August was a big month for cybersecurity news with headlines like NIST Expands Cybersecurity Framework with New Pillar and White House Pushes Cybersecurity Defense for K-12 Schools. We followed hundreds of stories through August to ensure you stay informed. Enjoy.
CISA issues new warning on actively exploited Ivanti MobileIron bugs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today that state hackers have been exploiting two flaws in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, since April.
"Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network," CISA said on Tuesday.
"Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability.
"Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks."
OWASP Top 10 for LLM (Large Language Model) applications is out!
OWASP released the OWASP Top 10 for LLM (Large Language Model) Applications project, which provides a list of the top 10 most critical vulnerabilities impacting LLM applications.
The project aims to educate developers, designers, architects, managers, and organizations about the security issues when deploying Large Language Models (LLMs).
The organization is committed to raising awareness of the vulnerabilities and providing recommendations for hardening LLM applications.
“The OWASP Top 10 for LLM Applications Working Group is dedicated to developing a Top 10 list of vulnerabilities specifically applicable to applications leveraging Large Language Models (LLMs).” reads the announcement of the Working Group. “This initiative aligns with the broader goals of the OWASP Foundation to foster a more secure cyberspace and is in line with the overarching intention behind all OWASP Top 10 lists.”
2022 Top Routinely Exploited Vulnerabilities | CISA
The following cybersecurity agencies co-authored this joint Cybersecurity Advisory (CSA):
This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.
The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.
FBI warns of scammers posing as NFT devs to steal your crypto
The FBI warned today of fraudsters posing as Non-Fungible Token (NFT) developers to prey upon NFT enthusiasts and steal their cryptocurrency and NFT assets.
In these attacks, the criminals gain unauthorized access to NFT developer social media accounts or create nearly identical accounts to promote "exclusive" NFT releases.
This allows them to lure targets with misleading claims of "limited supply," labeling the promotions as "surprises" or previously undisclosed mints to induce a false sense of urgency and trick potential victims into making hurried decisions without proper due diligence.
NIST Expands Cybersecurity Framework with New Pillar - Infosecurity Magazine
The US National Institute of Standards and Technology (NIST) has released a new draft version of its popular best practice security framework, designed to expand its scope and provide more guidance on implementation.
The NIST Cybersecurity Framework (CSF) 2.0 is the first refresh since it was launched in 2014. It is designed to help organizations “understand, reduce and communicate about cybersecurity risk,” the standards body said.
“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” said the framework’s lead developer, Cherilyn Pascoe.
“The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”
FBI warns of increasing cryptocurrency recovery scams
The FBI is warning of an increase in scammers pretending to be recovery companies that can help victims of cryptocurrency investment scams recover lost assets.
The bulletin mentions that the money lost to cryptocurrency investment fraud surpassed $2.5 billion in 2022, and this only concerns cases reported to the authorities. Furthermore, many people lose cryptocurrency through information-stealing malware or phishing attacks that steal wallets, likely making this number far larger.
This situation creates an opportunity for recovery scheme scammers who tap into this vast pool of victims, taking advantage of their desperation to recover their funds while only deceiving them a second time.
Introducing first PKI Maturity Model (PKIMM)
Last year, the PKI Consortium established the PKI Maturity Model Working Group to build a PKI maturity model for evaluation, planning, and comparison between different PKI implementations.
Today, we are happy to announce that the initial draft version of the model has been finalized and is publicly available!
Anyone who would like to try the model and perform the assessment is more than welcome.
The maturity model is based on the Capability Maturity Model Integration (CMMI) developed by Carnegie Mellon University. It provides the following:
The PKI maturity model defines 5 levels of the PKI maturity based on different indicators and associated risks.
New Traffic Light Protocol standard released after five years
“The Forum of Incident Response and Security Teams (FIRST) has published TLP 2.0, a new version of its Traffic Light Protocol (TLP) standard, five years after the release of the initial version.
“The TLP standard is used in the computer security incident response team (CSIRT) community to facilitate the greater sharing of sensitive information.
“It also indicates any sharing limitations recipients have to consider when communicating potentially sensitive info with others.”
CISA, NSA, and NIST Publish Factsheet on Quantum Readiness
“On August 21, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.
“CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources related to CISA’s PQC work, visit Post-Quantum Cryptography Initiative.”
A new California privacy bill should make it easier for residents to take their personally identifiable information (PII) off data brokers. But Californians won't be the only ones to benefit if the California Delete Act (Senate Bill 362) passes. Like other tech developments, where California goes, the rest of the nation tends to follow. Bill 362 provides a perfect template for a nationwide win against data brokers and the dangerous privacy infringements they cause.
One of the largest sources of online exposure (i.e., how your phone number pops up when someone Googles you), data brokers are companies that aggregate information about consumers. They, mostly legally, take this data from various different sources (public records, credit card transactions, social media, etc.) and then sell it to third parties.
Data brokers rarely vet their customers. As a result, anyone — from marketers and law enforcement agencies to cybercriminals — can get their hands on our personal information, such as contact details, family information, sexuality, reproductive health, and even geolocation. We know that criminal groups use data brokers for reconnaissance and targeted phishing emails.
If Senate Bill 362 passes (which looks likely), it could trigger a sequence of state copycat laws. Get enough of these over the line, and a federal data broker opt-out process will likely follow.
CISA Releases its Cybersecurity Strategic Plan
Today, CISA released a strategic plan to lay out how we will fulfill our cybersecurity mission over the next three years. The CISA Cybersecurity Strategic Plan aligns the following nine objectives to specific enabling measures and measures of effectiveness to drive accountability:
Learn more about CISA’s Cybersecurity Strategic Plan at https://www.cisa.gov/cybersecurity-strategic-plan.
Proposed Second Amendment to NYDFS Cybersecurity Regulations: Comments Due August 14
Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated proposed second amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (proposed second amendment released June 28, 2023), it is not too late for companies to submit comments on the most recent version of the proposed changes from NYDFS. Comments are due by 5:00 p.m. ET on August 14.
As background, the NYDFS Cybersecurity Regulation took effect in March 2017, including a robust set of cybersecurity requirements as well as a 72-hour incident notification requirement for NYDFS licensees. After amending the regulation on July 29, 2022, NYDFS released the first draft of a proposed second amendment to the regulation in November 2022 with a public comment period that closed on January 9, 2023. The changes proposed in November 2022 included several significant updates to the regulation with respect to:
After reviewing the comments received on these proposed changes, NYDFS released an updated version of the proposed changes on June 28, 2023 with adjustments made in response to these comments.
New York State to Debut First Cybersecurity Strategy - WSJ
The state of New York debuted its first cybersecurity strategy, including plans to modernize government networks, provide digital defenses at the county level and regulate critical infrastructure.
The strategy, which Gov. Kathy Hochul announced Wednesday, comes as an array of cyberattacks have battered New York, with the state’s Division of Homeland Security and Emergency Services responding to 57 cyber incidents in 2022. These include a monthslong shutdown of municipal systems in Suffolk County, and attacks on schools and healthcare systems across the state.
Kathryn Garcia, director of operations for New York state, said that the growing sophistication of hackers and the threats they pose to both state and national security prompted the creation of the strategy.
“Many of the pieces of the strategy plan are already in flight, but we also know that we are only as strong as our weakest link,” she said.
The strategy focuses on five areas, including upgrading state networks to support modern security technology such as multifactor authentication. The plan also calls for the state to work with county governments and federal agencies on cybercrime investigations and information sharing.
