Cyber Briefing - 2023.07.06


The latest in cybersecurity: TeamsPhisher, LinkedIn, Ransomware, SolarView, Silentbob, StackRot, Nagoya Port, University of Illinois, Nickelodeon, OPERA1ER, Blockchain.

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.




Cyber Alerts


1. Exploiting Microsoft Teams: TeamsPhisher Tool

A member of the U.S. Navy's red team has developed a Python-based tool called TeamsPhisher that takes advantage of a lingering security flaw in Microsoft Teams. The tool bypasses file-sending restrictions for external users, enabling attackers to deliver malware through external accounts. TeamsPhisher automates the attack process, leveraging techniques from security researchers and providing options to refine the attack, such as secure file links and delayed message transmissions. Until Microsoft addresses this unresolved problem, organizations are advised to disable communication with external tenants or create allow-lists with trusted domains to mitigate the risk of exploitation.


2. RedEnergy: Stealer-Ransomware Threat on LinkedIn

A sophisticated threat called RedEnergy is actively targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through LinkedIn pages, combining data theft and encryption to maximize damage. Zscaler researchers have identified this malware, which steals information from browsers and executes ransomware activities. The attack begins with a FakeUpdates campaign, luring users to download JavaScript-based malware disguised as web browser updates. It then leverages reputable LinkedIn pages to redirect victims to a fake landing page, initiating the download of a malicious executable and paving the way for data theft, encryption, and potential ransom demands.


3. SolarView Vulnerability Exposes Energy Organizations

A critical vulnerability in Contec's SolarView solar power monitoring product is being actively exploited by a Mirai variant, putting hundreds of energy organizations at risk. The flaw, CVE-2022-29303, allows remote code injection by unauthenticated attackers and affects versions dating back to at least 4.0. Despite the patch in version 8.0, over 400 internet-exposed systems are still running vulnerable versions. The impact of exploitation can be significant, potentially leading to loss of productivity, revenue, and even acting as a pivot to attack other ICS resources.


4. Massive Cloud Attack: Silentbob Threat

Cybersecurity researchers at Aqua have uncovered a potentially massive campaign against cloud-native environments, involving a sophisticated attack infrastructure. Dubbed "Silentbob," this operation utilizes an aggressive cloud worm that targets exposed JupyterLab and Docker APIs, deploying the Tsunami malware, hijacking cloud credentials and resources, and further infecting vulnerable systems. Aqua's investigation revealed malicious container images and exposed instances, indicating active exploitation by threat actors, possibly connected to the notorious TeamTNT cryptojacking group or an advanced copycat. The industry is on high alert as the cyber threat landscape evolves with increasingly complex and coordinated attacks.


5. Critical Linux Flaw: StackRot Risk

A serious vulnerability named StackRot (CVE-2023-3269) has been discovered, impacting multiple versions of the Linux kernel. The vulnerability, affecting the kernel's memory management subsystem, can be exploited to compromise the kernel and elevate privileges. A patch has been released for the affected stable kernels, and full details about the issue, along with exploit code, are expected to be disclosed by the end of the month. Linux users are urged to check their kernel versions and ensure they are running an updated release to mitigate the risk of StackRot.



Cyber Incidents


6. School Ransomware Exposes Traumatic Data

Confidential documents stolen from schools and leaked online by ransomware gangs have revealed deeply personal and sensitive information about student experiences, including sexual assaults, psychiatric hospitalizations, and abuse. The leaked files, which included over 300,000 documents from the Minneapolis Public Schools, exposed not only sexual assault case folios but also medical records, discrimination complaints, and personal information of district employees. The impact of such data breaches on staff, students, and parents is profound, highlighting the urgent need for improved cybersecurity measures in schools.


7. Nagoya Port Hit by Ransomware: Trade Disrupted

The Port of Nagoya, Japan's largest and busiest port, has suffered a ransomware attack that has disrupted the operation of its container terminals. The attack, which occurred on July 4, 2023, has impacted the "Nagoya Port Unified Terminal System" (NUTS), the central system controlling all container terminals in the port. As a result, container loading and unloading operations have been canceled, causing significant financial losses and disruption to the flow of goods. The port authority is working to restore the system and resume operations as soon as possible, while the identity of the threat actor behind the attack remains unknown.


