A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition’s top stories -
↘️ A sophisticated cyber espionage platform called StripedFly masqueraded for years as a run-of-the-mill cryptocurrency miner. While it can indeed mine crypto, that's just the tip of the iceberg of what is a fully featured modular framework capable of harvesting sensitive data from compromised hosts. StripedFly exhibits some similarities to Equation Group malware and has a coding style and practices that resemble an NSA implant codenamed STRAITBIZARRE, although there is no conclusive evidence connecting it to the suspected NSA hacking group. What's more, questions hover around the true motive of its perpetrators — a question further muddled by the existence of a related ransomware component known as ThunderCrypt. [The Hacker News / Kim Zetter]
↘️ Researchers have discovered a “kill switch” that appears to have put an end to the infamous Mozi botnet, which exploited security vulnerabilities in IoT devices. The first indications that something was off appeared in August when the botnet’s activity abruptly dropped from over 13,000 bots to about 3,000. ESET, which found the kill switch in late September 2023, said the payload was sent to the infected devices, effectively deactivating the Mozi malware. Among the evidence that the botnet shutdown was calculated is that the update carrying the kill switch was signed with the correct private key and has a strong connection to the botnet's original source code. [The Hacker News]
↘️ Russia’s Federal Security Service (FSB) has detained two men suspected of launching cyber attacks against domestic IT assets in support of Ukraine. “As part of it, he carried out computer attacks using malicious software on Russian information resources, which led to disruption of the country’s critical infrastructure facilities,” the FSB was quoted as saying. A criminal case has been opened against both of them under Article 275 of the Russian Federation Criminal Code. [Kommersant]
↘️ Microsoft announced that it will update security protections for signing keys after coming under criticism that deficient security controls allowed Chinese hackers named Storm-0558 to steal a Microsoft account (MSA) consumer signing key. To that end, the company said it intends to use hardware security modules (HSMs) to store and protect keys in hardware, and to encrypt data at rest, in transit, and during computation. [Microsoft]
↘️ The multi-faceted Flipper Zero device can carry out DoS attacks on iPhones running iOS 17 by continuously sending Bluetooth pairing requests, rendering the device unusable. The spam attacks have now also been ported to an Android app, effectively eliminating the need for a Flipper Zero. The only reliable way to protect against the pop-up spam and crash attacks is by disabling Bluetooth, a solution that may not be practical if you use an Apple Watch or Bluetooth headphones regularly. [Ars Technica / Bleeping Computer]
↘️ Natalie Mottram, a former intelligence analyst working for the police in England who pleaded guilty to tipping off a criminal friend about law enforcement’s access to the encrypted communications platform EncroChat, has been sentenced to three years and nine months in prison. [NCA]
↘️ Okta disclosed that the recent cyber attack on its support system impacted 134 customers, five of whom were targeted with session hijacking attacks. It said the breach was facilitated due to an employee who logged into a likely compromised personal Google account on a company-managed laptop, exposing a service account credential that had permissions to view and update customer support cases. Over the past year, Okta has found itself in the crosshairs of multiple hacking groups that target its infrastructure to break into third-party organizations. [The Hacker News]
↘️ Discord announced plans to switch to temporary file links for all users by the end of the year to block attackers from using its content delivery network (CDN) for hosting and pushing malware. [Bleeping Computer]
↘️ The North Korea-backed threat actor called BlueNoroff is targeting Apple customers with new macOS malware tracked as ObjCShellz that can open remote shells on compromised devices. BlueNoroff (aka APT28 and Sapphire Sleet) is a group within the Lazarus umbrella that specializes in financial crime. ObjCShellz is thought to be a post-exploitation implant used as part of a multi-stage malware attack. A slightly unusual feature present in the malware is that it logs the victim server’s responses to the malware commands – both successes and failures. The means of infection is currently unknown, although the target is believed to be a company in the cryptocurrency sector. The scale or success of the social engineering campaign isn't currently understood. The latest development highlights the progressive sophistication of North Korean threat actors, which add new tools to their arsenal on a regular basis, even as they have begun to collaborate in an unprecedented manner, coordinating efforts and sharing both tools and information. The simultaneous convergence and diversification paints a picture of the ever-evolving adaptability and complexity of North Korea’s offensive programs. [The Hacker News]
↘️ The App Defense Alliance (ADA), an initiative set up by Google back in 2019 to combat malicious Android apps infiltrating the Play app store, has joined the Joint Development Foundation (JDF), a Linux Foundation project focused on helping organizations working on technical specifications, standards, and related efforts, with Meta, Microsoft, and Google joining as founding steering members. [Google / Linux Foundation]
↘️ Russian threat actors are getting better at building an offensive OT arsenal that can be used to breach critical infrastructure. In one cyber-physical attack that led to a power outage in Ukraine in October 2022, the adversary known as Sandworm — Unit 74455 of Russia's GRU spy agency — leveraged living-off-the-land techniques to stealthily achieve its goals within four months of obtaining initial access through unknown means. The unplanned power outage coincided with mass missile strikes on critical infrastructure across Ukraine, likely emerging as a rare example of coordinated Russian cyber and kinetic attacks. The development is the first time since 2016 that the power has gone out in Ukraine due to a cyberattack. [WIRED / The Hacker News / CyberScoop]