Federal agencies gear up for zero trust executive order deadline - Help Net Security
Federal agencies are prepared to meet the zero trust executive order requirements from the Biden Administration with just over a year until the deadline, according to Swimlane.
The research investigated the confidence level of these agencies in meeting the memorandum’s requirements and the tools leveraged to overcome challenges in adopting the key components of a zero trust architecture.
Half-Year in Review: Recapping the top threats and security trends so far in 2023 | Talos
BlackBerry Global Threat Intelligence Report — August 2023 Edition | BlackBerry
Key Findings from the 1H 2023 FortiGuard Labs Threat Report | Fortinet
2023 Business Email Compromise Statistics | Tripwire
ProjectDiscovery raises $25M to launch a cloud version of its threat-scanning platform | TechCrunch
Identity management platform Veza secures $15M from Capital One and ServiceNow | TechCrunch
Horizon3 secures $40M to expand its pen testing platform | TechCrunch
Endor Labs, which helps companies secure their open source packages, raises $70M | TechCrunch
Cerby lands $17M to manage access to ‘nonstandard’ enterprise apps | TechCrunch
Malwarebytes Announces Acquisition of Leading Online Privacy Company Cyrus
Parsons Buys Cybersecurity Company SealingTech; Carey Smith Quoted - GovCon Wire
Thoma Bravo to Close $2.3 Billion ForgeRock Deal on DOJ Nod - Bloomberg
Gamma Strengthens Cyber Security Offering with Satisnet Acquisition - UC Today
Check Point buys Israeli cybersecurity co Perimeter 81 - Globes
Seceon Acquires Helixera, Hires Founder as VP of Cybersecurity Solutions Architecture
Rubrik acquiring cloud security startup Laminar for $200-250 million | Ctech
Partner One Acquires Key Fidelis Cybersecurity Assets
Dynatrace acquires cloud-native debugging platform Rookout | TechCrunch
HackerOne lays off 12% workforce as ‘one-time event’ | TechCrunch
Cybersecurity giant Rapid7 announces sweeping layoffs as losses mount | TechCrunch
SecureWorks layoffs affect 15% staff | TechCrunch
UK cybersecurity giant NCC Group is making more layoffs | TechCrunch
Sitting Down With DNSFilter's Newest Board Member, Jon Oberheide
Recently, DNSFilter's Director of Content Marketing, Serena Raymond, sat down with our newest member of the Board of Directors, Jon Oberheide. In this discussion, Serena and Jon touched on everything from Jon's experience as CTO and co-founder of Duo Security, to the flaws of the cybersecurity industry. Some responses from this interview have been slightly edited for clarity.
Black Hat 2023 Review: LLMs Everywhere
I attended as many Black Hat briefings as possible this year. As a data scientist, I paid particular attention to the data science, machine learning, and artificial intelligence talks. Before we get into details, let’s address the elephant in the room: ChatGPT and LLMs.
Yes, it did seem like every third talk was about trying to apply a large language model (LLM) to either hack or secure a computer. I don’t doubt that the hacker and security communities will continue to extract value from the compressed knowledge stored in large language models, and made available in user-friendly interfaces such as ChatGPT. But the organizations that extract the most value from LLMs will be the ones that are best able to take advantage of these models’ power for interpreting language. One talk in particular did an excellent job of this.
“In an increasingly interconnected world, the importance of securing digital landscapes has become paramount. Cyber threats, ranging from phishing attacks to malware infiltrations, constantly evolve and challenge the integrity of online environments. Amidst this landscape, DNS (Domain Name System) plays a pivotal role as a fundamental technology that translates human-readable domain names into IP addresses, enabling seamless internet browsing.”
The 19 most promising cybersecurity startups of 2023, according to VCs
Air-Gapped ICS Systems Targeted by Sophisticated Malware
Security teams in industrial control systems (ICS) environments are fighting a worm that gets past air-gapped defenses.
Researchers from Kaspersky ICS-CERT have been investigating cyberattacks against ICS and critical infrastructure in Eastern Europe, and uncovered a novel second-stage malware that gets around the typical data security that an air gapped system provides. The threat actors were trying to establish a permanent presence on the target networks for data exfiltration, the team said.
First, the attackers use known remote access and data collection tools to gain an initial foothold in the ICS network. Then, they deploy a "sophisticated" modular malware against the air-gapped ICS networks, which contaminates removable storage drives with a worm that exfiltrates targeted data. From there, they are just one step away from being able to transmit stolen data out of the environment.
Canon warns of Wi-Fi security risks when discarding inkjet printers
Canon is warning users of home, office, and large format inkjet printers that their Wi-Fi connection settings stored in the devices' memories are not wiped, as they should, during initialization, allowing others to gain access to the data.
This flaw could introduce a security and privacy risk for impacted users if the printer memory is extracted by repair technicians, temporary users, or future buyers of the devices, allowing them to get the connection details for your Wi-FI network.
The specific information stored in a Canon printer varies depending on the model and configuration but generally includes the network SSID, the password, network type (WPA3, WEP, etc.), assigned IP address, MAC address, and network profile.
Apple Users Open to Remote Control via Tricky macOS Malware
Recently discovered data-stealing malware is targeting macOS users with a sneaky approach that uses Hidden Virtual Network Computing (hVNC). It's being sold at a lifetime price of $60,000 on the Dark Web, with add-ons available.
Virtual Network Computing (VNC) software is typically used by IT teams to provide remote technical support to users. A doppelgänger version of the tool is hVNC, which can be bundled into malware that operates covertly, gaining access without requesting permission from the user.
According to Guardz researchers, a macOS version of such a tool has emerged on Exploit, the infamous Russian underground forum. It specializes in bagging all manner of sensitive information, including login credentials, personal data, financial information, and more. Concerningly for Apple users, the malware can also survive system reboots and other attempts at removal.
White House Pushes Cybersecurity Defense for K-12 Schools
Typically understaffed and underfunded when it comes to cybersecurity, American K-12 schools have experienced a ramp-up in ransomware attacks, particularly after the novel coronavirus pandemic forced hasty adoption of remote tools for teaching. School districts in four states - Massachusetts, Michigan, Minnesota and West Virginia - had to cancel classes or close completely after a cyberattack during the last school year, the White House told reporters Sunday evening.
"We must take cyberattacks on our schools just as seriously as we take physical attacks on critical infrastructure," said Cindy Marten, education deputy secretary, during the call.
On Monday there should be a slew of activity aimed at making it harder for attackers to reach school networks, including establishment of a new government cybersecurity council headed by the Department of Education, whose membership will seek to coordinate activities for cyber resilience among tens of thousands of school districts. One cybersecurity researcher counted 120 publicly reported ransomware attacks during 2023 - and the total number is likely to be much higher.
The Cybersecurity and Infrastructure Security Agency said it will train 300 K-12 entities over the coming school year and will conduct approximately one K-12 cyber exercise per month this year.
Apple Users See Big Mac Attack, Says Accenture
It's no surprise that Apple Mac computers have become prize attack targets in recent years, but the number of Dark Web threat actors pursuing macOS is rising at an alarming rate. Accenture's threat intelligence unit on Monday reported a tenfold increase in Dark Web threat actors targeting Macs since 2019, much of it during the past 18 months.
The findings come from Accenture Cyber Threat Intelligence (ACTI) and its Dark Web reconnaissance efforts. While threat actors have historically directed their attacks at Windows and Linux devices, the ACTI team has observed a vast Dark Web community of skilled attackers who have set their sights on Macs.
