A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition's top stories -
↘️ A newly identified espionage operation run by hackers linked to China’s government has targeted dozens of organizations in Taiwan since mid-2021. Dubbed Flax Typhoon (or Ethereal Panda), the activity is designed to maintain footholds in organizations across a broad range of industries for as long as possible. Rather than developing an arsenal of custom attack tools, the group uses minimal malware and relies primarily on living-off-the-land techniques, such as tools built into the target’s operating system, and on hands-on-keyboard activity to gain and maintain long-term access to victim networks, harvest credentials, and move laterally to expand its reach. Taking the less distinctive route of off-the-shelf malware and native Windows utilities not only makes the activity hard to detect but also muddies attribution. The group breaks into organizations by exploiting known vulnerabilities in public-facing servers and then uses legitimate tools built into Windows and otherwise benign VPN software to quietly remain in these networks. The idea, in a nutshell, is to create a web of persistent, long-term infections inside dozens of organizations, likely to carry out an extensive cyber espionage campaign whose ultimate objectives are unclear at the moment. [The Hacker News]
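The tradecraft described above, a public-facing server compromised and then native Windows utilities driven by hand, leaves one telemetry pattern that is cheap to hunt for: a web-server worker process spawning built-in command-line tools. The following is an added example written for this roundup, not detection logic from Microsoft's report or any vendor. The process-creation records are constructed, and the field names, the list of web-server parents and the list of abused utilities are assumptions a team would tune to its own environment.

```python
"""Hunt for living-off-the-land activity that follows a web-server
compromise: native Windows utilities launched as direct children of a
web-server worker process.

Added illustration; the records below are constructed sample telemetry
and the field names are assumptions, not a specific product's schema.
"""
from dataclasses import dataclass

# Worker processes that serve HTTP and should not normally launch
# interactive tooling (assumed list; extend for your own stack).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}

# Built-in Windows utilities commonly used for discovery, credential
# access and persistence once an attacker has a shell on a server.
LOLBINS = {
    "cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "net1.exe",
    "certutil.exe", "bitsadmin.exe", "wmic.exe", "reg.exe", "sc.exe",
    "schtasks.exe", "rundll32.exe", "mshta.exe", "ipconfig.exe",
    "nltest.exe", "tasklist.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_webserver_lolbin(events):
    """Return events in which a web-server worker spawned a native utility."""
    return [
        ev for ev in events
        if _basename(ev.parent_image) in WEB_SERVER_PARENTS
        and _basename(ev.image) in LOLBINS
    ]


def summarize_by_host(hits):
    """Count suspicious child processes per host to prioritize triage."""
    counts = {}
    for ev in hits:
        counts[ev.host] = counts.get(ev.host, 0) + 1
    return counts


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("2023-08-21T02:14:07Z", "web01",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("2023-08-21T02:14:09Z", "web01",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\net.exe", "net user"),
    # Benign: ASP.NET compiling a page is a normal w3wp child.
    ProcessEvent("2023-08-21T02:15:00Z", "web01",
                 r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 "csc.exe /noconfig /fullpaths"),
    # Benign: a user opening a prompt from Explorer on a workstation.
    ProcessEvent("2023-08-21T09:00:00Z", "ws17",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent("2023-08-21T03:40:12Z", "web02",
                 r"C:\Apache24\bin\httpd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -nop -w hidden -c "Get-LocalUser"'),
]

if __name__ == "__main__":
    hits = flag_webserver_lolbin(SAMPLE_EVENTS)
    for ev in hits:
        print(ev.timestamp, ev.host, _basename(ev.parent_image), "->", ev.command_line)
    print(summarize_by_host(hits))
```

The check only looks one hop down the process tree, so `whoami.exe` launched by a `cmd.exe` that was itself spawned by `w3wp.exe` is caught via the `cmd.exe` event, not its own. A production rule would walk the ancestry chain and add an allow-list for legitimate children such as the .NET compiler shown above.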
↘️ A financially motivated cybercrime group exploited a zero-day vulnerability in the popular file archiving utility WinRAR since April 2023 to deliver malware to traders and attempted to conduct unauthorized transactions and withdraw funds. One of the pieces of malware delivered in this campaign, DarkMe, was previously observed in an operation dubbed DarkCasino that had been linked to a threat actor called EvilNum. The exact scale of the attacks is unclear, but signs of compromise have been detected in as many as 130 machines as of this week. [The Hacker News]
↘️ Two teenagers were held responsible for their role in the LAPSUS$ extortion gang and for orchestrating a hacking spree targeting several tech firms using a combination of social engineering, reconnaissance, phishing, credential theft, SIM swapping, and MFA-evasion techniques. [The Hacker News / Ars Technica]
↘️ Lazarus Group, a notorious hacking group working on behalf of the North Korean government, is using a new strain of malware called QuiteRAT, a derivative of MagicRAT, to attack healthcare entities and internet backbone infrastructure in Europe and the U.S. The group’s penchant for infrastructure reuse has made it possible to identify another new malware called CollectionRAT, which overlaps with EarlyRAT. The new findings show that the adversary is “changing its tactics” and increasingly relying on open-source tools as it evolves its bag of tricks to mount financially motivated and espionage attacks that further the regime’s strategic priorities. [The Hacker News]
↘️ The U.S. government is warning about the increased threats faced by the space industry from foreign intelligence entities in the form of cyber attacks and supply chain compromises to “acquire vital technologies and expertise,” leading to intellectual property theft. [SecurityWeek]
↘️ Cellebrite, which provides phone hacking technology to law enforcement authorities to unlock handsets, is asking its customers to keep the methods used to extract the data a secret. [TechCrunch]
↘️ With Brazil recording a surge in hacked Instagram accounts over the past year, affected users are turning to ethical hackers in the country to recover access. [Rest of World]
↘️ LLM-themed ads on Facebook claiming to offer Google’s AI chatbot Bard are directing unsuspecting users to rogue installer files that drop adware designed to serve unwanted ads on websites and deploy malicious browser add-ons with the goal of stealing victims’ credentials. [ESET / Trend Micro]
↘️ The percentage of ransomware attacks that resulted in the victim paying fell to a record low of 34% during Q2 2023, while the average ransomware payment stood at $740,144, up 126% from the previous quarter. It’s estimated that the Cl0p ransomware group may earn $75-100 million just from attacks exploiting flaws in the MOVEit Transfer software, putting more pressure on IT vendors to secure customer data from breaches. [Coveware / Dark Reading]
↘️ A new HiatusRAT campaign targeted Taiwanese organizations and a U.S. military procurement system, marking a significant shift in tactics and victimology patterns. The malware, which first came to light earlier this year, previously focused on organizations from Latin America and Europe to create a covert proxy network. [The Hacker News]
↘️ A previously undocumented China-backed advanced persistent threat (APT) group dubbed Carderbee targeted organizations in Hong Kong and other regions in Asia in a supply chain attack that leveraged a legitimate software product called Cobra DocGuard to deploy the PlugX backdoor. The campaign is just the latest example of a successful supply chain attack targeting companies worldwide. While the threat actor’s provenance and targeting scope remain murky, the crossover of tactics and tooling points to the involvement of a Chinese adversary. [The Hacker News / WIRED]
↘️ An updated Mac-oriented variant of a malware called XLoader has been observed masquerading as a productivity app to siphon sensitive data as part of a widespread campaign aimed at macOS environments. The development comes as threat actors are increasingly porting Windows malware to macOS as well as developing custom cross-platform stealers and other malware in programming languages like Go and Rust. [The Hacker News]
↘️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have published new guidance to proactively prepare for migrating to products that adhere to post-quantum cryptographic standards using a quantum readiness roadmap. “Early planning is necessary as cyber threat actors could be targeting data today that would still require protection in the future (or in other words, has a long secrecy lifetime), using a catch now, break later or harvest now, decrypt later operation,” the advisory reads. [CISA]
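The “long secrecy lifetime” point in the advisory is the piece that turns a roadmap into a prioritized work list: an inventory of where public-key cryptography is used, and for each use, how long the protected data must stay secret versus how long the system will take to migrate. The following is an added example, not tooling from CISA, NSA or NIST. It applies the usual harvest-now-decrypt-later reasoning (Mosca’s inequality: data is exposed when secrecy lifetime plus migration time exceeds the years until a cryptographically relevant quantum computer). The inventory records are constructed, and the year horizon is an explicit input the caller must supply.

```python
"""Cryptographic inventory triage for a quantum-readiness roadmap.

Added illustration; the records are constructed and the CRQC horizon
(years until a cryptographically relevant quantum computer) is an
assumption passed in by the caller, not a prediction.

Harvest-now-decrypt-later exposure (Mosca's inequality):
    secrecy_years + migration_years > years_until_crqc
"""
from dataclasses import dataclass

# Public-key algorithms whose private keys Shor's algorithm recovers.
QUANTUM_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}

# Symmetric ciphers: Grover's algorithm roughly halves effective key
# strength, so sizes below 256 bits are a margin concern, not a break.
SYMMETRIC_MIN_BITS = 256


@dataclass(frozen=True)
class CryptoAsset:
    system: str
    purpose: str          # "confidentiality" or "authentication"
    algorithm: str
    key_bits: int
    secrecy_years: float  # how long the protected data must stay secret
    migration_years: float  # estimated time to move this system to PQC


def classify(asset: CryptoAsset) -> str:
    """'break', 'margin' or 'ok' against a future CRQC."""
    alg = asset.algorithm.upper()
    if alg in QUANTUM_BROKEN:
        return "break"
    if alg in {"AES", "CHACHA20"} and asset.key_bits < SYMMETRIC_MIN_BITS:
        return "margin"
    return "ok"


def hndl_exposed(asset: CryptoAsset, years_until_crqc: float) -> bool:
    """True if ciphertext recorded today could be decrypted while it still
    matters. Only confidentiality uses of a broken algorithm are exposed
    retroactively; a signature verified today is not forged after the fact,
    so authentication uses are migrated on the CRQC date, not before."""
    if asset.purpose != "confidentiality" or classify(asset) != "break":
        return False
    return asset.secrecy_years + asset.migration_years > years_until_crqc


def triage(inventory, years_until_crqc: float):
    """Exposed assets, most overdue first (largest overshoot of the horizon)."""
    exposed = [a for a in inventory if hndl_exposed(a, years_until_crqc)]
    return sorted(
        exposed,
        key=lambda a: a.secrecy_years + a.migration_years - years_until_crqc,
        reverse=True,
    )


# Constructed inventory (not real systems).
SAMPLE_INVENTORY = [
    CryptoAsset("vpn-gw", "confidentiality", "ECDH", 256, 10, 2),
    CryptoAsset("hr-archive-tls", "confidentiality", "RSA", 2048, 25, 3),
    CryptoAsset("code-signing", "authentication", "ECDSA", 256, 0, 5),
    CryptoAsset("db-at-rest", "confidentiality", "AES", 128, 20, 1),
    CryptoAsset("public-web", "confidentiality", "ECDH", 256, 0.1, 2),
]

if __name__ == "__main__":
    HORIZON = 10  # assumed years until a CRQC; revisit as estimates change
    for a in triage(SAMPLE_INVENTORY, HORIZON):
        overshoot = a.secrecy_years + a.migration_years - HORIZON
        print(f"{a.system}: {a.algorithm} {a.key_bits}-bit, exposed by {overshoot:.1f} years")
```

The authentication entry deliberately drops out of the harvest-now-decrypt-later list, which is why an inventory needs the purpose of each key and not just the algorithm; the AES-128 entry surfaces as a key-size margin item rather than an exposure.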
↘️ Natalie Mottram, a 24-year-old intelligence analyst working for police in the Northwest of England, shared with a criminal contact information about a major countrywide covert operation into the encrypted communications platform EncroChat, in what has been described as a “disgraceful” betrayal of her colleagues. Mottram, who has since pleaded guilty to tipping off the individual and his partner in April 2020, will be sentenced in November 2023. [NCA]
↘️ A new Telegram bot called Telekopye is being used by criminal actors to conduct phishing scams targeting users of online marketplaces. The toolkit is designed to allow scammers with minimal technical knowledge to engage in fraudulent activities, such as creating phishing websites and sending fraudulent emails and SMS messages. Multiple versions of the toolkit have been in circulation over the years, indicating active development. What’s more, the hierarchy of scammers using Telekopye is organized into different roles that have varying privileges and commission fees. [The Hacker News / Dark Reading]
↘️ Ransomware has witnessed a major spike in 2023, both in volume and in sophistication, driven mainly by a shift from phishing to a greater emphasis on vulnerability abuse. According to data derived by Check Point from over 120 ransomware “shame-sites,” a total of 48 ransomware groups reported breaching and publicly extorting more than 2,200 victims. In July 2023 alone, 502 ransomware incidents were recorded, a 154% increase year-on-year compared to the 198 attacks traced in July 2022. 171 of them have been attributed to Cl0p, which breached a record 988 entities by exploiting flaws in MOVEit Transfer. Excluding Cl0p, the reported victim count for July 2023 shows a decline of 91 compared to June. [Akamai / Barracuda Networks / BlackFog / Check Point / Guidepoint Security / NCC Group / ReliaQuest / Sophos (1), (2), (3)]
↘️ A mysterious piece of malware called Whiffy Recon scans for nearby Wi-Fi access points in an effort to triangulate the location of infected Windows devices. It’s delivered via a malware dropper known as SmokeLoader, but it is currently unknown what it’s used for or who its targets may be. That said, such data could be valuable for espionage, surveillance, or physical targeting. [The Hacker News]
↘️ A data breach at electric car maker Tesla in May 2023 was the work of two former employees, who leaked the personal information of more than 75,000 individuals, including their names, addresses, phone numbers, and Social Security numbers to the German media outlet Handelsblatt, which reported on a litany of customer complaints about Tesla’s Full Self-Driving (FSD) features. The incident comes after Reuters reported in April that Tesla workers shared sensitive images recorded by customer cars between 2019 and 2022. [TechCrunch]
↘️ A hacking group calling itself “KittenSec” claims it has struck government and private sector computer systems in multiple NATO countries over the past month, justifying its attacks by arguing that it is exposing corruption. The development comes a month after another hacktivist group known as “SiegedSec” claimed it had breached NATO’s COI (Communities of Interests) Cooperation Portal. [CyberScoop]
↘️ Details have emerged about a macOS App Management vulnerability that a malicious application downloaded from the internet can exploit to modify notarized apps. The vulnerability was reported to Apple in October 2022, but it remains unpatched to date. Security weaknesses have also been disclosed in the macOS Background Task Management mechanism, which Apple introduced in macOS Ventura to alert users if a piece of software unexpectedly establishes persistence on the device. The issues could cause persistence event notifications to fail under certain scenarios, giving users and security vendors a false sense of security. [Jeff Johnson / Lapcat Software / WIRED / DEF CON]
↘️ Multiple security vulnerabilities have been disclosed in the TP-Link Tapo L530E smart bulb that could be exploited by malicious actors to retrieve Tapo user passwords, manipulate the devices, and even steal a victim’s Wi-Fi SSID and password should the attacker be within the range of the smart bulb. TP-Link has released new firmware to address the issues. [arXiv / TP-Link]
↘️ A new VPN attack named TunnelCrack uses a combination of two vulnerabilities, named LocalNet and ServerIP, to intercept traffic outside the protected VPN tunnel. Exploitation is possible when a user connects to a rogue Wi-Fi network and, in some cases, through malicious ISPs. [TunnelCrack / Cisco / Mullvad]
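Both TunnelCrack vulnerabilities come down to routing exceptions that nearly every VPN client installs: traffic to the directly connected local subnet (LocalNet) and traffic to the VPN server’s own address (ServerIP) are sent outside the tunnel. A rogue access point can hand out a local subnet that happens to contain the victim’s real destination, and an attacker who controls DNS can make the VPN server’s hostname resolve to a target so the server exception covers it (relaying the handshake to the real server so the tunnel still comes up). The following is an added simulation written for this roundup, not code from the TunnelCrack researchers or any VPN vendor; the interface names and the RFC 5737 documentation addresses are assumptions chosen for illustration.

```python
"""Simulation of the two routing exceptions TunnelCrack abuses.

Added illustration, not a VPN client's real route handling. Interface
names (tun0, wlan0) and addresses (RFC 5737 documentation ranges) are
assumptions for the example.
"""
import ipaddress


class ClientRoutes:
    """Minimal model of a VPN client's routing table after connecting."""

    def __init__(self, local_net: str, vpn_server_ip: str, allow_local: bool = True):
        # Default route: everything goes into the tunnel.
        self.routes = [(ipaddress.ip_network("0.0.0.0/0"), "tun0")]
        # LocalNet exception: the subnet the (possibly rogue) DHCP server
        # assigned is reachable directly, outside the tunnel.
        if allow_local:
            self.routes.append((ipaddress.ip_network(local_net, strict=False), "wlan0"))
        # ServerIP exception: encrypted packets to the VPN server must leave
        # on the physical interface or they would be encapsulated in themselves.
        self.routes.append((ipaddress.ip_network(vpn_server_ip + "/32"), "wlan0"))

    def egress(self, dst: str) -> str:
        """Longest-prefix match, the way the OS routing table decides."""
        addr = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if addr in r[0]),
                   key=lambda r: r[0].prefixlen)
        return best[1]


def leaked(routes: ClientRoutes, targets):
    """Destinations whose traffic leaves the host outside the tunnel."""
    return [t for t in targets if routes.egress(t) != "tun0"]


# Constructed scenario: the victim's real destinations plus the VPN server.
TARGETS = ["198.51.100.7", "192.0.2.20", "203.0.113.10"]
REAL_SERVER = "203.0.113.10"

# Honest network: only the VPN server itself is (necessarily) outside the tunnel.
honest = ClientRoutes("192.168.1.0/24", REAL_SERVER)

# LocalNet: the rogue AP assigns the client 198.51.100.50/24, so the
# "local" exception now swallows the target at 198.51.100.7.
localnet_attack = ClientRoutes("198.51.100.50/24", REAL_SERVER)

# ServerIP: spoofed DNS resolves the VPN hostname to the target 192.0.2.20,
# so the server exception sends that target's traffic in plaintext.
serverip_attack = ClientRoutes("192.168.1.0/24", "192.0.2.20")

# One mitigation for LocalNet: do not install the local-subnet exception
# at all (route everything into the tunnel). ServerIP needs the server
# address pinned or verified rather than taken from untrusted DNS.
hardened = ClientRoutes("198.51.100.50/24", REAL_SERVER, allow_local=False)

if __name__ == "__main__":
    for name, r in [("honest", honest), ("LocalNet", localnet_attack),
                    ("ServerIP", serverip_attack), ("hardened", hardened)]:
        print(f"{name:9s} leaks outside tunnel: {leaked(r, TARGETS)}")
```

Only the server’s own address can legitimately appear in the leaked list; anything else there is traffic an on-path attacker can read or redirect. This is why Mullvad’s advice centered on its local-network-sharing setting and why the general fix is to keep the exceptions as narrow as possible and to refuse a server address that does not match a pinned or authenticated value.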