๐จ Latest issue of my curated #cybersecurity and #infosec list of resources for week #35/2023 is out! It includes the following and much more:
โ ๐ ๐๐ปโโ๏ธGolf gear giant #Callaway data breach exposes info of 1.1 million
โ ๐๐ Forever 21 data breach affects half a million people
โ ๐ ๐คฆ๐ปโโ๏ธ #LogicMonitor customers hit by hackers, because of default passwords
โ ๐บ๐ธ โ๏ธ Lawsuit Accuses University of Minnesota of Not Doing Enough to Prevent #DataBreach
โ ๐ฌ ๐ #Paramount discloses data breach following security incident
โ ๐ฅ ๐ #Healthcare Organizations Hit by Cyberattacks Last Year Reported Big Impact, Costs
โ ๐บ๐ธ ๐ #Microsoft joins a growing chorus of organizations criticizing a #UN cybercrime treaty
โ ๐บ๐ธ ๐ฆ U.S. Hacks #QakBot, Quietly Removes Botnet Infections
โ ๐ท๐บ ๐บ๐ฆ #Russia targets #Ukraine with new Android #backdoor, intel agencies say
โ ๐ท๐บ ๐ต๐ปโโ๏ธ Unmasking #Trickbot, One of the Worldโs Top Cybercrime Gangs
โ ๐จ๐ณ ๐ โEarth Estriesโ #Cyberespionage Group Targets Government, Tech Sectors
โ ๐จ๐ณ Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom
โ ๐ธ ๐ช๐บ Pay our ransom instead of a #GDPR fine, #cybercrime gang tells its targets
โ ๐บ๐ธ ๐จ๐ณ #Meta: Pro-Chinese influence operation was the largest in history
โ ๐ช๐ธ ๐ธ Spain warns of #LockBit Locker ransomware phishing attacks
โ ๐ต๐ฑ ๐ Two Men Arrested Following #Poland Railway Hacking
โ ๐ฐ๐ต ๐ #Lazarus hackers deploy fake #VMware PyPI packages in #VMConnect attacks
โ ๐ธ #Classiscam fraud-as-a-service expands, now targets banks and 251 brands
โ ๐ฌ ๐ Trojanized #Signal and #Telegram apps on Google Play delivered spyware
โ ๐ฆ ๐ MalDoc in PDFs: Hiding malicious Word docs in PDF files
โ ๐ง๐ท ๐ A Brazilian phone #spyware was hacked and victimsโ devices โdeletedโ from server
โ ๐จ๐ปโ๐ป ๐ #GitHub Enterprise Server Gets New Security Capabilities
โ ๐ ๐ฐ Over $1 Million Offered at New #Pwn2Own#Automotive Hacking Contest
โ ๐ฉน #Splunk Patches High-Severity Flaws in Enterprise, IT Service Intelligence
โ โ๏ธ ๐ Recent #Juniper Flaws Chained in Attacks Following #PoC Exploit Publication
๐ This week's recommended reading is: "Spam Nation: The Inside Story of Organized Cybercrimeโfrom Global Epidemic to Your Front Door" by @briankrebs
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end โฌ๏ธ
๐จ Latest issue of my curated #cybersecurity and #infosec list of resources for week #46/2023 is out! It includes the following and much more:
โ ๐ ๐ฏ๐ต #Toyota confirms breach after Medusa #ransomware threatens to leak data
โ ๐บ๐ธ ๐ Ransomware gang files #SEC complaint over victimโs undisclosed #breach
โ ๐ ๐ชถ Attackers claim Plume Design, Inc data breach
โ ๐บ๐ธ ๐ฐ #ICBC paid ransom after hack that disrupted markets, #cybercriminals say
โ ๐ #Dragos Says No Evidence of Breach After Ransomware Gang Claims Hack via Third Party
โ ๐ โ๏ธ Hackers swipe Booking.com, damage from attack is global
โ ๐ท๐บ ๐บ๐ฆ Russian #CyberEspionage Group Deploys #LitterDrifter USB #Worm in Targeted Attacks
โ ๐ฎ๐ฑ ๐บ๐ธ Israeli Man Who Made $5M From Hacking Scheme Sentenced to Prison in US
โ ๐ซ๐ฎ โ๏ธ Alleged Extortioner of Psychotherapy Patients Faces Trial
โ ๐บ๐ธ ๐ธ #LockBit ransomware exploits #CitrixBleed in attacks, 10K servers exposed
โ ๐บ๐ธ โ๏ธ #IPStorm botnet with 23,000 proxies for malicious traffic dismantled
โ ๐ถ๐ป ๐งจ Teens with โdigital bazookasโ are winning the ransomware war, researcher laments
โ ๐ธ #Ethereum feature abused to steal $60 million from 99K victims
โ ๐ฉ๐ฐ ๐ท๐บ #Denmark Hit With Largest #Cyberattack on Record
โ ๐จ๐ณ ๐ฐ๐ญ Chinese Hackers Launch Covert #Espionage Attacks on 24 Cambodian Organizations
โ ๐ฒ๐พ Major Phishing-as-a-Service Syndicate '#BulletProofLink' Dismantled by Malaysian Authorities
โ ๐ช๐บ ๐ฅณ EU Parliament committee rejects mass scanning of private and encrypted communications
