The August 2023 OptionOne Cybersecurity Briefing

By OptionOne Technologies

We searched through the most popular cybersecurity websites to bring you the latest industry news, updates, and tips.

Cybersecurity News

Malware Turns Thousands of PCs into Proxy Servers

AT&T Alien Labs has discovered a significant security threat involving the manipulation of malware-infected machines, The Hacker News reported. Cybercriminals are converting infected Windows and macOS devices into proxy server applications. This allows them to use the compromised systems as exit nodes, rerouting proxy requests at will.

The company providing the proxy service in question reportedly operates over 400,000 proxy exit nodes. However, the exact number of these nodes that have been co-opted through malware remains uncertain. While the proxy service provider claims that these nodes are sourced from informed users who willingly offer their devices, evidence to the contrary has been found.

The proxies are configured to gather information about the hacked systems, including running processes, CPU and memory utilization, and battery status. The installation of the proxy software is accompanied by additional malware or adware.

The development comes as macOS systems have increasingly become a prized target: since 2019, the dark web has seen a 1,000% surge in threat actors advertising information-stealer strains and sophisticated tools that can circumvent macOS security functions, namely Gatekeeper and Transparency, Consent and Control (TCC).

14 Cybercriminals Arrested in Coordinated Crackdown Across Africa

According to a report by The Hacker News, coordinated law enforcement operations across 25 African countries have led to the arrest of 14 suspected cyber criminals. INTERPOL first announced the arrests on August 18th.

The operation enabled investigators to identify more than 20,600 cyber networks that were linked to financial losses of more than $40 million. Dubbed “Africa Cyber Surge II,” the operation was initially launched in April 2023.

Among those arrested were suspects in Cameroon who were involved in an online scam selling fraudulent works of art worth $850,000. Another suspect was arrested in Nigeria for defrauding a Gambian victim. Also arrested were two money mules linked to scams initiated through messaging platforms.

The cyber networks comprised 3,786 command-and-control (C2) servers, 14,134 victim IP addresses tied to data stealer infections, 1,415 phishing links and domains, 939 scam IP addresses, and over 400 malicious URLs, IPs, and botnets. Two darknet sites were also taken down.

Phishing Attack Targets Zimbra Customers in 4 Continents

A phishing campaign against users of the collaborative software suite Zimbra has spread to hundreds of organizations in over a dozen countries, Dark Reading reported. Zimbra has been “beset by security incidents all year,” the report said, including a remote code execution bug, a cross-site scripting zero-day, and an info-stealing campaign launched by North Korea.

In the latest incident, an unidentified threat actor has been using scattershot phishing emails to obtain credentials for privileged Zimbra accounts. Primary targets have included small-to-mid-sized businesses (SMBs), which represent the software’s primary customer base.

“Hundreds of different organizations were targeted by this campaign,” claims Anton Cherepanov, senior malware researcher for ESET. However, “the extent of damage is hard to say,” because most of the attacks were rooted out before they took hold.

Each attack involves a general phishing email purported to be from Zimbra itself. The email relays a seemingly urgent message about a server update or account deactivation, then asks for the user’s credentials. The email is signed “Zimbra Boss — Administration.”

The country most affected by the campaign was Poland, followed by Ecuador and Italy. Attacks have reached as far as Mexico, Kazakhstan, and the Netherlands.

Cybersecurity Updates

CISA Committee Produces Strategies for Remote Monitoring and Management Protections

The Cybersecurity and Infrastructure Security Agency (CISA) unveiled the Joint Cyber Defense Collective (JCDC) initiative two years ago. The cooperative effort between the public and private cybersecurity sectors has presented its first piece of guidance, which is “a road map to shore up the remote monitoring and management (RMM) systems ecosystem behind the country’s critical infrastructure,” Dark Reading reported.

Managed service providers (MSPs) use RMM tools to remotely access critical infrastructure systems. The tools are a favorite target of threat actors because compromising one grants access to every organization that relies on it.

They are “unlikely to trip common endpoint detection response or antivirus detections and often operate with a high level of permissions on the devices they control,” said Melissa Bischoping, director of endpoint security research at Tanium. “The JCDC’s efforts to improve both education and awareness and vulnerability management of RMM software will reduce the risk of a threat actor successfully leveraging this tooling.”

If RMM tools are compromised, the consequences can be physical. In 2021, a threat actor gained control of a system through TeamViewer, an RMM tool, and attempted to alter the chemicals used to treat Florida’s water supply.

The new guidance is intended to facilitate collaboration across operators and enable cybersecurity teams to better protect against threats. At the core of the guidance is the strategy of building “an enduring RMM operational community.”

FBI: Cybercriminals Are Targeting Victims Through Mobile Beta-Testing

The U.S. Federal Bureau of Investigation (FBI) published an official public service announcement warning that cybercriminals are targeting victims through mobile beta-testing applications, Naked Security by Sophos reported. The Bureau didn’t name any specific vendors, but the “beta-testing route” is popular because it lures Apple iPhone users into installing software that didn’t come from the App Store.

All apps sold and available on Apple’s App Store must be submitted by the vendor to Apple to become available for download. However, users can get “unendorsed” apps through Apple’s Mobile Device Management (MDM) system, which is intended for companies wanting to deploy proprietary, non-public, corporate apps onto company-managed devices.

Users can also sign up for Apple’s TestFlight service, which lets developers distribute pre-release software to a maximum of 10,000 testers as part of a beta-testing program.

Threat actors may try to convince users to “join the club” by enrolling in MDM or TestFlight. Users who do so hand over considerable control of their devices to the threat actor. These actors aren’t trying to scam millions of people out of a few dollars each. Instead, they are attempting to engage with a handful of people, earn their trust, then convince them to part with potentially tens of thousands of dollars.

As a result, the user sends money to the actor believing it is an investment in a new piece of software. They get nothing in return.

Thanks for Reading

That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.