Google bets on passwordless login with passkeys
A recap of some of the major stories in cybersecurity
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition's top stories:
↘️ An Iranian advanced persistent threat (APT) group dubbed Mint Sandstorm (aka Phosphorus) has mastered the ability to rapidly adopt new proof-of-concept (PoC) exploits for freshly disclosed vulnerabilities into its playbook and target critical infrastructure utilities in the U.S. [The Hacker News]
↘️ Google has begun rolling out a new security mechanism that will allow users to employ passkeys for account sign-in on their various devices, eliminating the need for passwords and raising the bar significantly for attackers attempting account takeovers. Passkeys, built on the WebAuthn standard, comprise a private/public cryptographic key pair that’s generated when a new passkey is created for an online service. While the private key is stored locally on the device, the public key is uploaded to the server. User authentication is achieved by means of a challenge-response mechanism in which a unique, freshly generated message is signed with the private key, and the signature is then verified using the corresponding public key held by the other party (i.e., Google), thereby confirming the user’s identity. The company will continue to support existing sign-in methods as a fallback option for the foreseeable future. [The Hacker News]

↘️ Kaspersky disclosed some level of cooperation between the Russian state-sponsored actor Tomiris and Turla, a notorious threat actor with ties to the Russian government. The main characteristic of Tomiris is the building of implants (downloaders, backdoors, and information stealers) in various programming languages and cycling through them until one evades detection and is successfully executed on the victim’s systems. Despite the observed tool sharing, they are being treated as two separate groups, characterized by different tradecraft. [The Hacker News / Dark Reading]
↘️ A recent surge in malspam attacks has been observed delivering the QBot trojan to victims in Germany, Argentina, Italy, Algeria, Spain, and the U.S. using simulated business correspondence and stolen email exchanges (aka reply-chain emails) to increase the probability of opening the malicious attachments. Qakbot, which was first detected in 2007, has evolved into a multi-purpose malware with an array of functionalities, including performing reconnaissance, exfiltrating data, and acting as an access-as-a-service that other cybercriminals use to deliver a range of second-stage malware like Cobalt Strike to already compromised hosts. Its modular nature gives it flexibility for keeping up with the evolving threat landscape. [The Hacker News / Dark Reading]
↘️ Encrypted direct messages have finally arrived on Twitter. Retrofitting encryption to a massive service is never easy, and in its current form, the feature is optional (i.e., not enabled by default), severely restrained, and has weaknesses aplenty. For a start, the feature is not yet “end-to-end” encrypted as it does not prevent man-in-the-middle attacks that could make it possible for a third party (including Twitter) to eavesdrop on the conversations. Beyond its lack of support for encrypted photos, videos, and group chats, perhaps the most serious drawback is that encrypted DMs are limited to one-to-one conversations between verified (paying) users on the platform. The fact that it comes with a lot of asterisks and a laundry list of caveats is a sign that it’s still a work in progress. It’s not immediately clear if Twitter plans to extend the feature to all users. [The Hacker News / WIRED]
↘️ Israeli commercial spyware vendor NSO Group is back in the limelight after Citizen Lab found that unknown customers of the company weaponized three “zero-click” exploits against iPhones in 2022 to deploy Pegasus. The attacks demonstrate how threat actors continue to evolve and grow in sophistication even as there is more documented evidence of repeated abuse of such tools by authoritarian governments to target civil society members. Besides new exploits, other similar attacks have leveraged older, unpatched devices to circumvent defenses erected by Apple. The development comes amid reports that another spyware vendor, QuaDream, is shutting down its operations, suggesting that the once-secretive sector is drawing more attention, prompting governments to impose new regulations to tackle abuse. What’s more, a recent report from Open Secrets revealed that NSO Group has spent over $2.9 million lobbying the U.S. government in a bid to get itself removed from a trade blocklist. [The Hacker News / The Register / Open Secrets]
