Cyber Briefing - 2023.07.26
What's trending in cybersecurity today?
AMD Vulnerability, Zenbleed, Mac Malware, TETRA, Casbaneiro, Egypt Health Ministry, Australian Home Affairs, Quinn Emanuel, Wuhan Earthquake Center, China, FraudGPT, WormGPT, Data Breach Cost, Ransomware, MITRE
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
Cyber Alerts
A new and critical security vulnerability dubbed "Zenbleed" has been unearthed, putting AMD's Zen 2 architecture-based processors at serious risk. Discovered by Google Project Zero researcher Tavis Ormandy, this flaw facilitates potential data exfiltration at a staggering speed of 30 kb per core, per second. Classified as a speculative execution attack, the exploit capitalizes on CPU optimization techniques, granting unauthorized access to sensitive data like encryption keys and passwords. Worryingly, this vulnerability can be leveraged remotely through JavaScript on websites, underscoring the need for immediate microcode updates from original equipment manufacturers (OEMs) to defend against potential breaches.
A new and sophisticated Mac malware called "Realst" has been discovered in a large-scale cyber campaign that targets Apple computers, including the upcoming macOS 14 Sonoma. The malware is distributed through fake blockchain games like Brawl Earth and WildWorld, shared on social media via direct messages, allowing threat actors to vet targets and avoid detection by security researchers. Once installed, the malware steals sensitive data, including cryptocurrency wallets and browser information, and sends it back to the attackers. With 16 variants identified and categorized into four main families, Realst demonstrates rapid and active development, making it a significant threat to macOS users, particularly those engaged in cryptocurrency activities.
A highly sophisticated and largely undetected toolkit called Decoy Dog has been discovered, believed to be used for cyber intelligence operations and leveraging the domain name system (DNS) for command and control. Infoblox researchers suspect four actors are behind this toolkit, using it for highly targeted operations primarily in Russia and Eastern Europe, possibly related to Russia's invasion of Ukraine. Decoy Dog is an upgraded version of Pupy that uses Python 3.8, expands the communications vocabulary, and adds the ability to run arbitrary Java code for persistence on victim devices. Despite Infoblox's efforts to uncover the toolkit, its full scope, purpose, and handlers remain a mystery, and additional research is required to determine its targets and compromise methods.
Midnight Blue discloses five security vulnerabilities in the widely adopted Terrestrial Trunked Radio (TETRA) standard, impacting government entities and critical infrastructure sectors. Among the findings is a potentially intentional backdoor, raising concerns about potential exposure of sensitive information. TETRA, widely used in over 100 countries and controlling essential systems like power grids and railways, faces risks of real-time decryption, message injection, and user deanonymization, urging immediate action to address these critical shortcomings.
The financially motivated threat actors behind the Casbaneiro banking malware family have adopted a User Account Control (UAC) bypass technique, allowing them to gain full administrative privileges on compromised machines and execute malicious code undetected. While their primary focus remains on Latin American financial institutions, the shift in tactics poses a significant risk to multi-regional financial organizations. Spear-phishing emails now embed links to HTML files, leading targets to download RAR files instead of the usual PDF attachments, and the attackers employ fodhelper.exe for UAC bypass and high integrity level execution. This evolution in attack techniques highlights the need for heightened security measures to counter the evolving threat landscape.
MikroTik routers, a prime target for threat actors, are facing a privilege escalation vulnerability (CVE-2023-30788) that exposes up to 900,000 devices to potential attacks. The flaw allows attackers to gain full control over affected MIPS-processor-based devices, posing significant risks to both Latin American financial institutions and multi-regional organizations. Researchers at VulnCheck discovered the exploit, which enables attackers to execute malicious code, pivot into an organization's network, and execute man-in-the-middle attacks, urging administrators to apply MikroTik's fix promptly to safeguard their assets.
In its latest release, the CVE MITRE foundation presents the list of "On the Cusp" vulnerabilities, showcasing the ranking changes of Common Weakness Enumerations (CWEs) between 2022 and 2023. This list provides crucial insights for organizations seeking to bolster their software security defenses and mitigate risks effectively. While the top 25 most dangerous weaknesses are highlighted, it's vital to remain vigilant about exploitable vulnerabilities beyond this ranking, as they still pose significant threats to organizations.
