Hackers infect VPNs to plant hidden backdoors

Plus, more news bytes including online casino infiltration and a mobile banking phishing scam.

Taking advantage of VPN vulnerabilities within hours after they had been announced publicly, Iranian government-backed hacking groups have been setting up secret backdoors in various countries around the world since 2019. ZDNet reported that the targeted companies consisted of the IT, telecommunications, oil & gas, aviation, government, and security industries. The compromised VPNs, all of which are enterprise-grade, include Pulse Secure, Palo Alto Networks, Fortinet, and Citrix. 

Exploiting the VPNs was only the first part of the plan. The second part involved infiltration of the targeted companies using both existing malware and custom-designed new malware. The end goal of the mass infection is still unknown, as the backdoors seem only to be used for surveillance and reconnaissance currently. Experts worry that the illicit access points could be used in the future for data-wiping attacks. 

Avast Security Evangelist Luis Corrons sees the strategy behind the attacks and acknowledges the danger. “Most companies using the aforementioned VPN vendors are big corporations, which are the likely targets of state-sponsored attacks,” he said. “But the VPN is only the entry point, so even those who patched the security vulnerabilities in a timely manner should assume that their networks could have been compromised and do a thorough analysis of all their servers and endpoints.”

Chinese hackers target online casinos

In more backdoor news, researchers have discovered that a new Chinese hacking group dubbed “CRBControl” has been using secret backdoors to gain access to the infrastructure of online gambling platforms based in Europe, the Middle East, and Southeast Asia since May 2019. The hackers, determined to be a Chinese nation-state group, were observed exfiltrating information from the websites such as framework and internal mechanics, but not stealing money. More on TechNadu.  

This week’s stat

12% of Americans say they have married or been in a committed relationship with someone they first met through online dating, according to Pew Research. If you’re open to finding love through the interwebs, check out our online dating survival guide.  

Phishing scam targets mobile banking users 

Mobile banking users in the U.S. and Canada were targeted by an SMS phishing scam that had a seven-month run and was only recently discovered and shut down. Targeted users received texts that spoofed their official bank and included a malicious link that opened a webpage fraudulently posing as the bank’s log-in page. Over 3,900 users fell for the ruse, giving up information such as usernames, passwords, payment card numbers, and birth dates. For more, including a list of the banks that were spoofed, see bankinfosecurity

Over 20,000 WordPress sites are using malicious premium themes

For more than three years, a bad actor has been using unofficial marketplaces to sell trojanized “premium” WordPress website themes. When the compromised themes are used for published websites, the bad actor is able to access the sites to install malware for malicious activities such as ad fraud and serving exploit kits to site visitors. It’s unclear how many active websites have been compromised by the scam, but experts estimate at least 20,000, noting that some of the tainted web themes have more than 125,000 views. More on this story at Bleeping Computer.

This week’s quote 

“The question has always been, how can we reach a broader market with our offering and still deliver the type of one-to-one service that has accounted for our success?” - Bob Psenka, founder of Northwest Technology Services. Learn how Bob found the secret to turning his MSP customers into raving fans. 

Extortionists threaten websites with bot traffic 

A new email extortion campaign threatens website owners who use the popular ad server Google AdSense, reported SC Magazine. The extortionists demand $5,000 in bitcoin payments in return for not flooding the owner’s website with bot traffic which, the extortionists say, would trigger Google’s anti-fraud mechanisms to block the owner’s AdSense account. When researchers brought the issue to Google’s attention, the company reportedly stated that their detection mechanisms would proactively catch such potential sabotage.

Ransomware alert for U.S. pipeline organizations

The U.S. Department of Homeland Security issued an alert through its Cybersecurity and Infrastructure Security Agency (CISA) warning the pipeline operations industry about recent ransomware tactics. A spearphishing email succeeded in forging access to a gas pipeline operator, infecting its IT network and then its OT (operational technology) network, encrypting files on both. While CISA did not specify which company had been hit, the agency provided the alert to inform and advise other organizations to protect their networks against similar attacks.

This week’s ‘must-read’ on The Avast Blog

Is the internet becoming less open? Nationalism is leading more countries to isolation online. Read more.


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all your devices with our award-winning free antivirus

Related articles

--> -->