CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 54: April 24 2023

Links

https://cyberwarzone.com/new-captcha-protected-phishing-attack-targets-access-to-payroll-files/

https://cyware.com/news/lockbit-eyes-macos-test-version-of-macos-encryptor-revealed-53a7e8c3

https://edition.cnn.com/2023/04/20/business/cfpb-confidential-data/index.html

https://unit42.paloaltonetworks.com/chatgpt-scam-attacks-increasing

Phishing Scams Targeting Microsoft Teams

  • Live Scam
    • Targets people who need to access payroll files.
      • Through teams
    • Uses a captcha checkbox.
      • To stop security tool scanning
  • Attack
    • directs to a realilist payroll page pretending to be hosted by teams on office 365
    • Pushes victim to a captcha page
    • Directs to cloned Microsoft login page
      • No matter what it tells you “InValid” credentials
  • Protect yourself.
    • Phishing defense
    • IOC
      • https[://]azaleastays[.]com/devr365web2023/
      • https[://]payroll-microsoft365-access-panel-2023[.]softr[.]app/
      • https[://]recaptcha-104cff-index-gateway[.]webflow[.]io/

LockBit Ransomware Group looking at Apple

  • Lately, several major ransomware groups, including ESXiArgs, Royal, Black Basta, Hive, RedAlert, and GwisinLocker have migrated their focus from Windows to Linux or VMware ESXi. However, in what appears to be a new trend, researchers have now observed the migration of LockBit from Windows and Linux platforms to macOS.
  • What has been observed?
    • Researchers from MalwareHunterTeam have observed samples of LockBit encryptor targeting macOS, calling this the first major ransomware operation to do so.
    • One specific encryptor sample, named locker_Apple_M1_64, targets the macOS machines running on the Apple M1 Silicon chipset.
    • This encryptor sample is believed to be developed in December 2022, when this sample was uploaded to the VirusTotal, in a ZIP archive file, comprising several other variants of LockBit.
    • In addition to the macOS variant, the ZIP archive consists of previously unknown LockBit encryptors targeting FreeBSD, ARM, MIPS, and SPARC.
  • Possibly a test build
    • The identified samples bear several clues which indicate that the Apple M1 encryptor is an unplanned version, and not prepared with the aim to be used in the wild.
    • Several strings in the code refer to VMware ESXi that does not support the Apple M1 architecture.
    • In the list of extensions and filenames to be excluded, there are 65 entries, all of them being Windows-OS filenames (msstyles) and extensions (.exe), hinting that the code from the Windows variant has been copied as is.
    • This macOS encryptor, further, has a buffer-overflow bug and crashes as soon as it is run.
  • Based on the above factors, it is believed that the developer had put together the macOS variant using code from other variants just for testing.
  • Ending notes
    • Experts from Apple, along with several security agencies, have confirmed that this specific encryptor is not a threat to macOS users. However, LockBit is considered one of the most sophisticated threats and is known for its out-of-the-box tactics. Therefore, this discovery of the macOS variant cannot be taken lightly. MacOS users are suggested to tighten up their security posture with frequent backups and use strong passwords.

employee sent confidential data of 256,000 consumers to personal email

  • Consumer Financial Protection Bureau
    • An employee sent confidential data to personal email.
      • Hundred of thousands of accounts
    • Approximately 14 emails included consumer PII
      • personally identifiable information
    • two spreadsheets that listed names and transaction-specific account numbers
      •  about 256,000 consumer accounts at one institution.
      • “The numbers are used internally by the institution, are not the consumers’ bank account numbers, and cannot be used to gain access to a consumer’s account,” the CFPB said.
      • identified that the information includes PII regarding customers of 7 institutions and that it is still working to “identify the sensitivity of the PII and assess the risk of harm to consumers.”
    • employee who sent the emails
      • no longer works at the agency
      • access to the company network has been revoked
      • there’s no evidence to suggest that the confidential records were sent beyond their personal email
        • asked to delete the emails and provide proof, they have not yet cooperated

ChatGPT-Themed Scam Attacks Are on the Rise

  • Unit 42
    • Palo Alto’s Security Team
  • Report
    • Between November 2022 through early April 2023
      • 910% increase in monthly registrations for domains related to ChatGPT
      • 17,818% growth of related squatting domains from DNS Security logs
      • 118 daily detections of ChatGPT-related malicious URLs captured from the traffic seen in our Advanced URL Filtering system
  • Scam
    • various methods scammers use to entice users into downloading malware or sharing sensitive information
      • OpenAI for crypto frauds
      • Elon Musk’s name to attract victims
      • domain chatgptforchrome[.]com hosts an introduction page for the ChatGPT Chrome Extension. It uses the information and video from the official OpenAI extension.