Google Ads, even if they appear legitimate, and always verify the authenticity of the website before entering any information. Additionally, use a reliable ad-blocker to prevent malicious ads from appearing on the device.
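The "verify the website" advice above can be automated in a proxy or mail-gateway rule. The following is an added example, not part of the original advisory: it classifies a URL by hostname against an allow-list of genuine Bitwarden domains. The allow-list contents, the function names and the ".example" sample URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains this organisation treats as genuine Bitwarden.
# Add the hostname of a self-hosted vault here if one is in use.
OFFICIAL_DOMAINS = {"bitwarden.com"}
BRAND = "bitwarden"


def refang(url: str) -> str:
    """Undo the [.] / hxxp defanging used in advisories."""
    return url.strip().replace("[.]", ".").replace("hxxp", "http", 1)


def hostname(url: str) -> str:
    """Return the lower-cased host actually contacted, ignoring userinfo and path."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify(url: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    host = hostname(url)
    if not host:
        return "invalid"
    # Exact match or a true subdomain; a plain suffix test would accept
    # hosts such as 'notbitwarden.com'.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Brand string inside a host that is not under an official domain.
    squashed = "".join(c for c in host if c.isalnum())
    return "lookalike" if BRAND in squashed else "unrelated"


# Sample input: the two domains named in the advisory plus constructed URLs.
SAMPLES = [
    "https://vault.bitwarden.com/#/login",
    "appbitwarden[.]com",
    "bitwardenlogin[.]com",
    "https://bitwarden.com.signin.example/",  # constructed
    "https://example.org/",                   # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```
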

3. Lazarus Group exploits Zoho ManageEngine flaw, deploys QuiteRAT malware

A new type of ransomware, named Mimic, utilizes the APIs of the Windows file search tool ‘Everything’ to locate and encrypt targeted files. It begins with an executable delivered via email, which when executed extracts four files including the main payload, additional files, and tools to disable Windows Defender on the targeted system. The utility ‘Everything’ is a popular filename search engine for Windows developed by Void Tools. It is known for its speed and low system resource usage, as well as its support for real-time updates.

Mimic ransomware encrypts files and adds the “.QUIETPLACE” extension to them. It also drops a ransom note which demands payment in Bitcoin to recover the encrypted data. It is recommended to keep all software and operating systems up to date to reduce the risk of vulnerabilities being exploited. Regularly back up important data to an offline location to ensure its restoration in case of a ransomware attack.

4. Gootkit malware continues to evolve with new components and obfuscations

The Lazarus Group leveraged a critical security vulnerability in Zoho ManageEngine ServiceDesk Plus, identified as CVE-2022-47966. The exploitation occurred only five days after its proof-of-concept emerged online. The malicious actors used this flaw to directly deploy the QuiteRAT binary from a malicious URL. QuiteRAT is a sophisticated malware developed on the Qt framework, which contributes to the complexity of its code and makes analysis considerably challenging.

Researchers noted a significant shift in the Lazarus Group’s approach. Instead of predominantly using their tools post-compromise, they now increasingly rely on open-source tools and frameworks even during the initial access phase of their operations. Historically, the Lazarus Group favored custom-built implants such as MagicRAT, VSingle, Dtrack, and YamaBot to establish initial access on compromised systems. Organizations need to remain vigilant, keeping their systems patched and adopting proactive detection and defense mechanisms to counter such advanced persistent threats.

5. Prilex modification now targeting contactless credit card transactions

Prilex, the Brazilian threat actor behind the point-of-sale (PoS) malware of the same name, is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware, which is the most advanced PoS threat seen so far. Its new updates allow it to block contactless payment transactions to steal from NFC cards. The main purpose of the newly discovered functionality is to disable the contactless payment feature to force the user into inserting the card in the PIN pad reader.

This effectively permits the threat actors to capture the data coming from the transaction by using various techniques, such as manipulating cryptograms, forcing protocol downgrades, and performing a GHOST attack. This can be accomplished even on cards protected with the so-called unhackable CHIP and PIN technology. PoS software developers are advised to implement self-protection techniques in their modules to prevent malicious code from tampering with the transactions managed by those modules. Additionally, all EMV validations must be implemented to protect against counterfeit fraud through authentication of unique data that resides on chip cards, smartphones, and other devices.
