14 August 2024

Ankura CTIX FLASH Update - August 13, 2024

Ankura Consulting Group LLC


RANSOMWARE/MALWARE ACTIVITY

New Malware Campaign Impacts at Least 300,000 Users with Malicious Browser Extensions

Researchers at ReasonLabs have recently reported on a relatively new malware campaign which aims to steal victims' data via malicious browser extensions. Researchers have witnessed at least 300,000 users across Google Chrome and Microsoft Edge that have been infected. The trojan is distributed via fake websites impersonating trusted software including Roblox FPS Unlocker, YouTube, Steam, and VLC Player. The trojan installer registers a scheduled task which executes a PowerShell script that downloads and executes additional payloads. The malware modifies the Windows Registry to install malicious extensions hosted on the Google Chrome Web Store and Microsoft Edge Add-ons. End users cannot disable the extensions, and the malware can also turn off browser updates that would otherwise interfere with its persistence. The malicious extensions downloaded are capable of hijacking web search queries. Some forms of the malware also launch a local extension downloaded directly from the attacker command-and-control (C2) server which can intercept all web requests and inject scripts into all pages. In order to remove the malware, users must delete the scheduled task, remove the registry keys, and delete all files associated with the malware. Researchers at ReasonLabs have reached out to Google and Microsoft regarding the malicious extensions to ensure the companies are aware of the issue. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
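The persistence chain described above (scheduled task running a PowerShell downloader, registry policies that force-install extensions and disable browser updates) can be triaged on a single Windows host with the following hunt script. It is an added example, not code from ReasonLabs or Ankura; it assumes the malware uses the standard Chrome/Edge enterprise policy keys (ExtensionInstallForcelist and the Google Update / EdgeUpdate policies), which on an unmanaged workstation are normally absent.

```powershell
# Added hunt script (assumption: the campaign abuses the standard
# browser policy keys below). Run from an elevated PowerShell session.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Extensions force-installed by policy. Each value is
#    "<extension id>;<update URL>"; an unmanaged host has none.
$forceKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $forceKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $findings.Add("Forced extension: $key\$name = $($item.GetValue($name))")
        }
    }
}

# 2. Update policies set to 0 ("updates disabled") for UpdateDefault
#    or any per-application Update{GUID} value.
$updateKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Update',
    'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
)
foreach ($key in $updateKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -like 'Update*' -and $item.GetValue($name) -eq 0) {
                $findings.Add("Browser updates disabled: $key\$name = 0")
            }
        }
    }
}

# 3. Scheduled tasks whose action starts PowerShell with a download
#    cradle or an encoded command; review the task path and author.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and
            $cmd -match 'DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|-enc') {
            $findings.Add("Suspicious task: $($task.TaskPath)$($task.TaskName) -> $cmd")
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A hit in sections 1 or 2 on a machine that is not domain-managed is itself anomalous; remediation follows the order in the report (delete the task, remove the keys, delete the dropped files) and should be followed by re-enabling browser updates.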

THREAT ACTOR ACTIVITY

Iranian Hacking Activities Aimed at Interfering and Influencing Upcoming US Election

Microsoft has reported an increase in Iranian cyber activities aimed at influencing the upcoming U.S. presidential election. The tech company's findings suggest that Iranian hackers, linked to the Islamic Revolutionary Guard Corps (IRGC), have been attempting to breach campaign infrastructure and create disinformation campaigns. This activity aligns with warnings from U.S. intelligence officials about Tehran's intent to act as a "chaos agent" to incite violence and disrupt the electoral process. In one (1) instance, an IRGC-affiliated group sent a spear-phishing email to a high-ranking official of an unnamed presidential campaign. Another group breached a user account at a county-level government, which had minimal access permissions. Additionally, Iranian hackers have created fake news websites aimed at both conservative and liberal voters, using AI to mimic legitimate news sources. These efforts are designed to stir controversy and sway voter opinions, especially in swing states. The Trump campaign has claimed that foreign actors, specifically from Iran, are behind a recent hack targeting their operation. This claim follows Microsoft's report detailing the phishing attempt on a campaign official and other disinformation efforts. Trump's spokesperson, Steven Cheung, blamed the hack on "foreign sources hostile to the United States," and emphasized the threat posed by Iran. The Iranian government has denied any involvement, stating that they have no intention of interfering in U.S. elections. However, this isn't the first time Iran has been accused of meddling in U.S. elections. In 2020, Iranian-linked groups attempted to gain access to election infrastructure and influence voter behavior through disinformation campaigns. Two (2) Iranian nationals were charged by the U.S. Department of Justice for their roles in these efforts. The U.S. Treasury Department also sanctioned several individuals and entities connected to the interference. 
Rob Joyce, former Director of Cybersecurity at the NSA, highlighted the potential for a tumultuous election season, noting the early start of hack-and-leak operations. He pointed out that Iran, along with Russia and China, has a history of election interference. Joyce urged vigilance, suggesting that the 2024 election cycle could see heightened cyber activity aimed at disrupting the democratic process. CTIX Analysts will continue to cover Threat Actor activities and trends ahead of the upcoming U.S. presidential election.

VULNERABILITIES

Vulnerabilities in Solarman and Deye Solar Systems May Threaten Global Energy Infrastructure

Recent cybersecurity research has revealed significant vulnerabilities in the photovoltaic (PV) system management platforms operated by the Chinese companies Solarman and Deye, which oversee a substantial portion of the world's solar energy output. Bitdefender researchers discovered multiple security flaws in these platforms that could allow malicious actors to hijack solar inverters, manipulate account settings, and disrupt power generation. These vulnerabilities, which included authorization token manipulation, token reuse across platforms, and excessive data exposure, pose serious risks such as unauthorized control of inverter settings, voltage fluctuations, and potential blackouts. The flaws also open the door to privacy violations, information harvesting, and targeted phishing attacks. With these vulnerabilities, threat actors could compromise the integrity and stability of the global electricity grid, which relies increasingly on solar power integrated with IoT devices. Following responsible disclosure in May 2024, Solarman and Deye addressed these issues by July 2024. This situation underscores the critical need for robust cybersecurity measures to protect our evolving energy infrastructure from cyber threats as the integration of renewable energy sources and digital platforms continues to grow. CTIX will continue to report on critical vulnerabilities in future FLASH Update issues.