โ ๐ฉน #ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric
โ ๐ฆ ๐ 27 Malicious #PyPI Packages with Thousands of Downloads Found Targeting IT Experts
๐ป๐ณ ๐ฎ๐ณ Vietnamese Hackers Using New #Delphi-Powered #Malware to Target Indian Marketers
โ ๐ #Google Adds #Passkey Support to New Titan Security Key
โ ๐ Zero-Day Flaw in #Zimbra Email Software Exploited by Four Hacker Groups
โ ๐ฉน #SAP Patches Critical Vulnerability in Business One Product
โ ๐ New #Reptar CPU flaw impacts Intel desktop and server systems
โ ๐ New #CacheWarp AMD #CPU attack lets hackers gain root in Linux VMs
๐ This week's recommended reading is: "Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World" by @marcusjcarey and Jennifer Jin
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end โฌ๏ธ
Germany's domestic intelligence apparatus (BfV), South Korea's National Intelligence Service (NIS) and the U.S. National Security Agency (NSA) warn about cyber attacks mounted by a threat actor tracked as Kimsuky, using #socialengineering and #malware to target think tanks, academia, and news media sectors.
"Kimsuky has been observed leveraging open source information ( #OSINT ) to identify potential targets of interest and subsequently craft their online personas to appear more legitimate by creating email addresses that resemble email addresses of real individuals they seek to impersonate.
The adoption of spoofed identities is a tactic embraced by other state-sponsored groups and is seen as a ploy to gain trust and build rapport with the victims. The adversary is also known to compromise the email accounts of the impersonated individuals to concoct convincing email messages.
#Kimsuky actors tailor their themes to their target's interests and will update their content to reflect current events discussed among the community of North Korea watchers.
Besides using multiple personas to communicate with a target, the electronic missives come with bearing with password-protected malicious documents, either attached directly or hosted on Google Drive or Microsoft OneDrive."
Check Point highlights the persistent threat of malicious Word/Excel Documents (maldocs):
Old Vulnerabilities Still Pose Risks: Despite being several years old, CVEs from 2017 and 2018 in Microsoft Word and Excel remain active threats in the cybersecurity landscape. Examples include CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802.
Widespread Use by Cybercriminals: These vulnerabilities are exploited by well-known malware such as GuLoader, Agent Tesla, Formbook, and others. APT groups also got on the list, with Gamaredon APT being a notable example. They target lucrative sectors like finance, government, and healthcare, indicating a strategic approach by attackers.
Challenges in Detection: Despite their age, these MalDocs can evade detection due to their sophisticated construction and the use of various tricks to bypass security measures.
The Australian Cyber Security Centre (ACSC) Australian Signals Directorate (ASD) released the ASD Cyber Threat Report 2022-2023. Their executive summary notes that Australian networks were regularly targeted by both opportunistic and more deliberate malicious cyber activity.
State actors focused on critical infrastructure, data theft, and disruption of business. Notably "The AUKUS partnership, with its focus on nuclear submarines and other advanced military capabilities, is likely a target for state actors looking to steal intellectual property for their own military programs." They call out China and Russia specifically.
Australian critical infrastructure was targeted via increasingly interconnected systems.
Cybercriminals continued to adapt tactics to extract maximum payment from victims.
Data breaches impacted many Australians.
1 in 5 critical vulnerabilities was exploited within 48 hours.
