simontsui, to microsoft

Microsoft announces "Secure Future Initiative" (SFI) to combat cybercriminals and nation-state attackers in a changing threat landscape. They intend to apply an AI-based cyber defense.
Link: https://blogs.microsoft.com/on-the-issues/2023/11/02/secure-future-initiative-sfi-cybersecurity-cyberattacks/

#Microsoft #SecureFutureInitiative #SFI #cybercrime #cyberespionage #APT #pressrelease

simontsui, to Russia

Unit 42 reported on the Kazuar .NET backdoor used by Turla (attributed to Russia's Federal Security Service (FSB)) as a second stage payload. Unit 42 provides a technical analysis of Kazuar, including metadata, configuration, infrastructure and C2 communication. Also noteworthy are its anti-analysis features, system profiling capabilities, and specific targeting of cloud apps. IOC provided.
Link: https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/

#Turla #Russia #FSB #PensiveUrsa #IOC #cyberthreatintelligence #cyberespionage #APT #Kazuar

simontsui, (edited) to random

CISA adds CVE-2023-5631 (Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability, CVSS 5.4 medium severity, disclosed by ESET as an exploited zero-day by APT Winter Vivern) to the Known Exploited Vulnerabilities Catalog.

#CISA #KEV #eitw #KnownExploitedVulnerabilitiesCatalog #CVE20235631 #Roundcube #WinterVivern #APT #cyberespionage #vulnerability #zeroday

simontsui, to China

Security Week: Mandiant’s chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon. This Chinese state-sponsored APT targeted critical infrastructure in Guam and in the U.S.
Link: https://www.securityweek.com/mandiant-intelligence-chief-raises-alarm-over-chinas-volt-typhoon-hackers-in-us-critical-infrastructure/

#China #PRC #APT #cybersecuritynews #VoltTyphoon #cyberespionage #Guam #criticalinfrastructure

simontsui, to apple

Kaspersky elaborates on Operation Triangulation, in which domestic subscribers, diplomatic missions, and embassies were targeted with Apple iOS zero-days (Russia’s FSB accused the USA of Operation Triangulation). The threat actors introduced two validators in the infection chain in order to ensure that the exploits and the implant do not get delivered to security researchers. Additionally, microphone recording could be tuned in such a way that it stopped when the screen was being used. They used private undocumented APIs in the course of the attack, indicating a great understanding of iOS internals. They additionally implemented in some modules support for iOS versions prior to 8.0, suggesting access for years.
Link: https://securelist.com/triangulation-validators-modules/110847/

#OperationTriangulation #Apple #Kaspersky #zeroday #cyberthreatintelligence #cyberespionage

simontsui, to Discord

Trellix: Threat actors, including APTs, are abusing the Discord application for payload delivery, information stealing and data exfiltration. Trellix identified several malware families leveraging Discord's capabilities to conduct their operations, uncovering when they started abusing them. IOC provided.
Link: https://www.trellix.com/en-us/about/newsroom/stories/research/discord-i-want-to-play-a-game.html

Tags: #Discord #cyberthreatintelligence #cyberespionage #cybercrime #IOC #APT #agenttesla #NjRAT #venomRAT

simontsui, to random

Cluster25: low-medium confidence that Russian state-sponsored APT28 (Fancy Bear) is attributed to CVE-2023-38831 exploitation as part of a phishing campaign designed to harvest credentials from compromised systems. CVE-2023-38831 is a 7.8 high severity vulnerability in WinRAR that was exploited as a zero-day by cybercriminals, and disclosed by Group-IB on 23 August 2023.
Link: https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack

Tags: #WinRAR #CVE202338831 #APT28 #FancyBear #cyberespionage #cyberthreatintelligence #IOC

simontsui, to random

**Symantec:** new APT Grayling targets Taiwanese organizations in manufacturing, IT, and biomedical... as well as Pacific Island government org, Vietnam and U.S. orgs. Activity from February to May 2023. They exploit public facing applications, use DLL side-loading, and load custom malware and multiple publicly available tools. IOC provided.
Link: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks

Tags: #APT #cyberespionage #IOC #Grayling

simontsui, to China

ESET assesses with medium confidence that a cyberespionage campaign targeting a Guyana government entity is linked to a China-aligned threat actor. Initial infection was through spearphishing emails. ESET detailed the use of a new C++ backdoor dubbed DinodasRAT used for C2, with the exfiltrated data encrypted using the Tiny Encryption Algorithm (TEA). The threat actors also deployed Korplug. IOC provided.
Link: https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/

0x58, to infosec

Belgium’s intelligence service has been monitoring Alibaba’s main logistics hub in Europe for espionage following suspicions Beijing has been exploiting its growing economic presence in the west.

