Threat Source newsletter (Sept. 22, 2022) — Attackers are already using student loan relief for scams
By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
We’ve seen attackers capitalize on the news time and again, from COVID-19 to U.S.-North Korea relationships and, of course, holiday shopping sales every November.
So, I was far from surprised to see that attackers are already using U.S. President Joe Biden’s student loan forgiveness plan as a basis for scams and phishing emails.
The Better Business Bureau and the U.S. Federal Trade Commission both released warnings over the past few weeks around fake offers, scams and website links related to the debt forgiveness plan, with which some borrowers will have up to $20,000 worth of loans forgiven.
Many of these scams, coming via phone calls, text messages and emails, are promising to provide guaranteed access to the forgiveness program or early applications for a fee. (Hint: This will not work.) These attackers may also be looking to steal personal information by asking for things like names, addresses and the name of the college the target went to.
I can already see the phishing emails now… “Click on this link NOW to apply for Biden’s loan forgiveness program” or “Act now so you can get your $10,000 check!” Even though I couldn’t find reports as of this week of this type of email being used to spread malware, I feel like it’s inevitable.
This isn’t a new problem, either. A July study from the Tech Transparency Project found that nearly 12 percent of Google ads served related to student loans violated Google’s policies or had “scam characteristics.”
With that in mind, I felt it was important to remind folks of a few things with the real application to apply for student debt forgiveness reportedly coming in early October:
- As of right now, Sept. 22, there is no real or formal application to have a portion of your student debt forgiven. Don’t believe anything that says otherwise.
- There is no way to get early access to this program. Anyone offering this for a fee is very likely a scam.
- The U.S. Department of Education will not reach out with a phone call to communicate regarding this program; do not provide any requested information over the phone.
- Just because something shows up in the mail doesn’t mean it’s legit. Attackers are also likely to send phishing letters via traditional USPS delivery methods.
- And, as always: If it seems too good to be true, it probably is.
The one big thing
Ukraine is again the target of a state-sponsored actor, with the Gamaredon APT launching information-stealing malware against organizations and users there. Gamaredon is a well-known actor that’s been around for several years and usually aligns with Russian state interests. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. Talos researchers discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers.
Why do I care? Gamaredon is actively targeting Ukrainian entities, specifically government organizations and critical infrastructure. These are all crucial industries to protect during Russia’s invasion of Ukraine, as they’ll likely be targeted regularly by state-sponsored actors. And as we outlined in last week’s Talos Takes, Gamaredon’s activities are not likely to remain isolated to Ukraine. So now what?
There are new Cisco Secure product protections in place to protect against this actor’s activities. Additionally, if you fear you could be targeted by this campaign, there are two artifacts to scan for on the system that can indicate a compromise:
- A registry key is created under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name “Windows Task” for persistence.
- A mutex is created with the name Global\flashupdate_r.
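The two indicators above can be checked from a PowerShell prompt on the host in question. The script below is an added example, not Talos code; it uses only the Run-key name and mutex name given in the newsletter and makes no changes to the system.

```powershell
# Added example (not from the Talos post): read-only check of a Windows host for
# the two Gamaredon indicators named in the newsletter.
$RunKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Windows Task'          # persistence entry name from the newsletter
$MutexName = 'Global\flashupdate_r'  # mutex name from the newsletter

$findings = @()

# 1. Run-key persistence. The text says a "key" is created under Run; Run
#    persistence is normally a value, so check for both a value and a subkey.
#    Get-ItemProperty -Name throws when the value is absent, hence SilentlyContinue.
$entry = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $entry) {
    $findings += [pscustomobject]@{
        Indicator = 'Run value'
        Location  = "$RunKey\$ValueName"
        Detail    = $entry.$ValueName   # the command line that would run at logon
    }
}
if (Test-Path -Path (Join-Path $RunKey $ValueName)) {
    $findings += [pscustomobject]@{
        Indicator = 'Run subkey'
        Location  = "$RunKey\$ValueName"
        Detail    = 'subkey exists'
    }
}

# 2. Named mutex. TryOpenExisting returns $true only if a running process has
#    already created the mutex; it never creates one itself.
$mutex = $null
if ([System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$mutex)) {
    $mutex.Dispose()
    $findings += [pscustomobject]@{
        Indicator = 'Named mutex'
        Location  = $MutexName
        Detail    = 'present (held by a running process)'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Neither newsletter indicator found for this user/session.'
} else {
    Write-Warning 'Possible compromise indicators found; preserve the host and escalate to incident response.'
    $findings | Format-Table -AutoSize
}
```

HKCU covers only the user running the script, so repeat per user (or inspect HKEY_USERS) on shared machines, and the mutex is visible only while the implant is running, so a clean result here does not prove the host is clean.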
Top security headlines from the week
Rideshare app Uber blamed the Lapsus$ ransomware group for a recent data breach. The company said the actor gained access to multiple internal Uber systems after stealing a third-party contractor’s credentials and then tricking that user into approving a multi-factor authentication request. Uber engaged the U.S. Department of Justice and the FBI shortly after learning about the breach and is still investigating it. However, it does not appear that attackers accessed any customer or user data stored by its cloud providers, though they did download some internal messages and information from an internal finance team. (ZDNet, Washington Post)
New York’s Suffolk County is still recovering from a cyber attack that’s affected multiple areas of the local government. The county’s 911 system was still offline as of Tuesday, with responders forced to switch to pen and paper for tracking emergency calls. They’ve also had to enlist the help of the New York City Police Department to assist with background checks. The attackers may have also stolen and leaked some residents’ personal information and have allegedly posted images of stolen documents on the dark web. The adversaries say they’ve demanded an unspecified “small amount” of money for the return of access to its computers. (NBC 4 New York, Newsday)
The ChromeLoader malware is more dangerous than ever, according to new research from VMWare and Microsoft. Security researchers at the companies say the malware, which started as a browser-hijacking credential stealer, is now being used as a tool to deliver ransomware and steal sensitive information. The updated version of ChromeLoader has been used in hundreds of attacks over the past few weeks targeting enterprise networks in the education, government, health care and business services industries. Attackers are disguising ChromeLoader as legitimate Chrome browser services and plugins, such as OpenSubtitles, a site designed to help users find subtitles for popular TV shows and movies. (Dark Reading, The Register)
Can’t get enough Talos?
- Russian Gamaredon Hackers Target Ukrainian Government Using Info-Stealing Malware
- Novel infostealer leveraged in Gamaredon attacks against Ukraine
- Talos Takes Ep. #113: Digging into Gamaredon’s cave and its recent campaign against Ukraine
- Our current world, health care apps and your personal data
- Threat Roundup for Sept. 9 - 16
Upcoming events where you can find Talos
Cisco Security Solution Expert Sessions (Oct. 11 & 13) Virtual
GovWare 2022 (Oct. 18 - 20) Sands Expo & Convention Centre, Singapore
Most prevalent malware files from Talos telemetry over the past week
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: c326d1c65c72eb66f5f5c0a84b1dcf3e8a79b69fffbd7a6e232b813ffbb23254
MD5: 8a5f8ed00adbdfb1ab8a2bb8016aafc1
Typical Filename: RunFallGuys.exe
Claimed Product: N/A
Detection Name: W32.Auto:c326d1.in03.Talos
SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645
MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr
Claimed Product: 梦想之巅幻灯播放器
Detection Name: Auto.125E12.241442.in02
SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
MD5: 8c69830a50fb85d8a794fa46643493b2
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Generic::1201