The cache โ containing >570 files, images & chat logs โ offers an unprecedented look inside the ops of one of the firms that #Chinaโs govt agencies hire for on-demand, mass #data-collecting ops.
The files โ posted to GitHubโฆ& deemed credible by #cybersecurity expertsโฆโ detail contracts to extract foreign data over 8 yrs & describe targets w/in โฅ20 foreign govts & territories, including India, Hong Kong, Thailand, South Korea, the United Kingdom, Taiwan & Malaysiaโฆ.
**Symantec:**new APT Grayling targets Taiwanese organizations in manufacturing, IT, and biomedical... as well as Pacific Island government org, Vietnam and U.S. orgs. Activity from February to May 2023. They exploit public facing applications, use DLL side-loading, and load custom malware and multiple publicly available tools. IOC provided. Link:https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks
๐จ Latest issue of my curated #cybersecurity and #infosec list of resources for week #38/2023 is out! It includes the following and much more:
โ ๐ โ TransUnion Denies #Breach After Hacker Publishes Allegedly Stolen Data
โ ๐ โ๏ธ Hackers breached International Criminal Courtโs systems last week
โ ๐ ๐ค #Microsoft#AI researchers accidentally exposed terabytes of internal sensitive data
โ ๐ฆ ๐ธ #BlackCat#ransomware hits #Azure Storage with #Sphynx encryptor
โ ๐ฎ๐ท ๐ฎ๐ฑ Iranian Nation-State Actor OilRig Targets Israeli Organizations
โ ๐ฎ๐ณ #India's biggest tech centers named as #cybercrime hotspots
โ ๐ซ๐ฎ ๐ Finnish Authorities Dismantle Notorious #PIILOPUOTI Dark Web Drug Marketplace
โ ๐จ๐ฆ ๐ท๐บ Canadian Government Targeted With #DDoS Attacks by Pro-#Russia Group
โ ๐จ๐ณ ๐บ๐ธ #China Accuses U.S. of Decade-Long #Cyberespionage Campaign Against #Huawei Servers
โ ๐บ๐ธ ๐จ๐ณ China's Malicious Cyber Activity Informing War Preparations, #Pentagon Says
โ ๐จ๐ณ ๐ฆ New #SprySOCKS Linux #malware used in cyber espionage attacks
โ ๐ฌ๐ง ๐ UK Minister Warns #Meta Over End-to-End Encryption
โ ๐บ๐ธ ๐ท๐บ One of the #FBIโs most wanted hackers is trolling the U.S. government
โ ๐ฆ ๐ฅธ Fake #WinRAR proof-of-concept exploit drops #VenomRAT malware
โ ๐ฆ ๐ #P2PInfect botnet activity surges 600x with stealthier malware variants
โ ๐ฆ ๐ก Hackers backdoor #telecom providers with new HTTPSnoop malware
โ ๐ฆ ๐ #Bumblebee malware returns in new attacks abusing #WebDAV folders
โ ๐ #GitHub launches #passkey support into general availability
โ โ๏ธ ๐ง Free Download Manager releases script to check for #Linux malware
โ ๐ฌ ๐ #Signal adds quantum-resistant encryption to its #E2EE messaging protocol
โ ๐ ๐ #iOS 17 includes these new security and #privacy features
โ ๐ฉน High-Severity Flaws Uncovered in #Atlassian Products and ISC BIND Server
โ ๐ฉน ๐ก Incomplete disclosures by #Apple and #Google create โhuge blindspotโ for 0-day hunters
โ ๐ ๐ฉน Apple emergency updates fix 3 new zero-days exploited in attacks
โ ๐ฉน #TrendMicro fixes #endpoint protection zero-day used in attacks
โ ๐ฉน #Fortinet Patches High-Severity #Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
โ ๐ Nearly 12,000 #Juniper#Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability
๐ This week's recommended reading is: "Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It" by Marc Goodman
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end โฌ๏ธ
Yet another JetBrains TeamCity On-Prem vulnerability: CVE-2024-23917 (9.8 critical)
If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.
Why you should care about CVE-2024-23917:
Russian Foreign Intelligence Service (SVR) exploited a similar JetBrains TeamCity authentication bypass vulnerability CVE-2023-42793 (9.8 critical) worldwide, as reported in a CISA cybersecurity advisory dated 13 December 2023, less than 2 months ago.
