Threat Analysis; your attack surface.

The Hacker News

New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems.

A previously undocumented command-and-control (C2) framework dubbed Alchimist is likely being used in the wild to target Windows, macOS, and Linux systems.

"Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution, and run arbitrary commands," Cisco Talos said in a report shared with The Hacker News. Written in GoLang, Alchimist is complemented by a beacon implant called Insekt, which comes with remote access features that can be instrumented by the C2 server.”

"Since Alchimist is a single-file based ready-to-go C2 framework, it is difficult to attribute its use to a single actor such as the authors, APTs, or crimeware syndicates."

The trojan, for its part, is equipped with features typically present in backdoors of this kind, enabling the malware to get system information, capture screenshots, run arbitrary commands, and download remote files, among others.

Alchimist C2 panel further features the ability to generate first stage payloads, including PowerShell and wget code snippets for Windows and Linux, potentially allowing an attacker to flesh out their infection chains to distribute the Insekt RAT binary. The instructions could then be potentially embedded in a maldoc attached to a phishing email that, when opened, downloads and launches the backdoor on the compromised machine. What's more, the Linux version of Insekt is capable of listing the contents of the ".ssh" directory and even adding new SSH keys to the "~/.ssh/authorized_keys" file to facilitate remote access over SSH.

The Hacker News

Hackers Using Vishing to Trick Victims into Installing Android Banking Malware.

Malicious actors are resorting to voice phishing (vishing) tactics to dupe victims into installing Android malware on their devices.

The Dutch mobile security company said it identified a network of phishing websites targeting Italian online-banking users that are designed to get hold of their contact details.

Telephone-oriented attack delivery (TOAD), as the social engineering technique is called, involves calling the victims using previously collected information from the fraudulent websites.

The caller, who purports to be a support agent for the bank, instructs the individual on the other end of the call to install a security app and grant it extensive permissions, when, in reality, it's malicious software intended to gain remote access or conduct financial fraud.

What's more, the infrastructure utilized by the threat actor has been found to deliver a second malware named SMS Spy that enables the adversary to gain access to all incoming SMS messages and intercept one-time passwords (OTPs) sent by banks.

The new wave of hybrid fraud attacks presents a new dimension for scammers to mount convincing Android malware campaigns that have otherwise relied on traditional methods such as Google Play Store droppers, rogue ads, and smishing.

The Hacker News

64,000 Additional Patients Impacted by Omnicell Data Breach - What is Your Data Breach Action Plan?

Founded in 1992, Omnicell is a leading provider of medication management solutions for hospitals, long-term care facilities, and retail pharmacies. On May 4, 2022, Omnicell's IT systems and third-party cloud services were affected by ransomware attacks which may lead to data security concerns for employees and patients. While it is still early in the investigation, this appears to be a severe breach with potentially significant consequences for the company.

Omnicell began informing individuals whose information may have been compromised on August 3, 2022. Hackers may be able to access and sell patient-sensitive information, such as social security numbers, due to the time delay between the breach and the company's report of affected patients.

The type of information that may be exposed are:

• Credit card information.
• Financial information.
• Social security numbers.
• Driver's license numbers.
• Health insurance details.

The healthcare industry is one of the most targeted sectors globally, with attacks doubling year over year. And these costs are measured in millions or even billions of dollars - not to mention increased risks for patients' privacy (and reputation).

The Washington Post

How to protect schools getting whacked by ransomware.

Ransomware gangs are taking Americans to school. So far this year, hackers have taken hostage at least 1,735 schools in 27 districts; the massive Los Angeles Unified School District is their latest target.

Ransomware hackers breach computers, lock them up, steal sensitive data and demand money to release their hold on organizations’ critical systems. These criminals often attack schools because they are profitable targets. If all ransomware victims refused to pay, the attacks would stop. Indeed, paying up might be illegal: The Treasury Department released guidance last year noting that giving money to global criminal organizations can violate sanctions law.

The trouble is, saying no isn’t always easy. Los Angeles didn’t capitulate, and the criminals leaked a trove of data — a consequence that can prove more or less serious depending on the sensitivity of the stolen information.

“Because we can,” said a representative of the ransomware gang that took down Los Angeles Unified School District, explaining the collective’s motivations to a Bloomberg News reporter. Schools’ task is to turn “can” to “can’t” — or, at least, to make success pay a whole lot less.

CNET News.

Verizon Alerts Prepaid Customers to Recent Security Breach.

Verizon notified prepaid customers this week of a recent cyberattack that granted third-party actors access to their accounts, as reported earlier Tuesday by BleepingComputer. The attack occurred between Oct. 6 and Oct. 10 and affected 250 Verizon prepaid customers.

The breach exposed the last four digits of customers' credit cards used to make payments on their prepaid accounts. While no full credit card information was accessible, the information was enough to grant the attackers access to Verizon user accounts, which hold semi-sensitive data such "name, telephone number, billing address, price plans, and other service-related information," per a notice from Verizon.

Account access also potentially enabled attackers to process unauthorized SIM card changes on prepaid lines. Also known as SIM swapping, unauthorized SIM card changes can allow for the transfer of an unsuspecting person's phone number to another phone.

From there, the counterfeit phone can be used to receive SMS messages for password resets and user identification verifications on other accounts, giving attackers potential access to any account they have, or can guess, the username for. Consequently, Verizon recommended affected customers secure their non-Verizon accounts such as social media, financial, email and other accounts that allow for password resets by phone.