Thomas "Mannie" Willkan, a cyber threat intelligence consultant with Accenture's ACTI who monitors Dark Web activity, tells Dark Reading that threat actors have traditionally ignored macOS. "It was more lucrative and easier to target Windows and Linux, but now, they have changed their scoping," Willkan says. "I think, partly, it is because they are constantly innovating and trying to stay ahead of security measures. But also, it's because there's now an economic incentive to target the Mac.
Attacker Breakout Time Shrinks Again, Underscoring Need for Automation
Attackers are getting quicker. New research reveals they have shaved a few more minutes off of the time they need to transition from gaining initial access to a system, to their attempt to attack other devices on the same network.
CrowdStrike finds the average intrusion required 79 minutes after initial compromise before launching an attack on other systems on a network. That's down from 84 minutes in 2022. CrowdStrike's 2023 Threat Hunting Report, published on Tuesday, also reveals the fastest time was seven minutes between the initial access and attempts to extend the compromise, based on more than 85,000 incidents processed in 2022.
An attacker's main goal is to move to other systems and establish a presence in the network, so that even if incident responders quarantine the original system, the attacker can still come back, says Param Singh, vice president of CrowdStrike's OverWatch security service. In addition, attackers want to gain access to other systems via legitimate user credentials, he says.
The breakout time is one measure of an attackers' agility when compromising corporate networks. Another measure defenders use is the time it takes between the initial compromise and detection of the attacker, known as dwell time, which hit a low of 16 days in 2022, according to incident response firm Mandiant's annual M-Trends report. Together, the two metrics suggest that most attackers quickly take advantage of a compromise and have carte blanche for more than two weeks before being detected.
Most VPNs can be tricked into leaking traffic - Security - iTnews
Nearly 70 VPN clients and servers are vulnerable to a long-standing attack that can cause them to leak user traffic, university researchers have claimed.
The multi-campus collaboration have dubbed their attack TunnelCrack and have published proof-of-concept exploit code.
“Our tests indicate that every VPN product is vulnerable on at least one device”, the researchers wrote, with VPNs running on Apple devices most likely to be vulnerable, but most VPNs on Windows and Linux also are.
VPNs running on Android were the most likely to be secure, they said.
Discord.io Halts All Operations After Massive Data Breach - Infosecurity Magazine
Discord.io has shut down operations after suffering a major data breach exposing the personal details of its 760,000 members.
A statement on the Discord.io website confirmed that a preview of the Discord.io's users database was posted on cybercrime marketplace BreachForums at 12.51am CET on Monday, August 14 (18.51 ET Sunday, August 13), with the rest of the database offered for sale.
As a result, a notice on Discord.io reads: “We are stopping all operations for the foreseeable future.”
The third-party service is not an official Discord website, but allows server owners to create custom invites to their Discord channels.
Discord.io added that it has canceled all active subscriptions and will be reaching out to individual members as soon as possible.
File sharing site Anonfiles shuts down due to overwhelming abuse
Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users.
Anonfiles is an anonymous file-sharing site that allows people to share files anonymously without their activity being logged.
However, it soon became one of the most popular file-sharing services used by threat actors to share samples of stolen data, stolen credentials, and copyrighted material.
Internet Infrastructure
US ‘lagging behind’ on Border Gateway Protocol security practices, CISA and FCC chiefs say
The U.S. government is lagging behind other countries in instituting more stringent cybersecurity measures governing Border Gateway Protocol (BGP) – a set of technical rules responsible for routing data efficiently.
BGP is one of the most important facets of the internet, serving as the underpinning for everyday actions like banking, telemedicine visits and more. This week, FCC Chairwoman Jessica Rosenworcel and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly convened a meeting of senior government officials, internet service providers (ISPs) and cloud content providers, and nonprofits to discuss needed BGP security improvements that are underway and planned.
IRS confirms takedown of bulletproof hosting provider Lolek
A popular bulletproof hosting platform was taken down by authorities in the U.S. and Poland this week, marking the latest effort to limit the anonymous access cybercriminals have to critical tools.
As early as Tuesday, the <Lolek>Hosted website showed a banner from the FBI and IRS.
“This domain has been seized by the Federal Bureau of Investigation and Internal Revenue Service - Criminal Investigation as part of a coordinated law enforcement action taken against Lolek Hosted,” the banner said.
Other participants in the operation were the U.S. Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, the agencies said. There also was “substantial assistance” by two Polish authorities: the Regional Prosecutor's Office in Katowice and the Central Bureau for Combating Cybercrime in Krakow.
An IRS spokesperson confirmed that the takedown banner was an official seizure notice.
The FBI declined to comment on the notice, and Polish authorities did not respond to requests for comment.
MaginotDNS attacks exploit weak checks for DNS cache poisoning
A team of researchers from UC Irvine and Tsinghua University has developed a new powerful cache poisoning attack named 'MaginotDNS,' that targets Conditional DNS (CDNS) resolvers and can compromise entire TLDs top-level domains.
The attack is made possible thanks to inconsistencies in implementing security checks in different DNS software and server modes (recursive resolvers and forwarders), leaving roughly one-third of all CDNS servers vulnerable.
The researchers presented the attack and paper earlier this week at Black Hat 2023, reporting that the identified problems have now been remediated at the software level.
Artificial Intelligence
'DarkBERT' GPT-Based Malware Trains Up on the Entire Dark Web
The developer behind the FraudGPT malicious chatbot is readying even more sophisticated adversarial tools based on generative AI and Google's Bard technology — one of which will leverage a large language model (LLM) that uses as its knowledge base the entirety of the Dark Web itself.
An ethical hacker who already had discovered another AI-based hacker tool, WormGPT, tipped off the researchers that the FraudGPT inventor — known on hacker forums as "CanadianKingpin12" — has more AI-based malicious chatbots in the works, according to SlashNext.
The forthcoming bots — dubbed DarkBART and DarkBERT — will arm threat actors with ChatGPT-like AI capabilities that go much further than existing cybercriminal genAI offerings, according to SlashNext. In a blog post published Aug. 1, the firm warned that the AIs will potentially lower the barrier of entry for would-be cybercriminals to develop sophisticated business email compromise (BEC) phishing campaigns, find and exploit zero-day vulnerabilities, probe for critical infrastructure weaknesses, create and distribute malware, and much more.
Microsoft kills Cortana in Windows 11 preview, long live AI!
Microsoft has officially begun killing off Cortana as the company moves its focus towards integrating ChatGPT and AI into Windows 11.
In June, Microsoft announced that Cortana would reach the end of support in August 2023 and that new AI productivity features are coming to Edge and Windows.
Unmasking hypnotized AI: The hidden risks of large language models
The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it’s important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent.
In a bid to explore security risks posed by these innovations, we attempted to hypnotize popular LLMs to determine the extent to which they were able to deliver directed, incorrect and potentially risky responses and recommendations — including security actions — and how persuasive or persistent they were in doing so. We were able to successfully hypnotize five LLMs — some performing more persuasively than others — prompting us to examine how likely it is that hypnosis is used to carry out malicious attacks. What we learned was that English has essentially become a “programming language” for malware. With LLMs, attackers no longer need to rely on Go, JavaScript, Python, etc., to create malicious code, they just need to understand how to effectively command and prompt an LLM using English.
Phishing
Threat actors abuse Google AMP for evasive phishing attacks
Security researchers are warning of increased phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and get to inboxes of enterprise employees.