↘️ Since September 2022, Royal has targeted over 350 known victims worldwide and its ransomware demands have exceeded $275 million, the U.S. government said. Royal, which is suspected to have emerged from the ashes of the now-defunct Conti Group, may also be gearing up for a fresh rebrand under the name BlackSuit. The development comes as the short-lived ransomware outfit Ransomed.vc claimed to have shut down for good after a number of suspected arrests. [The Hacker News]
↘️ TETRA, a set of encryption algorithms used to secure emergency radio communications, is expected to enter the public domain after a number of security flaws were disclosed earlier this year, prompting criticism that proprietary encryption algorithms make it harder to detect issues. [The Register]
↘️ The U.S. government has released a roadmap for artificial intelligence (AI) after President Joe Biden issued an Executive Order to globally promote AI safety standards, safeguard U.S. networks and critical infrastructure, and address the potential weaponization of AI. In September 2023, the National Security Agency (NSA) announced the creation of the AI Security Center to oversee the development and integration of artificial intelligence capabilities within U.S. national security systems. [CISA / White House / Department of Defense / WIRED]
↘️ Encrypted email service Tuta (formerly known as Tutanota) vehemently disputed allegations from a former Royal Canadian Mounted Police (RCMP) intelligence officer that it’s a honeypot for law enforcement and intelligence services. “It is not linked to any secret service and there is no backdoor included. It is not even necessary to trust our words, as our entire client code is published so that anyone can verify that there is no backdoor,” the company said. [Tuta]
↘️ Molerats, a threat actor active in the Middle East for over a decade, has improved its attack tools with an initial access downloader called IronWind in its attacks targeting government entities. The attacks, observed from July through October 2023, entail different variants of the attack chain, which has been tweaked to use various lures, focusing on Dropbox links in July, Excel files in August, and RAR archives in October. Besides iterating on their efforts, the threat actors have employed geofencing to limit the scope of the attacks, redirecting parts of the attack chain to benign documents on legitimate servers to avoid detection. [The Hacker News]
↘️ Law enforcement agencies in Ukraine and Czechia have disrupted a multimillion-dollar fraud gang who called victims impersonating bank staff, using classic voice phishing (vishing) techniques to trick them into “transfer[ring] funds from their ‘compromised’ bank accounts to ‘safe’ bank accounts controlled by the criminals,” resulting in losses of €8 million in Czechia alone. Ten suspects have been arrested in connection with the operation. In a related development, Thomas Kennedy McCormick, 30, has been sentenced to 18 years in prison for his role as the administrator of the now-defunct cybercrime forum Darkode, which was dismantled in July 2015. McCormick was arrested on December 10, 2018, and pleaded guilty in March 2020. [Europol / Department of Justice]
↘️ The Australian Signals Directorate (ASD) has revealed that cyber security incidents impacting Australian critical infrastructure increased by almost one-third in the 2022-23 financial year, reaching 143. It also said that one in five critical vulnerabilities was exploited within 48 hours of public disclosure. The U.K. National Cyber Security Centre (NCSC), in a similar vein, said critical sectors are facing an ‘enduring and significant’ threat, in part due to a rise in state-aligned groups and an increase in aggressive cyber activity. [ASD / NCSC]
↘️ Over a dozen critical vulnerabilities have been discovered in the infrastructure used by AI models, such as H2O-3, MLflow, and Ray, that could expose them to system takeover and sensitive information theft, resulting in severe impacts to the AI supply chain. [Protect AI / Dark Reading]
↘️ There has been a 202% increase in bots attempting to take over consumer financial accounts in Q2 2023, and a 164% increase in bots attempting to establish fake new bank accounts. 21% of traffic going to dating sites in the first half of 2023 was bad bot traffic. What’s more, intelligent bot traffic that employs machine learning and AI to mimic human behavior and evade detection has witnessed a substantial increase. The surge in bot and human fraud farm attacks is driven by generative AI (to unleash web scraping attacks) and cybercrime-as-a-service (CaaS) offerings. “This shift lowers the barrier to entry and grants access to cybercrime for a broader range of individuals, making it easier for those with limited technical skills to use fully automated bots at scale that cause widespread damage to businesses and consumer,” according to a report from Arkose Labs. [Arkose Labs]
↘️ Multiple fake accounts impersonating cryptocurrency scam investigators and blockchain security companies like CertiK, ZachXBT, and Scam Sniffer are promoting phishing pages to drain wallets in an ongoing campaign on X (formerly Twitter). The fake accounts induce a sense of urgency by claiming a security breach on Uniswap or OpenSea, urging potential victims to revoke their permissions by clicking on a bogus link that urges them to connect their wallets. [Bleeping Computer]
↘️ Hackers affiliated with a loose-knit online community called The Com are using online casinos, including the gambling company Stake, to multiply and attempt to launder their ill-gotten gains, offering insight into the myriad ways threat actors use the stolen cryptocurrency to their advantage. [404 Media]
↘️ Low-budget Android tablets marketed for children on Amazon have been found preloaded with the Corejava malware, which was also discovered embedded in the software of cheap Android-powered TVs earlier this year, and a potentially unwanted program named Adups that’s capable of automatically downloading and installing new malware from the internet in the form of over-the-air updates. [EFF / TechCrunch]
↘️ Microsoft celebrated 20 years of Patch Tuesday, calling it “an initiative that has become a cornerstone of the IT world’s approach to cybersecurity.” The pattern of releasing security updates on the second Tuesday of every month underscored the “idea of a predictable schedule for patch releases, shifting from a ‘ship when ready’ model to a regular weekly, and eventually, monthly cadence,” Microsoft said. Patch Tuesday was conceived and implemented in 2003. [Microsoft]