8. University Data Breach: Student Information Compromised

The University of Illinois, along with other institutions, faced a cyberattack on May 31, as revealed in a recent Massmail. The attack compromised personal data of students, which was potentially accessed by an unauthorized party. The breach was brought to the University's attention by the National Student Clearinghouse (NSC), which promptly took action to secure the data after identifying the vulnerability. Although there is no current evidence of fraudulent use, NSC continues to investigate the incident, and affected individuals will receive direct notifications. The email also included an FAQ section outlining NSC's role and offering guidance on protecting against identity fraud, such as ordering free annual credit reports and contacting the Federal Trade Commission.


9. Massive Nickelodeon Data Breach

A significant data breach has reportedly exposed around 500GB of sensitive data, including unaired television shows, scripts, and other materials. Nickelodeon's legal team has taken swift action, issuing DMCA takedowns and imposing severe consequences for anyone discussing the leaked content. The breach is believed to have originated from an authentication issue within Nickelodeon's "consumer products and experience" portal, allowing unauthorized access to the animation department's sensitive content.


10. Russian Railway RZD Hit by Cyberattack

The Russian state-owned railway company RZD experienced a significant cyberattack, resulting in the temporary shutdown of its website and mobile app. Ukrainian hacktivist group IT Army claimed responsibility for the attack, citing their mission to disrupt the aggressor country's economy. RZD managed to restore its operations after approximately six hours, but some online services remain unavailable due to ongoing attacks.



Cyber News


11. Blockchain Hacks: $920M Stolen, Decrease in Losses

Cybercriminals have adapted to the evolving landscape of blockchain systems, successfully pilfering approximately $920 million in the first half of the year. These hackers employed various techniques, including targeting smart contracts, executing phishing attacks, and breaching cryptocurrency exchanges. Although the quality of attacks has improved, the total amount stolen has seen a significant decrease compared to last year, with losses from cyber incidents dropping by 54%. However, the number of attacks remains consistent, indicating the growing sophistication of hackers in exploiting vulnerabilities within blockchain systems.


12. OPERA1ER Cybercrime Group Dismantled

Law enforcement agencies have apprehended a key member of the OPERA1ER cybercrime group, notorious for targeting mobile banking services and financial institutions through malware, phishing, and Business Email Compromise (BEC) campaigns. Spanning over 30 attacks across 15 countries in Africa, Asia, and Latin America, the gang is believed to have stolen between $11 million and $30 million in the past four years. The arrest was made during Operation Nervone, a collaborative effort involving AFRIPOL, Interpol, Group-IB, Orange, the United States Secret Service, and Booz Allen Hamilton DarkLabs.


13. Infisical: Securing Secrets for Organizations

San Francisco startup Infisical has successfully raised $2.8 million in seed funding, led by Gradient Ventures, Google's venture capital arm, along with investments from Y Combinator, TwentyTwo VC, and prominent tech executives. Infisical aims to address the growing issue of secrets sprawl by providing an open-source secrets management platform, helping organizations protect valuable corporate secrets such as API keys, usernames and passwords, and security certificates. With leaked secrets posing a significant risk to supply-chain security, Infisical joins a group of well-funded startups capitalizing on the need for effective secret management tools in the face of increasing multi-cloud deployments and modern DevOps processes. The company plans to utilize the funding to expand its operations, meet growing demand, and further develop its product offerings.


14. Instagram Threads: EU Launch Halted

Instagram Threads, Meta's upcoming Twitter competitor, will not be released in the European Union due to privacy concerns, as confirmed by Ireland's Data Protection Commission. The "text-based conversation app" was set for launch on July 6, 2023, but its availability will not extend to the EU "at this point." The decision aligns with Meta's cautious approach to comply with the region's stringent privacy regulations, similar to Google's postponement of its AI chatbot Bard launch in the EU.


15. Cyber Threats Plague Health Sector: ENISA Report

The European Union Agency for Cybersecurity (ENISA) has released its first comprehensive cyber threat landscape report focusing on the health sector. The report highlights the prevalence of ransomware attacks, with 54% of cybersecurity threats targeting the sector. Furthermore, the study emphasizes the significant impact of financially motivated attacks, data breaches, and disruptions to healthcare services, underlining the urgent need for robust cybersecurity practices in the industry.



Subscribe and Comment.

Copyright © 2023 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.




Users really have to be careful with the LinkedIn-Based Stealer-as-a-Ransomware Threat
