MoustachedBouncer trains its eyes on Belarusian embassies
A recap of some of the major stories in cybersecurity
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition's top stories:
↘️ The U.S. government said the Chinese cyber espionage campaign tracked as Volt Typhoon (aka Vanguard Panda) may be more widespread and endemic than previously realized, with the malware planted deeply inside numerous networks controlling the communications, power, and water feeding U.S. military bases at home and abroad. [The New York Times]
↘️ Google said n-day security flaws in Android function like 0-days on Android due to patch gaps between upstream vendors and downstream manufacturers. “Across the Android ecosystem there were multiple cases where patches were not available to users for a significant time,” the company said. “Attackers didn’t need 0-day exploits and instead were able to use n-days that functioned as 0-days.” [Google]
↘️ Cyber attacks on governments and public entities worldwide surged by 40% from March to May compared to the previous quarter. Government entities in North America, Australia, South Korea, and Japan were the most heavily targeted. What’s more, threat actors deployed approximately 11.5 attacks per minute during the time period. [BlackBerry]
↘️ A newly identified cyber espionage group called MoustachedBouncer in Belarus is targeting foreign embassies in the country with the assistance of local internet service providers as part of a highly targeted, years-long campaign that employs diverse tactics and novel backdoors to gather sensitive information. The group is said to have been operating since at least 2014, while also closely cooperating with a separate suspected Belarusian, pro-Russian cyber espionage effort known as Winter Vivern. [The Hacker News]
↘️ The U.S. Cybersecurity and Infrastructure Security Agency is drawing attention to the critical attack surface that is the Unified Extensible Firmware Interface (UEFI), stating that “what attackers achieve depends on which phase and what element of UEFI they are able to subvert.” UEFI has become a lucrative target because compromising the firmware allows threat actors to achieve a high level of persistence on a system. [CISA]
↘️ A U.S.-based hacktivist group called the “Cult of the Dead Cow” (aka cDc) has launched a privacy framework dubbed Veilid (pronounced vay-lid) that “seeks to provide a foundation for messaging, file sharing, and even social networking apps without harvesting any data, all secured by the kind of end-to-end encryption that makes interception hard even for governments.” Said to have been in the works for three years, it has been described as an “open-source, peer-to-peer, mobile-first networked application framework” that combines aspects of Tor and IPFS. [Veilid / The Washington Post / The Register]
↘️ A gang of hacktivists driven by religious and political motives called Mysterious Team Bangladesh has in its crosshairs government, financial, and transportation-sector organizations in India and Israel. Founded in 2020 by an actor named D4RK_TSN, the suspected Bangladeshi group has been linked to over 750 DDoS attacks and 78 website defacements since June 2022. “Unlike traditional cybercriminals or nation-state threat actors who try to remain unnoticed, hacktivists aim to draw as much attention to their cause as possible, be it political, religious, or both,” Group-IB said. DDoS attacks remain a critical threat over other types of common cyber attacks due to their immediate potential to impact business, leading to financial and reputational losses. [The Hacker News / BankInfoSecurity / Bleeping Computer]
↘️ Global ransomware attacks have reached an all-time high over the past year, surpassing 1,900 incidents. The biggest offender is Cl0p, which has been linked to attacks on hundreds of companies by exploiting zero-day flaws in widely used enterprise software. As many as 253 ransomware incidents targeted industrial organizations in the second quarter of 2023, an 18% increase from the previous quarter. In a related development, the threat actors behind Akira ransomware, which was discovered in March 2023, have compromised at least 63 entities to date. A closer inspection of the Akira ransomware transactions has also found evidence linking the group to the Conti operation. The ransomware landscape continues to be in a constant state of flux, with criminal actors launching new variants and adapting their tactics by targeting VMware ESXi servers and launching data leak APIs to put more pressure on victims. [Malwarebytes / Cyberint / Dragos / Arctic Wolf]
↘️ Attackers were recently spotted exploiting a zero-day flaw in Salesforce’s email and SMTP services in a sophisticated phishing campaign aimed at stealing credentials from Facebook users. The emails, which originated from a “@salesforce.com” domain, were designed to appear as if sent from Meta Platforms, leading recipients to a phishing page hosted on Facebook’s web games platform to capture passwords and authentication codes. [The Hacker News]
