Cybersecurity News and Events in the Month of December 2023
by Alex Applegate on Jan 9, 2024 4:04:15 PM
Industry State of the Art
It’s the end of another year, and it seems as if things all the way back in January happened ages ago. In the cybersecurity world, wars and regional geopolitics continue to stretch already-taxed resources. It’s hard to imagine, however, any topic dominating the cyber news cycles the way that they have been dominated by the growth of artificial intelligence, and Generative AI in particular. Almost as shocking is the idea that policy makers are moving with great speed to ensure the governing laws and regulations are in place to provide effective oversight, or at the very least remain flexible enough to keep them from falling too far behind.
Standards & Advisories
“The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.
The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.
Industry has previously published details of Star Blizzard. This advisory draws on that body of information.
This advisory raises awareness of the spear-phishing techniques Star Blizzard uses to target individuals and organizations. This activity is continuing through 2023.”
“For the past several years, Europol has been observing a growing crime phenomenon: the use of Bluetooth trackers in organised crime.
Bluetooth trackers are small devices designed to help people find personal objects, such as keys and bags, as well as vehicles at risk of theft. They can be attached to an item one does not want to lose, and wirelessly connected to the owner’s mobile phone or tablet.
Criminals have always been quick to adopt new and emerging technologies, misusing them to further their criminal goals. It is no different with Bluetooth trackers: Europol is now seeing criminals increasingly using these devices to geolocate illicit commodities.
The vast majority of cases reported to Europol relate to cocaine smuggling. These trackers have been discovered most frequently alongside cocaine in container shipment of food products, but have also been found hidden in sea chests within sea vessels.
Based on the technological capabilities of Bluetooth trackers, and the information shared with Europol, it is confirmed that drug traffickers use them to track the transit of illicit cargo. Through the trackers, cargo can be traced after arrival in ports, and onward by road towards storage locations in European markets. They are likely also used to locate illicit shipments upon arrival in ports.
To warn about the misuse of this technology, Europol has issued a restricted early warning notification to all EU Member States, as well as a public version.”
“LYON, France – The first INTERPOL operation specifically targeting the phenomenon of human trafficking-fuelled fraud has revealed further evidence that the crime trend is expanding beyond Southeast Asia.
Following five months of investigative coordination, law enforcement from participating countries carried out more than 270,000 inspections and police checks at 450 human trafficking and migrant smuggling hotspots from 16-20 October.
Many of the hotspots are regularly used to traffic victims to notorious cyber scam centres in Southeast Asia. Victims are often lured through fake job ads and forced to commit online fraud on an industrial scale, while enduring abject physical abuse. Fraud schemes include fake cryptocurrency investments, as well as work-from-home, lottery and online gambling scams.
In total, the operation resulted in:
- The arrest of 281 individuals for offences such as human trafficking, passport forgery, corruption, telecommunications fraud, and sexual exploitation;
- The rescue of 149 human trafficking victims;
- More than 360 investigations opened, many of which remain ongoing.”
“The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.
Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations. Although the SVR used such access to compromise SolarWinds and its customers in 2020, limited number and seemingly opportunistic types of victims currently identified, indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
To bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, provide compromised entities with actionable indicators of compromise (IOCs), and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions. The authoring agencies recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to the FBI and CISA.”
“Our nation’s critical infrastructure depends on embedded devices across industries such as oil and natural gas, electric, water management, automotive, medical, satellite, autonomous systems, and unmanned aircraft systems. However, these devices often lack proper security controls and are insufficiently tested for vulnerabilities. Sophisticated cyber adversaries increasingly attempt to exploit these devices, as evidenced by a growing number of CISA ICS advisories identifying significant threats to many life- and safety-critical devices. The EMB3D™ Threat Model, a collaborative effort by MITRE, Niyo Little Thunder Pearson (ONEGas, Inc.), Red Balloon Security, and Narf Industries, provides a common understanding of the threats posed to embedded devices and the security mechanisms required to mitigate them.
EMB3D aligns with and expands on several existing models, including Common Weakness Enumeration, MITRE ATT&CK®, and Common Vulnerabilities and Exposures, but with a specific embedded device focus. EMB3D provides a cultivated knowledge base of cyber threats to devices, including those observed in the field environment or demonstrated through proofs-of-concept and/or theoretic research. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices. For each threat, suggested mitigations are exclusively focused on technical mechanisms that device vendors should implement to protect against the given threat, with the goal of building security into the device. EMB3D is intended to offer a comprehensive framework for the entire security ecosystem—device vendors, manufacturers, asset owners, security researchers, and testing organizations.”
“Today, CISA released a Cybersecurity Advisory, Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment, that details findings from our risk and vulnerability assessments of a Health and Public Health (HPH) Sector organization.
CISA encourages all critical infrastructure organizations as well as software manufacturers to review the advisory and apply recommendations. The recommendations detail how organizations can harden networks to improve cyber resilience and reduce the likelihood of domain compromise.
CISA encourages HPH Sector organizations to visit our Healthcare and Public Health Cybersecurity page for the new HPH Cybersecurity Toolkit.”
“Today, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Play Ransomware, to disseminate Play ransomware group’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as October 2023.
Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia.
FBI, CISA, and the ASD’s ACSC encourage organizations review and implement the recommendations provided in the joint CSA to reduce the likelihood and impact of Play and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage, which includes the updated #StopRansomware Guide.”
“In May 2021, the White House issued a cybersecurity executive order, mandating the use of SBOMs for transparency and cyber risk mitigation, as they would provide a complete picture of software components, including open source software, and their relationships.
The NSA guidance (PDF) follows previous recommendations that the US government has provided on SBOMs and is meant to help organizations improve SBOM management by following three steps: cyber risk analysis, vulnerability analysis, and incident response.
The agency recommends that software suppliers mature their SBOM exchange practices, that both private and government organizations expand their SBOM research to help standardize solutions, and that software developers take ownership of customer security outcomes.”
Legislation & Regulatory
“The Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the North Korean-backed Kimsuky hacking group for stealing intelligence in support of the country's strategic goals.
OFAC has also sanctioned eight North Korean agents for facilitating sanctions evasion and supporting their country's weapons of mass destruction (WMD) programs.
Today's measures come as a direct response to the Democratic People's Republic of Korea's (DPRK) alleged launch of a military reconnaissance satellite on November 21 to impede DPRK's capacity to generate income, acquire resources, and gather intelligence supporting the advancement of its WMD program.”
“The US Cybersecurity and Infrastructure Security Agency (CISA) has signed a working arrangement with its EU counterparts to increase cross-border information sharing and more to tackle criminals.
The European Union Agency for Cybersecurity (ENISA) said today the arrangement cements the existing tie-up and opens doors for possible new types of cooperations.
Namely, the two will work on sharing best practices for incident reporting and threat intelligence on "basic cyber threats."”
“The EU reached a provisional deal on the AI Act on December 8, 2023, following record-breaking 36-hour-long ‘trilogue’ negotiations between the EU Council, the EU Commission and the European Parliament.
The landmark bill will regulate the use of AI systems, including generative AI models like ChatGPT and AI systems used by governments and in law enforcement operations, including for biometric surveillance.”
“In this Help Net Security interview, Mike Regan, VP of Business Performance at TIA, discusses SCS 9001 Release 2.0, a certifiable standard crafted to assist organizations in operationalizing the NIST and other government guidelines and frameworks.
Enhancing its predecessor, the SCS 9001 2.0 standard presents a more comprehensive global cybersecurity and supply chain security framework adaptable to various communication networks across industries and sectors. Its design ensures compliance with the ICT market, heightened government legislation, and expanding industry initiatives.”
It’s the end of the year, and as is tradition, annual landscape reports, semiannual summaries, and quarterly landscape analyses are everywhere. And while there seems to be a notable decline in new funding for startups (as would be expected), the state of venture capital in cybersecurity seems healthy as there have been a significant number of mergers and acquisitions at the end of the year, and no significant layoffs. Threat activity has largely followed expected patterns, showing a significant uptick in phishing and scams, as well as other financially-motivated cyber crimes such as ransomware. Hacktivism is also moving in line with the strong geopolitical emotions involved in regional politics and conflict.
