The cybersecurity landscape is facing a surge in new threats and vulnerabilities, with recent discoveries highlighting the increasing sophistication and scope of cyberattacks. From AI-powered phishing kits to malware targeting critical infrastructure, the need for robust cybersecurity measures has never been more urgent.
Key Takeaways
AI-powered phishing kits are being bundled with malicious Android apps by a Spanish-speaking cybercrime group.
Exposed Selenium Grid services are being exploited for illicit cryptocurrency mining.
New ICS malware, dubbed FrostyGoop, is targeting critical infrastructure in Ukraine.
Multiple vulnerabilities in BIND 9 DNS software could lead to denial-of-service attacks.
A privilege escalation vulnerability in Google Cloud Platform's Cloud Functions service has been revealed.
AI-Powered Phishing Kits
A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications. This sophisticated AI-powered phishing-as-a-service platform targets users of more than 36 Spanish banks, governmental bodies, and 30 institutions worldwide. The phishing kit is priced between $150 and $900 a month, while the bundle including the phishing kit and Android malware is available for about $500 per month.
The campaign targets users of Spanish financial institutions, tax and governmental services, e-commerce, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil. The phishing kits come with adversary-in-the-middle (AiTM) capabilities, lowering the technical barrier to entry for large-scale phishing campaigns.
Exploited Selenium Grid Services
Cybersecurity researchers have identified an ongoing campaign that turns internet-exposed Selenium Grid services into cryptocurrency miners. The campaign, named SeleniumGreed, targets older versions of Selenium and has been active since at least April 2023. Selenium Grid ships with no authentication, so a hub reachable from the internet accepts WebDriver requests from anyone; the attackers abuse this to run Python code that downloads and executes an XMRig miner.
The attack sends a request to the exposed Selenium Grid hub that makes the node execute a Python program carrying a Base64-encoded payload. That payload opens a reverse shell to an attacker-controlled server, which delivers the final stage, a modified build of the XMRig miner. More than 30,000 instances are exposed to remote command execution, which gives the campaign a large pool of potential victims.
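The page describes the request only as "a Python program containing a Base64-encoded payload". The added example below is not code from the original page or from the researchers; it assumes the request shape Wiz attributed to this campaign (the Chrome binary in goog:chromeOptions swapped for a Python interpreter, with the script passed via -c) and shows how a proxy or log review in front of a hub could flag such new-session bodies. The two request bodies are constructed samples, and the embedded payload only prints a string.

```python
import base64
import binascii
import os
import re

# Constructed sample WebDriver "new session" bodies, not captured traffic. The first
# follows the request shape assumed in the lead-in: the Chrome binary is replaced by
# a Python interpreter and a Base64-wrapped script is passed with -c. The payload
# here only prints a string; it is illustrative, not the real miner dropper.
MALICIOUS_NEW_SESSION = {
    "capabilities": {
        "alwaysMatch": {
            "browserName": "chrome",
            "goog:chromeOptions": {
                "binary": "/usr/bin/python3",
                "args": [
                    "-c",
                    "import base64;exec(base64.b64decode('cHJpbnQoImhlbGxvIik='))",
                ],
            },
        }
    }
}

BENIGN_NEW_SESSION = {
    "capabilities": {
        "alwaysMatch": {
            "browserName": "chrome",
            "goog:chromeOptions": {
                "binary": "/usr/bin/google-chrome",
                "args": ["--headless=new", "--window-size=1280,800"],
            },
        }
    }
}

# Executable names a Selenium node is legitimately asked to launch.
BROWSER_BINARIES = ("chrome", "chromium", "firefox", "msedge", "safari")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def chrome_options(body):
    """Merge goog:chromeOptions from W3C alwaysMatch/firstMatch and legacy desiredCapabilities."""
    caps = body.get("capabilities", {})
    sections = [caps.get("alwaysMatch", {})] + list(caps.get("firstMatch", []))
    sections.append(body.get("desiredCapabilities", {}))
    merged = {}
    for section in sections:
        merged.update(section.get("goog:chromeOptions", {}))
    return merged


def decoded_blobs(text):
    """Yield the decoded bytes of every Base64-looking run in text that really decodes."""
    for run in B64_RUN.findall(text):
        try:
            yield base64.b64decode(run, validate=True)
        except binascii.Error:
            continue


def inspect_new_session(body):
    """Return findings for one new-session body; an empty list means a normal browser launch."""
    opts = chrome_options(body)
    findings = []
    binary = opts.get("binary", "")
    exe = os.path.basename(binary).lower()
    if binary and not any(name in exe for name in BROWSER_BINARIES):
        findings.append(f"browser binary replaced with {binary}")
    args = [str(a) for a in opts.get("args", [])]
    if "-c" in args:
        findings.append("interpreter-style '-c' argument in chromeOptions.args")
    for arg in args:
        for blob in decoded_blobs(arg):
            findings.append(f"base64 payload decodes to {blob[:60]!r}")
    return findings


if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_NEW_SESSION), ("benign", BENIGN_NEW_SESSION)):
        print(label, inspect_new_session(body) or "clean")
```

Detection of this kind is a compensating control only; the fix is to keep the hub off the internet and put an authenticating reverse proxy or network allowlist in front of it.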
New ICS Malware: FrostyGoop
A new ICS-focused malware family named FrostyGoop has been discovered targeting critical infrastructure in Ukraine. The malware, written in Golang, talks directly to Industrial Control Systems (ICS) over Modbus TCP on port 502. It runs on Windows and has been used against ENCO controllers, sending commands that produced inaccurate measurements and system malfunctions.
The incident, in Lviv in January 2024, left more than 600 apartment buildings without heating for almost 48 hours. FrostyGoop is the ninth ICS-specific malware family found in the wild, after Stuxnet, Havex, BlackEnergy2, Industroyer, Triton, Industroyer2, PIPEDREAM, and COSMICENERGY.
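Because FrostyGoop speaks plain Modbus TCP, the defensive lever is the protocol itself: Modbus has no authentication, so the only signal is who is issuing write function codes to which unit. The added example below is not code from the page or from Dragos; it encodes and parses Modbus TCP frames (MBAP header plus PDU) and flags register writes on port 502 from any source that is not on an allowlist of engineering hosts. The traffic sample and the allowlist are constructed, and the register addresses carry no ENCO-specific meaning.

```python
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
# Function codes that change controller state. Holding-register reads and writes
# are function codes 3, 6 and 16.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {3: "Read Holding Registers", 6: "Write Single Register",
                  16: "Write Multiple Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_frame(transaction_id, unit_id, function, data):
    """Encode the MBAP header (transaction id, protocol 0, length, unit id) and the PDU."""
    pdu = bytes([function]) + data
    # The MBAP length field counts the unit id plus the PDU.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(raw):
    """Split a raw TCP payload into a ModbusFrame, rejecting malformed headers."""
    if len(raw) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(raw) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusFrame(tid, unit, raw[7], raw[8:])


def read_holding_registers(tid, unit, start, count):
    return build_frame(tid, unit, 3, struct.pack(">HH", start, count))


def write_multiple_registers(tid, unit, start, values):
    payload = struct.pack(">HHB", start, len(values), 2 * len(values))
    payload += b"".join(struct.pack(">H", v) for v in values)
    return build_frame(tid, unit, 16, payload)


def describe(frame):
    """Decode the request fields for the function codes this example handles."""
    if frame.function == 3:
        start, count = struct.unpack(">HH", frame.data[:4])
        return {"start": start, "quantity": count}
    if frame.function == 6:
        register, value = struct.unpack(">HH", frame.data[:4])
        return {"register": register, "value": value}
    if frame.function == 16:
        start, count, byte_count = struct.unpack(">HHB", frame.data[:5])
        values = [v for (v,) in struct.iter_unpack(">H", frame.data[5:5 + byte_count])]
        return {"start": start, "quantity": count, "values": values}
    return {}


def flag_unexpected_writes(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_port, raw_tcp_payload). Alert on register writes
    from hosts that are not on the engineering-workstation allowlist."""
    alerts = []
    for src, dport, raw in packets:
        if dport != MODBUS_TCP_PORT:
            continue
        try:
            frame = parse_frame(raw)
        except ValueError:
            continue
        if frame.function in WRITE_FUNCTIONS and src not in allowed_writers:
            name = FUNCTION_NAMES.get(frame.function, f"FC{frame.function}")
            alerts.append((src, frame.unit_id, name, describe(frame)))
    return alerts


# Constructed traffic sample: a routine read from the HMI, a write from an address
# outside the plant network, then a legitimate setpoint change from the HMI.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_PACKETS = [
    ("10.0.0.5", 502, read_holding_registers(1, 1, 0, 10)),
    ("203.0.113.7", 502, write_multiple_registers(2, 1, 0, [0, 0, 0])),
    ("10.0.0.5", 502, write_multiple_registers(3, 1, 4, [250])),
]

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print("ALERT", alert)
```

The allowlist approach works because a heating controller's legitimate writers are few and static; the same parser can feed a baseline of normal register ranges, so a write to registers that the HMI never touches stands out even from an allowed host.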
Vulnerabilities in BIND 9 DNS Software
The Internet Systems Consortium (ISC) has released patches for multiple security vulnerabilities in the BIND 9 DNS software suite, each of which a remote attacker could exploit to cause a denial-of-service (DoS) condition. The flaws are fixed in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1 (the Supported Preview Edition).
The vulnerabilities are:
A logic error that can trigger an assertion failure, crashing named, when the server serves stale cache data alongside authoritative zone content (CVE-2024-4076).
Excessive CPU load from validating DNS messages signed with SIG(0) (CVE-2024-1975).
Slowed database processing when a very large number of resource record types accumulates at a single name (CVE-2024-1737).
A malicious DNS client flooding the server with messages over TCP can make it unstable and slow to respond (CVE-2024-0760).
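The practical check is whether every resolver in the fleet is on a fixed version, including the subscription builds whose -S suffix a naive string comparison mishandles. The added example below is not from the page or from ISC; it parses the first line of `named -v` output and compares it against the fixed versions the advisories list. The host names and version strings are constructed samples, and branches the advisories do not cover are reported as unknown rather than guessed.

```python
import re

# Fixed versions from the ISC advisories above, keyed by release branch.
FIXED_OPEN_SOURCE = {"9.18": (9, 18, 28), "9.20": (9, 20, 0)}
FIXED_SUBSCRIPTION = {"9.18": (9, 18, 28, 1)}  # 9.18.28-S1

VERSION_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_named_version(text):
    """Parse the first line of `named -v`, e.g. 'BIND 9.18.27 (Extended Support Version) <id:...>'.
    Returns (major, minor, patch, subscription); subscription is None for open-source builds."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no BIND version in {text!r}")
    major, minor, patch, sub = match.groups()
    return (int(major), int(minor), int(patch), int(sub) if sub else None)


def is_patched(version):
    """True/False against the fixed versions; None when the branch is not one the advisory lists."""
    major, minor, patch, sub = version
    branch = f"{major}.{minor}"
    if sub is not None:
        fixed = FIXED_SUBSCRIPTION.get(branch)
        return None if fixed is None else (major, minor, patch, sub) >= fixed
    fixed = FIXED_OPEN_SOURCE.get(branch)
    return None if fixed is None else (major, minor, patch) >= fixed


def audit_fleet(outputs):
    """outputs: {host: text of `named -v`}. Returns a status label per host."""
    labels = {True: "patched", False: "vulnerable", None: "unknown branch"}
    result = {}
    for host, text in outputs.items():
        try:
            result[host] = labels[is_patched(parse_named_version(text))]
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample of collected `named -v` output; the hosts are not real.
SAMPLE_OUTPUTS = {
    "ns1": "BIND 9.18.27 (Extended Support Version) <id:1234abc>",
    "ns2": "BIND 9.18.28 (Extended Support Version) <id:5678def>",
    "ns3": "BIND 9.18.28-S1 (Supported Preview Edition) <id:9abcdef>",
    "ns4": "BIND 9.16.50 (Extended Support Version) <id:0000000>",
}

if __name__ == "__main__":
    for host, status in audit_fleet(SAMPLE_OUTPUTS).items():
        print(host, status)
```

Distribution packages often backport fixes without bumping the upstream version, so a "vulnerable" result for a vendor build should be confirmed against the vendor's changelog before being treated as an exposure.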
ConfusedFunction Vulnerability in Google Cloud Platform
Cybersecurity researchers have disclosed a privilege escalation vulnerability in Google Cloud Platform's Cloud Functions service, named ConfusedFunction. An attacker who can create or update a Cloud Function could abuse the deployment process to act as the Default Cloud Build Service Account, gaining access to services such as Cloud Build, Cloud Storage, Artifact Registry, and Container Registry.
The issue stems from the broad permissions carried by the Cloud Build service account that is created when a Cloud Function is deployed. Google has changed the default so that Cloud Build now uses the Compute Engine default service account, but functions deployed before that change keep the old binding and remain exposed.
ConfusedFunction illustrates how risk accumulates with software complexity and inter-service communication in cloud platforms. Users should grant the Cloud Build service account only the minimum permissions their builds require and review existing bindings rather than relying on the new default.
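The review that "assign minimum permissions" implies is a pass over the project's IAM policy for the Cloud Build service account and, since Google's fix moves builds onto it, the Compute Engine default service account as well. The added example below is not code from the page or from Tenable; it audits the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns and emits the `gcloud projects remove-iam-policy-binding` commands for each excessive binding. The policy document, project number, and account names are constructed, and the allowlist of roles a build legitimately needs is an assumption to be tuned per project.

```python
# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json` output.
# The project number, emails and bindings are invented for illustration.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudfunctions.developer", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyz",
    "version": 1,
}

CLOUD_BUILD_SA_SUFFIX = "@cloudbuild.gserviceaccount.com"
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
# Roles the Cloud Build service account needs to run builds; anything beyond this is a
# finding. This allowlist is an assumption for the example; tune it to what your builds use.
CLOUD_BUILD_ALLOWED_ROLES = {"roles/cloudbuild.builds.builder", "roles/logging.logWriter"}


def audit_policy(policy):
    """Return one finding per (member, role) pair that is broader than it should be."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member.endswith(CLOUD_BUILD_SA_SUFFIX) and role not in CLOUD_BUILD_ALLOWED_ROLES:
                findings.append({"member": member, "role": role,
                                 "reason": "Cloud Build service account holds a role beyond the build allowlist"})
            elif member.startswith("serviceAccount:") and role in PRIMITIVE_ROLES:
                findings.append({"member": member, "role": role,
                                 "reason": "service account holds a primitive role"})
    return findings


def remediation_commands(findings, project_id):
    """Emit the gcloud commands that drop each excessive binding; review before running."""
    return [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member='{f['member']}' --role='{f['role']}'"
        for f in findings
    ]


if __name__ == "__main__":
    found = audit_policy(SAMPLE_POLICY)
    for f in found:
        print(f["reason"], "->", f["member"], f["role"])
    for cmd in remediation_commands(found, "my-project"):
        print(cmd)
```

The second rule matters because the Compute Engine default service account has historically been granted the Editor role at creation; moving builds onto it is only an improvement if that account has itself been trimmed.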
Learn how the team at Betterworld Technology can help protect you from cyber threats by booking a consultation with our experts now. Together we can find the best solutions and systems to implement and help your organization run smoothly and efficiently.
Sources
This AI-Powered Cybercrime Service Bundles Phishing Kits with Malicious Android Apps, The Hacker News.
Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining, The Hacker News.
New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure, The Hacker News.
CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software, The Hacker News.
Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform, The Hacker News.