Hot off the press! CISA adds CVE-2023-43770 (6.1 medium) Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
๐ (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Why you should care about CVE-2023-43770:
ESET Research previously reported on 25 October 2023 that the Winter Vivern APT was exploiting a similar RoundCube cross-site scripting vulnerability CVE-2023-5631 as a zero-day against European overnmental entities and a think tank.
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.
๐ https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
Denmark's CERT (SektorCERT) reported that 22 companies that operate parts of Danish energy infrastructure were compromised in a May 2023 coordinated attack, linked to SANDWORM actors. Sandworm is a state-sponsored APT publicly attributed to Russian General Staff Main Intelligence Directorateโs Russian (GRUโs) Main Centre for Special Technologies (GTsST) by the U.S. government. The attackers leveraged a Zyxel vulnerability CVE-2023-28771 (9.8 critical) to gain control of the firewall. SektorCERT's incident response report includes a detailed analysis and timeline of the attack, recommendations and IOC. Link:https://media.licdn.com/dms/document/media/D4D1FAQG-Qsry8BH9dg/feedshare-document-pdf-analyzed/0/1699785104486?e=1700697600&v=beta&t=icNMQ-rDYgeSojoaax-1KpC7YrCF7MVtkrDClSFiKIY
The Record: Chinese state-sponsored hackers broke into an internal computer network used by the Dutch Ministry of Defence last year, according to the Netherlands. Both the countryโs military (MIVD) and civilian (AIVD) security services said the ministry had been hacked for espionage purposes after the threat actor exploited a vulnerability in FortiGate devices.
๐ https://therecord.media/dutch-find-chinese-hackers-networks-fortinet
The Ministry of Defence (MOD) of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects were limited because of prior network segmentation.
Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code.
The COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls thatcould reveal its presence. It survives reboots and firmware upgrades.
MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the Peopleโs Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.
MIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s)scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
Organizations that use FortiGate devices can check if they are affected using the detection methods described in section 4 of this report. Refer to section 5 for advice for incident response.
Action that organizations can take to prevent future malicious activity: for all internet-facing (edge)devices, install security patches from the vendor assoon as they become available. More preventive steps are described in section 5 of this report.
BlackBerry reported on a new commercial cyberespionage group called AeroBlade specifically targeting the U.S. Aerospace industry. With network infrastructure and weaponization that became operational in September 2022 and an offensive phase that began July 2023, this threat actor has improved their toolset for successful data exfiltration. IOC provided.
๐ https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry
Ukraine's CERT-UA provides IOC and technical instructions for removing DIRTYMOE malware, which has worm-like capabilities and creates a DDoS botnet. The DIRTYMOE/Purple Fox infection of 2000+ affected computers and activity is tracked by the identifier UAC-0027.
๐https://cert.gov.ua/article/6277422
The Record: Hackers working for Russiaโs intelligence services (Star Blizzard is attributed to FSB Center 18) are impersonating researchers and academics in an ongoing campaign to gain access to their colleaguesโ email accounts, according to messages and files seen by Recorded Future News and independently analyzed by two cybersecurity companies.
๐ https://therecord.media/russian-campaign-impersonating-western-researchers-academics
Cloudflare blog on Thanksgiving 2023 security incident:
"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflareโs global network."
This week's feature guest is CISA's assistant director for cybersecurity Eric Goldstein. He'll talk about CISA ordering USG agencies to disconnect their Ivanti equipment, the Volt Typhoon campaign and a Politico report into CISA's Joint Cyber Defense Collaborative. Up later today
Censys assesses that Russian company Raccoon Security is a brand of NTC Vulkan, an IT company contracted by Russian intelligence to create offensive cyber tools. NTC Vulkan documents were leaked, and they detail project requirements contracted with the Russian Ministry of Defense, including in at least one instance for GRU Unit 74455, also known as Sandworm Team, according to Mandiant. Censys assesses with high confidence that the NTC Vulkan hosts, certificates, and domains identified in this report belong to the same NTC Vulkan, and that Raccoon Security, and its related domains, host, and certificates belong to the Moscow-based cybersecurity development brand of the same name. Links:https://censys.com/discovery-of-ntc-vulkan-infrastructure/ and see semi-related Mandiant article.
๐ต๏ธโโ๏ธ #Russian state-backed #APT29 hacker group breached HP Enterprise's cloud emails, stealing confidential data from cybersecurity and key departments.