Mergers, Acquisitions, Funding, Partnerships
“ArmorCode, a cybersecurity platform that gathers vulnerability data from connected apps and software infrastructure, consolidating the data into a single location and standardizing it for analysis, has raised $40 million in a Series B round led by HighlandX with participation from NGP Capital, Ballistic Ventures, Sierra Ventures and Cervin.
Bringing ArmorCode’s total raised to $65 million, the proceeds will be put toward bolstering the startup’s go-to-market efforts and expanding its product and engineering teams, co-founder and CEO Nikhil Gupta told TechCrunch in an email interview. They’ll also be used to support the addition of new AI and software supply chain capabilities and grow ArmorCode’s partnerships in new geographies, specifically Europe, Gupta continued.”
“Thanks to advances in AI, small and medium businesses have become a significant target in the world of cybercrime, accounting for roughly half of all breaches worldwide by some estimates. Now, one of the companies building security tools for SMBs has raised a round of funding to expand its business, underscoring the demand in the market for better defenses.
Guardz, an Israeli startup that has built an all-in-one security and cyber insurance service for small and medium businesses, has raised another $18 million in a Series A round of funding.
The company emerged from stealth less than a year ago (at the end of January 2023), and since then it has had a bit of a pivot. It’s no longer selling directly to SMBs but is working with managed service providers that in turn sell and manage IT services for SMBs. MSPs, it found, were the primary route to getting their product to get used by SMBs (meaning direct business was not taking off). Now those MSPs are able to build their own offerings “powered” by Guardz.”
“NEW YORK, Nov. 29, 2023 /PRNewswire/ -- BlueVoyant, a cybersecurity company that illuminates, validates, and mitigates internal and external risks, today announced the acquisition of Conquest Cyber, a cyber defense company renowned for its innovative SaaS technology that streamlines risk management across an organization's entire cyber program. Conquest Cyber has proven successful within high-security environments, including the U.S. Defense Industrial Base (DIB) and Government organizations.
BlueVoyant raised more than $140 million in Series E funding to accompany the acquisition of Conquest Cyber. The additional funding was led by existing investors, Liberty Strategic Capital, a private equity firm, and ISTARI, a cybersecurity investor and advisor founded by Temasek. Eden Global Capital Partners, an affiliate of Eden Global Partners, served as a strategic advisor.”
“Cybersecurity unicorn Wiz is making its first acquisition since its establishment about four years ago, acquiring Israeli startup Raftt, which has developed a cloud-based platform for creating and sharing development environments. While the value of the deal was not disclosed, it is estimated to be in the tens of millions of dollars. Established in 2020, Raftt raised $5 million led by Aleph VC and Cardumen Capital. A number of private investors from the industry participated in the round, including serial entrepreneurs Ariel Maislos and Benny Schneider, devtools angel investors, Adi Sharabani, founder of Skycure and currently at Snyk, and Ariel Asraf, CEO of Coralogix.”
“Ekco, an IT and cybersecurity firm, has significantly expanded its UK operations with the acquisition of Bluecube. While financial terms of the deal were not disclosed, this move increases the company’s revenue to over €150M (approximately US$162M) and marks Ekco's largest acquisition to date.
This is technology M&A deal number 324 that ChannelE2E and MSSP Alert have covered so far in 2023. See more than 2,000 technology M&A deals for 2023, 2022, 2021, and 2020 listed here.
Ekco, founded in 2015, is based in Dublin, Ireland. The company has 297 employees listed on LinkedIn. Ekco’s areas of expertise include Managed Security Services, Cybersecurity, Managed Infrastructure, Managed Cloud, Consulting, Managed Backup, Disaster Recovery as a Service, SOCaaS, Managed XDR, Networking, Endpoint Detection and Response, and Managed SIEM.
Bluecube, founded in 2003, is based in Milton Keynes, United Kingdom. The company has 159 employees listed on LinkedIn. Bluecube’s areas of expertise include IT Support, Outsourced Solutions, Software Development, Managed Services, Business Continuity / Disaster Recovery, IT Consultancy, IT Solutions, Managed Backup, Azure, Cloud, Office 365, AWS, Google, Cyber Security, Incident Response, and Cloud solutions.”
“ROME — GreyCastle Security, a subsidiary of Assured Information Security of Rome, has been acquired by DeepSeas, a market leader in managed detection and response.
“As the majority owner of GreyCastle Security, we’re excited to have facilitated this strategic acquisition with DeepSeas,” said Charles Green, CEO of AIS.
“This move not only underscores our commitment to enhancing the capabilities of our portfolio of companies, but also positions GreyCastle Security’s people and offerings for continued growth and success in the dynamic cybersecurity market.”
GreyCastle Security is a leading provider of comprehensive cybersecurity services, officials said. DeepSeas will leverage the value of GreyCastle Security’s expertise and client-centric approach to bolster its professional services. The strategic acquisition will further enhance services in the DeepSeas framework, particularly in the areas of audit readiness, CISO advisory services and incident response preparedness. GreyCastle Security’s key offerings and personnel are transitioning to DeepSeas.”
“A Denver private-equity-backed firm has purchased a Baltimore edtech company that teaches universities and private businesses cybersecurity and software techniques through online exercises.
Federal Hill-based Infosec Learning was acquired by cybersecurity training firm ACI Learning on Dec. 6 in an effort by the larger firm to consolidate the cyber education market. Financial terms of the deal were not disclosed, but ACI is backed by Philadelphia private equity firm Boathouse Capital.”
“SAN JOSE, Calif. & PITTSBURGH--(BUSINESS WIRE)--Lynx Software Technologies (Lynx), a leader in the development of foundational, open architecture software solutions for the Mission Critical Edge, today announced the acquisition of Timesys Corporation (Timesys), a provider of development tools, cybersecurity solutions, and differentiated software engineering services for open-source embedded and edge software applications.
For over 20 years, Timesys has been an industry leader, helping customers build, secure, test, and maintain Linux-based and other open-source edge and embedded software solutions. Over 200 clients across aerospace, defense, industrial, medical, and enterprise end-markets rely on Timesys’ Linux expertise and developer productivity and security solutions to ensure on-time and on-budget delivery of reliable, secure, open-source software products. Central to this has been Timesys’ value-added developer productivity and cybersecurity solutions, including software composition analysis (“SCA”) tools that enable the production and management of software bill of materials (“SBOM”) and managed service offerings tied to Linux distribution and open-source software lifecycle management.”
“BOULOGNE-BILLANCOURT, France--(BUSINESS WIRE)--Regulatory News:
Exclusive Networks (Euronext Paris: EXN:FP), a global leader in cybersecurity, has acquired 100% of Consigas, a global cybersecurity services provider specialised in training and consulting.
This acquisition marks an additional milestone in Exclusive Networks’ strategy to enrich its global services capabilities and enhance its global leadership in value added services to vendors, partners and customers. Exclusive Networks’ value-creating service offerings leverage its technical know-how and knowledge to provide vendors and partners with design, implementation, training, support and management services for innovative cyber technology.
Following the acquisition, Lars Meyer, CEO of Consigas, will lead Exclusive Networks’ Palo Alto education services business, leveraging the existing country resources of Exclusive Networks combined with the experience of the Consigas team to become the global leader.
The aim of this acquisition is to expand Exclusive Networks’ global services capabilities, scaling Consigas’ services skills and digital tools in all territories through Exclusive Networks’ extensive partner network. Exclusive Networks is already a significant provider of training services, having delivered training to more than 6,000 professionals in the first half of 2023.
Based in Europe, Consigas was founded in 2013 and is currently a Certified Professional Service Provider (CPSP) and Global Authorized Training Partner (ATP) for Palo Alto Networks. Consigas generated Gross sales of €3.1m in 2022 and the acquisition is expected to be earnings accretive for Exclusive Networks.”
