10 February 2021

CYBERSECURITY NEWS V. 10.02 – Morse code in malicious URLs, Chrome update, CD Projekt RED hit by ransomware

hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

CD Projekt RED hit by ransomware attack

CD PROJEKT RED, a famous game developer, has reported a ransomware attack that affected its internal network.

The attackers managed to obtain the data of the CD PROJEKT capital group and encrypt the systems leaving a ransom note.

According to the note, they managed to steal the source code of the popular games Cyberpunk 2077, The Witcher 3, and Gwent. Hackers gained access to accounting, administrative, and other essential documents, but the data of CD PROJEKT's partners and gamers remained intact, according to the results of a preliminary investigation.

The attackers threaten to sell or publish the stolen source codes and send the documents to game journalists if the company does not fulfill the requirements within 48 hours. CD Projekt does not plan to pay or negotiate.

Hackers broke into US city water supply to poison water

Hackers attacked a water treatment plant in Oldsmar, Florida, and tried to raise the alkali level of water by more than 100 times. It is reported that they gained remote access to an employee's computer via TeamViewer. The employees discovered the break-in by themselves: they noticed that someone was controlling the mouse. The hackers had spent about 3-5 minutes in the enterprise system, and the staff reversed the changes saving the citizens of Oldsmar. After that, the employees independently disabled remote access to the water treatment system.

Chrome update fixes actively exploited 0-day

The latest version of Google Chrome (88.0.4324.150) for Windows, Mac, and Linux, released on February 4, 2021, has fixed a 0-day vulnerability in the JavaScript engine V8.

Mattias Buelens discovered a heap buffer overflow bug (CVE-2021-21148) at the end of January 2021. Usually, such vulnerabilities only lead to crashes, which attackers can abuse to execute arbitrary code.

On January 28, Microsoft announced that a North Korean government-backed hacker group had likely used a Chrome exploit chain to target vulnerability researchers.

Google has not officially confirmed this, but many experts believe that this 0-day vulnerability in Chrome had been exploited by hackers, and these attacks were eventually noticed by the company's experts.

Hackers used Morse code to hide malicious URLs

As part of a new phishing campaign, hackers employed a new obfuscation tactic that uses Morse code to hide malicious URLs in an email attachment and bypass mail gateways and filters.

A phishing attack begins by sending an email disguised as an invoice for a company. The email contains an HTML attachment with a title that looks like an Excel company invoice.

When you view the document in an editor, you can find JavaScript code that maps letters and numbers to Morse code. For example, the letter "a" appears as ".-" and "b" appears as "-...".

This script calls the decodeMorse () function to decode a Morse code string to a hexadecimal string. The string is then decoded into JavaScript tags, which are inserted into the HTML page.

These embedded scripts, combined with the HTML attachment, contain various resources required to display a fake Excel spreadsheet warning about a time out and prompting the user to re-enter the password. As soon as they do so, the form sends the data to a remote site controlled by the attackers.

The campaign is targeted: attackers use the logo.clearbit.com service to insert recipient company logos into the login form to make it more convincing.

Try Hexway online

Related posts