Thursday, September 22, 2022

Threat Source newsletter (Sept. 22, 2022) — Attackers are already using student loan relief for scams


By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

We’ve seen attackers capitalize on the news time and again, from COVID-19 to U.S.-North Korea relationships and, of course, holiday shopping sales every November. 

So, I was far from surprised to see that attackers are already using U.S. President Joe Biden’s student loan forgiveness plan as a basis for scams and phishing emails.  

The Better Business Bureau and the U.S. Federal Trade Commission both released warnings over the past few weeks around fake offers, scams and website links related to the debt forgiveness plan, with which some borrowers will have up to $20,000 worth of loans forgiven. 

Many of these scams, coming via phone calls, text messages and emails, are promising to provide guaranteed access to the forgiveness program or early applications for a fee. (Hint: This will not work.) These attackers may also be looking to steal personal information by asking for things like names, addresses and the name of the college the target went to. 

I can already see the phishing emails now... “Click on this link NOW to apply for Biden’s loan forgiveness program” or “Act now so you can get your $10,000 check!” Even though I couldn’t find reports as of this week of this type of email being used to spread malware, I feel like it’s inevitable. 

This isn’t a new problem, either. A July study from the Tech Transparency Project found that nearly 12 percent of Google ads served related to student loans violated Google’s policies or had “scam characteristics.” 

With that in mind, I felt it was important to remind folks of a few things with the real application to apply for student debt forgiveness reportedly coming in early October: 

  • As of right now, Sept. 22, there is no real or formal application to have a portion of your student debt forgiven. Don’t believe anything that says otherwise. 
  • There is no way to get early access to this program. Anyone offering this for a fee is very likely a scam. 
  • The U.S. Department of Education will not reach out with a phone call to communicate regarding this program, do not provide any requested information over the phone. 
  • Just because something shows up in the mail doesn’t mean it’s legit. Attackers are also likely to send phishing letters via traditional USPS delivery methods. 
  • And, as always: If it seems too good to be true, it probably is. 

The one big thing 


Ukraine is again the target of a state-sponsored actor, with the Gamaredon APT launching information-stealing malware against organizations and users there. Gamaredon is a well-known actor that’s been around for several years and usually aligns with Russian state interests. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. Talos researchers discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers. 

Why do I care? 

Gamaredon is actively targeting Ukrainian entities, specifically government organizations and critical infrastructure. These are all crucial industries to protect during Russia’s invasion of Ukraine, as they’ll likely be targeted regularly by state-sponsored actors. And as we outlined in last week’s Talos Takes, Gamaredon’s activities are not likely to remain isolated to Ukraine. 

So now what?

There are new Cisco Secure product protections in place to protect against this actor’s activities. Additionally, if you fear you could be targeted by this campaign, there are two artifcats to scan for on the system that can indicate a compromise: 
  • A registry key is created under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name "Windows Task" for persistence. 
  • A mutex is created with the name Global\flashupdate_r. 

 

Top security headlines from the week


Rideshare app Uber blamed the Lapsus$ ransomware group for a recent data breach. The company said the actor gained access to multiple internal Uber systems after stealing a third-party contractor's credentials and then tricking that user into approving a multi-factor authentication request. Uber engaged the U.S. Department of Justice and the FBI shortly after learning about the breach and is still investigating it. However, it does not appear that attackers accessed any customer or user data stored by its cloud providers, though they did download some internal messages and information from an internal finance team. (ZDNet, Washington Post

New York’s Suffolk County is still recovering from a cyber attack that’s affected multiple areas of the local government. The county’s 911 system was still offline as of Tuesday, with responders forced to switch to pen and paper for tracking emergency calls. They’ve also had to enlist the help of the New York City Police Department to assist with background checks. The attackers may have also stolen and leaked some residents’ personal information and have allegedly posted images of stolen documents on the dark web. The adversaries say they’ve demanded an unspecified “small amount” of money for the return of access to its computers. (NBC 4 New York, Newsday

The ChromeLoader malware is more dangerous than ever, according to new research from VMWare and Microsoft. Security researchers at the companies say the malware — which started as a browser-hijacking credential stealer — is now being used as a tool to deliver ransomware and steal sensitive information. The updated version of ChromeLoader has been used in hundreds of attacks over the past few weeks targeting enterprise networks in the education, government, health care and business services industries. Attackers are disguising ChromeLoader as legitimate Chrome browser services and plugins, such as OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies. (Dark Reading, The Register


Can’t get enough Talos? 

Upcoming events where you can find Talos 



GovWare 2022 (Oct. 18 - 20)
Sands Expo & Convention Centre, Singapore 

Most prevalent malware files from Talos telemetry over the past week  


MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

MD5: 8a5f8ed00adbdfb1ab8a2bb8016aafc1   
Typical Filename: RunFallGuys.exe 
Claimed Product: N/A 
Detection Name: W32.Auto:c326d1.in03.Talos 

MD5: 2c8ea737a232fd03ab80db672d50a17a     
Typical Filename: LwssPlayer.scr     
Claimed Product: 梦想之巅幻灯播放器     
Detection Name: Auto.125E12.241442.in02 

MD5: 8c69830a50fb85d8a794fa46643493b2 
Typical Filename: AAct.exe 
Claimed Product: N/A  
Detection Name: PUA.Win.Dropper.Generic::1201 

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.