Table of Contents
- Updated on 2022-10-31
- More highlights from the past 24 hours
- Updated on 2022-10-30
- Galaxy Store XSS
- Juniper vulnerabilities
- Windows zero-day analysis
- Timing attacks on IM services
- New tool—Legitify
- New tool—Dastardly
- New tool—Spartacus
- GFI report
- Influence operations
- Chrome zero-day
- Threat to Canada
- US military cyber team’s defense of Ukraine
- DiDW arrest
- Old vulnerabilities are still everyone’s favorites
- New ransomware strains
- Amazon server leak
- Telegram gets a one-day block in Russia
- Liz Truss phone compromised
- CIA agent under investigation
- Apple’s security mixed messages
- Australia admits data laws ‘inadequate’ as medical hack hits millions
- Updated on 2022-10-28
- More highlights from the past 24 hours
- Phishing “compensation”
- Improved account recovery on npm
- New LinkedIn security features
- Cybersecurity sprint
- XSS adds section for security firms
- Facebook subscription spam
- Fodcha DDoS botnet
- Apple bug bounty program
- VMware vulnerability
- TCP/IP RCE
- SiriSpy
- Leeloo Multipath
- New tool—Text4Shell tools
- Hexacon 2022 videos
- Updated on 2022-10-27
- More highlights from the past 24 hours
- GUAC to understand software supply chains
- Cisco warns of high-severity vulnerabilities in Identity Services Engine
- Snyk layoffs
- VirusBulletin 2022 videos
- Some nice tutorial
- (ISC)² drama
- 22yo SQLite vulnerability
- Aukey router zero-day
- LogCrusher and OverLog
- APT activity targeting EU bodies
- Microsoft SharePoint vulnerability
- Abuse of legitimate RATs
- Dutch hacker arrested
- Alfa-Bank ATMs defrauded
- KEV update
- Ransomware in Singapore
- More cybersecurity coordination needed for K-12 sector
- Sigstore reaches GA
- Chrome EOL on Win7/8.1
- E-Pal breach
- L2DAO crypto-heist
- Updated on 2022-10-26
- More highlights from the past 24 hours
- Updated on 2022-10-25
- More highlights from the past 24 hours
- Updated on 2022-10-24
- BSides Portland 2022 videos
- Autodesk vulnerabilities
- SHA-3 buffer overflow
- Winnti APT
- Android bankers
- Dark Crystal RAT
- Team Mysterious Bangladesh
- TommyLeaks and SchoolBoys
- New Sparta group
- New malware threats
- Facebook hacking groups
- Pop star hacker sentenced
- Australia to increase data breach penalties
- Argentina’s army gets ransomwared
- Updated on 2022-10-21
- More highlights from the past 24 hours
- “Won’t fix” bug
- Cuba ransomware
- KEV update
- Supply chain attack figures
- WatchDog
- SIM swappers sentenced
- Car thieves detained in France
- Another NSO target
- Russian MP calls for cyberattacks on Ukraine
- Ukraine dismantles another bot farm
- Germany fines Telegram
- Another TikTok scandal
- Minecraft drama
- LibreOffice, not OpenOffice
- Technoserv hack
- Moola Market crypto-heist
- Microsoft breach
- Defense Health Agency
- Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service
- Updated on 2022-10-20
- More highlights from the past 24 hours
- Updated on 2022-10-19
- More highlights from the past 24 hours
- MagSound attack
- CCC conference canceled again
- New tool—Antignis
- New tool—SAM
- Gafgyt
- ProxyRelay
- Git security updates
- Oracle CPU
- Magento patch warning
- CYBERCOM cleans its network
- Chinese hackers scanning US political party domains
- IDF’s first-ever cyberattack
- Loan forgiveness scams
- Reporter accuses law firm of hacking
- Israel backdoored the Netherlands’ wiretapping system
- KataOS
- BitKeep hack
- Parlor leak
- Updated on 2022-10-18
- More highlights from the past 24 hours
- Updated on 2022-10-17
- More highlights from the past 24 hours
- New tool—RansomLook
- New tool—Money365
- New tool—Regulator
- Cybersecurity awareness month
- Telegram username leak
- PAN bypass
- Linux WLAN RCEs
- Prynt infostealer
- Puerto Rican student sentenced for hacking
- RansomCartel
- Bored Ape phishers detained
- Microsoft didn’t update driver blocklist for two years
- Drones dropping zero-days
- The Google plasma globe affair of 2012
- Secret agents targeting drug cartels in Australia exposed in breach
- Chinese tech threatens future global security, U.K. spy chief warns
- Updated on 2022-10-14
- More highlights from the past 24 hours
- Hulio founds new infosec firm
- Unofficial extended security updates
- Timing attack on npm API
- Review of Chinese APTs
- WIP19
- Icarus Stealer
- Phishing targets election workers
- Project DDOSIA
- New type of ATM MitM/relay attack detected
- Web attacks in Q3 2022
- Midterm election InfoOps
- The real reason to ban TikTok
- Russia looks to create its own GitHub
- OpenSSL withdraws faulty versions
- RSS feed for MSFT security updates
- Firefox Relay can now protect phone numbers
- Signal removes SMS/MMS support
- ProtonMail adds support for security keys
- New W3C security standard
- QANplatform hack
- Updated on 2022-10-13
- More highlights from the past 24 hours
- Updated on 2022-10-12
- More highlights from the past 24 hours
- Another crypto bug reported by the NSA
- Patch Tuesday
- Stalloris RPKI downgrade attack
- Siemens PLC hardcoded key
- Gwisin/Ghost ransomware
- Cryptominers account for 65% of GCP incidents
- UA Cyber Police chief killed in Russian bombing
- US fines Bittrex
- Belgium wants better anti-phishing support
- Forced to delete notebooks and files
- Brute-force protection for local admin accounts now generally available
- New Stealth protocol
- Android leaks some VPN traffic
- New Pixel security features
- STAX Finance hack
- IT-Glue credential stuffing incident
- Record TV ransomware attack
- Updated on 2022-10-11
- More highlights from the past 24 hours
- Updated on 2022-10-10
- More highlights from the past 24 hours
- New tool—Aftermath
- Dompdf vulnerability
- Phisher detained in the Netherlands
- Clever cryptominer
- PseudoManuscrypt
- EU-US data flow agreement
- Election company CEO arrested
- Avast marks Firefox as ransomware
- Tracking Linux users online
- Iranian TV hacked
- Updated on 2022-10-09
- IR teamers really need a break
- PG&E publicly exposed partial Social Security numbers
- Updated on 2022-10-07
- More highlights from the past 24 hours
- US HHS HC3 Presentation on Risks Posed by Legitimate Security Tools
- Updated on 2022-10-06
- More highlights from the past 24 hours
- CISA Schedules Additional Listening Session for Incident Reporting Rules Input
- Updated on 2022-10-05
- More highlights from the past 24 hours
- New Arm security features
- Azure Firewall Basic hits public preview
- PS5 jailbreak
- Cyber activity unlikely to impact elections
- Cybersecurity workforce
- BEC money laundered sentenced
- OTP bypass bots
- Attack Manager
- Nigerian BEC magic
- NRA hacktivists
- Secureworks threat landscape
- ELITETEAM
- VirtualGate
- Maggie backdoor
- DeftTorero
- Earth Aughisky
- APT naming schemes
- Ranger stored passwords in plaintext
- Drupal security updates
- Hacking Google series
- NSA internship
- New tool—Dissect
- New tool—Freeze
- EvilGoPhish update
- MITRE ATT&CK update
- Sysmon 14.1 is out
- Stressed out
- ‘People search’ websites create privacy nightmares for abortion rights advocates
- Parking apps can let anyone track your car, this hacker wants to stop it
- Flaws in Matrix’s end-to-end encryption now patched
- New U.S. intel unit logo ‘erroneously posted’
- NSO hacked more people for longer, says new research
- Anonymous bug reports rocket after Beijing slapdown
- Can Kaspersky survive the Ukraine war?
- Hyperjacking hypervisors
- VA investigating breach after source code leak
- Updated on 2022-10-04
- More highlights from the past 24 hours
- Updated on 2022-10-03
- More highlights from the past 24 hours
- Transit Swap crypto-heist
- Whistleblower hacks
- ECG hack
- CBSA breach
- US rep wins UN ITU election
- Microsoft rewrites SmartScreen technology
- Russia sets up cybercrime-fighting agency
- Russia blocks Soundcloud
- Phisher arrested in Germany
- REF2731
- Diavol comeback
- DJVU ransomware
- WindShift APT
- Poisoning Akamai’s entire CDN cache
- Zscaler buys ShiftRight
- New tool—AzTokenFinder
- BSides San Francisco 2022 videos
- Google TAG history
Updated on 2022-10-31
This Halloween, let’s once more visit the ghost of threat actors present. BlackByte claimed to have attacked a metal solutions provider and is demanding $600,000 to delete the stolen data. Data breaches keep piling up down under: an airline disclosed a breach affecting its customers. In other news, a public housing agency has been hit by a ransomware attack that is disrupting its critical operations. Now, climb aboard the wagon for a scary tour of cyberspace from the weekend.
More highlights from the past 24 hours
- Bed Bath & Beyond suffered a phishing scam wherein a third party accessed its data. Investigation into what type of data was compromised is ongoing. Read more: Bed Bath & Beyond reviewing possible data breach
- The Indianapolis Housing Agency suffered a ransomware attack that cut all of its employees off from email. It also affected the agency’s ability to send out October rent payments to landlords. Read more: Indianapolis Low-Income Housing Agency Hit by Ransomware
- Dutch mental health organizations Ypse and Reinier van Arkel had data on 184 clients stolen in the breach at digital record storage service Carenzorgt. Read more: Patient files of Rainier van Arkel also captured in a hack
- A government data breach notice recently disclosed that the personal data of 28,282 individuals was compromised as a result of the data breach at Fulton City Police, Oswego County, in November 2021. Read more: Fulton data breach compromised personal data of thousands
- Security researcher Eilon Harel created an open-source, automated scanner for the timely discovery of secrets in exposed AWS S3 buckets. Read more: New open-source tool scans public AWS S3 buckets for secrets
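The S3 secret scanner above is a good excuse to show what such a tool does once it has a bucket listing in hand. The block below is an added example written for this page, not Harel’s tool or any project code: it takes a mapping of object key to object body (the constructed `SAMPLE_BUCKET`, standing in for a public listing plus GetObject), skips binary-looking keys, and runs a handful of secret patterns over each text line. The AWS access key ID shape (`AKIA`/`ASIA` plus 16 uppercase alphanumerics) and the PEM private key header are documented formats; the secret-key and password patterns are common heuristics, not vendor specifications.

```python
"""Scan objects pulled from an exposed S3 bucket for secrets (added example, not the tool from the article)."""
import re
from typing import Dict, List, Tuple

# Documented formats: AWS access key IDs (AKIA... / ASIA...) and PEM private-key headers.
# The secret-key and password shapes are heuristics a scanner would start with.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S{6,}"),
}

# Only keys likely to hold text configuration are fetched and scanned; images etc. are skipped.
SCANNABLE_SUFFIXES = (".env", ".json", ".yml", ".yaml", ".txt", ".cfg", ".ini", ".pem", ".key", ".log", ".sh")


def scan_object(key: str, body: bytes) -> List[Tuple[str, int]]:
    """Return (pattern name, line number) hits for one object body."""
    hits: List[Tuple[str, int]] = []
    text = body.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def scan_bucket_listing(objects: Dict[str, bytes]) -> Dict[str, List[Tuple[str, int]]]:
    """objects maps S3 key -> object body. Returns only keys with at least one hit."""
    findings: Dict[str, List[Tuple[str, int]]] = {}
    for key, body in objects.items():
        if not key.lower().endswith(SCANNABLE_SUFFIXES):
            continue
        hits = scan_object(key, body)
        if hits:
            findings[key] = hits
    return findings


# Constructed sample bucket contents; none of these values are real credentials.
SAMPLE_BUCKET: Dict[str, bytes] = {
    "backup/.env": (
        b"DB_HOST=db.internal\n"
        b"AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000XY\n"
        b"AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyz0123456789ABCD\n"
    ),
    "ops/deploy.sh": b"#!/bin/sh\nexport PASSWORD=Hunter2Hunter2\n",
    "images/logo.png": b"\x89PNG\r\n\x1a\n...",
    "docs/readme.txt": b"Nothing sensitive here.\n",
}

if __name__ == "__main__":
    for key, hits in scan_bucket_listing(SAMPLE_BUCKET).items():
        for name, lineno in hits:
            print(f"{key}:{lineno}: {name}")
```

Against a real bucket, the listing comes from `ListObjectsV2` and the bodies from `GetObject`; the scanning logic stays the same, and the hit list (key, line, pattern) is what you would feed to the bucket owner rather than the secret values themselves.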
Updated on 2022-10-30
Galaxy Store XSS
An anonymous researcher said he found an XSS vulnerability in the Samsung Galaxy Store that can allow a threat actor to cause the store to install and/or launch any desired application, leading to situations where malicious apps can be remotely installed on users’ devices. Read more: SSD Advisory – Galaxy Store Applications Installation/Launching without User Interaction
Juniper vulnerabilities
Octagon Networks published details on six vulnerabilities in Juniper’s SSL VPN products, including a pre-auth RCE tracked as CVE-2022-22241. Read more: Juniper SSLVPN / JunOS RCE and Multiple Vulnerabilities
Windows zero-day analysis
Zscaler researchers have published part two of their technical analysis of CVE-2022-37969, a zero-day in the Windows Common Log File System (CLFS) driver that they spotted exploited in the wild (part one was published earlier). Microsoft patched the vulnerability in the September 2022 Patch Tuesday. Read more: Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 – Part 2: Exploit Analysis
Timing attacks on IM services
A team of academics identified a timing side channel in the delivery/read receipts of modern instant messengers: by measuring how long a delivery notification takes to come back after sending a message, an attacker can tell recipients apart and infer their location. The attack reached roughly 80% accuracy in their tests, and the researchers demonstrated it against privacy-focused services like Signal, WhatsApp, and Threema. Read more: Hope of Delivery: Extracting User Locations From Mobile Instant Messengers
“While making use of this side channel is mostly limited to people who are in each others’ contact lists and have already started a conversation before, it yet comprises an unexpected and privacy-infringing act with low technical requirements that is equally hard to detect and to mitigate for a potential victim.”
New tool—Legitify
DevOps security firm Legit Security open-sourced a new tool this month called Legitify that detects and helps remediate misconfigurations and security and compliance issues across GitHub assets. Read more:
New tool—Dastardly
Security firm PortSwigger released Dastardly, a free, lightweight dynamic web application scanner that runs a subset of Burp Scanner’s checks against a build from inside a CI/CD pipeline. Read more: Free: Dastardly from Burp Suite
New tool—Spartacus
Consulting firm Accenture has open-sourced Spartacus, a tool that uses Process Monitor captures to discover DLLs an application tries to load but cannot find, i.e. candidates for DLL hijacking. Read more: Accenture/Spartacus
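The core of DLL-hijack hunting is a filter over Process Monitor output, and that filter is worth seeing in code. The block below is an added example written for this page, not Spartacus itself: it parses a Procmon CSV export (the constructed `SAMPLE_PROCMON_CSV` uses the same columns as a real "Save as CSV"), keeps `CreateFile` operations on `.dll` paths that ended in `NAME NOT FOUND`, and drops paths under directories an unprivileged user cannot write to. The `PROTECTED_PREFIXES` list is an assumption for the example; a real check would query the directory ACLs.

```python
"""Find DLL-hijacking candidates in a Process Monitor CSV export (added example, not Spartacus)."""
import csv
import io
from typing import Dict, List, Set

# Assumption for this example: directories a low-privileged user cannot write to.
# In practice, check the ACL of the directory the missing DLL was looked up in.
PROTECTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",
)


def _writable_by_user(path: str) -> bool:
    """Crude placement check: a missing DLL in a protected location is not plantable without admin rights."""
    return not path.lower().startswith(PROTECTED_PREFIXES)


def find_hijack_candidates(procmon_csv: str) -> Dict[str, List[str]]:
    """Map each process to the DLL paths it tried to open and did not find.

    A CreateFile on a .dll that returns NAME NOT FOUND means the loader probed that
    directory during its search order before finding (or not finding) the real DLL;
    a file planted at that exact path gets loaded instead.
    """
    candidates: Dict[str, Set[str]] = {}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or not _writable_by_user(path):
            continue
        candidates.setdefault(row["Process Name"], set()).add(path)
    return {proc: sorted(paths) for proc, paths in candidates.items()}


# Constructed Procmon-style export with the standard CSV columns; not a real capture.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","Example.exe","1234","CreateFile","C:\\Users\\alice\\Apps\\Example\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000100","Example.exe","1234","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0000200","Example.exe","1234","CreateFile","C:\\Users\\alice\\Apps\\Example\\cryptbase.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000300","Example.exe","1234","CreateFile","C:\\Users\\alice\\Apps\\Example\\config.ini","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000400","Service.exe","77","CreateFile","C:\\Windows\\System32\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000500","Service.exe","77","RegQueryValue","HKLM\\Software\\Foo","NAME NOT FOUND","Length: 144"
"""

if __name__ == "__main__":
    for proc, paths in find_hijack_candidates(SAMPLE_PROCMON_CSV).items():
        print(proc)
        for p in paths:
            print("  ", p)
```

In the sample, `Example.exe` first probes its own directory for `version.dll` and `cryptbase.dll` before falling back to System32; both probes are in a user-writable folder, so both are reported. The `Service.exe` miss under System32 is dropped because a standard user cannot place a file there.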
GFI report
The security research collective The Hacker’s Choice (THC) has published a preliminary analysis of the Great Firewall of Iran (GFI), the Iranian government’s internet censorship system, which has been in heavy use since the Mahsa Amini protests began more than a month ago. Read more: The Iran Firewall – A preliminary report
Influence operations
Google’s TAG security team has published a summary of the coordinated influence operation campaigns terminated on Google platforms in Q3 2022. Campaigns linked to China and Russia were taken down, but also operations linked to the US, Vietnam, Turkey, Iran, Sudan, North Macedonia, and Myanmar. Read more: TAG Bulletin: Q3 2022
Chrome zero-day
Google released Chrome v107.0.5304.87 to fix CVE-2022-3723, a zero-day vulnerability exploited in the wild. This is the seventh Chrome zero-day patched this year. Read more: Stable Channel Update for Desktop
Threat to Canada
The Canadian Centre for Cyber Security, Canada’s technical authority on cyber security, published an assessment of potential cyber threats its citizens and the government would most likely face through the next years, in 2023 and 2024. Among the listed threats are ransomware (because of course, ransomware), the threat to critical infrastructure because of the increased internet-connectivity of OT networks, increased state-sponsored activity, influence operations trying to degrade trust in online spaces, and the emergence of new disruptive technologies like machine learning automation and quantum computing. Read more: National Cyber Threat Assessment 2023-2024
US military cyber team’s defense of Ukraine
The BBC has a profile on a team of US military cybersecurity experts that have been helping the Ukrainian government protect their network. Read more: Inside a US military cyber team’s defence of Ukraine
DiDW arrest
German police detained a 22-year-old student for managing “Deutschland im Deep Web” (Germany on the Dark Web), the largest dark web marketplace catering to German-speaking users. The portal has been online since 2013 and has been known to sell drugs, weapons, and ammunition, being the website from where the perpetrator of the 2016 Munich terrorist attack also procured his weapons. Read more: Darknet-Marktplatz: Mutmaßlicher Administrator festgenommen
Old vulnerabilities are still everyone’s favorites
An F5 Labs report citing data from their network of honeypots shows that the vast majority of malicious scanning and exploitation targeted older vulnerabilities dating as far back as 2017 and 2018, rather than new, recently-disclosed ones, with the most targeted one being CVE-2018-13379, a directory traversal issue in Fortinet SSL VPNs. Read more: Sensor Intel Series: Top CVEs in September 2022
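Since CVE-2018-13379 still tops the honeypot charts, the practical follow-up is a detection that catches the traversal against the FortiOS SSL VPN portal in your own web logs. The block below is an added example written for this page, not F5’s or Fortinet’s code: it parses combined-format access log lines (the `SAMPLE_LOG` entries are constructed) and flags requests to `/remote/fgt_lang` whose `lang` parameter carries a `..` segment, an absolute path, or a reference to the `sslvpn_websession` file that the widely published exploit reads to obtain plaintext VPN credentials.

```python
"""Flag CVE-2018-13379-style path traversal against FortiOS SSL VPN in web logs (added example)."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log format. The sample lines below are constructed, not real telemetry.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r"(?P<status>\d{3}) (?P<bytes>\S+)"
)

# A '..' path segment anywhere in the value.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def is_fgt_lang_traversal(target: str) -> bool:
    """True when the request hits /remote/fgt_lang and its lang= value escapes the
    language directory: '..' segment, absolute path, or the sslvpn_websession file."""
    parts = urlsplit(target)
    if parts.path != "/remote/fgt_lang":
        return False
    for lang in parse_qs(parts.query).get("lang", []):
        # parse_qs decodes once; decode twice more because scanners often double-encode %2e%2e
        decoded = unquote(unquote(lang))
        if TRAVERSAL.search(decoded) or decoded.startswith("/") or "sslvpn_websession" in decoded:
            return True
    return False


def find_fortinet_traversal(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per matching log line with the fields an analyst pivots on."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_fgt_lang_traversal(m["target"]):
            alerts.append({"src": m["src"], "ts": m["ts"], "target": m["target"], "status": m["status"]})
    return alerts


SAMPLE_LOG = [
    '203.0.113.7 - - [27/Sep/2022:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 3121',
    '203.0.113.7 - - [27/Sep/2022:10:01:03 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 35112',
    '198.51.100.9 - - [27/Sep/2022:10:05:44 +0000] "GET /remote/fgt_lang?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0',
    '192.0.2.5 - - [27/Sep/2022:10:06:10 +0000] "GET /remote/fgt_lang?lang=fr HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for alert in find_fortinet_traversal(SAMPLE_LOG):
        print(alert)
```

A 200 with a large response body on the traversal request (the second sample line) is the one to treat as a confirmed credential leak; a 404 still tells you who is scanning.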
New ransomware strains
Fortinet researchers have a summary of new low-tier ransomware samples that have been observed in the wild over the past month, including some classic “seized by FBI” garbage and two new strains calling themselves Wise Guys and Pyschedelic. Read more: Ransomware Roundup: New FBI, Wise Guys, and “Pyschedelic” Ransomware
Amazon server leak
Amazon said there was a “deployment error” with one of its Amazon Prime analytics servers that was left exposed online without a password for more than two weeks and leaked 215 million entries containing pseudonymized user data. According to TechCrunch, which first reported on the leak, the leaked data contained the name of the show or movie that a user was streaming, on what device it was streamed, Prime subscription details, and network quality. Read more: Amazon accidentally exposed an internal server packed with Prime Video viewing habits
Telegram gets a one-day block in Russia
Russia’s telecommunications watchdog, the Roskomnadzor, blocked Telegram’s t.me short URL on Saturday after a copy of a video was uploaded on the platform containing instructions on how Russian soldiers could surrender to the Ukrainian Armed Forces, once deployed in Ukraine. The URL was not in Roskomnadzor’s blocklist on Sunday, suggesting the block was lifted after only one day. Read more:
Liz Truss phone compromised
The personal smartphone of Liz Truss, the former UK Prime Minister, was compromised by Russian state hackers. According to a Daily Mail report, the hack took place over the summer while Truss was still Foreign Secretary, and the incident was suppressed by Boris Johnson’s cabinet to maintain her chances at becoming the next Prime Minister. According to the newspaper, the incident was considered so severe that UK security services took Truss’ phone and locked it in a secure location. Truss was also forced to change the number she had been using for the last ten years. Read more: MAIL ON SUNDAY EXCLUSIVE: Liz Truss’s personal phone that was hacked by Kremlin agents was so compromised it was locked away in a ‘secure location’ as experts fear top secret negotiations and private messages may have been leaked
CIA agent under investigation
The Associated Press reported that the FBI started an investigation of Kevin Chalker, a former CIA agent who worked for the Qatar government and allegedly orchestrated a hacking and spying operation against officials from rival soccer federations bidding for the 2022 World Cup. Read more: FBI probing ex-CIA officer’s spying for World Cup host Qatar
Apple’s security mixed messages
Apple this week published a new security research hub and a blog on memory corruption bugs (interesting), plus news that it’s paid out $20 million in total to security researchers, or about 0.02% of what Apple made in profit last year. In related news, Apple also confirmed that it only fully patches its latest operating systems. Read more:
- Apple clarifies security update policy: Only the latest OSes are fully patched
- Apple Security Research
Australia admits data laws ‘inadequate’ as medical hack hits millions
We’re in week three of “WTF is going on in Australia?” after several major hacks left the country scrambling. After one of its main telcos Optus was hacked, fast forward two weeks and now Medibank, the country’s biggest private health insurance company, was breached. Per the insurer’s statement, the criminal had access to all ahm, international students, and Medibank customers’ “personal data and significant amounts of health claims data.” Which is to say, the motherlode. The only bright side here is that Medibank was honest and transparent in the end — that’s it. This will likely have consequences for Australians for generations, especially if the attack was state-sponsored or involved. As a result, the Aussie government admitted this week that the nation’s cyber safeguards were “inadequate.” Understatement of the decade. Read more:
- Australia admits cyber defences ‘inadequate’ as medical hack hits millions
- Medibank Latest announcement
- Medibank says hackers had access to ‘all personal data’ belonging to all customers
- Medibank hack started with theft of company credentials, investigation suggests
- Paying off hackers is common, says top Australian govt cybersecurity firm
- Optus reveals at least 2.1 million ID numbers exposed in massive data breach
Updated on 2022-10-28
A multi-directional cyberattack took down the IT systems of the Slovak and Polish parliaments. As the midterm elections get closer, hackers are getting desperate: the New York Post was hacked to post attacks on politicians. In other news, the Play Store was once again found harboring malicious apps. Read along for the top 10 cyber highlights from the past 24 hours.
More highlights from the past 24 hours
- A data breach at the Australia-based Medlab Pathology compromised individual diagnoses, Medicare card numbers, and payment card details of 223,000 people. Read more: Medlab Pathology Breach Affects 223,000 Australians
- A new version of the Drinik Android malware was found capable of targeting customers of 18 Indian banks, pretending to be the nation’s official tax management app. Read more: Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers
- SASE vendor Versa Networks raised $120 million in pre-IPO funding round led by BlackRock Capital, with participation from Silicon Valley Bank. Read more: Versa Networks raises $120 million to accelerate SASE product innovations
- PreVeil, a cloud-based end-to-end encrypted email and file collaboration solutions provider, raised $20 million in Series C funding led by PSG. Read more: PreVeil Raises $20M in Series C Funding
Phishing “compensation”
Cryptocurrency exchange platform FTX said it is providing $6 million in compensation for some of its users who fell victim to a phishing scam last week. The company said the users didn’t fall victim to sites posing as FTX but to sites posing as another cryptocurrency platform named 3Commas. FTX said its users provided this fake site copies of their FTX API keys, usually provided to integrate two different services, which the hackers then used to drain accounts. FTX CEO Sam Bankman-Fried called this action a “one-time” compensation and said that the platform does not intend to compensate users again for losses due to phishing at other platforms. Read more: FTX to give a ‘one-time’ $6M compensation to phishing victims
Improved account recovery on npm
GitHub has rolled out an improved, easier account recovery flow for npm developers who lost access to both their MFA device and their recovery codes. Read more: Improved account recovery flow in case of a lost 2FA device
New LinkedIn security features
LinkedIn announced new security features this week to help users verify and determine if a profile is authentic. In addition, the company is also deploying a system to detect AI-generated profile images and more systems to detect suspicious DMs. The move comes after the social network has become wildly popular among cybercrime and cyber-espionage groups alike for both scamming and luring users to malware and phishing sites. Read more: New LinkedIn profile features help verify identity, detect and remove fake accounts, boost authenticity
Cybersecurity sprint
The Biden administration announced this week a 100-day cybersecurity sprint meant to help protect the US chemical sector from cyberattacks. This will be the fourth cybersecurity sprint launched by the White House since April 2021, after similar programs targeted the pipeline, water, and railway transportation sectors. Read more:
- FACT SHEET: Biden-Harris Administration Expands Public-Private Cybersecurity Partnership to Chemical Sector
- White House announces 100-day cyber sprint for chemical sector
XSS adds section for security firms
Probably tired after having his site scraped over and over again by security firms and malware searchers, the operator of the XSS cybercrime forum decided this week to add the ability for security firms to purchase a “scraper” option to allow them to collect data from the forum without getting blocked or banned.
Facebook subscription spam
A threat actor has hammered Polish Facebook users with a giant subscription spam campaign that used more than 600 different malicious landing sites, according to Avast.
Fodcha DDoS botnet
Qihoo 360’s Netlab division said it spotted new DDoS attacks carried out using Fodcha, a DDoS botnet that first emerged earlier this year in April. According to Netlab, the botnet has grown significantly over the past months, is now capable of executing DDoS attacks of over 1 Tbps, and its operators are also using it to extort companies. Netlab said they are doing this by adding an extortion demand in the UDP packets of their attack, requesting payment to a Monero address. Read more:
send 10 xmr to 49UnJhpvRRxDXJHYczoUEiK3EKCQZorZWaV6HD7axKGQd5xpUQeNp7Xg9RATFpL4u8dzPfAnuMYqs2Kch1soaf5B5mdfJ1b or we will shutdown your business
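Because Fodcha puts the demand in the flood traffic itself, the payload is also the indicator: pulling the note and the payout address out of captured packets lets you pivot on the address across incidents. The block below is an added example written for this page, not Netlab’s tooling. It strips non-printable filler from a UDP payload, matches the demand phrasing quoted above, and validates the address as a 95-character base58 Monero address starting with `4`. The `SAMPLE_PAYLOADS` are constructed around the address from the Netlab report.

```python
"""Extract DDoS extortion notes and Monero payout addresses from UDP flood payloads (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Monero standard address: 95 base58 characters starting with '4'. Base58 has no 0, O, I or l.
XMR_ADDR = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
# Demand phrasing from the Netlab report; keywords are case-insensitive, the address is not.
DEMAND = re.compile(
    r"(?i:send)\s+(?P<amount>\d+(?:\.\d+)?)\s*(?i:xmr)\s+(?i:to)\s+(?P<addr>4[1-9A-HJ-NP-Za-km-z]{94})\b"
)

# The address quoted in the report (taken from the page, not constructed).
FODCHA_NOTE_ADDR = "49UnJhpvRRxDXJHYczoUEiK3EKCQZorZWaV6HD7axKGQd5xpUQeNp7Xg9RATFpL4u8dzPfAnuMYqs2Kch1soaf5B5mdfJ1b"


def extract_extortion_note(payload: bytes) -> Optional[Dict[str, str]]:
    """Return {'amount', 'address'} when the payload carries a pay-or-we-attack note, else None.

    Flood packets often pad the note with random bytes, so drop everything outside
    printable ASCII before matching.
    """
    text = "".join(chr(b) for b in payload if 32 <= b < 127)
    m = DEMAND.search(text)
    if m:
        return {"amount": m["amount"], "address": m["addr"]}
    # Fallback: a bare Monero address next to extortion vocabulary.
    a = XMR_ADDR.search(text)
    if a and re.search(r"(?i)\bxmr\b|monero|shutdown|pay", text):
        return {"amount": "", "address": a.group(0)}
    return None


def summarize_flood(payloads: Iterable[bytes]) -> Dict[str, object]:
    """Count notes per payout address across a capture so one address can be pivoted on."""
    addresses: Counter = Counter()
    total = 0
    for payload in payloads:
        total += 1
        note = extract_extortion_note(payload)
        if note:
            addresses[note["address"]] += 1
    return {"packets": total, "addresses": dict(addresses)}


# Constructed payloads: one note wrapped in binary filler, one filler-only packet, one upper-cased note.
SAMPLE_PAYLOADS = [
    b"\x00\x00\x00\x01" + f"send 10 xmr to {FODCHA_NOTE_ADDR} or we will shutdown your business".encode() + b"\xff" * 8,
    b"\x11\x22\x33\x44random filler without any note",
    f"SEND 10 XMR TO {FODCHA_NOTE_ADDR} OR WE WILL SHUTDOWN YOUR BUSINESS".encode(),
]

if __name__ == "__main__":
    print(summarize_flood(SAMPLE_PAYLOADS))
```

Keep the address check strict: a regex that is fully case-insensitive would accept characters outside the base58 alphabet and produce false positives on random filler.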
Apple bug bounty program
Apple says it has awarded more than $20 million to security researchers via its bug bounty program since its launch in late 2019. Apple said the program has an average payout of $40,000 and also dished out 20 separate rewards of over $100,000 for high-impact issues. Read more: Apple Security Bounty. Upgraded.
VMware vulnerability
Sina Kheirkhah of Source Incite published details on a pre-authenticated remote code execution chain in VMware NSX Manager (the NSX-V component of VMware Cloud Foundation). VMware’s advisory VMSA-2022-0027 covers two issues: an unauthenticated RCE through the bundled XStream library (CVE-2021-39144) and an XML external entity flaw (CVE-2022-31678). Both were patched earlier this week. Read more:
- Eat What You Kill :: Pre-authenticated Remote Code Execution in VMWare NSX Manager
- VMware Security Solutions > Advisories > VMSA-2022-0027.1
TCP/IP RCE
Researchers from Numen have published a write-up on CVE-2022-34718, a remote code execution vulnerability in the Windows TCP/IP stack, reachable by a crafted IPv6 packet on hosts with IPsec enabled, that Microsoft patched in September. A PoC is also included. Read more:
- TCP/IP Vulnerability CVE-2022-34718 PoC Restoration and Analysis
- Windows TCP/IP Remote Code Execution Vulnerability
- numencyber/VulnerabilityPoC
SiriSpy
According to reverse engineer Guilherme Rambo, any app with Bluetooth access could record the audio of a user’s Siri conversations and iOS keyboard dictation while AirPods or Beats headsets were connected, without triggering the microphone permission prompt. The bug, named SiriSpy (CVE-2022-32946), was patched earlier this week in iOS 16.1. Read more: About the security content of iOS 16.1 and iPadOS 16
Leeloo Multipath
Qualys researchers published details on Leeloo Multipath, two local privilege escalation vulnerabilities in the Linux multipathd daemon: an authorization bypass (CVE-2022-41974) and a symlink attack (CVE-2022-41973) that can be chained to obtain root. Read more: Leeloo Multipath: Authorization bypass and symlink attack in multipathd (CVE-2022-41974 and CVE-2022-41973)
New tool—Text4Shell tools
DevOps security firm JFrog has open-sourced a collection of tools to scan projects for the Text4Shell vulnerability. Read more:
Hexacon 2022 videos
Talks from the Hexacon 2022 security conference, which took place earlier this month, are available on YouTube.
Updated on 2022-10-27
Kiss-a-dog. That’s the name of the latest cryptomining campaign targeting cloud containers. Healthcare breach volumes reached a record high, according to the public breach tally maintained by the HHS Office for Civil Rights. In other news, a North Korean hacker group has returned with multiple malware strains to target Android users. Here are the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- The federal tally of healthcare data breaches, which only counts incidents affecting 500 or more individuals, reached a new high of 5,006 reported incidents since 2009, with 369 million people affected in total. Read more: Federal Tally Reaches 5,000 Health Data Breaches Since 2009
- Trend Micro spotted an attack that abused Weave Scope, a legitimate cloud monitoring tool, to target AWS Elastic Compute Cloud (EC2) instances and steal credentials. Read more: Threat Actors Target AWS EC2 Workloads to Steal Credentials
- A phishing email impersonating LinkedIn was discovered targeting users of travel organizations to steal their credentials. The campaign can bypass Google’s email security controls. Read more: LinkedIn Phishing Spoof Bypasses Google Workspace Security
- Cloud-native runtime security startup Spyderbat snapped up $10 million in Series A funding led by NTTVC, with Benhamou Global Ventures, LiveOak Venture Partners as participants. Read more: Spyderbat Raises $10 Million for Cloud and Container Security Platform
- Arnica, a behavior-based threat detection startup, bagged $7 million in seed funding led by Joule Ventures and First Rays Venture Partners. Read more: Arnica raises $7 million to protect software supply chains without harming developer velocity
GUAC to understand software supply chains
Google announced a new open source project called GUAC, the Graph for Understanding Artifact Composition, which aims to aggregate many different sources of software security metadata (SBOMs, SLSA attestations, vulnerability data) into one graph that is easy to query. Read more:
- Announcing GUAC, a great pairing with SLSA (and SBOM)!
- Google announces GUAC open source project on software supply chains
Cisco warns of high-severity vulnerabilities in Identity Services Engine
Cisco disclosed multiple vulnerabilities last week in its Identity Services Engine software. Two of them stand out: CVE-2022-20822, a path traversal bug that lets an authenticated remote attacker read and delete files on a targeted device, and CVE-2022-20959, a cross-site scripting bug in the web interface that can run arbitrary script code in a victim’s browser and expose sensitive information. Cisco’s PSIRT team said it expects proof-of-concept code to become available after the disclosures, but there is no evidence of either issue being exploited in the wild. Read more:
- Vulnerabilities in Cisco Identity Services Engine require your attention (CVE-2022-20822, CVE-2022-20959)
- Cisco Identity Services Engine Unauthorized File Access Vulnerability
Snyk layoffs
DevOps and cybersecurity unicorn Snyk is set to sack 198 employees, representing roughly 14% of its workforce. Read more: Cyber unicorn Snyk to sack 198 employees, 14% of workforce
VirusBulletin 2022 videos
Some of the recorded talks from the VirusBulletin 2022 security conference, which took place earlier this month, are available on YouTube.
Some nice tutorial
CrowdStrike’s Jack Halon is releasing a browser exploitation series on Google Chrome. Part one, covering V8 and JavaScript internals, is already out. Read more: Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals
(ISC)² drama
Security certification body (ISC)² is being widely criticized by current and former members for passing organization-wide changes despite complaints from its members. According to The Daily Swig, the organization has changed its mission, has eliminated its Ethics Committee, and is readying to change the process for electing the board of directors to a process controlled by current members—in what former members have described as “a coup by governance.” Read more:
- PROPOSED AMENDMENTS TO (ISC)² BYLAWS
- Security certification body (ISC)² defends ‘undemocratic’ bylaw changes
22yo SQLite vulnerability
Trail of Bits disclosed this week CVE-2022-35737, a potentially exploitable memory corruption bug in the SQLite database engine triggered by passing very large strings into its printf-style string formatting functions. The vulnerability affects SQLite versions 1.0.12 through 3.39.1, i.e. every release since October 2000, and is fixed in 3.39.2. Read more: Stranger Strings: An exploitable flaw in SQLite
Aukey router zero-day
Code White security researcher 3sjay has published a proof-of-concept exploit for an RCE vulnerability in the Aukey router model WR-R01. The researcher said he published the exploit after the vendor failed to respond to his disclosure and because the model no longer appears to be manufactured or sold. Read more: 3sjay/sploits
LogCrusher and OverLog
Varonis researchers published details on LogCrusher and OverLog, two vulnerabilities in the Internet Explorer-specific Event Log that Windows still ships:
- LogCrusher, which allowed any domain user to remotely crash the Event Log service of any Windows machine on the domain.
- OverLog, which causes a remote denial-of-service (DoS) by filling the hard drive of any Windows machine on the domain (CVE-2022-37981).
Varonis said that even though Microsoft retired IE in June, the two vulnerabilities still affect users because IE components remain present in core Windows apps. Read more: The Logging Dead: Two Event Log Vulnerabilities Haunting Windows
APT activity targeting EU bodies
CERT-EU, the EU agency that provides incident response to official EU agencies, said that almost two-thirds (63%) of the threat alerts it sent in Q3 2022 were related to cyber-espionage activity. The agency said of the 11 “top threat actors” they are tracking, they detected direct attacks against EU bodies from three groups—but no successful breach. The full report is here [PDF].
Microsoft SharePoint vulnerability
Singapore-based security firm StarLabs disclosed on Tuesday a vulnerability in Microsoft SharePoint Server 2019. Described as a post-authentication SSRF, the issue was fixed by Microsoft, which nonetheless declined to assign a CVE identifier to StarLabs’ finding. Read more: Microsoft SharePoint Server Post-Authentication Server-Side Request Forgery vulnerability
Abuse of legitimate RATs
Synacktiv researchers have published in-depth research on how threat actors are abusing legitimate remote access tools in their attacks. The research covers apps like Teamviewer, AnyDesk, Atera, and Splashtop. Read more: LEGITIMATE RATS: A COMPREHENSIVE FORENSIC ANALYSIS OF THE USUAL SUSPECTS
Dutch hacker arrested
Dutch police detained a 19-year-old from the town of Krimpen aan den IJssel for hacking into the network of a healthcare software supplier and stealing files containing user data. Authorities said they are still investigating whether the teen resold any of the data. While authorities did not name the victim of this incident, a Dutch healthcare provider disclosed a security breach of its Carenzorgt.nl portal on the same day as the Dutch police announcement. Read more:
Alfa-Bank ATMs defrauded
A Russian criminal group stole roughly 60 million rubles ($975,000) from the ATMs of Russian bank Alfa-Bank by abusing a glaring design flaw that allowed them to insert counterfeit cash into the ATMs and later withdraw legitimate currency. Read more: Альфа-Банк обокрали на десятки миллионов с помощью билетов «банка приколов»
KEV update
CISA has updated its KEV database with six vulnerabilities that are currently being actively exploited in the wild. The list includes two Cisco vulnerabilities from 2020 and two GIGABYTE vulnerabilities from 2018. Read more: CISA Adds Six Known Exploited Vulnerabilities to Catalog
Ransomware in Singapore
The Singapore government convened an inter-agency Counter Ransomware Task Force (CRTF) to develop recommendations on policies, operational plans, and capabilities to improve the country’s counter-ransomware efforts, and to assist research and educational institutions and businesses in defending against ransomware attacks. Read more: Inter-agency Task Force to Counter Ransomware Threats
More cybersecurity coordination needed for K-12 sector
A report from the US Government Accountability Office (GAO) found that while there are three federal agencies that assist K-12 schools in protecting against cyber threats, there are no formal channels for how agencies coordinate with each other or with K-12 schools to address cybersecurity risks or incidents; hence more coordination is needed between all players to improve the K-12 cybersecurity stance across the board. Read more: Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity
Sigstore reaches GA
Sigstore, a system for cryptographically signing software releases to protect users against supply chain attacks, has reached general availability.
“To date over 4 million signatures have been logged using Sigstore and two of the world’s largest open source communities, Kubernetes and Python, have adopted Sigstore’s wax seal of authenticity by signing their production releases with Sigstore. Most recently, npm announced they are actively working to integrate Sigstore, so all npm packages can be reliably linked to their source code and build instructions.”
Read more:
- Sigstore Announces General Availability at SigstoreCon
- Why we’re excited about the Sigstore general availability
- Sigstore is now Generally Available
- Kubernetes signals massive adoption of Sigstore for protecting open source ecosystem
- New request for comments on improving npm security with Sigstore is now open
Chrome EOL on Win7/8.1
Google announced this week plans to end support for its Chrome browser on Windows 7 and Windows 8.1 next year, on January 10, 2023. Read more: Sunsetting support for Windows 7 / 8/8.1 in early 2023
“With the release of Chrome 110 (tentatively scheduled for February 7, 2023), we’ll officially end support for Windows 7 and Windows 8.1. You’ll need to ensure your device is running Windows 10 or later to continue receiving future Chrome releases.”
E-Pal breach
E-Pal, a web service dedicated to helping gamers find free or pro teammates for their favorite games, has disclosed a security breach that took place earlier this month. The company’s data, leaked online, was also added to HIBP. Read more: Submitted Breach Notification Sample
L2DAO crypto-heist
Ethereum investment project L2DAO confirmed on Monday that a hacker drained 49,950,000 L2DAO tokens from its project, worth around $234,000 at the time of the incident. The project said the hacker dumped the tokens, but it was able to repurchase 31,239,677 L2DAO tokens ($146,000) with its own treasury funds.
Updated on 2022-10-26
A massive freejacking campaign was found abusing free-tier cloud dev resources. Experts suspect this advanced sibling of cryptojacking has earned the attackers some handsome profits. A ticketing service provider recently notified customers of a data breach that went undetected for a couple of years. While we are on breaches, Medibank finally confirmed that all of its customers have been impacted by its recent breach. Read along for more news from cyberspace.
More highlights from the past 24 hours
- See Tickets notified customers of a data breach that potentially impacted their payment details via a website skimmer. The breach went on for 2.5 years, from June 25, 2019, to January 8, 2022. Read more: See Tickets discloses 2.5 years-long credit card theft breach
- Attack analysis by Sophos revealed that victims in the manufacturing and production sectors pay the highest ransom, coming in at just over $2 million. Read more: These ransomware victims are making the highest ransom payments
- Rockville-based integrated security solutions provider Sepio raised an undisclosed amount in Series B funding round led by U.S. Venture Partners (USVP). Read more: Sepio Raises Series B Funding Round
- Israel-based Valence Security bagged $25 million in Series A funding led by Microsoft’s M12 venture fund, with participation from YL Ventures, Akamai Technologies, and others. Read more: Microsoft M12 Leads $25 Million Valence Security Series A
Updated on 2022-10-25
Was Iran’s Atomic Energy Organization hacked? While the hackers are claiming so, Tehran has just laughed the entire incident off. In the same vein, Hive claimed responsibility for the attack on Tata Power. In other news, hackers are targeting Ukrainian critical infrastructure, warned the CERT-UA. Here are the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- Check Point discovered that DHL is the most spoofed brand in phishing emails, accounting for 22% of all worldwide phishing attempts, between July and September. DHL is followed by Microsoft at 16% and LinkedIn at 11%. Read more: DHL named most-spoofed brand in phishing
- Corsa Security, a network security provider, raised $10 million in Series D funding led by Roadmap Capital. The firm aims to enhance the product development of its security orchestrator. Read more: Network Security Company Corsa Security Raises $10 Million
Updated on 2022-10-24
BSides Portland 2022 videos
Talks from the BSides Portland 2022 security conference, which took place earlier this month, are available on YouTube.
Autodesk vulnerabilities
Fortinet researchers published details on 24 vulnerabilities in various Autodesk software products, including many remote code execution issues. Read more: FortiGuard Labs Researcher Discovers Multiple Vulnerabilities in Multiple Autodesk Products
SHA-3 buffer overflow
US cryptographer Nicky Mouha unveiled details on CVE-2022-37454, a vulnerability in the eXtended Keccak Code Package (XKCP), a library that implements various cryptographic schemes. The vulnerability impacts XKCP’s SHA-3 implementation and allows attackers to execute arbitrary code or eliminate expected cryptographic properties. Fixes were deployed last week for XKCP and its implementations for Python, PHP, and Ruby. Read more:
Winnti APT
Malwarebytes has a report on a new cyber-espionage campaign targeting government entities in Sri Lanka. The company linked this operation to the Winnti APT group. Read more: Winnti APT group docks in Sri Lanka for new campaign
Android bankers
Dr.Web researchers said they uncovered a series of Android shopping apps meant to infect Malaysian users with a banking trojan. Read more: Banking trojans disguised as shopping apps attack Malaysian Android users
Dark Crystal RAT
Splunk researchers have a report out on the Dark Crystal RAT, or DCRat, a common payload used by low-sophisticated threat groups these days. Read more: Dark Crystal RAT Agent Deep Dive
Team Mysterious Bangladesh
Indian security firm CloudSEK said it found evidence that Team Mysterious Bangladesh, a group of pro-Bangladesh hacktivists, are planning cyberattacks against various Indian targets. Read more: Team Mysterious Bangladesh planning another tide of attack over Indian entities
TommyLeaks and SchoolBoys
Two recently discovered ransomware operations named TommyLeaks and SchoolBoys are actually run by the same threat actor. According to BleepingComputer, the group has been active since last month and built its ransomware encrypter/decrypter using the leaked LockBit ransomware builder. Read more: TommyLeaks and SchoolBoys: Two sides of the same ransomware gang
New Sparta group
A new ransomware hack-and-leak group named Sparta has compromised and extorted at least 12 victims. Despite being a new threat actor, Sparta ranked fourth behind LockBit, BlackBasta, and AlphV in NCC Group’s monthly Threat Pulse report. In the meantime, the IceFire group appears to have taken a hiatus, not having listed any new victims last month after ranking in the Top 10 in August. Read more: NCC Group Monthly Threat Pulse – September 2022
New malware threats
Red Canary, which runs a monthly ranking of the top malware threats it sees online, said it saw three new malware families break into its Top 10 for the month of October:
- Web Companion (#6) – a program that, if given permission, can access and change users’ browser settings
- Zloader (#7) – a banking trojan with many variants; while it originally focused on credential theft, in more recent years, it’s delivered pre-ransomware payloads on behalf of several ransomware families
- PureCrypter (#8) – Multi-stage encrypted malware suite that uses process injection to deliver and execute additional malicious payloads such as information stealers or remote access tools
Facebook hacking groups
Meta removed more than 45 Facebook groups and pages that were advertising hacking services and hacked accounts following a Bloomberg and Cisco Talos investigation. The groups had more than 1 million combined members, including three with more than 100,000 members. Read more: Hacking Tools, Stolen Credit Cards Advertised on Facebook Groups
Pop star hacker sentenced
Adrian Kwiatkowski, a 22-year-old from the UK, was sentenced last week to 18 months in prison for hacking the personal accounts of famous pop stars, stealing unreleased music, and then selling it online in exchange for cryptocurrency. According to the UK Crown Prosecution Service, Kwiatkowski was in possession of 565 stolen and unreleased songs and admitted to officials to selling two unreleased songs by British pop star Ed Sheeran and 12 songs by American musician Lil Uzi Vert. Read more: Computer hacker of famous musicians’ digital accounts is jailed
Australia to increase data breach penalties
Following a string of high-profile hacks over the past month (Optus, Telstra, Medibank, Woolworths, and EnergyAustralia), Australian government officials plan to introduce legislation this week to significantly increase penalties for repeated or serious privacy breaches. According to officials, the new law will increase maximum penalties from the current $2.22 million penalty to $50 million, or even 30% of the company’s adjusted turnover in the relevant period. Read more: Tougher penalties for serious data breaches
Argentina’s army gets ransomwared
Argentina’s Joint Chief of Staff of the Armed Forces disconnected its IT network last week after the agency suffered a ransomware attack. Local media reported that the incident prevented army officials from holding their regular security meetings, including ones with international partners. Read more: Detectan un “virus malicioso” en el sistema informático del Estado Mayor Conjunto de las Fuerzas Armadas
Updated on 2022-10-21
Improper use of Meta Pixel led to a healthcare data breach affecting a whopping three million individuals. Australian cyberattack victims are racking up quite the number, with an electricity company as the latest victim. LockBit has made its name at the top of the most prolific ransomware list by being the most active. Read along for more highlights from the past 24 hours.
More highlights from the past 24 hours
- Advocate Aurora Health, a U.S.-based healthcare system, suffered a data breach that compromised the IP address, scheduled appointments, medical record numbers, and other information of three million patients. Read more: Healthcare system Advocate Aurora Health data breach potentially impacted 3M patients
- EnergyAustralia fell victim to a cyberattack resulting in the exposure of the names, contact details, gas and electricity bills, and credit card digits of 323 residential and small business customers. Read more: EnergyAustralia latest to be hit by cyber-attack as details of hundreds of customers exposed
- Since Conti shut down, LockBit has taken over the ransomware landscape, accounting for 42% of a total of 455 attacks by 27 ransomware variants from July to September, as per a report by Intel. Read more: With Conti gone, LockBit takes lead of the ransomware threat landscape
- The Biden administration issued a directive that necessitates freight railroad operators and owners to improve their security stance in the face of cyberattacks by foreign governments. Read more: Biden administration issues new cybersecurity requirements for rail operators
“Won’t fix” bug
MDSec researchers have found an unauthenticated SSRF to RCE vulnerability in the Microsoft Office Online Server, which the Redmond-based company said it would not fix as it doesn’t meet their regular definition of a security flaw. Read more: Microsoft Office Online Server Remote Code Execution
Cuba ransomware
Microsoft’s security team said it recently spotted the operators of the Cuba ransomware installing an Avast anti-rootkit driver on compromised networks to elevate privileges and disable local security solutions. Read more: Defenders beware: A case for post-ransomware investigations
KEV update
CISA has updated its KEV database with two new vulnerabilities that are currently being actively exploited. The two are a recently patched Zimbra zero-day and a 2021 vulnerability patched last year in the Linux kernel. Read more: KNOWN EXPLOITED VULNERABILITIES CATALOG
Supply chain attack figures
DevOps security firm Sonatype said it discovered 97,334 malicious libraries across several programming ecosystems in 2022. The number is up from roughly 12,000 last year, representing a nearly 633% increase in incidents over the course of a calendar year. More in the company’s State of the Software Supply Chain report. Read more: Open Source Supply, Demand, and Security
WatchDog
After AquaSec researchers reported last month that they’d seen new malware linked to the TeamTNT gang and their infrastructure—a notable event because the TeamTNT gang formally announced their retirement last year—Trend Micro researchers said they believe this new malware might be the work of a threat actor known as WatchDog. Read more:
SIM swappers sentenced
Two Massachusetts men were sentenced this week to prison for a scheme to steal “OG” social media and cryptocurrency accounts using SIM-swapping attacks. Eric Meiggs, 24, of Brockton, was sentenced to two years and one day in prison, and Declan Harrington, 22, of Beverly, was sentenced to two years and seven days in prison. Read more: Two Men Sentenced for Nationwide Scheme to Steal Social Media Accounts and Cryptocurrency
Car thieves detained in France
Two car thieves were detained in France last week for stealing Lexus and Toyota cars using a “quick start electronic key” device disguised inside a portable JBL speaker. Read more: Grâce à une fausse enceinte Bluetooth JBL, ils réussissaient à voler des voitures
Another NSO target
Mexican opposition congressman Agustin Basave Alanis revealed this week that his iPhone was infected with a version of the Pegasus spyware. The official said he was notified by Apple about the infection last November and confirmed the infection with experts from CitizenLab, according to a report from Latin America privacy watchdog R3D. Read more: EL DIPUTADO DE OPOSICIÓN AGUSTÍN BASAVE ALANÍS FUE ESPIADO CON PEGASUS, CONFIRMA CITIZEN LAB
Russian MP calls for cyberattacks on Ukraine
Alexander Khinshtein, a member of the Russian Parliament, publicly advocated this week for the Russian government to carry out cyberattacks against Ukraine as a preemptive measure to stop theoretical Ukrainian cyberattacks. Someone should tell this clueless MP about HermeticWiper and all the other wipers that hit Ukraine this year. He might not be aware of what’s going on in his own country. Read more: Глава комитета Госдумы Хинштейн призвал к киберударам по центрам принятия решений Украины
Ukraine dismantles another bot farm
Ukraine’s Security Service said it dismantled another Russian bot farm operating inside its borders, inside the city of Dnipro, where a threat actor was running 10,000 fake accounts dispensing Kremlin propaganda across the EU. The operation marks the sixth time Ukrainian officials have gone after Russian bot farms operating inside Ukraine, after similar operations in February (18,000 bots), March (100,000 bots across five bot farms), August (1,000,000 bots), September (7,000 bots), and October (50,000 bots). Read more: СБУ ліквідувала у Дніпрі ворожу ботоферму, яка створила майже 10 тис. фейкових акаунтів для «розгону» кремлівської пропаганди в ЄС
Germany fines Telegram
The German government has fined Telegram €5.125 million for failing to create and maintain a system through which users can report illegal content on the platform. The fine applies to fiscal years 2021 and 2022. Read more: Germany slaps messaging app Telegram with $5 million fine
Another TikTok scandal
Forbes reported on Thursday that they obtained documents showing how a Beijing-based team inside Bytedance was planning to use TikTok to monitor the location of some US citizens. The team was created to keep track of TikTok’s US employees, but Forbes claims it had also planned to monitor non-employees as well. Read more: TikTok Parent ByteDance Planned To Use TikTok To Monitor The Physical Location Of Specific American Citizens
Minecraft drama
The developer of the PolyMC launcher app for Minecraft servers has kicked out all his fellow collaborators, citing their “leftist queer ideology.” Never a good sign, so if you’re a Minecraft gamer, you might want to remove a single-developer-controlled closed app from your system as soon as possible. Read more: If you use PolyMC for Minecraft you should switch away now
LibreOffice, not OpenOffice
Take note, IT departments. OpenOffice has been dead for eight years now.
Technoserv hack
The National Republican Army of Russia (NRA), an anti-government Russian hacktivist group, took credit for hacking Technoserv, one of the country’s largest IT companies and a major government contractor. Read more: Russians Against Putin: NRA Claims Massive Hack of Russian Government Contractors’ Computers
Moola Market crypto-heist
A threat actor stole $9 million worth of cryptocurrency from DeFi platform Moola Market, only to return 93% of the funds within hours of the hack as part of a shady deal to “rebrand” the hack as vulnerability research and the 7% of the stolen funds as a bug bounty payment. These types of deals have been widespread in the cryptocurrency ecosystem and are not only bordering on criminality but also making a sham of actual white-hat hacking. Read more: Moola Market attacker returns most of $9M looted for $500K bounty
Microsoft breach
Microsoft confirmed on Wednesday a report from security firm SOCRadar that the OS maker misconfigured one of its cloud servers that eventually leaked the details of some of its business transactions and prospective customers. SOCRadar claimed the data of more than 65,000 customers was exposed as a result of the leaky server, but Microsoft said that “greatly exaggerated the scope of this issue” and that the number was far smaller, including many duplicates. Microsoft also said it was disappointed that SOCRadar released BlueBleed, a tool for users to search and see if their data was exposed in the incident. Read more:
- Investigation Regarding Misconfigured Microsoft Storage Location
- Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket
Defense Health Agency
The US Defense Health Agency, the agency that provides healthcare services to the US Army, Navy, and Air Force during peace and wartime, has disclosed a security breach that exposed the details of more than 1,200 individuals. Read more: HHS Office for Civil Rights probes ‘hacking/IT incident’ at Defense Health Headquarters
Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service
Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system commands remotely. The Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes open VPN tunneling, a cloud management platform to manage other devices and routers, and various safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All these vulnerabilities have a CVSS severity score of 9.1 out of 10. Read more: Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service
Updated on 2022-10-20
A LockBit victim recently confirmed that it suffered a ransomware attack back in July, in a notice to the state attorney general’s office. Imagine a project you have been working on, a critical one, and then you see that it was open for the entire world to see and misuse. This is exactly what happened when researchers found two million .git folders exposed. In other news, a new variant of the Ursnif malware is here to wreak havoc. Keep your eyes on it! And, here are the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- Whitworth University confirmed that the data breach this summer was caused by a ransomware attack that may have impacted 5,182 current and former students and staff. Read more: Whitworth confirms it was victim of ransomware attack; warns thousands of students, staff of data breach
- Cybernews researchers spotted around two million .git folders, containing crucial project information, exposed to the public internet. Read more: Playing with fire: millions of .git folders exposed to public
- Most students, including prospective students, of the University of Otago, New Zealand, had their personal information left unprotected for six weeks, a student magazine found. Read more: Prospective students caught up in University of Otago data breach
- Online fine wine dealer iDealwine suffered a data breach that compromised the name, addresses, phone numbers, and email addresses of its customers. Read more: iDealwine suffers a data breach
- A new variant of the Gozi banking trojan, dubbed LDR4, is back as a backdoor trojan that is likely to be used in ransomware attacks, warned Mandiant. Read more: From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind
- Data privacy software Anonos raised $50 million in debt financing round led by GT Investment Partners and facilitated by Aon. Read more: Anonos raises $50 million to fuel customer success and expand global partnership
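The exposed .git folders item above is easy to check for on your own sites. This is an added example, not code from Cybernews or the article: it probes a web root for /.git/HEAD and classifies the response, treating HTTP 200 pages that are really soft-404 error pages as not exposed. The hostnames in the usage block are constructed placeholders; the `fetch` parameter is a hypothetical hook so the logic can be exercised offline.

```python
"""Check whether a web root serves its .git directory (added example, not from the article).

Mitigation, once an exposure is confirmed, is to deny the directory at the web server,
e.g. nginx:  location ~ /\.git { deny all; }
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Tuple

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/main") or a bare
# 40-hex (SHA-1) / 64-hex (SHA-256) object id when HEAD is detached.
_HEAD_RE = re.compile(rb"^(ref: refs/[\w./-]+|[0-9a-f]{40}|[0-9a-f]{64})$")

# Hook type: url -> (http status, first bytes of the body). 0 means connection failed.
Fetcher = Callable[[str], Tuple[int, bytes]]


def classify_git_head(status: int, body: bytes) -> str:
    """Classify a /.git/HEAD response as 'exposed', 'blocked' or 'not-found'."""
    if status in (401, 403):
        return "blocked"          # directory exists but the server refuses to serve it
    if status != 200:
        return "not-found"        # 404, 5xx, redirects not followed, connection failure (0)
    if _HEAD_RE.match(body.strip()[:200]):
        return "exposed"          # body really is a git HEAD file
    return "not-found"            # soft-404: HTTP 200 with an HTML error page


def _http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Default fetcher using only the standard library (no redirects to other hosts needed)."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(512)
    except urllib.error.HTTPError as exc:
        return exc.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""


def check_host(base_url: str, fetch: Fetcher = _http_fetch) -> str:
    """Probe one web root and return the classification of its /.git/HEAD."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    status, body = fetch(url)
    return classify_git_head(status, body)


if __name__ == "__main__":
    # Constructed placeholder hosts; replace with web roots you are responsible for.
    for host in ("https://www.example.invalid", "https://app.example.invalid"):
        print(f"{host}: {check_host(host)}")
```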
Updated on 2022-10-19
New details have emerged on the Medibank ransomware attack, wherein a group of hackers is threatening to release the stolen personal information. Threat actors targeted the IT infrastructure of the Canadian government, affecting members of Parliament and others. Here’s another breach news. Verizon started notifying certain customers of a data breach that impacted their credit card information. Read along to know what transpired in the past 24 hours.
More highlights from the past 24 hours
- The FBI warned against scammers targeting individuals seeking to enroll in the Federal Student Aid program for their payment details, money, and personal details. Read more: FBI: Scammers likely to target US Student Loan Debt Relief applicants
- Digital risk protection services Bolster raised $15 million in a venture capital funding round led by Cervin, Cheyenne Ventures, and Liberty Global Ventures. Read more: Bolster Raises $15 Million to Tackle Fakes and Frauds
- Human risk management startup OutThink raised $10 million in seed funding led by AlbionVC, with Forward Partners, Gapminder, and others as participants. Read more: OutThink Raises $10 Million for Human Risk Management Platform
MagSound attack
A team of academics from the Hong Kong Polytechnic University published details about MagSound [PDF], an attack that uses magnetic interference induced by a wireless charger to send malicious voice commands to a smartphone. Since the voice commands are created using magnetic waves, they are also inaudible to humans. Read more: Inducing Wireless Chargers to Voice Out for Inaudible Command Attacks
“Essentially, we show that the microphone components of smart devices suffer from severe magnetic interference when they are enjoying wireless charging, due to the absence of effective protection against the EMI at low frequencies (100 kHz or below). By taking advantage of this vulnerability, we design two inaudible voice attacks, HeartwormAttack and ParasiteAttack, both of which aim to inject malicious voice commands into smart devices being wirelessly charged. They make use of a compromised wireless charger or accessory equipment (called parasite) to inject the voice, respectively. We conduct extensive experiments with 17 victim devices (iPhone, Huawei, Samsung, etc.) and 6 types of voice assistants (Siri, Google STT, Bixby, etc.). Evaluation results demonstrate the feasibility of two proposed attacks with commercial charging settings.”
CCC conference canceled again
The Chaos Computer Club has canceled its yearly security conference for the second year in a row, citing the uncertainty around the state of the COVID-19 pandemic and what requirements will be later this year in December. Read more: Kein Congress 2022: Wir freuen uns auf dezentrale Alternativen und das Camp 2023
New tool—Antignis
EU cybersecurity firm Hunt&Hackett released this week a new tool called Antignis that can create firewall rules based on a host’s context, configuration, and usage patterns. The company said they plan to make the tool available via GitHub later this week. Read more: Introducing Antignis: A data driven tool to configure Windows host-based firewall
New tool—SAM
BSI, the German cybersecurity agency, released a new tool this week named SAM (System Activity Monitor) that extends the default Windows ETW (Event Tracing for Windows) to enable the recording of extra parameters and events on Windows systems, which could later be used for debugging or incident response. Read more: Telemetrie Monitoring Framework
Gafgyt
SecurityScorecard malware analyst Vlad Pasca published a report this week on the Gafgyt IoT malware strain, also known as Bashlite. Read more: [Report] A Detailed Analysis Of The Gafgyt Malware Targeting IoT Devices
ProxyRelay
Security researcher Orange Tsai published details on ProxyRelay, the fourth major vulnerability he found in Exchange servers. His previous findings include well-known vulnerabilities like ProxyLogon, ProxyOracle, and ProxyShell. Read more: A New Attack Surface on MS Exchange Part 4 – ProxyRelay!
Git security updates
The Git Project released security updates for the Git versioning system this week. GitHub said none of these issues affect its service. Read more:
Oracle CPU
The quarterly Oracle security updates are out, with patches for 370 vulnerabilities. Read more: Oracle Critical Patch Update Advisory – October 2022
Magento patch warning
Web security firm Sansec warned users of the Magento e-commerce platform to look into upgrading their online stores to the latest version of the CMS rather than installing a security hotfix patch released for older versions.
CYBERCOM cleans its network
US CYBERCOM said it executed what the agency described as a global cyberspace defensive operation earlier this month between October 3 and 14. CYBERCOM said the operation focused on internal DOD systems, where together with its partners, the agency searched, identified, and mitigated “publicly known malware.” Read more: CYBERCOM executed global cyberspace defensive operation
Chinese hackers scanning US political party domains
The Washington Post reported on Tuesday that the FBI has notified US political parties that Chinese threat actors are scanning their domains ahead of the upcoming midterm election in what appears “a potential precursor to hacking operations.” Read more: Chinese hackers are scanning state political party headquarters, FBI says
IDF’s first-ever cyberattack
Israeli news outlet Ynet has a cool feature on the Israel Defense Forces’ first-ever cyber operation, way back in the 90s.
Loan forgiveness scams
With news that the Biden administration is preparing to forgive some student loans, the FBI published a warning this week about the potential email, phone, and web scams that may arise in the coming months. The FBI said scammers would most likely try to obtain personally identifiable information, financial information, or payment from US citizens who are eligible for student loan forgiveness, and the agency reminded everyone that the US government does not intend to charge any processing fees for this process. Read more: Potential Fraud Schemes Targeting Individuals Seeking Federal Student Loan Forgiveness
Reporter accuses law firm of hacking
Former WSJ reporter Jay Solomon has accused Philadelphia-based law firm Dechert LLP of hiring Indian hackers to compromise his email account and using the stolen information to have him fired. Solomon’s public statement comes after Iranian-American aviation executive Farhad Azima, one of his former sources, also sued the same law firm last week, together with a New York City public relations company and an Israeli private investigator, accusing the three of conspiring to hack his email account, tamper with witnesses who are part of ongoing litigation, and even leak information to the press. Read more:
- Former WSJ reporter says law firm used Indian hackers to sabotage his career
- Aviation executive sues law firm Dechert, others over hacking claims
New UEFI bootkit sold in underground forums
Eclypsium CTO Scott Scheferman spotted an ad on an underground hacking forum for Black Lotus, a new UEFI rootkit being sold to cybercrime gangs for a meager $5,000.
The features that stand out to me the most, I’ve captured in bullet form.
- Written in assembly and C, only 80kb in size
- Works globally other than in CIS states, filterable by Geo, etc.
- Anti-VM and Anti-Debug with Code Obfuscation
- Bypasses UAC, Secure Boot, and Can Load Unsigned Drivers
- Disables HVCI, BitLocker, Windows Defender
- Persists on the UEFI with Ring 0 agent protection
- Fully featured Install Guide with SOPs and FAQ’s
- Stable and scales to a high number of bots, full backend API (PHP/SQL)
- Fully featured tasking, file transfer, robust security, all needed functionality possible to persist and operate indefinitely within an environment undetected (perhaps for years, akin to current UEFI implants in the wild that are discovered 2-5 years after they begin)
- Vendor independent, uses a signed bootloader if Secure Boot enabled, wild distribution potential across IT and OT environments.
Israel backdoored the Netherlands’ wiretapping system
Guilhem Giraud, a former employee of the French internal security service DGSI, revealed in a book published last month that during a visit for exchange of experience in 2006 with their Dutch counterparts, Dutch officials revealed that they found a backdoor in equipment supplied by an Israeli vendor to the country’s Driebergen communications wiretapping center. Giraud said the 2006 visit and the candid disclosure from Dutch officials was one of the reasons why French authorities built the PNIJ interception platform using only homemade systems, taking what he described as a “no Israeli suppliers” approach. After the book made some waves in the Netherlands last week, a spokesperson for the Dutch government rebuffed Giraud and told local newspaper de Volkskrant that the backdoor story was just “nonsense.” Read more: ‘Backdoor in the police’s national wiretapping system, Israelis could listen in’
KataOS
Google open-sourced last week KataOS, a “secure” operating system written in the Rust programming language, designed for smart IoT devices. The OS is definitely an early alpha and a work in progress. Use appropriately. Read more: Announcing KataOS and Sparrow
BitKeep hack
Cryptocurrency wallet application BitKeep said an attacker exploited a bug in its platform to steal roughly $1 million worth of crypto from its customers. The company said it would reimburse all users who lost funds.
Parler leak
Workweek CEO Adam Ryan revealed this week that right-wing social media site Parler accidentally exposed the personal email addresses of more than 300 of its verified users in a marketing email. This is your typical case of confusing the CC and BCC fields.
Updated on 2022-10-18
It’s just the second day of the week and we already have a handful of data breaches. Three healthcare entities fell victim to three disparate data breach incidents; all affecting hundreds of thousands of individuals. Researchers also discovered the Winnti group attacking government entities in Hong Kong for a year. Here are the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- Pennsylvania-based Keystone Health recently disclosed suffering a data breach in August that possibly impacted the personal details, including PHI, of 235,237 patients. Read more: Keystone Health Data Breach Impacts PHI of 235K Individuals
- A vendor of Seton Medical Center recently fell victim to a phishing attack that potentially exposed the names, dates of birth, clinical information, and medical record numbers of its patients. Read more: Phishing incident may have exposed Seton patient names, clinical information
- The HHS Office for Civil Rights (OCR) data breach portal revealed that a healthcare data breach impacted 13 anesthesia providers and over 380,000 individuals. One victim is the Anesthesia Associates of El Paso’s management company.
- The FBI warned that Chinese hackers are scanning Democratic and Republican state party headquarters for vulnerable systems that could be hacked ahead of the elections. Read more: Chinese hackers are scanning state political party headquarters, FBI says
Updated on 2022-10-17
The nation-state cyber threat activity does not seem to take a pause. In a recent wave of cyberattacks, Russian threat actors targeted multiple Bulgarian government offices in a massive DDoS attack. In other incidents, the LockBit operators pressured a Japanese tech company to pay a ransom, and an Australian retail marketplace company was hit by an attack that affected around 2.2 million customers. Continue reading for the top ten cybersecurity highlights from the weekend.
More highlights from the past 24 hours
- The infrastructure of multiple government institutions in Bulgaria, including the Ministry of Internal Affairs, Defence, and Justice, and the Constitutional Court, was hit by a massive DDoS attack. Investigation revealed that the attack originated from Magnitogorsk, Russia. Read more: Government institutions in Bulgaria have been hit by a cyber attack during the weekend, experts believe it was launched by Russian threat actors.
- A local government authority in London, Hackney Council, spent over $11.7 million to recover the sensitive data and systems compromised in a devastating cyberattack caused by Pysa/Mespinoza ransomware in October 2020. Read more: Hackney Council Ransomware Attack Cost £12m+
- More than 45,000 VMware ESXi servers reached end-of-life, putting the software users at risk of vulnerabilities. VMware will no longer provide software and security updates unless companies purchase an extended support contract. Read more: Over 45,000 VMware ESXi servers just reached end-of-life
- Scammers are using Hurricane Ian—the deadliest hurricane to strike the state of Florida since 1935—as a lure to steal personal information and relief funds from the Federal Emergency Management Agency (FEMA). Read more: Cybercriminals use Hurricane Ian as lure for scams, theft of FEMA funds
New tool—RansomLook
Malware analyst @F_kZ_ open-sourced a new tool named RansomLook that can monitor the dark web leak sites of ransomware groups and data extortion groups to retrieve recently listed victims. Read more: RansomLook
New tool—Monkey365
Security researcher Silverhack open-sourced a new tool called Monkey365, a PowerShell module that can be used to audit Azure cloud environments and their security configurations. Read more: silverhack/monkey365
New tool—Regulator
US software engineer Peter Crampton developed and open-sourced a new tool named Regulator that uses a novel subdomain enumeration technique. Read more:
Cybersecurity awareness month
Here’s something to be aware of this “cybersecurity awareness” month—namely, bad cybersecurity advice.
Telegram username leak
Like clockwork, ten days after Telegram founder Pavel Durov aggressively attacked WhatsApp for “containing security issues,” security researchers have found a major leak of Telegram usernames in encrypted communications.
PAN bypass
Palo Alto Networks fixed this week an authentication bypass vulnerability (CVE-2022-0030) in its PAN-OS operating system, used for its firewalls and other networking devices. Read more: CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface
Linux WLAN RCEs
The Linux kernel team has fixed five vulnerabilities in the Linux WiFi component that could be exploited via booby-trapped WLAN frames. Read more: [oss-security] Various Linux Kernel WLAN security issues (RCE/DOS) found
“During their research they found multiple more problems in the WLAN stack, exploitable over the air.”
Prynt infostealer
CYFIRMA researchers noted an increase in malware operations deploying the Prynt infostealer in the wild, which is somewhat baffling, especially after the discovery of a recent backdoor in the malware’s code. Read more:
- Infostealer Prynt Malware a Deep Dive into Its Process Injection Technique
- No Honor Among Thieves – Prynt Stealer’s Backdoor Exposed
Puerto Rican student sentenced for hacking
Iván Santell-Velázquez, a former University of Puerto Rico (UPR) student, was sentenced to 13 months in prison for hacking the university email and Snapchat accounts of more than 100 fellow female students and publishing their nude pictures on social media. Read more: Student Who Hacked Over a Dozen Email and Snapchat Accounts of Female Students from the University of Puerto Rico Sentenced to 13 Months in Prison
RansomCartel
PAN’s Unit42 threat intel team published a report on Ransom Cartel, a data extortion group that surfaced in December 2021 and which researchers believe might be a front for the old REvil ransomware group. Read more: Ransom Cartel Ransomware: A Possible Connection With REvil
Bored Ape phishers detained
French authorities detained five suspects in Paris last week on suspicion that they orchestrated a sprawling phishing campaign throughout 2021 and 2022 that targeted owners of Bored Ape NFTs. According to authorities, the group is believed to have stolen NFTs worth $2.5 million (at the time of the thefts, of course). French press credited cryptocurrency blockchain investigator ZachXBT with initially tracking down the five suspects back in August. Read more:
- Bored Ape: five people placed under formal investigation in Paris over the theft of an NFT collection
- Scammers In Paris
Microsoft didn’t update driver blocklist for two years
Microsoft has confirmed that since 2019, for more than two years, its staff has failed to push new updates to a blocklist that would have prevented the installation of known vulnerable drivers on its Windows operating system. The company’s admission comes after cybersecurity firms started noting a trend in BYOVD (Bring Your Own Vulnerable Driver) exploits, which are attacks where threat actors install and exploit a vulnerable driver to elevate their access on a system instead of attacking the OS itself. The existence, rise, and continued success of these attacks showed that Microsoft had not been updating its driver blocklist, despite its public claims. Read more: How a Microsoft blunder opened millions of PCs to potent malware attacks
Drones dropping zero-days
Here’s a great thread by @Laughing_Mantis about a real world breach involving a drone-delivered exploit system that allowed the attackers into the target’s Confluence instance “in order to target other internal devices from credentials stored there.” It just goes to show that attackers are spending big for one-time attack scenarios, said @Laughing_Mantis. Read more: How Wi-Fi spy drones snooped on financial firm
The Google plasma globe affair of 2012
Fascinating notes from @lcamtuf, the creator of an internal Google red team exercise involving an “evil” USB-powered plasma globe, which when plugged in would register as a keyboard and deliver a malicious payload. Why, you might ask? It was at a time when USB threats weren’t fully explored. Plus, bonus video. Read more:
Secret agents targeting drug cartels in Australia exposed in breach
What on earth is going on in Australia? First, Optus was breached, then Telstra, and now the Australian Federal Police is mopping up after a massive breach of emails from the Colombian government apparently exposed the identities and methods of agents working to stop drug importations to Australia. The leak contains information on 35 AFP operations — some still active, reports the Herald, which delayed publication to reduce the risk of endangering the lives of agents and informants. Many of the emails were in Spanish and were reviewed by reporters. Guacamaya, the hacktivist group with environmental motives which also recently hacked the Mexican military, claimed responsibility for the breach. Read more:
- Secret agents targeting drug cartels in Australia exposed in data hack
- Optus could face millions in fines as two new data breach investigations launched
- Australia’s Telstra hit by data breach, two weeks after attack on Optus
- Mexico Military Is Hacked, Exposing Abuse and Efforts to Evade Oversight
- AFP classified documents hacked in data leak, exposing agents fighting drug cartels
- Australian police secret agents exposed in Colombian data leak
- Woolworths says data of online unit’s 2.2 mln users breached
- High-Value Targets: String of Aussie Telco Breaches Continues
Chinese tech threatens future global security, U.K. spy chief warns
In a spicy speech in London, the head of Britain’s signals intercept agency GCHQ warned of a growing threat from China amid claims the country is effectively trying to export its authoritarianism around the world. Jeremy Fleming (side note: what an extremely English name) said that technologies like its digital currency and satellites “deliberately and patiently set out to gain strategic advantage by shaping the world’s technology ecosystems.” Without action from like-minded allies — presumably the Five Eyes and beyond — the “divergent values of the Chinese state will be exported through technology,” said Fleming, who called it a “huge threat to us all.” Rare speech from a top British spy, but wow, let’s keep it light? Read more:
- Chinese Tech Threatens Future Global Security, U.K. Spy Chief Warns
- Fear driving China’s tech manipulation poses threat to all – UK spy chief
- Chinese technology poses major risk – GCHQ Chief
- UK spy chief: Britain must invest more to counter China’s tech dominance
Updated on 2022-10-14
Right when you think you have recovered from a ransomware attack, the blow of a data leak arrives. This is what a healthcare entity in Barcelona is facing at the moment. Remember the cyberattack on Advanced that disrupted 111 operations? The MSP has now confirmed that some customer data was definitely stolen in the attack. In another vein, the Ducktail infostealer has appeared in a new guise, posing as a free app for a variety of services. Read along for the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- Hackers broke into the computer systems of the Church of Jesus Christ of Latter-day Saints and stole personal data—usernames, membership record numbers, contact details, and more—the Mormon Church said. Read more: Mormon Church IT ransacked, data stolen by ‘state-sponsored’ cyber-thieves
- A new threat cluster, dubbed WIP19, was observed targeting IT and telecom service providers in Asia and the Middle East. The group leverages a legitimate, stolen digital certificate issued by DEEPSoft. Read more: WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware
- WithSecure researchers discovered that MS Office 365 email encryption could expose messages, due to the use of a weak block cipher operation mode. Read more: Microsoft Office 365 email encryption could expose message content
- Data privacy platform DataGrail, bagged $45 million in Series C round led by Third Point Ventures, with Cloud Apps Capital, Felicis Ventures, and others as participants. Read more: DataGrail Raises $45 Million for Data Privacy Platform
- Cloud email protection platform Red Sift announced the acquisition of Hardenize, a comprehensive security tool. The terms of the deal were not disclosed. Read more: Red Sift acquires Hardenize to enhance its email security solutions
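The WithSecure item above turns on the block cipher mode of operation, which in that case was ECB. The following added example (not code from WithSecure or Microsoft) shows why ECB leaks message structure even when the key is secret, and why a chaining mode such as CBC does not. To stay self-contained it uses a toy 4-round Feistel block cipher built on SHA-256 in place of AES; that toy cipher, the key and the message are all constructed for the demonstration and are not suitable for real use.

```python
"""ECB vs CBC: equal plaintext blocks under ECB give equal ciphertext blocks,
so the shape of a message survives encryption; CBC chains each block into
the next, so repeats disappear. Added example; the block cipher below is a
toy 8-byte Feistel network (an assumption for self-containment), not AES."""
import hashlib
import os

BLOCK = 8  # toy block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Keyed round function. Invertibility comes from the Feistel structure,
    # so any keyed PRF works here; SHA-256 is just what the stdlib offers.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def toy_encrypt_block(block: bytes, key: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(right, key, i))
    return left + right


def toy_decrypt_block(block: bytes, key: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):  # undo the rounds in reverse order
        left, right = _xor(right, _round(left, key, i)), left
    return left + right


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "example uses block-aligned input"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Each block is encrypted independently: identical input, identical output.
    return b"".join(toy_encrypt_block(b, key) for b in _blocks(plaintext))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = toy_encrypt_block(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(toy_decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def distinct_block_count(ciphertext: bytes) -> int:
    """How many different ciphertext blocks an observer sees."""
    return len(set(_blocks(ciphertext)))


# Constructed message: four identical 8-byte blocks followed by one that differs.
MESSAGE = b"APPROVED" * 4 + b"DENIED!!"
KEY = b"constructed-demo-key"


def demo():
    """Returns (distinct ECB blocks, distinct CBC blocks, CBC round-trip ok)."""
    iv = os.urandom(BLOCK)
    ecb = ecb_encrypt(MESSAGE, KEY)
    cbc = cbc_encrypt(MESSAGE, KEY, iv)
    return (distinct_block_count(ecb),
            distinct_block_count(cbc),
            cbc_decrypt(cbc, KEY, iv) == MESSAGE)


if __name__ == "__main__":
    print(demo())
```

With five plaintext blocks, ECB yields only two distinct ciphertext blocks, so anyone holding the ciphertext can tell that blocks one to four carry the same content; CBC yields five. The practical check for a defender reviewing an encryption feature is the same one this code performs: encrypt a repetitive input and count repeated ciphertext blocks.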
Hulio founds new infosec firm
Former NSO Group CEO Shalev Hulio and former Austrian chancellor Sebastian Kurz have founded a new company called Dream Security. According to Israeli news outlet Globes, the new company will focus on providing defensive security services to the EU industrial sector and has already raised more than $20 million in funding. Read more: Former NSO CEO and ex-Austrian Chancellor found startup
Unofficial extended security updates
Acros Security said it plans to continue to offer security updates for Windows 7 and Windows Server 2008 R2 systems through its 0patch micro-patching service. Microsoft officially ended support for both operating systems in 2021 and has continued to offer paid security updates to enterprise customers through its Extended Security Updates (ESU) program. Support for both OSes in ESU will end in January 2023, but Acros said it plans to support both for two extra years, until 2025, through its 0patch service. Read more: Two More Years of Critical Security Patches for Windows 7 and Windows Server 2008 R2
Timing attack on npm API
AquaSec researchers discovered a security flaw in the npm API that reveals whether an organization has private packages: a timing attack run against a list of candidate names can then confirm which of those names belong to the organization. GitHub refused to fix the issue. Read more: Threat Alert: Private npm Packages Disclosed via Timing Attacks
Review of Chinese APTs
Booz Allen Hamilton has published a report reviewing recent Chinese offensive cyber-espionage operations, which also includes a comprehensive catalog of threat actors and their tactics. Read more: How to prepare today for cyber threats from China
WIP19
SentinelOne said it’s been tracking a new Chinese-speaking threat group (WIP19) that has been targeting telecommunications and IT service providers in the Middle East and Asia. SentinelOne says WIP19 uses legitimate, stolen certificates to sign novel malware, including a new credentials dumper, ScreenCap, and new SQLMaggie malware. Read more:
- WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware
- MSSQL, meet Maggie
Icarus Stealer
OALabs published an analysis of the Icarus infostealer. Read more: Icarus Stealer – What is it?
Phishing targets election workers
US cybersecurity firm Trellix said it detected a malicious email campaign that has targeted county workers managing US local election infrastructure. Election workers in Arizona and Pennsylvania were targeted months before their states’ primary elections cycles. The malicious emails tried to lure workers on phishing sites and steal their credentials. Read more: 2022 Election Phishing Attacks Target Election Workers
Project DDOSIA
A pro-Russian hacktivist group named NoName057(16) launched a program this month called DDOSIA, through which the group claims to pay contributors who download their tool and launch DDoS attacks against western targets. Read more:
- Pro-Russian Group Targeting Ukraine Supporters with DDoS Attacks
- Russian DDoS attack project pays contributors for more firepower
New type of ATM MitM/relay attack detected
The European Association of Secure Transactions (EAST), an industry group of banks and ATM vendors, said it’s aware of at least 501 cases of ATM thefts where attackers used a new type of ATM MitM/relay attack to intercept and steal customer funds. “Our Expert Group on All Terminal Fraud (EGAF) is monitoring and analysing these attacks, with close cooperation between industry partners and law enforcement in the affected countries,” EAST Executive Director Lachlan Gunn said in the organization’s half-year H1 2022 report [PDF]. Read more: New fraud type adds to surge in European Terminal Fraud attacks
Web attacks in Q3 2022
Similarly to Cloudflare, GoDaddy’s Sucuri team has also published its quarterly web malware threat report for Q3 2022. Read more: SiteCheck Malware Trends Report – Q3 2022
The report, which is also summarized in a video, includes data from 260,101 website infections.
Midterm election InfoOps
Recorded Future has a report on the possible sources of malign influence operations that are likely to take place during the upcoming US Midterm Elections. The usual suspects include Russia, China, Iran, and, from within, the many right-wing extremist groups that have popped up inside the US in recent years. Read more: Malign Influence During the 2022 US Midterm Elections
The real reason to ban TikTok
In an op-ed for Cyberscoop, Dakota Cary of the Krebs Stamos Group argues that the real reason for the US to ban TikTok is because of the risk of manipulation of public sentiment in favor of the Chinese government and not because of its data security practices. Read more: The reason to ban TikTok has nothing to do with data security
Russia looks to create its own GitHub
The Russian Ministry of Digital Development is looking to create a “national open source repository” to host public open source projects that could be safely used inside the country. Work will begin on this new project on November 1, 2022, and the ministry hopes to have the service running by April 30, 2024. Russia will become the second country after China (Gitee) to create its own GitHub-like clone. Read more: A national open source code repository will appear in Russia
OpenSSL withdraws faulty versions
The OpenSSL project has withdrawn v3.0.6 and v1.1.1r, two versions of the OpenSSL library it released a day earlier, after it received reports of serious performance regressions. Read more: Withdrawal of OpenSSL 3.0.6 and 1.1.1r
RSS feed for MSFT security updates
After years of pleadings from its customers, Microsoft has finally made available an RSS feed for its security updates portal. Pop the champagne bottles! Read more:
- Improvements in Security Update Notifications Delivery – And a New Delivery Method
- MSRC Security Update Guide RSS Feed
Firefox Relay can now protect phone numbers
Mozilla has added a phone number masking feature to Firefox Relay, an anonymization service it launched in 2020 to help users hide their real email addresses from snoopy online services. Phone number masking will be a paid feature. Read more:
- Protect your privacy and your phone number with Firefox Relay
- Protect your true email address to help control your inbox
Signal removes SMS/MMS support
Signal said it plans to stop supporting the ability to send and receive SMS and MMS messages via its Android app as a way to improve user privacy and security. The feature was only supported in its Android app and was a leftover from the Signal service’s early days when it was known under the name of TextSecure. Read more: Removing SMS support from Signal Android (soon)
ProtonMail adds support for security keys
Proton, the company behind ProtonMail, one of the largest secure email service providers outside the Gmail-Outlook-Yahoo trifecta, added support this week for securing accounts with a hardware-based security key. Read more: Protect your Proton Account with YubiKey and other keys
New W3C security standard
The W3C has published the first draft of a new specification that will standardize password reset URLs to a default format:
The standard was proposed by two Apple engineers, Ricky Mondello and Theresa O’Connor, and the idea behind it is to make password reset URLs across all modern websites discoverable for automated tools, which could then help users change passwords across multiple services at once. Read more: A Well-Known URL for Changing Passwords
QANplatform hack
The QANplatform cryptocurrency bridge said it lost an estimated $2 million worth of cryptocurrency after an attacker gained access to one of its hot wallets. Read more: QANX Bridge wallet disclosure analysis [continuously updated]
Updated on 2022-10-13
Another day, another crypto theft. This time, a crypto trading platform lost a hundred million dollars to attackers. Researchers discovered a Chinese cyberespionage group targeting strategically significant U.S. entities. The Vice Society group, reportedly, bagged another educational institution as its victim. That’s all for this section. Now, read along for the latest highlights from the past 24 hours.
More highlights from the past 24 hours
- YoWhatsapp, an unofficial WhatsApp version, was found deploying the Triada trojan to steal WhatsApp account keys for further malicious actions. Read more: Malicious WhatsApp mod distributed through legitimate apps
- Cyber training platform Immersive Labs raised $66 million in a new funding round led by Ten Eleven Ventures, with participation from Summit Partners, Insight Partners, and others. Read more: Cyber training platform pulls in another $66M after post-pandemic remote working increases cyber threats
- Cybersecurity company Stairwell raised $45 million in Series B funding led by Section 32, with participation from Sequoia Capital, Accel, and others. Read more: Stairwell raises $45 million to secure organizations against emerging malware threats
Updated on 2022-10-12
It ain’t over until it’s over. A major healthcare entity disclosed that thousands of additional individuals were impacted by an April breach. LockBit ransomware is once again making the news as its affiliates attempt to exploit Exchange servers. In other news, COVID-themed phishing attacks are back after a brief hiatus. Here are the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- Omnicell revealed that the data breach from April has impacted a further 64,000 individuals, bringing the total number of affected individuals to 126,000. Read more: 64,000 Additional Patients Impacted by Omnicell Data Breach – What is Your Data Breach Action Plan?
- The 1.5GB Turkish database, containing the data of 46 million citizens, that was leaked in 2016, is now being resold and offered for free on several underground forums. Read more: Turkish Database Leak being resold
- INKY found that COVID-19 phishing messages doubled in September as compared to the previous three months, and are expected to rise further. The emails impersonate the U.S. SBA and exploit Google Forms. Read more: Google Forms abused in new COVID-19 phishing wave in the U.S.
- The White House National Security Council will announce plans for a consumer products cybersecurity labeling program that will enhance the digital security of internet-connected devices. Read more: White House to unveil ambitious cybersecurity labeling effort modeled after Energy Star
- In a definitive agreement, Thoma Bravo is to acquire Identity and Access Management (IAM) software firm ForgeRock, in an all-cash transaction valued at $2.3 billion. Read more: Thoma Bravo acquires ForgeRock for $2.3 billion
- Cross-device privacy app IronVest raised $23 million in seed funding led by Accomplice, with participation from Ulysses, Trust Ventures, and others. Read more: IronVest Emerges from Stealth to Transform Personal Online Security and Privacy, Closes $23 Million Seed Funding Round
Another crypto bug reported by the NSA
Microsoft also rolled out a patch for CVE-2022-34689, a critical-rated vulnerability in the Windows CryptoAPI. Discovered and reported to Microsoft by the US NSA and UK NCSC, this vulnerability can allow attackers to manipulate public X509 certificates “to spoof their identity and perform actions such as authentication or code signing as the targeted certificate,” which is the type of vulnerability that you almost certainly don’t want in your enterprise environment. This also marks the third or fourth bug (around there, we lost count) reported by the NSA in Windows’ cryptographic systems over the past two years. Read more: Windows CryptoAPI Spoofing Vulnerability CVE-2022-34689
Patch Tuesday
Yesterday was October’s Patch Tuesday, with security updates released by Adobe, Apple, Microsoft, SAP, Google (Android and Chrome), and others. Patches for the two recent Exchange zero-days were not included in yesterday’s Patch Tuesday, but there was a fix for another zero-day, CVE-2022-41033, a vulnerability in the Windows COM service. Read more:
- Windows COM+ Event System Service Elevation of Privilege Vulnerability
- Google Chrome Stable Channel Update for Desktop
- Android Security Bulletin—October 2022
- SAP Security Patch Day
- Microsoft CVE Summary
- Apple security updates
- Adobe Security Bulletins and Advisories
Stalloris RPKI downgrade attack
Something we missed in May was Stalloris, the first-ever downgrade attack on RPKI. Read more: Stalloris: RPKI Downgrade Attack
“We demonstrate the first downgrade attacks against RPKI. The key design property in RPKI that allows our attacks is the tradeoff between connectivity and security: when networks cannot retrieve RPKI information from publication points, they make routing decisions in BGP without validating RPKI. We exploit this tradeoff to develop attacks that prevent the retrieval of the RPKI objects from the public repositories, thereby disabling RPKI validation and exposing the RPKI-protected networks to prefix hijack attacks. We demonstrate experimentally that at least 47% of the public repositories are vulnerable against a specific version of our attacks, a rate-limiting off-path downgrade attack. We also show that all the current RPKI relying party implementations are vulnerable to attacks by a malicious publication point. This translates to 20.4% of the IPv4 address space.”
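The quoted abstract describes a fail-open design: a relying party that cannot fetch RPKI objects ends up with no ROAs, every route becomes "not-found", and the usual "drop only invalid" policy then accepts a hijack. The following added example (not the Stalloris authors' code) implements the route origin validation matching rules and a minimal relying-party model to show that downgrade. The publication point, ROAs, prefixes and ASNs are constructed from documentation ranges, and the model collapses the real-world delay (cached objects expiring after fetches fail) into a single refresh step.

```python
"""Route Origin Validation (the RFC 6811 matching rules) plus a small
relying-party model illustrating the RPKI fail-open tradeoff: once objects
cannot be fetched and the cache is gone, validation silently becomes a no-op.
Added example, not the paper's code; all data below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass(frozen=True)
class ROA:
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin may announce
    asn: int          # authorised origin AS


def rov_state(route_prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """Classify a BGP route as 'valid', 'invalid' or 'not-found'."""
    route = ip_network(route_prefix)
    covering = [r for r in roas
                if ip_network(r.prefix).version == route.version
                and route.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"       # no ROA says anything about this prefix
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"             # covered, but wrong origin or too specific


class PublicationPoint:
    """Stand-in for an RPKI repository. `reachable = False` models the effect
    of the rate-limiting off-path attack: the relying party's fetches fail."""

    def __init__(self, roas: List[ROA]):
        self.roas = list(roas)
        self.reachable = True

    def fetch(self) -> List[ROA]:
        if not self.reachable:
            raise ConnectionError("publication point unreachable")
        return list(self.roas)


class RelyingParty:
    """Validator cache feeding a router. Real RPs keep objects until they
    expire; the attack waits that out, so here a failed refresh drops them
    unless `keep_last_known_good` is set (a modelling switch, not a feature
    of any specific RP implementation)."""

    def __init__(self, pp: PublicationPoint, keep_last_known_good: bool = False):
        self.pp = pp
        self.keep_last_known_good = keep_last_known_good
        self.roas: List[ROA] = []
        self.fetch_failures = 0   # the signal a defender should alert on

    def refresh(self) -> None:
        try:
            self.roas = self.pp.fetch()
            self.fetch_failures = 0
        except ConnectionError:
            self.fetch_failures += 1
            if not self.keep_last_known_good:
                self.roas = []    # from here on every route is 'not-found'

    def accept_route(self, prefix: str, origin_asn: int) -> bool:
        # Common operator policy: reject only 'invalid'; 'not-found' must be
        # accepted because much of the routing table still has no ROA.
        return rov_state(prefix, origin_asn, self.roas) != "invalid"


def hijack_demo(keep_last_known_good: bool = False):
    """Returns (accepted before the outage, accepted during the outage) for
    192.0.2.0/24 announced by AS64511, which no ROA authorises."""
    pp = PublicationPoint([ROA("192.0.2.0/24", 24, 64496)])
    rp = RelyingParty(pp, keep_last_known_good)
    rp.refresh()
    before = rp.accept_route("192.0.2.0/24", 64511)   # invalid: rejected
    pp.reachable = False                                # fetches start failing
    rp.refresh()
    after = rp.accept_route("192.0.2.0/24", 64511)
    return before, after


if __name__ == "__main__":
    print("fail-open:", hijack_demo(), "cached:", hijack_demo(True))
```

The point for operators is in `fetch_failures`: a relying party that cannot reach a publication point is not "working with less data", it is on its way to validating nothing, so repeated fetch failures deserve the same alerting as a validator outage.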
Siemens PLC hardcoded key
Claroty researchers developed a new method to extract master encryption keys embedded within the Siemens SIMATIC S7-1200/1500 PLC and TIA Portal product lines. These keys can be used to bypass security features on these products and compromise devices. Read more:
- The Race to Native Code Execution in PLCs: Using RCE to Uncover Siemens SIMATIC S7-1200/1500 Hardcoded Cryptographic Keys
- Researchers extract master encryption key from Siemens PLCs
Gwisin/Ghost ransomware
KISA, the South Korean cybersecurity agency, has put out a technical report on the Gwisin/Ghost ransomware. Other reports on the same ransomware are also available from AhnLab and SK Shielders. Read more:
- (ENG) TTPs #8: Operation GWISIN – Analysis on Fully Customized Ransomware Attack Strategies
- Gwisin Ransomware Targeting Korean Companies
- SK Shielders Top-CERT discloses Gwisin ransomware attack strategies and response measures
Cryptominers account for 65% of GCP incidents
In its quarterly threat report [PDF], Google Cloud said that 65% of the security incidents that impacted its customers’ servers during the second quarter of 2022 were linked to infections with crypto-mining malware. In most cases, the attackers gained access to customer infrastructure by using weak passwords for services like SSH, WordPress, and RDP.
UA Cyber Police chief killed in Russian bombing
Yuriy Zaskoka, the chief of Ukraine’s Cyber Police department, was killed following a Russian missile strike aimed at civilian infrastructure in the Kyiv city center, the agency confirmed on Monday. Read more: A cyber police officer was killed as a result of Russia’s missile strike on Kyiv
US fines Bittrex
The US Treasury’s Financial Crimes Enforcement Network (FinCEN) has fined cryptocurrency platform Bittrex $29.2 million for failing to detect and block payments to sanctioned entities and also failing to detect payments related to criminal activity, such as payments to dark web markets and ransomware groups. FinCEN said Bittrex made over 116,000 transactions valued at over $260 million to sanctioned entities and connected to criminal activity over the past few years. Read more: FinCEN Announces $29 Million Enforcement Action Against Virtual Asset Service Provider Bittrex for Willful Violations of the Bank Secrecy Act
“Bittrex failed to implement effective transaction monitoring on its trading platform, relying on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day.”
Belgium wants better anti-phishing support
Eva De Bleeker, the State Secretary for the Belgian Consumer Protection Agency, has been quietly pushing local banks to provide 24/7 customer support for victims of phishing attacks and help them lock accounts before money can be stolen. De Bleeker said that most banks have complied with her request but “it should soon become apparent that some banks remain stubborn.” Read more: Phishing: De Bleeker wants to crack down on unreachable banks and calls for a system of ‘slow banking’
Forced to delete notebooks and files
Peiter “Mudge” Zatko, Twitter’s former head of security, alleged that Twitter management forced him to burn notebooks and delete files in order to get his severance package. According to Bloomberg, citing court documents unsealed this week, this included burning 10 handwritten notebooks and deleting 100 computer files. Read more: Musk Claims Twitter Ordered Whistle-Blower to Destroy Evidence
Brute-force protection for local admin accounts now generally available
With yesterday’s Patch Tuesday security updates, Microsoft has also enabled a new feature by default for all Windows OS versions that will lock and freeze all local admin accounts for 10 minutes after 10 failed login attempts. The feature is meant to be Microsoft’s best protection against brute-force attacks, including those carried out via RDP, that have served as an initial entry for many cybercrime and cyber-espionage operations over the past years. A similar feature to block SMB-based brute-force attacks is also in the works. Read more:
- KB5020282—Account lockout available for local administrators
- SMB authentication rate limiter now on by default in Windows Insider
New Stealth protocol
The Proton VPN provider said it developed a new protocol called Stealth designed to help its users avoid detection and bypass internet censorship and VPN blocks in oppressive regimes, corporate networks, or annoying ISPs. Read more: Defeat censorship with Stealth, our new VPN protocol
Android leaks some VPN traffic
VPN provider Mullvad said it identified a vulnerability in the VPN service of the Android operating system that leaks some of the user’s traffic (connectivity checks) outside of the VPN tunnel in a way that Mullvad and other VPN apps cannot prevent or block, even when the “Block connections without VPN” option is turned on in the Android OS VPN settings. Mullvad said it reported the issue to Google, which said it’s intended behavior and does not plan to fix it. Read more: Android leaks connectivity check traffic
New Pixel security features
With the new Google Pixel 7 smartphone set to be released on October 13, Google engineers have put out an overview of the latest security features that come packaged with their new device. This includes a new Safety Center feature to centralize all privacy and security features in one place, automatically clearing clipboard data after an hour, new hardware, and the ability to clear permissions on unused apps on older Android versions via the Google Play app. Read more: Google Pixel 7 and Pixel 7 Pro: The next evolution in mobile security
STAX Finance hack
DeFi platform STAX Finance said it lost $2.3 million after an attacker exploited a bug in TempleDAO, the backbone of its service.
IT-Glue credential stuffing incident
Kaseya enforced a mandatory password reset and MFA setup for customers of its IT Glue platform over the weekend. Kaseya denied rumors that appeared on Reddit—that it might have suffered a security breach—and said in a press release on Monday that the password reset was just a precaution after its IT Glue service dealt with a “concerted credentials stuffing campaign.”
Read more:
- Action Required: Please Reset your IT Glue Password
- Important Statement on Enforced Password Rotation & MFA
Record TV ransomware attack
Brazilian TV station RecordTV was hit by the BlackCat ransomware gang over the weekend. According to local news outlet TecMundo, the attack encrypted the TV station’s file storage servers, preventing employees from accessing recorded materials. As a result of the attack, RecordTV changed its regular programming to air sitcoms for half a day until engineers regained control over their network. Some employees were also sent home on Sunday, but programming has since returned to its normal schedule. Read more: Rede Record sofre ataque cibernético e muda programação às pressas
Updated on 2022-10-11
Killnet is on an attack spree and this time it amassed multiple victims – several major airports in the U.S. SingTel suffered its second Australian subsidiary data breach, leaving hundreds of thousands of customer records compromised. In other news, the dark web got a new PhaaS platform, which has made it elementary for wannabe threat actors to launch their attacks. Read along for more highlights from the past 24 hours.
More highlights from the past 24 hours
- Mobile network carrier SingTel is dealing with another subsidiary data breach after hackers published sensitive information of 129,000 customers and 23 enterprises belonging to Dialog Group. Read more: Singtel Confronts Multiple Data Leaks
- Hackers took over an Iranian state-operated TV channel to display a message against Ali Khamenei, Iran’s Supreme Leader, for 10 seconds. Read more: Iran State TV Channel Hacked to Show Supreme Leader in Crosshairs
- Bad actors are targeting Solana crypto users with fake NFTs purporting to be a new security update for the Phantom wallet. The victims are then infected with password stealers and their crypto wallets are stolen. Read more: Solana Phantom Targeted by Password-Stealing Malware
- IriusRisk, a threat modeling company, bagged $29 million in Series B funding led by Paladin Capital Group, with additional participation from existing investors. Read more: Series B funding round brings total amount raised to more than $37 million
- Cybersecurity services provider Allurity announced the acquisition of tech-enabled cybersecurity services provider CSIS Security Group, for an undisclosed amount. Read more: Allurity acquires CSIS Security Group to expand its services into new markets
Updated on 2022-10-10
An easy way to promote your offerings to the masses is by giving out free samples. This marketing tactic is also being followed by cybercriminals, who dumped over a million payment card details for free to promote a carding shop. Lightning struck twice: a U.S.-based cancer testing lab suffered another phishing attack in quick succession, right after a previous one in March. A data breach at an Australian produce supplier affected 10% of its customers. Read along to learn what transpired over the weekend.
More highlights from the past 24 hours
- Threat actors stole a database containing 152,000 customer records, including names, emails, hashed passwords, and social media links, from the Turkish branch of Harvard Business Review. Read more: Harvard Business Publishing licensee hit by ransomware
- The State Bar of Georgia notified members and employees of unauthorized access to its systems, which potentially compromised the personal data of some current and former employees, as well as some members. Read more: State Bar of Georgia Notifies Members and Employees of Cybersecurity Incident
- Costa Group, an Australian fruit and vegetable supplier, disclosed suffering a phishing attack in August. Compromised data may include workers’ bank information, passport details, tax file numbers, and superannuation details. Read more: Australian Firm Costa Group Suffers Phishing Attack
- Hartnell College, California, confirmed suffering a ransomware attack that knocked offline its networks. Students were warned to keep an eye on their account statements and credit reports. Read more: Hartnell College struck by ransomware attack, students told to monitor credit reports
- App security provider Pradeo announced the acquisition of app security software firm Yagaan, for an undisclosed amount. Read more: Pradeo acquires Yagaan, strengthens its cybersecurity services unification strategy
New tool—Aftermath
Cybersecurity firm Jamf open-sourced last week a new project called Aftermath, a Swift-based, open-source incident response framework for macOS. Read more: jamf/aftermath
Dompdf vulnerability
Tanto Security disclosed a vulnerability in Dompdf, a popular PHP library used for rendering PDF files from HTML. The vulnerability allows RCE in PHP apps that use it. Read more:
Phisher detained in the Netherlands
Dutch authorities are requesting a three-year prison sentence for a 24-year-old man from Amsterdam accused of carrying out phishing campaigns. According to Dutch authorities, the suspect was detained after he created a phishing template using the text from an authentic banking email he received himself but forgot to remove a link that contained a unique identifier that allowed authorities to track him down. Read more: Drie jaar geëist tegen man die valse betalingsherinneringen namens ANWB verstuurde
Clever cryptominer
Bitdefender researchers have a report on a new cryptominer operation that lures users with pirated and cracked software but then exploits a DLL side-loading vulnerability in the Microsoft OneDrive app to install a cryptocurrency miner on their systems. Bitdefender said the malware infected at least 700 users between May 1 and July 1 this year. Read more: Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild
PseudoManuscrypt
Security firm BitSight said in a report last week that they tracked up to 51,500 systems infected with the PseudoManuscrypt malware until its operators changed their command-and-control infrastructure at the end of August. Since then, the botnet has gone down to around 7,000 daily infected systems. Read more:
- From Zero To 50k Infections – PseudoManuscrypt Sinkholing – Part 1
- PseudoManuscrypt: a mass-scale spyware attack campaign
EU-US data flow agreement
US President Joe Biden signed an executive order on Friday, setting up a new legal framework for personal data transfers between the EU and the US. The new EO is meant to replace the past Safe Harbor and Privacy Shield agreements, both of which were struck down by the European Court of Justice in 2015 and 2020, respectively, for not protecting user data against sprawling signals intelligence collection practices. According to a fact sheet for the new agreement, the White House claims it has added more safeguards, but some EU privacy advocates do not seem impressed. Read more:
- Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities
- FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework
- New US Executive Order unlikely to satisfy EU law
- Biden signs executive order with new framework to protect data transfers between the U.S. and EU
Election company CEO arrested
The Los Angeles County district attorney announced on Tuesday the arrest of Eugene Yu, the CEO of Konnech, the company behind PollChief, an election worker management software platform. US officials said Yu stored the personal details of the app’s users on servers located in China, which is in violation of the data privacy and security clauses of its contract with the state of California. Read more: October 4, 2022: Head of Election Worker Management Company Arrested in Connection with Theft of Personal Data
Avast marks Firefox as ransomware
Mozilla released an emergency security update for Firefox on Friday to fix an issue where the Avast and AVG antivirus products were detecting Firefox installations as ransomware and crashing users’ browsers. Read more: 105.0.3 Firefox Release October 7, 2022
Tracking Linux users online
In an academic paper published last month, a team of academics from the Hebrew University of Jerusalem said they found a security flaw in the Linux kernel that allowed them to individually track Linux users across browsers, browser privacy modes, containers, and IPv4/IPv6/VPN networks. The research team said they reported the issue to the Linux kernel team, who fixed it in a security patch this May. Read more: Device Tracking via Linux’s New TCP Source Port Selection Algorithm (Extended Version)
“We describe a tracking technique for Linux devices, exploiting a new TCP source port generation mechanism recently introduced to the Linux kernel. This mechanism is based on an algorithm, standardized in RFC 6056, for boosting security by better randomizing port selection. Our technique detects collisions in a hash function used in the said algorithm, based on sampling TCP source ports generated in an attacker-prescribed manner. These hash collisions depend solely on a per-device key, and thus the set of collisions forms a device ID that allows tracking devices across browsers, browser privacy modes, containers, and IPv4/IPv6 networks (including some VPNs). It can distinguish among devices with identical hardware and software, and lasts until the device restarts.”
Iranian TV hacked
The Edalaate Ali (Ali’s Justice) hacktivist group hijacked the signal of the Iranian state television during a news bulletin on Saturday. A news piece showing Iranian Supreme Leader Ayatollah Ali Khamenei meeting with government officials was replaced with an image of Khamenei with a crosshair on his forehead and photos of protesters slain in the recent anti-government protests. The incident, which only lasted a few seconds before TV engineers cut off the broadcast, also included the phrase “join us and rise up” as the Iranian state is set to enter its second month of anti-government protests this week. Read more: Iranian State TV Hack Puts Supreme Leader In Crosshairs, Shows Slain Protesters
Updated on 2022-10-09
IR teamers really need a break
New survey findings from IBM [PDF] show incident responders are absolutely knackered. The survey asked 1,100 incident responders for their views. Two-thirds say they experience stress or anxiety in their daily lives as a result of responding to incidents, with 30% experiencing insomnia, and 29% say it affects their social lives, though 84% say they have adequate access to mental health support (100% would be better, companies!). Read more:
- IBM Security Incident Responder Study – July 6-13, 2022
- Between ransomware and month-long engagements, IR teams need a hug – and a nap
PG&E publicly exposed partial Social Security numbers
PG&E, one of the biggest power and utility providers in the U.S., exposed Americans’ partial Social Security numbers thanks to a buggy implementation of Experian’s credit check questions used for verifying a person’s identity, which only required a person’s name and address to retrieve their partial SSN. @Lucky225 found that the company’s site asked for the person’s SSN, driver’s license or passport number when signing up for service, but the form wasn’t validating the input properly, so you could simply enter “123456789” or all-zeros as the ID number and it would result in Experian spitting back their verification questions.
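As an added example (not PG&E’s or Experian’s code) of the two checks the sign-up flow above lacked, the following rejects structurally bogus ID numbers such as all zeros and then requires the claimed SSN to match the applicant’s own record before any verification questions are released, answering every failure identically. The record store, HMAC key, placeholder list and sample record are constructed for illustration.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Tuple

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
# Assumption: well-formed values that are widely used as test data and so must never be accepted.
PLACEHOLDER_SSNS = {"123456789", "111111111"}


def ssn_is_well_formed(ssn: str) -> bool:
    """SSA structural rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    match = SSN_RE.match(ssn.strip())
    if not match:
        return False
    area, group, serial = (int(part) for part in match.groups())
    if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
        return False
    return "".join(match.groups()) not in PLACEHOLDER_SSNS


@dataclass(frozen=True)
class Record:
    name: str
    address: str
    ssn_tag: str  # keyed hash of the SSN on file; the plaintext never leaves the store


# Constructed demo key and record store (not real data; rotate keys in production).
STORE_KEY = b"constructed-demo-key"


def ssn_tag(ssn: str) -> str:
    """Keyed hash of the SSN digits so comparisons never touch the plaintext."""
    digits = re.sub(r"\D", "", ssn)
    return hmac.new(STORE_KEY, digits.encode(), hashlib.sha256).hexdigest()


RECORDS: Dict[Tuple[str, str], Record] = {
    # 219-09-9999 is the SSA's own sample number; the name and address are made up.
    ("jane doe", "1 main st"): Record("Jane Doe", "1 Main St", ssn_tag("219-09-9999")),
}


def verify_applicant(name: str, address: str, claimed_ssn: str) -> str:
    """Return 'questions' only when the claimed SSN matches the record on file.

    Every failure returns the same 'rejected', so a caller cannot learn whether the
    name/address pair exists or which check failed; a wrong or bogus number ends the
    flow instead of falling through to the knowledge-based verification step.
    """
    if not ssn_is_well_formed(claimed_ssn):
        return "rejected"
    record = RECORDS.get((name.strip().lower(), address.strip().lower()))
    if record is None:
        return "rejected"
    if not hmac.compare_digest(record.ssn_tag, ssn_tag(claimed_ssn)):
        return "rejected"
    return "questions"  # only now hand off to the verification-question step


if __name__ == "__main__":
    print(verify_applicant("Jane Doe", "1 Main St", "000000000"))   # rejected
    print(verify_applicant("Jane Doe", "1 Main St", "219-09-9999"))  # questions
```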
This is what the form looked like:
Updated on 2022-10-07
The past 24 hours gave us another massive crypto hack, wherein hackers stole hundreds of millions worth of cryptocurrency from a blockchain bridge. We also have another healthcare breach as a Texas-based primary care provider informed thousands of patients that their data was probably compromised. Phishing attacks spoofing Zoom are back as a campaign targeted thousands. Read along for the rest of the highlights.
More highlights from the past 24 hours
- Family Medical Center Services informed 233,948 patients of a data security incident that left their data, including contact details, SSNs, and PHI, potentially compromised. Read more: Family Medical informs 234K patients of possible data compromise
- Activision Blizzard was hit by a DDoS attack, resulting in widespread connectivity issues during the launch of the highly anticipated game Overwatch 2. Read more: Overwatch 2 launch marred by ongoing DDoS attacks
- Armorblox reported a credential phishing attack that spoofed Zoom to pilfer victims’ Microsoft user credentials. The phishing email targeted over 21,000 users. Read more: Zoom: 1 Phish, 2 Phish Email Attack
- Game company 2K warned an unknown number of users that the threat actor gained access to their personal information following the recent breach of its help desk. Read more: 2K warns users their info has been stolen following breach of its help desk
- Enterprise security platform Oort bagged $15 million in Series A round, co-led by .406 Ventures and Energy Impact Partners, with existing investors as participants. Read more: Enterprise Security Startup Oort Raises $15M in Series A Funding to Stop Identity-Based Cyber Attacks
- Cyber insurtech firm Elpha Secure raised $20 million in Series A funding led by Canapi Ventures, with participation from Stone Point Ventures, AXIS Capital, and other existing investors. Read more: Elpha Secure raises $20 million to accelerate product development
US HHS HC3 Presentation on Risks Posed by Legitimate Security Tools
The US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HHS HC3) has published a presentation detailing risks posed by legitimate security tools. The presentation addresses threats posed by Cobalt Strike, PowerShell, Mimikatz, Sysinternals, Anydesk, and Brute Ratel. The document does not call for organizations to stop using the tools; instead, it urges organizations to “weigh the risks and rewards of each of these tools and be aware of both the value and risk they bring with them.”
Note
- Key takeaways here are actionable defense and detection strategies for these technologies. As a penetration tester, I know that no control is a silver bullet, but we attackers have a harder time when PowerShell is disabled, Credential Guard is enabled, and defenders are watching for beacon-like and odd DNS traffic egressing their networks.
- In the 2020 SANS Emerging Threats keynote at the RSA Conference, Ed Skoudis pointed out “Living off the Land” attacks that used these and other tools to essentially use the target’s resident apps against itself. Two of his key recommendations: (1) More use of application whitelisting to limit access to the needed tools; and (2) Purple Teaming, where the Red Team launches LotL attacks and the defenders improve ability to detect and rapidly mitigate.
- Many tools like these can be used for both legitimate and nefarious purposes. The trick is understanding what is normal in your environment and making sure you can detect anomalous behavior. Use application allow/deny lists, particularly on critical servers, to block the installation of anything beyond what they need to meet mission objectives.
- A tool can be used for legitimate or nefarious means. A screwdriver can be used to fix things or it can be used to attack people or break into premises. It is the intent of the person using the tool that matters. That being said, I like this presentation as it gives a good insight into how these tools can be abused and in most cases outlines steps you can take to protect against the abuse/misuse of these tools.
Read more in
- Abuse of Legitimate Security Tools and Health Sector Cybersecurity (PDF)
- Ongoing abuse of legitimate security tools pose threat to healthcare, HHS warns
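As an added example (not from the HC3 presentation or any of the tools it names), the following script turns the “beacon-like and odd DNS traffic” note above into two checks run over constructed Zeek-style log lines: near-constant connection timing per source/destination pair, and DNS labels long and random-looking enough to be carrying encoded data. Field layout, thresholds and sample records are assumptions for illustration.

```python
import math
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed Zeek-like conn records (not real telemetry): ts, src, dst, dport, proto.
# Host 10.0.0.5 reaches 203.0.113.10 every ~60 s; 10.0.0.7 connects at irregular times.
SAMPLE_CONN_LOG = """\
1665000000.10\t10.0.0.5\t203.0.113.10\t443\ttcp
1665000060.12\t10.0.0.5\t203.0.113.10\t443\ttcp
1665000120.09\t10.0.0.5\t203.0.113.10\t443\ttcp
1665000180.11\t10.0.0.5\t203.0.113.10\t443\ttcp
1665000240.10\t10.0.0.5\t203.0.113.10\t443\ttcp
1665000300.13\t10.0.0.5\t203.0.113.10\t443\ttcp
1665000005.00\t10.0.0.7\t198.51.100.20\t443\ttcp
1665000900.00\t10.0.0.7\t198.51.100.20\t443\ttcp
1665001100.00\t10.0.0.7\t198.51.100.20\t443\ttcp
1665003000.00\t10.0.0.7\t198.51.100.20\t443\ttcp
1665003100.00\t10.0.0.7\t198.51.100.20\t443\ttcp
1665009000.00\t10.0.0.7\t198.51.100.20\t443\ttcp
"""

# Constructed Zeek-like dns records: ts, src, query. The second query's first label is random-looking.
SAMPLE_DNS_LOG = """\
1665000010.0\t10.0.0.5\tupdates.example.com
1665000011.0\t10.0.0.5\tzx9f3kq1pw7rtn2lm8cvb4hd6yj0sa5e.c2-example.net
1665000012.0\t10.0.0.7\twww.example.org
"""

# Thresholds are assumptions for illustration; tune them against your own baseline.
MIN_CONNECTIONS = 5      # fewer samples are too few to judge periodicity
MAX_JITTER_RATIO = 0.10  # stdev/mean of intervals at or below this looks like a sleep timer
MIN_LABEL_LEN = 20       # short labels rarely carry encoded data
MIN_LABEL_ENTROPY = 3.5  # bits per character; dictionary words usually score 2-3

StreamKey = Tuple[str, str, int]


def parse_conn_log(text: str) -> Dict[StreamKey, List[float]]:
    """Group connection timestamps by (src, dst, dport)."""
    streams: Dict[StreamKey, List[float]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, _proto = line.split("\t")
        streams[(src, dst, int(dport))].append(float(ts))
    return streams


def periodicity(timestamps: List[float]) -> Tuple[float, float]:
    """Return (mean interval, jitter ratio) for a list of connection timestamps."""
    ts = sorted(timestamps)
    intervals = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = statistics.fmean(intervals)
    ratio = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
    return mean, ratio


def find_beacons(text: str) -> List[dict]:
    """Flag streams whose connection interval is nearly constant (beacon-like)."""
    hits = []
    for (src, dst, dport), stamps in parse_conn_log(text).items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        mean, ratio = periodicity(stamps)
        if ratio <= MAX_JITTER_RATIO:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(stamps),
                         "period_s": round(mean, 2), "jitter_ratio": round(ratio, 4)})
    return hits


def shannon_entropy(label: str) -> float:
    """Bits per character of the label's character distribution."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def find_odd_dns(text: str) -> List[dict]:
    """Flag queries containing a long, high-entropy label (typical of encoded C2 data)."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, query = line.split("\t")
        for label in query.split("."):
            entropy = shannon_entropy(label)
            if len(label) >= MIN_LABEL_LEN and entropy >= MIN_LABEL_ENTROPY:
                hits.append({"src": src, "query": query, "label": label,
                             "entropy": round(entropy, 2)})
                break
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONN_LOG):
        print("beacon-like:", hit)
    for hit in find_odd_dns(SAMPLE_DNS_LOG):
        print("odd dns:", hit)
```

Real beacons add randomized jitter to their sleep, so the jitter threshold is a tuning knob, not a fixed truth; the point is to baseline per-destination timing and review the outliers.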
Updated on 2022-10-06
The government sector has, lately, been under constant attacks by nation-state actors. Today we have two such instances. While on one hand, an Arizona city fell victim to a data breach, on the other, Russian hackers knocked offline several U.S. state government websites. In other news, the BlackByte ransomware has popped up with a new tactic to evade security solutions. Here are the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- The City of Tucson, Arizona, suffered a data breach that affected the personal information of 123,513 individuals after a hacker breached the city’s network. Read more: City of Tucson discloses data breach affecting over 125,000 people
- Russian hackers claimed credit for taking down state government websites in Mississippi, Colorado, Kentucky, and other states, as part of politically-motivated hacking. Read more: Russian-speaking hackers knock US state government websites offline
- Australian employees of G4S, both current and former, were asked to stay alert after their tax information, medical checks, and bank account details were posted online following a ransomware attack. Read more: Staff at security firm G4S on alert after tax numbers and bank details posted online following hack
- A new hacktivist group Egypt Leaks has been targeting Egyptian financial institutions and leaking huge volumes of compromised payment data of major Egyptian banks on the dark web. Read more: Researchers at cybersecurity firm Resecurity spotted a new group of hacktivists targeting financial institutions in Egypt
- RatMilad, a new Android spyware, was found targeting mobile devices in the Middle East to conduct cyberespionage, eavesdrop on, or extort the victims. Read more: We Smell A RatMilad Android Spyware
- A new BEC campaign is leveraging an email thread that appears to have been forwarded by the target’s boss to trick employees into giving up huge sums of money. Read more: This sneaky fraud attack looks like an email forwarded by your boss
- Penetration testing and attack surface management firm NetSPI bagged $410 million in a growth equity round led by KKR, with participation from Ten Eleven Ventures. Read more: KKR Boosts NetSPI Stake with $410 Million Investment
- California-based security and privacy developer RealDefense raised $30 million in a debt financing round, led by Sunflower Bank. Read more: RealDefense Closes $30 Million in New Financing To Accelerate Acquisitions and Growth
CISA Schedules Additional Listening Session for Incident Reporting Rules Input
The US Cybersecurity and Infrastructure Security Agency (CISA) has scheduled an additional listening session for public input on its proposed cyber incident reporting regulations in Washington, DC. CISA is seeking input on the Cyber Incident Reporting for Critical Infrastructure Act of 2022. There are also sessions scheduled for New York City, Philadelphia, Oakland, CA, Boston, Seattle, and Kansas City, MO. Interested parties may register at https://www.cisa.gov/circia.
Note
- The new session is October 19th in Washington, DC. The proposed regulation requires reporting of “covered cyber incidents” to CISA within 72 hours and of “ransom payments” within 24 hours. Input is needed to make sure that “covered entities,” “covered cyber incidents,” and “ransom payments” are properly defined.
Read more in
- Cyber Incident Reporting for Critical Infrastructure Act of 2022: Washington, D.C. Listening Session (PDF)
- CISA Announces DC Event for Public Input on Incident Reporting Regulations
Updated on 2022-10-05
The military-industrial complex deals with lots of sensitive information coveted by cybercriminals. In one such campaign, nation-state hackers leveraged a new malware to attack a U.S. organization in the defense industrial base sector. Just after Optus, another Australian telco suffered a significant data breach. In other news, a YouTube channel has been disseminating malware disguised as anonymity software. Read along for the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- A cyberattack against New Zealand healthcare provider Pinnacle potentially compromised the commercial and personal details of thousands of patients. Read more: Cyber attack on health provider Pinnacle a ‘wake up call’
- AI data privacy startup Securiti raised $75 million in Series C funding led by Owl Rock Capital, with participation from Mayfield Fund and General Catalyst. Read more: Securiti launches data security cloud and announces $75M Series C
- Firmware security firm Eclypsium snapped up $25 million in Series B funding, led by Ten Eleven Ventures, with J-Ventures, Andreessen Horowitz, Madrona Venture Group, and others as participants. Read more: Firmware Security Company Eclypsium Raises $25 Million in Series B Funding
New Arm security features
Chipmaker Arm announced a slew of new security features for its CPUs, such as support for shadow stacks via the “Guarded Control Stack (GCS)” feature, translation table permissions hardening, and support for multiple memory encryption contexts. Read more: Arm A-Profile Architecture Developments 2022
Azure Firewall Basic hits public preview
Azure Firewall Basic, a stripped-down and cheaper version of the Azure Firewall service specifically designed for SMBs, has now entered public preview. Read more: Azure Firewall Basic now in preview
PS5 jailbreak
The PlayStation 5 has been jailbroken to allow users to install custom packages. An exploit is available on GitHub, and this marks the first major PS5 hack since its launch back in 2020. Read more:
- Cryptogenic/PS5-4.03-Kernel-Exploit
- The PS5 Has Been Jailbroken – Custom Packages Can Now Be Installed
- Released! PS5 Kernel exploit + Webkit vulnerability for Firmware 4.03
Cyber activity unlikely to impact elections
In a joint public service announcement on Tuesday, the FBI and CISA said that “any attempts by cyber actors to compromise election infrastructure are unlikely to result in large-scale disruptions or prevent voting,” just as such attempts had no impact on previous elections.
“Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes.”
Cybersecurity workforce
The White House and the Office of the National Cyber Director (ONCD) are requesting advice on how the government should handle the current cybersecurity workforce shortage, currently estimated at around 700,000 empty jobs. The Biden administration said it’s looking for recommendations “as to how the Federal government can further lead, assist, or encourage other key stakeholders in government, industry, non-profits, and academia to advance progress in cyber training, education, or workforce development—including ways that expand diversity, equity, inclusion, and accessibility.” Read more: Office of the National Cyber Director Requests Your Insight and Expertise on Cyber Workforce, Training, and Education
BEC money launderer sentenced
A US judge sentenced a Georgia man to 25 years in prison this week for laundering more than $9.5 million on behalf of cybercrime gangs. The man, named Elvis Eghosa Ogiekpolor, set up at least 50 bank accounts through which he received stolen funds from romance and business email compromise (BEC) scams. Read more: Georgia man who laundered millions from romance scams, Business Email Compromises, and other online fraud receives 25-year sentence
OTP bypass bots
CloudSEK researchers said they detected cybercriminals advertising a new automated service called Apollo that can bypass one-time passcode (OTP) protections on online accounts. While several bots like these exist already, such as the Generaly OTP Bot, this one is particularly intriguing because it can also spoof calls on behalf of any company using Google Voice to trick victims into giving away their OTP code. Read more:
- Apollo OTP Bot Exploiting Google Voice for MFA Bypass
- Upgraded Version of Generaly OTP Bot for MFA Bypass on Popular Payment Platforms
Attack Manager
In addition, the same CloudSEK team said they spotted a new DDoS-for-hire service called AttackManager, also advertised on several underground cybercrime forums. The service appears to have been set up in August and has yet to garner any substantial following. Read more: New DDoS-for-Hire Platform Advertised on Multiple Cybercrime Forums
Nigerian BEC magic
We know that Nigerian BEC groups are superstitious and often ask for help from shamans, but this is something else altogether.
NRA hacktivists
KyivPost has a profile on the National Republican Army (NRA), a hacktivist group that claims to be made up of Russian citizens looking to overthrow the Putin government, à la the Cyber Partisans group in Belarus. The group’s latest action includes ransoming Unisoftware, a software service provider for Russia’s Federal Tax Service, the Russian Ministry of Finance, and the Central Bank of Russia. Read more: Russian Citizens Wage Cyberwar From Within
Secureworks threat landscape
Secureworks published on Tuesday its report on the 2022 threat landscape. Among the report’s findings:
- Dwell time for ransomware gangs has gone down to 11 days this year, from 22 days last year.
- The loader landscape is evolving, and there’s evidence of close collaboration between the groups operating different loaders. There is also a shift towards lightweight, disposable loaders in place of complex botnets like TrickBot or Emotet.
- Compromise of unpatched internet-facing infrastructure has overtaken credentials-based attacks as the primary initial attack vector (IAV) and was the start for 52% of ransomware incidents over the past year.
- Accelerated use of Infostealers as a means of enabling ransomware operations
ELITETEAM
The excellent researchers from Team Cymru published a report last week on the infrastructure of ELITETEAM, a bulletproof hosting provider registered in Seychelles that has historically hosted quite a large number of malicious campaigns. Team Cymru reported that the hosting provider seems to run on different clusters, each dedicated to various operations, like hosting traffic distribution systems (TDS), banking trojans, ransomware, and crypto-mining botnets.
“All the data and information we have researched points to ELITETEAM being Russian / Russian-speaking, operating behind a shell organization in Seychelles. We have reason to believe that Datahouse, RU is connected to ELITETEAM and worthy of further investigation.”
VirtualGate
Researchers from Norfolk Security have additional analysis on VirtualGate, a malware strain used by a Chinese threat actor to backdoor guest Windows operating systems running on top of VMware ESXi hypervisors. The malware was first detailed in a Mandiant report last week, along with VirtualPie and VirtualPita, two pieces of malware deployed at the hypervisor level, through which VirtualGate is deployed.
Read more:
- Some Notes on VIRTUALGATE
- Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors
Maggie backdoor
German security firm DCSO said it found a new backdoor malware strain named Maggie that’s been infecting MSSQL databases across the internet. Besides providing attackers access to the compromised servers, Maggie can also be used as a proxy to relay malicious traffic and launch brute-force attacks against other MSSQL systems. According to DCSO, the vast majority of infected servers are located in South Korea, India, Vietnam, and China. Read more: MSSQL, meet Maggie
DeftTorero
Kaspersky researchers have published a report on DeftTorero (aka Lebanese Cedar, Volatile Cedar), an advanced persistent threat group that was initially spotted in 2015 but about which very little has been reported in recent years. Kaspersky’s research covers DeftTorero attacks that took place between late 2019 and mid-2021, during which the company’s experts say the group abandoned their old malware strains and shifted to fileless/LOLBINS techniques and the use of publicly-available offensive tools. Read more: DeftTorero: tactics, techniques and procedures of intrusions revealed
“Based on our telemetry, the indicators of the intrusions we assessed between late 2019 and mid-2021 are similar to the usual DeftTorero victimology, with a clear focus on Middle Eastern countries such as Egypt, Jordan, Kuwait, Lebanon, Saudi Arabia, Turkey and the United Arab Emirates. The targeted web servers occasionally host multiple websites belonging to different industry verticals such as Corporate, Education, Government, Military, Media, and Telcos. This presents the threat actor with the opportunity to pivot to other victims of interest.”
Earth Aughisky
Trend Micro has published an overview report on how the malware portfolio of the Earth Aughisky (Taidoor) APT has changed over the years. Read more: Tracking Earth Aughisky’s Malware and Changes
“Our research paper, “The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started,” lists all the malware attributed to the group, the connections of these malware families and tools with other APT groups, and the latest updates in illicit activities potentially connected to real-world changes.”
APT naming schemes
Security researcher Arkbird has put together a list with all the APT naming schemes used by various infosec entities, from CERTs to security firms. Read more: StrangerealIntel/EternalLiberty
Rancher stored passwords in plaintext
A now-patched version of Rancher, an open source Kubernetes management tool, stored sensitive values in plaintext, a pair of software developers have discovered. Exploitation could have enabled attackers to gain privileged access to various Rancher-owned Kubernetes objects, The Daily Swig reported. Read more:
- Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials
- Rancher stored sensitive values in plaintext, exposed Kubernetes clusters to takeover
Drupal security updates
…are out and are here. Read more: Drupal core – Critical – Multiple vulnerabilities – SA-CORE-2022-016
Hacking Google series
The six episodes of the Hacking Google series are available in this YouTube playlist. They cover the five major Google security teams and the Project Aurora hack that led to their creation. Read more: HACKING GOOGLE YouTube Playlist
NSA internship
The US NSA has listed summer internship positions for next year if you’re interested.
New tool—Dissect
Researchers from NCC’s Fox-IT team have open-sourced a new project called Dissect, a modular Python framework for enterprise-scale incident response and investigations. Read more: Dissect: An incident response game-changer – A streamlined, easy-to-use solution, now available as Open Source Software
New tool—Freeze
Cybersecurity firm Optiv open-sourced last week a new project called Freeze that can be used to bypass EDR solutions. Read more:
EvilGoPhish update
The EvilGoPhish phishing toolkit has been updated to support Twilio-based SMS phishing campaigns. Hooray for the red-teamers and cybercrime gangs, I guess! Read more: evilgophish/CHANGELOG.md
MITRE ATT&CK update
The MITRE ATT&CK framework has been updated with support for Campaigns. Read more: Introducing Campaigns to MITRE ATT&CK
Sysmon 14.1 is out
Complete with a new feature named FileBlockShredding that prevents wiping tools from corrupting and deleting files. The feature was announced last month at the LABScon security conference as a way to protect Ukrainian systems against Russian data wipers. Read more: Sysmon v14.1
Stressed out
A survey conducted by IBM of more than 1,100 IR teams found that two-thirds of incident responders are “experiencing stress or anxiety in their daily lives” due to the high demands of their cybersecurity engagements, including dealing with two or more intrusions at the same time. Respondents also cited experiencing insomnia, burnout, and impact on their social life or personal relationships as some of the side-effects of their demanding jobs. See full results and charts here. Read more:
- New IBM Study Finds Cybersecurity Incident Responders Have Strong Sense of Service as Threats Cross Over to Physical World
- IBM Security Incident Responder Study – July 6-13, 2022
‘People search’ websites create privacy nightmares for abortion rights advocates
Since the overturning of Roe v. Wade that saw nationwide rights protecting abortion dismantled by the U.S. Supreme Court, reproductive rights advocates are facing increasingly violent threats and fear that their personal information — collected without their consent by ‘people search’ websites — can identify where they live. The FTC has already taken action against geolocation data brokers but has not yet included data brokers trading in public records. It’s a real problem. While there are public data removal tools and services, they are not silver bullets — and some have basically refused to remove their home addresses, despite several requests and a lawyer’s letter.
Read more:
- People search websites create privacy nightmares for abortion rights advocates
- National Abortion Federation Releases 2021 Violence & Disruption Report
Parking apps can let anyone track your car, this hacker wants to stop it
A cybersecurity expert found he was able to pinpoint the live location of vehicles in about a quarter of all cases over a 100 day period using three different techniques, which are now public. De Ceukelaire warned that parking apps — even if you don’t use them — can be used to register license plates without verification, which in turn can be used to send alerts any time a target vehicle enters a parking lot equipped with license plate readers (known as ANPR or ALPR). He described it as a “privacy disaster” throughout Europe and the United States.
Read more:
- Parking apps can let anyone track your car—this hacker wants to stop it
- “Hey Siri, follow that car!” How traffic cameras expose your location through parking apps.
Flaws in Matrix’s end-to-end encryption now patched
Developers of the open source Matrix messenger protocol released an update on Wednesday to fix critical end-to-end encryption bugs. Matrix is a sprawling ecosystem of interoperable apps, clients and servers across platforms that allows users to exchange end-to-end encrypted real-time messages — some 69 million Matrix accounts across 100,000 servers. But the vulnerabilities disclosed this week are major weaknesses that could compromise encrypted messages; all of them rely on a malicious or compromised server. Ars has a great breakdown of what went down, and what needs fixing, and @claucece has an excellent breakdown by tweet thread.
Read more:
- Serious vulnerabilities in Matrix’s end-to-end encryption have been patched
- Practically-exploitable Cryptographic Vulnerabilities in Matrix
New U.S. intel unit logo ‘erroneously posted’
What’s this new U.S. intel logo all about?
This was, or appeared to be, the new logo for the National Intelligence Manager for the Air Domain, an aviation-focused unit of the Office of the Director of National Intelligence, the federal department that oversees the U.S. intelligence community. Look closely and you’ll see what looks like a UFO and a Russian fighter jet(?!) leading to considerable chatter and analysis. Alas, all things edgy in intel don’t last long. A government spokesperson said the seal was “erroneously posted” and that the seal is both unofficial and incorrect. Buzzkills. Read more:
- What’s with the UFO on a U.S. intelligence agency seal?
- DID A US INTEL AGENCY JUST GET A NEW SEAL WITH A UFO ON IT?
NSO hacked more people for longer, says new research
@DonnchaC and @billmarczak found that when Apple releases security fixes, it doesn’t always patch the same bug in older versions of its software — including actively exploited bugs(!) — leaving users running older software vulnerable to attacks (via @josephmenn). That means spyware makers like NSO Group have hacked both more people and for longer than previously known. That also means NSO’s WhatsApp attack that hit 1,400 targets back in 2019 “was much larger” in scope. Wow.
Read more:
- An inconvenient truth about Apple security updates
- WhatsApp: Israeli firm ‘deeply involved’ in hacking our users
Anonymous bug reports rocket after Beijing slapdown
When Log4j first emerged, it was researchers at Chinese cloud giant Alibaba who disclosed the bug and got it fixed, much to the anger of Beijing (which eventually sanctioned the company), as it wanted to be informed first. As a result, China restricted the ability of researchers to share vulnerability reports. New research from the Atlantic Council found a huge drop in reports from China in Log4j’s wake, but it also saw “an increase of similar size and significance in contributions tagged either to individuals, companies with no known country tag, or no acknowledgement at all”. The researchers say it could be that Chinese researchers are still reporting bugs, but anonymously. Read more:
- Dragon tails: Preserving international cybersecurity research
- China’s infosec researchers obeyed Beijing and stopped reporting vulns … or did they?
Can Kaspersky survive the Ukraine war?
Cyberscoop looks at Kaspersky, the Russian antivirus and cybersecurity giant, dogged by controversies in the U.S. and abroad, amid claims its technology could help Moscow achieve its wartime goals. But with sanctions hitting both the Russian government and high-level Russian citizens — including the company’s founder, Eugene Kaspersky — and with more to come, the future doesn’t look so bright for the once rising star of the security community. Read more:
- Can Kaspersky survive the Ukraine war?
- Exclusive: How a Russian firm helped catch an alleged NSA data thief
Hyperjacking hypervisors
Mandiant, the newly-owned Google unit, has new research out this week revealing that a “mysterious” team of hackers is targeting VMware’s virtualization software, known as a hypervisor, which lets you run multiple operating systems on a single bit of hardware. By targeting the hypervisor itself, the attackers can watch and run commands on those virtual computers nearly invisibly. The attackers appear to be tied to China, but even by its own analysis, Mandiant isn’t entirely sure. Read more:
- Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors
- Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying
VA investigating breach after source code leak
The Dept. of Veterans Affairs in the U.S. is conducting a breach investigation after a federal contractor published source code — including sensitive credentials — on GitHub months ago. The hardcoded admin credentials published to GitHub allowed “six foreign IP addresses” to clone the source code, including “at least one from a country hostile to the U.S.” Yikes. A dozen internal applications were exposed, but the VA only discovered the exposure after someone reported the issue on September 9. Fedscoop has the… well, scoop. Read more: VA investigates breach after federal contractor publishes source code
Updated on 2022-10-04
Russia’s second-largest computer and home appliance store chain suffered a breach allegedly by a cybercriminal group dubbed NLB Team. Meanwhile, a report made an astonishing revelation: 24% of organizations surveyed have suffered a ransomware attack, and 20% of those attacks happened only in the last year. What’s more? A phishing campaign targeted KFC and McDonald’s customers in Saudi Arabia, UAE, and Singapore. Hackers were able to pilfer payment details of some of them. Continue reading to learn major cybersecurity highlights for the day.
More highlights from the past 24 hours
- Digital Network System, a Russian retail chain, disclosed a breach that exposed the personal data of customers and employees. Hackers known as NLB Team reportedly exploited a security hole. Read more: Russian retail chain ‘DNS’ confirms hack after data leaked online
- Hackers used domain impersonation to serve malicious, browser-based applications posing as KFC and McDonald’s. Payment details of some customers across Saudi Arabia, UAE, and Singapore were impacted. Read more: Phishing Campaigns Target KFC, McDonald’s in Saudi Arabia, UAE, Singapore
- The Finnish Security Intelligence Service issued an alert against serious cyberattack attempts from Russia-linked threat actors around winter. The warning is in light of its future NATO membership. Read more: The Finnish Security Intelligence Service (SUPO) warns Russia will highly likely intensify its cyber activity over the winter.
- Around 24% of organizations surveyed have suffered a ransomware attack at least once, with 20% of attacks coming only in the last year, revealed The 2022 Ransomware Report by Hornetsecurity. Read more: Many IT pros don’t think a ransomware attack can impact Microsoft 365 data
- An Okta report found that government agencies and businesses worldwide are swiftly moving toward the zero-trust architecture with 72% of government organizations surveyed already employing it. Read more: Zero Trust Architecture Rises Across Industries
- Sweden-based Detectify, a domain and web application security firm, nabbed $10 million in funding from Insight Partners. This round brings the total raised to $42 million. Read more: Web Security Company Detectify Raises $10 Million
Updated on 2022-10-03
The attack spree on the critical sector reached new heights with a couple of cybercrime activities of late. For instance, a hacker group rattled government agencies in Latin America after it successfully harvested 6TB of sensitive data. Meanwhile, the BlackCat ransomware group mysteriously listed and then delisted its attack claims on an IT firm known to engage with federal agencies. Lastly, do check CISA’s guidelines for transitioning to TLP 2.0! Read along for more news from the past 24 hours.
More highlights from the past 24 hours
- Officials at Shangri-La Hotel and Resorts revealed they suffered a breach that exposed the personal information of customers across eight of its Asian properties. Read more: Shangri-La Hotels Customer Database Hacked
- German police nabbed a cybercriminal suspected of having stolen around $4,000,000 from online users via phishing. The phishing emails would contain a fake message about a change in users’ bank security system. Read more: German police identified a gang that stole €4 million via phishing attacks
- According to Venafi, 81% of firms surveyed have experienced a cloud security incident in the last year, with over 50% also believing that security risks are higher in a cloud infrastructure than on-premise. Read more: More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise
Transit Swap crypto-heist
Decentralized cryptocurrency exchange platform Transit Swap lost $21 million / $23 million worth of funds after a hacker exploited a bug in its code on Saturday. The company confirmed the hack on Sunday and said they have “the hacker’s IP, email address, and associated on-chain addresses,” and are working to recover the funds. According to blockchain security firm SlowMist, the attacker appears to have returned 70% of the stolen funds already. Read more: Cross-chain DEX Aggregator Transit Swap Hacked Analysis
Whistleblower hacks
In a Twitter thread last week, Hindenburg Research, a research agency that exposed a fraud case inside Nikola Corp, said that critics and whistleblowers inside the company were targeted by hackers shortly after the company’s wrongdoings were exposed back in 2020.
ECG hack
For almost a week, Ghanaians have been unable to purchase any new power credits and have had electricity cut off to their homes after a threat actor hacked the Electricity Company of Ghana (ECG) and locked its servers, in what local experts are calling a suspected ransomware attack. Read more:
- Electricity Company of Ghana prepaid central database compromised
- ECG systems hacked with ransomware – Sources
CBSA breach
Canada’s privacy commissioner’s office said that the data of 1.38 million Canadians were exposed after a security breach at one of the Canada Border Services Agency’s contractors. The incident took place in 2019, targeted a US company used by the CBSA, and involved approximately 9,000 photos of licence plates collected from travellers entering Canada at the Cornwall, Ontario, border crossing. Read more: Data breach at border agency contractor involved up to 1.38 million licence plates
US rep wins UN ITU election
US representative Doreen Bogdan-Martin was elected as the new head of the UN’s International Telecommunication Union (ITU), a crucial agency that sets global standards for telecoms and tech infrastructure. Bogdan-Martin won 139 of the 175 possible votes, defeating Russia’s representative and replacing China’s Houlin Zhao, who has led the ITU for two consecutive terms since 2014. Read more:
- Ms Doreen BOGDAN-MARTIN ITU Secretary-General-elect
- US defeats Russia to head UN telecoms agency in fight for internet’s future
Microsoft rewrites SmartScreen technology
Microsoft said they rewrote the entire Windows Defender SmartScreen technology (Microsoft’s SafeBrowsing analog) “to improve reliability, performance, and cross-platform portability” and detect phishing and malicious sites faster. Read more: More reliable web defense
Russia sets up cybercrime-fighting agency
Russia’s Ministry of Internal Affairs announced on Friday the creation of UBK, a new unit inside the ministry dedicated to fighting cybercrime. Read more: The Russian Ministry of Internal Affairs will create a Directorate for Organizing the Fight Against Cybercrime
Russia blocks Soundcloud
Roskomnadzor, Russia’s telecommunications watchdog, blocked access to music streaming platform Soundcloud, most likely related to the platform hosting podcasts discussing Russia’s invasion of Ukraine. According to Podcasts.ru, Soundcloud’s mobile app is still working, and only the main web portal appears to have been blocked. Read more:
Phisher arrested in Germany
German police said last week that they detained a 24-year-old man for stealing €4 million from personal bank accounts. Authorities said the suspect gained access to the accounts after phishing the account owners, including for the TAN (transaction) codes needed to exfil funds.
REF2731
Elastic’s security team has published a report on REF2731, a malware campaign that deploys the PARALLAX loader to install the Netwire RAT. Read more: Exploring the REF2731 Intrusion Set
Diavol comeback
Walmart’s security team said last week that they saw new attacks using the Diavol ransomware, developed by former TrickBot member Alla Witte, who is currently in custody. Read more:
- Diavol resurfaces
- Latvian National Charged for Alleged Role in Transnational Cybercrime Organization
DJVU ransomware
BlackBerry’s security team published last week an analysis of the ever-evolving DJVU (STOP) ransomware. According to BlackBerry researchers, in recent campaigns, DJVU was often seen deployed after the victim was initially compromised with the RedLine infostealer. Read more: DJVU: The Ransomware That Seems Strangely Familiar…
WindShift APT
macOS malware connoisseur Patrick Wardle has analyzed WindTape, a second-stage macOS backdoor used by the WindShift APT. Read more: Unmasking WindTape
Poisoning Akamai’s entire CDN cache
Italian security researchers Jacopo Tediosi and Francesco Mariani discovered a technique that would allow them to poison the cache of all websites running on Akamai’s CDN. While Akamai didn’t have a bug bounty program, the two researchers said they made roughly $50,000 by reporting the issue to many of Akamai’s customers. Read more: Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes ($50K+ Bounty Earned)
Zscaler buys ShiftRight
Security firm Zscaler has acquired ShiftRight, a company specializing in security workflow automation services. The acquisition was announced in June—for $25.6 million—and closed last week. Read more:
- Zscaler Acquires ShiftRight to Integrate Security Workflow Automation Technology into the Zero Trust Exchange Platform
- ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934
New tool—AzTokenFinder
Security researcher @HackmichNet released last week a tool called AzTokenFinder that can find and extract Azure tokens from other processes, like PowerShell, Excel, Word, and others. Read more: HackmichNet/AzTokenFinder
BSides San Francisco 2022 videos
Talks from the BSides San Francisco 2022 security conference, which took place in June this year, are available on YouTube. Read more: BSidesSF 2022 Playlist
Google TAG history
Google has put together a nice video on how the TAG team came to be.