10 July 2020 | Asia Cyber Summary

In the spotlight this week:


  • Threat intelligence firm Gemini Advisory discovered that the “Keeper” Magecart group (which consists of an interconnected network of 64 attacker domains and 73 exfiltration domains) has targeted over 570 e-commerce sites in 55 different countries. Over 85% of the victim sites operated on the Magento CMS which is known to be the top target for Magecart attacks and boasts over 250,000 users worldwide.


  • ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. The toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.


  • The F5 BIG-IP security hole (CVE-2020-5902) has been described as a critical remote code execution vulnerability that can be exploited to take complete control of a system. The issue is in the Traffic Management User Interface (TMUI) configuration utility and is reachable by an unauthenticated attacker with network access to that interface.


JUL 9, 2020 | WastedLocker Goes "Big-Game Hunting" in 2020

After initially compromising corporate networks, the attacker behind WastedLocker performed privilege escalation and lateral movement prior to activating the ransomware and demanding a ransom payment. The deployment of "dual-use" tools and "LoLBins" (living-off-the-land binaries already present on the victim's systems) enabled the adversaries to evade detection and stay under the radar as they worked toward their objective in the corporate environment.

WastedLocker is one of the latest examples of the continued use of lateral movement and privilege escalation to maximize the damage caused by ransomware. The use of "big-game hunting" continues to cause significant operational and financial damages to organizations around the globe.

Source: https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html



JUL 9, 2020 | More Evil: A deep dive into Evilnum and Its Toolset


ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against fin-tech companies. Although Evilnum has been seen in the wild at least since 2018 and documented previously, little has been published about the group behind it and how it operates. The group targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom homemade malware combined with tools purchased from Golden Chickens, a MaaS provider whose infamous customers include FIN6 and Cobalt Group.

Source: https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

JUL 7, 2020 | 'Keeper' Hacking Group Behind Hacks at 570 Online Stores

Hackers who go by the name of “Keeper” accidentally leaked more than 184,000 stolen cards through an improperly secured backend server. The Keeper gang broke into online store backends, altered their source code, and inserted malicious scripts that logged payment card details entered by shoppers in checkout forms.

These types of attacks are known among the cyber security community as "web skimming", "e-skimming", or "Magecart" intrusions (named after the first hacker group seen using these tactics). In a report published by threat intelligence firm Gemini Advisory, the company says that Keeper has been operating since at least April 2017 and continues to operate to this day.

Source: https://www.zdnet.com/article/keeper-hacking-group-behind-hacks-at-570-online-stores/#ftag=RSSbaffb68


JUL 7, 2020 | Feds Indict 'fxmsp' in Connection with Million-Dollar Hacking Operation


The U.S. Department of Justice has charged a man with hacking-related crimes as part of an investigation into a group of foreign scammers accused of targeting more than 300 organizations throughout the world.

Prosecutors in the Western District of Washington charged Andrey Turchin with five felony counts in connection with a year-long fraud effort. Last known to be in Kazakhstan, Turchin allegedly sold remote access to compromised networks on cybercriminal forums, typically charging tens of thousands of dollars for access to data valued at tens of millions of dollars.

Turchin went by a series of aliases, including “fxmsp,” according to the Justice Department. He was initially charged in December 2018, though the indictment was kept under seal until this week, one month after security vendor Group-IB released its own research documenting the work of a hacker known by the “fxmsp” alias.

Source: https://www.cyberscoop.com/fxmsp-andrey-turchin-indictment-fraud-stolen-data/



JUL 6, 2020 | BIG-IP Vulnerability Exploited to Deliver DDoS Malware

CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in advisory K52145254 as a CVSS 10.0 remote code execution vulnerability in the BIG-IP administrative interface. By the 3rd of July 2020, NCC Group observed active exploitation. This situation is still developing.

Hackers continue to exploit the recently-patched BIG-IP security flaw, with plenty of potential targets as researchers have identified thousands of vulnerable systems.

The security hole has been described as a critical remote code execution vulnerability that can be exploited to take complete control of a system. The issue is in the Traffic Management User Interface (TMUI) configuration utility. An unauthenticated attacker with network access to this utility (typically the management port, or a self IP with TMUI exposed) can exploit the weakness to create or delete files, disable services, intercept data, and run arbitrary code or commands.

Proof-of-concept (PoC) exploits and technical information were made public for CVE-2020-5902 shortly after its disclosure and the first exploitation attempts were observed soon after. The vulnerability is easy to exploit and experts have pointed out that the entire exploit fits in a tweet.
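Because public exploitation began within days of disclosure, the practical question for most teams is whether their BIG-IP management interface was probed before it was patched or firewalled. The following is an added example, not code from F5, NCC Group or SecurityWeek: a small Python scanner that walks Apache-style access log lines and flags requests to `/tmui/` that carry the `..;` path-normalization sequence behind CVE-2020-5902. That pattern comes from the public PoC reporting the summary refers to, not from this page; the log lines, IP addresses and endpoint names in the sample are constructed for the example.

```python
"""Flag CVE-2020-5902 exploitation attempts in web-server access logs.

Added illustration (not from the F5 advisory or the articles above). The
detection keys on the publicly documented traversal: a request path under
/tmui/ containing '..;', the Tomcat path-parameter trick that lets an
unauthenticated client reach authenticated TMUI JSPs. Sample log lines are
constructed for this example and are not real traffic.
"""
import re
from urllib.parse import unquote

# NCSA combined-log style: client - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL = "..;"       # semicolon path-parameter traversal used by CVE-2020-5902
TMUI_PREFIX = "/tmui/"  # Traffic Management User Interface


def is_exploit_attempt(raw_path: str) -> bool:
    """True if the request path targets TMUI and carries the '..;' traversal.

    The path is URL-decoded first so percent-encoded variants such as
    '%2e%2e%3b' are caught as well; the query string is ignored.
    """
    path_only = unquote(raw_path).split("?", 1)[0]
    return TMUI_PREFIX in path_only and TRAVERSAL in path_only


def scan_log(lines):
    """Return (client_ip, decoded_path, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a parseable access-log line
        if is_exploit_attempt(m["path"]):
            hits.append((m["ip"], unquote(m["path"]), int(m["status"])))
    return hits


# Constructed sample log lines (hypothetical clients and timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4120',
    '203.0.113.7 - - [04/Jul/2020:10:02:15 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1887',
    '203.0.113.7 - - [04/Jul/2020:10:02:16 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user HTTP/1.1" 200 302',
    '198.51.100.9 - - [04/Jul/2020:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

A hit with a 200 status and a non-trivial response size against `fileRead.jsp` or `tmshCmd.jsp` means the traversal very likely succeeded and the host should be treated as compromised rather than merely scanned; a 404 on the same path is consistent with F5's mitigation being in place. The check is intentionally loose (any `..;` under `/tmui/`), since attackers vary the endpoint after the traversal.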

Source: https://www.securityweek.com/big-ip-vulnerability-exploited-deliver-ddos-malware





Copyright © 2020 Blackpanda.
All Rights Reserved.