Google AMP is an open-source HTML framework co-developed by Google and 30 partners to make web content load faster on mobile devices.
AMP pages are hosted on Google’s servers, where content is simplified and some of the heavier media elements are pre-loaded for faster delivery.
The idea behind using Google AMP URLs embedded in phishing emails is to make sure that email protection technology does not flag messages as malicious or suspicious due to Google’s good reputation.
The AMP URLs trigger a redirection to a malicious phishing site, and this additional step also adds an analysis-disrupting layer.
Data from anti-phishing protection company Cofense shows that the volume of phishing attacks employing AMP spiked significantly towards mid-July, suggesting that threat actors may be adopting the method.
Hackers exploited Salesforce zero-day in Facebook phishing attack
Hackers exploited a zero-day vulnerability in Salesforce's email services and SMTP servers to launch a sophisticated phishing campaign targeting valuable Facebook accounts.
The attackers chained a flaw dubbed "PhishForce," to bypass Salesforce's sender verification safeguards and quirks in Facebook's web games platform to mass-send phishing emails.
The benefit of using a reputable email gateway like Salesforce to distribute phishing emails is the evasion of secure email gateways and filtering rules, ensuring that the malicious emails reach the target's inbox.
The campaign was discovered by Guardio Labs analysts Oleg Zaytsev and Nati Tal, who reported the unknown vulnerability to Salesforce and helped them with the remediation process.
However, the discovered issues in Facebook's game platform are outstanding, as Meta's engineers are still trying to figure out why the existing mitigations failed to stop the attacks.
Microsoft Says Russia-Linked Hackers Behind Dozens of Teams Phishing Attacks
SAN FRANCISCO (Reuters) - A Russian government-linked hacking group took aim at dozens of global organizations with a campaign to steal login credentials by engaging users in Microsoft Teams chats pretending to be from technical support, Microsoft researchers said on Wednesday.
These "highly targeted" social engineering attacks have affected "fewer than 40 unique global organizations" since late May, Microsoft researchers said in a blog, adding that the company was investigating.
The Russian embassy in Washington didn't immediately respond to a request for comment.
Fake FlipperZero sites promise free devices after completing offer
A site impersonating Flipper Devices promises a free Flipper Zero after completing an offer but only leads to shady browser extensions and scam sites.
Flipper Zero is a portable multi-functional cybersecurity tool for pen-testers and hacking enthusiasts. The tool allows researchers to tinker with a wide range of hardware by supporting RFID emulation, digital access key cloning, radio communications, NFC, infrared, Bluetooth, and more.
Interpol takes down 16shop phishing-as-a-service platform
A joint operation between Interpol and cybersecurity firms has led to an arrest and shutdown of the notorious 16shop phishing-as-a-service (PhaaS) platform.
Phishing-as-a-service platforms offer cybercriminals a one-stop-shop to conduct phishing attacks. These platforms typically include everything you need, including email distribution, ready-made phishing kits for well-known brands, hosting, data proxying, victim overview dashboards, and other tools that help increase the success of their operations.
These platforms are a significant risk as they lower the bar of entry for inexperienced cybercriminals, offering them a simple and cost-effective way to launch phishing attacks with only a few clicks.
Group-IB, which aided Interpol in the takedown operation, reports that the 16shop platform offered phishing kits that targeted Apple, PayPal, American Express, Amazon, and Cash App accounts, among others.
Group-IB's telemetry data shows that 16shop is responsible for creating 150,000 phishing pages, which targeted people mainly from Germany, Japan, France, the USA, and the UK.
Interpol's announcement mentions that at least 70,000 users from 43 countries were compromised by phishing pages created through 16shop.
Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives
Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies.
According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations worldwide between March and June 2023.
Nearly 39% of the hundreds of compromised users are said to be C-level executives, including CEOs (9%) and CFOs (17%). The attacks have also singled out personnel with access to financial assets or sensitive information. At least 35% of all compromised users had additional account protections enabled.
The campaigns are seen as a response to the increased adoption of multi-factor authentication (MFA) in enterprises, prompting threat actors to evolve their tactics to bypass new security layers by incorporating adversary-in-the-middle (AitM) phishing kits to siphon credentials, session cookies, and one-time passwords.
Phishing Operators Make Ready Use of Abandoned Websites for Bait
Attackers are increasingly targeting abandoned and barely maintained websites for hosting phishing pages, according to a new study from Kaspersky.
In many cases, phishers' focus is on WordPress sites because of the sheer number of known vulnerabilities in the widely used content management system and its numerous plug-ins.
Researchers at Kaspersky recently counted 22,400 unique WordPress websites that threat actors had compromised between mid-May and the end of July to host phishing pages. The number included websites that attackers were literally able to walk into because they provided open access to the control panel, as well as sites that attackers had to break into via vulnerability exploits, credential theft, and other means. Kaspersky detected 200,213 attempts by users to visit phishing pages that threat actors had hosted on these websites.
Supply Chain Attacks
Lessons Not Learned From Software Supply Chain Attacks
Software supply chain attacks continue to be successful, and it seems like lessons from previous attacks are not being learned. In December, an unauthorized user accessed GitHub's systems and stole three encrypted code-signing certificates: one Apple-issued Developer ID certificate and two DigiCert-issued code-signing certificates for its desktop and Atom applications. While the attacker did not decrypt and use the certificates, GitHub decided to revoke them as a precautionary measure. This security breach had highly disruptive consequences for its user base, as outlined in a February announcement.
Another security breach at Micro-Star International (MSI) resulted in a software supply chain attack, where hackers had access to private signing keys for MSI's firmware and Intel's UEFI. When malware infects firmware and UEFI, it poses a significant threat. Malware is increasingly being hidden in the software supply chain through compromises in build platforms, poor code-signing hygiene, and exploitation of third-party open source and commercial software. The growing usage of open source software may contribute to this trend.
Iran's APT34 Hits UAE With Supply Chain Attack
The Iran-linked advanced persistent threat known as APT34 is at it again, this time mounting a supply chain attack with the ultimate goal of gaining access to government targets inside the United Arab Emirates (UAE).
Maher Yamout, lead security researcher of the EEMEA Research Center at Kaspersky, says the attackers used a malicious IT job recruitment form as a lure. APT34 (aka OilRig) created a fake website to masquerade as an IT company in the UAE, sent the recruitment form to a target IT company, and when the victim opened the malicious document to presumably apply for the advertised IT job, info-stealing malware executed.
Yamout says the malware collected sensitive information and credentials that allowed APT34 to access the IT company clients' networks. He explains that the attacker then specifically looked to target government clients, using the victim IT group's email infrastructure for command-and-control (C2) communication and data exfiltration. Kaspersky couldn't verify if the government attacks were successful due to its limited downstream visibility, but "we assess to medium-high confidence" that they were, Yamout says, given the group's typical success rate.
AI Risk Database Tackles AI Supply Chain Risks
An emerging free tool that analyzes artificial intelligence (AI) models for risk has set a path to become a mainstream part of cybersecurity teams' toolboxes to tackle AI supply chain risks. Created last March by the AI risk experts at Robust Intelligence, the AI Risk Database has been enhanced with new features and opensourced on GitHub today, in conjunction with new partnership agreements with MITRE and Indiana University that will have the organizations working together to enhance the database's ability to feed automated AI assessment tools.