↘️ The infamous LockBit ransomware gang has developed a version of its malware for macOS devices, marking the first ever foray into Apple’s territory by a major ransomware group. That said, a closer examination of the binary reveals that it’s not quite ready for prime time. The roadblocks erected by Apple and the underdeveloped nature of the ransomware notwithstanding, it bears noting that threat actors are constantly looking to expand their attack spectrum and stay one step ahead of network defenders. [WIRED / Duo / The Hacker News / Bitdefender]
↘️ U.S. and other international partner agencies announced they pulled off a joint operation codenamed Medusa that decimated a long-standing malware operation called Snake carried out by Russia-based Turla hackers. Court documents show that the agencies have been investigating the stealthy malware for nearly all of its two decades of existence and had officers assigned to monitor the premier outfit’s activities from a “known FSB facility in Ryazan, Russia.” Infrastructure connected with Snake has been discovered in over 50 countries worldwide. The disruption is likely to force the threat actor to retool its arsenal. [The Hacker News / Ars Technica / TechCrunch]
↘️ U.S. law enforcement seized 13 more internet domains that hosted booter services, which are marketed as legitimate security testing tools to stress-test websites, for launching DDoS attacks against various targets. While purveyors of booters claim they are not responsible for how customers use their services, it’s also known that they are “heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks.” [Krebs on Security / The Hacker News]
↘️ Some of the major industrial and operational technology security vendors are coming together for an open-source threat intelligence sharing portal called Emerging THreat Open Sharing (or ETHOS) to provide early warnings about threats to critical infrastructure. [ETHOS]
↘️ The Conti and TrickBot groups may no longer exist, but former members have likely teamed up with the FIN7 threat actors to distribute a new malware family named Domino in attacks on corporate networks. The development speaks to the tangled web of connections between criminal groups, as the lines between malware developers and ransomware gangs have become increasingly murky. It’s also an example of how threat actors with distinct motives and techniques establish a coalition of sorts to achieve their separate goals and expand their footprint. [The Hacker News]
↘️ Microsoft announced that it’s switching from a taxonomy based on chemical elements to one that uses weather-themed names to classify hacking groups. The shift appears to be motivated by the fact that it was running out of names! (There are only 118 elements.) While cybersecurity vendors are known to use their own naming systems -- primarily stemming from differences in the way the TTPs are tracked -- the hodgepodge of different names can be confusing and “counterproductive for actual cybersecurity analysis.” [WIRED / Dark Reading / The Record]
↘️ The U.S. Department of Justice (DoJ) indicted a North Korean bank official named Sim Hyon Sop, along with three others, for his alleged role in cryptocurrency laundering conspiracies designed to channel funds into the country’s coffers by “conspiring with over-the-counter (OTC) cryptocurrency traders to use stolen funds to buy goods for North Korea and for conspiring with North Korean IT workers to generate revenue through illegal employment at blockchain development companies in the United States.” With the exception of one unnamed individual (whose online alias is jammychen0150), the other three have been sanctioned by the U.S. Treasury, with the State Department announcing a reward of up to $5 million for information leading to the arrest or conviction of Sim. North Korea is known for running sophisticated cyber operations designed to steal crypto that is then laundered and sent to the regime to fund its programs around weapons of mass destruction (WMD) and ballistic missiles. [DoJ / Department of the Treasury / Department of State / CNBC]
↘️ The leak of Babuk ransomware code in September 2021 has fueled several strains of ransomware families designed to target VMware ESXi hypervisors, which are increasingly prevalent in enterprise environments to run virtual machines and servers. This includes both infamous and smaller ransomware groups like Cylance, Dataf, Rorschach, Lock4, RTM Locker, Mario, Play, Babuk 2023, Conti, and REvil. Babuk was one of the earlier threat groups that targeted the ESXi platform. The Babuk Locker “builder” is particularly attractive to hackers because it can be used to spawn custom versions of the Linux-based ransomware. Other notable ransomware strains that are forks of Babuk include Rook and AstraLocker. RaaS models are representative of how easy it has become for aspiring threat actors to buy their way into a group without having to write their own malware or build attack infrastructure. [The Hacker News]
