Also: FBI Warning About Androxgh0st; eBay Pays a $3 Million Fine for Cyberstalking
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Microsoft expanded plans to store EU citizens’ data locally, shipping-themed phishing spam is a threat, the British Library overcame a ransomware setback, the FBI warned of Androxgh0st malware, Remcos RAT targeted South Korea, and eBay was fined $3 million for a cyberstalking campaign.
Microsoft Expands Plans to Store EU Citizens’ Data Locally
Microsoft is intensifying efforts to comply with European privacy laws by extending its EU Data Boundary initiative, allowing trading bloc countries to store “all personal data, such as automated system logs,” within local data centers.
Last year, Microsoft began storing European customer data in 15 EU-based data centers, covering Microsoft 365, Azure, Power Platform and Dynamics 365. In the latest development, Microsoft expanded local storage capabilities to encompass pseudonymized personal data, including automated system logs.
The move comes amid heightened scrutiny of American tech companies by European agencies regarding the processing of sensitive European citizen data. Meta faced a record 1.2-billion-euro fine from the Irish data regulator, leading to an order to suspend data transfers to the United States from Europe (see: Facebook Ordered to Suspend Data Transfers to US From Europe).
Shipping-Themed Emails Are Year-Round Threat
Researchers said shipping-themed emails are a persistent threat that surges only slightly during the holidays. According to a three-year trend analysis by Cofense, phishing attacks using topics such as waybills, bills of lading and invoices tend to have higher volumes in June, October and November.
The malicious shipping-themed emails often deploy malware such as the Agent Tesla keylogger. Cofense said phishers often exploit a 2017 vulnerability in Microsoft Office tracked as CVE-2017-11882 and known as the Microsoft Office Memory Corruption Vulnerability. It allows attackers to run arbitrary code.
The manufacturing sector, in particular, faces a significant influx of such emails, which deliver malware through attachments and infection URLs. The emails mostly focus on malware delivery but also may contain credential phishing.
British Library Begins Restoring Services
The British Library in London has begun the restoration of its online catalog after suffering a ransomware attack by the Rhysida gang last October. The attack on the national institution led to the shutdown of various library services as the attackers attempted to sell data they had stolen from staff and patrons. The online catalog is crucial for accessing rare books, maps, journals and music scores.
The Financial Times reported earlier this month that attack recovery will cost the British Library about 40% of its reserves. The library refused to pay a ransom demand of 600,000 pounds. Restoring digital services to their pre-attack level will cost up to 7 million pounds, the Financial Times reported, citing a person familiar with the matter.
Little is known about Rhysida’s origins or country affiliations, but its pattern of selecting targets loosely aligns with Russian-speaking ransomware groups that avoid hacking targets located in former Soviet or eastern bloc countries.
FBI Warns Androxgh0st Malware Creates Potent Botnet
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency issued a joint advisory warning about Androxgh0st malware’s evolving threat. Its operators actively seek .env files containing high-profile credentials such as those for Amazon Web Services and Microsoft Office 365. A botnet under their control looks for websites that use the Laravel web application framework, scanning to see if the domain root-level .env file is exposed online. Androxgh0st attackers may also exploit CVE-2018-15133 to identify the Laravel application key and use it to encrypt PHP code that is then passed as a cross-site request forgery token cookie. CVE-2018-15133 allows for an insecure deserialization attack that enables remote code execution.
Androxgh0st operators also scan for Apache servers vulnerable to CVE-2021-41773, a path traversal attack that is successful when administrators haven’t set the “request all denied” configuration but have enabled CGI scripts.
December 2022 analysis from Lacework found that Androxgh0st is used to send spam from compromised email accounts.
The government advises removing all credentials from .env files. “Cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file,” the advisory says.
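The two reconnaissance patterns described above (probing for a root-level .env file and CVE-2021-41773-style path traversal) and the advisory's advice to keep credentials out of .env files both lend themselves to a simple defender-side check. The following Python is an added example, not code from the article or from the FBI/CISA advisory: it scans constructed Apache access-log lines for the two request patterns and audits a constructed .env file for static credentials. The `.%2e` encoding in the sample traversal line is the form the Apache 2.4.49 path-normalization flaw was triggered with; the log format, key names and all values are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines (not from the page or any
# real incident): one legitimate request, one probe for the Laravel .env file,
# one CVE-2021-41773-style traversal attempt against cgi-bin.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jan/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [16/Jan/2024:10:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 400 226 "-" "curl/7.88"
"""

# Constructed Laravel-style .env content; every value here is fake.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY=
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000000
AWS_SECRET_ACCESS_KEY=EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0
MAIL_PASSWORD=hunter2
"""

# Minimal parser for the combined log format: client IP, timestamp, method,
# request path and status code are all we need for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Variable names whose values are long-lived secrets the advisory says should
# not live in a file at all (assumed naming; extend to match your own apps).
STATIC_CREDENTIAL_KEYS = re.compile(
    r"(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|.*_PASSWORD|.*_SECRET|.*_TOKEN)$"
)


def decode_path(path):
    """Percent-decode until stable so double-encoded '..' is normalized too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def classify_request(path):
    """Label one request path, or return None when it looks benign."""
    decoded = decode_path(path.split("?", 1)[0])
    segments = decoded.split("/")
    if segments and segments[-1].startswith(".env"):
        return "env-file-probe"
    if any(seg == ".." for seg in segments):
        return "path-traversal"
    return None


def flag_recon_requests(log_text):
    """Return (ip, raw_path, label) for every suspicious line in an access log."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        label = classify_request(match.group("path"))
        if label:
            hits.append((match.group("ip"), match.group("path"), label))
    return hits


def find_static_secrets(env_text):
    """Return the names of .env variables that hold a non-empty static credential."""
    findings = []
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if STATIC_CREDENTIAL_KEYS.match(key.strip()) and value.strip():
            findings.append(key.strip())
    return findings


if __name__ == "__main__":
    for ip, path, label in flag_recon_requests(SAMPLE_LOG):
        print(f"{label:15} {ip:15} {path}")
    for key in find_static_secrets(SAMPLE_ENV):
        print(f"static credential in .env: {key}")
```

Findings from the log scan are a prompt to confirm that the web server never serves dot-files (on Apache, a `<FilesMatch "^\.env">` block with `Require all denied`, which is the directive the advisory's "request all denied" wording refers to) and that the filesystem root keeps the default `Require all denied`; findings from the .env audit are the variables to move to the instance roles or managed identities the advisory recommends.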
Remcos RAT Targets South Korea
The Remcos remote access Trojan is making waves in South Korea by exploiting the popular web-based file storage system WebHard, camouflaging itself as adult-themed games and deceiving users into downloading malicious files, said AhnLab.
Using a tried-and-true method previously associated with njRAT and UDP RAT, the attackers use WebHard to distribute Remcos RAT. Victims fall prey to the ruse, unwittingly launching booby-trapped files that execute malicious Visual Basic scripts, initiating the download of an intermediate binary named ffmpeg.exe from a server controlled by the threat actors.
eBay to Pay $3 Million Fine for Cyberstalking Campaign
eBay will pay a $3 million fine for a cyberstalking incident orchestrated by some of its employees, including executives, targeting a Massachusetts couple in 2019. The couple had criticized the e-commerce giant in a newsletter, prompting a retaliatory campaign involving gruesome items such as a bloody pig mask, a fetal pig and a funeral wreath.
The U.S. Attorney’s Office for the District of Massachusetts announced that eBay had pleaded guilty to six felonies, including interstate stalking, electronic communications stalking, witness tampering and obstruction of justice. The company admitted that former Senior Director Jim Baugh and six others from the security team had carried out the harassment to intimidate the couple into altering their newsletter content.
The employees went to extremes – installing a GPS tracker on the victims’ car, creating misleading Craigslist ads, and sending explicit Twitter messages. Baugh received a 57-month prison sentence in 2022, and the other employees faced various punishments.
With reporting from Information Security Media Group’s Akshaya Ashokan in Brighton, United Kingdom, and Prajeet Nair in Bengaluru, India.