“Okta, the identity and access management company, is acquiring security firm Spera.
Anticipated to close during the fiscal first quarter beginning in early February, the Spera acquisition will build on Okta’s existing identity threat detection and response (ITDR) capabilities, Okta says, while equipping customers with tech to “elevate their identity security, posture management and identify, detect and remediate risks.”
The terms of the deal weren’t disclosed, but Calcalist reports that Okta’s paying approximately $100 million to $130 million for Spera, contingent on milestones.”
“Financial terms of the planned acquisition were not released.
Isovalent, based in Cupertino, Calif., raised about $70 million in venture capital funding from a big-name roster of investors that included M12 (Microsoft’s Venture Fund), Google, Andreessen Horowitz and Mango Capital.
The transaction adds to an ongoing shopping spree at Cisco that added identity threat detection technology firm Oort, AI-powered email security firm Armorblox, cloud security posture management startup Lightspin, and cloud network security play Valtix.”
“Israeli cybersecurity firm Mend.io has acquired Atom Security, an Israeli company specializing in cyber risk assessment. Atom Security was founded earlier this year and the acquisition is valued at several million dollars. This marks Mend's fifth acquisition in the last three years, totaling tens of millions of dollars.”
DNSFilter Media Activity
“When researchers talk about DNS security, they often refer to anything that protects DNS infrastructure. Although protective DNS and DNS security fall under the cybersecurity umbrella, protective DNS takes a different approach to cybersecurity than standard DNS security. Both security strategies are important for the stability of your business, but protective DNS reduces risks from your weakest link–human error. Protective DNS is critical for your endpoint security, and it adds data protection, anti-phishing, and anti-malware protection for users.”
“The holiday shopping season has begun and is in full swing. And that means that the holiday scam and cyber attack season has begun as well. Here at DNSFilter, we’re trying to get the word out about some of the threats lurking about in cyberspace on as many different fronts as we can.
In that spirit, let’s discuss some of the most common threats that are common during the holiday season, how some of them work, and what you can do to help better protect yourself.”
“Malicious Domain Protection began at DNSFilter as a research project to assess whether some malicious domains can be detected by inspecting solely the domain string. This effort follows in a vein of academic research; a thorough review can be found in Harald Vranken and Hassan Alizadeh’s “Detection of DGA-generated domain names with TF-IDF”. Electronics, vol. 11, no. 3, 414, 2022. The basic premise is that some malware communicates with adversaries using domains created procedurally by domain-generation algorithms (DGA) to evade detection by security tools looking for domains known to be malicious. Typically, DGA domains are characterized by their completely random appearance, as if the user typed the domain accidentally while trying to clean up coffee spilled on a keyboard. (More sophisticated domain-generation algorithms used words, or parts of words, in a bid for inconspicuousness.)
The goal of Malicious Domain Protection is to inspect these domain strings and accurately assess their risk. While DGAs are a huge portion of what we’re able to assess with this new feature, it can go beyond DGA and may catch domains that fall into other threat vectors.
This project is now available for all customers to implement under the “extra settings” tab when creating a policy.”
“Clearly, no domain-based scam or malicious activity can happen on a domain until it has been registered. Thousands of new domains are registered every day. In terms of DNS risk mitigation, monitoring new domains is a critical tool to have in the arsenal. It is an early indicator of some of the most significant threats, it carries low cost and low risk, and it can provide improved clarity in the evaluation of other indicators.”
“AI, LLM, generative content, NLP, big data, neural processing, machine learning, GPT. In 2023 it's undeniable that these were some of the most heard terms from various businesses, news outlets and the social media sphere. Ultimately this alphabet soup can mean just as much as it sometimes doesn’t—and, as often is the case, the internet leans into the trend.
Sites popped up everywhere—some reputable while others less so—promising cyberpunk profile pictures, curated dating advice, a quick summary to that book you swore up and down you’d read for book club, business propositions, tweets, essays, marketing releases, code. The list of capabilities is dizzying when you get right down to it. An abundance of tools ready for you at the drop of a hat. But at what cost?”
Other Notable Industry Headlines
General Industry News
“Doppelganger – that’s the name of a vast disinformation campaign orchestrated by Russia to undermine Ukraine by spreading false narratives. But it has now moved onto a new target: the Israel-Hamas war.
From the font to the layout, everything looks exactly like the website of the French daily Le Parisien.
But what's surprising is the article that claims French President Emmanuel Macron has "the blood of Palestinians on his hands."
In reality, it’s a fake article, published on an almost identical platform with just a slightly different URL to the real Le Parisien website.
Indeed, the original Le Parisien URL ends with .fr while this one ends with .pm.
It’s not the first time this has happened. In June, the French authorities said they uncovered a massive Russia-linked disinformation campaign that targeted multiple newspapers and even the country’s Ministry of Foreign Affairs.
Websites such as the ones from 20 Minutes and Le Monde were ‘cloned’ and used to publish fake articles focused on the war in Ukraine.
They were mainly critical of Western support for Kyiv. But today, the campaign has expanded to the conflict between Israel and Hamas.
Misleading articles have been spotted in French, but also in German, like a spoofed Spiegel website.
But there is a common theme: the suggestion that the financial support coming from Western powers has been diverted from Ukraine to Israel. And that Ukraine will soon lose all military and financial support from the West.”
“A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps.
The vulnerability, dubbed “AutoSpill,” can expose users’ saved credentials from mobile password managers by circumventing Android’s secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week.
The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, password managers can get “disoriented” about where they should target the user’s login information and instead expose their credentials to the underlying app’s native fields, they said. This is because WebView, the preinstalled engine from Google, lets developers display web content in-app without launching a web browser, and an autofill request is generated.”
“A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices.
Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim.
"Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes," said security researcher Marc Newlin, who disclosed the flaws to the software vendors in August 2023.
Specifically, the attack deceives the target device into thinking that it's connected to a Bluetooth keyboard by taking advantage of an "unauthenticated pairing mechanism" that's defined in the Bluetooth specification.
Successful exploitation of the flaw could permit an adversary in close physical proximity to connect to a vulnerable device and transmit keystrokes to install apps and run arbitrary commands.”
“Meta has announced that the immediate availability of end-to-end encryption for all chats and calls made through the Messenger app, as well as the Facebook social media platform.
End-to-end encryption (E2EE) protects clear data by ensuring that it is readable only to the parties involved in the exchange. Anyone else accessing it would get scrambled information.”
“This post is the first in a two-part series on DNS rebinding in web browsers. Here, I’ll talk about a DNS rebinding exploit against our own platform which allowed me to extract low-privileged AWS credentials. In the next post, I share new techniques to reliably achieve split-second DNS rebinding in Chrome, Edge, and Safari, as well as to bypass Chrome's restrictions on requests to private networks.
While the impact of this vulnerability ended up being low due to defence-in-depth measures we employ, the technique to get there is interesting in itself as it is simple enough to demonstrate that DNS rebinding exploits can be realistic, even in time-boxed scenarios such as pentests.”
“A new collection of eight process injection techniques, collectively dubbed PoolParty, could be exploited to achieve code execution in Windows systems while evading endpoint detection and response (EDR) systems.
SafeBreach researcher Alon Leviev said the methods are "capable of working across all processes without any limitations, making them more flexible than existing process injection techniques."
The findings were first presented at the Black Hat Europe 2023 conference last week.”
“Malicious actors often acquire a large number of domain names (called stockpiled domains) at the same time or set up their infrastructure in an automated fashion. They do so, for example, by creating DNS settings and certificates for these domains using scripts.
Automation employed by attackers can leave traces of information about their campaigns in various data sources. Security defenders can find these traces in locations such as certificate transparency logs (e.g., certificate field reputation or timing information) and passive DNS (pDNS) data (e.g., infrastructure reuse or characteristics).
