Cyber Briefing - 2023.06.02

The latest in cybersecurity: MOVEit, RokRAT, ScarCruft, QBot, iPhones hacked, Horabot, Casepoint, HPHC, Bratislava, Prosperix, JD Group, Cisco, Armorblox, Google.

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.




Cyber Alerts


1. ICS Insights: CISA's Five New Advisories

On June 1, 2023, CISA (the Cybersecurity and Infrastructure Security Agency) released five Industrial Control Systems (ICS) advisories. Each advisory describes current security issues, vulnerabilities and potential exploits affecting a specific ICS product, together with the vendor's recommended mitigations.

The advisories cover Advantech WebAccess/SCADA, HID Global SAFE, Delta Electronics DIAEnergie (Update A), Mitsubishi Electric FA Engineering Software (Update A) and Hitachi Energy Relion 670/650/SAM600-IO (Update B). CISA urges users and administrators to review the advisories for the technical details and to apply the mitigations they list.


2. MOVEit Transfer Zero-Day Exploited: Urgent Action Required

Attackers are exploiting a newly discovered zero-day vulnerability, a SQL injection flaw in the web front end of the widely used MOVEit Transfer managed file transfer product, putting major companies at risk. Rapid7 has confirmed exploitation across multiple customer environments. Progress Software, the vendor of MOVEit, has issued an advisory urging immediate action: block all HTTP and HTTPS traffic (TCP ports 80 and 443) to the MOVEit Transfer environment at the firewall as an interim mitigation until the fix can be applied. This takes the web interface and API offline but leaves SFTP and FTPS transfers working. Attackers have already begun mass-downloading data from compromised installations, echoing earlier 2023 incidents involving file transfer tools such as Fortra's GoAnywhere MFT.
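The firewall part of the interim mitigation, written out as an added example (this is not the newsletter's or Progress Software's code). It assumes a Windows Server host running MOVEit Transfer with the built-in Windows Firewall enabled; the rule name is a hypothetical choice and the Get-NetTCPConnection port list is only a convenience for confirming which listeners remain reachable.

```powershell
# Added example, not from the newsletter or Progress Software.
# Interim mitigation for a MOVEit Transfer host: block inbound HTTP/HTTPS
# (TCP 80/443) with the Windows Firewall until the fix has been applied.
# Run in an elevated PowerShell session on the MOVEit Transfer server.

$RuleName = 'MOVEit-Interim-Block-HTTP-HTTPS'   # hypothetical name; assumed unused

# Windows Firewall evaluates Block rules before Allow rules, so this single
# rule overrides the existing IIS "World Wide Web Services" allow rules
# without having to disable or edit them.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -Action Block -Profile Any -Enabled True `
    -Description 'Interim mitigation per Progress MOVEit Transfer advisory'

# Verify the rule exists, is enabled and carries exactly the intended ports.
$rule  = Get-NetFirewallRule -DisplayName $RuleName
$ports = ($rule | Get-NetFirewallPortFilter).LocalPort
"Rule '{0}': Enabled={1} Action={2} Ports={3}" -f `
    $rule.DisplayName, $rule.Enabled, $rule.Action, ($ports -join ',')

# The web service itself is not stopped; only the network path is cut.
# Listing the listeners shows that SFTP (22) and FTPS (990), which the
# advisory says keep working, are untouched while 80/443 are now blocked.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 22, 80, 443, 990 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Once the patched MOVEit Transfer build is installed and validated, remove
# the interim rule to restore the web UI and API:
#   Remove-NetFirewallRule -DisplayName $RuleName
```

A host firewall rule is one layer; if the server sits behind a perimeter firewall or load balancer, block 80/443 there as well so the web front end is unreachable from the Internet rather than merely from the host. Keep the rule in place until the patched version is confirmed running, and treat the period before the block as a window in which data may already have been downloaded.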


3. North Korean ScarCruft: RokRAT Cyber Espionage

Cybersecurity researchers have detailed the RokRAT remote access trojan used by the North Korean state-sponsored group ScarCruft, which gives the operators unauthorized access, data exfiltration and persistent control over compromised systems. ScarCruft, active since 2012 and associated with North Korea's Ministry of State Security, focuses primarily on targets in South Korea, relying on social engineering and on exploits for widely used regional software such as Hancom's Hangul Word Processor. RokRAT, also known as DOGCALL, is actively developed and maintained and has been ported to other operating systems. Recent attacks start from LNK files that trigger a multi-stage infection chain ending in the deployment of RokRAT, whose capabilities include metadata harvesting, screenshot capture, remote command execution, directory enumeration and file exfiltration.


4. QBot Malware: Evasive & Dynamic C2 Infrastructure

A recent analysis of the QBot malware highlights how short-lived its command-and-control (C2) infrastructure is: about a quarter of its C2 servers are active for only a single day, and half of them are not active beyond a week. Lumen Black Lotus Labs found that QBot uses an adaptable, dynamic infrastructure, hiding C2 nodes in residential IP space and on compromised web servers rather than on virtual private servers. The practical consequence for defenders is that static IP blocklists age within days, so detection has to lean on behavior (proxy and DNS patterns, process and persistence indicators) rather than on indicators of compromise alone. QBot, also known as QakBot and Pinkslipbot, has evolved from a banking trojan into a loader for a variety of payloads and has persisted since its first appearance in 2007.


5. iPhone Hacks & Spyware: Kaspersky's Findings

Kaspersky has uncovered a long-running campaign targeting iPhones with a zero-click exploit delivered over iMessage, which installs malware without any user interaction. The campaign, dubbed "Operation Triangulation," dates back to 2019 and is still affecting devices. Although the implant tries to cover its tracks, indicators of compromise remain: infected devices can no longer install iOS updates and show abnormal data usage.


6. Horabot: Banking Trojan & Email Takeover

A recent investigation by Cisco Talos has uncovered a campaign known as Horabot that specifically targets Spanish-speaking users in Latin America. Active since November 2020, the campaign infects victims with a banking trojan and a spam tool, giving the attackers control over the victims' email accounts, which are then used to send further phishing emails. The threat actors behind Horabot are believed to be based in Brazil, and while the current targets are concentrated in Latin America, the operation could expand into other markets using phishing emails written in English.



Cyber Incidents


7. Casepoint Investigates Data Breach and Theft

Casepoint, a prominent U.S.-based legal technology platform used by government agencies, corporations and law firms, is investigating a breach in which hackers claim to have stolen terabytes of sensitive data. The ALPHV ransomware gang, also known as BlackCat, has claimed responsibility and listed the stolen data on its dark web leak site. The breach puts at risk data belonging to high-profile clients including the U.S. Courts, the SEC, the DoD, Marriott and the Mayo Clinic.


8. Ransomware Breach at HPHC Impacts 2.5M

Harvard Pilgrim Health Care (HPHC) has disclosed that a recent ransomware attack compromised the sensitive data of 2,550,922 individuals and resulted in the theft of their personal information. The Massachusetts-based health services provider discovered the breach in April 2023 and reported it to the U.S. Department of Health and Human Services. The investigation found that the attackers had unauthorized access to HPHC's systems from late March to mid-April, during which they exfiltrated names, addresses, Social Security numbers and clinical information.


9. Cyber Attack Disrupts GLOBSEC Conference

Electronic systems and parking services in Bratislava, Slovakia, were knocked offline during the international security conference GLOBSEC by a large DDoS attack. An anti-NATO group claimed responsibility, citing its opposition to US and NATO actions. Bratislava Mayor Matus Vallo stated that no data was breached and that services were being restored in coordination with the cybersecurity authorities.


10. Prosperix Data Breach: 250K Job Seekers Exposed

US-based workforce management platform Prosperix has suffered a major data breach that exposed sensitive data of nearly 250,000 job seekers. The leaked information includes personal details such as home addresses and phone numbers, leaving the individuals exposed to identity theft and fraud. The company resolved the issue quickly, but the incident underscores the need for robust data security on hiring platforms and for job seekers to be alert to scams in the hiring process.


11. JD Group Data Breach Exposes Customers' Info

Pepkor-owned JD Group, a retail company in South Africa, has confirmed a significant data breach that compromised the personal information of more than 500,000 customers. The breach exposed names, contact details and ID numbers and affected several of the group's store brands, including Bradlows, Everyshop and HiFi Corp. The company says it took immediate action to investigate and mitigate the impact, but the leaked data has been posted on a hacker forum, so affected customers remain exposed to fraud and phishing.



Cyber News


12. Hacker Arrested for Leaking School Scores

A teenage hacker and a Telegram chatroom operator in his 20s have been arrested for allegedly leaking the mock test scores of 270,000 high school sophomores from a nationwide exam held in November. The 19-year-old reportedly breached a server of the Gyeonggi Office of Education, stole the test results and handed them to the chatroom operator, who distributed them to around 18,000 participants. The hacker used overseas IP addresses and exploited a vulnerability in the server for several months without the education office noticing.


13. Cisco Acquires Armorblox for Cybersecurity Enhancement

In its third cybersecurity acquisition of 2023, Cisco is set to acquire Armorblox to strengthen the security of email, cloud office applications and enterprise communications using natural language understanding. Cisco says Armorblox's predictive and generative AI will let customers better understand and interact with security control points. The acquisition is expected to close by the end of July, and Cisco sees a range of security use cases for the technology across its portfolio.


14. Google Triples Rewards for Chrome Exploits

Google has announced that it is tripling the bounty for reports of sandbox escape exploit chains against its Chrome web browser. The aim is to encourage security researchers to find and report vulnerabilities that defeat the browser's core isolation mechanisms. A full chain exploit can now earn up to $180,000, giving Google the detail it needs to harden Chrome against real attacks. The announcement follows Google's earlier expansions of its bug bounty programs, including the launch of the Mobile Vulnerability Rewards Program and payments for bugs reported in open-source software.


15. SentinelOne Cuts Jobs Amid Revenue Decline

Silicon Valley-based endpoint security company SentinelOne plans to lay off approximately 105 employees after a drop in data usage for its consumption-based pricing products led to lower-than-expected revenue. The layoffs are part of a cost-cutting strategy aimed at reaching non-GAAP profitability next year. CEO Tomer Weingarten said the company needs a more balanced and efficient approach under current market conditions.



Subscribe and comment.

Copyright © 2023 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube and Medium.