↘️ The global median dwell time, which refers to the median number of days an attacker is present in a target’s environment before being detected, dropped to 16 days in 2022, down from 21 days in 2021, according to Mandiant. This suggests that businesses are detecting cyberattacks faster despite facing increasingly sophisticated adversaries. Interestingly, the percentage of global intrusions involving ransomware declined from 23% to 18%. The Google Cloud subsidiary said that exploits, phishing, and stolen credentials were used in more than half of the intrusions (68%) it investigated, with a majority of the attacks motivated by money or espionage. Among exploits, three vulnerabilities made up the lion’s share of the attacks: CVE-2021-44228, CVE-2022-1388, and CVE-2022-22954. In most cases, organizations were notified that a breach or ransomware attack had occurred by an external third party. “Attackers are showing willingness to eschew the traditional cyber rules of engagement, to bully and threaten and get very personal with targets, and to show up to places in person to enable initial access,” the company noted. [Mandiant / SecurityWeek]
↘️ The Ukrainian cyber police have arrested a 36-year-old man from the city of Netishyn for selling the personal data and sensitive information of over 300 million people using Telegram for anywhere between $500 and $2,000. [Cyber Police of Ukraine]
↘️ China is building sophisticated cyber weapons to “seize control” of enemy satellites, rendering them useless for data signals or surveillance during wartime, according to a leaked U.S. intelligence report. On a related note, a team of researchers from Thales identified vulnerabilities that could be used to hack into a European Space Agency-owned satellite, allowing them to take full control of its communication, imaging, and even its maneuverability systems. [Financial Times]
↘️ The threat actors behind the RapperBot malware have ventured into cryptojacking by creating a hybrid binary that piggybacks the mining functionality onto its existing DDoS capability. The miner is also configured to use multiple mining pools for both redundancy and additional privacy. The continual updates suggest that RapperBot is being actively maintained by its authors. [The Hacker News]
↘️ A Russian espionage group tracked as Nomadic Octopus has been observed spying on Tajikistan’s high-ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a telecom carrier in the country. The operation “started in this firm’s network then expanded their access through document theft, stolen clients’ contracts and credentials, weak network security configurations and exploitation of not up-to-date software and services,” PRODAFT said. [The Hacker News]
↘️ Google patched a vulnerability in its cloud platform called GhostToken that could have allowed attackers to backdoor Google accounts using malicious OAuth applications. The issue related to how a threat actor could delete an application (trojanized or otherwise) after it had been authorized and linked to an OAuth token granting access to the Google account, causing the app to enter a pending-deletion state for 30 days and effectively hiding it from Google’s application management page. The pending-deletion project associated with the application could then be restored at the owner’s whim to obtain a new access token, access the victim’s data, and be hidden again as required. [The Hacker News / SecurityWeek]
↘️ North Korean hacking group ScarCruft has offered fresh evidence of how adversaries have pivoted to using LNK, or shortcut files, to distribute malicious payloads as part of a multi-stage malware delivery process after Microsoft began blocking macros by default to prevent malware delivery via Office documents. This is part of a larger trend that began in earnest last year, spawning a bevy of commercial tools to create malicious LNK files. [The Hacker News]
↘️ Fitness apps such as Strava have been found to leak sensitive location information of users, even when they’ve used in-app features to specifically set up an “endpoint privacy zone” to hide their activity within specified areas such as their homes. [Dark Reading]
↘️ Unknown hackers are breaking into the accounts of people who have AT&T email addresses, and using that access to then hack into the victims’ cryptocurrency exchange accounts and steal their crypto. [TechCrunch]