Leveraging these crumbs of information, we built a detector to identify stockpiled domains. The two main advantages of detecting stockpiled domains are expanding coverage of malicious domains and providing patient-zero detections as attackers stock up on domains for future use.
To detect stockpiled domains, we engineered over 300 features to process many terabytes of data and billions of pDNS and certificate records. We used a knowledge base of millions of malicious and benign domains to calculate certificate and pDNS reputation and to train and test a Random Forest machine learning algorithm.”
“Bad bots are plaguing the internet, making up over 30% of internet traffic today. Cybercriminals can use them to target online businesses with fraud and other types of attacks, according to the latest research from online fraud and mitigation company DataDome.
According to a report from DataDome, a company specializing in bot and online fraud protection, released on November 28, 68% of US websites lack adequate protection against simple bot attacks, highlighting how vulnerable US businesses could be to automated cyberattacks.
The researchers assessed more than 9,500 of the largest transactional websites in terms of traffic, including banking, e-commerce, and ticketing businesses. They found that the US websites face significant risks ahead of the busy holiday shopping season. The findings also highlighted that traditional CAPTCHAs aren’t effective in preventing automated attacks.
As per DataDome’s report shared with Hackread.com ahead of publication on Tuesday, 72.3% of e-commerce websites and 65.2% of classified ad websites failed the bot tests, whereas 85% of DataDome’s fake Chrome bots remained undetected.”
“A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks.
The flaws discovered by Forescout Vedere Labs affect Sierra Wireless AirLink cellular routers and open-source components like TinyXML and OpenNDS (open Network Demarcation Service).
AirLink routers are highly regarded in the field of industrial and mission-critical applications due to high-performance 3G/4G/5G and WiFi and multi-network connectivity.”
“Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks.
The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis.
AWS STS is a web service that enables users to request temporary, limited-privilege credentials for users to access AWS resources without needing to create an AWS identity. These STS tokens can be valid anywhere from 15 minutes to 36 hours.
Threat actors can steal long-term IAM tokens through a variety of methods like malware infections, publicly exposed credentials, and phishing emails, subsequently using them to determine roles and privileges associated with those tokens via API calls.”
“The ability to spoof DNS records is very appealing to attackers, as it can lead to devastating consequences, including sensitive data exposure, credential compromise, and even remote code execution.
In this blog post, we examine an attack surface in DNS that has been rarely researched, and is exposed by a seemingly harmless DHCP feature. By using it, we found several different ways that attackers could spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite.
Alongside the attack flows, we also describe in detail the inner workings of a Microsoft DHCP server, its interaction with DNS and Active Directory, and how to properly secure these interfaces. Although many scattered (and inaccurate!) resources on DHCP exist online, we believe this blog post to be an accurate, comprehensive resource on the subject where all the critical information for defenders is presented in one place.”
“The Black Lotus Labs team at Lumen Technologies is tracking a small office/home office (SOHO) router botnet that forms a covert data transfer network for advanced threat actors. We are calling this the KV-botnet, based upon artifacts in the malware left by the authors. The botnet is comprised of two complementary activity clusters, our analysis reveals that this nexus has been active since at least February 2022. The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years.
The KV-botnet features two distinct logical clusters, a complex infection process and a well-concealed command-and-control (C2) framework. The operators of this botnet meticulously implement tradecraft and obfuscation techniques. From July 2022 through February 2023, we observed overlap between NETGEAR ProSAFE firewalls acting as relay nodes for networks compromised by a threat group known as Volt Typhoon. Also known as “Bronze Silhouette,” this group is a “state-sponsored actor based in China that typically focuses on espionage and information gathering.” Microsoft assesses the “Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
In addition to the overlap between Volt Typhoon and KV-botnet, we observed similar techniques used against an internet service provider, two telecommunications firms, and a U.S. territorial government entity based in Guam. This activity took place from August 2022 through May 2023. Using proprietary telemetry from the Lumen global IP backbone, we assess that Volt Typhoon is at least one user of the KV-botnet and that this botnet encompasses a subset of their operational infrastructure. One significant correlation to support this assessment is an observed decline in operations in June and early July 2023, which coincides with the public disclosure by several U.S. Government agencies on May 24, 2023.”
“Can getting ChatGPT to repeat the same word over and over again cause it to regurgitate large amounts of its training data, including personally identifiable information and other data scraped from the Web?
The answer is an emphatic yes, according to a team of researchers at Google DeepMind, Cornell University, and four other universities who tested the hugely popular generative AI chatbot's susceptibility to leaking data when prompted in a specific way.”
“Microsoft Copilot Studio allows users to quickly build enterprise Copilots on top of their business data. Every enterprise user can now plug enterprise data into GPT models now and share their bots with the world.
What could go wrong?”
“Researchers recently were able to get full read and write access to Meta's Bloom, Meta-Llama, and Pythia large language model (LLM) repositories, in a troubling demonstration of the supply chain risks to organizations using these repositories to integrate LLM capabilities into their applications and operations.
The access would have allowed an adversary to silently poison training data in these widely used LLMs, steal models and data sets, and potentially execute other malicious activities that would heighten security risks for millions of downstream users.”
“Prompt injection is, thus far, an unresolved challenge that poses a significant threat to Language Model (LLM) integrity. This risk is particularly alarming when LLMs are turned into agents that interact directly with the external world, utilizing tools to fetch data or execute actions. Malicious actors can leverage prompt injection techniques to generate unintended and potentially harmful outcomes by distorting the reality in which the LLM operates.
This is why safeguarding the integrity of these systems and the agents they power demands meticulous attention to confidentiality levels, sensitivity, and access controls associated with the tools and data accessed by LLMs.”
“OpenAI on Monday released a framework it says will help assess and protect against the "catastrophic risks" posed by the "increasingly powerful" artificial intelligence models it develops.
The ChatGPT maker's preparedness team looks to monitor the technology's use and share warnings if it sees danger signs with its AI models' capabilities, such as allowing bad actors to use them to build chemical and biological weapons, spread malware, or carry out social engineering attacks. The company said in a 27-page preparedness framework that it will also monitor for emerging risks beyond the current dangers and "hypothetical scenarios to concrete measurements and data-driven predictions."
“Barracuda security researchers are warning of a recent surge in phishing attacks leveraging Adobe InDesign, a known and trusted document publishing system. Some of the attacks are targeted.
According to Barracuda telemetry, there has been a near 30-fold increase since October in emails carrying Adobe InDesign links. The daily count has jumped from around 75 per day to around 2,000 per day. Almost one in 10 (9%) of these emails carry active phishing links. A further 20% or so include removed content.
Many of the phishing links seen by Barracuda researchers have the top-level domain of “.ru” and are hosted behind a content delivery network (CDN) that acts as a proxy for the source site. This helps to obscure the source of the content and makes it harder for security technologies to detect and block the attacks.”
“In one of our previous blog posts, we have explored the perilous realm of QR code phishing (quishing) attacks, shedding light on their prevalence and the potential risks they pose to unsuspecting individuals.
As we diligently monitor security threats, a disconcerting trend has come to our attention: quishing tactics are evolving, becoming increasingly sophisticated and more challenging to detect.
Attackers are no longer limited to employing standard QR codes embedded in email bodies. Now, attackers are utilizing a diverse set of techniques to disguise malicious QR codes and circumvent security measures. These techniques include:
- Color Manipulation:
Attackers are now manipulating the color of QR codes, seamlessly blending them with surrounding text or backgrounds to increase their stealth.
- Combining Multiple Tactics:
Attackers are using QR code phishing combined with other tactics, such as mimicking CAPTCHAs, MFA, and using two-stage phishing techniques.
- Embedding in Multiple Formats:
QR codes are no longer confined to images; they are embedded within various formats, such as PDF documents, videos, and other file types, making detection more challenging.
In this blog we investigate some of these emerging evasion techniques used in quishing attacks. Read on to learn more.”
“A new USPS Delivery Phishing Scam has surfaced, in which scammers are exploiting Freemium Dynamic DNS and SaaS Providers to steal victims’ login credentials and other data.
