U.S. adults lost over $10 billion to fraud in 2023
Investment scams are the biggest earner for threat actors
↘️ The U.S. Securities and Exchange Commission (SEC) said it fell victim to a SIM swapping attack and that its X (formerly Twitter) account was not secured with multi-factor authentication (MFA), enabling malicious actors to take control of its account and falsely claim that bitcoin ETFs had been approved. SIM swapping is a technique used to transfer a person’s phone number to another device without authorization, allowing the unauthorized party to begin receiving voice and SMS communications associated with the number, including one-time passwords. SEC, which has since enabled MFA to secure the account, said it’s investigating how the party knew which phone number was associated with the account and how they got the carrier to change the SIM. In the aftermath of the incident, X has announced support for passkeys, but only for U.S.-based iOS users. [SEC]
↘️ An exposed API associated with Atlassian’s Trello project management tool can be abused to link private email addresses with public Trello accounts, enabling the creation of millions of data profiles containing both public and private information. Threat actors have been observed leveraging this loophole to create a dataset comprising over 15 million records, bypassing rate-limiting protections by rotating connections through proxy servers. To prevent the API from being misused further, Atlassian has implemented a change such that unauthenticated users/services cannot request another user’s public information by email. [Bleeping Computer]
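The two failure points in the Trello item are an unauthenticated email-to-profile lookup and a quota keyed only to the caller's source IP, which proxy rotation resets. The following added example (not Atlassian's or Trello's code; the endpoint names, limits, session tokens and member records are all constructed for illustration) models both the weak endpoint and the hardened one, where callers must present a session and the quota follows the authenticated account rather than the IP.

```python
"""Model of an email-to-profile lookup API: weak vs. hardened form.
Added example with constructed data; not Trello's implementation."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data: private email -> the member's public profile.
MEMBERS = {
    "alice@example.com": {"username": "alice_w", "full_name": "Alice W."},
    "bob@example.com": {"username": "bobby", "full_name": "Bob B."},
}

# Constructed session store: bearer token -> account id.
SESSIONS = {"token-alice": "alice_w", "token-bob": "bobby"}


@dataclass
class Request:
    email: str
    source_ip: str
    auth_token: Optional[str] = None


@dataclass
class Service:
    per_key_limit: int = 5  # assumed quota per throttling key
    counts: Dict = field(default_factory=lambda: defaultdict(int))

    def _over_quota(self, key) -> bool:
        self.counts[key] += 1
        return self.counts[key] > self.per_key_limit

    def weak_lookup(self, req: Request) -> Tuple[int, Optional[dict]]:
        # Weak form: no authentication, and the quota is keyed to the
        # source IP, so each fresh proxy address starts a fresh counter.
        if self._over_quota(("ip", req.source_ip)):
            return 429, None
        profile = MEMBERS.get(req.email)
        return (200, profile) if profile else (404, None)

    def hardened_lookup(self, req: Request) -> Tuple[int, Optional[dict]]:
        # Hardened form: an authenticated principal is required, and the
        # quota is keyed to that principal, so rotating IPs does not help.
        account = SESSIONS.get(req.auth_token or "")
        if account is None:
            return 401, None
        if self._over_quota(("account", account)):
            return 429, None
        profile = MEMBERS.get(req.email)
        return (200, profile) if profile else (404, None)


def simulate_rotation(service: Service, lookup_name: str, n: int,
                      auth_token: Optional[str] = None) -> int:
    """Issue n lookups for one email, each from a different source IP
    (simulated proxy rotation), and return how many succeeded (HTTP 200)."""
    lookup = getattr(service, lookup_name)
    ok = 0
    for i in range(n):
        req = Request("alice@example.com", f"198.51.100.{i + 1}", auth_token)
        status, _ = lookup(req)
        ok += status == 200
    return ok


if __name__ == "__main__":
    svc = Service()
    print("weak, 50 rotated IPs, anonymous:", simulate_rotation(svc, "weak_lookup", 50))
    print("hardened, anonymous:", simulate_rotation(svc, "hardened_lookup", 50))
    print("hardened, one account:", simulate_rotation(svc, "hardened_lookup", 50, "token-bob"))
```

Keying the quota to the authenticated account is what makes the limit meaningful: an enumeration campaign now needs a supply of real accounts, each of which can be rate-limited, audited and suspended, instead of a supply of disposable IP addresses.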
↘️ A new espionage campaign potentially targeting the Indian Air Force has been found to leverage phishing lures to deliver an open-source information-stealing malware called Go Stealer that uses an actor-controlled Slack channel as a data exfiltration point. The development comes as asylum seekers in the U.S. have been targeted by MetaStealer malware via booby-trapped ZIP files likely distributed via spam emails. [Cyble]
↘️ A new Java-based “sophisticated” information stealer called NS-STEALER uses a Discord bot to exfiltrate sensitive data from compromised hosts. NS-STEALER is far from the only Java-based stealer to be discovered in recent months. Previously, researchers uncovered another strain known as Rude Stealer that comes fitted with features to plunder a wide range of information and transmit it to a Telegram channel. Rude Stealer can also retrieve system specifications from a victim’s machine by executing the DirectX Diagnostic Tool (DxDiag), a Windows utility for diagnosing and troubleshooting DirectX, graphics, and sound-related issues. [The Hacker News]
↘️ Hackers siphoned $1.7 billion from cryptocurrency platforms in 2023, down by about $2 billion from a record high set the previous year. On the other hand, the number of individual hacking incidents grew from 219 in 2022 to 231 in 2023. The drop has been attributed to a decline in attacks targeting DeFi protocols. In 2023, hackers stole $1.1 billion from DeFi protocols, a 63.7% decline year-over-year. North Korean threat actors are estimated to have stolen over $1.0 billion from 20 attacks, up from 15 in 2022. But to compensate for the loss of income from DeFi hacks, North Korean hacking groups diversified their attacks in 2023, adding centralized crypto platforms and crypto wallets (e.g., Atomic Wallet, Alphapo, and Coinspaid) to their victim portfolio. [Chainalysis]
↘️ A pervasive and complex traffic distribution system (TDS) named VexTrio has been active since at least 2017, forging relationships with over 60 affiliates in their cybercrime operations through a massive network of 70,000 sites. These malicious campaigns are designed to redirect unsuspecting users to malicious destinations like phishing pages, scams, exploit kits, and malware-dropping sites on an unprecedented scale. In exchange for money from cybercrime groups, VexTrio acts as an “intermediary traffic broker” for microtargeting visitors to compromised WordPress sites by filtering traffic based on information gleaned from their browsers and redirecting them to malicious content should they match a predefined profile. It also incorporates a bevy of tricks to evade detection: a dictionary domain generation algorithm (DDGA) to dynamically generate large numbers of domains, multi-staged chains of TDS redirections, URL query parameter names that overlap with referral links used by legitimate TDS networks, and relying on the DNS protocol to achieve the redirections. [The Hacker News]
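One of the evasion tricks listed above, a dictionary domain generation algorithm, produces domains that look pronounceable and benign. A defender can turn that property into a signal: a label that splits cleanly into several dictionary words is worth a second look when it appears in DNS logs alongside other indicators. The following added example (a generic heuristic written for this page, not VexTrio's algorithm and not any vendor's detector; the wordlist, the log lines and the label-extraction rule are constructed assumptions) segments the registrable label of each queried name into dictionary words with a shortest-split dynamic program and flags names that need at least two words to cover the whole label.

```python
"""Flag dictionary-word domains in DNS query logs (added example).
Heuristic only; wordlist and log lines are constructed for the demo."""
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed wordlist. A real deployment would use a full dictionary
# plus an allowlist of known brands that happen to be dictionary words.
WORDS: Set[str] = {
    "cloud", "report", "weather", "news", "radar", "quick", "hot", "sun",
    "set", "global", "market", "secure", "login", "update", "alert",
    "fast", "data", "drive", "home", "page",
}

# Constructed DNS query log in an assumed key=value format.
LOG = """\
2024-01-20T10:00:01Z client=10.0.0.5 qtype=A qname=quickweatherreport.example
2024-01-20T10:00:02Z client=10.0.0.5 qtype=A qname=www.hotnewsradar.example
2024-01-20T10:00:03Z client=10.0.0.7 qtype=A qname=xk7q9z.example
2024-01-20T10:00:04Z client=10.0.0.7 qtype=A qname=news.example
"""


def segment(label: str, words: Set[str] = WORDS) -> Optional[List[str]]:
    """Return the split of `label` into the fewest dictionary words, or
    None if no complete split exists. Dynamic programming over prefixes:
    best[i] is the shortest split of label[:i]."""
    n = len(label)
    max_len = max(len(w) for w in words)
    best: List[Optional[List[str]]] = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(max(0, i - max_len), i):
            if best[j] is not None and label[j:i] in words:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[n]


def registrable_label(domain: str) -> str:
    # Assumption for the demo: the registrable label is the second label
    # from the right. Real code would consult the public suffix list.
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str, allowlist: FrozenSet[str] = frozenset()) -> Dict:
    """Describe one domain: its registrable label, the word split (if any)
    and whether it looks DDGA-like (two or more words, each 3+ letters)."""
    label = registrable_label(domain)
    parts = segment(label)
    ddga_like = (
        label not in allowlist
        and parts is not None
        and len(parts) >= 2
        and all(len(p) >= 3 for p in parts)
    )
    return {"domain": domain, "label": label, "words": parts, "ddga_like": ddga_like}


def scan_dns_log(text: str, allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the queried names from a key=value DNS log that look DDGA-like."""
    flagged = []
    for line in text.splitlines():
        qname = next((tok[len("qname="):] for tok in line.split() if tok.startswith("qname=")), None)
        if qname and classify(qname, allowlist)["ddga_like"]:
            flagged.append(qname)
    return flagged


if __name__ == "__main__":
    for name in scan_dns_log(LOG):
        print(name, classify(name)["words"])
```

The heuristic on its own produces false positives (many legitimate brands are two dictionary words), so it belongs in a scoring pipeline next to domain age, the length of the redirect chain that led to the query, and reputation data, not as a blocking rule by itself; the allowlist parameter is there for exactly that reason.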
↘️ The iPhones belonging to two journalists in the African country of Togo, Loïc Lawson and Anani Sossou, have been compromised by the infamous Pegasus spyware developed by Israeli company NSO Group. The infections are said to have taken place in 2021. [Reporters Without Borders]
↘️ Artificial intelligence (AI) tools will have an adverse near-term impact on cybersecurity, helping escalate the threat of ransomware, the U.K. National Cyber Security Centre (NCSC) warned. AI is also expected to enhance reconnaissance and social engineering, and generate malware that could evade detection by current security filters if it is trained on quality exploit data. “By lowering the barrier of entry to novice cyber criminals, hackers-for-hire and hacktivists, AI enables relatively unskilled threat actors to carry out more effective access and information-gathering operations,” the agency said. “This enhanced access, combined with the improved targeting of victims afforded by AI, will contribute to the global ransomware threat in the next two years.” [NCSC]
↘️ A comprehensive code security audit focusing on several components of the Tor anonymity network has discovered more than a dozen vulnerabilities, including a cross-site request forgery (CSRF) bug affecting the Onion Bandwidth Scanner (Onbasca) that can allow an unauthenticated attacker to inject bridges into the database. [The Tor Project]
↘️ The U.S. government said it disrupted a China-linked botnet called KV-botnet that hijacked hundreds of infected routers and was used by a threat actor named Volt Typhoon to covertly target American and allied critical infrastructure networks. [The Wall Street Journal / The Hacker News / Dark Reading]
↘️ A new wave of phishing attacks has abused Microsoft Teams group chat requests to push malicious attachments that install DarkGate malware payloads on victims’ systems. The same technique was previously observed in October 2023. The surge in DarkGate malware attacks in recent months is attributed to the disruption of the QakBot botnet by law enforcement in late August 2023, prompting threat actors to turn to DarkGate as their preferred means of initial access to corporate networks. [AT&T / Kroll]
↘️ South Korea’s intelligence agency reported that North Korean threat actors are using generative AI technology to conduct sophisticated cyber attacks and identify hacking targets. “North Korea has demonstrated a comprehensive approach to developing its AI/ML capabilities across sectors, encompassing government initiatives, academia and commercial applications,” 38 North said in a report published last month. “There is evidence of concerted efforts to leverage these technologies, such as nuclear safety and wargaming, to achieve its broader economic and technological goals.” The development comes as cybercriminals are experimenting with generative AI, including sharing jailbreaks, although there is also a lot of skepticism about the efficacy of GPTs and LLMs. [The Korea Times / 38 North / Reuters / Sophos]
↘️ More than a dozen vulnerabilities, collectively dubbed 5Ghoul, have been discovered plaguing hundreds of smartphone models that employ specific 5G modems from Qualcomm and MediaTek. The 14 security defects can be exploited to drop and freeze 5G connections on smartphones and routers, and to conduct downgrading attacks. [The Hacker News]
↘️ Datatilsynet, the Danish data protection authority, issued an injunction after finding that Google uses student data from Chromebooks and Google Workspace in schools for its own purposes such as performance analytics or developing new features. “The municipalities must comply with the order from August 1, 2024, but must state by March 1 at the latest how they intend to comply with it,” the agency said. The regulator ruled that municipalities aren’t allowed to send Google data unless the laws change, or Google provides a way to exclude students’ information from processing. The development comes as Dutch regulators imposed a €10 million fine on ride-hailing app Uber for lack of transparency in treating the personal data of its drivers. It also follows a €10 million fine issued by the French Data Protection Authority to Yahoo! for failing to respect the choice of Internet users who refused cookies on its Yahoo[.]com website and for not allowing users of its Yahoo! Mail messaging service to freely withdraw their consent to cookies. France has previously penalized companies including Google, Meta, Amazon, Microsoft, Apple, and TikTok for similar breaches. [Datatilsynet / CNIL / CNIL]
↘️ Threat actors from North Korea known as Kimsuky have been observed using new Golang malware such as Troll Stealer and GoBear. The development is another reminder of the prolific nature of North Korean-linked cyber operations that have targeted South Korea, the U.S., and entities around the world for years. The development coincides with a United Nations probe into 58 suspected cyber attacks carried out by North Korean nation-state actors that netted $3 billion in illegal revenues to help it further develop its nuclear weapons program. [The Hacker News / Reuters]
↘️ A China-linked threat actor dubbed Volt Typhoon has targeted U.S. critical infrastructure and maintained access and footholds in some victim information technology environments “for at least five years.” The group, estimated to be active since June 2021, is known for its strong focus on operational security, allowing it to penetrate networks and remain undetected for years. While the strategy of staying hidden by using legitimate utilities and blending in with normal traffic isn't a new phenomenon in cybercrime, it does make it difficult for organizations to actively scan for malicious activity. [The Hacker News]
↘️ An underground service called OnlyFake allegedly uses neural networks to generate realistic photos of fake IDs for just $15, raising concerns that it could streamline bank fraud and the laundering of stolen funds. 404 Media, which used the service to create the IDs, said it was able to “successfully step through the identity verification check of a cryptocurrency exchange.” The service has since gone offline. [404 Media]
↘️ In a weird turn of events, a security researcher named Noah Roskin-Frazee and his accomplice, Keith Latteri, are facing charges for defrauding Apple out of $2.5 million by exploiting a flaw in a backend system called Toolbox and ordering gift cards and hardware for themselves. Roskin-Frazee is credited with reporting CVE-2023-38593 and CVE-2023-42894 to Apple last year. [The Register / 404 Media]
↘️ The payments made by victims of ransomware attacks doubled in 2023 compared to the previous year, exceeding $1 billion, according to Chainalysis, which looked at the cryptocurrency wallets known to be used by cybercrime groups to receive ransom payments from targeted organizations. In a related development, U.S. adults lost over $10 billion to fraud in 2023, a 14% increase year-over-year, with investment scams the biggest earner for threat actors, earning them $4.6 billion. [The Hacker News / WIRED / FTC]
↘️ An ongoing cloud account takeover (ATO) campaign has targeted dozens of Microsoft Azure environments and compromised hundreds of user accounts, including senior executives. The activity, underway since November 2023, targets users with individualized phishing lures within shared documents that redirect users to malicious phishing web pages and harvest credentials for data exfiltration, internal and external phishing, and financial fraud. [Proofpoint]
↘️ VPN service provider ExpressVPN temporarily removed the split tunneling feature — which limits which apps send their traffic through the VPN — from the latest version of its software to “minimize the potential ongoing risk to customers” after finding a bug in the way it handled DNS requests for users who have split tunneling activated. The issue — present in versions 12.23.1–12.72.0 published between May 19, 2022, and February 7, 2024 — meant that DNS requests were sent to the user’s internet service provider (ISP) instead of a dedicated ExpressVPN server, thereby allowing the ISP to see what domains are being visited by that user, although they “still can’t see any individual webpages, searches, or other online behavior.” [ExpressVPN]
↘️ The European Court of Human Rights (ECHR) ruled that weakening end-to-end encryption disproportionately risks undermining human rights. The ruling is expected to throw a wrench into the E.U.’s proposed plans to require email and messaging service providers to create backdoors that would allow law enforcement to easily decrypt users’ messages. [Ars Technica]
↘️ Advanced persistent threats (APTs) aligned with China, Iran, North Korea, and Russia are all using large language models (LLMs) to enhance their operations, albeit as a productivity tool to complement their reconnaissance and malware development efforts. While none of these LLM abuses observed so far have been particularly devastating, the development comes as the rapid proliferation of AI models in recent months has prompted alarm bells, cautioning of privacy and security risks and the broader misuse of the technology to produce disinformation at scale and craft more effective spear-phishing lures. Talk about opening the Pandora's Box! [The Hacker News]
↘️ “Hunter-killer” malware, which is designed to seek out and disable enterprise security defenses, has witnessed a 333% surge between 2022 and 2023, demonstrating a drastic shift in adversaries’ ability to identify and neutralize advanced enterprise defenses such as next-gen firewalls, antivirus, and EDR. [Picus Security / SecurityWeek]