Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

In this week’s roundup, we’ll begin with how Interpol is combating cybercrime. Next, we’ll explore new tactics in the phishing landscape. We’ll then uncover which major drug companies were impacted by the Cencora data loss. Additionally, we’ll examine the potential damage caused by a trojan Minesweeper clone. Finally, we’ll dive into the risks associated with gift cards.

  • 6 Facts About How Interpol Fights Cybercrime

Disrupting cybercrime requires a complex coordination of law enforcement, judicial processes, and technical capabilities, cutting across barriers of language, culture, and geopolitical divides. Cybercriminal activities today are often managed by mature criminal gangs operating global organizations that disregard laws and borders. Effective takedowns of cybercriminal activities and preventative campaigns necessitate a high degree of international cooperation.

Interpol’s Role in Combating Cybercrime

The International Criminal Police Organization (Interpol) plays a crucial role in this international effort. Founded in 1923 and having just marked its 100th anniversary, Interpol remains a vital organization in the digital age. Its global cybercrime program is one of four main law enforcement pillars, alongside terrorism, organized crime, and financial crime and corruption. Recently, Interpol has coordinated notable cybercrime-fighting efforts such as Operation Synergia, which resulted in significant takedowns and arrests in the Middle East and Africa, and Operation Storm Makers II, targeting cyber fraud operations in numerous Asian countries that involved human trafficking.

At the RSA Conference USA 2024, Craig Jones, Interpol’s director of cybercrime, explained how the organization operates and collaborates with private firms to fulfill its mission. Key facts include:

Four Global Programs

Interpol’s operations are centered around four global programs: cybercrime, terrorism, organized crime, and financial crime and corruption.

Coordination, Not Direct Leadership

Interpol does not directly lead investigations or make arrests. Instead, it functions as a program management agency, helping law enforcement agencies collaborate, analyzing cybercrime data, and offering administrative support and professional training globally. Interpol acts as the largest threat intelligence operation in the world.

Member Country Coordination

Interpol is a politically neutral organization run through a constitutional system supported by its 196 member countries. It acts as a neutral facilitator, especially when countries with advanced cybercrime capabilities need to collaborate despite not being on speaking terms. Member countries are categorized into three strata based on their cybercrime-fighting capabilities. Advanced countries with robust capabilities can conduct full investigations and work effectively with others. Countries with reasonable capabilities focus on information-sharing and analysis. Those with limited capabilities receive training, information, and support to build their capacity.

Interpol’s Global Cyber Program

Interpol’s mission to reduce the global impact of cybercrime and protect communities involves investigating cybercriminal activity, disrupting criminal capabilities, and helping countries develop their internal capacities. The program consists of three components. First, Cybercrime Threat Response. This component aggregates data from law enforcement and private sector partners worldwide, serving as Interpol’s threat intelligence hub, issuing advisories and threat assessments. Second, Cyber Strategy and Capabilities Development. This handles outreach and training between agencies and private enterprises, helping build the necessary skills and knowledge to combat cybercrime. Third, Cybercrime Operations. This focuses on law enforcement coordination and takedowns of compromised infrastructure, blending training with operational support.

Regional Coordination

Interpol organizes its work through regional operations desks in Africa, Asia & the South Pacific, Europe, and the Americas. This regional model enhances effectiveness and resource utilization, avoiding the inefficiencies of country-by-country coordination. Singapore hosts the Interpol Innovation Centre, which includes labs for research on responsible AI, emerging threats, digital forensics, and global tech developments. This hub, funded in partnership with the Singapore government, helps Interpol leverage Singapore’s tech and financial leadership.

Public-Private Partnerships

Interpol collaborates with private partners, including financial organizations and global tech firms, for valuable data that enhances its threat intelligence capabilities. These partnerships are essential for disrupting cybercrime operations and mitigating financial losses caused by criminal activities.

Interpol’s multifaceted approach, involving coordination among diverse member countries, regional operations, and public-private partnerships, is vital for effectively combating global cybercrime.

  • New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI

Cybersecurity researchers have raised alarms about phishing campaigns abusing Cloudflare Workers to host phishing sites that harvest credentials for Microsoft, Gmail, Yahoo!, and cPanel Webmail accounts. The method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, uses Cloudflare Workers as reverse proxies that sit between the victim and the legitimate login page and capture credentials, cookies, and session tokens in transit, as detailed by Netskope researcher Jan Michael Alcantara. Over the past 30 days, a significant number of phishing campaigns hosted on Cloudflare Workers have targeted individuals in Asia, North America, and Southern Europe, primarily in the technology, financial services, and banking sectors. A spike in traffic to Cloudflare Workers-hosted phishing pages was first registered in Q2 2023, and the number of distinct domains rose from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024.

These campaigns employ HTML smuggling, in which malicious JavaScript assembles the payload on the client side, so that what crosses the network is encoded script rather than a file a perimeter scanner would recognize. Unlike typical HTML smuggling, the payload here is not a dropped file but the phishing page itself, reconstructed and displayed inside the victim’s browser. Victims are prompted to sign in with Microsoft Outlook or Office 365 to view a supposed PDF document, and the fake sign-in pages hosted on Cloudflare Workers capture both the password and the multi-factor authentication (MFA) code. The phishing page is built from a modified version of an open-source Cloudflare AitM toolkit. When the victim reaches the attacker’s login page, the proxy records the web request metadata; after the victim enters their credentials, the proxy forwards them so the victim is genuinely logged into the legitimate site, while the attacker harvests the response tokens and cookies and can observe everything the victim does after login. Because the stolen session cookie is issued only after the MFA check succeeds, one-time codes and push approvals offer no protection here; only origin-bound credentials such as FIDO2/WebAuthn passkeys, which the browser will not present to a proxy running on a different origin, resist this attack.

HTML smuggling is becoming a favored technique among threat actors as it allows the delivery of fraudulent HTML pages and other malware without triggering security alarms. For instance, Huntress Labs highlighted a case where a fake HTML file injected an iframe of the legitimate Microsoft authentication portal, retrieved from an attacker-controlled domain. Recent phishing campaigns also include invoice-themed emails with HTML attachments posing as PDF viewer login pages, stealing email account credentials, and redirecting victims to URLs hosting “proof of payment.”

Other forms of email-based phishing, such as phishing-as-a-service (PhaaS) toolkits like Greatness, target Microsoft 365 login credentials and bypass MFA using AitM techniques. These campaigns often involve QR codes within PDF files and CAPTCHA checks before redirecting victims to bogus login pages. Targeted sectors for these phishing attacks include financial services, manufacturing, energy/utilities, retail, and consulting in countries like the U.S., Canada, Germany, South Korea, and Norway. The sophisticated nature of these attacks, coupled with the use of advanced capabilities offered by PhaaS services, underscores the evolving tactics of cybercriminals. Moreover, threat actors are increasingly using generative artificial intelligence (GenAI) to craft convincing phishing emails and delivering oversized malware payloads (over 100 MB) to evade analysis.

The file inflation method, observed delivering malware such as Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT, pads the binary to an oversized length to exploit antivirus engines that skip files above a size threshold to conserve resources; the padding is inert, so analysts can strip it to recover the real sample. Adversaries are also employing DNS tunneling in campaigns tracked as TrkCdn, SpamTracker, and SecShow to track email interactions, monitor spam delivery, and scan victim networks for vulnerabilities. The technique embeds content in emails that, when opened, triggers DNS queries to attacker-controlled subdomains, typically one unique to the recipient, so the query itself confirms that the message was opened. This activity surfaces in resolver logs rather than at the mail gateway.
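The DNS-based tracking described above leaves a recognizable pattern in resolver logs: one registered domain receives many queries, each for a different random-looking subdomain, from many different internal clients. The following scanner is an added example written for this roundup, not code from the research it summarizes; the log line format, the domains and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag DNS tracking/tunneling patterns in resolver logs (added example)."""
import math
import re
from collections import defaultdict

# Constructed resolver log lines in an assumed "timestamp client qname" format.
SAMPLE_LOG = """\
2024-05-20T10:01:02Z 10.1.2.3 www.example.com
2024-05-20T10:01:05Z 10.1.2.3 a3f9c2e17b0d4e8a.trk.mail-stats.net
2024-05-20T10:01:09Z 10.1.2.4 5c0e77d1ab92f301.trk.mail-stats.net
2024-05-20T10:02:11Z 10.1.2.5 e91b44a0c7d2f6b3.trk.mail-stats.net
2024-05-20T10:02:40Z 10.1.2.6 0f6d2b9e8a1c4d57.trk.mail-stats.net
2024-05-20T10:03:02Z 10.1.2.3 cdn.example.com
2024-05-20T10:03:15Z 10.1.2.7 mail.example.com
2024-05-20T10:04:01Z 10.1.2.8 7d2a1e0f9b3c5d46.trk.mail-stats.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex or base32 labels score roughly 3.5-4."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude last-two-labels approximation; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze(log_text: str, min_unique: int = 4, min_entropy: float = 3.0) -> dict:
    """Return {registered_domain: summary} for domains that look like tracking or tunneling."""
    per_domain = defaultdict(lambda: {"queries": 0, "labels": set(), "clients": set(), "high_entropy": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, client, qname = m.groups()
        rd = registered_domain(qname)
        leftmost = qname.lower().split(".")[0]
        stats = per_domain[rd]
        stats["queries"] += 1
        stats["labels"].add(leftmost)
        stats["clients"].add(client)
        if len(leftmost) >= 12 and shannon_entropy(leftmost) >= min_entropy:
            stats["high_entropy"] += 1

    findings = {}
    for rd, s in per_domain.items():
        # Tracking signature: nearly every query uses a fresh, random-looking label,
        # and the labels are spread across many distinct internal clients.
        unique_ratio = len(s["labels"]) / s["queries"]
        if len(s["labels"]) >= min_unique and unique_ratio >= 0.9 and s["high_entropy"] >= min_unique:
            findings[rd] = {
                "queries": s["queries"],
                "unique_labels": len(s["labels"]),
                "clients": len(s["clients"]),
            }
    return findings


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_LOG).items():
        print(f"suspect {domain}: {info}")
```

On the constructed sample, `mail-stats.net` is reported (five queries, five unique high-entropy labels, five clients) while `example.com` is not. Real deployments should tune `min_unique` per day of traffic and whitelist known CDN and telemetry domains, which also produce many distinct subdomains.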

The rise in malware advertising campaigns further complicates the security landscape, with malicious ads for popular software appearing in search engine results. These ads trick users into installing information stealers and remote access trojans such as SectopRAT (ArechClient). Cybercriminals also set up counterfeit pages mimicking financial institutions like Barclays, offering legitimate remote desktop software like AnyDesk under the guise of live chat support, thereby gaining remote access to victims’ systems.

Given these sophisticated and evolving threats, it is crucial to remain vigilant, particularly regarding sponsored search results. Cybercriminals’ ability to create malicious installers that evade detection necessitates heightened caution and robust cybersecurity measures.

  • Bayer and 12 Other Major Drug Companies Caught Up in Cencora Data Loss

In February, U.S. drug wholesaler Cencora, formerly known as AmerisourceBergen, experienced a significant data breach affecting numerous pharmaceutical suppliers. Over a dozen major pharmaceutical companies, including GlaxoSmithKline, Novartis, Genentech, Bayer, Regeneron, and Bristol Myers Squibb, have begun notifying individuals that their personal data was compromised in this breach. These notifications, reported to the California Attorney General, indicate that stolen information may include names, addresses, dates of birth, health diagnoses, medications, and prescriptions.

Despite assurances that there is no evidence of public disclosure or misuse of the data for fraudulent purposes, affected individuals are being urged to take protective measures. Cencora disclosed the breach in a February 2024 SEC Form 8-K filing, noting the discovery of the intrusion on February 21. The company stated that the incident had not materially impacted its operations but acknowledged the potential for personal information compromise. Cencora has not provided further updates or responded to inquiries regarding the breach. The exact number of individuals affected remains unknown, as California law does not require disclosure of this figure. This breach underscores the vulnerability of critical sectors to cyber threats and the importance of robust cybersecurity measures.

Meanwhile, the U.S. Environmental Protection Agency (EPA) has issued a warning about the cybersecurity posture of the nation’s drinking water systems. Over 70 percent of inspected water systems failed to meet security standards, often relying on default passwords and single shared logins. The EPA’s enforcement alert highlights the increasing frequency and severity of cyberattacks against community water systems, which could allow adversaries to manipulate operational technology and cause significant harm. Attackers linked to Russia, China, and Iran have breached U.S. water systems in the past year. In response, the EPA, FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) have strongly recommended that water system owners and operators take specific actions to enhance their security, with free assistance available through the EPA’s Cybersecurity Technical Assistance Form.

These events underscore the ongoing challenges organizations face in safeguarding sensitive data against sophisticated cyber threats. As cybercriminals continue to target critical infrastructure and major corporations, it is imperative for entities to bolster their cybersecurity measures, invest in advanced protection technologies, and foster a culture of security awareness to mitigate the risks and potential impacts of data breaches.

  • Hackers Phish Finance Organizations Using Trojan Minesweeper Clone

Hackers are using a Python clone of Microsoft’s classic Minesweeper game to conceal malicious scripts targeting financial organizations in Europe and the US. The attacks are attributed to a threat actor tracked as ‘UAC-0188,’ identified by Ukraine’s CSIRT-NBU and CERT-UA. The actor uses the game’s legitimate code to disguise Python code that downloads and installs SuperOps RMM, a legitimate remote management tool, which gives the attackers direct access to compromised systems. The attack begins with an email from “support@patient-docs-mail.com,” posing as a medical center under the subject “Personal Web Archive of Medical Documents.” The email prompts recipients to download a 33 MB .SCR file from a Dropbox link. This file contains code from a Python clone of Minesweeper along with malicious Python code that downloads additional scripts from a remote source, specifically “anotepad.com.”

CERT-UA reports that further investigation has revealed at least five breaches in financial and insurance institutions across Europe and the United States, all traced back to the same malicious files.

The Minesweeper code serves as cover, making the file look benign to security software and to a cursory reviewer. The executable also contains a function named “create_license_ver,” repurposed to decode and execute the hidden malicious code: a 28 MB base64-encoded string inside the executable decodes to a ZIP file containing an MSI installer for SuperOps RMM, which is extracted using a static password and then executed. A large base64 literal inside a game script is itself a strong triage signal, since legitimate game code has no reason to carry one.
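The HTML smuggling attachments discussed in the phishing item above and the Minesweeper dropper described here share one trait: a large base64 string literal that JavaScript or a helper such as the repurposed “create_license_ver” decodes at runtime. The carver below is an added example for this roundup, not CERT-UA’s or Netskope’s code. It finds long base64 literals in any text file, decodes them, identifies the result by magic bytes, and lists ZIP contents without extracting; the two sample inputs it builds (a dropper wrapping a fake installer ZIP, and a smuggling page wrapping an HTML login form) are constructed, not real malware.

```python
"""Carve base64-embedded payloads out of text-based droppers (added example)."""
import base64
import io
import re
import zipfile

# Identify a decoded blob by its leading bytes (compared case-insensitively).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound (MSI/DOC)",
    b"<html": "html",
    b"<!DOCTYPE": "html",
}


def identify(blob: bytes) -> str:
    head = blob[:16].lower()
    for magic, name in MAGIC.items():
        if head.startswith(magic.lower()):
            return name
    return "unknown"


def carve(text: str, min_len: int = 200):
    """Yield one record per decodable base64 literal of at least min_len characters."""
    pattern = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    for m in pattern.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield {"offset": m.start(), "length": len(m.group(0)), "kind": identify(blob), "data": blob}


def zip_listing(blob: bytes):
    """List (name, size, encrypted) for each entry; works without the archive password."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1)) for i in zf.infolist()]


def scan(text: str):
    """Scan a dropper or attachment and return findings (decoded bytes omitted)."""
    results = []
    for hit in carve(text):
        entry = {k: v for k, v in hit.items() if k != "data"}
        if hit["kind"] == "zip":
            entry["entries"] = zip_listing(hit["data"])
        results.append(entry)
    return results


def build_samples():
    """Construct a fake dropper and a fake HTML-smuggling attachment (assumed shapes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake OLE header plus padding stands in for an MSI; it is not a real installer.
        zf.writestr("agent_setup.msi", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 600)
    zip_b64 = base64.b64encode(buf.getvalue()).decode()
    dropper = f'''
import base64
def create_license_ver():  # decoy name, as in the real sample
    return base64.b64decode("{zip_b64}")
'''
    page = ("<html><body><h1>Sign in to view your document</h1><form>"
            + "<input name=u>" * 30 + "</form></body></html>")
    page_b64 = base64.b64encode(page.encode()).decode()
    attachment = f'<script>var b=atob("{page_b64}");document.write(b);</script>'
    return dropper, attachment


if __name__ == "__main__":
    for sample in build_samples():
        for finding in scan(sample):
            print(finding)
```

Against the dropper sample, `scan` reports one ZIP at the literal’s offset and lists `agent_setup.msi` inside it; against the attachment it reports an embedded HTML page. When an archive entry shows `encrypted=True`, the static password is usually a string literal near the decode call in the same script, and `zipfile.ZipFile.extractall(pwd=...)` will open it in a sandbox.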

SuperOps RMM is a legitimate remote access tool, but here it grants the attackers unauthorized access. CERT-UA advises that organizations which do not use SuperOps RMM should treat its presence, or any related network activity such as connections to the “superops.com” or “superops.ai” domains, as an indicator of compromise. In practice that means hunting for the agent’s installer and service on endpoints and for those domains in DNS and proxy logs; the same check applies to any RMM product the organization has not sanctioned.

This sophisticated method of hiding malicious code within legitimate software highlights the evolving tactics of cybercriminals. Financial institutions must remain vigilant and employ robust cybersecurity measures to detect and thwart such attacks. Enhanced email security, vigilant monitoring of network activity, and swift response protocols are crucial to protecting against these advanced threats.

  • The Growing Risk of Gift Card Fraud

Microsoft Threat Intelligence has identified gift cards as prime targets for fraud and social engineering, largely due to their lack of customer names or bank accounts, which reduces scrutiny and offers cybercriminals a new surface to exploit. A notable increase in activity has been observed from the threat actor group Storm-0539, also known as Atlas Lion, particularly around major U.S. holidays such as Memorial Day, Labor Day, Thanksgiving, Black Friday, and Christmas. Leading up to Memorial Day 2024, there was a 30% rise in activity from Storm-0539 between March and May 2024.

Active since late 2021, Storm-0539 has evolved from a group specializing in malware attacks on point-of-sale (POS) devices to targeting cloud and identity services. They now focus on the payment and card systems of large retailers, luxury brands, and fast-food chains. Their advanced strategies include exploiting cloud environments to conduct reconnaissance on gift card issuance processes and employee access.

Storm-0539’s deep understanding of cloud systems lets them compromise identity and access privileges with a sophistication that resembles nation-state-sponsored threat actors. Instead of espionage, however, they hijack accounts to issue gift cards for fraudulent redemption. After gaining initial access, they register attacker-controlled devices with the victim’s identity environment, which lets them satisfy device-based multifactor authentication (MFA) checks and maintain persistent access. Device registration is therefore a control point in its own right: it should require strong authentication and be monitored for new devices appearing shortly after a risky sign-in.

To avoid detection, Storm-0539 masquerades as a legitimate organization, securing resources from cloud providers under false pretenses. They create convincing websites with typosquatting domain names to deceive victims.

Organizations issuing gift cards should consider their portals high-value targets and implement continuous monitoring and auditing for anomalous activities. Conditional access policies and educating security teams on social engineering tactics are crucial. Investing in cloud security best practices, implementing sign-in risk policies, transitioning to phishing-resistant MFA, and applying the least privilege access principle are essential defenses.
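The recommendation to move to phishing-resistant MFA connects directly to the Cloudflare Workers AitM campaigns in the phishing item above. A WebAuthn authenticator signs over the SHA-256 of clientDataJSON, which the browser (not the page) populates with the origin the user actually visited, so a relying party that checks the origin will reject an assertion obtained through a reverse-proxy phishing page. The check below is an added example, not code from Microsoft or Netskope; the relying-party origin, the proxy hostname and the challenge handling are assumptions, and it covers only the client-data checks, not signature verification.

```python
"""Relying-party clientDataJSON checks that defeat AitM phishing (added example)."""
import base64
import hashlib
import json
import secrets

# Assumed relying-party origin; a proxy on any other origin must be rejected.
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str) -> str:
    """What the browser constructs during navigator.credentials.get(); page script cannot alter 'origin'."""
    cd = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(cd).encode())


def verify_client_data(client_data_b64: str, expected_challenge: bytes, allowed_origins=ALLOWED_ORIGINS):
    """Client-data steps of WebAuthn assertion verification. Returns (ok, reason, client_data_hash)."""
    raw = b64url_decode(client_data_b64)
    cd = json.loads(raw)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch", None
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} not allowed", None
    # This hash is appended to authenticatorData and covered by the authenticator's signature,
    # so a proxy cannot rewrite the origin to the legitimate one without breaking the signature.
    return True, "ok", hashlib.sha256(raw).digest()


def demo():
    """Direct sign-in is accepted; the same ceremony relayed through an assumed AitM host is not."""
    challenge = secrets.token_bytes(32)
    direct = make_client_data(challenge, "https://login.example.com")
    proxied = make_client_data(challenge, "https://login-example.workers.dev")
    return verify_client_data(direct, challenge)[0], verify_client_data(proxied, challenge)[0]


if __name__ == "__main__":
    print(demo())
```

The same property is why a stolen password plus a relayed OTP still works against an AitM proxy while a passkey does not: the proxy can forward what the user types, but it cannot make the victim’s browser sign for an origin it is not on.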
