Cyber Briefing - 2023.04.18
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
Cyber Alerts
QBot malware is being distributed in phishing campaigns that use PDFs and Windows Script Files (WSF) to infect Windows devices, with the goal of providing initial access to corporate networks for other threat actors. Once inside, the operators spread laterally through the network, steal data and eventually deploy ransomware in extortion attacks. The current campaign relies on reply-chain phishing emails, in which threat actors reply to stolen email threads with links to malware or malicious attachments, and it is being observed worldwide. Because a single QBot infection can escalate into a network-wide compromise, an infected device should be taken offline and the network evaluated for unusual behavior.
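As an added example (not code from the newsletter or from any vendor report), the following Python script triages a message for exactly the lure shape described above: a reply-chain thread carrying a PDF whose job is to open a link, or a Windows Script File attachment. The sample message, the addresses and the filenames are constructed; the extension list and the verdict thresholds are assumptions to tune per environment.

```python
"""Triage an inbound message for the QBot lure pattern: a reply-chain email
carrying a PDF with a URI action, or a Windows Script File (.wsf) attachment.
Added example; the sample message is constructed and all names are invented."""
import email
import re
from email import policy
from email.message import EmailMessage

# Script-host extensions that should never arrive by mail (assumption: policy-dependent)
SCRIPT_EXTENSIONS = {".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe", ".hta"}
# Uncompressed PDF URI action: /URI (http://...) -- see the caveat below the block
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
REPLY_SUBJECT_RE = re.compile(r"^\s*(re|fwd?|aw|wg)\s*:", re.IGNORECASE)


def build_sample() -> bytes:
    """Constructed lure: quoted thread, PDF with a URI action, and a .wsf file."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "ap@corp.example"
    msg["Subject"] = "RE: RE: Invoice 4471 - outstanding balance"
    msg["In-Reply-To"] = "<thread-4471@corp.example>"
    msg.set_content(
        "Hi,\n\nPlease see attached.\n\n"
        "> On 12 Apr you wrote:\n"
        "> Thanks, we will process invoice 4471 next week.\n"
    )
    # Minimal PDF fragment whose OpenAction opens a URL (constructed, not a real document)
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
           b"/OpenAction << /S /URI /URI (http://lure.example/Invoice_4471.zip) >> >>\nendobj\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="Invoice_4471.pdf")
    # Harmless WSF body; the detection keys on the container, not on this script
    wsf = b'<job><script language="JScript">WScript.Echo("x");</script></job>'
    msg.add_attachment(wsf, maintype="application", subtype="octet-stream",
                       filename="Invoice_4471.wsf")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return reply-chain indicators, attachment findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    reply_chain = (
        bool(REPLY_SUBJECT_RE.match(msg.get("Subject", "")))
        or msg.get("In-Reply-To") is not None
        or any(line.startswith(">") for line in body.splitlines())
    )
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"script attachment: {name}")
        if ext == ".pdf" or data.startswith(b"%PDF"):
            for m in PDF_URI_RE.finditer(data):
                url = m.group(1).decode("latin-1", errors="replace")
                findings.append(f"pdf uri action in {name}: {url}")
    if findings and reply_chain:
        verdict = "quarantine"   # attachment type plus thread hijack matches the campaign
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"reply_chain": reply_chain, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(triage(build_sample()))
```

Two caveats for production use: real lure PDFs usually keep their actions inside compressed object streams, so the raw-bytes regex needs a PDF parser that inflates streams (or a sandbox detonation) behind it, and the script extensions should also be checked inside ZIP and ISO containers, which this example does not open.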
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the dangers of CVE-2019-8526 Apple macOS Use-After-Free Vulnerability and CVE-2023-2033 Google Chromium V8 Engine Type Confusion Vulnerability. These vulnerabilities are a frequent attack vector for malicious cyber actors, and CISA has urged all organizations to prioritize timely remediation of catalog vulnerabilities as part of their vulnerability management practice to reduce exposure to cyberattacks.
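The practical use of the catalog is to override CVSS-only ordering: a KEV-listed finding gets a hard remediation date regardless of score. The added example below (not from the newsletter or from CISA) cross-references constructed vulnerability-scanner rows against a KEV-shaped JSON excerpt and ranks them by due date. The excerpt mirrors the catalog's field names, but its dates are illustrative; parse the live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json before acting on the output.

```python
"""Rank scanner findings by CISA KEV membership and due date.
Added example; KEV_SNIPPET is a constructed excerpt in the catalog's JSON
shape (dates illustrative) and SCAN_FINDINGS is constructed scanner output."""
import json
from datetime import date

KEV_SNIPPET = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-2033",
            "vendorProject": "Google",
            "product": "Chromium V8 Engine",
            "vulnerabilityName": "Google Chromium V8 Engine Type Confusion Vulnerability",
            "dateAdded": "2023-04-17",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-05-08",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2019-8526",
            "vendorProject": "Apple",
            "product": "macOS",
            "vulnerabilityName": "Apple macOS Use-After-Free Vulnerability",
            "dateAdded": "2023-04-17",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-05-08",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed scanner output, one row per (host, CVE). The last CVE ID is a
# placeholder rather than a real identifier; it shows non-KEV rows being dropped.
SCAN_FINDINGS = [
    {"host": "ws-0114", "cve": "CVE-2023-2033", "cvss": 8.8},
    {"host": "mac-0021", "cve": "CVE-2019-8526", "cvss": 7.8},
    {"host": "srv-db-03", "cve": "CVE-0000-0000", "cvss": 9.8},
]


def load_kev(kev_json: str) -> dict:
    """Index KEV entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(kev_json: str, findings: list, today: str) -> list:
    """Keep only KEV-listed findings; order by due date, known ransomware use first."""
    kev = load_kev(kev_json)
    now = date.fromisoformat(today)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue   # not known-exploited: the normal CVSS-driven process applies
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": due.isoformat(),
            "days_left": (due - now).days,
            "overdue": due < now,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (r["due"], not r["ransomware"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(KEV_SNIPPET, SCAN_FINDINGS, date.today().isoformat()):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['host']:10} {row['cve']:15} {row['product']:25} due {row['due']} ({flag})")
```

The ordering deliberately ignores CVSS: the 9.8 placeholder finding drops out because it is not in the catalog, while the 7.8 macOS bug is scheduled alongside the 8.8 Chromium one because both carry the same KEV due date.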
Cyble, a cybersecurity firm, recently discovered an Android trojan, dubbed Chameleon, that has been targeting users in Australia and Poland by mimicking the CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank. The malware is distributed through compromised websites, Discord attachments, and Bitbucket hosting services. Chameleon includes a wide range of malicious functionality, including stealing user credentials through overlay injections and keylogging, and harvesting cookies and SMS messages from the infected device. The malware evades detection by performing a variety of environment checks and requests permission to use the Accessibility Service, which it abuses for its overlay and keylogging features. Android users are advised to be cautious with the apps they install on their devices and to ensure that Google Play Protect is always enabled.
The Cybersecurity and Infrastructure Security Agency (CISA) has released the SBOM Sharing Lifecycle Report to help the cybersecurity and supply chain communities choose the right SBOM sharing solutions. The report describes the different parties and phases involved in the SBOM Sharing Lifecycle and provides insights into the current SBOM sharing landscape. The aim is to help readers choose a suitable SBOM sharing solution based on available resources and subject-matter expertise.
A new malware, Domino, developed by threat actors likely affiliated with the FIN7 cybercrime group, has been put to use by former members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. Domino is designed to facilitate follow-on exploitation on compromised systems, including delivering an information stealer that has been advertised for sale on the dark web since December 2021. IBM Security X-Force reported that former members of the TrickBot/Conti syndicate have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike.
Chinese state-sponsored hacking group APT41 was found using the GC2 (Google Command and Control) red teaming tool in attacks against a Taiwanese media company and an Italian job search site. The open-source project was abused to download and install additional payloads from Google Drive and exfiltrate stolen data to the cloud storage service. This is part of a growing trend of threat actors moving to legitimate red teaming tools and RMM platforms as part of their attacks.
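GC2 is documented by its author as tasking implants through a Google Sheet and moving files through Google Drive, so both halves of the channel are ordinary HTTPS to Google API hosts and blend into normal traffic at the network edge. The added example below (not from the newsletter, Google, or the GC2 project) hunts over constructed EDR-style network-connection events for non-browser processes talking to those endpoints; the event schema and the process allowlist are assumptions to adapt to your tooling.

```python
"""Hunt for GC2-style abuse of Google APIs: a process that is not a browser
or a known Google client talking to the Sheets and Drive API endpoints.
Added example; EVENTS is constructed in a generic EDR-like shape."""
from collections import defaultdict

# API hosts used by the Sheets v4, Drive v3 REST and OAuth token endpoints
GOOGLE_API_HOSTS = {
    "sheets.googleapis.com": "sheets",
    "www.googleapis.com": "drive",      # Drive v3 lives under /drive/v3/ on this host
    "oauth2.googleapis.com": "oauth",
}
# Processes expected to use these APIs directly (assumption: tune per estate)
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Constructed network-connection events (host, process image name, destination)
EVENTS = [
    {"host": "ws-017", "process": "chrome.exe", "dst": "www.googleapis.com"},
    {"host": "ws-017", "process": "updater.exe", "dst": "oauth2.googleapis.com"},
    {"host": "ws-017", "process": "updater.exe", "dst": "sheets.googleapis.com"},
    {"host": "ws-017", "process": "updater.exe", "dst": "www.googleapis.com"},
    {"host": "ws-042", "process": "GoogleDriveFS.exe", "dst": "www.googleapis.com"},
    {"host": "ws-042", "process": "report.exe", "dst": "sheets.googleapis.com"},
]


def hunt(events: list) -> list:
    """Group API usage per (host, process) and grade it.

    'high'   : the process reached both the tasking (Sheets) and the
               transfer (Drive) endpoint, the full GC2 pattern.
    'medium' : an unexpected process touched one of the API hosts.
    """
    seen = defaultdict(set)
    for e in events:
        api = GOOGLE_API_HOSTS.get(e["dst"].lower())
        proc = e["process"].lower()
        if api is None or proc in ALLOWED_PROCESSES:
            continue
        seen[(e["host"], proc)].add(api)
    alerts = []
    for (host, proc), apis in seen.items():
        severity = "high" if {"sheets", "drive"} <= apis else "medium"
        alerts.append({"host": host, "process": proc,
                       "apis": sorted(apis), "severity": severity})
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["host"]))


if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(f"{a['severity']:6} {a['host']} {a['process']} -> {', '.join(a['apis'])}")
```

The process-level view is what makes this usable: at a proxy you only see the hostnames, and www.googleapis.com fronts many APIs, so add a URL-path condition (a `/drive/v3/` prefix) there instead of matching on host alone.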
NCR, formerly known as National Cash Register, has become the latest victim of the BlackCat/ALPHV ransomware gang. The attack caused an outage on the company’s Aloha point-of-sale platform, used by many in the restaurant industry. The group claims to have stolen customer credentials and threatened to leak them if ransom was not paid, with demands ranging from tens of thousands to tens of millions of dollars.
Researchers have found a new Android malware called "Goldoson" that was spread through 60 legitimate apps on the official Google Play store, totaling more than 100 million downloads in South Korea. Goldoson collects sensitive data, including lists of installed applications, Wi-Fi and Bluetooth device information, and nearby GPS locations, and can perform ad fraud by clicking advertisements in the background without the user’s consent. While some apps were updated by removing the malicious library, others were removed from Google Play.
German armaments and technology company, Rheinmetall, was the victim of a cyberattack that targeted all three of its divisions over the weekend. However, the company has stated that the attack did not impact its operations. The cybercrime section of the public prosecutor’s office in Cologne is aware of the attack and is currently investigating.
Volvo's retailer in Brazil, Dimas Volvo, has been leaking sensitive files through its website, exposing its customers across the country. The leaked files could have been used by malicious actors to hijack official communication channels and infiltrate the company's systems. The issue causing the leak has been fixed, but Volvo is not the only car brand to expose itself and its customers recently; BMW and Toyota have also experienced data leaks.
Hundred Finance, a multi-chain lending protocol, has disclosed that it lost around $7 million following a hack on the Ethereum layer-2 blockchain Optimism. The protocol team is preparing a post-mortem on the attack and is advising people not to speculate until an official statement is released. Additionally, Hundred Finance is trying to establish a dialogue with the hacker in hopes of recovering some or all of the stolen funds.
Cyber News
The Chinese hacker group, Vixen Panda, is suspected of targeting foreign ministries in various European countries. The hackers showed a keen interest in policy documents, as per a new report by Euractiv. While the Foreign Ministry State Secretary could not confirm the alleged Chinese involvement, the investigation into the attack is still underway.
QuaDream, an Israeli spyware vendor, is reportedly shutting down its operations following the exposure of its hacking toolset by Citizen Lab and Microsoft last week. The company's board of directors is looking to sell off its intellectual property, according to reports. The spyware framework, REIGN, was used against journalists, political opposition figures, and NGO workers across multiple continents.
Cybersecurity solutions provider ZeroFox is set to acquire threat intelligence and attack surface management company LookingGlass for roughly $26 million. The acquisition will integrate LookingGlass technology into ZeroFox's platform for enhanced visibility into external attack surface assets and vulnerabilities. The move comes amid a flurry of cybersecurity-related mergers and acquisitions (M&As), with more than 450 M&As announced in 2022, including 17 deals involving threat intelligence companies and 10 involving web security firms.
Peaches Stergo scammed an 87-year-old Holocaust survivor out of his life savings, taking $2.8 million from him while funding a lavish lifestyle that included a house in a gated community, a Corvette, Rolex watches, vacations, and more. Stergo met the victim on a dating site in early 2017 and continued the scam for four-and-a-half years. She pleaded guilty to one count of wire fraud and faces up to 20 years in prison.
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.