Cybersecurity Briefing | A Recap of Cybersecurity News in November 2023

Industry State of the Art

Government cybersecurity and oversight agencies, particularly in the US, kept up their steady cadence of advisories on the most notable current threats. Scattered Spider, Diamond Sleet, Sapphire Sleet, Rhysida ransomware, Royal ransomware, and the Silent Ransom Group all received extra attention this month, while long-standing concerns continued with the Play, LockBit, and Cl0p ransomware groups. Governments and regulators around the world continue to struggle to get ahead of the risks posed by the rapid growth of artificial intelligence.


Standards & Advisories

MITRE ATT&CK v14 released - Help Net Security

“MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers.”


FBI and CISA Release Advisory on Scattered Spider Group

“Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) on Scattered Spider—a cybercriminal group targeting commercial facilities sectors and subsectors. The advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023.

Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs.

FBI and CISA encourage network defenders and critical infrastructure organizations to review the joint CSA for recommended mitigations to reduce the likelihood and impact of a cyberattack by Scattered Spider actors. For more information, visit StopRansomware and see the updated #StopRansomware Guide.”


FBI Warns: 5 Weeks In, Gaza Email Scams Still Thriving

“On Nov. 14, and Nov. 6, different branches of the FBI published alerts that cybercriminals are masquerading as fundraisers and charities, using emails, social media, cold calls, and crowdfunding websites to convince victims that their money will go to either Palestinian or Israeli victims of the conflict. Often they're opportunistic cybercriminals, but sometimes they're terrorist organizations, which "often establish fake charities using social media platforms to subsidize their operations," the Bureau noted.”


CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware

“Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.

Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.

CISA, FBI, and MS-ISAC encourage organizations to review the joint CSA for recommended mitigations to reduce the likelihood and impact of Rhysida and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage, which includes the updated #StopRansomware Guide.”


CISA Releases Roadmap for Artificial Intelligence Adoption

“Today, CISA released its Roadmap for Artificial Intelligence—in alignment with White House Executive Order 14110: Safe, Secure, And Trustworthy Development and Use of Artificial Intelligence—to outline a comprehensive set of actions CISA will take along five lines of effort:

  1. Responsibly use AI to support our mission.
  2. Assure AI systems.
  3. Protect critical infrastructure from malicious use of AI.
  4. Collaborate and communicate on key AI efforts with the interagency, international partners, and the public.
  5. Expand AI expertise in our workforce.

Learn more about CISA’s Roadmap for Artificial Intelligence at cisa.gov/AI.”


FBI: Royal ransomware asked 350 victims to pay $275 million

“The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022.

In an update to the original advisory published in March with additional information discovered during FBI investigations, the two agencies also noted that the ransomware operation is linked to more than $275 million in ransom demands.”


Legislation & Regulatory

28 Countries Sign Bletchley Declaration on Responsible Development of AI

“The UK government called it a “landmark” decision for the future of artificial intelligence (AI). The Bletchley Declaration, an international agreement listing opportunities, risks and needs for global action on ‘frontier AI,’ systems that pose the most urgent and dangerous risks, has been signed by 28 countries, including the US, the UK, China, six EU member states, Brazil, Nigeria, Israel and Saudi Arabia.

All these countries attended the UK’s AI Safety Summit, taking place in Bletchley Park, England, on November 1-2.

The Declaration fulfills key summit objectives in establishing shared agreement and responsibility on the risks, opportunities and a forward process for international collaboration on frontier AI safety and research, particularly through greater scientific collaboration.”


NY governor wants new cybersecurity rules for hospitals after multiple attacks

“New York’s governor has proposed several new cybersecurity rules for the state’s hospitals following several attacks that limited operations at healthcare facilities for weeks this year.

Gov. Kathy Hochul wants to force hospitals to establish cybersecurity programs, assess cybersecurity risks, use defensive techniques and infrastructure, and implement protection measures for information systems.

Hospitals would have to create a chief information security officer role if they do not have one already.

Facilities would need to develop incident response plans and outline how they plan to notify the appropriate government bodies in the event of an attack. Hochul’s proposal includes measures to require hospitals to run tests of their response plans that ensure patient care can continue while systems are being restored.”


EU Formalizes Cybersecurity Support For Ukraine - Infosecurity Magazine

“The EU has cemented ties with Ukraine on cybersecurity cooperation, with a new formal agreement designed to improve information sharing and capacity building.

Announced today, the agreement formalizes discussions begun in Warsaw during the EU-Ukraine Cybersecurity Dialogue last year. It was signed by EU security agency ENISA, and Ukraine’s National Cybersecurity Coordination Center (NCCC) and the Administration of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).

The broad-based arrangement covers “short-term structured cooperation actions,” but also has a focus on longer term policy alignment, ENISA said. It covers three areas:

  • Cyber awareness and capacity building to boost resilience. This could include Ukrainian participation in EU-wide cybersecurity exercises and training sessions, possible secondment arrangements, and sharing and promotion of cyber-awareness tools and programs
  • Alignment of legislation and implementation including NIS2, and a focus on critical infrastructure sectors such as telecommunications and energy
  • More systematic knowledge and information sharing to enhance situational awareness”


The US government wants to offer better cybersecurity to major infrastructure firms | TechRadar

“The US government's Cybersecurity and Infrastructure Security Agency (CISA) is expanding its managed cybersecurity services to critical infrastructure entities in a bid to further safeguard key platforms. 

The organization said its security project had proved a significant success so far, and that expanding it will not only help stress-test its capabilities but also take the load off security teams struggling to keep up with ever-intensifying attacks.

In a press release, CISA said it had started deploying its Protective Domain Name System (DNS) Resolver to pilot participants. Before that, the program was only available to federal civilian agencies.”


US, Britain, other countries ink agreement to make AI 'secure by design' | Reuters

“WASHINGTON, Nov 27 (Reuters) - The United States, Britain and more than a dozen other countries on Sunday unveiled what a senior U.S. official described as the first detailed international agreement on how to keep artificial intelligence safe from rogue actors, pushing for companies to create AI systems that are "secure by design."

In a 20-page document unveiled Sunday, the 18 countries agreed that companies designing and using AI need to develop and deploy it in a way that keeps customers and the wider public safe from misuse.

The agreement is non-binding and carries mostly general recommendations such as monitoring AI systems for abuse, protecting data from tampering and vetting software suppliers.

Still, the director of the U.S. Cybersecurity and Infrastructure Security Agency, Jen Easterly, said it was important that so many countries put their names to the idea that AI systems needed to put safety first.”


Trends

This month marked the shift into the recurring annual holiday cycle. Marked increases in phishing and scam attempts were noted, along with a matching surge of reports trying to make users better prepared for them. Artificial intelligence continues to be an endless source of speculation and consternation as governments and industry work out how best to leverage and mitigate the technology. The scale of the problem of dismantling cyberthreats was highlighted again as raids and arrests took players off the board and new actors sprang up almost instantly to fill the void. And finally, we have entered the season when companies race to assemble their annual reports and predictions for the coming year.

Threat reports

Crimeware and financial cyberthreat predictions for 2024 | Securelist

ASD Cyber Threat Report 2022-2023 | Cyber.gov.au

NCSC Annual Review 2023 - NCSC.GOV.UK

The song remains the same: The 2023 Active Adversary Report for Security Practitioners – Sophos News

SMB Threat Report | Huntress

Mergers, Acquisitions, Funding, Partnerships

Funding news looked up this month. While funding for new ventures still seems a little tight, as might be expected for this time of year, there was plenty of acquisition activity, and significant layoffs appear to have tapered off to normal levels as well.


Funding

Authentication startup FusionAuth raises $65M, its first outside round | TechCrunch

Vulcan Cyber, which scans software for security vulnerabilities, lands $55M cash infusion | TechCrunch


Acquisitions

PagerDuty scoops up incident management startup Jeli.io | TechCrunch

Accenture Acquires Innotec Security, Expands Cybersecurity Presence in Spain

Confirmed: Palo Alto has acquired Talon Cyber Security, sources say for $625M | TechCrunch

BigBear.ai to Acquire Pangiam, Combining Facial Recognition and Advanced Biometrics with BigBear.ai’s Computer Vision Capabilities to Spearhead the Vision AI Industry

SentinelOne to acquire cybersecurity consulting firm Krebs Stamos Group

Boltonshield Acquires scanmeter to Enable Continuous Automated Cybersecurity Testing

SonicWall Acquires Managed Detection and Response Services Tailor-Made for MSPs/MSSPs

MSP C3 Buys MSSP Ingalls Information Security

Washington Harbour Buys Cybersecurity Services Provider SIXGEN - GovCon Wire

Broadcom Acquires VMware in a $61 Billion Deal

Cybersecurity platform Kiteworks acquires Round2 Capital-backed DRACOON; Know more | Silicon Canals

Amentum Announces Agreement to Merge with Jacobs’ Critical Mission Solutions and Cyber and Intelligence Businesses - HS Today


Headline news

DNSFilter

Private Browsing: Incognito Mode Isn’t Doing What You Think It’s Doing - WSJ

“There is an urban myth that says online shoppers who doggedly search for certain items on the web get tagged by algorithms that then cause them to see higher prices than others shopping for those same items.

But while such “private” settings as Google Chrome’s Incognito mode or Safari private browsing mode do offer some benefits, getting a better price isn’t one of them.”

The Differences Between DNS Security and Protective DNS

“When researchers talk about DNS security, they often refer to anything that protects DNS infrastructure. Although protective DNS and DNS security fall under the cybersecurity umbrella, protective DNS takes a different approach to cybersecurity than standard DNS security. Both security strategies are important for the stability of your business, but protective DNS reduces risks from your weakest link–human error. Protective DNS is critical for your endpoint security, and it adds data protection, anti-phishing, and anti-malware protection for users.”


Major news

General Industry News

Microsoft’s Windows Hello fingerprint authentication has been bypassed - The Verge

“Microsoft’s Windows Hello fingerprint authentication has been bypassed on laptops from Dell, Lenovo, and even Microsoft. Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in the top three fingerprint sensors that are embedded into laptops and used widely by businesses to secure laptops with Windows Hello fingerprint authentication.”


LummaC2 Malware Deploys New Trigonometry-Based Anti-Sandbox Technique

“The stealer malware known as LummaC2 (aka Lumma Stealer) now features a new anti-sandbox technique that leverages the mathematical principle of trigonometry to evade detection and exfiltrate valuable information from infected hosts.

The method is designed to "delay detonation of the sample until human mouse activity is detected," Outpost24 security researcher Alberto Marín said in a technical report shared with The Hacker News.

Written in the C programming language, LummaC2 has been sold in underground forums since December 2022. The malware has since received iterative updates that make it harder to analyze via control flow flattening and even allow it to deliver additional payloads.

The current version of LummaC2 (v4.0) also requires its customers to use a crypter as an added concealing mechanism, not to mention prevent it from being leaked in its raw form.

Another noteworthy update is the reliance on trigonometry to detect human behavior on the infiltrated endpoint.”


New Reptar CPU flaw impacts Intel desktop and server systems

“Intel has fixed a high-severity CPU vulnerability in its modern desktop, server, mobile, and embedded CPUs, including the latest Alder Lake, Raptor Lake, and Sapphire Rapids microarchitectures.

Attackers can exploit the flaw—tracked as CVE-2023-23583 and described as a 'Redundant Prefix Issue'—to escalate privileges, gain access to sensitive information, or trigger a denial of service state (something that could prove very costly for cloud providers).”


DOJ to Launch Emerging Tech Board, Ensure Ethical Use of AI

“The Justice Department plans to help define the ethical and legal implications of using AI tools in law enforcement and national security investigations. A top DOJ official announced plans to create an emerging technology board on Wednesday, just eight days after President Joe Biden had signed an executive order on responsible AI.”


Discord will switch to temporary file links to block malware delivery

“Discord will switch to temporary file links for all users by the end of the year to block attackers from using its CDN (content delivery network) for hosting and pushing malware.

After the file hosting change (described by Discord as authentication enforcement) rolls out later this year, all links to files uploaded to Discord servers will expire after 24 hours.

CDN URLs will come with three new parameters that will add expiration timestamps and unique signatures that will remain valid until the links expire, preventing the use of Discord's CDN for permanent file hosting.

While these parameters are already being added to Discord links, they still need to be enforced, and links shared outside Discord servers will only expire once the company rolls out its authentication enforcement changes.”
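As an added illustration (not Discord's code), the following Python shows how a CDN link can carry an issue time, an expiry and a signature binding both to the file path, so that an expired link, or one whose parameters were edited, is refused. The parameter names (`iat`, `exp`, `sig`), the HMAC-SHA256 scheme and the key are assumptions for the example; the page does not describe Discord's actual parameters or algorithm.

```python
"""Expiring, signed CDN links of the kind the Discord change introduces.

Added example, not Discord's code. Parameter names `iat`, `exp`, `sig` and the
HMAC-SHA256 scheme are assumptions for illustration only.
"""
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# Server-side secret, constructed for this example only.
SIGNING_KEY = b"example-cdn-signing-key-not-a-real-secret"
LINK_LIFETIME = 24 * 3600  # 24 hours, as described in the article


def _mac(path: str, iat: int, exp: int) -> str:
    # Bind the signature to the file path and both timestamps so that none of
    # them can be changed without invalidating it.
    msg = f"{path}|{iat}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(url: str, now: int) -> str:
    """Attach issue time, expiry and an HMAC to a CDN URL (server side)."""
    parts = urlsplit(url)
    iat, exp = now, now + LINK_LIFETIME
    query = urlencode({"iat": iat, "exp": exp, "sig": _mac(parts.path, iat, exp)})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def check_url(url: str, now: int) -> str:
    """Enforcement side: return 'ok', or the reason the link must be refused."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        iat, exp, sig = int(q["iat"][0]), int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return "missing-or-malformed-parameters"
    # Constant-time comparison. Because the MAC covers path and timestamps,
    # a link whose expiry was pushed forward or whose path was swapped fails here.
    if not hmac.compare_digest(sig, _mac(parts.path, iat, exp)):
        return "bad-signature"
    if now >= exp:
        return "expired"
    if now < iat:
        return "not-yet-valid"
    return "ok"


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the demo is reproducible
    link = sign_url("https://cdn.example.invalid/attachments/123/file.bin", NOW)
    print(link)
    print("fresh:   ", check_url(link, NOW))
    print("next day:", check_url(link, NOW + LINK_LIFETIME))
```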


UK Banks Warn Quantum Will Imperil Entire Payment System - Infosecurity Magazine

“The UK finance industry has warned that quantum computing could unravel the security used to protect the country’s entire payment system.

Banking body UK Finance issued the warning in a new report published this week: Identifying and Minimising the Risks Posed by Quantum Technology.

Quantum computing is still in development, but if viable computers can be built using the technology, they could use Shor’s algorithm to crack the asymmetric (PKI) encryption used by the finance industry, rendering it practically useless.

These warnings are not new, but the banking industry is now lending them an added urgency, calling on industry and government to collaborate more closely on a post-quantum future.”


VX-Underground malware collective framed by Phobos ransomware

“A new Phobos ransomware variant frames the popular VX-Underground malware-sharing collective, indicating the group is behind attacks using the encryptor.

Phobos launched in 2018 in what is believed to be a ransomware-as-a-service derived from the Crysis ransomware family. As part of this operation, a group of threat actors manage the development of the ransomware and hold the master decryption key, while other threat actors act as affiliates to breach networks and encrypt devices.

While Phobos has been around for a long time, it never evolved into an "elite" operation known for conducting massive attacks and demanding millions of dollars.

However, that does not mean it is not a big operation, as it sees wide distribution through many affiliated threat actors and accounts for 4% of all submissions to the ID Ransomware service in 2023.”


Cybersecurity firm executive pleads guilty to hacking hospitals

“The former chief operating officer of a cybersecurity company has pleaded guilty to hacking two hospitals, part of the Gwinnett Medical Center (GMC), in June 2021 to boost his company's business.

Vikas Singla, who worked for Securolytics, a network security company that provided services to the healthcare industry, pleaded guilty to hacking into the systems of GMC Northside Hospital hospitals in Duluth and Lawrenceville, as prosecutors said in a June 2021 indictment.

During his attack on September 27, 2018, he disrupted the health provider's phone and network printer services, and he stole the personal information of more than 200 patients from a Hologic R2 Digitizer digitizing device connected to a mammogram machine at GMC's Lawrenceville hospital.

On the same day, Singla used over 200 printers in the GMC hospital in Duluth to print stolen patient information and "WE OWN YOU" messages.

"The Defendant attempts to create and use publicity about the attack, including by causing the publication of information obtained without authorizations from the Digitizer, to generate business for Securolytics," the guilty plea reads.

Singla "promoted" the GMC hack on Twitter, tweeting the names, dates of birth, and sexes of 43 patients whose data had been stolen in the breach. Securolytics also reached out to potential clients after Singla's attack, highlighting the GMC incident in the emails.”


Administrator of Darkode Hacking Forum Sentenced to Prison - SecurityWeek

“The US Justice Department announced on Wednesday that a man who admitted being an administrator of a now-defunct cybercrime forum named Darkode has been sentenced to prison.

Thomas Kennedy McCormick, aka ‘Fubar’, a 30-year-old from Cambridge, Massachusetts, has been sentenced to 18 months in prison for his role in running Darkode. The sentence also includes three years of supervised release.

McCormick, who joined the site as a member in 2009, ended up being one of multiple administrators. Authorities said he was one of the last admins of Darkode before the cybercrime forum was shut down by law enforcement in 2015. The law enforcement operation resulted in 70 people being arrested, searched, or charged.”


In a first, cryptographic keys protecting SSH connections stolen in new attack | Ars Technica

“For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.

Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion of almost 200 unique SSH keys they observed in public Internet scans taken over the past seven years. The researchers suspect keys used in IPsec connections could suffer the same fate. SSH is the cryptographic protocol used in secure shell connections that allows computers to remotely access servers, usually in security-sensitive enterprise environments. IPsec is a protocol used by virtual private networks that route traffic through an encrypted tunnel.

The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.”
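As an added example (not from the article or the research it reports), the following Python simulates the failure mode described: an RSA signature computed with the Chinese Remainder Theorem in which one half is corrupted by a computational error. It shows the standard countermeasure, verifying every signature with the public key before releasing it, and why that check matters: a faulty signature that escapes reveals a factor of the modulus. The toy key and its small primes are constructed for illustration.

```python
"""Verify-after-sign as a guard against RSA-CRT fault leakage.

Added example, not code from the Ars Technica article or the research it
covers. The key below is a toy built from small primes (constructed for
illustration only); real keys are 2048 bits or more.
"""
from math import gcd

# Toy RSA key, constructed for this example.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)        # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)       # Garner recombination coefficient


def sign_crt(m: int, fault_in_p: bool = False) -> int:
    """RSA signature m^d mod N computed with the CRT, as most implementations do.

    fault_in_p simulates a computational error in the mod-p half, the kind of
    naturally occurring glitch the article describes. The mod-q half stays right.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P   # corrupt only the p-half of the computation
    h = (QINV * (sp - sq)) % P
    return sq + Q * h       # congruent to sp mod P and to sq mod Q


def verify(m: int, s: int) -> bool:
    """Public-key check: a correct signature satisfies s^e == m (mod N)."""
    return pow(s, E, N) == m % N


def safe_sign(m: int, fault_in_p: bool = False):
    """Sign, then re-verify with the public key before releasing the signature.

    Returns the signature, or None when verification fails. A failed check means
    the signature must not be sent: releasing it would leak the private key.
    """
    s = sign_crt(m, fault_in_p)
    return s if verify(m, s) else None


def factor_leaked_by(m: int, s: int) -> int:
    """Why the check matters (Lenstra's observation): a signature that is right
    mod q but wrong mod p gives gcd(s^e - m, N) == q, i.e. the modulus factors.
    For a correct signature the difference is 0 and the gcd is simply N."""
    return gcd(pow(s, E, N) - m, N)


if __name__ == "__main__":
    m = 123456789  # message representative, constructed (< N)
    print("good signature released:", safe_sign(m) is not None)
    print("faulty signature released:", safe_sign(m, fault_in_p=True) is not None)
    bad = sign_crt(m, fault_in_p=True)
    print("factor exposed by the faulty signature:", factor_leaked_by(m, bad))
```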


Internet Infrastructure

Bad Bots Account for 73% of Internet Traffic: Analysis - SecurityWeek

“Bots are automated processes acting out over the internet. Some perform useful purposes, such as indexing the internet; but the majority are Bad Bots designed for malicious ends. Bad Bots are increasing dramatically — Arkose estimates that 73% of all internet traffic currently (Q3, 2023) comprises Bad Bots and related fraud farm traffic.”


EU Tightens Cybersecurity Requirements for Critical Infrastructure and Services

“The European Union's NIS2 Directive 2022/2555 is legislation aimed at improving the security and resilience of network and information systems across the EU. Although the legislation is already in effect, EU members have until October 2024 to transpose the directive into national law. Each organization encompassed by the directive will be legally obligated to live up to its requirements in less than a year's time. With the deadline coming up so soon, organizations must prepare themselves now to embrace these changes.”


Juniper networking devices under attack - Help Net Security

“CISA has ordered US federal agencies to patch five vulnerabilities used by attackers to compromise Juniper networking devices, and to do so by Friday.

Most of these bugs are not particularly severe by themselves, but they can be – and have been – chained together by attackers to achieve remote code execution on internet-facing vulnerable devices.

Juniper Networks fixed four flaws (numbered CVE-2023-36844 through CVE-2023-36847) affecting the J-Web GUI of Junos OS-powered devices in late August 2023, and urged customers to update their SRX firewalls and EX switches to plug the security holes.

Soon after, WatchTowr Labs researchers published related technical details and a PoC exploit combining the flaws and, very quickly, attackers began trying to exploit the vulnerabilities.

Then, in late September, external researchers published a new variant (CVE-2023-36851) of the SRX upload vulnerability (CVE-2023-36847), as well as an exploit for the code execution vulnerability (CVE-2023-36845) that works without a previous file upload, prompting Juniper to stress the importance of fixing “the ability to execute code”.”


Sandworm Linked to Attack on Danish Critical Infrastructure - Infosecurity Magazine

“Notorious Russian nation-state threat actor Sandworm has been linked to the largest ever cyber-attack targeting critical infrastructure in Denmark.

The incident took place in May 2023 and saw the attackers target 22 companies involved in operating Danish critical infrastructure, according to SektorCERT, a non-profit that helps protect organizations in this sector.

SektorCERT found evidence connecting some of these attacks to Sandworm, a group thought to operate under the Russian intelligence agency GRU. Sandworm was behind the attacks that took down power in parts of Ukraine in 2015 and 2016.

The group has also been blamed for more recent cyber-attacks on critical infrastructure in Ukraine, which have been coordinated with Russian military action in the region.

SektorCERT said that in its three years of existence, it had never previously seen signs that nation-state groups have targeted Danish critical infrastructure.”


New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar

“Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory.

Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands.

It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month.

The vulnerability has since come under active exploitation by ransomware outfits to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass as well as a remote access trojan called SparkRAT.”


Packet Reflection Threats in Private 5G Networks

“In an era dominated by the Internet of Things (IoT), envision a thriving manufacturing plant adorned with countless interconnected devices. These devices, operating on a private 5G network, create an intricate web of connectivity. Safeguarded within a private IP subnet, these IoT devices remain impervious to external threats thanks to their isolation. With the 5G core and backend servers securely nestled in the cloud, these devices have limited or no internet access.

Yet, a crucial question arises: How can attackers breach this seemingly impenetrable fortress? Amidst a world rife with security challenges, a vulnerability emerges in the form of packet reflection, jeopardizing the sanctity of these private 5G networks.”


Artificial Intelligence

Addressing the State of AI’s Impact on Cyber Disinformation/Misinformation - SecurityWeek

“With the recent presidential Executive Order, and the AI Safety Summit being held at Bletchley Park in the UK, developments in artificial intelligence continue to command headlines around the world.

The recent rapid rise of artificial intelligence continues to be a game-changer in many positive ways, even though we are still touching the very fringes of its potential. New and previously unimaginable medical treatments, safer, cleaner and more integrated public transport, more rapid and accurate diagnoses, and environmental breakthroughs are all within the credible promise of AI today. Yet, within this revolution, a shadow looms.

Both China and Russia have made no secret of their desire to “win the AI race” with current and pledged investments ranging from hundreds of millions to billions of dollars in AI research and development. While companies like OpenAI, IBM and Apple might be top of mind when asked to name the major players in artificial intelligence, we should not forget that for every Amazon there’s an Alibaba, for every Microsoft a Baidu, and for every Google a Yandex. It is inevitable that states, activists, and advanced threat actors will leverage the power of AI to turbocharge disinformation campaigns.”


Generative AI is shaping future incident management processes - Help Net Security

“Persistent challenges in adhering to established incident management processes pose a significant risk to organizations, amplifying potential downtime costs amidst a surge in service incidents, according to Transposit.

Despite a majority of respondents (59.4%) who have a defined incident management process in place and a level of automation that meets their needs (71.1%), organizations grapple with a surge in service incidents and still struggle to quickly resolve them.”


A Closer Look at ChatGPT's Role in Automated Malware Creation

“As the use of ChatGPT and other artificial intelligence (AI) technologies becomes more widespread, it is important to consider the possible risks associated with their use. One of the main concerns surrounding these technologies is the potential for malicious use, such as in the development of malware or other harmful software. Our recent reports discussed how cybercriminals are misusing the large language model’s (LLM) advanced capabilities:

  • We discussed how ChatGPT can be abused to scale manual and time-consuming processes in cybercriminals’ attack chains in virtual kidnapping schemes.
  • We also reported on how this tool can be used to automate certain processes in harpoon whaling attacks to discover “signals” or target categories.

To address this concern, OpenAI implemented safety filters to prevent the misuse of ChatGPT features and capabilities. These filters, which have become increasingly sophisticated as technologies progressed, are designed to detect and prevent any attempt to use this popular AI tool for malicious purposes.

This blog entry will explore the effectiveness of these safety measures, the potential for AI technologies to be misused by criminal actors, and the limitations of current AI models.”


First Wave of Vulnerability-Fixing AIs Available for Developers

“GitHub has joined a growing list of companies offering AI-powered bug-fixing tools for software developers.

Developers who sign up for the beta program as part of GitHub's Advanced Security can scan their code with CodeQL, the company's static-analysis scanner, and fixes will be suggested for the most critical vulnerabilities. The feature will automatically find and fix issues, offering "precise, actionable suggestions" for any pull request, and should reduce developers' time to remediate vulnerabilities, says Justin Hutchings, senior director of product management at GitHub.”


Predator AI | ChatGPT-Powered Infostealer Takes Aim at Cloud Platforms - SentinelOne

“Predator AI is advertised through Telegram channels related to hacking. The main purpose of Predator is to facilitate web application attacks against various commonly used technologies, including content management systems (CMS) like WordPress, as well as cloud email services like AWS SES. However, Predator is a multi-purpose tool, much like the AlienFox and Legion cloud spamming toolsets. These toolsets share considerable overlap in publicly available code that each repurposes for their brand’s own use, including the use of Androxgh0st and Greenbot modules.

Predator is an actively developed project. In September 2023, a member of the primary Telegram channel inquired about Predator adding a Twilio account checker, to which the developer replied they could deliver in about 2 weeks. In October, the developer posted an update showing the new Twilio checking feature. The version we analyzed has Twilio features, which suggests it is a recent build.

At the top of the script, there is a message from the developer which states that the tool is protected by copyright law. The message also has a disclaimer saying the tool is for educational purposes and the author does not condone any illegal use.”

 

Phishing

The ‘Gram Scam: Meta Phishing Attack Lures Victims via Spoofed Copyright Infringement Policy - Perception Point

“Perception Point security researchers recently discovered a phishing campaign targeting Meta users on Instagram. The attack leverages legitimate two-factor authentication codes to steal user credentials. Read on to learn more about this evolving attack.”

 

Police seized BulletProftLink phishing-as-a-service (PhaaS) platform

“The Royal Malaysian Police announced that they have dismantled the notorious BulletProftLink phishing-as-a-service (PhaaS) platform. A joint international operation conducted by the Malaysian police, the FBI, and the Australian Federal Police took down several domains employed in the cybercriminal operation.

“We seized around RM960,000 put inside an e-wallet, apart from other valuables during the simultaneous raid we conducted earlier this week.” explained Inspector General of Police Tan Sri Razarudin Husain, who also confirmed the arrest of eight people, including the mastermind. The suspects were detained in various locations, including Kuala Lumpur, Sabah, Selangor, and Perak on November 6, 2023.”

 

Silent Ransom Group ramps up callback phishing attacks, FBI warns

“The FBI issued a warning about a callback phishing scam orchestrated by the Silent Ransom Group to gain initial access to organizations the gang targeted in a recent ransomware campaign.

Callback phishing attacks involve threat actors emailing employees at a target company, typically seeking payment of a fake account, and asking them to phone the gang’s call center to resolve the issue.

Once they had the victim on the phone, the threat group used social engineering tactics to manipulate the caller into installing malware on their computer, giving the gang initial access into the target organization.

Callback phishing is an appealing way for ransomware groups to gain entry to the networks of organizations whose data they want to steal and encrypt because it poses a low risk of detection, is cheap to execute, and can generate results quickly.”

 

Credential Phishing IOCs Jump 45% in Q3 | Cofense

“During Q3 of 2023, new and old techniques appeared, creating a high volume of campaigns that reached users in environments protected by secure email gateways (SEGs). Throughout this quarter, we saw an increase in volume for both credential phishing and malware campaigns. Cofense Intelligence also observed a resurgence in some malware families that have been less common in previous quarters, while the more notable families like QakBot and Emotet remained inactive.”

 

Europol and Eurojust support Czech and Ukrainian police in taking down multi-million euro voice phishing gang

“The Czech and Ukrainian police have disrupted, with the support of Europol and Eurojust, a prolific phishing gang believed to have defrauded victims across Europe of tens of millions of euros. In Czechia alone, the damage caused by this criminal group is estimated at over EUR 8 million (CZK 195 000 000).

As a result of this investigation, six suspects were already arrested in Ukraine and four in the Czech Republic in April this year. Locations in Czechia (Domazlice, Rokycany and Plzen) and Ukraine (Dnipropetrovsk) were searched during the raids, including the homes of the accused, vehicles and call centres.

Mobile phones, SIM cards and computer equipment were seized during the crackdown.

The criminal group operated from call centres located in Ukraine and carried out vishing attacks, mainly targeting Czech victims. The fraudsters asked them to transfer funds from their ‘compromised’ bank accounts to ‘safe’ bank accounts controlled by the criminals.

The suspects used spoofed phone numbers and impersonated bank employees and police officers to gain the trust of their victims.”

 

Supply Chain Attacks

Atomic Stealer distributed to Mac users via fake browser updates | Malwarebytes

“Atomic Stealer, also known as AMOS, is a popular stealer for Mac OS. Back in September, we described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application.

In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.

With a growing list of compromised sites at their disposal, the threat actors are able to reach a wider audience, stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.”

 

Attacker targeting Python developers

“It has become commonplace for attackers to invest a significant amount of time and effort within the open-source ecosystem.  

Attackers, driven by malicious intent, demonstrate an extraordinary level of persistence in their pursuit of exploiting vulnerabilities in the open-source ecosystem. While they may not always achieve their objectives in every single attack, their unwavering determination allows them to eventually identify and target vulnerable individuals or organizations. This persistence, coupled with the increasing number of attackers engaging in these activities, suggests that there is a certain degree of success within this realm. 

For close to six months, a malicious actor has been stealthily uploading dozens of malicious Python packages, most of them mimicking the names of legitimate ones, to bait unsuspecting developers.”

 

48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

“A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems.

"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.

All the counterfeit packages have been published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download.”

 

Uncovering thousands of unique secrets in PyPI packages

“Let’s start with the big reveal of what we found: 

  • 3,938 total unique secrets across all projects
  • 768 of those unique secrets were found to be valid
  • 2,922 projects contained at least one unique secret

To put those numbers in perspective, there are over 450,000 projects released through the PyPI website, containing over 9.4 million files. There have been over 5 million released versions of these packages. If we add up all the secrets shared across all the releases, we found 56,866 occurrences of secrets, meaning once a secret enters a project, it is often included in multiple releases.”

 

Diamond Sleet supply chain compromise distributes a modified CyberLink installer | Microsoft Security Blog

“Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.

Microsoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet. More recently, Microsoft has observed Diamond Sleet utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media.”

 

Malvertising and Adware

New SEO#LURKER Attack Campaign: Threat Actors Use SEO Poisoning and Fake Google Ads to Lure Victims Into Installing Malware - Securonix

“An interesting ongoing SEO poisoning/malvertising campaign leveraging WinSCP lures along with a stealthy infection chain lures victims into installing malware (alongside the legitimate WinSCP software). Attackers are likely leveraging dynamic search ads which let threat actors inject their own malicious code while mimicking legitimate sources like Google search pages.

A rather steep uptick in malicious advertising (malvertising) has been observed, especially in the last year which involves threat actors paying either your favorite search engine or social networking sites for ad space in order to promote malware in prominent locations.

The Securonix Threat Research team has been tracking an ongoing campaign SEO#LURKER which targets “WinSCP” keywords in Google Search results. WinSCP is a popular SSH/SCP connection platform which has established a huge user base over the years making it a lucrative target for threat actors. It’s highly likely that WinSCP is not the only downloadable software being targeted by these threat actors to serve malicious advertisements.”

 

Malvertiser copies PC news site to deliver infostealer | Malwarebytes

“The majority of malvertising campaigns delivering malicious utilities that we have tracked so far typically deceive victims with pages that are almost the exact replica of the software vendor being impersonated. For example, we have seen fake websites appearing like the real Webex, AnyDesk or KeePass home page.

In a new campaign, we observed a threat actor copying a legitimate Windows news portal (WindowsReport.com) to distribute a malicious installer for the popular processor tool CPU-Z.

This type of website is often visited by geeks and system administrators to read the latest computer reviews, learn some tips and download software utilities. The Windows Report was never compromised and is legitimate, but rather threat actors copied its content to trick users.

This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection. We have informed Google with the relevant details for takedown.”

 

NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads

“Compromised Facebook business accounts are being used to run bogus ads that employ "revealing photos of young women" as lures to trick victims into downloading an updated version of a malware called NodeStealer.

"Clicking on ads immediately downloads an archive containing a malicious .exe 'Photo Album' file which also drops a second executable written in .NET – this payload is in charge of stealing browser cookies and passwords," Bitdefender said in a report published this week.”

 

Google search ads abused to spread ransomware by ALPHV/BlackCat gang | SC Media

“A ransomware gang is responsible for a string of Google search ads that used major brands as lures to distribute ransomware over the past three weeks. Targeted are businesses and public entities. This campaign adds to a recent string of breaches perpetrated by cybergang ALPHV/BlackCat, according to eSentire researchers.

ESentire said in a blog post outlining the research that the ads placed by the cybergang purported to be legitimate offers for software tools. However, the ads linked to malicious sites that enticed victims to download a Python-based malware payload that opens access for further infection, according to eSentire’s Threat Response Unit (TRU).”

 

Ransomware

Play Ransomware Goes Commercial - Now Offered as a Service to Cybercriminals

“The ransomware strain known as Play is now being offered to other threat actors "as a service," new evidence unearthed by Adlumin has revealed.

"The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it," the cybersecurity company said in a report shared with The Hacker News.

The findings are based on various Play ransomware attacks tracked by Adlumin spanning different sectors that incorporated almost identical tactics and in the same sequence.

This includes the use of the public music folder (C:\...\public\music) to hide the malicious file, the same password to create high-privilege accounts, and both attacks, and the same commands.

Play, also called Balloonfly and PlayCrypt, first came to light in June 2022, leveraging security flaws in Microsoft Exchange Server – i.e., ProxyNotShell and OWASSRF – to infiltrate networks and drop remote administration tools like AnyDesk and ultimately deploy the ransomware.”

 

LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed

“The Lockbit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files.

Although Citrix made fixes available for CVE-2023-4966 more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many in the U.S.”

 

Clop group obtained access to the email addresses of about 632,000 US federal employees

“Russian-speaking Clop ransomware group gained access to the email addresses of about 632,000 US federal employees at the departments of Defense and Justice. The security breach is the result of the MOVEit hacking campaign that took place this summer. The MOVEit campaign also targeted additional US agencies, including the Department of Health and Human Services, the Department of Agriculture, and the General Services Administration.

The news of the attacks on the government departments was reported by federal cybersecurity officers to the House Science, Space and Technology Committee in July.”

 

THREAT ALERT: INC Ransomware

“INC Ransom is a new ransomware group that emerged in August 2023, spreading ransomware with the same name.  From the start of the operation till mid-September of the same year the group leaked the data of more than a dozen victims on their blog similarly to other groups of this type.  The ransomware group exercises double and triple extortion on them.

The INC Ransom group was first observed by security researchers in early August 2023.

The group’s victims are mostly private sector businesses, and the list also includes a government organization and a charity association. All known victims are exclusively from Western countries, with the majority of them from the United States and Europe (a single victim was from Singapore).”

 

Ransomware Attacks against the Energy Sector on the rise - Nuclear and Oil & Gas are Major Targets in 2024

“Resecurity has identified an alarming rise in ransomware operators targeting the energy sector, including nuclear facilities and related research entities. Over the last year, ransomware attackers have targeted energy installations in North America, Asia, and the European Union. In the EU, Handelsblatt reported that ransomware attacks targeting the energy sector more than doubled in 2022 over the previous year, with defenders recording 21 attacks through the past October.

After a brief, sectoral ‘cease-fire’ following the 2021 Colonial Pipeline ransomware attack, cybercriminals are once again homing in on energy-industry targets. Threat actors reason that the seizure of the higher-value Critical Infrastructure (CI) assets handled by these firms will yield more lucrative payouts in ransom negotiations. Factors that make energy firms more vulnerable to ransomware attacks include complexities in converging IT and operational technology (OT) networks, third-party risks, and historic geopolitical fragmentation.”

 

Ransomware ‘catastrophe’ at Fidelity National Financial causes panic with homeowners and buyers | TechCrunch

“Last Tuesday, Fidelity National Financial, or FNF, a real estate services company that bills itself as the “leading provider of title insurance and escrow services, and North America’s largest title insurance company,” announced that it had experienced a cyberattack.

Since then, homeowners who have mortgages and prospective buyers who are purchasing properties with FNF or one of its many subsidiaries have been left confused and concerned, not knowing exactly what is happening or what to do.”

 

Nation-State / Advanced Persistent Threat

Russia’s APT29 Targets Embassies With Ngrok and WinRAR Exploit - Infosecurity Magazine

“Ukrainian security researchers have revealed a major new Russian cyber-espionage campaign which they claim may have been designed to harvest information on Azerbaijan’s military strategy.

APT29 (aka Cozy Bear, Nobelium and many other monikers) was behind the attacks, according to a new report from the Ukrainian National Security and Defense Council (NDSC).

It targeted embassies in Azerbaijan, Greece, Romania and Italy, as well as international institutions such as the World Bank, European Commission, Council of Europe, WHO, UN and others.”

 

Decrypting Danger: Check Point Research deep-dive into cyber espionage tactics by Russian-origin attackers targeting Ukrainian entities

“LitterDrifter, Gamaredon’s latest tool in its cyber arsenal, is a VBS-written worm with dual functionalities.

Its primary objectives are automatic spreading over USB drives and establishing communication with a flexible set of command-and-control servers. This strategic design aligns with Gamaredon’s overarching goals, allowing the group to maintain persistent access to its targets.”

 

The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits - NSFOCUS

“In 2022, NSFOCUS Research Labs revealed a large-scale APT attack campaign called DarkCasino and identified an active and dangerous aggressive threat actor. By continuously tracking and in-depth study of the attacker’s activities, NSFOCUS Research Labs has ruled out its link with known APT groups, confirmed its high-level persistent threat nature, and following the operational name, named this APT group DarkCasino.

In August 2023, security vendor Group-IB followed up and disclosed a DarkCasino activity against cryptocurrency forum users, and captured a WinRAR 0-day vulnerability CVE-2023-38831 used by the APT threat actor DarkCasino in this attack.

NSFOCUS Research Labs analyzed the APT group DarkCasino’s attack activities in WinRAR vulnerability exploitation and confirmed its techniques and tactics; at the same time, NSFOCUS Research Labs also found a large number of attacks by known APT organizations and unconfirmed attackers when tracking the exploitation of WinRAR vulnerabilities. Most of these attacks targeted national governments or multinational organizations.

This report will analyze the APT group DarkCasino and its detailed attacks launched recently, disclose the exploitation of WinRAR vulnerabilities by multiple known APT attackers and new threat actors, and predict the development trend of this threat.”

 

TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities | Proofpoint US

“In mid-2023, Proofpoint researchers first identified TA402 (Molerats, Gaza Cybergang, Frankenstein, WIRTE) activity using a labyrinthine infection chain to target Middle Eastern governments with a new initial access downloader Proofpoint has dubbed IronWind. From July through October 2023, TA402 utilized three variations of this infection chain—Dropbox links, XLL file attachments, and RAR file attachments—with each variant consistently leading to the download of a DLL containing the multifunctional malware. In these campaigns, TA402 also pivoted away from its use of cloud services like Dropbox API, which Proofpoint researchers observed in activity from 2021 and 2022, to using actor-controlled infrastructure for C2 communication.  

As of late October 2023, Proofpoint researchers had not observed any changes in targeting by TA402, an APT group that historically has operated in the interests of the Palestinian Territories, nor identified any indications of an altered mandate despite the current conflict in the region. It remains possible that this threat actor will redirect its resources as events continue to unfold.”

 

UK and Republic of Korea issue warning about DPRK state-linked cyber actors attacking software supply chains

“Cyber actors linked to the Democratic People’s Republic of Korea (DPRK) are increasingly targeting software supply chain products to attack organisations around the world, the UK and the Republic of Korea have warned today (Thursday).

In a new joint advisory, the National Cyber Security Centre (NCSC) – a part of GCHQ – and the National Intelligence Service (NIS) have detailed how DPRK state-linked cyber actors have been using increasingly sophisticated techniques to gain access to victims’ systems.

The actors have been observed leveraging zero-day vulnerabilities and exploits in third-party software to gain access to specific targets or indiscriminate organisations via their supply chains.

The NCSC and the NIS consider these supply chain attacks to align and considerably help fulfil wider DPRK-state priorities, including revenue generation, espionage and the theft of advanced technologies.

The advisory provides technical details about the malicious activity, case studies of recent attacks emanating from the DPRK and advice on how organisations can mitigate supply chain compromises.”

 

Data Breaches / Credential Stuffing

Auto parts giant AutoZone warns of MOVEit data breach

“AutoZone is warning tens of thousands of its customers that it suffered a data breach as part of the Clop MOVEit file transfer attacks.

AutoZone is the leading retailer and distributor of automotive spare parts and accessories in the U.S., operating 7,140 shops in the country and also in Brazil, Mexico, and Puerto Rico.

The company has an annual revenue of nearly $17.5 billion, employs 119,000 people, and its online shop is visited by 35 million users per month, according to similarweb.com stats.

Earlier this year, the Clop ransomware gang exploited a zero-day MOVEit vulnerability to breach thousands of organizations worldwide, following up with double extortion and data leaks impacting millions of people.

AutoZone informed the U.S. authorities today that it suffered a data breach as part of these attacks on May 28, 2023, resulting in the compromise of data of 184,995 people.”

 

US Cybersecurity Lab Suffers Major Data Breach - Infosecurity Magazine

“A leading US laboratory famed for cybersecurity, nuclear and clean energy research has reportedly suffered a major breach of employee data.

Dating back to the 1940s, Idaho National Laboratory (INL) is responsible for generating the first usable electricity from nuclear power and developing the first nuclear propulsion systems for nuclear submarines and aircraft carriers.

More recently, it claims to have become “a world leader in securing critical infrastructure systems,” and particularly industrial control systems.

However, local reports claim the facility suffered a massive data breach affecting its HR systems on Sunday night.”

 

Nearly 2 Million Turkish Citizens Affected in Vaccination Data Breach

“A hacker released 1.9 million lines of data related to Turkish vaccinations, potentially exposing the information of almost 2 million citizens.

The SafetyDetectives cybersecurity team discovered a web forum post allegedly containing vaccination records from Turkey. Other forum members speculated that the information came from the 2021 e-Nabız (e-Pulse) leak involving Turkey’s Ministry of Health, but our investigation confirmed the leak to be new and presumably collected on April 4, 2023. It included vaccination data from 2015 to 2023.

The leak was shared on a web forum on September 10, 2023. It was posted in SQL format and not behind a paywall, making the full database accessible to the public. A close inspection of the data showed that it was likely collected from an online server by exploiting an information disclosure vulnerability.”

 

Nearly 9 million patients' records compromised in data breach

“A cyberattack on a medical transcription company compromised highly sensitive health data belonging to nearly four million patients at Northwell Health, New York State's largest healthcare provider and private employer.

The breach also impacted a healthcare system in Illinois, Cook County Health, which disclosed that 1.2 million of its patients were affected. About four million additional patients from undisclosed locations were also impacted.

The attack is one of the worst medical data breaches in recent years, according to a U.S. Department of Health and Human Services data breach list.

The Nevada-based transcription company, Perry Johnson & Associates (PJ&A), disclosed the breach earlier this month in a legally required filing, revealing that the breach began as early as March and that it did not begin to notify affected patients until the end of September.

According to a PJ&A notice, the stolen data not only included basic information like patient names, addresses and dates of birth, but also admission diagnoses, some Social Security numbers, laboratory and diagnostic testing results and medications.

A Northwell spokesperson said 3.89 million patients were affected and shared a statement confirming it had been informed of the breach by PJ&A.”

 

Toyota confirms breach after Medusa ransomware threatens to leak data

“Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company.

Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity with a presence in 90% of the markets where Toyota sells its cars, providing auto financing to its customers.

Earlier today, the Medusa ransomware gang listed TFS to its data leak site on the dark web, demanding a payment of $8,000,000 to delete data allegedly stolen from the Japanese company.”

 

Vietnam Post exposes 1.2TB of data, including email addresses | Cybernews

“Vietnam Post Corporation, a Vietnamese government-owned postal service, left its security logs and employee email addresses accessible to outside cyber snoopers, Cybernews researchers have discovered. The exposed sensitive data could spell trouble if accessed by malicious actors.

On October 3rd, the Cybernews research team discovered an open Kibana instance belonging to the Vietnam Post Corporation. Kibana is a visualization dashboard for data search and analytics, helping enterprises deal with large quantities of data.

At the time of discovery, the data store contained 226 million logged events, resulting in 1.2 Terabytes of data, which was being updated in real-time. The leaked information also had employee names and emails.

Those logs were mainly attributable to cybersecurity software such as Extended Detection and Response (XDR) and Security Information and Event Management (SIEM). Some records resembled a modified version of Wazuh, an open-source security information and event management (SIEM) platform.”

 

New Samsung data breach impacts UK store customers

“Samsung Electronics is notifying some of its customers of a data breach that exposed their personal information to an unauthorized individual.

The company says that the cyberattack impacted only customers who made purchases from the Samsung UK online store between July 1, 2019, and June 30, 2020.”

 

Pharmacy provider Truepill data breach hits 2.3 million customers

“Postmeds, doing business as ‘Truepill,’ is sending notifications of a data breach informing recipients that threat actors accessed their sensitive personal information.

Truepill is a B2B-focused pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer (D2C) brands, digital health companies, and other healthcare organizations across all 50 states in the U.S.

Regarding the number of impacted individuals, according to the U.S. Department of Health and Human Services Office for Civil Rights breach portal, the incident impacts 2,364,359 people.”

 

Cryptocurrency

Cryptojacking Attack Campaign Against Apache Web Servers Using Cobalt Strike - ASEC BLOG

“AhnLab Security Emergency response Center (ASEC) is monitoring attacks against vulnerable web servers that have unpatched vulnerabilities or are being poorly managed. Because web servers are externally exposed for the purpose of providing web services to all available users, these become major attack targets for threat actors.

Major examples of web services that support Windows environments include Internet Information Services (IIS), Apache, Apache Tomcat, and Nginx. While the Apache web service is usually used in Linux environments, there are some cases where it is used to provide services in Windows environments since it supports Windows as well.

Recently, ASEC identified an attack campaign where the XMRig CoinMiner is installed on Windows web servers running Apache. The threat actor used Cobalt Strike to control the infected system. Cobalt Strike is a commercial penetration testing tool, and it is recently being used as a medium to dominate the internal system in the majority of attacks including APT and ransomware.”

 

Attackers Exploit Middle East Crisis to Solicit Fraudulent Cryptocurrency Donations for Children

“Threat actors are known to capitalize on geopolitical events to manipulate victims into sending money under the guise of charitable donations, and the ongoing events in Gaza and Israel are no exception.

In a recent charity attack detected by Abnormal, cybercriminals attempted to solicit fraudulent donations by playing on sympathy for children in Palestine. The attackers encouraged recipients to donate funds to the provided cryptocurrency wallet addresses, claiming the money would go to providing basic needs, including water, medical care, and Internet access.

According to our research, the campaign targeted 212 individuals at 88 organizations.”

 

Polish court discovers secret cryptomining rigs hidden throughout building

“Officials at Poland’s Supreme Administrative Court in Warsaw discovered a number of high-powered cryptocurrency mining rigs hidden in the courthouse — including in a ventilation duct and beneath a raised floor — which had been powered by electricity from the court’s mains supply.

The devices had their own modems to connect to the internet, according to Polish news channel TVN 24, meaning they were not connected to the court building’s network.

Judge Sylwester Marciniak told the broadcaster that the episode “did not result in any threat to the security of data stored in the Supreme Administrative Court,” and added that Poland’s Internal Security Agency — the country’s FBI — had been informed.

According to TVN 24, the devices were capable of consuming several thousand Polish Zlotys of energy per month — with 1,000 Zloty worth about $250 — and had been placed near power supply equipment.”

 

Fraudsters make $50,000 a day by spoofing crypto researchers

“Multiple fake accounts impersonating cryptocurrency scam investigators and blockchain security companies are promoting phishing pages to drain wallets in an ongoing campaign on X (formerly Twitter).

To lure potential victims, the scammers use a breach on major cryptocurrency exchange platforms. The scenario urges users to act swiftly to safeguard their digital assets from potential theft.

The scammers impersonate accounts on X belonging to blockchain analytics or crypto fraud investigation firms and researchers, like CertiK, ZachXBT, and Scam Sniffer, to promote fabricated security breaches on Uniswap and Opensea.”

 

Wallet Drainers Starts Using Create2 Bypass Wallet Security Alert - Scam Sniffer

“Recently, we discovered that some Wallet Drainers have started using Create2 to bypass security alerts in certain wallets. By exploiting Create2’s ability to pre-calculate contract addresses, the Drainers can generate new addresses for each malicious signature. These addresses are deployed after the victim signs the malicious signature.

After noticing these abnormal transactions, we suspected that this method was used to bypass wallet security alerts. Subsequent tests confirmed our suspicions. The drainer associated with this has stolen nearly $60 million from around 99,000 victims in the past six months.

After a discussion with SlowMist team, a group has employed the same technique in Address Poisoning to steal $3 million from 11 victims since Aug. One victim lost up to $1.6 million.”
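The mechanism behind both the drainer trick and the address-poisoning variant above is that a CREATE2 address is a pure function of factory, salt and init-code hash, so an attacker can hand a victim an address that does not exist on-chain yet and that no blocklist has ever seen. The following is an added example (not Scam Sniffer's or SlowMist's code) that computes EIP-1014 addresses with an inline Keccak-256 so it runs offline, shows a fresh salt per victim slipping past an address blocklist, shows the check that does catch it (the spender has no code at signing time), and grinds salts for a lookalike address the way address poisoning does. The factory address, init code, simulated chain state and the one-byte prefix match are all constructed stand-ins.

```python
"""CREATE2 address pre-computation (EIP-1014) as a drainer uses it, plus two
wallet-side checks. Added example, not Scam Sniffer's or SlowMist's code; the
factory address, init code and simulated chain state are constructed."""

MASK = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK


def _keccak_f(a):
    # Keccak-f[1600]; lane (x, y) lives at a[x + 5*y].
    for rc in RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], ROT[x][y])
        a = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        a[0] ^= rc
    return a


def keccak256(data):
    # Original Keccak padding (0x01 ... 0x80), not SHA3-256's 0x06; Ethereum uses this one.
    rate = 136
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(state[i].to_bytes(8, "little") for i in range(4))


def create2_address(deployer, salt, init_code_hash):
    # EIP-1014: keccak256(0xff ++ deployer ++ salt ++ keccak256(init_code))[12:]
    assert len(deployer) == 20 and len(salt) == 32 and len(init_code_hash) == 32
    return keccak256(b"\xff" + deployer + salt + init_code_hash)[12:]


# Constructed stand-ins for the drainer's factory contract and its contract init code.
DRAINER_FACTORY = bytes.fromhex("deadbeef" + "00" * 16)
DRAINER_INIT_HASH = keccak256(b"\x60\x80\x60\x40placeholder-init-code")


def fresh_spender(victim_index):
    # One salt per victim: the address exists nowhere on-chain until after the victim signs.
    return create2_address(DRAINER_FACTORY, victim_index.to_bytes(32, "big"), DRAINER_INIT_HASH)


def blocklist_alert(spender, blocklist):
    return spender in blocklist


def undeployed_spender_alert(spender, chain_code):
    # chain_code simulates eth_getCode; an approval or permit to an address with no
    # code yet is exactly the pre-deployment pattern the drainers rely on.
    return chain_code.get(spender, b"") == b""


def simulate():
    first = fresh_spender(0)
    blocklist = {first}                   # reported after victim 0 was drained
    chain_code = {first: b"\x60\x00"}     # ... and by then the contract was deployed
    nxt = fresh_spender(1)                # victim 1 sees a never-seen, still-empty address
    return {"blocklist_catches": blocklist_alert(nxt, blocklist),
            "undeployed_catches": undeployed_spender_alert(nxt, chain_code)}


def find_poison_salt(target, max_tries=4096):
    # Address poisoning variant: grind salts until the CREATE2 address shares its
    # leading byte with the victim's real counterparty (a real attacker matches more).
    for i in range(max_tries):
        salt = i.to_bytes(32, "big")
        addr = create2_address(DRAINER_FACTORY, salt, DRAINER_INIT_HASH)
        if addr[0] == target[0]:
            return salt, addr
    return None


if __name__ == "__main__":
    print(simulate())
    print(find_poison_salt(bytes.fromhex("a1" + "00" * 19)))
```

The design point is that any alert keyed on the spender address is structurally too late against CREATE2: the address is chosen after the blocklist was built. Keying the alert on state instead (no code at the spender, or a permit/approval whose spender was never a party to a prior transaction) survives the trick, and the same "no code yet" signal is cheap to add to a wallet's simulation step.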

 

Microsoft: BlueNoroff hackers plan new crypto-theft attacks

“Microsoft warns that the BlueNoroff North Korean hacking group is setting up new attack infrastructure for upcoming social engineering campaigns on LinkedIn.

This financially motivated threat group (tracked by Redmond as Sapphire Sleet) also has a documented history of cryptocurrency theft attacks targeting employees within cryptocurrency companies.

After picking their targets following initial contact on LinkedIn, the BlueNoroff hackers backdoor their systems by deploying malware hidden in malicious documents pushed via private messages on various social networks.”

 

Other Headlines

FBI takes down IPStorm malware botnet as hacker behind it pleads guilty

“The FBI dismantled the IPStorm botnet proxy network and its infrastructure this week following a September plea deal with the hacker behind the operation.

The Justice Department said it took down the infrastructure associated with the IPStorm malware — which experts said infected thousands of Linux, Mac, and Android devices across Asia, Europe, North America and South America.

The botnet was first sighted by researchers in June 2019, primarily targeting Windows systems, and stood out to experts because it used the InterPlanetary File System (IPFS) peer-to-peer protocol to communicate with infected systems and relay commands. Cisco warned last year that IPFS was being exploited widely by hackers.

By 2020, several security companies discovered that the malware had expanded to versions that infected other devices and platforms. Cybersecurity journalist Catalin Cimpanu reported that the botnet grew from around 3,000 infected systems in May 2019 to more than 13,500 devices by 2020.”

 

OracleIV - A Dockerised DDoS Botnet - Cado Security | Cloud Forensics & Incident Response

“Cado Security Labs researchers recently discovered a novel campaign targeting publicly-exposed instances of the Docker Engine API. Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named “oracleiv_latest” and containing Python malware compiled as an ELF executable. The malware itself acts as a Distributed Denial of Service (DDoS) bot agent, capable of conducting DoS attacks via a number of methods.

It’s not the first time the Docker Engine API has been targeted by attackers. This method of initial access has become increasingly popular in recent years and is often used to deliver cryptojacking malware. Inadvertent exposure of the Docker Engine API occurs frequently enough that several unrelated campaigns have been observed scanning for it. 

This should come as no surprise, given the move to microservice-driven architectures by many software teams. Once a valid endpoint is discovered, it’s trivial to pull a malicious image and launch a container from it to carry out any conceivable objective. Hosting the malicious container in Dockerhub, Docker’s container image library, streamlines this process even further.”
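The misconfiguration Cado describes is a dockerd listening on TCP without client-certificate verification, which hands anyone who reaches the port root-equivalent control of the host. The following is an added example (not Cado's or Docker's code) that audits the two places that setting lives, daemon.json and the dockerd command line, and reports a weak configuration beside a hardened one. Both configuration documents are constructed; the keys and flags (`hosts`, `tlsverify`, `-H`/`--host`, `--tlsverify`) are the real dockerd ones.

```python
"""Audit a dockerd configuration for an unauthenticated, network-exposed Engine API.
Added example; the two daemon.json documents below are constructed."""
import json

# Constructed: the exposure pattern the OracleIV campaign scans for.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed: TCP only on a management address, mutual TLS required.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def _check(hosts, tlsverify):
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable from the network
        bind = host[len("tcp://"):].rpartition(":")[0]
        if not tlsverify:
            findings.append(f"{host}: TCP API without tlsverify (unauthenticated root on the host)")
        if bind in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def audit_daemon_json(text):
    cfg = json.loads(text)
    return _check(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def audit_dockerd_args(argv):
    # Same settings as they appear in a systemd ExecStart line.
    hosts, tlsverify = [], False
    args = iter(argv)
    for arg in args:
        if arg in ("-H", "--host"):
            hosts.append(next(args, ""))
        elif arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    return _check(hosts, tlsverify)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_json(text) or "ok")
    print("argv", audit_dockerd_args(["dockerd", "-H", "tcp://0.0.0.0:2375"]) or "ok")
```

On a live host the same two questions are answered by `ss -ltnp | grep dockerd` (is 2375/2376 listening, and on which address) and by whether `docker -H tcp://<ip>:2375 info` succeeds without a client certificate; if it does, treat the host as already compromised and look for unfamiliar containers and images before fixing the listener.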

 

OpenAI confirms DDoS attacks behind ongoing ChatGPT outages

“OpenAI has been addressing "periodic outages" due to DDoS attacks targeting its API and ChatGPT services within the last 24 hours.

While the company didn't immediately provide any details on the root cause of these incidents, OpenAI confirmed earlier today that they're linked to ongoing distributed denial-of-service (DDoS) attacks.

"We are dealing with periodic outages due to an abnormal traffic pattern reflective of a DDoS attack. We are continuing work to mitigate this," OpenAI said in an update to an incident report published 11 hours ago.

Those affected by these issues see "something seems to have gone wrong" errors, with ChatGPT adding that "There was an error generating a response" to their queries.”

 

Beware of BlueNoroff: Mac users targeted with new malware variant - 9to5Mac

“Security researchers have pulled the curtain back on what appears to be a variant of the infamous RustBucket malware that targets macOS systems. First detected earlier in April, the attack continues to evolve, and a new report from Jamf Threat Labs highlights how, and who its potential targets may be.

RustBucket is a relatively new form of malware that specifically targets Mac users. It is the work of an Advanced Persistent Threat (APT) group out of North Korea called BlueNoroff, a sub-group of the nation-state’s well-known cybercrime enterprise Lazarus Group.”

 

Researchers Uncover Massive Underground Link-Shortening Service Used by Malicious Actors

“New research indicates that the .US top-level domain contains numerous domains linked to a malicious link-shortening service dubbed ‘Prolific Puma’ promoting malware and phishing. Infoblox has been monitoring this three-year-old service, which uses short domains hosted on uncooperative providers to disguise harmful landing pages.

Within a month, the actor has registered thousands of domains, predominantly on the U.S. top-level domain (usTLD), aiding in the dispersal of phishing, scams, and malware.”

 

Over Half of Users Report Kubernetes/Container Security Incidents - Infosecurity Magazine

“Cloud native development practices are creating dangerous new security blind spots for organizations in the US, UK, France and Germany, according to a new study from Venafi.

The machine identity specialist polled 800 security and IT leaders from large organizations based in these four countries to compile its latest report: The Impact of Machine Identities on the State of Cloud Native Security in 2023.

It revealed that 59% of respondents have experienced security incidents in their Kubernetes or container environments – with network breaches, API vulnerabilities and certificate misconfigurations the main culprits.

Nearly a third (30%) of these organizations claimed this incident led to a data breach or network compromise. This can have serious knock-on effects: a third (33%) had to delay an application launch, 32% experienced disruption to their application service and 27% suffered a compliance violation as a result.”

 

Atlassian warns of exploit for Confluence data wiping bug, get patching

“Atlassian warned admins that a public exploit is now available for a critical Confluence security flaw that can be used in data destruction attacks targeting Internet-exposed and unpatched instances.

Tracked as CVE-2023-22518, this is an authentication bypass vulnerability with a 9.1/10 severity rating affecting all versions of Confluence Data Center and Confluence Server software.

Atlassian warned in an update to the original advisory that it found a publicly available exploit that puts publicly accessible instances at critical risk.”

 

Domain Squatting and Brand Hijacking: A Silent Threat to Digital Enterprises

“Domain squatting, often known as cybersquatting, involves the registration or use of a domain name to profit from a trademark belonging to someone else. For instance, a squatter might register a misspelt version of a well-known brand’s URL to misdirect their traffic – for instance, it is Google.com, not ɢoogle.com.

Similarly, brand hijacking is a form of online piracy in which an entity masquerades as a reputable brand to deceive its audience, damaging brand credibility and customer trust. According to Mimecast’s 2022 report on email security, 46% of the businesses it surveyed reported a rise in online brand spoofing and impersonation, with an average of ten incidents in 2021.”
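The ɢoogle.com illustration above is a homoglyph: a label that renders like the brand but is a different Unicode string, so exact-match brand lists never fire. The following is an added example (not from the article) of the three checks a registrar-monitoring or mail-filtering job would run on a candidate domain: non-ASCII characters in the label (with its punycode form, which is what actually appears in DNS), mixing of scripts within one label, and a confusables "skeleton" compared against protected brand names. The brand list and the confusables map are constructed; the real Unicode confusables table is far larger than the subset shown.

```python
"""Flag lookalike domain labels against a list of protected brands.
Added example; PROTECTED and CONFUSABLES are a constructed subset."""
import unicodedata

PROTECTED = {"google", "paypal", "microsoft"}

# Constructed subset of Unicode confusables plus common ASCII typosquats.
CONFUSABLES = {
    "\u0262": "g",   # ɢ LATIN LETTER SMALL CAPITAL G (the article's example)
    "\u0430": "a",   # Cyrillic а
    "\u0435": "e",   # Cyrillic е
    "\u043e": "o",   # Cyrillic о
    "\u0440": "p",   # Cyrillic р
    "\u0441": "c",   # Cyrillic с
    "\u0455": "s",   # Cyrillic ѕ
    "\u0456": "i",   # Cyrillic і
    "rn": "m", "vv": "w", "1": "l", "0": "o",
}


def skeleton(label):
    # Normalise, lower-case, then collapse every known confusable to its ASCII target.
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def scripts(label):
    # First word of the Unicode name is the script block: LATIN, CYRILLIC, GREEK, ...
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}


def check_domain(domain):
    label = domain.split(".")[0]
    findings = []
    if any(ord(ch) > 127 for ch in label):
        findings.append("non-ascii")
        try:
            findings.append("punycode=" + label.encode("idna").decode("ascii"))
        except UnicodeError:
            findings.append("idna-encoding-failed")
    if len(scripts(label)) > 1:
        findings.append("mixed-script")
    sk = skeleton(label)
    if sk in PROTECTED and label.lower() != sk:
        findings.append(f"lookalike-of={sk}")
    return findings


if __name__ == "__main__":
    for d in ("google.com", "\u0262oogle.com", "p\u0430ypal.com", "g00gle.com"):
        print(d, check_domain(d) or "clean")
```

Note that the article's own example is a single-script lookalike (ɢ is a Latin letter), so a mixed-script rule alone would miss it; the skeleton comparison is the check that catches it, which is why the three tests are run together rather than any one on its own.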
