The top U.S. #intelligence ofcl on Mon warned that the #war in #Gaza could embolden #terrorist groups, which are aligned in their opposition to the #UnitedStates for its support of #Israel.
“The crisis has galvanized #violence by a range of actors around the world. And while it is too early to tell, it is likely that the Gaza conflict will have a generational impact on #terrorism,” #ODNI#AvrilHaines, told an annual hearing on #GlobalSecurity#threats.
The cache — containing >570 files, images & chat logs — offers an unprecedented look inside the ops of one of the firms that #China’s govt agencies hire for on-demand, mass #data-collecting ops.
The files — posted to GitHub…& deemed credible by #cybersecurity experts…— detail contracts to extract foreign data over 8 yrs & describe targets w/in ≥20 foreign govts & territories, including India, Hong Kong, Thailand, South Korea, the United Kingdom, Taiwan & Malaysia….
“We rarely get such unfettered access to the inner workings of any intelligence operation,” said John Hultquist, chief analyst of MandiantIntelligence, a #cybersecurity firm owned by GoogleCloud. “We have every reason to believe this is the authentic data of a contractor supporting global & domestic #cyberespionage operations out of China,” he said.
US #intelligence ofcls see #China as the greatest long-term threat to American #security & have raised alarm about its targeted #hacking campaigns.
Hot off the press! CISA adds CVE-2023-43770 (6.1 medium) Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Why you should care about CVE-2023-43770:
ESET Research previously reported on 25 October 2023 that the Winter Vivern APT was exploiting a similar RoundCube cross-site scripting vulnerability CVE-2023-5631 as a zero-day against European overnmental entities and a think tank.
Check Point highlights the persistent threat of malicious Word/Excel Documents (maldocs):
Old Vulnerabilities Still Pose Risks: Despite being several years old, CVEs from 2017 and 2018 in Microsoft Word and Excel remain active threats in the cybersecurity landscape. Examples include CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802.
Widespread Use by Cybercriminals: These vulnerabilities are exploited by well-known malware such as GuLoader, Agent Tesla, Formbook, and others. APT groups also got on the list, with Gamaredon APT being a notable example. They target lucrative sectors like finance, government, and healthcare, indicating a strategic approach by attackers.
Challenges in Detection: Despite their age, these MalDocs can evade detection due to their sophisticated construction and the use of various tricks to bypass security measures.
This week's feature guest is CISA's assistant director for cybersecurity Eric Goldstein. He'll talk about CISA ordering USG agencies to disconnect their Ivanti equipment, the Volt Typhoon campaign and a Politico report into CISA's Joint Cyber Defense Collaborative. Up later today
Yet another JetBrains TeamCity On-Prem vulnerability: CVE-2024-23917 (9.8 critical)
If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.
Why you should care about CVE-2024-23917:
Russian Foreign Intelligence Service (SVR) exploited a similar JetBrains TeamCity authentication bypass vulnerability CVE-2023-42793 (9.8 critical) worldwide, as reported in a CISA cybersecurity advisory dated 13 December 2023, less than 2 months ago.
The Record: Chinese state-sponsored hackers broke into an internal computer network used by the Dutch Ministry of Defence last year, according to the Netherlands. Both the country’s military (MIVD) and civilian (AIVD) security services said the ministry had been hacked for espionage purposes after the threat actor exploited a vulnerability in FortiGate devices.
🔗 https://therecord.media/dutch-find-chinese-hackers-networks-fortinet
The Ministry of Defence (MOD) of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects were limited because of prior network segmentation.
Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code.
The COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls thatcould reveal its presence. It survives reboots and firmware upgrades.
MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.
MIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s)scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
Organizations that use FortiGate devices can check if they are affected using the detection methods described in section 4 of this report. Refer to section 5 for advice for incident response.
Action that organizations can take to prevent future malicious activity: for all internet-facing (edge)devices, install security patches from the vendor assoon as they become available. More preventive steps are described in section 5 of this report.
Cloudflare blog on Thanksgiving 2023 security incident:
"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network."
The Record: Hackers working for Russia’s intelligence services (Star Blizzard is attributed to FSB Center 18) are impersonating researchers and academics in an ongoing campaign to gain access to their colleagues’ email accounts, according to messages and files seen by Recorded Future News and independently analyzed by two cybersecurity companies.
🔗 https://therecord.media/russian-campaign-impersonating-western-researchers-academics
Ukraine's CERT-UA provides IOC and technical instructions for removing DIRTYMOE malware, which has worm-like capabilities and creates a DDoS botnet. The DIRTYMOE/Purple Fox infection of 2000+ affected computers and activity is tracked by the identifier UAC-0027.
🔗https://cert.gov.ua/article/6277422
🕵️♂️ #Russian state-backed #APT29 hacker group breached HP Enterprise's cloud emails, stealing confidential data from cybersecurity and key departments.
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.
🔗 https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
Cyber Espionage Unveiled: Defending Against Covert Digital Threats
Cyber espionage is a type of cyber attack that involves stealing classified, sensitive data or intellectual property to gain an advantage over a competitive company or government entity. It is a form of espionage that has moved into the cyber world, where armies of hackers from around the world use cyber warfare for economic, political, or military gain.
