Cyber Briefing: 2024.09.05
What's going on in the cyber world today?
KTLVdoor Malware, Earth Lusca, Revival Hijack, PyPI, Packages, North Korea, Fake App, FreeConference, EUCLEAK, YubiKey Clone, Security Keys, Cisco, Smart Licensing Utility, Planned Parenthood Federation of America, RansomHub Attack, WSAudiology, UK, Tewkesbury Borough Council, Propark Mobility, Hospital Sisters Health System, US Election Interference, Russia, Initial Access Brokers, Palo Alto Networks, IBM QRadar, Irish Data Protection Commission, X, AI Training, Nigerians Sentenced, Business Email Compromise, Fraud
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
A newly discovered cross-platform malware called KTLVdoor has been linked to cyberattacks by the Chinese-speaking threat actor Earth Lusca. Written in Golang, this malware can target both Windows and Linux systems. KTLVdoor is highly obfuscated and masquerades as legitimate system utilities such as sshd, Java, and SQLite. Once deployed, it can perform tasks like file manipulation, command execution, and remote port scanning. Over 50 command-and-control (C&C) servers, all hosted by Alibaba in China, have been identified as communicating with the malware.
The Revival Hijack supply-chain attack has emerged as a significant threat, endangering over 22,000 PyPI packages by exploiting the reuse of names from deleted packages. Attackers are registering new projects with the names of removed packages, which could lead to malicious code being distributed to developers. This vulnerability arises because PyPI immediately reopens the names of deleted projects for new registrations. Researchers from JFrog have observed this technique in action, noting that deleted packages are frequently targeted.
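The practical defence against name reuse on an index is to make installs depend on content, not on names: pin every requirement to an exact version with a `--hash` so that `pip install --require-hashes` rejects a re-registered package whose files differ, and notice when a pinned version has vanished from the index, which is what a deleted project looks like from the outside. The following auditor is an added example written for this briefing, not code from JFrog or from the PyPI project; the requirements text, the hash values and the index contents are constructed for the demo, and the index dict only mimics the keys of the `releases` object returned by the PyPI JSON API (`https://pypi.org/pypi/<name>/json`), which a real run would fetch.

```python
"""Audit a pip requirements file against name-reuse (Revival Hijack style) risk.

Two defensive checks, both independent of who currently owns the name:
  1. Every requirement is pinned with == and carries at least one --hash, so a
     re-registered package with different contents fails under --require-hashes.
  2. The pinned version still exists on the index; a pinned version that has
     disappeared is the signature of a deleted (possibly re-registered) project.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample requirements file (not from the original article);
# the sha256 digests below are placeholders, not real file hashes.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
example-legacy-lib==1.4.2 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
unpinned-tool>=3.0
loose-pkg==0.9.0
"""

# Constructed stand-in for the version keys of the PyPI JSON API "releases"
# object. "example-legacy-lib" models a project that was deleted and then
# re-registered by someone else: the original 1.4.2 release is gone.
SAMPLE_INDEX = {
    "requests": {"2.31.0", "2.32.3"},
    "example-legacy-lib": {"1.0.0"},
    "unpinned-tool": {"3.1.0"},
    "loose-pkg": {"0.9.0"},
}


@dataclass
class Requirement:
    name: str
    version: Optional[str]          # None when the line is not pinned with ==
    hashes: list = field(default_factory=list)


# Project name, optionally followed by an exact == pin.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s\\]+))?")
# pip's --hash option in the only digest form worth accepting here.
_HASH_RE = re.compile(r"--hash=(sha256:[0-9a-f]{64})")


def parse_requirements(text: str) -> list:
    """Parse requirement lines, joining backslash line continuations first."""
    logical = text.replace("\\\n", " ")
    reqs = []
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        reqs.append(Requirement(
            name=m.group(1).lower(),
            version=m.group(3),
            hashes=_HASH_RE.findall(line),
        ))
    return reqs


def audit(text: str, index: dict) -> list:
    """Return one human-readable finding per failed check."""
    findings = []
    for req in parse_requirements(text):
        if req.version is None:
            findings.append(f"{req.name}: not pinned with ==")
        if not req.hashes:
            findings.append(f"{req.name}: no --hash; cannot be installed with --require-hashes")
        known = index.get(req.name, set())
        if req.version is not None and req.version not in known:
            findings.append(
                f"{req.name}=={req.version}: pinned version missing from index "
                f"(project deleted or re-registered?)"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS, SAMPLE_INDEX):
        print(finding)
```

Running the block against the constructed input reports four findings: the hashed, still-present `requests` pin passes, the `example-legacy-lib` pin is flagged because its version no longer exists on the index, `unpinned-tool` fails both the pin and the hash check, and `loose-pkg` is pinned but unhashed. The vanished-version check is a signal rather than proof, since maintainers can also yank or delete individual releases, but combined with hash pinning it turns a silent name takeover into a failed build.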
North Korean hackers have launched a new campaign, Contagious Interview, targeting job seekers by using a fake video conferencing application posing as FreeConference.com. Discovered in August 2024 by Group-IB, this attack involves tricking victims into downloading a Node.js project containing BeaverTail downloader malware, which then installs the InvisibleFerret Python backdoor. This backdoor enables remote control, keylogging, and browser data theft. The attackers have shifted from previous methods, now using fake installers for Windows and macOS that mimic legitimate software to deliver the malware.
A newly discovered vulnerability, dubbed "EUCLEAK," affects FIDO devices that use Infineon's SLE78 security microcontroller, including Yubico's YubiKey 5 Series. The flaw allows attackers to extract Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys through a side-channel attack involving electromagnetic (EM) emissions. Despite its potential severity, the attack requires extended physical access, specialized equipment, and deep expertise in electronics and cryptography, making it primarily a threat to high-value targets rather than the general user base.
Cisco has addressed two critical vulnerabilities in its Smart Licensing Utility that could allow unauthenticated remote attackers to elevate privileges or access sensitive information. The flaws, identified as CVE-2024-20439 and CVE-2024-20440, both received a CVSS score of 9.8. CVE-2024-20439 involves an undocumented static user credential that could be exploited to gain administrative access, while CVE-2024-20440 stems from excessively verbose debug logs that could expose credentials through crafted HTTP requests. Cisco has released updates for affected versions 2.0.0, 2.1.0, and 2.2.0, advising users to upgrade to version 2.3.0 to mitigate these risks.
On September 4, 2024, RansomHub, a ransomware group, claimed responsibility for a cyber attack on Planned Parenthood Federation of America. The attackers have stolen 93 gigabytes of data from Planned Parenthood, including financial documents, legal records, and personal details. The group posted samples of the stolen data on their dark web leak site and has threatened to release the full data unless their demands are met. Planned Parenthood of Montana, specifically targeted in the breach, has confirmed the incident and is currently investigating the attack while working to manage the potential impact on affected individuals.
WS Audiology, the third-largest hearing aid company globally, has suffered a significant cyberattack impacting its IT systems across Australia, New Zealand, Singapore, and Hong Kong. The breach, first detected on July 5, 2024, has compromised sensitive personal data, including patients' names, health information, and employees' salary and bank details. Russian ransomware group Blacksuit is reportedly behind the attack, threatening to leak the stolen data.
Tewkesbury Borough Council in England has reported significant disruptions to its services following a cyber attack that occurred on Wednesday afternoon. The council has taken immediate action by shutting down its systems and is working closely with the national cyber security center and counter-fraud agency to investigate the incident. As a result, many services are currently unavailable or experiencing delays, and phone lines are expected to be very busy. Residents and businesses are advised to only contact the council if absolutely necessary until normal operations are restored.
On September 3, 2024, ProPark Mobility, a leading provider of parking and mobility services, reported a significant data breach to the California Attorney General. The breach, which involved unauthorized access to the company's computer network, may have resulted in the removal of sensitive employee information. The incident, which occurred between January 15 and January 18, 2024, led ProPark to enlist cybersecurity experts and law enforcement to investigate. Affected individuals have been notified, but specific details regarding the compromised data have not been disclosed.
On September 3, 2024, Illinois-based Hospital Sisters Health System (HSHS) filed a notice with the Texas Attorney General regarding a significant data breach. The breach, which occurred between August 16 and August 27, 2023, compromised sensitive patient information, including names, addresses, dates of birth, Social Security numbers, driver's license numbers, medical record numbers, and medical information. HSHS detected the unauthorized access in August 2023, contained the incident, and is working with third-party security experts to investigate.
Cyber News
On September 4, 2024, the United States launched a major offensive against Russian efforts to influence the 2024 presidential election. The Department of Justice seized 32 internet domains used in a covert Russian campaign, known as "Doppelganger," which aimed to spread government propaganda. Indictments were unsealed against Russian nationals Kostiantyn Kalashnikov and Elena Afanasyeva for allegedly creating a U.S.-based content company to disseminate this propaganda.
Initial access brokers (IABs) are increasingly targeting large organizations with billion-dollar revenues, according to recent research from Cyberint. Analyzing data from the past year and a half, the study found that firms with revenues exceeding $1 billion constituted 27% of all initial access listings for sale in 2023, rising to 33% in the first half of 2024. The average revenue of targeted organizations in early 2024 was nearly $2 billion, reflecting a 1000% increase.
On September 4, 2024, Palo Alto Networks finalized its acquisition of IBM’s QRadar Software as a Service (SaaS) assets in a $500 million deal, marking a significant expansion of its cybersecurity portfolio. This acquisition integrates QRadar’s capabilities into Palo Alto Networks’ Cortex XSIAM platform, enhancing threat prevention with a centralized solution that combines SIEM, SOAR, ASM, and XDR functionalities.
The Irish Data Protection Commission (DPC) has concluded its investigation into X (formerly Twitter) after the company halted its use of European user data for training its AI model, Grok. This decisive action marks a significant precedent in data privacy enforcement under the Data Protection Act 2018. The DPC had raised concerns that X’s practice of incorporating publicly available posts into its AI model without explicit consent violated EU data protection laws. In response, X agreed to cease these practices and comply with stricter data usage guidelines, though it did not admit wrongdoing.
Two Nigerian nationals, Ebuka Raphael Umeti and Franklin Ifeanyichukwu Okwonna, were sentenced in the U.S. for their involvement in a significant business email compromise (BEC) fraud scheme. On August 27, Umeti was sentenced to 10 years in prison, while Okwonna received a five-year and three-month sentence on September 3. Both were ordered to pay approximately $5 million in restitution. The scheme, which operated from February 2016 to July 2021, involved sending phishing emails to steal sensitive information and tricking victims into transferring funds to the defendants' accounts.
Copyright © 2024 CyberMaterial. All Rights Reserved.