A cyber threat intelligence provider and a dark web monitoring firm recently observed an alarming claim on hacker forum Popürler. An 'established' threat actor boasted possession of two million data records stolen from the Egyptian Ministry of Health and Population. The leaked database allegedly contains highly sensitive patient information, including names, IDs, national numbers, medical details, and contact information. The threat actor provided a sample dataset and hinted at financial motives behind these actions, previously linked to breaches in Indonesian entities.
Around 50 business owners and employees who participated in the Understanding Small Business and Cyber Security study were left shocked when their personal information, including names, business names, phone numbers, and emails, was accidentally published on the parliament website. The incident was revealed in response to a question from the shadow cybersecurity and home affairs minister, James Paterson, as reported by The Guardian Australia. The data leak comes as part of Australia's Cyber Wardens program, aimed at enhancing cybersecurity awareness and capabilities among small businesses, but it has raised concerns about data privacy and security within the government-backed initiative.
A startling cyber attack on a third-party electronic discovery vendor has sent shockwaves through Quinn Emanuel Urquhart & Sullivan, a leading U.S. law firm, raising concerns over potential client information exposure. Although the firm assured that the ransomware attack was confined to a limited group of clients and matters, the incident highlights the escalating cybersecurity threats faced by legal service providers. With law firms like Jones Day and Goodwin Procter previously ensnared in similar breaches, the urgency to safeguard sensitive data from cyberattacks has become paramount for the legal sector.
The Wuhan Earthquake Monitoring Center faces a daunting cybersecurity challenge as it falls victim to a cyberattack orchestrated by an overseas organization, as disclosed by the city's emergency management bureau. Suspected to be government-backed, the attack raises concerns about the involvement of hacker groups with governmental backgrounds from outside the country, potentially originating from the US. With seismic intensity data at risk of being illegally controlled and stolen, immediate action has been taken to investigate the case and handle the perpetrators in accordance with the law, given the serious threat posed to national security.
Cyber News
In its 18th annual Cost of a Data Breach Report, IBM reveals that the average global cost of a data breach has reached a record $4.45 million, a slight increase of over 2% year on year. The main contributor to this rise was detection and escalation activities, with expenses for forensics, investigations, and crisis management up 42% year on year. Disappointingly, the report highlights that breached organizations are more likely to pass incident costs on to consumers (57%) than to invest in increased security measures (51%). While some countries and industries experienced a reduction in breach costs, the US remains the country with the highest breach costs, and healthcare is the costliest vertical, with costs per breached organization reaching $10.93 million.
Researchers have identified a concerning trend of AI-driven hacker tools on the Dark Web, with the emergence of "FraudGPT" and "WormGPT." Sold on a subscription basis, FraudGPT is being used by threat actors to conduct malicious activities, including phishing campaigns and creating undetectable malware. While ChatGPT has ethical guardrails to prevent misuse, the rise of these adversarial AI tools showcases the need for improved security measures to defend against AI-enabled cyber threats, with defenders advised to implement a defense-in-depth strategy and use AI-based security tools to stay ahead of cybercriminals.
In Q2 2023, the GuidePoint Research and Intelligence Team (GRIT) released a ransomware report unveiling striking statistics. The report tracked 1,177 publicly reported ransomware victims, a 38% rise compared to the previous quarter and a 100% increase compared to the same period last year. The manufacturing and technology sectors remained the hardest hit, while the consulting and insurance industries saw concerning relative growth rates of 236% and 160%, respectively. The surge in Ransomware-as-a-Service (RaaS) activity was also evident, with 14 new groups emerging during the quarter, a 260% increase compared to Q1. LockBit held a dominant position across most impacted industries, except in healthcare, where it faced competition from BianLian and Karakurt.
Researchers in Australia have uncovered evidence suggesting that China is using fake social media accounts connected to transnational criminal groups to disseminate online propaganda and disinformation. The Australian Strategic Policy Institute (ASPI) report indicates that certain fake accounts linked to China's influence operations are associated with a network of Twitter accounts promoting Warner International Casino, an online gambling platform operating in Southeast Asia. The casino's connection to criminal networks could be providing cover for government operations, while also enabling China to acquire inauthentic accounts for its covert influence operations online, the researchers stated.
Copyright © 2023 CyberMaterial. All Rights Reserved.