Cyber Briefing - 2023.06.05
The latest in cybersecurity: North Korea, Spear-Phishing, Google, TinyNote Backdoor, Magecart, TrueBot, BlackSuit Ransomware, Burton, YKK Group, Iran, Ukraine.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
Cyber Alerts
Multiple government agencies from the U.S. and South Korea have issued a joint advisory highlighting the state-sponsored North Korean hacker group Kimsuky (APT43) and its practice of impersonating journalists and academics in spear-phishing attacks. These campaigns are aimed at collecting intelligence from think tanks, research centers, academic institutions, and media organizations. Kimsuky, part of North Korea's Reconnaissance General Bureau, has been conducting large-scale espionage campaigns since at least 2012, leveraging refined social engineering techniques to create convincing spear-phishing emails.
Google has taken down 32 malicious extensions from the Chrome Web Store that had a combined download count of 75 million. These extensions appeared to have legitimate functionality but contained obfuscated code that allowed them to alter search results and deliver spam or unwanted ads. Cybersecurity researcher Wladimir Palant discovered the code in one extension and later found it in another 18 extensions, raising concerns about potential abuse such as injecting ads or stealing sensitive information. While Google has removed the extensions from the store, users need to manually uninstall them to eliminate the risk.
Israeli cybersecurity firm Check Point has identified a new backdoor malware, dubbed TinyNote, attributed to the Chinese nation-state group known as Camaro Dragon. While the malware may lack sophistication, it employs multiple persistence tasks and diverse communication methods to retain access to compromised hosts. Camaro Dragon, also known as Mustang Panda, has previously been linked to custom firmware implants and uses compromised home routers for covert communications. The latest findings highlight the group's evolving evasion tactics, sophisticated targeting, and diverse arsenal of custom tools, with TinyNote specifically targeting Southeast and East Asian embassies.
Researchers from Akamai have uncovered an ongoing Magecart web skimmer campaign targeting users in North America, Latin America, and Europe. This campaign involves hijacking legitimate websites to serve as makeshift command and control (C2) servers, allowing threat actors to distribute malware and steal personally identifiable information (PII) and credit card data. The attackers employ various evasion techniques, such as obfuscation and masquerading the attack as popular third-party services like Google Analytics, making it challenging to detect their malicious activities.
Researchers at VMware's Carbon Black Managed Detection and Response (MDR) team have issued a warning about a significant increase in TrueBot activity during May 2023. TrueBot, a downloader associated with the threat actor TA505, has been active since 2017 and has recently been observed carrying out malicious activities such as distributing Clop ransomware. The attackers exploit vulnerabilities in Netwrix Auditor and use Raspberry Robin as delivery vectors, employing deceptive techniques such as masquerading an executable as a software update to trick users into downloading and executing it. The report highlights the importance of early detection and containment, leveraging Carbon Black's capabilities and MDR support to mitigate the potential for widespread network infection.
An analysis by Trend Micro reveals that the Linux variant of the newly discovered BlackSuit ransomware exhibits significant similarities to the ransomware family known as Royal. The researchers noted an "extremely high degree of similarity," with nearly identical functions, blocks, and jumps between the two strains. BlackSuit, which surfaced in early May 2023, is capable of targeting both Windows and Linux hosts, employing a double extortion scheme to encrypt sensitive data in compromised networks.
Leading snowboard maker Burton Snowboards confirmed a data breach after a "cyber incident" in February, where some customer information was potentially accessed or stolen. The breach was discovered after a system outage and forced the company to cancel online orders. Burton has notified affected customers, reset account passwords, and hired external forensic experts to investigate the breach. The information potentially compromised includes names, Social Security numbers, and financial account details, although Burton states that credit card details or bank account numbers were not saved or held on their website. The company is cooperating with law enforcement and relevant regulators, and there have been no reports of misuse of customer information so far.
YKK Group, the renowned Japanese manufacturing conglomerate known for producing zippers and industrial hardware, has been posted on the dark web blog of the notorious LockBit gang. The cybercriminals hinted at a potential breach and stated that the exposed data will be published in two weeks. With over 100 affiliated companies worldwide and a revenue of over $6 billion, the extent of the potential data exposure remains unknown.
South Africa's Department of Justice has suffered another cyber breach, marking the third incident in as many years. Hackers targeted the department's Guardian's Fund in KwaZulu-Natal and the Free State, making off with R18 million. The attack took place on April 6, but the discovery and reporting of the incident were delayed by five days, raising concerns about the department's response.
A data breach at the Hillsborough County Supervisor of Elections Office has compromised the private information of 58,000 voters. The breach involved unauthorized access to files containing sensitive details such as Social Security and driver's license numbers, primarily from voter registration list maintenance records. The voter registration system and ballot tabulation system, which have additional security measures, were not affected. The office is working closely with law enforcement to investigate the cybercrime, and affected individuals will be notified about the breach.
A trove of leaked documents, images, and videos from the offices of Iranian President Ebrahim Raisi has been posted online, suggesting an authentic data breach, according to cybersecurity experts. The materials, shared by a group called "GhyamSarnegouni," include diplomatic correspondence, floor plans of the president's offices, network topologies of sensitive government systems, and more. While some information was already known, the breach is seen as embarrassing for the Iranian government, and it sheds light on internal activities, including nuclear expansion.
Swiss authorities have launched an investigation into a cyberattack that targeted the Bernese IT company Xplain, which provides services to several federal and cantonal government departments, including the police, army, customs, and the Federal Office of Police (Fedpol). The attack, claimed by the Play ransomware gang, resulted in the publication of alleged stolen data from Fedpol and the Federal Office for Customs and Border Security (FOCBS) on a Darknet forum. Although Fedpol stated that only simulated, anonymous data for test purposes were accessed, the incident highlights the vulnerability of critical government entities.
Cyber News
The U.S. Department of Defense has agreed to cover the expenses for Ukraine's access to Starlink satellite broadband, highlighting the country's dependence on technology companies and the risks associated with relying on the private sector during times of conflict. Starlink, operated by SpaceX, has become crucial for Ukraine's government and military, providing essential connectivity for critical communications, including drone operations and artillery strikes against Russian targets. While private companies like Microsoft, Amazon Web Services, and various cybersecurity firms have also supported Ukraine, the Pentagon's involvement underscores the importance of securing reliable communication channels during wartime.
Russia's telecom giant Rostelecom is in discussions with the Russian government to supply up to 2 million mobile devices running on the Aurora operating system over the next three years. The move comes as Russia accuses U.S. intelligence of hacking thousands of Apple phones for spying purposes. The country aims to promote domestic technology and reduce reliance on Western software, with Aurora offering complete control over data processing and compliance with government security guidelines.
Microsoft is warning investors of a possible fine from European privacy regulators for targeted advertising on its LinkedIn platform, which could amount to hundreds of millions of dollars. The European Union's General Data Protection Regulation (GDPR) has empowered data protection authorities to limit targeted advertising on privacy grounds, and Microsoft received a notification from the Irish Data Protection Commission indicating its intention to impose a fine after investigating a complaint from 2018. In response, Microsoft is increasing its reserve fund and anticipates taking a charge of approximately $425 million in the fourth quarter of this year.
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.