Cybersecurity researchers at Bloster AI have uncovered a new USPS Delivery Phishing campaign that employs sophisticated techniques to target victims in the United States.
It comes as no surprise that cybercriminals are employing sophisticated techniques to exploit reputable services for scams, making it challenging for innocent consumers to enjoy the holiday shopping season. This pattern is evident in the ongoing scam attack against Booking.com customers.
According to Bloster AI, an automated digital risk protection service, Walmart is a prime target this season due to the higher volume of shipping needs during November and December in the USPS phishing attack. Bolster’s CheckPhish has already discovered over 3,000 phishing domains mimicking Walmart.”
“FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file. The PDF downloads a .NET executable file created with PowerGUI and then runs a PowerShell script to fetch the final malware, known as MrAnon Stealer. This malware is a Python-based information stealer compressed with cx-Freeze to evade detection. MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions. Figure 1 illustrates the attack flow.”
“A new wave of BazarCall attacks uses Google Forms to generate and send payment receipts to victims, attempting to make the phishing attempt appear more legitimate.
BazarCall, first documented in 2021, is a phishing attack utilizing an email resembling a payment notification or subscription confirmation to security software, computer support, streaming platforms, and other well-known brands.
These emails state that the recipient is being auto-renewed into an outrageously expensive subscription and should cancel it if they do not want to be charged.”
“The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers.
Israel's National Cyber Directorate (INCD) acts as the CERT responsible for protecting the country from cyber threats and to warn organizations and citizens about known attacks.
Since October, Israel has been heavily targeted by pro-Palestinian and Iranian hacktivists, who have been conducting data theft and data-wiping attacks on organizations in the country.”
Supply Chain Attacks
“New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.
"More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes," Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. "More than 6,000 repositories were vulnerable to repojacking due to account deletion."
Collectively, these repositories account for no less than 800,000 Go module-versions.”
“Since the beginning of 2023, ESET researchers have observed an alarming growth of deceptive Android loan apps, which present themselves as legitimate personal loan services, promising quick and easy access to funds.
Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims’ personal and financial information to blackmail them, and in the end gain their funds. ESET products therefore recognize these apps using the detection name SpyLoan, which directly refers to their spyware functionality combined with loan claims.”
“ESET Research has discovered a cluster of malicious Python projects being distributed in PyPI, the official Python package repository. The threat targets both Windows and Linux systems and usually delivers a custom backdoor. In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both. In May 2023, we reported on another cluster of packages we found on PyPI that delivers password and cryptocurrency stealing malware, but the two clusters appear to be different campaigns.”
“In December 2020, the SolarWinds attack sent shockwaves around the world. Attackers gained unauthorized access to SolarWinds' software development environment, injected malicious code into Orion platform updates, and created a backdoor called Sunburst, potentially compromising national security. The attack affected 18,000 organizations, including government agencies and major corporations, and the malicious actors responsible for the breach may have been preparing to carry out the attack since 2019.
Although three years have passed and governments and other organizations have reevaluated security best practices and legislation, new developments in this story continue to emerge. This shows that more must be done to help prevent such a drastic attack from happening again.”
Malvertising and Adware
“ScamClub is a threat actor who’s been involved in malvertising activities since 2018. Chances are you probably ran into one of their online scams on your mobile device.
Confiant, the firm that has tracked ScamClub for years, released a comprehensive report in September while also disrupting their activities. However, ScamClub has been back for several weeks, and more recently they were behind some very high profile malicious redirects.
The list of affected publishers includes the Associated Press, ESPN and CBS, where unsuspecting readers are automatically redirected to a fake security alert connected to a malicious McAfee affiliate.
ScamClub is resourceful and continues to have a deep impact on the ad ecosystem. While we could not identify precisely which entity served the ad, we have reported the website used to run the fake scanner to Cloudflare which immediately took action and flagged it as phishing.”
“Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.
The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).
DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that's capable of acting as a stealer and a point of entry for next-stage payloads.
UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021.”
“During the past month, we have observed an increase in the number of malicious ads on Google searches for “Zoom”, the popular piece of video conferencing software. Threat actors have been alternating between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP” normally geared towards IT administrators.
While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.
In this blog post, we chose to highlight two cases:
- Case #1 is about a new loader which we have not seen mentioned publicly before called HiroshimaNukes. It drops an additional payload designed to steal user data.
- Case #2 is a campaign dropping FakeBat loader where the threat actor tracked victims via a panel that was new to us, called Hunting panel 1.40. FakeBat is often used by threat actors as the initial entry point for hands on keyboard operations.
We have reported the malicious ads to Google.”
“During this past year, we have seen an increase in the use of malicious ads (malvertising) and specifically those via search engines, to drop malware targeting businesses. In fact, browser-based attacks overall have been a lot more common if we include social engineering campaigns.
Criminals have found success in acquiring new victims thanks to search ads; we believe there are specialized services that help malware distributors and affiliates to bypass Google’s security measures and helping them to set up a decoy infrastructure. In particular, we saw similarities with the malvertising chains previously used to drop FakeBat.
In the past few days, researchers including ourselves have observed PikaBot, a new malware family that appeared in early 2023, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577.
In this blog post, we share details about this new campaign along with indicators of compromise.”
“MetaStealer is a popular piece of malware that came out in 2022, levering previous code base from RedLine. Stealers have become a very hot commodity in the criminal space, so much so that there is competition between various groups.
Threat actors have primarily used malspam as an infection vector to drop MetaStealer as well as cracked software via stolen YouTube accounts, but it was at least once previously seen in a malvertising campaign.
In the past week, we observed some malicious ads that weren’t dropping FakeBat or PikaBot, but rather a different payload that we recognized as MetaStealer. Interestingly, in early December, the malware authors behind MetaStealer gave an interview and announced that they were about to release a new and improved version of their tool.”
“A ransomware infection at a cloud IT provider has disrupted services for 60 or so credit unions across the US, all of which were relying on the attacked vendor.
This is according to the National Credit Union Administration, which on Friday told The Register it is fire-fighting the situation with the credit unions downed this week by the intrusion. The NCUA regulates and insures these financial orgs.
"I can confirm that approximately 60 credit unions are currently experiencing some level of outage due to a ransomware attack at a third-party service provider," the NCUA spokesperson said. "Member deposits at affected federally insured credit unions are insured by the National Credit Union Share Insurance Fund up to $250,000."
We're told the unions' IT provider Ongoing Operations – ironic – was hit by ransomware on Sunday, sparking days of disruption for the biz's clients. It's believed the cloud provider was infiltrated via the Citrix Bleed vulnerability.”
“The ransomware breach that crippled U.S. Treasury trading operations at an American subsidiary of Industrial & Commercial Bank of China Ltd. on November 8 has laid bare the vulnerability of the global financial system to cyberattacks. LockBit ransomware group claimed responsibility for the attack against ICBC, the largest lender in the world by assets, with $5.7 trillion under management. This ominous cyber-event sent shockwaves through the $26 trillion U.S. Treasury market.
LockBit specifically targeted ICBC Financial Services (ICBC FS), a wholly owned U.S. subsidiary of the state-owned lender, which plays a critical role in the world of international finance. “ICBC FS primarily engages in providing global clearing, execution and financing services to institutional clients,” according to credit-ranking agency Fitch Ratings. The Financial Times reported that this ICBC unit is an “intermediary for governments, hedge funds, and proprietary traders wanting to buy and sell U.S. debt.”
According to the Treasury, the LockBit attack exploited a known vulnerability in the Citrix NetScaler product suite. The ransomware disruption temporarily prevented bank employees from accessing their corporate email accounts and connecting to the Depository Trust and Clearing Corporation to resolve large batches of U.S. Treasury trades. Bundled in this trade backlog were systemically vital repurchase agreement (repo) transactions.”
“A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including breaches at schools in central Georgia.
And earlier in the year, a zoo in Tampa Bay was targeted by the same hacking gang.
