June 6-12, 2024 | Issue 23 - CICYBER and CENTCOM
Martina Sclaverano, Prim Thanchanok Kanlayanarak, Samuel Pearson
Alya Fathia Fitri, Senior Editor
The Threat Actor, Commando Cat in a Cryptojacking Campaign for Financial Gains[1]
Date: June 6, 2024
Location: Global
Parties involved: Cybersecurity software company Trend Micro; Hacker group Commando Cat; Healthcare organizations; Financial institutions; Government agencies; Transport companies
The event: Trend Micro analyzed an ongoing cryptojacking campaign by Commando Cat to exploit compromised Docker remote API servers. Commando Cat installs containers by exploiting the vulnerabilities of Docker images, which are open-source templates to generate containers used to run applications. This exploit allows threat actors to access the victim’s operating system and command-and-control infrastructure. This attack method enables the threat actors to hijack the victim’s device, use it unauthorized, and avoid detection.[2]
Analysis & Implications:
The widespread use of Docker images for container services will very likely allow Commando Cat to reach more victims. Governmental institutions, private companies, and private users will very likely download Commando Cat’s malware through a vulnerable Docker image, losing control of their device. Key infrastructure institutions like healthcare organizations, banks, governmental agencies, and transport companies will very likely invest in researching a quick solution to scan their containers for vulnerabilities and patch them.
There is a roughly even chance that Commando Cat will gain access to devices of prominent individuals or organizations involved in the Israeli conflict, likely accessing confidential information regarding military strategy, humanitarian aid, and governmental information. There is a roughly even chance that the threat actor will blackmail the owners of the cryptojacked device, likely threatening the release of sensitive or compromising information. There is a roughly even chance that political groups supporting either side of the conflict will attempt to collaborate with Commando Cat to gain exclusive access to politicians’ and military personnel’s devices.
Date: June 9, 2024
Location: Israel
Parties involved: Microsoft Incorporation; Microsoft code editing application Visual Studio Code Marketplace; Visual Studio Code extension Dracula Official; Israeli government; Israeli researchers; Hamas; pro-Palestine coders; coders; companies in the coding industry
The event: Israeli researchers experimented with the security of Microsoft’s Visual Studio Code Marketplace by creating a typosquatting extension of a well-known application called Dracula Official, which sets the Studio to a dark theme. The tested extension includes the legitimate script of the Dracula Official as well as malicious code that collects information about the users. The study found that high-profile organizations and companies mistakenly installed the malicious version of the application. The researchers also discovered many high-risk and malicious extensions.[3]
Analysis & Implications:
Threat actors will likely use real publishing profiles on open-source platforms to appear more legitimate, very likely offering and creating fully-functioning applications to encourage more victims to download their applications. There is a roughly even chance that the original researchers will use these compromised extensions to target political entities involved in the Israeli conflict. There is a roughly even chance that the Israeli government will push for the improvement of this malicious tactic, likely using it in cyberwarfare and data gathering against Hamas and pro-Palestine coders. Coders from various industries and companies will likely fall victim to Dracula's typosquatting due to the widespread use of Microsoft Visual Code Studio.
Microsoft will likely respond to the identified malicious and high-risk extensions by reviewing its current extension publishing process and strengthening the security mechanisms and controls to reduce the exploitation of the Visual Studio Code Marketplace by impersonation and typosquatting. Microsoft will likely invest in an automated early threat detection model and behavior analysis to identify and understand the patterns of malicious codes. Microsoft will very likely advise users to check the credibility of extensions by examining source codes before downloading any applications.
[1] Cybersecurity, generated by a third party database
[2] Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers, Trend Micro, June 2024, https://www.trendmicro.com/en_no/research/24/f/commando-cat-a-novel-cryptojacking-attack-.html
[3] Malicious VSCode extensions with millions of installs discovered, Bleeping Computer, June 2024, https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-with-millions-of-installs-discovered/