"We want this to be VirusTotal for AI," says Hyrum Anderson, distinguished ML engineer at Robust Intelligence and co-creator of the database.
The database is meant to help the security community discover and report information about security vulnerabilities lurking in public machine learning (ML) models, he says. The database also tracks other factors in these models that threaten reliability and resilience of AI systems, including issues that can cause brittleness, ethical problems, and AI bias.
As Anderson explains, the tool is under development to deal with what is shaping up to be a looming supply chain problem in the world of AI systems. As with many other parts of the software supply chain, AI systems depend on a host of open source components to run their code. But added into that mix is the additional complexity of dependencies on open source ML models and open source data sets used to train data.
OWASP Lead Flags Gaping Hole in Software Supply Chain Security
The founder and lead of the open-source OWASP's dependency-check project has devised what he thinks is a solution to the problem of securing the software supply chain, using a novel process called binary source validation.
The idea of binary source validation involves inspecting software at a layer deeper than the software's source code, to look at the build artifacts created while coding, and validate them as legitimate, explains long-time software developer Jeremy Long, principal engineer at ServiceNow and an OSWAP guru. He notes that software bills of material (SBOMs) that provide a view into source code simply aren't sufficient security measures.
The kernel of the binary validation idea lies in a well-known 1984 paper entitled "Reflections on Trusting Trust" by Ken Thompson, the co-author of Unix, which outlined the process of compromising a code compiler with a backdoor in such a way that the backdoor does not appear in the published source code. Yet, if a developer uses the compromised compiler to create next version of the software, it injects the backdoor into that compiler. Subsequently, if a developer compiles the OS with the compiler, the backdoor also gets injected into the OS. This scenario is how Thompson himself dropped a backdoor deep into Unix, he revealed in his paper.
FortiGuard AI Detects Continued OSS Supply Chain Hidden in Python Package Index
Python Package Index (PyPI) packages have become a common way for threat actors to post malware that unsuspecting victims may download. The FortiGuard Labs team has been monitoring this attack vector for some time and, earlier this year, began posting a monthly update of the malicious packages we have discovered. Recently, we introduced a new AI engine to our OSS supply chain threats hunting system. We have already discovered several new malicious PyPI attacks using this AI engine assistant.
This report looks at two sets of malicious PyPI packages published in early July. We have bundled them together by author to demonstrate how it is common for the same author to release several similar or even identical malicious packages using different PyPI account IDs. For example, the packages in the first set were written by a threat actor who goes by the handle Josef M and uses the email address “johannes.mayer@yahoo.com.” The second set was written by an author with the PyPI ID “killskids.”
Carderbee hacking group hits Hong Kong orgs in supply chain attack
A previously unidentified APT hacking group named 'Carderbee' was observed attacking organizations in Hong Kong and other regions in Asia, using legitimate software to infect targets' computers with the PlugX malware.
Symantec reports that the legitimate software used in the supply chain attack is Cobra DocGuard, created by Chinese developer' EsafeNet,' and used in security applications for data encryption/decryption.
The fact that Carderbee uses PlugX, a malware family widely shared among Chinese state-backed threat groups, indicates that this novel group is likely linked to the Chinese threat ecosystem.
Malvertising and Adware
Xurum: New Magento Campaign Discovered | Akamai
Digital commerce is a widely targeted industry for cybercriminals in general, but Magento’s widespread popularity has unfortunately made it an especially appealing (and lucrative) target. The most notable specific attack is Magecart, in which the attackers aim to deploy JavaScript-based skimmers to illicitly acquire sensitive user information. These Magecart threat actors take advantage of well-known web vulnerabilities to achieve this acquisition.
There have been at least seven threat groups that have targeted Magento shops since 2015, which speaks to the prominence of the platform and the success the threat actors have achieved through this exploit.
In early 2022, the CVE-2022-24086 vulnerability came to light, enabling attackers to exploit the Magento template engine and execute arbitrary PHP code on susceptible targets. The exploit operates through multiple steps, with common attack vectors involving the abuse of either the check-out process or the wishlist functionality. Since its disclosure, this vulnerability has emerged as a primary entry point for numerous Magecart actors who are targeting vulnerable Magento 2 shops.
Over the past few months, Akamai has been closely monitoring a focused campaign that specifically targets a relatively small number of Magento deployments. We dubbed the campaign Xurum to reference the domain name of the C2 server utilized by the attackers.
Macs are getting compromised to act as proxy exit nodes - Help Net Security
AdLoad, well-known malware that has been targeting systems running macOS for over half a decade, has been observed delivering a new payload that – unbeknown to the owners – enlisted their systems into a residential proxy botnet.
According to AT&T Alien Labs threat intelligence researchers, who analyzed over 150 samples of the malware they found in the wild, many devices are infected.
“Alien Labs has identified over 10,000 IPs reaching out to the proxy servers each week that have the potential to be proxy exit nodes. It is unclear if all these systems have been infected or are voluntarily offering their systems as proxies, but it could be indicative of a bigger infection globally.”
Sneaky Amazon Google ad leads to Microsoft support scam
A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser.
Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results.
The advertisement shows Amazon's legitimate URL, just like in the company's typical search result.
However, clicking on the Google ad will redirect the person to a tech support scam pretending to be an alert from Microsoft Defender stating that you are infected with the ads(exe).finacetrack(2).dll malware.
DarkGate reloaded via malvertising and SEO poisoning campaigns
In July 2023, we observed a malvertising campaign that lured potential victims to a fraudulent site for a Windows IT management tool. Unlike previous similar attacks, the final payload was packaged differently and not immediately recognizable.
The decoy file came as an MSI installer containing an AutoIT script where the payload was obfuscated to avoid detection. Upon analysis and comparison, we determined that this sample was an updated version of DarkGate, a multi purpose malware toolkit first identified in 2018.
Since the malware's obfuscation and encryption features have been recently documented by other researchers, we will focus on two of its web delivery methods, namely the use of malicious ads and search engine poisoning.
The campaigns we observed coincide with an announcement from DarkGate's developer in June as well, boasting about the malware's new capabilities and limited customer seats.
Ransomware
Iranian cloud company accused of hosting cybercriminals, nation-state hackers
An Iranian technology company is providing infrastructure services to ransomware gangs and an array of nation-state hackers, researchers have found.
A report released Tuesday by the cybersecurity firm Halcyon details how the internet service provider Cloudzy accepts cryptocurrency in exchange for the anonymous use of technological services used to carry out cyberattacks.
The company allegedly provides a range of services to prolific ransomware gangs like BlackBasta and Royal while also serving as the backbone of attacks for government hackers from North Korea, Russia, China, India, Pakistan, and Vietnam. The infrastructure is even allegedly used by controversial Israeli spyware vendor Candiru.
ISPs like Cloudzy are called “Command-and-Control Providers” (C2P), which Halcyon described as a “relatively unknown dimension of the ransomware economy.”
The number of ransomware attacks targeting Finland has increased fourfold since the country began the process of joining NATO in 2023.
The news was reported by Recorded Future News which interviewed Sauli Pahlman, the deputy director general for Finland’s National Cyber Security Centre (NCSC).
Finnish officials believe that the surge in the number of attacks is politically motivated.
Vladimir Putin issued multiple warnings that Russia would respond in kind if Nato set up military infrastructure in Finland after they joined the alliance.
In June, the Finnish government expelled nine diplomats from the Russian embassy in Helsinki and accused them of cyber espionage for Moscow.