Meanwhile, liberal arts college DePauw University in Indiana says that it was recently targeted, and a "limited amount of data on specific individuals was accessed." 214GB of stolen data has since been made available for download on BlackSuit's extortion site on the dark web.”
“Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore, Resecurity, Inc. (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit spotted the BianLian, White Rabbit, and Mario ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.
These cooperative ransom campaigns are rare, but are possibly becoming more common due to the involvement of Initial Access Brokers (IABs) collaborating with multiple groups on the Dark Web. Another factor that may be leading to greater collaboration are law enforcement interventions that create cybercriminal diaspora networks. Displaced participants of these threat actor networks may be more willing to collaborate with rivals.
Still, the growing systemic significance of IABs in the cybercriminal underworld has fomented a more fluid threat landscape where ransomware operators move from one group to another in pursuit of the best financial conditions. Thus, the malicious activity of disparate ransomware gangs may overlap due to the interconnection of varied cybercriminal actors and infrastructures. This is why it is critical to share such intelligence for further analysis with the broader cybersecurity community.”
“An evolving geopolitical landscape and shifting regulatory requirements have transformed Europe's cybersecurity environment over the past year, bringing new challenges for safeguarding critical infrastructure and sensitive data.
The Ukraine war and the conflict in Gaza have led to a rise in hacktivism, and ransomware gangs have excelled in capitalizing quickly on new critical vulnerabilities to gain initial access within many organizations. This is exacerbated by threat actors having more access to various means of automation, be it readily available command and control (C2) toolkits, generative AI (genAI) to support their spear-phishing efforts, or commercially available ransomware from the Dark Web.”
“A group of politically motivated Ukrainian hackers claimed they disrupted the operations of Bitrix24, a Russian provider of customer relationship management (CRM) services.
“This means war sponsors like Rosneft are facing huge operational issues with their clients, just like over 40% of CRM system users in the aggressor country,” the IT Army of Ukraine said on Wednesday in a statement on Telegram. Rosneft is a Russian state-controlled energy company.
Bitrix24 hasn't officially confirmed the incident, but its website indicates that on Wednesday, its servers in Russia, Belarus, and Kazakhstan experienced "a temporary failure." The company blamed the disruption on network connectivity issues and said that it is working to resolve the problem. The server's availability status hasn't been updated yet.”
“Hacktivist group Predatory Sparrow says it was behind a cyberattack on gas stations across Iran that disrupted operations.
Between 60% and 70% of Iranian gas stations reportedly have been affected.
Meanwhile, Reza Navar, a spokesperson for Iran's petrol stations association, told state news that a software issue was the culprit, and that it's being resolved. He advised drivers not to visit petrol stations.
Iran's oil minister Javad Owji said outside interference was a possible cause, according to Reuters.”
“Cyberspace aggression against Israel has intensified since the onset of war in the Gaza Strip, changing in nature from simple online vandalism to attacks aimed at causing disruption and sowing fear, says Israel's cybersecurity agency.
Cyber Israel in a Sunday report said it is tracking roughly 15 hacker groups associated with Iran, Hamas and Hezbollah that are maliciously acting in Israeli cyberspace.
One of the most prominent attack vectors is phishing emails and messages impersonating government alerts and software updates. Following the Oct. 7 incursion into Israel from Gaza by Hamas - and the subsequent Israeli counteroffensive - the intensity of phishing has increased, the report says.”
Nation-State / Advanced Persistent Threat
“Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 (aka "Fancybear" or "Strontium") actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.
The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East.
The tech giant also highlighted the exploitation of other vulnerabilities with publicly available exploits in the same attacks, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.”
“A regulatory agency in Florida that oversees the long-term supply of drinking water confirmed that it responded to a cyberattack over the last week as the top cybersecurity agencies in the U.S. warned of foreign attacks on water utilities.
A spokesperson for the St. Johns River Water Management District, which works closely with utilities on water supply issues, confirmed that it “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.”
The agency does not have direct control over water utility technology.
On Friday, a ransomware gang said it attacked the organization, providing samples of what it stole. The cybercriminals did not say how much total data was taken in the attack.
Most of the work by the St. Johns River Water Management District is centered around educating the public about water conservation, setting rules for water use, conducting research, collecting data, restoring and protecting water above and below the ground, and preserving natural areas.”
“Starting in March 2023, Proofpoint researchers have observed the Russian advanced persistent threat (APT) TA422 readily use patched vulnerabilities to target a variety of organizations in Europe and North America. TA422 overlaps with the aliases APT28, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta, and is attributed by the United States Intelligence Community to the Russian General Staff Main Intelligence Directorate (GRU). While TA422 conducted traditional targeted activity during this period, leveraging Mockbin and InfinityFree for URL redirection, Proofpoint observed a significant deviation from expected volumes of emails sent in campaigns exploiting CVE-2023-23397—a Microsoft Outlook elevation of privilege vulnerability. This included over 10,000 emails sent from the adversary, from a single email provider, to defense, aerospace, technology, government, and manufacturing entities, and, occasionally, included smaller volumes at higher education, construction, and consulting entities. Proofpoint researchers also identified TA422 campaigns leveraging a WinRAR remote execution vulnerability, CVE-2023-38831.”
“The UK and allies have today (December 7th) exposed a series of attempts by the Russian Intelligence Services to target high-profile individuals and entities through cyber operations. The UK Government judges that this was done with the intent to use information obtained to interfere in UK politics and democratic processes.
Centre 18, a unit within Russia’s Intelligence Services, the FSB, has been identified as being accountable for a range of cyber espionage operations targeting the UK.
The activity was in turn conducted by Star Blizzard; a group that the UK’s National Cyber Security Centre (NCSC) – a part of GCHQ – assesses is almost certainly subordinate to FSB Centre 18.
While some attacks resulted in documents being leaked, attempts to interfere with UK politics and democracy have not been successful.
Star Blizzard is also commonly known as Callisto Group, SEABORGIUM or COLDRIVER and is operated by FSB officers. The group has also selectively leaked and amplified the release of information in line with Russian confrontation goals, including to undermine trust in politics in the UK and likeminded states.”
“Early this year, Ukrainian cybersecurity researchers found Fighting Ursa leveraging a zero-day exploit in Microsoft Outlook (now known as CVE-2023-23397). This vulnerability is especially concerning since it doesn’t require user interaction to exploit. Unit 42 researchers have observed this group using CVE-2023-23397 over the past 20 months to target at least 30 organizations within 14 nations that are of likely strategic intelligence value to the Russian government and its military.
During this time, Fighting Ursa conducted at least two campaigns with this vulnerability that have been made public. The first occurred between March-December 2022 and the second occurred in March 2023.
Unit 42 researchers discovered a third, recently active campaign in which Fighting Ursa also used this vulnerability. The group conducted this most recent campaign between September-October 2023, targeting at least nine organizations in seven nations.
Of the 14 nations targeted throughout all three campaigns, all are organizations within NATO member countries, except for entities in Ukraine, Jordan and the United Arab Emirates. These organizations included critical infrastructure and entities that provide an information advantage in diplomatic, economic and military affairs.”
“Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel. We’re naming this malware family “NineRAT.” NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used again around September 2023 against a European manufacturing entity.
During our analysis, Talos found some overlap with the malicious attacks disclosed by Microsoft in October 2023 attributing the activity to Onyx Sleet, also known as PLUTIONIUM or Andariel.
Talos agrees with other researchers’ assessment that the Lazarus APT is essentially an umbrella of sub-groups that support different objectives of North Korea in defense, politics, national security and research and development. Each sub-group operates its own campaigns and develops and deploys bespoke malware against their targets, not necessarily working in full coordination. Andariel is typically tasked with initial access, reconnaissance and establishing long-term access for espionage in support of North Korean government interests. In some cases, Andariel has also conducted ransomware attacks against healthcare organizations.
The current campaign, Operation Blacksmith, consists of similarities and overlaps in tooling and tactics observed in previous attacks conducted by the Andariel group within Lazarus.
