Cybersecurity Briefing | A Recap of Cybersecurity News in September 2023
by Alex Applegate on Oct 5, 2023 1:08:00 PM
Industry State of the Art
September has been a busy month in terms of policy and governance. Legislators and governments around the world are responding to the urgent need for guardrails and oversight around the rapidly expanding artificial intelligence sector. Open source and supply chain management continue to emerge as critical focus topics. And the (separate) debates around international cybercrime and social media privacy continue to rage as unavoidable hot-button topics.
Standards & Advisories
“After years of vulnerabilities like Log4j, Heartbleed and other open-source vulnerabilities wreaking unknown levels of havoc on digital society, the federal government has arrived with a plan.
On Tuesday, the Cybersecurity and Infrastructure Security Agency released its long-awaited roadmap for open-source software, laying out a number of tasks and goals that U.S. officials hope will lead to better tracking around the use of such code in commercial and government IT environments and spur quick action from the cybersecurity community when a widespread or targeted vulnerability is disclosed.”
“The National Security Agency (NSA) and U.S. federal agency partners have issued new advice on a synthetic media threat known as deepfakes. This emerging threat could present a cybersecurity challenge for National Security Systems (NSS), the Department of Defense (DoD), and DIB organizations.
They released the joint Cybersecurity Information Sheet (CSI) ‘Contextualizing Deepfake Threats to Organizations’ to help organizations identify, defend against, and respond to deepfake threats. NSA authored the CSI with contributions from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
The term “deepfake” refers to multimedia that has either been synthetically created or manipulated using some form of machine or deep learning (artificial intelligence) technology. Other terms used to describe media that have been synthetically generated and/or manipulated include Shallow/Cheap Fakes, Generative AI, and Computer Generated Imagery (CGI).”
“The Department of Homeland Security’s Homeland Threat Assessment is warning of bad actors potentially using artificial intelligence to disrupt critical infrastructure either through election influence campaigns or by targeting industrial systems.
The annual report — which outlines the key concerns for the next year — points to adversaries increasingly focusing and learning how to target critical infrastructure, like energy, the upcoming 2024 election, transportation, pipelines, and other vital services, with emerging technologies like AI.
State-backed hackers like China are also adapting AI to engage in influence campaigns or to better develop malware for large-scale attacks, DHS says.”
“Today, CISA, Federal Bureau of Investigation (FBI), and U.S. Cyber Command’s Cyber National Mission Force (CNMF) published a joint Cybersecurity Advisory (CSA), Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475. This CSA provides information on an incident at an Aeronautical Sector organization, with malicious activity occurring as early as January 2023.
CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.”
“The MITRE Corporation and the US Cybersecurity and Infrastructure Security Agency (CISA) today announced a new extension for the open source Caldera platform that emulates adversarial attacks against operational technology (OT).
The new Caldera for OT extension is the result of a collaboration between the Homeland Security Systems Engineering and Development Institute (HSSEDI) and CISA, to help improve the resilience of critical infrastructure.
The Caldera cybersecurity platform provides automated adversary emulation, security assessments, and red-, blue-, and purple-teaming, and uses the MITRE ATT&CK framework as its backbone.
Caldera for OT, which also enables Factory and Security Acceptance Testing (FAT/SAT), is now available for industrial control systems (ICS) defenders to benefit from the open source platform as well.”
“Authorities in the US released a new cybersecurity advisory yesterday updating organizations on the latest tactics, techniques and procedures (TTPs) used by the Snatch ransomware-as-a-service (RaaS) group.
Although it first appeared in 2018, Snatch has been in continuous development since 2021, borrowing techniques off other operations, the Cybersecurity and Infrastructure Security Agency (CISA) and FBI explained.
It uses a classic double extortion playbook, with victim details being posted to a leak site if they fail to pay up.”
“Federal authorities are warning of "significant risk" for potential attacks on healthcare and public health sector entities by the North Korean-state sponsored Lazarus Group involving exploitation of a critical vulnerability in 24 ManageEngine IT management tools from Zoho.
The alert issued Tuesday by the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center warns that the cybercriminal group has been targeting "internet backbone infrastructure and healthcare entities" in Europe and the United States with exploits of a vulnerability tracked as CVE-2022-47966.
The vulnerability is exploitable if SAML single sign-on is or ever has been enabled in the ManageEngine setup, HHS HC3 said.”
“The Internet Systems Consortium (ISC) has released security advisories to address vulnerabilities affecting ISC’s Berkeley Internet Name Domain (BIND) 9. A malicious cyber actor could exploit these vulnerabilities to cause denial-of-service conditions.”
“Today, the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA), along with the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released joint Cybersecurity Advisory (CSA) People's Republic of China-Linked Cyber Actors Hide in Router Firmware. The CSA details activity by cyber actors, known as BlackTech, linked to the People’s Republic of China (PRC). The advisory provides BlackTech tactics, techniques, and procedures (TTPs) and urges multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise.
BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets.”
Legislation & Regulatory
“For six months, medical device makers have had to comply with new cybersecurity regulations aimed at hardening medical devices against cyber attacks, but the US Food and Drug Administration has largely refrained from using its "refuse to accept" power up to now.
On Oct. 1, the FDA's grace period — during which the agency stated it would try not to use its ability to reject medical devices that lack appropriate cybersecurity controls and a post-market patching capability — will end. The manufacturers of medical cyber devices must now submit plans to monitor and patch post-market cybersecurity vulnerabilities, have a process in place for the secure design and development of devices, and provide a software bill of materials (SBOM) to the FDA. Those who do not satisfy the requirements could have their devices rejected on the grounds that they pose too great a cyber risk.
The agency's focus on medical-device cybersecurity stems from Congressional passage of an omnibus appropriations act in December 2022 that included a section, "Ensuring Cybersecurity of Medical Devices," requiring medical-device manufacturers submit cybersecurity information to the FDA regarding any cyber device. The powers granted to the FDA, which went into effect in March, could go a long way toward forcing the makers of medical devices to consider and plan for vulnerabilities and cyberattacks, says Ty Greenhalgh, industry principal for healthcare at Claroty, an IoT security firm.”
“Today, the United States, in coordination with the United Kingdom, sanctioned eleven individuals who are part of the Russia-based Trickbot cybercrime group. Russia has long been a safe haven for cybercriminals, including the Trickbot group. Today’s action was taken by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). The U.S. Department of Justice (DOJ) is concurrently unsealing indictments against nine individuals in connection with the Trickbot malware and Conti ransomware schemes, including seven of the individuals designated today.
Today’s targets include key actors involved in management and procurement for the Trickbot group, which has ties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including hospitals. During the COVID-19 pandemic, the Trickbot group targeted many critical infrastructure and health care providers in the United States.”
“Negotiations over a U.N. cybercrime treaty have evolved into a diplomatic proxy war between democracies and their authoritarian rivals over competing future visions of the internet, technology, and human rights in the digital age, pitting the United States and its allies yet again against Russia and China at the United Nations.
Over the past 10 days, delegates from around the world have convened at the United Nations headquarters in New York for a sixth round of negotiations on the draft text of a first-ever U.N. convention combating cybercrime.
The aim of the treaty, at least on paper, is to make it easier for countries to share information on the astronomical rise of digital criminal activities like ransomware, denial-of-service attacks, and the exploitation of children online. A bulk of countries involved in the negotiations are hard at work in marathon closed-door negotiating sessions to do just that, according to diplomats and experts tracking the negotiations.
But a group of authoritarian governments is seeking to advance its own agenda through the U.N. treaty—and the consequences could be dire if it is successful.
The treaty, Western officials, experts, and human rights advocates say, could be used as a pretext to extend state repression into the digital realm—if autocratic governments in Russia, China, Iran, and elsewhere have their way on the final text. One risk is that the treaty could expand the scope of cybercrimes and allow states to crack down on political dissent, free media, or online content in general.”
“Controversial U.K. legislation that brings in a new regime of content moderation rules for online platforms and services — establishing the comms watchdog Ofcom as the main Internet regulator — has been passed by parliament today, paving the way for Royal Assent and the Online Safety Bill becoming law in the coming days.
Speaking during the bill’s final stages in the House of Lords, Lord Parkinson of Whitley Bay reiterated that the government’s intention for the legislation is “to make the UK the safest place in the world to be online, particularly for children”. Following affirmative votes as peers considered some last stage amendments he added that attention now moves “very swiftly to Ofcom… who stand ready to implement this — and do so swiftly”.
The legislation empowers Ofcom to levy fines of up to 10% of annual turnover (or up to £18 million, whichever is higher) for violations of the regime.
The Online Safety (née Harms) Bill has been years in the making as U.K. policymakers have grappled with how to respond to a range of online safety concerns. In 2019 these efforts manifested as a white paper with a focus on rules for tackling illegal content (such as terrorism and CSAM) but also an ambition to address a broad sweep of online activity that might be considered harmful, such as violent content and the incitement of violence; encouraging suicide; disinformation; cyber bullying; and adult material being accessed by children. The effort then morphed into a bill that was finally published in May 2021.
The proposed legislation continued swelling in scope as a grab-bag of additional duties and requirements got bolted on in response to a smorgasbord of safety concerns reaching policymakers’ ears, whether related to trolling, scam ads, deepfake porn or (most recently) animal cruelty. Changes within the governing Conservative party since 2019 have also seen a succession of different senior ministers steering the legislation, including the likes of Oliver Dowden and Nadine Dorries — who, in Dorries’ case, enthusiastically pushed to speed up the application of criminal liability powers for tech CEOs.”
“The US Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance designed to improve the accuracy of risk assessments related to hardware products in the supply chain.
The Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management is the work of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force.
It’s designed to encourage consistency in the naming of component attributes, a format for identifying and providing information on those components, and guidelines on what HBOM information is required based on the purpose for which the HBOM will be used.”
The U.S. Supreme Court on Friday chose to take a case on whether Florida and Texas laws that ban social media companies from removing content violate the First Amendment protections of the companies to be free of government-compelled speech.
It sets the stage for a potentially landmark social media First Amendment ruling on what limits, if any, companies have in moderating the kind of speech allowed on their platforms.
Tech groups NetChoice and the Computer and Communications Industry Association challenged the Texas and Florida laws as unconstitutional because they say the laws compel private speech.
Mergers, Acquisitions, Funding, Partnerships
While some of the chilling effects of the last few months continue to illustrate that cybersecurity is not entirely recession-proof, it does appear that some of the industry contraction fears are being put to rest and venture capital is beginning to find its way into the market again.
It has been a heavy month of activity, with larger companies acquiring new solutions to expand or strengthen their portfolios; the brightest star appears to be Cisco, which has overcome previous obstacles and finally submitted a successful bid to acquire Splunk. The huge layoffs of the last few months didn’t recur this month, but there was some culling of staff at Malwarebytes as the company prepares for a split in its business.
But in happier news, several new or expanded funding rounds were closed this month, including DNSFilter securing an additional $15M in Series A funding just before our eighth anniversary!
In addition to our announcements about DNSFilter’s eighth birthday and approval of $15M in further Series A funding, it’s been a busy month in other news around DNSFilter: tales of our adventures at Black Hat, blog entries on topics ranging from our continuous delivery network to how security is similar to fantasy football, a word from our CEO about proposed legislation around content governance in France, and a great set of results from our evaluation during G2’s Fall Awards (we got 29 badges!).
“I sat down with David Elkind, Chief Data Scientist, and Nick Saunders, Product Manager, to talk about how Black Hat went for the DNSFilter team. The three of us attended numerous briefings, trekked through the business hall, and put a few miles on our DNSFilter Nikes.”
“As a member of the DNSFilter Labs team, one of our responsibilities is to continually evaluate and investigate new sorts of data that become available from multiple sources. In mid-June, one of our Software-as-a-Service (SaaS) providers suffered an outage. As a result, the flow of critical data was interrupted for several hours, which then cascaded into an abrupt halt of active research. The outage was only temporary, but coming out of this was a short discussion with my colleagues about whether DNS query log data could be used to reliably identify a service outage, or even predict it. Based upon this conversation, I decided to dig further into the DNS query log data that was available to see what sort of behavior would be seen before, during and after a SaaS service outage.”
“At DNSFilter, we’ve never had a global outage. You’ve probably heard us say that before. We repeat that because it’s something we’re proud of, and we’ve done a lot of work to ensure that our DNS network (our anycast network) has 100% uptime. What I want to address here is how we achieve that uptime.”
“What the heck is Webshrinker?
The short answer: Webshrinker is the machine learning tool behind DNSFilter’s fast and effective threat detection.
The longer answer: Webshrinker is a tool that harnesses the power of cloud computing and machine learning to provide access to a wealth of domain classification and website screenshot thumbnail data. Webshrinker crawls the Internet to detect and categorize web pages while operating in a way that mimics human browser sessions to avoid triggering fake pages meant to trick bots into thinking a website is safe.”
“I was asked recently to speak during the Fortyx80 / STEM Coding Lab CS Explorers program to provide middle school students (Grades 5-8) with a free opportunity to learn about careers in computer science, interact with industry professionals and visit tech companies throughout Pittsburgh.”
“If you’re a football fan like many of us at DNSFilter, it’s possible you have a fantasy league in the office or with your friends. Our #sportsball slack channel is keeping many of us going as the weather cools down and the days get shorter. It’s a fun way to discuss and track the football season (and potentially win bragging rights and the respect of your fantasy prowess).
Now you might be thinking, “How on Earth could fantasy football possibly relate to my cybersecurity stack?””
“At the end of June, Vint Cerf, one of the “fathers of the internet” published an article on Medium in response to a drafted bill by the French Republic. You can read the original French proposal here, but we’ll also include a version translated into English at the bottom of this article.
First, let me provide a quick summary of what the bill is proposing:”
“DNSFilter has been named a leader in Secure Web Gateway, DNS Security, and Web Security categories on G2, earning an impressive 29 badges and named in 29 reports. This includes new badges such as High Performer EMEA and Leader Americas in the Web Security category.
These accolades are a testament to our commitment to our customers. We are particularly proud of our badges for ease of implementation, administration, and quality support. Providing the most effective Protective DNS solution on the market is important to us as a company.”
General Industry News
“A threat group called "Scattered Spider" is reportedly behind the Sept. 10 MGM Resorts cyberattack, which days later is still keeping systems offline across the conglomerate's more than 30 hotels and casinos scattered around the globe.
According to a Reuters report that attributes the attack, citing sources familiar with the matter, the Scattered Spider ransomware group is believed to be made up of young adults in the US and UK. The group is known for using social engineering schemes to trick users into handing over their login credentials and is tracked as an affiliate for the BlackCat/ALPHV ransomware.
Scattered Spider also recently targeted Caesars Entertainment, which paid tens of millions in ransom to the cyberattackers, according to Bloomberg, which added that Caesars is expected to submit a required SEC regulatory filing in the coming days with more details on the attack. The group began targeting Caesars in late August, sources said.”
“It’s challenging to ensure proper protection for your organization in an ever-changing, vulnerable environment. In our survey of over 250 organizations, we found that 80% of security exposures are found in cloud environments and 20% of cloud services change every month. Trying to get a handle on this sort of volatility is not easy, but it is vitally important.”
“Google has agreed to pay $93 million to settle a lawsuit filed by the U.S. state of California over allegations that the company's location-privacy practices misled consumers and violated consumer protection laws.
"Our investigation revealed that Google was telling its users one thing – that it would no longer track their location once they opted out – but doing the opposite and continuing to track its users' movements for its own commercial gain," California Attorney General Rob Bonta said.
The lawsuit is in response to disclosures that the company continued to track users' locations despite stating to the contrary that such information would not be stored if the "Location History" setting was disabled.
The complaint filed by California alleged that Google collected location data through other sources and that it deceived users about their ability to opt out of personalized advertisements targeted to their location.”
“European regulators slapped TikTok with a $368 million fine on Friday for failing to protect children's privacy, the first time that the popular short video-sharing app has been punished for breaching Europe's strict data privacy rules.
Ireland's Data Protection Commission, the lead privacy regulator for Big Tech companies whose European headquarters are largely in Dublin, said it was fining TikTok 345 million euros and reprimanding the platform for the violations dating to the second half of 2020.
The investigation found that the sign-up process for teen users resulted in settings that made their accounts public by default, allowing anyone to view and comment on their videos. Those default settings also posed a risk to children under 13 who gained access to the platform even though they're not allowed.
Also, a “family pairing" feature designed for parents to manage settings wasn't strict enough, allowing adults to turn on direct messaging for users aged 16 and 17 without their consent. And it nudged teen users into more “privacy intrusive” options when signing up and posting videos, the watchdog said.
TikTok said in a statement that it disagrees with the decision, “particularly the level of the fine imposed.””
“In a recent update, a well-known and notorious threat actor declared their targeting of Telegram. This group initiated the attack after Telegram’s decision to ban their primary account on the messaging platform.
The actor in question is Anonymous Sudan, renowned for their distributed denial-of-service (DDoS) attacks, primarily motivated by political and religious causes. While this attack on Telegram does not appear to stem from a political or religious dispute, it seems to be a retaliatory action following the banning of their main channel, or to simply get Telegram’s attention.”
“The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computers.
In an international operation announced today dubbed “Duck Hunt,” the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.”
“A group of 18 state attorneys general said on Monday they backed Montana's effort to ban Chinese-owned short video app TikTok, urging a U.S. judge to reject legal challenges ahead of the Jan. 1 effective date.
The state attorneys general led by Virginia and including Georgia, Alaska, Utah, Indiana, Nebraska, Indiana, Iowa, Kentucky and South Dakota said the suits from TikTok and users should be rejected "because TikTok intentionally engages in deceptive business practices which induce individuals to share sensitive personal information that can be easily accessed by the Chinese Communist Party and because TikTok’s platform harms children in Montana."
TikTok, which is owned by China's ByteDance, did not immediately respond to a request for comment Monday, and filed a suit in May seeking to block the first-of-its-kind U.S. state ban on several grounds, arguing it violates the First Amendment free speech rights of the company and users.
A hearing on TikTok's request for a preliminary injunction is set for Oct. 12.”
“Meta announced it has taken down two of the largest known covert influence operations originating from China and Russia.
The social network giant revealed it has blocked thousands of accounts and pages across its platform.
The company removed 7,704 Facebook accounts, 954 Pages, 15 Groups, and 15 Instagram accounts to dismantle the operation from China. The entities were removed for violating our policy against coordinated inauthentic behavior.
The researchers reported that about 560,000 accounts followed one or more of these Pages, fewer than 10 accounts joined one or more of these Groups and about 870 accounts followed one or more of these Instagram accounts. The pages were likely acquired from spam operators with built-in inauthentic followers primarily from Vietnam, Bangladesh and Brazil.
This network targeted several regions across the world, including Taiwan, the United States, Australia, the United Kingdom, Japan, and global Chinese-speaking audiences.”
“Business Email Compromise (BEC) attacks in the healthcare sector have seen a 279% increase this year, shows a new report published by Abnormal Security.
The data also suggests a 167% increase in advanced email attacks, including BEC, credential phishing, malware and extortion.
Further, the average number of advanced email attacks per 1000 mailboxes in the healthcare sector started the year at 55.66 in January 2023 and peaked at over 100 in March.
Although the numbers have stabilized at approximately 61.16 attacks per 1000 mailboxes for the rest of the year, historical trends suggest a potential increase during the holiday season.”
“In a significant victory against dark web criminals, the Finnish Customs (Tulli), together with European partners, has successfully taken down the dark web marketplace ‘Piilopuoti’.
Drugs and other illegal commodities were sold in large quantities on this Finnish-language platform which had been operating on the Onion Router (Tor) network since May 2022.
This successful action by the Finnish Customs was supported, among others, by the German Federal Criminal Office (Bundeskriminalamt) and the Lithuanian Criminal Police Bureau (Lietuvos kriminalinės policijos biuras). Europol’s European Cybercrime Centre coordinated the international activity and provided operational support and technical expertise.”
“The African Network Information Centre (Afrinic) has been placed under receivership after being effectively paralysed by an injunction that a South African company obtained in the Supreme Court of Mauritius.
Afrinic is a Regional Internet Registry (RIR) — the entity responsible for the raw Internet resources, like Internet Protocol addresses, for the entire African continent and Indian Ocean region.
Industry players on both sides of a conflict involving the registry have welcomed the Mauritian Supreme Court’s latest ruling, as it potentially creates a path to reconstitute the ailing entity’s board and appoint a CEO.”
“Sending an email with a forged address is easier than previously thought, due to flaws in the process that allows email forwarding, according to a research team led by computer scientists at the University of California San Diego.
The issues researchers uncovered have a broad impact, affecting the integrity of emails sent from tens of thousands of domains, including those representing organizations in the U.S. government, such as the majority of U.S. cabinet email domains, including state.gov, and security agencies.
Key financial service companies, such as Mastercard, and major news organizations, such as The Washington Post and the Associated Press, are also vulnerable.
It’s called forwarding-based spoofing, and researchers found that they can send email messages impersonating these organizations, bypassing the safeguards deployed by email providers such as Gmail and Outlook. Once recipients get the spoofed email, they are more likely to open attachments that deploy malware or to click on links that install spyware on their machine.”
“Within just the first six months of 2023, organizations operating critical IT infrastructure services in the United Kingdom reported more incidents to government authorities in which cyberattacks had significantly disrupted their operations than in any year previously, according to data obtained under the Freedom of Information Act.
While the total count of attacks might seem low — just 13 that affected organizations operating critical technology services, such as national internet exchange points or backhaul operators — the number marks a significant increase from the four disruptions the sector recorded in each of 2022 and 2021.
Essential service providers across Britain — from power plants through to businesses in the transport and healthcare sectors, as well as IT infrastructure companies — are legally required to report disruptive cyber incidents to sector-specific authorities under the country’s Network & Information Systems Regulations (NIS Regulations) which also establish minimum security standards for their computer networks.
To be reportable, the disruption caused by these cyberattacks must meet certain thresholds. For instance, an NIS incident for an electricity distribution network would have to involve an unplanned loss of supply to at least 50,000 customers for more than three minutes. An incident affecting a nationally significant DNS Resolver would see the service’s bandwidth drop by more than 25% for 15 minutes or longer.”
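The DNS resolver threshold quoted above (bandwidth down by more than 25% for 15 minutes or longer) is the kind of rule an operator would want evaluated automatically against throughput telemetry. The following is an added example, not code from the article or from any of the organizations it mentions; it assumes fixed-interval per-minute throughput samples and a known baseline, and the sample series is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Reporting threshold for a nationally significant DNS resolver, as quoted
# from the NIS Regulations in the article: bandwidth drops by more than 25%
# for 15 minutes or longer. The sampling model below is this example's own
# assumption, not something the regulation specifies.
DNS_DROP_FRACTION = 0.25
DNS_MIN_DURATION = timedelta(minutes=15)


@dataclass(frozen=True)
class Sample:
    """One resolver throughput measurement (constructed data in this example)."""
    ts: datetime
    mbps: float


@dataclass(frozen=True)
class Degradation:
    """A run of consecutive samples below the degradation floor."""
    start: datetime
    end: datetime      # exclusive: first timestamp at which service had recovered
    ongoing: bool      # True if the series ended while still degraded

    @property
    def duration(self) -> timedelta:
        return self.end - self.start

    def reportable(self, min_duration: timedelta = DNS_MIN_DURATION) -> bool:
        # "15 minutes or longer" is inclusive, hence >= rather than >.
        return self.duration >= min_duration


def find_degradations(samples: List[Sample], baseline_mbps: float,
                      interval: timedelta,
                      drop_fraction: float = DNS_DROP_FRACTION) -> List[Degradation]:
    """Group consecutive below-floor samples into Degradation windows.

    Assumes samples are spaced by a fixed `interval`. A window ends at the
    first sample that is back at or above the floor; if the series ends while
    degraded, the window is closed at the last degraded sample plus one
    interval and flagged as ongoing so an analyst knows it is still open.
    """
    floor = baseline_mbps * (1.0 - drop_fraction)   # "more than 25% down"
    windows: List[Degradation] = []
    start: Optional[datetime] = None
    last_degraded: Optional[datetime] = None
    for s in sorted(samples, key=lambda x: x.ts):
        if s.mbps < floor:
            if start is None:
                start = s.ts
            last_degraded = s.ts
        elif start is not None:
            windows.append(Degradation(start, s.ts, ongoing=False))
            start = None
    if start is not None and last_degraded is not None:
        windows.append(Degradation(start, last_degraded + interval, ongoing=True))
    return windows


def reportable_incidents(samples: List[Sample], baseline_mbps: float,
                         interval: timedelta) -> List[Degradation]:
    """Only the windows that meet the NIS duration threshold."""
    return [w for w in find_degradations(samples, baseline_mbps, interval)
            if w.reportable()]


def constructed_series() -> List[Sample]:
    """Constructed per-minute series: a 5-minute dip (not reportable),
    then a 17-minute drop (reportable), against a 1000 Mbps baseline."""
    t0 = datetime(2023, 9, 21, 12, 0)
    plan = [(5, 1000.0), (5, 700.0), (3, 1000.0), (17, 600.0), (5, 1000.0)]
    out: List[Sample] = []
    minute = 0
    for count, mbps in plan:
        for _ in range(count):
            out.append(Sample(t0 + timedelta(minutes=minute), mbps))
            minute += 1
    return out


if __name__ == "__main__":
    one_minute = timedelta(minutes=1)
    for w in find_degradations(constructed_series(), 1000.0, one_minute):
        status = "REPORTABLE" if w.reportable() else "below threshold"
        print(f"{w.start:%H:%M} to {w.end:%H:%M} ({w.duration}): {status}")
```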
“Square said there was “no evidence” a cyberattack caused an outage that left customers and small businesses unable to use the payment giant’s technology on Thursday through early Friday.
The payments technology giant said in a post-mortem of the daylong outage that it was caused by a DNS issue. DNS, or domain name system, is the global protocol that converts human-readable web addresses into IP addresses, which allow computers to find and load websites from all over the world.
But if a company’s DNS settings are misconfigured or incorrectly changed, at worst it can cause the entire company to appear as if it’s dropped off the internet. That’s what happened with Square.”
“The front-end websites of popular decentralized exchange (DEX) Balancer were hit by a Domain Name System (DNS) attack on September 19.
Hackers compromised Balancer’s domain names to redirect users or their transactions to a malicious destination.
The Balancer team first alerted users about interacting with the balancer UI yesterday at 7:49 pm EST.”
“More than 97% of the world’s internet traffic passes through subsea cables at some point, according to ENISA. Subsea cables are a vital component of the global internet infrastructure, and it is critical to protect them from cyberattacks, physical attacks and other threats.
With the growing reliance on the internet and the growing amounts of data being transmitted, subsea cable incidents could cause outages and disruptions. The cable landing stations, as well as subsea areas where many cables run close to each other, are considered weak points.
The International Cable Protection Committee in its 2022 report concludes that most subsea cable incidents are accidental, due to anchoring and fishing. Some cable incidents are caused by natural phenomena like underwater earthquakes. In rare cases, system failures are responsible for incidents.
Malicious actions such as sabotage attacks and espionage have to be considered also. Particularly, a coordinated sabotage attack on multiple cables at once could cause significant disruptions of internet connectivity. Repairing subsea cables is complex, takes a long time, and requires highly specialised cable repair ships, of which there are only a few in the world.
While eavesdropping on cables on the seabed is considered unlikely, accessing communications data at the cable landing stations or at cable landing points is feasible, and should be considered as a threat.”
“Organizations are optimistic about AI, but AI adoption requires attention to privacy and security, productivity, and training, according to GitLab.
“The transformational opportunity with AI goes way beyond creating code,” said David DeSanto, CPO, GitLab. “According to the GitLab Global DevSecOps Report, only 25% of developers’ time is spent on code generation, but the data shows AI can boost productivity and collaboration in nearly 60% of developers’ day-to-day work. To realize AI’s full potential, it needs to be embedded across the software development lifecycle, allowing everyone involved in delivering secure software, not just developers, to benefit from the efficiency boost.”
Although organizations are enthusiastic about implementing AI, data privacy and intellectual property are key priorities when adopting new tools.
95% of senior technology executives said they prioritize privacy and protection of intellectual property when selecting an AI tool. 32% of respondents were ‘very’ or ‘extremely’ concerned about introducing AI into the software development lifecycle, and of those, 39% cited they are concerned that AI-generated code may introduce security vulnerabilities, and 48% said they are concerned that AI-generated code may not be subject to the same copyright protection as human-generated code.
Security professionals worry that AI-generated code could result in more security vulnerabilities, making more work for security professionals.
Only 7% of developers’ time is spent identifying and mitigating security vulnerabilities and 11% is spent on testing code. 48% of developers were significantly more likely to identify faster cycle times as a benefit of AI, compared to 38% of security professionals.
51% of all respondents are already seeing productivity as a key benefit of AI implementation.”
“Large language models (LLMs) such as ChatGPT have shaken up the data security market as companies search for ways to prevent employees from leaking sensitive and proprietary data to external systems.
Companies have already started taking dramatic steps to head off the possibility of data leaks, including banning employees from using the systems, adopting the rudimentary controls offered by generative AI providers, and using a variety of data security services, such as content scanning and LLM firewalls. The efforts come as research reveals that leaks are possible, bolstered by three high-profile incidents at consumer device maker Samsung and studies that find as much as 4% of employees are inputting sensitive data.
In the short term, the data security problem will only get worse — especially because, given the right prompts, LLMs are very good at extracting nuggets of valuable data from training data. Technical solutions will be important, says Ron Reiter, co-founder and CTO at Sentra, a data life cycle security firm.”
“It’s been a rapid evolution, even for the IT industry. At 2022's edition of Black Hat, CISOs were saying that they didn’t want to hear the letters "AI"; at RSAC 2023, practically everyone was talking about generative AI and speculating on the huge changes it would mark for the security industry; at Black Hat USA 2023, there was still talk about generative AI, but with conversations that centered on managing the technology as an aid to human operators and working within the limits of AI engines. It shows, overall, a very quick turn from breathless hype to more useful realism.
The realism is welcomed because generative AI is absolutely going to be a feature of cybersecurity products, services, and operations in the coming years. Among the reasons that is true is the reality that a shortage of cybersecurity professionals will also be a feature of the industry for years to come. With generative AI use focused on amplifying the effectiveness of cybersecurity professionals, rather than replacing FTEs (full-time equivalents or full-time employees), I heard no one discussing easing the talent shortage by replacing humans with generative AI. What I heard a great deal of was using generative AI to make each cybersecurity professional more effective — especially in making Tier 1 analysts as effective as "Tier 1.5 analysts," as these less-experienced analysts are able to provide more context, more certainty, and more prescriptive options to higher-tier analysts as they move alerts up the chain.”
“Scams involving human manipulation comprised 75% of all desktop threats in the first half of 2023, according to new data from Norton.
The consumer security vendor analyzed its own tracking and blocking data to compile the latest Consumer Cyber Safety Pulse report.
Norton claimed to have blocked over 1.5 billion threats in the first half of the year, including eight million phishing attempts, 3.5 million desktop threats and nearly 33,000 mobile threats.”
“The most complicated aspect of any crisis affecting a small or medium-sized business is that they are generally equipped with fewer resources than larger corporations. Whether it be a less experienced security capability, smaller headcount, smaller budget, and so on, fewer resources make everything a little trickier.
SMBs often have fewer cybersecurity guardrails in place due to a lack of informed leadership and lack of funds. This not only heightens their vulnerability to phishing attacks but also makes it more difficult to clean up the mess after an attack.
While a small business is less likely to make national headlines for falling victim to a phishing attack, there are still plenty of large-scale, long-term obstacles SMBs will face. For instance, a smaller organization only serving a couple hundred customers may encounter a breach of sensitive company data. This organization is more vulnerable to revenue loss and a lack of customer retention – a problem that larger corporations are less concerned about. In the same vein of revenue loss, if a phishing attack is focused on fraudulent wire transfer information, money could be mistakenly transferred to a cybercriminal.
In addition to tangible losses like this, irreparable damage to a small business’s reputation can also be a result of a phishing attack.”
“Cybercriminals are abusing Google Looker Studio to create counterfeit cryptocurrency phishing websites that phish digital asset holders, leading to account takeovers and financial losses.
Google's Looker Studio (formerly Data Studio) is an online data conversion tool used for creating customizable reports out of raw data from spreadsheets and other sources, featuring easily digestible elements like charts and graphs.
Check Point researchers have discovered that hackers are exploiting the trusted service of Google Looker Studio to craft cryptocurrency phishing pages.”
“IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads.
Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as the emails reference then-recent amendments regarding conscription. Under the new ordinance, the state will bar individuals who fail to report for service from applying for loans, conducting real estate transactions, engaging in international travel, and suspend their driver’s license.
It is highly likely Hive0117 pose a threat to in-region entities and enterprises, given the use of emergent policies associated with the ongoing conflict in Ukraine to conduct operations, combined with the diverse functionality and fileless nature of DarkWatchman malware.”
“AhnLab Security Emergency response Center (ASEC) has recently identified circumstances of multiple phishing script files disguised as PDF document viewer screens being distributed as attachments to emails. A portion of the identified file names are as below, and keywords such as purchase order (PO), order, and receipt were used.”
“A threat actor known as W3LL developed a phishing kit that can bypass multi-factor authentication along with other tools that compromised more than 8,000 Microsoft 365 corporate accounts.
In ten months, security researchers discovered that W3LL’s utilities and infrastructure were used to set up about 850 phishing websites that targeted credentials for more than 56,000 Microsoft 365 accounts.
Serving a community of at least 500 cybercriminals, W3LL’s custom phishing tools were employed in business email compromise (BEC) attacks that caused millions of U.S. dollars in financial losses.
Researchers say that W3LL’s inventory covers almost the entire kill chain of a BEC operation and can be operated by “cybercriminals of all technical skill levels.””
“Scammers are impersonating the bankruptcy claim agent for crypto lender Celsius in phishing attacks that attempt to steal funds from cryptocurrency wallets.
In July 2022, crypto lender Celsius filed for bankruptcy and froze withdrawals from user accounts. Customers have since filed claims against the company, hoping to recover a portion of the funds.
Over the past few days, people have reported receiving phishing emails pretending to be from Stretto, the Claims Agent for the Celsius bankruptcy proceeding.”
“85% of phishing emails utilized malicious links in the content of the email, and spam emails increased by 30% from Q1 to Q2 2023, according to a VIPRE report.
Information technology organizations also overtook financial institutions (9%) as the most targeted sector for phishing in Q2 as compared to VIPRE’s previous quarterly report.”
“Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.
.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.
That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and found 30,000 .US phishing domains.
.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.
Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working.”
“Chinese-language speakers have been increasingly targeted as part of multiple email phishing campaigns that aim to distribute various malware families such as Sainbox RAT, Purple Fox, and a new trojan called ValleyRAT.
"Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity," enterprise security firm Proofpoint said in a report shared with The Hacker News.
The activity, observed since early 2023, entails sending email messages containing URLs pointing to compressed executables that are responsible for installing the malware. Other infection chains have been found to leverage Microsoft Excel and PDF attachments that embed these URLs to trigger malicious activity.
These campaigns demonstrate variation in the use of infrastructure, sender domains, email content, targeting, and payloads, indicating that different threat clusters are mounting the attacks.
Over 30 such campaigns have been detected in 2023 that employ malware typically associated with Chinese cybercrime activity. Since April 2023, no less than 20 of those campaigns are said to have delivered Sainbox, a variant of the Gh0st RAT trojan that's also known as FatalRAT.
Proofpoint said it identified at least three other campaigns delivering the Purple Fox malware and six additional campaigns propagating a nascent strain of malware dubbed ValleyRAT, the latter of which commenced on March 21, 2023.”
“Facebook’s Messenger platform has been heavily abused in the past month to spread endless messages with malicious attachments from a swarm of fake and hijacked personal accounts. These threat actors are targeting millions of business accounts on Facebook’s platform — from highly-rated marketplace sellers to large corporations, with fake business inquiries, achieving a staggering “success rate” with approximately 1 out of 70 infected!
Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods.
In this write-up, we will share our analysis of this campaign, including how it appears from the victim’s perspective as well as the threat actor’s ecosystem of dark markets. All of this will illustrate how this operation, along with its robust underground marketplace supply and demand, manages to compromise so many businesses on one of the world’s most popular platforms.”
“In August, FortiGuard Labs obtained a Word document containing a malicious URL designed to entice victims to download a malware loader. This loader employs a binary padding evasion strategy that adds null bytes to increase the file's size to 400 MB. The payloads of this loader include OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and AgentTesla for harvesting sensitive information. Figure 1 illustrates the comprehensive attack flow.
In this blog, we examine the various stages of how the file is deployed and delve into the specifics of the malware it delivers.”
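The binary-padding trick in the FortiGuard write-up works against two kinds of defence at once: scanners that skip files above a size limit, and hash-based matching, since every byte of zero padding changes the file hash without changing what runs. The script below is an added example for this recap, not FortiGuard's analysis code; it measures the trailing run of 0x00 bytes, flags a file when that run is both large and most of the file, and hashes the un-padded core so a bloated sample can still be matched. The sample "executable" is constructed pseudo-random bytes, not the real loader.

```python
"""Heuristic for null-byte binary padding (added example, not FortiGuard's code).

Large runs of 0x00 appended to a file inflate its size past scanner limits
without changing what executes. This reports the trailing null run and the
SHA-256 of the file with that padding removed, so a bloated sample can be
matched against the un-padded original. Sample bytes below are constructed.
"""
import hashlib
import random


def trailing_null_run(data: bytes) -> int:
    """Number of 0x00 bytes at the very end of the buffer."""
    return len(data) - len(data.rstrip(b"\x00"))


def padding_report(data: bytes, min_run: int = 1 << 20, min_ratio: float = 0.5) -> dict:
    """Flag when at least min_run bytes of trailing nulls make up min_ratio of the
    file. Short null tails are normal (section alignment, zero-filled tables),
    so both thresholds must be met before a file is called padded."""
    run = trailing_null_run(data)
    size = len(data)
    ratio = run / size if size else 0.0
    core = data[: size - run]
    return {
        "size": size,
        "trailing_nulls": run,
        "ratio": round(ratio, 3),
        "padded": run >= min_run and ratio >= min_ratio,
        "core_sha256": hashlib.sha256(core).hexdigest(),
    }


def make_sample(padding_bytes: int, seed: int = 7):
    """Constructed stand-in for a padded executable: a small deterministic
    pseudo-random body (so hashes are stable) followed by 0x00 padding.
    Returns (unpadded_body, padded_file)."""
    rng = random.Random(seed)
    body = b"MZ" + bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    return body, body + b"\x00" * padding_bytes


if __name__ == "__main__":
    body, padded = make_sample(4 << 20)  # 4 MiB of padding on a 64 KiB body
    for label, blob in (("original", body), ("padded", padded)):
        r = padding_report(blob)
        print(f"{label:9s} size={r['size']:>8} nulls={r['trailing_nulls']:>8} "
              f"ratio={r['ratio']:.3f} padded={r['padded']} core={r['core_sha256'][:16]}")
```

The same core hash comes out of both the original and the padded copy, which is the point: index samples by core hash, not file hash. The heuristic only covers the zero-fill variant described above; padding made of random or repeated non-zero bytes needs a different check, such as measuring the overlay past the last PE section rather than a null run.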
“A study released Tuesday by Netacea found that 72% of organizations surveyed suffered bot attacks that originated in China, and 66% from Russia.
The study also found that the average business loses 4.3% of online revenues every year to bots, or $85.6 million, a number that has more than doubled in the past two years.
Netacea commissioned independent researchers Coleman Parkes for the third straight year to survey 440 businesses with average online revenue of $1.9 billion across the travel, entertainment, ecommerce, financial services, and telecom sectors in the United States and UK.
The survey also found that it takes four months on average to detect bot attacks, with 97% admitting it takes over a month to respond. And 40% of businesses report attacks on their APIs, while attacks on mobile apps have overtaken website attacks for the first time.”
“A novel peer-to-peer botnet called P2Pinfect targeting the Redis and SSH open source services has reportedly experienced a dramatic 600-times increase since August 28, including a 12.3% increase in traffic over the past week.
In a blog post September 20, Cado Security Labs reported P2Pinfect compromises have been observed in China, the United States, Germany, the UK, Singapore, Hong Kong, and Japan.
Researchers first discovered P2Pinfect in July targeting servers hosting publicly-accessible instances of the Redis open source database. In today’s blog, the researchers noted that targeting Redis is only half of P2Pinfect’s functionality. The malware also has the ability to propagate via SSH, and includes a list of username/password pairs to assist with brute-forcing.
In terms of the potential danger, Matt Muir, threat research lead at Cado Security, explained that attackers could use a botnet of this scale to conduct disruptive DDoS attacks as we've seen used by hacktivists throughout the Russia/Ukraine war. Muir added that attackers could also use it to mine cryptocurrency at scale, or simply to support additional malware campaigns or social engineering operations such as phishing.”
Supply Chain Attacks
“Hijacking open source software packages to insert malicious code has become a popular way for attackers to spread malware rapidly across the software supply chain. But now new research has found that if users wait about 14 days before updating these software packages to new versions, they can avoid the downstream effects of package-hijack attacks.
Researchers at JFrog investigated the compromise of various open source software packages, some with hundreds of millions of downloads. They analyzed the timespan it took for the attack to be discovered, and how many times the package was downloaded before the malicious activity could be mitigated.
Ultimately, they found that it can take from mere hours to more than a week for project developers or maintainers of those packages to discover the malicious code and produce an update that fixes the problem, according to a report shared with Dark Reading.
This means that waiting about two weeks before updating to any new version of an open source software package is generally a safe bet.”
“In today's hospitality industry, vacation rental software has shifted from a luxury to a must-have for hotels, resorts, and smaller businesses, simplifying booking, guest interactions, and property management. While vacation rental software may seem focused on booking, it holds valuable data like credit card info, guest preferences, and communications. This data is a prime target for cybercriminals seeking financial gain or unauthorized access.
Especially attractive is credit card information, which draws the attention of financially motivated hackers, accounting for 41% of hospitality breaches (source: Verizon Data Breach Investigations Report). The combination of the hospitality industry's substantial transaction volume and the integration of payment gateways make it a lucrative target.
Another key characteristic of financially driven attacks targeting payment and financial systems is the attackers' intimate familiarity with the internal workings of the software. Often, these threat actors possess a deep understanding of how systems function and connect, and they are motivated to allocate effort and resources into developing specialized tools. Unsurprisingly, cybercriminals find the idea of generating a steady, repeating income by exploiting payment systems quite interesting.
While significant resources are at the disposal of large hotel networks and travel search engines, enabling them to enforce robust security measures (though recent breaches underscore that this isn't infallible), smaller hotels and resorts face an even more formidable challenge. Custom software is costly and time-consuming, so they opt for third-party solutions from trusted providers. But this reliance introduces a new issue: supply chain vulnerability.
This deep-dive article examines a recent breach targeting a small resort in the United States. The business in question had adopted the IRM Next Generation (“IRM-NG”) online booking engine, a product by Resort Data Processing, Inc. During the investigation by Bitdefender Labs, we discovered a collection of vulnerabilities in this software. In addition, the attack was supported by a suite of tailor-made malware, designed by the threat actor to seamlessly integrate with the software’s architecture. This underscores the threat actor’s intricate understanding of the software’s internal workings and highlights their capacity to exploit its functionalities for extracting sensitive information.”
“"What's in a name? That which we call a rose By any other name would smell as sweet." When Shakespeare wrote these words (Romeo and Juliet, Act 2, Scene 2) in 1596, he was saying that a name is just a convention. It has no intrinsic meaning. Juliet loves Romeo for who he is, not for his name.
But without knowing it, Shakespeare was also describing dependency confusion attacks.
Dependency confusion is when packages you are using in your code are not yours. They have the same name, but it is not your code that is running in production. Same name, but one package smells like a rose and the other ... stinks.
Recent research reports estimate that 41% to 49% of organizations are at risk for dependency confusion attacks. New research from OX Security shows that when an organization is at risk for a dependency confusion attack, 73% of its assets are vulnerable. The research focused on midsize and large organizations (1K+, 8K+, 80K+ employees) across a wide range of sectors — finance, gaming, technology, and media — and found the risk in every sector across organizations of all sizes. The research also found that almost all applications with more than 1 billion users are using dependencies that are vulnerable to dependency confusion.
This article aims to help you understand dependency confusion and how to prevent it.”
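Whether a build is exposed to dependency confusion is decided by package naming and registry routing, both of which can be audited from the project's own files. The checker below is an added example for this recap, not OX Security's tooling: it reads the `@scope:registry=` lines of an `.npmrc`, works out which registry npm would consult for each dependency, and flags internal package names that would be fetched from the public registry, distinguishing names an attacker has already claimed from names that are merely claimable. The `.npmrc`, `package.json`, internal package list and the stand-in for a public-registry lookup are all constructed for the demo.

```python
"""Dependency-confusion audit for an npm project (added example, not OX Security's code).

npm picks the registry per package by scope: an .npmrc line `@scope:registry=URL`
routes that scope to URL, everything else goes to the default registry. An internal
package is exposed when it is unscoped, or its scope is not pinned to the private
registry, because the public registry is then consulted for it. All names, URLs and
the fake public-registry lookup below are constructed for the demo.
"""
PUBLIC_REGISTRY = "https://registry.npmjs.org/"

NPMRC_TEXT = """\
# constructed .npmrc
@acme:registry=https://npm.acme.internal/
registry=https://registry.npmjs.org/
"""

PACKAGE_JSON = {  # constructed
    "dependencies": {
        "@acme/logger": "^3.1.0",
        "@acme-labs/charts": "^0.4.0",
        "acme-auth-utils": "^1.2.0",
        "express": "^4.18.2",
    }
}

# Constructed: names that exist only in-house, e.g. from the private registry's index.
INTERNAL_PACKAGES = {"@acme/logger", "@acme-labs/charts", "acme-auth-utils"}

# Constructed stand-in for a public-registry lookup (HEAD https://registry.npmjs.org/<name>);
# here "acme-auth-utils" is a name someone has already published publicly.
PUBLIC_LOOKUP = {"acme-auth-utils": True, "express": True}


def parse_npmrc(text: str) -> dict:
    """Return {"@scope": url, ..., "*": default_url} from .npmrc lines."""
    routes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "registry":
            routes["*"] = value
        elif key.startswith("@") and key.endswith(":registry"):
            routes[key[: -len(":registry")]] = value
    return routes


def registry_for(name: str, routes: dict) -> str:
    """The registry npm would query for `name` under these routes."""
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    if scope and scope in routes:
        return routes[scope]
    return routes.get("*", PUBLIC_REGISTRY)


def audit(package_json: dict, internal: set, routes: dict, public_exists) -> dict:
    """{name: reason} for internal dependencies that npm would resolve publicly.
    Only an explicit scope route to a non-public registry counts as safe; a private
    default registry that proxies misses to the public one is exactly the confusion path."""
    findings = {}
    for name in package_json.get("dependencies", {}):
        if name not in internal:
            continue
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope and routes.get(scope) not in (None, PUBLIC_REGISTRY):
            continue  # scope pinned to the private registry
        if public_exists(name):
            findings[name] = "public package with this name already exists: likely confusion"
        else:
            findings[name] = "internal name resolvable from the public registry: claimable"
    return findings


if __name__ == "__main__":
    routes = parse_npmrc(NPMRC_TEXT)
    for name, reason in audit(PACKAGE_JSON, INTERNAL_PACKAGES, routes,
                              lambda n: PUBLIC_LOOKUP.get(n, False)).items():
        print(f"{name}: {reason}")
```

The two fixes the findings point at are the usual ones: put every internal package under a scope that `.npmrc` pins to the private registry, and for unscoped legacy names either rename them or register a placeholder under the same name on the public registry so nobody else can. Run the audit with a real lookup against the public registry in CI, so a newly claimed name is caught before the next install picks it up.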
“By definition, a supply chain is the network of all the individuals, organizations, resources, activities and technology involved in the creation and sale of a product. In only a few rare cases does one organization have full control over every step in the entire process. The links in such a supply chain often work closely together, sometimes so much so that they have access to parts of each other’s systems.
Although it is important to guard every aspect of your supply chain to avoid disruptions, for the scope of this article we will focus on the cybersecurity element of it.
From a security perspective, it's imperative to choose your partners wisely. An organization's security posture is its readiness and ability to identify, respond to and recover from security threats and risks. If you are the one paying, you can often make demands about the security posture of the partner, but the other way around is usually much harder.
We probably all know the compliance audits that are the result of these demands. And it makes sense we do not wish to fall victim to the mistakes made in another organization that we have no control over. It’s usually more than enough to worry about the processes we need to control inside our own organization.”
“Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server.
Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts.”
Malvertising and Adware
“A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex. Threat actors have bought an advert that impersonates Cisco's brand and is displayed first when performing a Google search.
We are releasing this blog to warn users about this threat as the malicious ad has been online for almost one week. The malware being used in this campaign is BatLoader, a type of loader that is very good at evading detection.
Note that Webex has not been compromised, this is a malicious campaign where threat actors are impersonating well-known brands to distribute malware.”
“Malicious ads served inside Microsoft Bing's artificial intelligence (AI) chatbot are being used to distribute malware when searching for popular tools.
The findings come from Malwarebytes, which revealed that unsuspecting users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations.
Introduced by Microsoft in February 2023, Bing Chat is an interactive search experience that's powered by OpenAI's large language model called GPT-4. A month later, the tech giant began exploring placing ads in the conversations.
But the move has also opened the doors for threat actors who resort to malvertising tactics and propagate malware.”
“The organization tasked with managing the lake and river systems along the border between the U.S. and Canada for the last hundred years announced Wednesday that it experienced a cyberattack following reports that ransomware hackers claimed to have stolen reams of data.
The International Joint Commission (IJC) — guided by the 1909 Boundary Waters Treaty signed by both countries — approves projects that affect the water levels and flows across the border, investigates transboundary issues and offers solutions.
On Monday, the NoEscape ransomware gang claimed it attacked the organization — which has offices in Washington, D.C., Ottawa and Windsor — and stole 80 GB of contracts, geological files, conflict of interest forms and more.”
“We have been observing malware families RedLine and Vidar since the middle of 2022, when both were used by threat actors to target victims via spear-phishing scams. Earlier this year, RedLine targeted the hospitality industry with its info stealer malware.
Our latest investigations show that the threat actors behind RedLine and Vidar now distribute ransomware payloads with the same delivery techniques they use to spread info stealers. This suggests that the threat actors are streamlining operations by making their techniques multipurpose. In this particular case we investigated, the victim initially received a piece of info stealer malware with Extended Validation (EV) code signing certificates. After some time, however, they started receiving ransomware payloads via the same route.
EV code signing certificates are issued to organizations that are verified to have legal and physical existence in each country. They entail an issuance process with extended identity verification compared to regular code signing certificates, as well as private key generation where a hardware token is required.”
“A new ransomware strain called 3AM has been uncovered after a threat actor used it in an attack that failed to deploy LockBit ransomware on a target network.
Researchers say in a report today that the new malware “has only been used in a limited fashion” and it was a ransomware affiliate’s fallback when defense mechanisms blocked LockBit.”
“Federal authorities are warning the health sector about threats posed by Akira, a ransomware-as-a-service group that surfaced about six months ago and has been linked to several dozen attacks on predominately small and midsized entities across many industries.
The group seems to favor organizations in which multifactor authentication has not been deployed on virtual private networks, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center said in a threat alert issued Tuesday.”
“Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.”
“A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware.
SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).
"This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers," the cybersecurity company said.
"The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption."”
“The German police in cooperation with the US Secret Service have executed search warrants against suspected members of the DoppelPaymer ransomware group in Germany and Ukraine.
In March of 2023, we reported how the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigations (FBI), apprehended two suspects and seized computer equipment.
Since then, cybercrime group specialists from the North Rhine-Westphalia State Criminal Police Office (LKA NRW), together with the Cybercrime Central and Contact Point (ZAC NRW), carried out another targeted strike against people associated with the criminal network.
Two men in particular became the focus during blockchain investigations by the LKA NRW and the US Secret Service. They are a 44-year-old Ukrainian who apparently held a key position within the organization and a 45-year-old man from southern Germany who is suspected of having received suspicious funds, possibly originating from ransomware attacks.”
Nation-State / Advanced Persistent Threat
“Ukrainian cyber defenders said Russian military hackers targeted a critical energy infrastructure facility with phishing emails containing a malicious script leading to cyberespionage.
The Computer Emergency Response Team of Ukraine on Monday linked the campaign to APT28, the Russian GRU hacking group also known as Fancy Bear and Forest Blizzard, which was formerly Strontium.
The Russian state hacking group is behind a number of spear-phishing campaigns against Kyiv. U.S. and U.K. authorities earlier this year warned that the group had been exploiting a known vulnerability to deploy malware and access Cisco routers worldwide (see: Ukraine Facing Phishing Attacks, Information Operations).
CERT-UA released the report as Ukrainian forces have reportedly breached the southern first line of Russian defenses.”
“The APT36 hacking group, aka 'Transparent Tribe,' has been observed using at least three Android apps that mimic YouTube to infect devices with their signature remote access trojan (RAT), 'CapraRAT.'
Once the malware is installed on a victim's device, it can harvest data, record audio and video, or access sensitive communication information, essentially operating like a spyware tool.
APT36 is a Pakistan-aligned threat actor known for using malicious or laced Android apps to attack Indian defense and government entities, those dealing with Kashmir region affairs, and human rights activists in Pakistan.”
“Russian APT group Gamaredon has intensified its cyber espionage activities ahead of and during Ukraine’s counter-offensive operations, according to a new report from the National Security and Defense Council of Ukraine.
The government agency said the Russia-affiliated group, which has consistently targeted Ukraine since 2013, is ramping up attacks on military and government entities with the aim of stealing sensitive data relating to its counter-offensive operations against Kremlin troops.
The war in Ukraine has reached a critical point, with Kyiv currently undertaking a much-publicized counter-offensive designed to push back Russian forces from its territory.
The Council observed a “notable surge” in Gamaredon’s infrastructure preparations in the build-up to the counter-offensive, during April and May 2023.”
“A cluster of threat actor activity that Unit 42 observed attacking a Southeast Asian government target could provide insight into a rarely seen, stealthy APT group known as Gelsemium.
We found this activity as part of an investigation into compromised environments within a Southeast Asian government. We identified the cluster as CL-STA-0046.
This unique cluster had activity spanning over six months between 2022-2023. It featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive IIS servers belonging to a government entity in Southeast Asia.
In addition to an array of web shells, the main backdoors used by the threat actor were OwlProxy and SessionManager. This combination, which was publicly documented once before in 2020, is rare and was previously used to target several entities in Laos.
Based on our analysis and available threat intelligence, we attribute CL-STA-0046 to the Gelsemium APT group, with a moderate level of confidence. The observations we describe here could provide a view into a threat group about which only a handful of public reports have been published to date.”
“An advanced persistent threat (APT) group suspected with moderate-high confidence to be Stately Taurus engaged in a number of cyberespionage intrusions targeting a government in Southeast Asia. The intrusions took place from at least the second quarter of 2021 to the third quarter of 2023. Based on our observations and analysis, the attackers gathered and exfiltrated sensitive documents and other types of files from compromised networks.
We found this activity as part of an investigation into compromised environments within a Southeast Asian government. We identified this cluster of activity as CL-STA-0044.
Our analysis of this cluster of activity revealed attempts to establish a robust and enduring foothold within compromised networks and steal sensitive information related to individuals of interest working for the government.
With moderate-high confidence, we conclude that this activity is linked to the Chinese cyberespionage group Stately Taurus. This group is also known by several aliases, including Mustang Panda, BRONZE PRESIDENT, TA416, RedDelta and Earth Preta. Over the years, Unit 42 has observed the group gathering information on targets in and around the Southeast Asia region.”
Data Breaches / Credential Stuffing
“Software bug-tracking company Rollbar disclosed a data breach after unknown attackers hacked its systems in early August and gained access to customer access tokens.
The security breach was discovered by Rollbar on September 6 when reviewing data warehouse logs showing that a service account was used to log into the cloud-based bug monitoring platform.
Once inside Rollbar's systems, the threat actors searched the company's data for cloud credentials and Bitcoin wallets.”
“The multinational aerospace corporation Airbus announced that it is investigating a data leak after cybersecurity firm Hudson Rock reported that a hacker posted information on thousands of the company’s vendors to the dark web.
A threat actor who goes by the moniker “USDoD” announced he had gained access to an Airbus web portal by compromising the account of a Turkish airline employee.
The hacker claimed to have details on thousands of Airbus vendors. The threat actors obtained the personal information of 3,200 individuals associated with Airbus vendors; exposed data includes names, job titles, addresses, email addresses, and phone numbers.”
“Johnson & Johnson Health Care Systems ("Janssen") has informed its CarePath customers that their sensitive information has been compromised in a third-party data breach involving IBM.
IBM is a technology service provider for Janssen; specifically, it manages the CarePath application and database supporting its functions.
CarePath is an application designed to help patients gain access to Janssen medications, offers discounts and cost-saving advice on eligible prescriptions, provides guidance on insurance coverage, and serves drug refill and administration alerts.”
“Freecycle, an online forum dedicated to exchanging used items rather than trashing them, confirmed a massive data breach that affected more than 7 million users.
The nonprofit organization says it discovered the breach on Wednesday, weeks after a threat actor put the stolen data for sale on a hacking forum on May 30, warning affected people to switch passwords immediately.
The stolen information includes usernames, User IDs, email addresses, and MD5-hashed passwords, with no other information exposed, according to Freecycle.
From screenshots shared by the threat actor who is selling the stolen information, the credentials of Freecycle founder and executive director Deron Beal were stolen in the incident, giving the threat actor full access to member information and forum posts.”
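Freecycle's notice says the exposed passwords were stored as MD5 hashes. The Python below is an added illustration written for this recap, not Freecycle's code or data, and the page does not say whether a salt was used. It runs the dictionary attack an attacker with an unsalted MD5 dump would run (one hash computation per candidate word covers every user at once), then shows the salted, memory-hard storage (scrypt from the standard library) that forces the same attacker to repeat the full cost for every account. The rows, hashes and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample rows of the "username, MD5 hash" shape seen in unsalted password dumps.
# They are made up for this example and are not records from any real breach.
LEAKED_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),   # md5("password")
    ("bob",   "e10adc3949ba59abbe56e057f20f883e"),   # md5("123456")
    ("carol", "5d41402abc4b2a76b9719d911017c592"),   # md5("hello")
    ("dave",  "ffffffffffffffffffffffffffffffff"),   # placeholder: a password the wordlist does not contain
]

# Tiny constructed wordlist; a real attacker uses hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hello", "welcome", "dragon"]


def crack_md5(rows, wordlist):
    """Dictionary attack on unsalted MD5.

    Without a salt, the hash of a candidate word is the same for every user, so the
    attacker hashes the wordlist once and looks every leaked hash up in that table.
    Returns {username: recovered_password} for every row that matched.
    """
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: table[digest] for user, digest in rows if digest in table}


# scrypt work factors: 2**14 iterations with r=8 uses 16 MiB per hash, which is what
# makes bulk cracking expensive. Tune upward as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Salted, memory-hard password hash in a self-describing "scrypt$N$salt$digest" string.

    Each call draws a fresh 16-byte salt, so two users with the same password store
    different values and a cracker cannot reuse work across accounts.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%s$%s" % (SCRYPT_N, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, n, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme: %s" % scheme)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    cracked = crack_md5(LEAKED_ROWS, WORDLIST)
    print("recovered from unsalted MD5:", cracked)          # three of four users, instantly

    stored = hash_password("password")
    print("stored form:", stored)
    print("verify correct password:", verify_password("password", stored))
    print("verify wrong password:  ", verify_password("passw0rd", stored))
    print("same password, new salt differs:", hash_password("password") != stored)
```

The `crack_md5` pass is the whole attack: for an unsalted dump, the per-candidate cost is one MD5 regardless of how many users leaked. With `hash_password`, the attacker must run scrypt once per candidate per account, and the memory requirement blunts GPU throughput.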
“The Microsoft-owned healthcare technology firm Nuance revealed that the Clop extortion gang has stolen personal data on major North Carolina hospitals as part of the Progress MOVEit Transfer campaign.
MOVEit Transfer is a managed file transfer solution that is used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.
The Clop ransomware gang (aka Lace Tempest) was credited by Microsoft for the campaign that exploited a zero-day vulnerability, tracked as CVE-2023-34362, in the MOVEit Transfer platform.
In June, the Clop ransomware group claimed to have hacked hundreds of companies globally by exploiting a MOVEit Transfer vulnerability.
Among the victims of the Clop group, there is also Microsoft’s Nuance health-care technology subsidiary.
Nuance launched an investigation into the incident with the help of cyber security experts and a law firm.
The company on Friday said that the Clop group may have stolen personal data at numerous North Carolina hospitals and other health care providers.”
“An infamous threat group connected to the North Korean state has been blamed for a major attack on cryptocurrency exchange CoinEx on Tuesday.
The Hong Kong-headquartered exchange warned users in a post on X (formerly Twitter) on September 12 that it had “detected anomalous withdrawals from several hot wallet addresses used to store CoinEx’s exchange assets.”
After investigating, the firm said the cause of the incident had been a hot wallet private key that got into the wrong hands. Funds were withdrawn in nine cryptocurrencies, working out to roughly $53m.
CoinEx said it had suspended deposits and withdrawals of all crypto assets and temporarily shuttered its hot wallet server, as well as transferred remaining assets from the compromised wallet to safe addresses.”
“When Fortress Trust disclosed a theft of customers’ cryptocurrency last week – later revealed to total close to $15 million – it pinned the blame on an unnamed third-party vendor.
CoinDesk has identified that vendor, which has acknowledged it fell victim to a phishing attack. But the story may be more complicated than just a single party’s blunder.
The vendor is Retool, a San Francisco-based company with Fortune 500 customers, which built the portal for a handful of Fortress clients to access their funds, people familiar with the matter said.
The theft, which helped spur Fortress to agree to sell itself to blockchain tech company Ripple, occurred as a result of a phishing attack, they said.”
“Attackers are targeting 3D modelers and graphic designers with malicious versions of a legitimate Windows installer tool in a cryptocurrency-mining campaign that's been ongoing since at least November 2021.
The campaign abuses Advanced Installer, a tool for creating software packages, to hide malware in legitimate installers for software used by creative professionals — such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, according to a report by Cisco Talos' Threat Researcher Chetan Raghuprasad published this week.
Attackers execute malicious scripts through a feature of the installer called Custom Action, dropping several payloads — including the M3_Mini_Rat client stub backdoor, Ethereum cryptomining malware PhoenixMiner, and multi-coin mining threat lolMiner.
Most of the campaign's software installers were written in French, which makes sense as most of the victims are in France and Switzerland, according to the post. However, the campaign also targeted victims in the US, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.”
“Crypto gambling site Stake suffered a security breach, and threat actors withdrew $41M in stolen funds, including Tether and Ether.
Researchers reported abnormally large withdrawals made from the crypto gambling site Stake to an account with no previous activity, a circumstance that suggests that threat actors have hacked the platform and stolen crypto assets, including Tether and Ether.
Stake.com offers traditional casino games (such as slots, blackjack and roulette) and sports betting. It offers video streams with live dealers. Users on Stake.com typically do not deal with traditional currencies, instead they deposit and withdraw cryptocurrencies to and from their betting account. Account balances can be withdrawn in the equivalent value of cryptocurrency and then deposited back into the user’s personal cryptocurrency wallet.”
“A novel cloud-native cryptojacking operation has set its eyes on uncommon Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to illicitly mine cryptocurrency.
The malicious cyber activity has been codenamed AMBERSQUID by cloud and container security firm Sysdig.
"The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances," Sysdig security researcher Alessandro Brucato said in a report shared with The Hacker News.
"Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service."”
“Malicious actors have stolen more than $1m in a ‘pig butchering’ cryptocurrency scam in just three months, researchers from Sophos have found.
The highly sophisticated operation used a total of 14 domains and dozens of nearly identical fraud sites, according to the investigation.
The attackers utilized fake trading pools of cryptocurrency from decentralized finance (DeFi) trading applications to defraud their victims, with one individual losing $22,000 in a single week.
These “liquidity pools,” which encompass various types of cryptocurrencies, enable users to make profits by trading from one cryptocurrency to another. Those who participate receive a percentage of any fee paid when a trade is made – with another account (typically the operators of the pool) given permission to access participants’ wallets to facilitate the trades.
Sophos found that pig butchers are increasingly setting up such pools to siphon funds from users – ultimately emptying victims’ entire liquidity pools for themselves.”
“In what's becoming an all-too-common occurrence in the current threat landscape, security researchers have found yet another malicious open source package, this time an active Python file on GitLab that hijacks system resources to mine cryptocurrency.
The package, called "culturestreak," originates from an active repository on the GitLab developer site from a user named Aldri Terakhir, Checkmarx revealed in a blog post Sept. 19.
If downloaded and deployed, the package runs in an infinite loop that exploits system resources for unauthorized mining of Dero cryptocurrency as part of a larger cryptomining operation, according to Checkmarx.
"Unauthorized mining operations like the one executed by the 'culturestreak' package pose severe risks as they exploit your system's resources, slow down your computer, and potentially expose you to further risks," Checkmarx security researcher Yehuda Gelb wrote in the post.”
“From passkeys to multifactor authentication (MFA), most businesses are embracing solutions that protect sensitive information to minimize their attack surface and enhance cybersecurity posture. While these approaches are a step in the right direction, security teams should recognize they may not be enough to fully secure user data.
As enterprises deploy new ways to protect their networks, cybercriminals are simultaneously evolving tactics to bypass these defenses. Bad actors are already using techniques like session hijacking and account takeover to bypass passkeys and MFA to gain entry into corporate systems. What's worse, these tactics are primarily enabled by malware-exfiltrated data, one of the most challenging security gaps to address.
Malware quickly and stealthily steals large amounts of accurate authentication data, including personally identifiable information (PII) such as login credentials, financial information, and authentication cookies — and some malware is already beginning to exfiltrate local key vaults like those maintained by password managers, many of which have started offering passkey solutions. Last year, threat actors conducted over 4 billion malware attempts, making it the most preferred cyberattack method. Moreover, according to SpyCloud's "2023 Annual Identity Exposure Report," over 22 million unique devices were infected by malware last year, with the stolen data making its way to criminal networks to use in attacks ranging from session hijacking to ransomware.
While malware-exfiltrated data — including business application logins and cookies for code repositories, customer databases, and financial systems — grows in importance to criminals, security teams still lack the necessary visibility to contend with those exposures. Those who understand how malware functions and how cybercriminals use malware-siphoned data to carry out follow-on attacks are better equipped to address the threat.”
“End-to-end encrypted communication is simply a feel-good thing for most people, but there are also high-risk users such as whistleblowers, journalists, or activists who seriously depend on confidential communication. We're seeing regular in-the-wild campaigns targeting mail servers, for example on Zimbra instances, as tracked by the US Cybersecurity and Infrastructure Security Agency (CISA).
Many messenger services have already switched to end-to-end encryption (E2EE) to protect messages in transit and at rest, but it is still rare among email services. While PGP and S/MIME do exist, they are usually cumbersome to set up and use, even for tech-savvy users. That's why many people turn to privacy-oriented webmail services like Proton Mail, Skiff, and Tutanota that make E2EE available out-of-the-box and easy to use.
This led us to audit the security of these services, specifically their web clients. While the cryptography seems solid, we wanted to know if it is possible to attack the clients directly. Since the encryption happens in the web client, a successful attacker would be able to steal emails in their decrypted form.
In this blog post, we first present the technical details of the vulnerabilities we found in Proton Mail. We show how an innocent-looking piece of code led to a Cross-Site Scripting issue that made it possible for attackers to steal decrypted emails and impersonate victims.”
“In January 2021, Threat Analysis Group (TAG) publicly disclosed a campaign from government backed actors in North Korea who used 0-day exploits to target security researchers working on vulnerability research and development. Over the past two and a half years, TAG has continued to track and disrupt campaigns from these actors, finding 0-days and protecting online users. Recently, TAG became aware of a new campaign likely from the same actors based on similarities with the previous campaign. TAG is aware of at least one actively exploited 0-day being used to target security researchers in the past several weeks. The vulnerability has been reported to the affected vendor and is in the process of being patched.
While our analysis of this campaign continues, we are providing an early notification of our initial findings to warn the security research community. We hope this post will remind security researchers that they could be targets of government backed attackers and to stay vigilant of security practices.”
“Hacker group GhostSec is disclosing the source code for software developed by the Iranian FANAP group, alleging it to be surveillance software used by the Iranian state on its own citizens.
The group claims to have cracked FANAP group's proprietary code, and has analyzed around 26GB of compressed data which it is releasing a file at a time, according to a series of Telegram posts. GhostSec has so far released various core components of the code, such as configuration files and API data.
The FANAP group is an Iranian provider of technology to financial services and the IT sector, but has apparently expanded its wares into a comprehensive surveillance system used by the Iranian government to monitor its citizens, according to GhostSec's findings — with features akin to the Pegasus spyware from the NSO group, or tools from Cellebrite.”
“The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday.
BaFin is Germany’s financial regulatory authority, part of the Federal Ministry of Finance, responsible for supervising 2,700 banks, 800 financial, and 700 insurance service providers.
The regulator is known for its law enforcement role in Germany and internationally. In recent years, it imposed $10M and $5M fines on Deutsche Bank and Bank of America, respectively, for various violations.
The German agency said today that it has taken all the appropriate security precautions and defensive measures to shield its operations from the hackers.”
“As part of a recent Coordinated Vulnerability Disclosure (CVD) report from Wiz.io, Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account. Security researchers at Wiz were then able to use this token to access information in the storage account. Data exposed in this storage account included backups of two former employees’ workstation profiles and internal Microsoft Teams messages of these two employees with their colleagues. No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue. We are sharing the learnings and best practices below to inform our customers and help them avoid similar incidents in the future.
SAS tokens provide a mechanism to restrict access and allow certain clients to connect to specified Azure Storage resources. In this case, a researcher at Microsoft inadvertently included this SAS token in a blob store URL while contributing to open-source AI learning models and provided the URL in a public GitHub repository. There was no security issue or vulnerability within Azure Storage or the SAS token feature. Like other secrets, SAS tokens should be created and managed properly. Additionally, we are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture.
After identifying the exposure, Wiz reported the issue to the Microsoft Security Response Center (MSRC) on June 22nd, 2023. Once notified, MSRC worked with the relevant research and engineering teams to revoke the SAS token and prevent all external access to the storage account, mitigating the issue on June 24th, 2023. Additional investigation then took place to understand any potential impact to our customers and/or business continuity. Our investigation concluded that there was no risk to customers as a result of this exposure.”
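Because a SAS token is nothing more than query parameters appended to a storage URL, the exposure described above is the kind of thing a pre-push secret scan can catch. The Python below is an added example written for this recap, not Microsoft's or Wiz's tooling: it pulls SAS URLs out of a block of text, decodes the `sp` (permissions), `se` (expiry) and `ss`/`srt` (account-scope) parameters, and flags tokens that grant more than read, are scoped to the whole storage account, or outlive an assumed seven-day policy. The storage account name, README text, expiry dates and signatures are constructed, and the seven-day threshold is a hypothetical house policy, not an Azure default.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# A URL is treated as carrying a SAS token when all of these query parameters are present:
# sv = signed version, sp = signed permissions, se = signed expiry, sig = HMAC signature.
SAS_REQUIRED = {"sv", "sp", "se", "sig"}

# Hypothetical house policy for an ad-hoc SAS handed out in a URL (not an Azure default).
MAX_LIFETIME = timedelta(days=7)

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def parse_sas(url, now):
    """Return None if the URL carries no SAS token, else a dict describing it and any findings."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not SAS_REQUIRED <= set(query):
        return None

    findings = []

    # Anything beyond "r" (write, delete, list, add, create, ...) is more than a download link needs.
    extra = set(query["sp"]) - {"r"}
    if extra:
        findings.append("permissions beyond read: " + "".join(sorted(extra)))

    # ss (signed services) and srt (signed resource types) only appear on an account SAS,
    # whose scope is every container and blob in the account rather than one object.
    if "ss" in query or "srt" in query:
        findings.append("account-level SAS (ss/srt present), not scoped to one container or blob")

    # Expiry is RFC 3339 with a trailing Z; fromisoformat needs the explicit offset on older Pythons.
    expiry = datetime.fromisoformat(query["se"].replace("Z", "+00:00"))
    if expiry - now > MAX_LIFETIME:
        findings.append("expiry %s is more than %d days out" % (query["se"], MAX_LIFETIME.days))

    return {
        "account": parts.netloc.split(".")[0],
        "path": parts.path,
        "sig": query["sig"][:4] + "...",   # never echo the full signature into a report
        "findings": findings,
    }


def scan_text(text, now=None):
    """Find every SAS URL in a blob of text (README, diff, chat export) and report on each."""
    now = now or datetime.now(timezone.utc)
    results = []
    for url in URL_RE.findall(text):
        info = parse_sas(url, now)
        if info is not None:
            results.append(info)
    return results


# Constructed sample: a README fragment of the kind that might be committed to a public repo.
SAMPLE_README = """
Download the training data from:
https://examplestore.blob.core.windows.net/datasets/train.zip?sv=2021-06-08&ss=b&srt=sco&sp=rwdlac&se=2040-01-01T00:00:00Z&sig=c2FtcGxlc2lnbmF0dXJl
Read-only mirror (expires tomorrow):
https://examplestore.blob.core.windows.net/datasets/train.zip?sv=2021-06-08&sr=b&sp=r&se=2023-06-23T00:00:00Z&sig=YW5vdGhlcnNpZw%3D%3D
Docs: https://learn.microsoft.com/azure/storage/common/storage-sas-overview
"""

# Fixed "today" so the sample scan is reproducible (constructed, matches the sample expiries).
FIXED_NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)


def demo():
    """Scan the constructed README as of FIXED_NOW."""
    return scan_text(SAMPLE_README, now=FIXED_NOW)


if __name__ == "__main__":
    for hit in demo():
        status = "RISKY" if hit["findings"] else "ok"
        print(status, hit["account"], hit["path"], hit["sig"], hit["findings"])
```

Run as a pre-commit hook over staged files, the same three checks translate directly into the mitigations Microsoft lists: scope a SAS to a single blob or container (service SAS, not account SAS), grant only the permission the consumer needs, and keep the expiry short. Treat any hit as a secret to revoke, not just a line to delete, since the token keeps working in git history and forks.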
“The International Criminal Court (ICC) disclosed a cyberattack on Tuesday after discovering last week that its systems had been breached.
"At the end of last week, the International Criminal Court's services detected anomalous activity affecting its information systems," the ICC said.
"Immediate measures were adopted to respond to this cybersecurity incident and to mitigate its impact."
It said it is currently investigating the incident with the assistance of Dutch authorities, as the Netherlands serves as ICC's host country.”