BlackBerry reported on a new commercial cyberespionage group called AeroBlade specifically targeting the U.S. Aerospace industry. With network infrastructure and weaponization that became operational in September 2022 and an offensive phase that began July 2023, this threat actor has improved their toolset for successful data exfiltration. IOC provided.
🔗 https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #46/2023 is out! It includes the following and much more:
➝ 🔓 🇯🇵 #Toyota confirms breach after Medusa #ransomware threatens to leak data
➝ 🇺🇸 😂 Ransomware gang files #SEC complaint over victim’s undisclosed #breach
➝ 🔓 🪶 Attackers claim Plume Design, Inc data breach
➝ 🇺🇸 💰 #ICBC paid ransom after hack that disrupted markets, #cybercriminals say
➝ 🔓 #Dragos Says No Evidence of Breach After Ransomware Gang Claims Hack via Third Party
➝ 🔓 ✈️ Hackers swipe Booking.com, damage from attack is global
➝ 🇷🇺 🇺🇦 Russian #CyberEspionage Group Deploys #LitterDrifter USB #Worm in Targeted Attacks
➝ 🇮🇱 🇺🇸 Israeli Man Who Made $5M From Hacking Scheme Sentenced to Prison in US
➝ 🇫🇮 ⚖️ Alleged Extortioner of Psychotherapy Patients Faces Trial
➝ 🇺🇸 💸 #LockBit ransomware exploits #CitrixBleed in attacks, 10K servers exposed
➝ 🇺🇸 ⚖️ #IPStorm botnet with 23,000 proxies for malicious traffic dismantled
➝ 👶🏻 🧨 Teens with “digital bazookas” are winning the ransomware war, researcher laments
➝ 💸 #Ethereum feature abused to steal $60 million from 99K victims
➝ 🇩🇰 🇷🇺 #Denmark Hit With Largest #Cyberattack on Record
➝ 🇨🇳 🇰🇭 Chinese Hackers Launch Covert #Espionage Attacks on 24 Cambodian Organizations
➝ 🇲🇾 Major Phishing-as-a-Service Syndicate '#BulletProofLink' Dismantled by Malaysian Authorities
➝ 🇪🇺 🥳 EU Parliament committee rejects mass scanning of private and encrypted communications
➝ 🩹 #ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric
➝ 🦠 🐍 27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts
🇻🇳 🇮🇳 Vietnamese Hackers Using New #Delphi-Powered #Malware to Target Indian Marketers
➝ 🔐 #Google Adds #Passkey Support to New Titan Security Key
➝ 🐛 Zero-Day Flaw in #Zimbra Email Software Exploited by Four Hacker Groups
➝ 🩹 #SAP Patches Critical Vulnerability in Business One Product
➝ 🐛 New #Reptar CPU flaw impacts Intel desktop and server systems
➝ 🐛 New #CacheWarp AMD #CPU attack lets hackers gain root in Linux VMs
📚 This week's recommended reading is: "Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World" by @marcusjcarey and Jennifer Jin
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
Censys assesses that Russian company Raccoon Security is a brand of NTC Vulkan, an IT company contracted by Russian intelligence to create offensive cyber tools. NTC Vulkan documents were leaked, and they detail project requirements contracted with the Russian Ministry of Defense, including in at least one instance for GRU Unit 74455, also known as Sandworm Team, according to Mandiant. Censys assesses with high confidence that the NTC Vulkan hosts, certificates, and domains identified in this report belong to the same NTC Vulkan, and that Raccoon Security, and its related domains, host, and certificates belong to the Moscow-based cybersecurity development brand of the same name. Links:https://censys.com/discovery-of-ntc-vulkan-infrastructure/ and see semi-related Mandiant article.
Denmark's CERT (SektorCERT) reported that 22 companies that operate parts of Danish energy infrastructure were compromised in a May 2023 coordinated attack, linked to SANDWORM actors. Sandworm is a state-sponsored APT publicly attributed to Russian General Staff Main Intelligence Directorate’s Russian (GRU’s) Main Centre for Special Technologies (GTsST) by the U.S. government. The attackers leveraged a Zyxel vulnerability CVE-2023-28771 (9.8 critical) to gain control of the firewall. SektorCERT's incident response report includes a detailed analysis and timeline of the attack, recommendations and IOC. Link:https://media.licdn.com/dms/document/media/D4D1FAQG-Qsry8BH9dg/feedshare-document-pdf-analyzed/0/1699785104486?e=1700697600&v=beta&t=icNMQ-rDYgeSojoaax-1KpC7YrCF7MVtkrDClSFiKIY
The Australian Cyber Security Centre (ACSC) Australian Signals Directorate (ASD) released the ASD Cyber Threat Report 2022-2023. Their executive summary notes that Australian networks were regularly targeted by both opportunistic and more deliberate malicious cyber activity.
State actors focused on critical infrastructure, data theft, and disruption of business. Notably "The AUKUS partnership, with its focus on nuclear submarines and other advanced military capabilities, is likely a target for state actors looking to steal intellectual property for their own military programs." They call out China and Russia specifically.
Australian critical infrastructure was targeted via increasingly interconnected systems.
Cybercriminals continued to adapt tactics to extract maximum payment from victims.
Data breaches impacted many Australians.
1 in 5 critical vulnerabilities was exploited within 48 hours.
Recorded Future: Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. Their cyber operations focus on targets that align with China's military, political, economic, and domestic security priorities. No IOCs. Link:https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power