This article is more than 1 year old

Shape-shifting cryptominer savages Linux endpoints and IoT

Also, Authorities seize WT1SHOP selling 5.8m sets of PII, The North Face users face tough security hike

In brief AT&T cybersecurity researchers have discovered a sneaky piece of malware targeting Linux endpoints and IoT devices in the hopes of gaining persistent access and turning victims into crypto-mining drones.

The malware was dubbed "Shikitega" for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to "mutate" its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that's just 370 bytes. 

Shikitega also downloads Mettle, a Metasploit interpreter that gives the attacker the ability to control attached webcams and includes a sniffer, multiple reverse shells, process control, shell command execution and additional abilities to control the affected system. 

AT&T didn't say how the initial infection occurs, but it did say Shikitega exploits two Linux vulnerabilities disclosed in 2021 to achieve its ultimate objective, which AT&T said appears to be the installation and execution of the XMRig cryptocurrency miner. 

The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available. 

Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name. "Without [a] domain name, it's difficult to provide a complete list of indicators for detections since they are volatile and they will be used for legitimate purposes in a short period of time," AT&T said. 

Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems. 

US, Portuguese authorities kill online stolen data market

A joint operation between Portuguese and US authorities has resulted in the seizure of WT1SHOP, an online marketplace selling nearly six million sets of stolen credentials and personally identifying information (PII).

In a Department of Justice announcement detailing the seizure, The US Attorney's Office for the District of Maryland said Portuguese authorities had seized the site, while US law enforcement took down four domains used by WT1STORE: Two .net addresses, a .cc domain and one .com.

An online search revealed a version of the website based in Russia still appears to be online, though whether it's still functioning beyond being up is unknown.

In the announcement, the DoJ said that WT1STORE contained approximately 25,000 scanned driver's licenses and passports, 1.7 million sets of login credentials from various websites, 108,000 bank accounts and 21,800 credit cards. 

Not only did WT1STORE have an impressive array of data for sale, it also was growing fast. The DoJ said that in June 2020 the site had some 60,823 registered users, 91 sellers, and had sold approximately 2.4 million sets of credentials, earning it around $4 million. By December 2021, the site had 106,273 users, 94 sellers and the aforementioned millions of pieces of PII.

The DoJ also unsealed its criminal complaint charging alleged WT1SHOP operator and Moldovan national Nicolai Colesnicov, who was charged with conspiracy and trafficking in unauthorized access devices. Colesnicov could face 10 years in federal prison if convicted.

Law enforcement was able to determine Colesnicov was the likely culprit behind the site by tracing Bitcoin sales made on the site and payments sent to web hosts and accounts linked to him. 

The DoJ did not say in the announcement if it knew where Colesnicov was located, or whether authorities had apprehended him. If he's in his home country the US might have trouble nabbing him, as Moldova doesn't have an extradition treaty with the US.

Credential stuffing avalanche at The North Face nets 200,000 records

Popular adventure clothing brand The North Face and shoe company Vans, subsidiaries of the same parent company, have admitted (PDF) to a credential stuffing attack that netted its attacker 194,905 user's worth of PII

Most every piece of PII stored on the two websites were compromised, with the exception of credit card numbers, which the brands' parent company VF Outdoors said it doesn't store on its sites. Outside of that one bright spot, the thieves made off with data including billing and shipping addresses, email addresses, full names and dates of birth, telephone numbers and more - a gift for identity thieves.

Credential stuffing involves using previously obtained account credentials (like those sold by WT1STORE) to fraudulently login to the compromised accounts. The reasons can vary, from gaining insider access to secured systems to stealing additional PII for use in future crimes or for sale online. 

According to VF, the company said it disabled passwords and erased payment card tokens. Users who were affected by the breach will be forced to create new passwords and re-enter payment information. VF didn't say if it blocked the attacker's access, which might not be reassuring to those looking for confirmation they're safe going forward.

As has been the case in past credential stuffing attacks, the data used to break into The North Face and Vans accounts may not have been stolen from VF, which the company reminds users to consider when setting a new password.

"If a breach occurs on … other websites, an attacker could use your email address and password to access your account [with us]," the company said in letters sent to affected users. 


Facebook login buttons vanishing from the web

The near-ubiquitous Facebook login buttons on third-party websites have begun to vanish, with brands like Dell, Best Buy, Ford Motor Company, Nike, Twitch, Patagonia and others all recently removing the option.

Per CNBC, while Facebook users previously may have enjoyed the option to not have to create a new account on participating websites, the scandal-plagued social media giant has been losing users, who are becoming leery of what they share with Meta's brands due to accusations of privacy violations

Identity management company LoginRadius's CEO Rakesh Soni told CNBC that as user's have learned more about what Facebook does with their data through scandals like Cambridge Analytica, they've soured on the site and don't want to give it access to online activities outside of what it already knows. 

Dell CIO Jen Felch told CNBC that those concerns have led to a decrease in customers using social logins, which she believes indicates "people making a decision to isolate that social media account versus having other connections to it."

"We really just looked at how many people were choosing to use their social media identity to sign in, and that just has shifted over time," Felch said. Per CNBC, Dell said it still has an option on its sites to log in using a Google account because it's the only option with significant engagement. 

CNBC said that Dell first removed the Facebook login option around a month ago, and Meta doesn't appear to have commented on the change or what it may mean for the company's bottom line since then. 

When Apple announced App Tracking Transparency that would require giving users an opt-in option for tracking, Meta voiced concern the move would impact the company's profits. After less than a year of availability, social media companies including Facebook had lost a collective $10 billion in advertising revenue.

Bronze President (not that one) attacks EMEA, South America

A malware campaign detected by Secureworks Counter Threat Unit (CTU) researchers suggests that alleged Chinese state-sponsored hacking group Bronze President may have new targets in Europe, the Middle East and South America. 

The attack has been spotted targeting government officials in the three regions. CTU said the attack's structure is similar to Bronze President's previous campaigns and fits its modus operandi of launching politically-relevant attacks against government officials.

The malware campaign analyzed by CTU was centered on the PlugX malware, a remote access trojan used by a number of state-sponsored hacking groups. CTU said the attack isn't particularly sophisticated, instead relying on phishing and fooling targets into clicking on a malicious RAR file to execute the PlugX payload. 

Based on the directory structure of the RAR file being used in the attack, CTU said it's likely being distributed through phishing emails. Once the victim opens the RAR file and clicks on an LNK file disguised as a document, the malware gets to work embedding an easily-hijacked DLL file on the target's system it uses to introduce additional payloads.

Bronze President has traditionally launched attacks against countries neighboring China, like Myanmar and Vietnam, but CTU said the group "has demonstrated an ability to pivot quickly for new intelligence collection opportunities." 

Case in point, Bronze President made moves earlier this year when Russia invaded Ukraine, managing to install malware on systems belonging to Russian officials. 

Secureworks also discovered that previous campaign, which it said was indicative of changing intelligence gathering strategies in various countries. 

"The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations. This desire for situational awareness often extends to collecting intelligence from allies and 'friends,'" CTU said. ®

More about


Send us news

Other stories you might like