Cyber Series: August in review 

This breach, first reported by POLITICO, has raised concerns about foreign interference in the 2024 US presidential election in November. The Trump campaign referenced an incident in June where a spear-phishing email, attributed to another Iranian group, Mint Sandstorm, was sent to a high-ranking campaign official. 

Security Affairs 

Newly identified Android malware empties accounts, wipes devices 

BingoMod, a newly identified Android malware, can wipe devices after depleting its victims' bank accounts. Spread via text messages, the malware disguises itself as a legitimate mobile security tool and can steal up to €15,000 per transaction. 

Distributed via smishing (SMS phishing) campaigns, BingoMod disguises itself as other legitimate mobile security tools, like APP Protection, Antivirus Cleanup, Chrome Update, and others. It sometimes mimics the icons of legitimate apps such as AVG AntiVirus and Security. 

Key features and techniques 

• Accessibility services exploitation: During installation, BingoMod requests permission to use accessibility services, giving it extensive control over the device. 
• On-device fraud (ODF): The malware establishes communication channels (socket-based for receiving commands and HTTP-based for sending screenshots) that enable real-time remote control by threat actors. This method allows the malware to bypass standard anti-fraud systems by initiating fraudulent transactions directly from the victim's device. 
• VNC mechanism: BingoMod uses Android's Media Projection application programming interface (API) to capture real-time screen content, which is transmitted to the threat actors. It also allows remote operators to perform actions like clicking, typing, launching apps, and initiating overlay attacks. 
• Spread and persistence: The malware can spread via SMS from infected devices and disable or remove security solutions. To evade detection, it uses code obfuscation techniques, including code-flattening and string obfuscation. 
• Device wiping: If registered as a device admin app, BingoMod can wipe the device's external storage or perform a complete factory reset via remote commands. 

BingoMod is currently in v1.5.1 and appears to be in early development, with ongoing efforts to enhance its evasion capabilities.  

Bleeping Computer 

Qilin ransomware upgrades, now steals Google Chrome credentials  

The Qilin ransomware group first emerged in October 2022. It is believed to be linked to Russia-based threat actors and has targeted a diverse range of industries.  

On 3 June 2024, Qilin targeted Synnovis, an outsourced lab service provider for NHS hospitals in south-east London. It claimed to have exfiltrated hospital and patient data and demanded a US$50m ransom. After unsuccessful negotiations, Qilin leaked the entire stolen dataset. 

Qilin group is known for these “double extortion” tactics, where data is both encrypted and stolen, with the threat of public exposure if the ransom isn't paid.  

However, while investigating the Synnovis breach cyber security researchers made a troubling discovery – Qilin now specifically targets credentials stored in Google Chrome browsers. Chrome commands around 65% of the browser market, so access to the credentials stored in it could allow attackers to infiltrate financial accounts, emails, cloud storage, and business applications. 

The evolving tactics of Qilin underscore the critical need for organisations to continuously monitor threats and adapt their security strategies. Key protective measures include: 

• implementing multi-factor authentication (MFA) on remote access solutions; 
• deploying robust endpoint security to detect and prevent suspicious activities; and 
• regularly backing up data.  

Additionally, it is essential that all network systems, including operating systems and web browsers, are fully patched. 

HackRead 

US prison for Russian who sold logins to nearly 3,000 accounts   

Georgy Kavzharadze has been sentenced to prison in the United States for his role in selling stolen credentials on the dark web marketplace Slilpp. He’ll also have to pay back US$1.2m from fraudulent transactions he enabled.  

The 27-year-old from Moscow operated from July 2016 until May 2021, when Slilpp was taken down by international law enforcement in a coordinated operation. Authorities arrested Kavzharadze a year later and extradited him to the US, although from which country has not been disclosed. 

The Slilpp marketplace, which had been in operation for nearly a decade, facilitated the sale of more than 80m credentials, causing estimated damages exceeding US$200m worldwide.  

Kavzharadze’s activities on Slilpp were extensive, with over 297,300 credentials sold and more than 626,000 listed during his five-year involvement. Authorities linked Kavzharadze to over $200,000 in Bitcoin withdrawals from the site between 2016 and 2018, a sum now valued at more than $450,000. 

The Register 

Shortage protocols activated after ransomware attack on US blood bank 

A major ransomware attack on OneBlood, a major non-profit blood bank serving hospitals across Florida, Georgia, and the Carolinas in the US, has severely disrupted its operations. 

The attack compromised its software systems, leading to a reduction in operational capacity and slowing down processes.  

While OneBlood is still functioning, for now it is reliant on manual procedures – apart from being slower and less efficient, this is having an effect on inventory management and blood availability. To ease the burden, the organisation has requested that the more than 250 hospitals it serves activate their critical blood shortage protocols. 

OneBlood is actively working with anti-malware experts and various agencies to manage the incident and restore full functionality to its systems. The specific details of the ransomware involved are not yet known.  

This incident underscores a troubling trend of ransomware attacks targeting the healthcare sector, exemplified by recent attacks from sophisticated threat actors such as North Korean advanced persistent threat (APT) groups. 

Security Week 

TDECU data breach affects half a million people 

The Texas Dow Employees Credit Union (TDECU) recently reported a significant data breach that affected the personal information of 500,474 people.  

TDECU was founded in the mid-1950s by employees of Dow Chemical Company but has since grown through mergers and acquisitions. 

The breach occurred on 29 May 2023, but was not discovered until over a year later. According to TDECU’s notification, the incident was linked to the MOVEit vulnerability.  

The credit union provided several recommendations to those who may have been affected, including:  

• changing passwords;  
• enabling two-factor authentication;  
• being alert to phishing scams, and  
• avoiding storing card details on websites.  

Malware Bytes