↘️ Sporting events and venues are increasingly vulnerable to cyber attacks, posing risks to organizers, regional host facilities and attendees. Such events face unique cybersecurity challenges due to the vast digital surface that exhibits a high level of cyber-physical convergence. This, in turn, could lead to the exploitation of connected devices and interconnected networks, including hospitals that serve players and fans. [The Hacker News]
↘️ A new hidden Virtual Network Computing (hVNC) malware capable of targeting Apple macOS devices is being offered for sale on the cybercrime underground for a lifetime price of $60,000 by an actor named RastaFarEye. hVNC malware, typically distributed through email attachments, malicious websites, or exploit kits, establishes contact with a remote server and can be used to take control of a victim’s computer without their knowledge and steal sensitive information. [Guardz]
↘️ Medical infusion pumps procured from the secondary market, such as eBay, have been found to be inadequately decommissioned, enabling cybersecurity researchers to recover Wi-Fi configuration settings from the original organizations that deployed them. With these devices used to deliver and control fluids directly into a patient’s body, properly disposing of sensitive information on these devices should be a priority. In general, it’s always a good practice to clear the stored Wi-Fi network information when disposing of old technology, such as old phones, computers, printers, and smartwatches, as this data is often unprotected and easy to retrieve from discarded gadgets. [Rapid7 / Kaspersky]
↘️ LetMeSpy, a commercial spyware service, is to shut down on August 31, 2023, following a massive data breach in June 2023 that exposed extensive call logs, text messages, and location data points impacting victims primarily in the U.S., India, and Western Africa. [The Hacker News]
↘️ Researchers from the U.K. have devised a new deep learning-based acoustic side-channel attack that’s capable of deciphering keyboard input solely from audio signals. The technique involves training the model, called CoAtNet, to associate specific audio patterns with corresponding characters, allowing it to virtually “listen” to the keystrokes and transcribe them with an accuracy of 95% simply by recording the sounds from a nearby phone. The model achieves an accuracy rate of 93% when trained using Zoom recordings. [The Hacker News]
↘️ The world of cryptocurrency investment has become a breeding ground for fraudulent activities. As more novice investors enter the crypto market seeking substantial returns, scammers have devised increasingly sophisticated schemes such as pig butchering to prey on victims and loot their assets. In the latest twist, such social engineering attacks have begun to latch on to generative AI tools to make the conversations appear more trustworthy and convincing. [The Hacker News]
↘️ Google is changing the release cadence of Google Chrome security updates from bi-weekly to weekly to minimize the attack window and address the growing patch gap problem that allows threat actors extra time to exploit published N-day and zero-day flaws. “Bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven’t yet received the fix,” the company said. As noted above, the vulnerability patch gap has also become a major problem for Android, with Google warning that n-day flaws have become as dangerous as zero-days. [Google]
↘️ Python security fixes often happen through “silent” code commits, without an associated Common Vulnerabilities and Exposures (CVE) identifier, thereby providing malicious actors an opportunity to potentially exploit undisclosed vulnerabilities in unpatched systems. [Exploring Security Commits in Python]
↘️ Striking tactical and tooling similarities have been uncovered between Rhysida and Vice Society, suggesting that the latter may have adopted Rhysida as one of its preferred ransomware payloads. The shared focus on the education and healthcare sectors further solidifies this link. Ransomware attacks involving Rhysida have demonstrated advanced defense evasion capabilities, such as deleting logs and forensic artifacts, to hinder detection and analysis. [The Hacker News]
↘️ A Chinese nation-state group called RedHotel (aka Aquatic Panda or Earth Lusca) has been attributed to attacks targeting 17 different countries between 2021 and 2023, making it a dominant cyber threat. Known for conducting both intelligence-gathering and economic espionage attacks, the adversary operates with a robust support system on its backend and employs two distinct infrastructure clusters dedicated to reconnaissance and long-term access, as well as a wide toolset that mixes post-exploitation frameworks and bespoke malware. [The Hacker News]
↘️ Multiple zero-day security vulnerabilities, CVE-2023-33241 and CVE-2023-33242 (aka BitForge), have been disclosed in some of the most widely used cryptographic multi-party computation (MPC) protocols used in popular cryptocurrency wallets that, if exploited, could allow “attackers and malicious insiders to drain funds” without the victims’ knowledge. [Fireblocks]
↘️ An unfixed hardcoded encryption key flaw, CVE-2023-39250, in Dell’s Compellent Integration Tools for VMware (CITV) could be exploited by attackers to decrypt stored vCenter admin credentials and retrieve the cleartext password. Dell is recommending that users change the root password as a mitigation, while a fix is planned for November 2023. [DEF CON / Bleeping Computer]