#infosec #threatintel #cyberespionage #alibaba #belgium

https://web.archive.org/web/20231006050435/https://www.ft.com/content/256ee824-9710-49d2-a8bc-f173e3f74286

simontsui, to iran

Trend Micro reports that APT34, a suspected Iranian cyberespionage group, used a new malware called Menorah in a phishing attack against a possible Saudi organization. They described the infection chain, performed a malware analysis, and provided IOC.
Link: https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html
Tags: #APT34 #OilRig #iran #LightlessCan #IOC #cyberespionage

0x58, to Cybersecurity

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #38/2023 is out! It includes the following and much more:

➝ 🔓 ❌ TransUnion Denies #Breach After Hacker Publishes Allegedly Stolen Data
➝ 🔓 ⚖️ Hackers breached International Criminal Court’s systems last week
➝ 🔓 🤖 #Microsoft #AI researchers accidentally exposed terabytes of internal sensitive data
➝ 🦠 💸 #BlackCat #ransomware hits #Azure Storage with #Sphynx encryptor
➝ 🇮🇷 🇮🇱 Iranian Nation-State Actor OilRig Targets Israeli Organizations
➝ 🇮🇳 #India's biggest tech centers named as #cybercrime hotspots
➝ 🇫🇮 💊 Finnish Authorities Dismantle Notorious #PIILOPUOTI Dark Web Drug Marketplace
➝ 🇨🇦 🇷🇺 Canadian Government Targeted With #DDoS Attacks by Pro-#Russia Group
➝ 🇨🇳 🇺🇸 #China Accuses U.S. of Decade-Long #Cyberespionage Campaign Against #Huawei Servers
➝ 🇺🇸 🇨🇳 China's Malicious Cyber Activity Informing War Preparations, #Pentagon Says
➝ 🇨🇳 🦠 New #SprySOCKS Linux #malware used in cyber espionage attacks
➝ 🇬🇧 🔐 UK Minister Warns #Meta Over End-to-End Encryption
➝ 🇺🇸 🇷🇺 One of the #FBI’s most wanted hackers is trolling the U.S. government
➝ 🦠 🥸 Fake #WinRAR proof-of-concept exploit drops #VenomRAT malware
➝ 🦠 📈 #P2PInfect botnet activity surges 600x with stealthier malware variants
➝ 🦠 📡 Hackers backdoor #telecom providers with new HTTPSnoop malware
➝ 🦠 🐝 #Bumblebee malware returns in new attacks abusing #WebDAV folders
➝ 🔐 #GitHub launches #passkey support into general availability
➝ ☑️ 🐧 Free Download Manager releases script to check for #Linux malware
➝ 💬 🔐 #Signal adds quantum-resistant encryption to its #E2EE messaging protocol
➝ 🍏 🔐 #iOS 17 includes these new security and #privacy features
➝ 🩹 High-Severity Flaws Uncovered in #Atlassian Products and ISC BIND Server
➝ 🩹 😡 Incomplete disclosures by #Apple and #Google create “huge blindspot” for 0-day hunters
➝ 🍏 🩹 Apple emergency updates fix 3 new zero-days exploited in attacks
➝ 🩹 #TrendMicro fixes #endpoint protection zero-day used in attacks
➝ 🩹 #Fortinet Patches High-Severity #Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
➝ 🔓 Nearly 12,000 #Juniper #Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability

📚 This week's recommended reading is: "Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It" by Marc Goodman

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

https://infosec-mashup.santolaria.net/p/infosec-mashup-week-382023

deltatux, to infosec

The Citizen Lab (@citizenlab) & Google Threat Analysis Group have disclosed a new targeted spy campaign that utilizes newly disclosed zero-days in iOS. These zero-days include a privilege escalation flaw in the OS kernel along with a WebKit flaw that allows attackers to install spyware & snoop on victim devices.

Citizen Lab & Google urge iPhone & iPad users to update to iOS 17.0.1 as soon as possible.

https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/

https://support.apple.com/en-us/HT213926

#infosec #cybersecurity #cyberespionage #spyware #ios #zeroday #citizenlab #Google

0x58, to Cybersecurity

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #35/2023 is out! It includes the following and much more:

