ZeroFox Daily Intelligence Brief - October 28, 2023
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Chilean Telecommunication Giant Confirms Cybersecurity Incident
- Crambus Espionage Group Targets Middle-Eastern Government Systems
- GoPIX Malware Targets Brazilian Payment System
- Data broker / initial-access broker / hacktivist group: Anonymous Algeria and Ddarknotevil
- Vulnerabilities: CVE-2023-4752 and CVE-2023-0004
- Breaches: Combolist: 'DISNEY PLUS @Josplus_uwu.txt' (1,096 Records)
Chilean Telecommunication Giant Confirms Cybersecurity Incident
Grupo GTD, a telecommunication service provider in Latin America (with customers in Chile, Spain, Colombia, and Peru), confirmed a cybersecurity incident that impacted several of its services, including its data centers, internet access, Voice-over-IP (VoIP), and telephony services. Its communication COR and ISP services remain operational. The company has since taken down the infrastructure service platform where the attack struck. Chile's Computer Security Incident Response Team is investigating the incident and has shared IOCs and steps organizations can follow to assess whether they were impacted.
Crambus Espionage Group Targets Middle-Eastern Government Systems
Crambus (also known as OilRig and APT34), an Iran-linked espionage group that targets governments, was observed infiltrating the computer systems of various Middle Eastern governments from February to September 2023. The attackers stole files, deployed several pieces of malware including a PowerShell backdoor known as PowerExchange, modified firewall rules, and used the network administration tool Plink to enable remote access to victim systems. The group has recently added social-engineering tactics to its established espionage tradecraft.
GoPIX Malware Targets Brazilian Payment System
Brazil's PIX instant payment system has been targeted by threat actors through a new malware called GoPIX. Campaigns to deploy the malware have been observed since December 2022; the file is distributed via fake ads shown when users search for particular terms on search engines. Victims are redirected to a malicious landing page, while a cloaking service filters out sandboxes, bots, and security tools. Researchers noted that the page switches between two URLs to download a payload depending on whether port 27275 is accessible on the target system. GoPIX acts as a clipboard stealer, replacing PIX payment requests and cryptocurrency wallet addresses with attacker-controlled ones.
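Clipboard stealers of the kind described above are detectable on the endpoint by watching for a payment string that changes without a user copy action in between. The following is an added example, not code from the brief or from any referenced research; the clipboard events are constructed, and the PIX random-key (UUID) and "Copia e Cola" (EMV string starting with 000201) formats are assumptions.

```python
import re

# Classifiers for clipboard content worth protecting. The PIX formats are
# assumptions (random key = UUIDv4, "Copia e Cola" = EMV string 000201...6304XXXX).
PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "pix_key": re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I),
    "pix_brcode": re.compile(r"^000201.*6304[0-9A-Fa-f]{4}$"),
}

def classify(text):
    """Return the payment-string kind for a clipboard value, or None."""
    for kind, pattern in PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

def detect_swaps(events):
    """events: (source, content) tuples, source 'user' for a copy the user made,
    'poll' for a periodic clipboard read. Returns (kind, expected, observed)
    for every payment string that changed without a user copy in between."""
    alerts, last_user = [], None
    for source, content in events:
        value, kind = content.strip(), classify(content)
        if source == "user":
            last_user = (kind, value)          # new trusted baseline
            continue
        if last_user is None or kind is None:
            continue
        exp_kind, exp_value = last_user
        if kind == exp_kind and value != exp_value:
            alerts.append((kind, exp_value, value))
            last_user = (kind, value)          # alert once per swap, not per poll
    return alerts

# Constructed clipboard timeline: two silent substitutions, one benign copy.
EVENTS = [
    ("user", "0x" + "ab" * 20),
    ("poll", "0x" + "ab" * 20),
    ("poll", "0x" + "cd" * 20),                         # ETH address swapped
    ("user", "meeting notes for tuesday"),
    ("poll", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),     # new kind, no baseline: ignored
    ("user", "123e4567-e89b-42d3-a456-426614174000"),
    ("poll", "123e4567-e89b-42d3-a456-426614174001"),   # PIX key swapped
]

if __name__ == "__main__":
    for kind, expected, observed in detect_swaps(EVENTS):
        print(f"ALERT {kind}: copied {expected} but clipboard now holds {observed}")
```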
THREAT ACTIVITY: INITIAL-ACCESS BROKERS, DATA BROKERS, AND HACKTIVISTS
- Anonymous Algeria: Claims to have targeted Emirates Airlines for supporting Israel
- Ddarknotevil: Selling a database of Kitapbaski[.]com, a Turkey-based book publisher
VULNERABILITIES
- CVE-2023-4752: Use-after-free in the GitHub repository vim/vim prior to 9.0.1858.
- CVE-2023-0004: A local file deletion vulnerability in Palo Alto Networks PAN-OS software
BREACHES
- Combolist: 'DISNEY PLUS @Josplus_uwu.txt' (1,096 Records) Email Address and Password
Tags: DIB, tlp:green