Welcome to this week’s edition of the Threat Source newsletter.

We’ve seen attackers capitalize on the news time and again, from COVID-19 to U.S.-North Korea relationships and, of course, holiday shopping sales every November.

So, I was far from surprised to see that attackers are already using U.S. President Joe Biden’s student loan forgiveness plan as a basis for scams and phishing emails.

The Better Business Bureau and the U.S. Federal Trade Commission both released warnings over the past few weeks around fake offers, scams and website links related to the debt forgiveness plan, with which some borrowers will have up to $20,000 worth of loans forgiven.

Many of these scams, coming via phone calls, text messages and emails, are promising to provide guaranteed access to the forgiveness program or early applications for a fee. (Hint: This will not work.)

These attackers may also be looking to steal personal information by asking for things like names, addresses and the name of the college the target went to.

I can already see the phishing emails now... “Click on this link NOW to apply for Biden’s loan forgiveness program” or “Act now so you can get your $10,000 check!” Even though I couldn’t find reports as of this week of this type of email being used to spread malware, I feel like it’s inevitable.

This isn’t a new problem, either. A July study from the Tech Transparency Project found that nearly 12 percent of Google ads served related to student loans violated Google’s policies or had “scam characteristics.”

With that in mind, I felt it was important to remind folks of a few things with the real application to apply for student debt forgiveness reportedly coming in early October:

  • As of right now, Sept. 22, there is no real or formal application to have a portion of your student debt forgiven. Don’t believe anything that says otherwise.
  • There is no way to get early access to this program. Anyone offering this for a fee is very likely a scam.
  • The U.S. Department of Education will not reach out with a phone call to communicate regarding this program; do not provide any requested information over the phone.
  • Just because something shows up in the mail doesn’t mean it’s legit. Attackers are also likely to send phishing letters via traditional USPS delivery methods.
  • And, as always: If it seems too good to be true, it probably is.

The one big thing

Ukraine is again the target of a state-sponsored actor, with the Gamaredon APT launching information-stealing malware against organizations and users there. Gamaredon is a well-known actor that’s been around for several years and usually aligns with Russian state interests. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. Talos researchers discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers.

So now what?

There are new Cisco Secure product protections in place to protect against this actor’s activities. Additionally, if you fear you could be targeted by this campaign, there are two artifacts to scan for on the system that can indicate a compromise:

  • A registry key is created under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name "Windows Task" for persistence.
  • A mutex is created with the name Global\flashupdate_r.
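The two artifacts above lend themselves to a quick host triage. The script below is an added example written for this newsletter, not Talos's own tooling or a Cisco Secure signature: it walks every loaded user hive (the newsletter's HKCU key is per-user, so checking only the current user would miss other logged-on accounts) for a Run value named "Windows Task", and tries to open the Global\flashupdate_r mutex. The function names and output format are my own; the registry value and mutex name are the ones reported above.

```powershell
# Added example: triage a Windows host for the two Gamaredon artifacts named
# in the newsletter. Run from an elevated PowerShell so every loaded user
# hive under HKEY_USERS is readable; the mutex check works from any session.

$RunValueName = 'Windows Task'           # Run value name from the newsletter
$MutexName    = 'Global\flashupdate_r'   # mutex name from the newsletter

function Find-SuspiciousRunValue {
    param([string]$ValueName = $RunValueName)
    # HKCU only covers the account running this script, so enumerate every
    # hive under HKEY_USERS and look at each one's Run key.
    $hits = @()
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
    foreach ($hive in $hives) {
        $runKey = "Registry::HKEY_USERS\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path -Path $runKey)) { continue }
        $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.PSObject.Properties[$ValueName]) {
            $hits += [pscustomobject]@{
                Hive    = $hive.PSChildName        # SID of the affected user
                Value   = $ValueName
                Command = $props.$ValueName        # what the persistence entry launches
            }
        }
    }
    return $hits
}

function Test-MutexPresent {
    param([string]$Name = $MutexName)
    $m = $null
    try {
        # Mutex.TryOpenExisting returns $true only if a mutex with this exact
        # name already exists; Global\ makes the lookup session-independent.
        $found = [System.Threading.Mutex]::TryOpenExisting($Name, [ref]$m)
        if ($null -ne $m) { $m.Dispose() }
        return $found
    }
    catch [System.UnauthorizedAccessException] {
        # The mutex exists but this account cannot open it: still a hit.
        return $true
    }
}

# Report. Absence of both artifacts is not proof the host is clean; treat
# this as a first pass before pulling memory, network and EDR telemetry.
$runHits  = Find-SuspiciousRunValue
$mutexHit = Test-MutexPresent

if ($runHits.Count -gt 0) {
    Write-Warning "Run value '$RunValueName' present in $($runHits.Count) user hive(s):"
    $runHits | Format-Table -AutoSize
}
if ($mutexHit) {
    Write-Warning "Mutex '$MutexName' is present on this host."
}
if ($runHits.Count -eq 0 -and -not $mutexHit) {
    Write-Output "Neither artifact found."
}
```

If the Run value is found, preserve the Command field before cleanup: it points at the implant's on-disk location, which is what you want for hash collection and scoping across other hosts.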

Top security headlines from the week

Rideshare app Uber blamed the Lapsus$ ransomware group for a recent data breach. The company said the actor gained access to multiple internal Uber systems after stealing a third-party contractor's credentials and then tricking that user into approving a multi-factor authentication request. Uber engaged the U.S. Department of Justice and the FBI shortly after learning about the breach and is still investigating it. However, it does not appear that attackers accessed any customer or user data stored by its cloud providers, though they did download some internal messages and information from an internal finance team. (ZDNet, Washington Post)

New York’s Suffolk County is still recovering from a cyber attack that’s affected multiple areas of the local government. The county’s 911 system was still offline as of Tuesday, with responders forced to switch to pen and paper for tracking emergency calls. They’ve also had to enlist the help of the New York City Police Department to assist with background checks. The attackers may have also stolen and leaked some residents’ personal information and have allegedly posted images of stolen documents on the dark web. The adversaries say they’ve demanded an unspecified “small amount” of money for the return of access to its computers. (NBC 4 New York, Newsday)

The ChromeLoader malware is more dangerous than ever, according to new research from VMware and Microsoft. Security researchers at the companies say the malware — which started as a browser-hijacking credential stealer — is now being used as a tool to deliver ransomware and steal sensitive information. The updated version of ChromeLoader has been used in hundreds of attacks over the past few weeks targeting enterprise networks in the education, government, health care and business services industries. Attackers are disguising ChromeLoader as legitimate Chrome browser services and plugins, such as OpenSubtitles, a site designed to help users find subtitles for popular TV shows and movies. (Dark Reading, The Register)

Can’t get enough Talos?

Upcoming events where you can find Talos

Cisco Security Solution Expert Sessions (Oct. 11 & 13)

GovWare 2022 (Oct. 18 - 20)
Sands Expo & Convention Centre, Singapore