In October 2022, the Finnish Security Intelligence Service (Suojelupoliisi or SUPO) warned of a highly likely intensification of cyberespionage activities conducted by Russia-linked threat actors over the winter.
At the time, the SUPO pointed out NATO that membership will make the country a privileged target for Russian intelligence and influence operations.
Code leaks are causing an influx of new ransomware actors
Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.
This trend is already continuing this year. Since 2021, there have been multiple leaks of ransomware source code and builders — components that are essential to creating and modifying ransomware. This has had a significant effect on the threat landscape, giving unsophisticated actors the ability to easily generate their own ransomware with little effort or knowledge. As more actors enter this space, Cisco Talos is seeing an increasing number of ransomware variants emerge, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.
Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas.
Talos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone. We also spotted a slight difference in the Vietnamese language ransom note, as it starts with, “Sorry, your file is encrypted!” in contrast to the others that begin with, “Oops, your files are encrypted!” By saying “sorry,” the threat actor may have intended to show a heightened sensitivity toward victims in Vietnam, which could indicate the attackers themselves are Vietnamese.
We further assess the threat actor began this campaign around June 4, 2023, because they joined GitHub and created a public repository called “Ransomware” on that date, which overlaps with the compilation date of the ransomware binary. In the repository, they added ransom note text files in five languages: English, Bulgarian, Vietnamese, Simplified Chinese and Traditional Chinese.
Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today released a new State of the Internet report that spotlights the evolving ransomware landscape. Ransomware on the Move: Exploitation Techniques and the Active Pursuit of Zero-Days finds that the use of Zero-Day and One-Day vulnerabilities has led to a 143% increase in total ransomware victims between Q1 2022 and Q1 2023. The report also found that ransomware groups increasingly target the exfiltration of files, the unauthorized extraction or transfer of sensitive information, which has become the primary source of extortion. This new tactic indicates file backup solutions are no longer a sufficient strategy to protect against ransomware.
According to the report, adversaries are evolving their methods and techniques from phishing to put a greater emphasis on vulnerability abuse. As these adversaries shift tactics, LockBit has dominated the ransomware landscape, from Q4 2021 to Q2 2023, with 39% of total victims - more than triple the number of victims of the second-highest ranked ransomware group. Further analysis shows that the CL0P ransomware group is aggressively developing Zero-Day vulnerabilities, growing its victims by 9x year over year.
Ransomware infection wipes all CloudNordic servers • The Register
CloudNordic has told customers to consider all of their data lost following a ransomware infection that encrypted the large Danish cloud provider's servers and "paralyzed CloudNordic completely," according to the IT outfit's online confession.
The intrusion happened in the early-morning hours of August 18 during which miscreants shut down all of CloudNordic's systems, wiping both company and customers' websites and email systems. Since then, the IT team and third-party responders have been working to restore punters' data — but as of Tuesday, it's not looking great.
Data Breaches / Credential Stuffing
Retail chain Hot Topic discloses wave of credential-stuffing attacks
American apparel retailer Hot Topic is notifying customers about multiple cyberattacks between February 7 and June 21 that resulted in exposing sensitive information to hackers.
Hot Topic is a retail chain specialized in counter-culture clothing and accessories, and licensed music, that has 675 stores across the U.S. It also operates an online shop with nearly 10 million visitors every month, according to data from SimilarWeb.
In a data breach notification today, the company explained that hackers used stolen account credentials and accessed the Rewards platform multiple times, potentially stealing customer data, too.
The company says that the investigation determined that Hot Topic was not the source of the credentials but it could also not find the source.
Tennessee Heart Clinic Tells 170,000 of Hacking, Data Breach
A Tennessee-based cardiac care clinic is notifying more than 170,000 patients and others that hackers may have stolen their sensitive personal and medical information in a cyberattack detected in April. The Karakurt cybercrime group claimed credit for the hack a month later.
In a report filed to Maine's attorney general on Friday, The Chattanooga Heart Institute said that on April 17 it saw indications of a cyberattack on its IT network. The incident affected a total of 170,450 individuals, including five Maine residents, the clinic said.
The entity, which includes three vascular surgeons and 27 cardiologists at four locations in Tennessee and one in Georgia, said in a breach notice posted on its website that a forensics investigation into the incident had determined that an "unauthorized third party" gained access to its network about a month earlier, between March 8 and March 16.
CloudSEK's contextual AI digital risk platform XVigil has discovered a post on an English speaking cybercrime forum, sharing a database of PHI-IIIT Delhi for Forum credits. A total of 82 Databases were compromised and leaked data includes Emails, Name, Year and Internal healthcare & Vaccine development related documents, including research papers and more. It should be noted that a portion of the offered database is accessible for public consumption on the PHI Portal hosted on ERNET (Education and Research Network): ERNET is an autonomous scientific society under the Ministry of Electronics and Information Technology (MeitY) in India.
US govt contractor Serco discloses data breach after MoveIT attacks
Serco Inc, the Americas division of multinational outsourcing company Serco Group, has disclosed a data breach after attackers stole the personal information of over 10,000 individuals from a third-party vendor's MoveIT managed file transfer (MFT) server.
In a breach notification filed with the Office of the Maine Attorney General, Serco said that the information was exfiltrated from the file transfer platform of CBIZ, its benefits administration provider.
The personal information compromised in the attack includes any combination of the following: name, U.S. Social Security Number, date of birth, home mailing address, Serco and/or personal e-mail address, and selected health benefits for the year.
Serco is currently collaborating with CBIZ to investigate the breach and assess the full extent of the incident, focusing on ensuring that the third-party vendor has implemented security measures to prevent future incidents.
According to CBIZ, a cybersecurity firm is also conducting a thorough investigation into the matter.
Serco's client roster includes a long list of U.S. federal agencies, including the Departments of Homeland Security, Justice, and State, as well as U.S. Intelligence Agencies and multiple U.S. Armed Forces branches (e.g., Navy, Army, Marine Corps, Air Force).
Serco is also a contractor for U.S. state and local governments and the Canadian government, and it also provides services to high-profile commercial customers such as Pfizer, Capital One, and Wells Fargo.
The company employs over 50,000 people across 35 countries and has an annual revenue of over $5,7 billion in 2022.
Colorado Department of Higher Education warns of massive data breach
The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in June.
In a 'Notice of Data Incident' published on the CDHE website, the Department says they suffered a ransomware attack on June 19th, 2023.
The data stolen from CDHE is significant, impacting the following students, past students, and teachers who:
The stolen information includes full names, social security numbers, dates of birth, addresses, proof of addresses (statements/bills), photocopies of government IDs, and for some, police reports or complaints regarding identity theft.
Stalkerware slinger LetMeSpy shuts down after data theft • The Register
Stalkerware slinger LetMeSpy will shut down for good this month after a miscreant breached its servers and stole a heap of data in June.
In a notice on its homepage, the Polish Android developer "would like kindly inform you that as of August 31, 2023, the letmespy.com website will cease operations."
According to the surveillance-ware maker, its security was comprehensively smashed on June 21 by persons unknown, who downloaded the entire contents of its website database before deleting that information. After that "data security incident," the developer said it had blocked access to user accounts, "for security reasons."
Identity theft has established itself as the main initial access method for threat actors, according to CrowdStrike.
In its 2023 Threat Hunting Report published during Black Hat USA, CrowdStrike found that 80% of breaches now involved the use of compromised identities, of which 62% involved the abuse of legitimate accounts and 34% of domain or default accounts.