↘️ The longstanding North Korean cyber espionage group Kimsuky has expanded its attack arsenal with a new spear-phishing campaign that uses Microsoft OneDrive links in documents armed with malicious macros that drop novel reconnaissance malware called ReconShark. It can do more than just steal data about the targeted system, deploying additional payloads depending on “what detection mechanism processes run on infected machines.” [The Hacker News]
↘️ The widespread use of VMware ESXi hypervisor and the fact that it does not support any third-party malware detection capabilities has made the technology an increasingly lucrative target for ransomware operators. This has manifested in the form of several ransomware strains that have expanded their operations to strike ESXi systems. By compromising ESXi, attackers can potentially gain control over multiple virtual machines on the host, and considerably scale up their attacks by encrypting several machines in one go. This results in additional pressure on victims to pay a ransom demand. [The Hacker News]
↘️ Toyota Japan apologized after leaving millions of customers’ vehicle details on the public internet since November 2013. It only impacts customers in Japan. [TechCrunch / Toyota]
↘️ Move over crypto. As the popularity of generative AI chatbots skyrockets, threat actors are increasingly using ChatGPT and Google Bard-themed lures to spread malware across Facebook that’s capable of taking over users’ accounts. [The Hacker News]
↘️ A malware loader called AresLoader is being promoted on Telegram channels to distribute a variety of malware such as Aurora Stealer, IcedID, Laplas Clipper, Lumma Stealer, NetSupport RAT, Stealc, and SystemBC. [The Hacker News / Cyble / Flashpoint / IBM Security X-Force]
↘️ Threat actors in Iran are increasingly relying on a tactic called “cyber-enabled influence operations,” where they use inauthentic online personas to exaggerate unsophisticated cyberattacks, with the aim of sowing fear, stirring up unrest, and achieving various geopolitical goals. [The Hacker News / Decipher /
↘️ An ex-Ubiquiti engineer, Nickolas Sharp, was sentenced to six years in prison yesterday after pleading guilty in a New York court to stealing tens of gigabytes of confidential data, demanding a $1.9 million ransom from his former employer, and then publishing some of the data publicly when his demands were refused. While the rogue took steps to cover his tracks using a VPN, a temporary internet outage disabled the service and exposed his home IP address. [The Hacker News / Ars Technica]
↘️ A Chinese-speaking threat actor known as Xiaoqiying (aka Genesis Day, Teng Snake) has been linked to a new round of website defacement and data exfiltration attacks against organizations in Japan and Taiwan. [Recorded Future]
↘️ A security vulnerability (CVE-2023-27217) has been disclosed in Belkin’s Wemo Mini Smart Plug V2 that could be exploited to inject arbitrary commands and take control of the devices. Belkin said the issue is unlikely to be patched owing to the fact that the device is end-of-life (EoL). Users are advised to avoid exposing these units directly to the internet. [The Hacker News]
↘️ The share of HTML attachments assessed to be malicious has more than doubled, from 21% last May to nearly 46% in March 2023. [Barracuda]
↘️ Microsoft is warning of a surge in business email compromise (BEC) attacks and the evolving tactics employed by cybercriminals, including the use of platforms, like BulletProftLink, for creating industrial-scale malicious mail campaigns. In recent months, multiple threat actors such as Crimson Kingsnake, Firebrick Ostrich, Midnight Hedgehog, Mandarin Capybara, and Water Dybbuk have been uncovered as orchestrating indiscriminate BEC attacks to extract money from victims. [Microsoft]
↘️ The supply chain attack targeting 3CX has turned out to be bigger than previously thought. Two critical infrastructure organizations in the energy sector and two companies involved in financial trading are among the latest victims. The modified financial services software, which is now considered to be the starting point of the attacks, is suspected to be leveraged by hackers aligned with North Korea, whose primary goal appears to be financial gain. The actors have a history of targeting cryptocurrency entities and exchanges in order to steal money for the sanctions-hit regime.
The attack is the first documented case of a software supply chain attack leading to a second software supply chain attack, wherein the corrupted X_TRADER installer was used to carry out a supply chain attack that compromised the Windows and macOS versions of 3CX’s communications software. Operatives working on behalf of the country have orchestrated a series of crypto-focused hacks in recent years, making off with an estimated $1.7 billion in crypto in 2022 alone, per the U.S. Treasury. [The Hacker News]