A mysterious Sandman rises in the Middle East
New threat actor linked to attacks targeting telecommunication service providers
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition's top stories -
↘️ The Signal Foundation, maker of the Signal Protocol that’s used in apps such as Signal, WhatsApp, and Google’s RCS-based Messages app for Android, has rolled out an upgrade to its initial key agreement (PQXDH) to make the handshake quantum resistant. In a related development, Meta has hit back at the U.K. government, which criticized the company’s plans to encrypt messages in Messenger and Instagram Direct and said that rolling out end-to-end encryption on its platforms was “not to come at a cost to our children’s safety.” The National Crime Agency (NCA) has warned the plans could “massively reduce our collective ability” to protect children. [The Hacker News / Ars Technica / BBC News / TechCrunch]
↘️ A mysterious new threat actor named Sandman has been linked to attacks targeting telecommunication service providers in the Middle East, Western Europe, and South Asia, using a modular info-stealing malware called LuaDream. The attacks are characterized by a cautious and deliberate approach: minimal and strategic movements within infected networks, with the larger goal of minimizing detection risk. Sandman joins a growing list of advanced attackers such as ShroudedSnooper targeting telecom companies for espionage, using unique, sophisticated backdoors that are challenging to detect. Telecom companies have long been a lucrative target for threat actors because of the opportunities they provide for conducting broad cyber espionage. The discovery also highlights the evolving threat landscape, with previously unseen actors deploying cutting-edge tools to pursue their objectives. Sandman’s origins and motivations currently remain unknown. [The Hacker News]
↘️ Jake Appelbaum’s PhD thesis contains several new revelations from the classified NSA documents provided to journalists by whistleblower Edward Snowden. While these revelations go back a decade, they show that the NSA compromised Russia’s lawful interception infrastructure, SORM, listed the Tibetan government in exile as one of the targets of its PRISM program, and that Afghanistan was among the countries affected by MYSTIC. [Computer Weekly / Electrospaces]
↘️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the 1,000th bug to its Known Exploited Vulnerabilities (KEV) catalog this week after nine new issues were spotlighted. [The Hacker News]
↘️ Abraham Teklu Lemma, a U.S. government contractor who was born in Ethiopia, has been arrested on charges of passing on classified national defense information to an Ethiopian intelligence agency official using an unnamed encrypted messaging app. Lemma worked as an IT administrator for the Department of State, and as a Management Analyst for the Department of Justice, enabling him to use his TOP SECRET security clearance to access sensitive documents. [Department of Justice / Department of State]
↘️ A Russian man living in Hong Kong has been taken into U.S. custody and charged with smuggling large quantities of American-made military-grade microelectronics to Russia. “[Maxim Marchenko] employed a web of shell companies as part of an overseas smuggling ring to ship dual-use U.S. technology with military applications to Russia in contravention of U.S. law,” the U.S. government said. [Department of Justice]
↘️ A security flaw in the librsvg library (CVE-2023-38633) can be exploited to leak sensitive files by means of a directory traversal issue when rendering an SVG vector image. The problem is a parser differential: the URL referenced by the image is validated with one URL parser, but the content is then loaded through Gio’s built-in URI handling in GLib, which interprets the same string differently, so a reference that passes validation can still resolve to a file outside the intended directory. [Canva]
↘️ Password manager service LastPass is now urging customers to choose a strong master password after reports that miscreants have likely succeeded at cracking open some of the LastPass vaults stolen in the data breach late last year. However, the move is unlikely to win over critics, who say the company failed to enforce stricter password requirements in the first place. [KrebsOnSecurity]
↘️ The U.S. state of California has passed the Delete Act, giving individuals the right to request data deletion, including from data brokers, by January 1, 2026. Specifically, it requires the California Privacy Protection Agency (CPPA) to set up an “accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.” [California Legislative Information]
↘️ Apple AirTags are a handy way to keep tabs on everyday things. Unsurprisingly, they have also been put to use by stalkers and, now, by weapons dealers to keep an eye on illicit gun shipments. [Forbes]
↘️ The Pakistan government is urging companies in the country to avoid using software from Indian firms, citing the possibility that it may contain backdoors or malware that could collect logs, traffic data for analysis, and personally identifiable information. [Geo News]
↘️ A group of academics have demonstrated a method that eavesdrops on individual numeric keystrokes with an accuracy of up to 90%, recovers 6-digit numerical passwords with an accuracy of 85%, and complex app passwords with an accuracy of roughly 66%, by capturing perturbations in the wireless network’s radio signals observed during key presses using tools like Wireshark. The proposed approach, dubbed WiKI-Eve, exploits BFI (beamforming feedback information), a feature introduced with Wi-Fi 5 (802.11ac) in 2013 in which the device sends channel state information back to the access point in cleartext, thereby opening the door to interception attacks. A separate research method called Wi-BFI leverages the same loophole to reconstruct the feedback information. The developments come as UC Santa Barbara researchers discovered it’s possible to use Wi-Fi signals to image still objects and likely read text. The novel technique has been dubbed Wiffract. [arXiv / UC Santa Barbara]
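The bug class behind the librsvg issue, as an added example (this is not librsvg’s code, and the file names and base directory are constructed for illustration): a validator that reasons about the URL string and a loader that reasons about the percent-decoded filesystem path disagree about what `..%2F..%2F` means. The hardened version decides on the fully resolved path rather than on the input string.

```python
import os
from urllib.parse import urlsplit, unquote

# Added illustration of a validate/load parser differential (not librsvg's code).
# Assumed base directory: /srv/svg. The hrefs below are constructed test inputs.

def _validate_relative_href(href: str) -> None:
    """String-level check: relative reference whose URL path has no '..' segment."""
    parts = urlsplit(href)
    if parts.scheme or parts.netloc:
        raise ValueError("absolute URLs are not allowed")
    if ".." in parts.path.split("/"):
        raise ValueError("parent-directory segment rejected")

def resolve_vulnerable(base_dir: str, href: str) -> str:
    """Validate the encoded URL, then load using the percent-decoded path.

    The validator never sees '..' because it is encoded as %2F-separated text;
    the loader decodes it and happily walks out of base_dir.
    """
    _validate_relative_href(href)
    decoded = unquote(urlsplit(href).path)          # now '../../etc/passwd'
    return os.path.normpath(os.path.join(base_dir, decoded))

def resolve_hardened(base_dir: str, href: str) -> str:
    """Decide on the final resolved filesystem path, not on the input string."""
    _validate_relative_href(href)                   # early reject only, not trusted
    decoded = unquote(urlsplit(href).path)
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, decoded))
    # Containment check after realpath: '..' and symlinks are already collapsed.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"{href!r} escapes {root}")
    return target

if __name__ == "__main__":
    base = "/srv/svg"                                # assumed content root
    for href in ("images/logo.png", "..%2F..%2Fetc/passwd"):
        print("vulnerable:", href, "->", resolve_vulnerable(base, href))
        try:
            print("hardened:  ", href, "->", resolve_hardened(base, href))
        except ValueError as e:
            print("hardened:  ", href, "-> rejected:", e)
```

The fix pattern generalizes beyond SVG: whenever a reference is checked in one representation (URL, encoded, pre-symlink) and used in another (path, decoded, post-symlink), the check must be redone on the representation that is actually used.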
↘️ Cybersecurity experts have exposed a web of complex cyber-espionage attacks targeting a government in Southeast Asia. What was initially thought to be the work of a single actor later revealed that the attacks were orchestrated by three separate and distinct clusters of threat actors, namely Mustang Panda, Alloy Taurus, and Gelsemium. [The Hacker News]
↘️ Tibetan, Uyghur, and Taiwanese individuals and organizations are the targets of a persistent and prolonged campaign orchestrated by a threat actor codenamed EvilBamboo to gather sensitive information. [The Hacker News]
↘️ Recently identified Xenomorph Android banking trojan samples show an expanded target list that now includes U.S. financial institutions. Initially detailed in February 2022 and likely linked to the infamous banking trojan Alien, the malware relies on overlays to steal users’ personal and login information. It also ships an Automated Transfer System (ATS) framework that supports a wide range of actions that can be chained into sequences to manipulate infected devices, harvest information, disable security features, and hide the malicious activity. In an interesting twist, the server hosting the malware also includes Windows-based stealer malware such as LummaC2 and RisePro, suggesting that the server might be part of a distribution service. [The Hacker News]
↘️ The Middle East has once again found itself in the crosshairs of a new cybersecurity threat called Deadglyph, a sophisticated backdoor deployed by a hacking outfit called Stealth Falcon. The revelation adds another layer of complexity to the enigmatic group’s toolkit, which has in the past targeted people critical of the Arab monarchy. The discovery of Deadglyph also shines a spotlight on the ever-evolving tactics of APT groups, incorporating intricate architecture, dynamic modules, and counter-detection mechanisms that make it a formidable digital threat. [The Hacker News]
↘️ A new cybercrime group called ShadowSyndicate has emerged from the shadows to distribute and manage seven different ransomware families since July 2022. What makes it a little different from other groups is the sheer breadth of ransomware families distributed in a single year. While affiliates are an indispensable cog in the RaaS ecosystem, it’s relatively rare to observe a group that’s so broad in scope. That said, the presence of ShadowSyndicate in a space that’s already crowded with a growing number of threat actors is an indication of the continuing monetary returns that can be pocketed via ransomware attacks. [The Hacker News]
↘️ Hackers backed by the Chinese government known as BlackTech are planting malware into routers and network edge devices that provides long-lasting and hard-to-detect backdoor access to the networks of multinational companies in Japan and the U.S. By using firmware implants, the objective is to stay hidden and silently hop around the corporate networks of its targets. Active since 2007, the actor has traditionally used custom malware, dual-use tools, and living-off-the-land tactics to conceal its operations and stake a foothold inside Windows, Linux, and FreeBSD systems. The bespoke malware strains are lent an air of legitimacy by stolen code-signing certificates and are constantly updated in order to evade antivirus detection. The ultimate goal is to obtain administrator privileges over vulnerable network routers, then perform a downgrade attack by installing an older firmware and hot patching it in memory to incorporate an SSH backdoor. Because the implant lives below the operating system the router reports, defenders should verify firmware and bootloader integrity out of band rather than trusting what the device says about itself. [The Hacker News]
↘️ A sophisticated Chinese cyber-espionage campaign targeting Microsoft Outlook accounts gave Beijing access to some 60,000 unclassified emails after the intruders broke into the accounts of 10 U.S. State Department officials over the summer. Data stolen from the inboxes reportedly included travel itineraries, diplomatic deliberations, and the 10 officials’ Social Security numbers. The attack has been attributed to an adversary Microsoft tracks as Storm-0558, which forged authentication tokens using a stolen Microsoft account (MSA) consumer signing key. [Reuters]
↘️ Operation Zero, a Russian zero-day acquisition firm, announced that it is offering up to $20 million for full exploit chains targeting Android and iOS devices due to “high demand on the market.” It also noted that “the end user is a non-NATO country.” Zero-day acquisition firms typically purchase exploits targeting unreported vulnerabilities in software to sell them to government agencies or private organizations, which are then put to use for spying on specific targets, or are incorporated by surveillanceware vendors into their products, which are then sold to authoritarian regimes for espionage purposes. [Operation Zero / TechCrunch]
↘️ In the latest assault on the software supply chains, attackers managed to slip in malicious code updates to hundreds of GitHub repositories by using stolen access tokens to commit rogue changes and then used the name of a well-known tool, Dependabot, to convince developers to accept those updates. [The Hacker News / Dark Reading]
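One way to hunt for this impersonation pattern in a checkout, as an added example (not code from the Checkmarx or GitHub reports): genuine Dependabot commits are created server-side by GitHub and carry GitHub’s web-flow GPG signature (long key ID 4AEE18F83AFDEB23, the “Verified” badge), so a commit whose author fields merely claim `dependabot[bot]` but which is unsigned or signed by some other key deserves a second look. The script assumes `git` and `gpg` are available and that GitHub’s public key has been imported; without it `%G?` reports `E` or `U` rather than `G`. The sample log lines and SHAs are constructed.

```python
import subprocess
from dataclasses import dataclass

# Added example, not from the original report. Heuristic: a commit that presents
# as Dependabot must carry a *good* signature from GitHub's web-flow key.
DEPENDABOT_NAMES = {"dependabot[bot]", "dependabot-preview[bot]"}
GITHUB_WEBFLOW_KEY = "4AEE18F83AFDEB23"          # GitHub's web-flow GPG key (long ID)
# %x1f = unit-separator byte, %G? = signature status, %GK = signing key ID, %s = subject
LOG_FORMAT = "%H%x1f%an%x1f%ae%x1f%G?%x1f%GK%x1f%s"

@dataclass
class Finding:
    sha: str
    author: str
    email: str
    sig_status: str   # G good, B bad, U untrusted, N none, E cannot check, X/Y/R expired/revoked
    key_id: str
    subject: str

def parse_git_log(text: str) -> list[Finding]:
    """Turn `git log --format=LOG_FORMAT` output into Finding records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, email, status, key, subject = line.split("\x1f", 5)
        out.append(Finding(sha, author, email, status, key, subject))
    return out

def claims_dependabot(f: Finding) -> bool:
    return f.author in DEPENDABOT_NAMES or "dependabot" in f.email.lower()

def suspicious_dependabot_commits(text: str) -> list[Finding]:
    """Commits that look like Dependabot but lack GitHub's good web-flow signature."""
    return [
        f for f in parse_git_log(text)
        if claims_dependabot(f)
        and not (f.sig_status == "G" and f.key_id.upper().endswith(GITHUB_WEBFLOW_KEY))
    ]

def scan_repo(path: str, rev_range: str = "HEAD") -> list[Finding]:
    """Run git log on a checkout and return the suspicious commits (needs git + gpg)."""
    proc = subprocess.run(
        ["git", "-C", path, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    )
    return suspicious_dependabot_commits(proc.stdout)

# Constructed sample: a genuine-looking signed commit, an unsigned impostor, a human commit.
SAMPLE_LOG = "\n".join([
    "\x1f".join(["a" * 40, "dependabot[bot]",
                 "49699333+dependabot[bot]@users.noreply.github.com",
                 "G", "4AEE18F83AFDEB23", "Bump lodash from 4.17.20 to 4.17.21"]),
    "\x1f".join(["b" * 40, "dependabot[bot]", "dependabot@example.invalid", "N", "", "fix"]),
    "\x1f".join(["c" * 40, "Alice Dev", "alice@example.com", "N", "", "Add CI job"]),
])

if __name__ == "__main__":
    for f in suspicious_dependabot_commits(SAMPLE_LOG):
        print(f"SUSPECT {f.sha[:12]} {f.author} <{f.email}> sig={f.sig_status} {f.subject!r}")
```

The signature check is the part that matters: author name and email are free-form strings anyone with push access can set, while the web-flow signature can only come from GitHub. In CI, run `scan_repo(".", "origin/main..HEAD")` and fail the build on any finding.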
↘️ Sebastien Raoult, aka Sezyo Kaizen, a French citizen and member of the notorious ShinyHunters cybercrime group, has pleaded guilty in a U.S. court to fraud and identity theft charges. He was arrested last year in Morocco and extradited to the U.S. in January. Raoult and his co-conspirators have been accused of hacking into over 60 companies between April 2020 and July 2021, and stealing confidential information and customer records, which were then sold on dark web forums for profit. The theft was perpetrated by setting up bogus login pages, links to which were sent via phishing emails to targets. [Department of Justice]
↘️ An Israeli surveillanceware company called Cytrox used three recently disclosed Apple zero-day vulnerabilities to fashion an exploit chain for iPhones that was delivered to targets in Egypt when they visited plain-HTTP sites, resulting in the surreptitious deployment of the Predator spyware. The adversary-in-the-middle (AitM) attack redirected targets to an actor-controlled site that dropped the exploit chain without requiring any interaction beyond loading the page, marking a troubling development in the realm of cyber espionage. Because the injection depended on the victim fetching an unencrypted HTTP page, an HTTPS-only browsing mode would have blocked this delivery vector. [The Hacker News]
↘️ A new study has discovered nearly 100,000 exposed industrial control systems (ICS) owned by organizations spanning 96 countries, potentially allowing an attacker to access and control physical infrastructure such as power grids, traffic light systems, security and water systems, and more. The number is down from 140,000 reported in 2019. The top 10 impacted countries are the U.S., Canada, Italy, the U.K., France, the Netherlands, Germany, Spain, Poland and Sweden. The most impacted sectors are education, technology, government, business services, manufacturing, utilities, real estate, energy, tourism, and finance. [BitSight]
↘️ The U.S. government has issued a warning about a rising ransomware trend in which separate attacks are conducted just hours or days apart, a phenomenon known as “dual ransomware attacks.” Such second ransomware attacks against already compromised entities could exacerbate the impact, it said. [The Hacker News]
↘️ While the full impact of an actively exploited MOVEit Transfer flaw is still being mapped out, estimates show that more than 2,300 organizations have been affected to date, making it one of the largest hacks this year. But even as the ripple effects are still being felt, another set of critical flaws in Progress Software’s WS_FTP Server product has come under active exploitation. This underscores the continued downward trend in the time it takes threat actors to exploit vulnerabilities, a metric called the time-to-exploit. [The Hacker News / Mandiant]
↘️ Major Linux distributions such as Debian, Fedora, and Ubuntu are affected by a GNU C Library (glibc) vulnerability called Looney Tunables (CVE-2023-4911), a buffer overflow in the dynamic loader’s (ld.so) parsing of the GLIBC_TUNABLES environment variable that can hand a local attacker full root privileges, with unauthorized data access, alteration, and potential data theft as a consequence. The tunables mechanism lets users fine-tune the library’s behavior at runtime, and the variable is parsed by every dynamically linked program, setuid binaries included; the bug itself was introduced in glibc 2.34 (April 2021). Because the vulnerability is relatively easy to exploit, Qualys has deliberately withheld its proof-of-concept (PoC) code. “A successful exploit can allow attackers to gain root privileges, enabling unauthorized data access, alteration or deletion and potentially leveraging further attacks by escalating privileges,” Qualys said. [The Hacker News / Dark Reading / Decipher]
↘️ The Linux Foundation has announced OpenPubkey, an open-source cryptographic protocol to help boost software supply chain security. “OpenPubkey enables users to securely and accurately bind cryptographic keys to users and workloads by turning an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA),” it said. [The Linux Foundation]
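The binding trick OpenPubkey relies on, as an added example that is not OpenPubkey’s own code: the client generates a key pair, commits to its public key inside the OIDC `nonce` claim, and the IdP signs the resulting ID token without ever knowing it has issued something that functions as a certificate. A verifier checks the IdP signature, recomputes the nonce from the client-supplied commitment, and only then trusts the user key. Two stand-ins keep it stdlib-only and are assumptions of this example, not of OpenPubkey: the IdP signs with HMAC-SHA256 (real IdPs use RS256/ES256 with published JWKS), and the user key is a Lamport one-time signature instead of ECDSA/RSA. The issuer, audience and subject values are constructed.

```python
import base64, hashlib, hmac, json, os, secrets

# Added example of the nonce-commitment idea, not OpenPubkey's implementation.
def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- Lamport one-time signature: a real public-key scheme using only hashes (stand-in) ---
def lamport_keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[hashlib.sha256(x).digest() for x in pair] for pair in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes) -> list:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [sk[i][(h >> (255 - i)) & 1] for i in range(256)]   # reveal one preimage per bit

def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == pk[i][(h >> (255 - i)) & 1] for i in range(256))

def pk_encode(pk) -> str:
    return b64url(b"".join(x for pair in pk for x in pair))

def pk_decode(s: str):
    raw = unb64url(s)
    parts = [raw[i:i + 32] for i in range(0, len(raw), 32)]
    return [[parts[2 * i], parts[2 * i + 1]] for i in range(256)]

# --- Mock IdP: issues a JWT; HS256 stands in for RS256 (assumption of this example) ---
IDP_SECRET = secrets.token_bytes(32)

def idp_issue_id_token(sub: str, nonce: str) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://idp.example", "sub": sub, "aud": "openpubkey-demo", "nonce": nonce}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def idp_verify_id_token(token: str) -> dict:
    signing_input, sig = token.rsplit(".", 1)
    expected = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad IdP signature")
    return json.loads(unb64url(signing_input.split(".")[1]))

# --- Client side: commit to the user key in the nonce, keep the opening (CIC) alongside ---
def commit_nonce(upk: str, alg: str, rz: str) -> str:
    return b64url(hashlib.sha256(f"{upk}|{alg}|{rz}".encode()).digest())

def client_make_pk_token(sub: str):
    sk, pk = lamport_keygen()
    upk, rz = pk_encode(pk), b64url(os.urandom(16))
    nonce = commit_nonce(upk, "LAMPORT", rz)
    id_token = idp_issue_id_token(sub, nonce)       # in reality: OIDC auth flow with this nonce
    return {"id_token": id_token, "cic": {"upk": upk, "alg": "LAMPORT", "rz": rz}}, sk

def sign_with_pk_token(sk, msg: bytes) -> str:
    return b64url(b"".join(lamport_sign(sk, msg)))

def verify_pk_token_signature(pk_token: dict, msg: bytes, sig_b64: str, expected_sub: str) -> bool:
    claims = idp_verify_id_token(pk_token["id_token"])          # 1. IdP really signed it
    cic = pk_token["cic"]
    if claims["nonce"] != commit_nonce(cic["upk"], cic["alg"], cic["rz"]):
        return False                                             # 2. nonce commits to this key
    if claims["sub"] != expected_sub:
        return False                                             # 3. identity we expected
    raw = unb64url(sig_b64)
    sig = [raw[i:i + 32] for i in range(0, len(raw), 32)]
    return lamport_verify(pk_decode(cic["upk"]), msg, sig)      # 4. user key signed the message

def run_demo() -> dict:
    """A valid PK-token signature, then three tampered cases that must fail."""
    tok, sk = client_make_pk_token("alice@idp.example")
    msg = b"deploy image sha256:deadbeef"
    sig = sign_with_pk_token(sk, msg)
    _, attacker_pk = lamport_keygen()
    swapped = {"id_token": tok["id_token"], "cic": dict(tok["cic"], upk=pk_encode(attacker_pk))}
    return {
        "valid": verify_pk_token_signature(tok, msg, sig, "alice@idp.example"),
        "wrong_msg": verify_pk_token_signature(tok, b"deploy something else", sig, "alice@idp.example"),
        "swapped_key": verify_pk_token_signature(swapped, msg, sig, "alice@idp.example"),
        "wrong_sub": verify_pk_token_signature(tok, msg, sig, "mallory@idp.example"),
    }

if __name__ == "__main__":
    print(run_demo())
```

The `swapped_key` case is the one that shows why the nonce matters: an attacker who steals a valid ID token cannot attach their own key to it, because the IdP-signed nonce no longer opens to the substituted public key.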
↘️ Mozilla has turned on Encrypted Client Hello (ECH) in Firefox 118 to address a privacy gap in Transport Layer Security (TLS): by encrypting the initial handshake message, it makes it more difficult for an on-path observer to identify the website a user connects to, since the server name (SNI) is no longer sent in cleartext. “When you use ECH, your initial ‘hello’ message to a website becomes securely encrypted,” the browser maker said. “Only the website you're visiting can decrypt it, ensuring your message remains private throughout its journey.” ECH is only used when DNS over HTTPS is enabled, because the server’s ECH configuration is fetched from its DNS HTTPS record, and the site itself must support it; otherwise the handshake falls back to a regular ClientHello. [Mozilla]
↘️ Cybercriminals are hijacking high-profile YouTube accounts to direct unsuspecting victims to bogus websites that promote crypto scams as part of a stream-jacking campaign. In these attacks, YouTube account holders are sent phishing emails under the guise of sponsorship and collaborations to trick them into installing stealer malware, effectively facilitating the theft of their account credentials and session tokens. Malicious links spread through the compromised YouTube channels propagated a well-known crypto doubling scam in which viewers are urged to send any amount of cryptocurrency with the promise of doubling the amount sent. In a related scam, job seekers are lured into parting with crypto by getting them to complete meaningless tasks that they believe will earn them money. The operation has been codenamed WebWyrm. [Bitdefender / CloudSEK]
↘️ A global network of Android-based consumer products, dubbed BADBOX, came pre-loaded with firmware backdoors installed and sold through a compromised hardware supply chain in order to facilitate ad fraud on a large scale. These devices are off-brand, meaning they are not Google Play Protect certified. “The BADBOX scheme is an incredibly sophisticated operation, and it demonstrates how criminals use distributed supply chains to amplify their schemes on unsuspecting consumers who purchase devices from trusted e-commerce platforms and retailers,” HUMAN said. Unfortunately, users who have purchased one of the BADBOX-infected devices have no option but to replace them: because the backdoor is baked into the device firmware, a factory reset does not remove it, and on first boot the malware contacts a command-and-control server, which allows the threat actors to remotely install new apps or code without the device owner’s permission. [WIRED / The Hacker News]