Adam Meyers, CrowdStrike’s senior VP of intelligence, estimated that advances in enterprise security, especially endpoint detection and response (EDR) solutions, “made it more difficult for threat actors, ransomware groups as well as nation-state groups, to accomplish their goals, bring their own tools and stay in one particular network without getting detected.”
Missouri warns that health info was stolen in IBM MOVEit data breach
Missouri's Department of Social Services warns that protected Medicaid healthcare information was exposed in a data breach after IBM suffered a MOVEit data theft attack.
The attack was conducted by the Clop ransomware gang, who began hacking MOVEit Transfer servers on May 27th using a zero-day vulnerability tracked as CVE-2023-34362.
These attacks allowed the threat actors to steal data from over 600 companies worldwide, including companies, educational orgs, federal government agencies, and local state agencies.
Even more UK cops step forward with data leak confessions • The Register
Norfolk and Suffolk police have stepped forward to admit that a “technical issue” resulted in raw data pertaining to crime reports accidentally being included in Freedom of Information responses.
The latest blunder follows a litany of recent errors elsewhere in the forces: Police Service in Northern Ireland (PSNI) last week confirmed it unwittingly exposed a spreadsheet containing details of serving police officers; and this week Cumbria constabulary said it mistakenly published the names, salaries and allowances for all officers and staff online.
Today in a joint statement, Norfolk and Suffolk constabularies – based in the east of England – say they "identified an issue relating to a very small percentage of responses to Freedom of Information Requests for crime statistics, issued between April 2021 and March 2022."
So far, Norfolk and Suffolk police reckon that data has not been accessed by anyone outside of policing, nevertheless the UK's data watchdog, the Information Commissioner's Office, was notified of the leak.
Tesla Discloses Data Breach Related to Whistleblower Leak - SecurityWeek
Tesla told US authorities that a data breach discovered in May resulted in the exposure of the personal information, including social security numbers, of more than 75,700 individuals.
A notification letter sent to impacted people reveals that the data breach is related to a couple of former employees sending confidential information to German media outlet Handelsblatt. Tesla said the ex-workers “misappropriated the information in violation of Tesla’s IT security and data protection policies”.
The compromised information includes names, contact information, and employment-related records associated with current and former employees. Impacted individuals are being offered credit monitoring and identity protection services.
The leak came to light in May, when Handelsblatt reported that it had received 100 Gb of confidential Tesla data from a whistleblower. The newspaper said Tesla had failed to adequately protect employee, customer and partner data.
The leaked files, dubbed ‘Tesla Files’, reportedly included information on more than 100,000 current and former employees, customer bank details, production secrets, and customer complaints regarding driver assistance systems.
Handelsblatt has assured Tesla that it does not intend to publish the personal data provided by the whistleblower.
The Metropolitan Police were on red alert tonight after details of officers and staff were hacked in a massive security breach. All 47,000 personnel were warned of the risk their photos, names and ranks had been stolen when cyber crooks penetrated the IT systems of a contractor printing warrant cards and staff passes.
Cryptocurrency
Kroll data breach exposes info of FTX, BlockFi, Genesis creditors
Multiple reports on social media warn of a data breach at financial and risk advisory company Kroll that resulted in exposing to an unauthorized third-party the personal data of some credit claimants.
Kroll, who is facilitating claims for insolvent companies FTX, BlockFi, and Genesis Global Holdco, has confirmed that one of its employees was the victim of a SIM-swapping attack.
Hackers stole the Kroll employee's phone number and used it to gain access to some files with personal data of bankruptcy claimants.
FTX and BlockFi posted on X today that a security incident at Kroll involving unauthorized third-party access on its systems exposed “limited, non-sensitive customer data of specific claimants.”
Although the nature of exposed data are not explicitly mentioned, the two companies clarify that user passwords and client funds haven’t been impacted, as neither FTX’s nor BlockFi’s systems were directly breached.
Also, both state that Kroll will notify impacted individuals directly, and the company has already contained and remediated the incident.
Founders of crypto mixer arrested, sanctioned after US cracks down on Tornado Cash | AP News
WASHINGTON (AP) — U.S. government officials on Wednesday started cracking down on the co-founders of the virtual currency mixer Tornado Cash, just days after a federal judge decided that the government had the authority to sanction them.
Treasury’s Office of Foreign Assets Control sanctioned Russian national Roman Semenov, one of the three co-founders of Tornado Cash, for allegedly supporting the North Korean hacking organization Lazarus Group, among other things.
Also Wednesday, the Justice Department unsealed an indictment charging Semenov and Tornado Cash co-founder Roman Storm, from Auburn, Washington, with conspiracy to commit money laundering, operating an unlicensed money-transmitting business and other crimes. Storm was arrested in Washington on Wednesday by federal officials.
Semenov is believed to be in Dubai.
Tornado Cash and other mixing services combine various digital assets, including potentially illegally obtained funds along with legitimately obtained funds, so that illegal actors can obscure the origin of the stolen funds.
Hacks against DeFi platforms result in theft of millions | SC Media
Decentralized finance platforms Exactly Protocol and Harbor Protocol had millions worth of cryptocurrency stolen in separate cyberattacks, reports The Record, a news site by cybersecurity firm Recorded Future. Exactly Protocol disclosed that it had lost $7.3 million worth of ETH in the attack, which it confirmed to be investigating since Aug. 18. Aside from attempting to communicate with threat actors behind the intrusion, Exactly noted that it has been working with Chainalysis and other experts in investigating the incident. Moreover, Exactly said that it will be addressing the vulnerability that was leveraged in compromising the DeFi protocol while giving a reward worth $700,000 for tips regarding the platform's hackers. Another cyberattack was reported by ComDex's DeFi tool Harbor Protocol on Aug. 19, although specifics regarding the value of pilfered cryptocurrency remain uncertain. Harbor has called on users to assist in tracing the stolen funds but users have expressed disappointment over the platform's lack of communication regarding the incident. PeckShield has reported that cyberattacks against crypto platforms have resulted in the theft of almost $500 million during the first six months of 2023.
Couple admit laundering $4B of stolen Bitfinex Bitcoins • The Register
Ilya Lichtenstein and Heather Morgan on Thursday pleaded guilty to money-laundering charges related to the 2016 theft of some 120,000 Bitcoins from Hong Kong-based Bitfinex.
The Feds arrested Lichtenstein, 35, and Morgan, 33, in February 2022 following the US government's tracing of about 95,000 of the stolen BTC – worth about $3.6 billion at the time and $2.8 billion today – to digital wallets controlled by the married couple.
The Justice Department at the time described the seizure as the largest ever and has since recovered an additional $475 million.
Lichtenstein, a Russian national, founded MixRank, a marketing firm, and Endpass, a decentralized identity platform, and owned a single-member investment entity called Demandpath. Morgan was the CEO of SalesFolk, a marketing firm, and briefly became something of an internet celebrity for her entrepreneurial rapping under the name Razzlekhan.
FBI Warns of Cryptocurrency Heists by North Korea's Lazarus Group
The FBI has tracked hundreds of millions of dollars in cryptocurrency stolen by the Democratic People's Republic of Korea (DPRK) TraderTraitor-affiliated actors, more commonly referred to as Lazarus Group or APT38, and is now warning cryptocurrency companies of this malicious blockchain activity.
In an investigation, the FBI found that these threat actors moved 1,580 bitcoins from multiple cryptocurrency heists and are holding the funds in six different bitcoin addresses. The group may attempt to cash out the stolen cryptocurrency, amounting to more than $40 million.