A common artifact in this campaign was “HazyLoad,” a custom-made proxy tool previously only seen in the Microsoft report. Talos found HazyLoad targeting a European firm and an American subsidiary of a South Korean physical security and surveillance company as early as May 2023.
In addition to Hazyload, we discovered “NineRAT” and two more distinct malware families — both DLang-based — being used by Lazarus. This includes a RAT family we’re calling “DLRAT” and a downloader we call “BottomLoader” meant to download additional payloads such as HazyLoad on an infected endpoint.”
“In this report, SentinelLabs, Microsoft, and PwC threat intelligence researchers provide attribution-relevant information on the Sandman APT cluster positioning this threat on the broader threat landscape. We highlight links between Sandman and a suspected China-based threat actor using the shared KEYPLUG backdoor – STORM-0866/Red Dev 40. This includes victimology overlaps, cohabitation, and sharing C2 infrastructure control and management practices.
STORM-0866/Red Dev 40 is a developing APT threat cluster primarily targeting entities in the Middle East and the South Asian subcontinent, including telecommunication providers and government entities. These are regions and sectors where we also observed Sandman activity. The modular backdoor KEYPLUG is a staple in STORM-0866/Red Dev 40’s arsenal. Mandiant first reported on KEYPLUG as part of intrusions into U.S. government entities by the Chinese APT group APT41.
Microsoft and PwC have subsequently identified at least three other developing clusters involving KEYPLUG, including STORM-0866/Red Dev 40. Their research, making the case that KEYPLUG is likely shared among multiple suspected China-based groups, was presented at LabsCon 2023. They distinguish STORM-0866/Red Dev 40 from the other clusters based on specific malware characteristics, such as unique encryption keys for KEYPLUG C2 communication, and a higher sense of operational security, such as relying on Cloud-based reverse proxy infrastructure for hiding the true hosting locations of their C2 servers.”
“The Black Lotus Labs team at Lumen Technologies linked a small office/home office (SOHO) router botnet, tracked as KV-Botnet to the operations of China-linked threat actor Volt Typhoon. The botnet is comprised of two complementary activity clusters, the experts believe it has been active since at least February 2022. The threat actors target devices at the edge of networks.
The KV-Botnet is composed of end-of-life products used by SOHO devices. In early July and August of 2022, the researchers noticed several Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFEs that were part of the botnet. Later, in November 2022, most of the devices composing the botnet were ProSAFE devices, and a smaller number of DrayTek routers. In November 2023, the experts noticed that the botnet started targeting Axis IP cameras, such as the M1045-LW, M1065-LW, and p1367-E.”
Data Breaches / Credential Stuffing
“A large, Seattle-based surgical group is notifying nearly 437,400 individuals that their information was potentially compromised in a ransomware and data theft incident earlier this year. The breach is part of a larger, disturbing trend in the healthcare sector in 2023.
Proliance Surgeons, which has about 100 locations in Washington state and treats more than 800,000 patients annually, reported the hacking incident involving a network server to the U.S. Department of Health and Human Services on Nov. 20.
In its breach notice, the specialty medical group said the cyberattack on its network had involved some IT systems and files being encrypted, as well as unauthorized access resulting in the removal of "a limited number" of files.”
“Telling the future is a tricky business, and failure to foretell your own mishaps doesn't help. The content platform WeMystic is a good example of this, with the Cybernews research team discovering that it exposed its users' sensitive data.
WeMystic offers its users astrology, spiritual well-being, and esotericism alongside an online shop for natural stones, chakras, tarot cards, bracelets, and other products. The platform primarily serves Brazilian, Spanish, French, and English speakers.
According to our team, WeMystic left an open and passwordless MongoDB database containing 34 gigabytes of data related to the service as part of the MongoDB infrastructure.
Businesses employ MongoDB to organize and store large swaths of document-oriented information. While WeMystic has since closed the database, researchers said that the data was accessible for at least five days.”
“There's no sugarcoating this news: The Hershey Company has disclosed cyber crooks gobbled up 2,214 people's financial information following a phishing campaign that netted the chocolate maker's data.
According to a security notification filed with the Maine Attorney General's office, the phishing emails landed in employees' inboxes in early September. From that point on, it sounds like accessing private data was as easy as stealing candy from a baby.
The other Chocolate Factory did not immediately respond to The Register's questions.”
“On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access “a significant number of files containing profile information about other users’ ancestry.” But 23andMe would not say how many “other users” were impacted by the breach that the company initially disclosed in early October.
As it turns out, there were a lot of “other users” who were victims of this data breach: 6.9 million affected individuals in total.”
“Carpet cleaning giant Stanley Steemer said nearly 68,000 people were affected by a cyberattack the company experienced in March.
In documents filed with regulators in Maine, the Ohio-based cleaning business said hackers broke into its systems on February 10 and were discovered on March 6.”
“Cold storage and logistics giant Americold has confirmed that over 129,000 employees and their dependents had their personal information stolen in an April attack, later claimed by Cactus ransomware.
Americold employs 17,000 people worldwide and operates more than 24 temperature-controlled warehouses across North America, Europe, Asia-Pacific, and South America.
The April network breach led to an outage affecting the company's operations after Americold forced it to shut down its IT network to contain the breach and "rebuild the impacted systems."
“Mr. Cooper is sending data breach notifications warning that a recent cyberattack has exposed the data of 14.7 million customers who have, or previously had, mortgages with the company.
Mr. Cooper (previously Nationstar Mortgage LLC) is a Dallas-based mortgage lending firm that employs approximately 9,000 people and has millions of customers. The lender is one of the largest servicers in the United States, servicing loans of $937 billion.
In early November 2023, the company announced that it had been breached in a cyberattack on October 30, 2023, which it discovered the following day.”
“Comcast Cable Communications, doing business as Xfinity, disclosed on Monday that attackers who breached one of its Citrix servers in October also stole customer-sensitive information from its systems.
On October 25, roughly two weeks after Citrix released security updates to address a critical vulnerability now known as Citrix Bleed and tracked as CVE-2023-4966, the telecommunications company found evidence of malicious activity on its network between October 16 and October 19.
Cybersecurity company Mandiant says the Citrix flaw had been actively exploited as a zero-day since at least late August 2023.”
“ESO Solutions, a provider of software products for healthcare organizations and fire departments, disclosed that data belonging to 2.7 million patients has been compromised as a result of a ransomware attack.
According to the notification, the intrusion occurred on September 28 and resulted in data being exfiltrated before the hackers encrypted a number of company systems.
During the investigation of the incident, ESO Solutions discovered that the attackers accessed one machine that contained sensitive personal data.”
SEO Stuffing / Cache Poisoning / Typosquatting / Impersonation
“Brand impersonation has long been a favorite tactic of cybercriminals, who exploit the familiarity and reputation of well-known brands to deceive targets into providing sensitive information. Just last year, we discovered 265 different brands impersonated by threat actors in credential phishing attacks over only six months—demonstrating the wealth of trusted entities attackers have the ability to convincingly mimic.
But it’s not only financial institutions and social media sites that see their brands impersonated. In a recent multi-stage impersonation attack, threat actors posed as the popular streaming service Disney+ with impressive sophistication.
What sets this attack apart is the level of personalization and attention to detail employed by the perpetrators, making it difficult for traditional security solutions and even vigilant individuals to identify it as malicious. Based on initial research in late September, the threat actor targeted 44 individuals across 22 different organizations with this Disney+ impersonation attack.”
“Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying.
OAuth is an open authentication standard increasingly being adopted for cross-platform access; users would recognize it at play when logging into a website with a prompt to click on a link to log in with another social media account, such as "Log in with Facebook" or "Log in with Google." OAuth enables applications to get access to data and resources to other online services and sites based on permissions set by a user, and it is the mechanism responsible for the authentication handoff between the sites.”
Cryptocurrency and Blockchain
“Threat actors from the Democratic People's Republic of Korea (DPRK) are increasingly targeting the cryptocurrency sector as a major revenue generation mechanism since at least 2017 to get around sanctions imposed against the country.
