March 11, 2024  — 

MSP cybersecurity news digest: March 11, 2024

Pepco hit by phishing attack

A phishing attack targeted Pepco Group's Hungarian business, resulting in the theft of approximately €15.5 million.

Pepco Group, which operates Poundland, Dealz and Pepco in various European countries, and had a revenue of €5.6 billion in 2023, has initiated an investigation in collaboration with law enforcement to locate and freeze the stolen funds. Despite efforts to recover the funds through banking partners and police assistance, the success of these endeavors remains uncertain.

The company claimed that the cyberattack did not compromise any customer, supplier or staff data. Pepco Group said it aims to reassure its stakeholders, highlighting its strong financial position with access to over €400 million in liquidity and emphasizing its commitment to enhancing security measures. Although technical details of the attack are not disclosed, it is speculated to be a Business Email Compromise (BEC) attack.

Threat actors stole data from Taiwan-based Chunghwa Telecom

Taiwan's Ministry of National Defense disclosed that threat actors stole sensitive data from Chunghwa Telecom Company, the country's largest telecom service provider, with a revenue of $7.04 billion in 2023.

This includes military and government documents, with the stolen data amounting to 1.7 TB, as per Taiwan's Defense Ministry. The leaked information, including a Navy contract with Chunghwa Telecom, is reportedly being sold on a dark web forum, according to Broadcaster TVBS. Taiwan's Defense Ministry attributed the breach to attackers who accessed sensitive information and sold it online, prompting measures to enhance information security.

Despite the breach, Chunghwa Telecom stated that its operations remain unaffected.

New WogRAT malware abuses online notepad service to store malware

A new malware dubbed “WogRAT” targets both Windows and Linux systems, leveraging “aNotepad” as a covert channel for malicious code storage and retrieval.

Researchers identified the malware, active since late 2022, primarily targeting Asian countries like Japan, Singapore, and China. While the distribution methods remain unclear, the malware's executables mimic popular software names, suggesting it’s likely distributed through malvertising or similar means. Notably, “aNotepad” is abused to host a base64-encoded .NET binary, appearing as an innocuous Adobe tool, evading detection by security tools.

Upon execution, the malware downloads a further malicious binary from “aNotepad”, initiating the WogRAT backdoor, which communicates with a command and control server. Additionally, a Linux variant of WogRAT exists, sharing similarities with the Windows version but employing different tactics, such as utilizing Tiny Shell and a reverse shell mechanism. However, the distribution method for Linux remains unknown, and unlike the Windows variant, it does not utilize “aNotepad” for malicious code hosting.

Switzerland: Play ransomware leaked 65,000 government documents

The National Cyber Security Centre (NCSC) of Switzerland has published a report detailing a data breach resulting from a ransomware attack on Xplain, revealing the compromise of numerous sensitive federal government files.

Xplain, a Swiss provider of technology and software solutions for various governmental entities, fell victim to the Play ransomware gang on May 23, 2023. Following through on their threats, the threat actor leaked stolen documents containing confidential information on their darknet portal in early June 2023.

The Swiss government commenced an investigation into the leaked files, acknowledging the potential presence of Federal Administration documents. As per a recent statement, the Swiss government confirmed that out of approximately 1.3 million published files, 65,000 are relevant to the Federal Administration, with the majority affecting administrative units of the Federal Department of Justice and Police (FDJP).

Approximately 5,000 documents contained sensitive information, including personal data and classified information, while a smaller subset contained IT system documentation and passwords. The extended duration of the investigation is attributed to the complexity of analyzing unstructured data and the legal intricacies surrounding the examination of confidential information, necessitating interagency coordination and extensive resources.

New backdoor targeting European officials linked to Indian diplomatic events

A previously unidentified threat actor named SPIKEDWINE has been observed targeting European officials associated with Indian diplomatic missions using a newly identified backdoor named WINELOADER.

According to findings from researchers, the adversary utilized a PDF file within emails purportedly sent from the Ambassador of India, inviting diplomatic personnel to a wine-tasting event.

The attack's focal point is a PDF file containing a malicious link, camouflaged as a questionnaire, prompting recipients to complete it for participation. Clicking the link leads to initiating an HTML application ("wine.hta") housing obfuscated JavaScript code, to extract an encoded ZIP archive containing WINELOADER from the same domain.

The malware encompasses a core module designed to execute commands from the C2 server, inject itself into a dynamic-link library (DLL), and adjust the interval between beacon requests, while employing compromised websites for C2 and hosting intermediate payloads to enhance evasiveness. The researchers noted that the threat actor employs tactics such as evading memory forensics and automated URL scanning solutions to avoid detection.