↘️ The Gafgyt botnet malware is actively attempting to exploit a critical vulnerability in the end-of-life Zyxel P660HN-T1A router in an average of 7,100 attacks per day since the beginning of July 2023. The flaw in question is CVE-2017-18368, an unauthenticated command injection vulnerability in the device’s Remote System Log forwarding function that was addressed in 2017. It has also been added to CISA’s Known Exploited Vulnerabilities catalog. [Fortinet]
↘️ The U.S. Department of Homeland Security (DHS) announced that a review board will examine malicious targeting of cloud computing environments, including the suspected Chinese cyber espionage operation that breached Microsoft’s Exchange and harvested government emails in May 2023. [DHS / CyberScoop]
↘️ A legitimate open-source tool called Freeze.rs is being weaponized by malicious actors to introduce a raft of malware to targets, marking a new level of sophistication in phishing attacks. [The Hacker News]
↘️ New side-channel attacks have been discovered in Intel and AMD CPUs that could be abused by threat actors to leak sensitive information, including encryption keys. Despite the potentially massive blast radius, the attacks have been deemed difficult to pull off in real-world conditions. [WIRED / CyberScoop / The Hacker News]
↘️ Microsoft’s Visual Studio Code (VS Code) code editor and development environment contains a security flaw that allows malicious extensions to retrieve authentication tokens stored in Windows, Linux, and macOS credential managers due to a lack of isolation of authentication tokens in VS Code’s Secret Storage API. While the computer giant has acknowledged the problem, it will not be fixed as it stems from an “inherent result of their design choice not to support extension sandboxing.” [Cycode]
↘️ NATO is investigating claims made by SiegedSec, a hacktivist crew that targets government bodies, that it stole 845MB of data belonging to 31 nations. It is still unclear exactly how the group gained access to these information-sharing and IT environments, but it potentially could have been through the use of stolen credentials. [CloudSEK / Cyberint / The Register]
↘️ Multiple campaigns have been observed spreading malware loader families such as GuLoader, GootLoader, and BATLOADER via phishing emails and malicious advertisements impersonating Zoom and TradingView on search engines. In another attack campaign, attackers are leveraging ScreenConnect, delivered via a compromised website, to achieve remote control over the machine and push additional malware such as AsyncRAT. The activity has been dubbed Operation PhantomControl. [Morphisec / ASEC / Trustwave / eSentire / Trend Micro]
↘️ Researchers have found a critical security hole in Minecraft mods called BleedingPipe that hackers are actively exploiting to run malicious commands on the game’s servers and take control of the devices. In a related development, threat actors are also exploiting a 5-year-old bug in Activision’s Call of Duty: Modern Warfare 2 game to propagate a worm. [Minecraft security community / TechCrunch]
↘️ Trojanized installers associated with popular software are being used by threat actors to spread information stealers and remote access trojans like njRAT. [The Hacker News / Cyble]
↘️ Security vulnerabilities have been discovered in the Android-based software powering Peloton treadmills that could potentially grant threat actors access to user databases and install malware that makes the equipment vulnerable to eavesdropping attacks and turn it into a zombie IoT device that can be remotely controlled by a command-and-control (C2) center. [Check Point]
↘️ The release of ChatGPT and Bard clones like FraudGPT, WormGPT, WolfGPT, XXXGPT, and Evil-GPT is a clear sign that generative artificial intelligence can become a potent weapon in the hands of cyber criminals looking to set up phishing scams or create malware, especially as OpenAI, Google, Microsoft, and others take steps to curtail the misuse of their own tools. While they are far from perfect, these chatbots are marketed for illegal activities. [SlashNext / Trustwave / KrebsOnSecurity / WIRED]
↘️ An analysis of more than 19.6 million stealer logs has found that 376,107 of them provide access to corporate SaaS applications. Logs containing access to financial services applications are marketed for an average price of $112.27, compared with $14.31 for those without such access. [Flare]
↘️ The U.K. Electoral Commission disclosed a data breach of its systems that went undetected for over a year, allowing the threat actors to access years’ worth of voter data belonging to 40 million people. The attack is said to have taken place in August 2021, but the authority was only alerted to the hack “by a suspicious pattern of log-in requests to our systems” in October 2022. While the election oversight body has been silent on the technical specifics of the incident, evidence points to the exploitation of ProxyNotShell flaws in Microsoft Exchange servers. [TechCrunch / TechCrunch / The Hacker News]