"Even though movement in and out of and within the country is heavily restricted, and its general population is isolated from the rest of the world, the regime's ruling elite and its highly trained cadre of computer science professionals have privileged access to new technologies and information," cybersecurity firm Recorded Future said in a report shared with The Hacker News.
"The privileged access to resources, technologies, information, and sometimes international travel for a small set of selected individuals with promise in mathematics and computer science equips them with the necessary skills for conducting cyber attacks against the cryptocurrency industry."
The disclosure comes as the U.S. Treasury Department imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds.”
“A vulnerability in an open-source library that is common across the Web3 space impacts the security of pre-built smart contracts, affecting multiple NFT collections, including Coinbase.
The disclosure came earlier today from Web3 development platform Thirdweb. The announcement provides a minimum of details, which irked some users who wanted clarifications that could help them protect contracts.
Thirdweb said that it became aware of the security flaw on November 20 and pushed a remediation two days later, but did not disclose the name of the library and the type or severity of the vulnerability to prevent tipping off attackers.”
“Check Point’s Blockchain Threat Intelligence system raised an alert on pool liquidity manipulation, resulting in a staggering token price increase of 22,000%. The malicious actor exploited the liquidity pool, stealing $80,000 from unsuspecting holders.”
“Till now, he have heard about "Bitcoin digital wallet hacked" or "Bitcoin website hacked", but now a hacker has stolen cryptocurrency from mining pools and generated $83,000 in digital cash in more than four months by gaining access to a Canadian Internet provider.
Bitcoin is a virtual currency that makes use of cryptography to create and transfer bitcoins. Users make use of digital wallets to store bitcoin addresses from which bitcoins are received or sent. Bitcoin uses public-key cryptography so that each address is associated with a pair of mathematically linked public and private keys that are held in the wallet.
Researchers at Dell SecureWorks Counter Threat Unit (CTU), a cyber intelligence company, have discovered a series of malicious activities in which a cryptocurrency thief used bogus Border Gateway Protocol (BGP) broadcasts to hijack networks belonging to no less than 19 Internet service providers, including Amazon and other hosting services like DigitalOcean and OVH, in order to steal cryptocurrency from a group of bitcoin users.”
Ledger is a hardware wallet that lets users buy, manage, and securely store their digital assets offline, supporting multiple cryptocurrencies, including Bitcoin and Ethereum.
The company offers a library called the "Ledger dApps Connect Kit" that allows web3 apps to connect to Ledger hardware wallets.”
“GokuMarket, a centralized crypto exchange owned by ByteX, left an open instance, revealing the details of virtually all of its users, the Cybernews research team has discovered.
The leak comes after the team discovered an unprotected MongoDB instance, which stored information on GokuMarket crypto exchange users.
Businesses employ MongoDB to organize and store large swaths of document-oriented information, and in GokuMarket’s case, the details of over a million customers and admin users.”
“Cryptocurrency scammers are abusing a legitimate Twitter "feature" to promote scams, fake giveaways, and fraudulent Telegram channels used to steal your crypto and NFTs.
On X, formerly and more widely known as Twitter, a post's URL consists of the account name of the person who tweeted it and a status ID, as shown below.
The website uses the status ID to determine what post should be loaded from the site's database, not bothering to check if the account name is valid.
This allows you to take an URL for a Tweet and modify the account name to whatever you want, even high-profile accounts. When visiting the URL, the website simply redirects you to the correct URL associated with the ID.”
“Imperva Threat Research has discovered undocumented activity from a hacker group known as the 8220 gang. This group is known for mass malware deployment using an ever-evolving arsenal of TTPs. The 8220 gang mainly targets Windows and Linux web servers with cryptojacking malware.
The 8220 gang, believed to be of Chinese origins, was first identified in 2017 by Cisco Talos when it targeted Drupal, Hadoop YARN, and Apache Struts2 applications for propagating cryptojacking malware. the group exploited Confluence and Log4j vulnerabilities, and recently, Trend Micro found them leveraging Oracle WebLogic vulnerability (CVE-2017-3506) to infect systems.”
Other Cybersecurity Headlines
“Booking.com customers are being targeted by a novel social engineering campaign, which is “paying serious dividends” for cybercriminals, according to new research by Secureworks.
The researchers said the campaign, which they believe has been running for at least a year, begins by deploying the Vidar infostealer to gain access partner hotels’ Booking.com credentials. This information is then used to send phishing emails to Booking.com customers and trick them into handing over their payment details, in many cases leading to money being stolen.
The scam is proving so fruitful that sales of Booking.com portal credentials are commanding sale prices of up to $2000 in two cybercrime forums, according to the researchers.”
“The Spanish police have arrested one of the alleged leaders of the 'Kelvin Security' hacking group, which is believed to be responsible for 300 cyberattacks against organizations in 90 countries since 2020.
News of the arrest of a leader of the financial component of the group was posted to the Spanish National Police's Telegram channel Sunday morning, stating that the threat actors are linked to attacks on government institutions across Spain, Germany, Italy, Argentina, Chile, Japan, and the United States.
"The group's main objectives are critical infrastructure and government institutions, having attacked the City Councils of Getafe (Madrid), Camas (Seville), La Haba (Badajoz) and the Government of Castilla-La Mancha in Spain," reads the machine-translated Telegram post.”
“An international law enforcement operation codenamed 'Operation HAECHI IV' has led to the arrest of 3,500 suspects of various lower-tier cybercrimes and seized $300 million in illicit proceeds.
The South Korean authorities led HAECHI operations and worked with law enforcement agencies from 34 countries, including the United States, the United Kingdom, Japan, Hong Kong (China), and India.
The latest operation, which occurred between July and December 2023, targeted threat actors engaging in voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise, and e-commerce fraud.”
“The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys.
On December 7th, BleepingComputer first reported that the ALPHV, aka BlackCat, websites suddenly stopped working, including the ransomware gang's Tor negotiation and data leak sites.
While the ALPHV admin claimed it was a hosting issue, BleepingComputer learned it was related to a law enforcement operation.
Today, the Department of Justice confirmed our reporting, stating that the FBI conducted a law enforcement operation that allowed them to gain access to ALPHV's infrastructure.”
“The Federal Criminal Police Office in Germany (BKA) and the internet-crime combating unit of Frankfurt (ZIT) have announced the seizure of Kingdom Market, a dark web marketplace for drugs, cybercrime tools, and fake government IDs.
The law enforcement operation also included authorities from the United States, Switzerland, Moldova, and Ukraine, while one of the administrators has been arrested in the US.
Kingdom Market was an English-speaking marketplace on the dark web with international reach that has operated since March 2021. Platform members sold drugs, malware, cybercrime services, stolen personal information, and forged documents, and paid in cryptocurrencies such as Bitcoin, Litecoin, Monero, and Zcash.”
Navigating the complexities of cybersecurity challenges today means more than just being alert; it requires a readiness to adapt and embrace superior technologies for better protection of your digital assets. The recent announcement of Cisco Umbrella Roaming Clients end-of-life (EOL) on April 2, 2024, and its end-of-support (EOS) on April 2, 2025, has encouraged several organizations to consider the next steps in maintaining robust cybersecurity ...
The term “zero-day attacks” is thrown around frequently with a lot of concern—and rightfully so. In today’s world where even the most menial tasks are conducted online, there is always some cyber threat lurking in the dark shadows of the internet. Picture this: A burglar finds a secret doorway to your house and decides to pay you a visit. All your assets are now accessible to him, even without your knowledge.
AI, LLM, generative content, NLP, big data, neural processing, machine learning, GPT. In 2023 it's undeniable that these were some of the most heard terms from various businesses, news outlets and the social media sphere. Ultimately this alphabet soup can mean just as much as it sometimes doesn’t—and, as often is the case, the internet leans into the trend.Sites popped up everywhere—some reputable while others less so—promising cyberpunk profile ...