➝ 🔓 🏌🏻‍♂️ Golf gear giant #Callaway data breach exposes info of 1.1 million
➝ 🔓 👕 Forever 21 data breach affects half a million people
➝ 🔓 🤦🏻‍♂️ #LogicMonitor customers hit by hackers, because of default passwords
➝ 🇺🇸 ⚖️ Lawsuit Accuses University of Minnesota of Not Doing Enough to Prevent #DataBreach
➝ 🎬 🔓 #Paramount discloses data breach following security incident
➝ 🏥 🔓 #Healthcare Organizations Hit by Cyberattacks Last Year Reported Big Impact, Costs
➝ 🇺🇸 🌎 #Microsoft joins a growing chorus of organizations criticizing a #UN cybercrime treaty
➝ 🇺🇸 🦠 U.S. Hacks #QakBot, Quietly Removes Botnet Infections
➝ 🇷🇺 🇺🇦 #Russia targets #Ukraine with new Android #backdoor, intel agencies say
➝ 🇷🇺 🕵🏻‍♂️ Unmasking #Trickbot, One of the World’s Top Cybercrime Gangs
➝ 🇨🇳 👀 ‘Earth Estries’ #Cyberespionage Group Targets Government, Tech Sectors
➝ 🇨🇳 Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom
➝ 💸 🇪🇺 Pay our ransom instead of a #GDPR fine, #cybercrime gang tells its targets
➝ 🇺🇸 🇨🇳 #Meta: Pro-Chinese influence operation was the largest in history
➝ 🇪🇸 📸 Spain warns of #LockBit Locker ransomware phishing attacks
➝ 🇵🇱 🚂 Two Men Arrested Following #Poland Railway Hacking
➝ 🇰🇵 🐍 #Lazarus hackers deploy fake #VMware PyPI packages in #VMConnect attacks
➝ 💸 #Classiscam fraud-as-a-service expands, now targets banks and 251 brands
➝ 💬 🎠 Trojanized #Signal and #Telegram apps on Google Play delivered spyware
➝ 🦠 📄 MalDoc in PDFs: Hiding malicious Word docs in PDF files
➝ 🇧🇷 👀 A Brazilian phone #spyware was hacked and victims’ devices ‘deleted’ from server
➝ 👨🏻‍💻 🔐 #GitHub Enterprise Server Gets New Security Capabilities
➝ 🚗 💰 Over $1 Million Offered at New #Pwn2Own #Automotive Hacking Contest
➝ 🩹 #Splunk Patches High-Severity Flaws in Enterprise, IT Service Intelligence
➝ ⛏️ 🔓 Recent #Juniper Flaws Chained in Attacks Following #PoC Exploit Publication

📚 This week's recommended reading is: "Spam Nation: The Inside Story of Organized Cybercrime―from Global Epidemic to Your Front Door" by @briankrebs

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

https://infosec-mashup.santolaria.net/p/infosec-mashup-week-352023

ChristinaLekati, to infosec

Germany's domestic intelligence apparatus (BfV), South Korea's National Intelligence Service (NIS) and the U.S. National Security Agency (NSA) warn about cyber attacks mounted by a threat actor tracked as Kimsuky, using #socialengineering and #malware to target think tanks, academia, and news media sectors.

"Kimsuky has been observed leveraging open source information ( #OSINT ) to identify potential targets of interest and subsequently craft their online personas to appear more legitimate by creating email addresses that resemble email addresses of real individuals they seek to impersonate.

The adoption of spoofed identities is a tactic embraced by other state-sponsored groups and is seen as a ploy to gain trust and build rapport with the victims. The adversary is also known to compromise the email accounts of the impersonated individuals to concoct convincing email messages.

#Kimsuky actors tailor their themes to their target's interests and will update their content to reflect current events discussed among the community of North Korea watchers.

Besides using multiple personas to communicate with a target, the electronic missives come bearing password-protected malicious documents, either attached directly or hosted on Google Drive or Microsoft OneDrive."

To read the full article (from @thehackernews):

https://thehackernews.com/2023/06/north-koreas-kimsuky-group-mimics-key.html?m=1

#cyber #opensourceintelligence #intelligence #nationalsecurity #cybersecurity #cybersecurityawareness #cybersecuritytraining #infosec #threatintelligence #threatintel #phishing #phishingattacks #cyberespionage #espionage

TechDesk, to random

For almost 20 years, the FBI has been tracking a cyber-espionage malware called "Snake" that is used by a hacking group affiliated with Russia's Federal Security Service. Here's how the U.S. government took it down.

https://techcrunch.com/2023/05/10/turla-snake-malware-network-russia-fsb/

#CyberEspionage #Malware

jasonkint, to random

For those watching the TikTok hearing - a thread of something most of the public missed two months ago as it was unsealed in a federal court late on a Friday night. Facebook tried to keep it secret for years - a Sep 2018 "Status and Re-scoped Approach" from the unprecedented audit Mark Zuckerberg promised Congress during its Cambridge Analytica scandal. /1

HistoPol,

@jasonkint @shashj

(4/n)

"...we have now identified 28 countries for our review, and elaborated the rationale for including those countries.

E.g., states known to collect data for #IntelligenceTargeting and #CyberEspionage.

We will separately review #China and #Russia, given the risk associated with those countries.
For other #jurisdictions, we have identified them as tier 1 ..."