This cybercrime group was also responsible for multiple high-profile heists in June spanning multiple countries, including $60 million of the virtual currency from Alphapo, $37 million from CoinsPaid, and $100 million from Atomic Wallet.
Threat Actor Exploits Zero-Day in WinRAR to Target Crypto Accounts
A threat actor with possible connections to Russia's financially motivated Evilnum group is targeting users in online cryptocurrency trading forums via a now-patched bug in the popular WinRAR file compression and archiving utility.
The bug, tracked as CVE-2023-38831, allowed the attackers to hide malicious code in zip archives masquerading as ".jpg," ".txt," and other file formats, and then distribute them in online cryptocurrency trading forums.
The attacks have been going on since at least April — some three months before researchers at Group-IB discovered the vulnerability and reported it to Rarlab, the company that develops and distributes WinRAR.
Other Headlines
Hackers steal Signal, WhatsApp user data with fake Android chat app
Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones.
The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with their latest attacks conducted mainly through spear phishing messages on WhatsApp that send the malicious payloads directly to the victim.
Also, the CYFIRMA's analysts highlight several TTP similarities to another Indian state-sponsored threat group, the 'DoNot APT' (APT-C-35), that has previously infested Google Play with fake chat apps acting as spyware.
Late last year, ESET reported that the Bahamut group was using fake VPN apps for the Android platform that included extensive spyware functions.
In the latest campaign observed by CYFIRMA, Bahamut targets individuals in South Asia.
Hackers use open source Merlin post-exploitation toolkit in attacks
Ukraine is warning of a wave of attacks targeting state organizations using 'Merlin,' an open-source post-exploitation and command and control framework.
Merlin is a Go-based cross-platform post-exploitation toolkit available for free via GitHub, offering extensive documentation for security professionals to use in red team exercises.
It offers a wide range of features, allowing red teamers (and attackers) to obtain a foothold on a compromised network.
However, as we saw with Sliver, Merlin is now being abused by threat actors who use it to power their own attacks and spread laterally through compromised networks.
Passwordless is more than a buzzword among cybersecurity pros - Help Net Security
Password security remains highly relevant even as cybersecurity strategies move toward a passwordless future. Of the 100 Black Hat USA 2023 attendees Delinea polled, 54% said passwordless is a viable concept, while 79% agreed that passwords are evolving or becoming obsolete.
When asked how they protect their passwords, most attendees surveyed indicated they use an additional authentication method to secure their credentials and identity. 73% use some form of multi-factor authentication (MFA), 57% specifically indicated they use an authenticator app and 40% use biometrics.
52% use a password manager, while 34% use a PAM solution to store passwords securely. One in five (21%) indicated they are using passkeys now instead of or in addition to passwords.
Ukrainian hackers claim to leak emails of Russian parliament deputy chief
Ukrainian hackers claim to have broken into the email account of a senior Russian politician and exposed documents that allegedly prove his involvement in money laundering and sanction evasion schemes.
A group calling itself Cyber Resistance leaked 11 GB of emails allegedly belonging to Alexander Babakov, a deputy chairman of Russia’s parliament, and made them public on Monday. Recorded Future News was not able to immediately corroborate the claim or verify the authenticity of the documents, but the leak contains scans of Babakov’s passport, tax and financial documents, as well as his medical records.
Babakov has close ties to the Kremlin. He was appointed as special presidential representative to Russia by Vladimir Putin in 2012 and was the leader of Rodina, a nationalist political party in Russia, in 2006. Babkov was sanctioned by the EU, Canada and Switzerland in 2014, and has been subject to U.S. sanctions since 2017.
"Mysterious Team Bangladesh" Targeting India with DDoS Attacks and Data Breaches
A hacktivist group known as Mysterious Team Bangladesh has been linked to over 750 distributed denial-of-service (DDoS) attacks and 78 website defacements since June 2022.
"The group most frequently attacks logistics, government, and financial sector organizations in India and Israel," Singapore-headquartered cybersecurity firm Group-IB said in a report shared with The Hacker News. "The group is primarily driven by religious and political motives."
Some of the other targeted countries include Australia, Senegal, the Netherlands, Sweden, and Ethiopia.
In addition, the threat actor is said to have gained access to web servers and administrative panels, likely by exploiting known security flaws or poorly-secured passwords.
Clorox cleans up security breach that disrupted operations • The Register
The Clorox Company has some cleaning up to do as some of its IT systems remain offline and operations "temporarily impaired" following a security breach.
In a filing Monday to the SEC, America's financial watchdog, the cleaning giant disclosed "unauthorized activity" in its networks.
The intrusion continues to disrupt "parts of the company's business operations," and it is "working diligently to respond to and address this issue, and is also coordinating with law enforcement," according to the Form 8-K submission.
The manufacturer has also hired third-party cybersecurity firms to help probe the mess and aid in the IT scrubbing efforts.
Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures
A Russia-nexus adversary has been linked to 94 new domains starting March 2023, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities.
Cybersecurity firm Recorded Future linked the revamped infrastructure to a threat actor it tracks under the name BlueCharlie, a hacking crew that's broadly known by the names Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446. BlueCharlie was previously given the temporary designation Threat Activity Group 53 (TAG-53).
"These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers," the company said in a technical report shared with The Hacker News.
BlueCharlie is assessed to be affiliated with Russia's Federal Security Service (FSB), with the threat actor linked to phishing campaigns aimed at credential theft by making use of domains that masquerade as the login pages of private sector companies, nuclear research labs, and NGOs involved in Ukraine crisis relief. It's said to be active since at least 2017.
MoustachedBouncer: Espionage against foreign diplomats in Belarus
MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in this blogpost. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.
Ukraine Fends Off Sandworm Battlefield Espionage Ploy
Ukrainian cyber defenders said they had thwarted an attempt by Russian military intelligence to deploy widespread malware programmed to spy on battlefield management apps.
The Security Service of Ukraine, known as the SBU, and military investigators said Russian hackers known as Sandworm operating in the GRU Main Intelligence Directorate had planned a campaign based on at least seven custom-coded Android malware packages.
Ukraine uses a variety of apps to manage the battlefield and improve artillery targeting. In a report published Tuesday, Kyiv authorities said Sandworm had obtained Ukrainian military mobile devices captured on the battlefield.
Russian hackers' preparation for the malware campaign was "long-term and thorough," the SBU said. Among their targets were communications made over the Starlink satellite system, the mega-constellation of 3,500 satellites in low Earth orbit used by Kyiv for military communications, including with drones to identify Russian targets and guide artillery strikes (see: Pentagon to Pay Starlink for Ukraine's Satellite Broadband). Malware Ukraine identifies as STL is designed to collect communications made through Starlink.
Chinese Espionage Group Active across Eastern Europe
A Chinese state-sponsored hacking group likely deployed more than a dozen malware variants to target critical infrastructure across Eastern European as part of an espionage campaign, warns security firm Kaspersky.
In a report analyzing the group's activities, Kaspersky researchers uncovered 15 malware variants used by the group since 2022 to target industrial organizations across Eastern Europe.
Kaspersky attributed the activity, with medium to high confidence, to APT31, also known as Violet Typhoon - formerly Zirconium - and Judgment Panda. The group specializes in intellectual property theft. Security researchers from Mandiant said in a July report that they had spotted APT31 targeting air-gapped networks to steal information for oil and gas organizations across the world.