Cyber Briefing - 2023.08.02
What's trending in cybersecurity today?
Stremio Vulnerability, Python, NodeStealer, Facebook, SpyNote, Android Trojan, Google AMP, Phishing, Tempur Sealy International, Iran's Phishing Attack, India, NHS Lanarkshire, Daytona Beach, Cloudzy, Space Pirates, Ransomware, Socket, Converge Insurance.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
Cyber Alerts
A critical vulnerability in Stremio for Windows v4.4 has been discovered by CyFox researchers, potentially exposing millions of users to attacks. The vulnerability stems from the use of two Windows API functions, LoadLibraryA and LoadLibraryExA, allowing attackers to plant malicious DLL files in the application directory. This loophole enables unauthorized access and arbitrary code execution, and if the user runs the Stremio software with administrator rights, the attacker can gain the same privileges. Despite CyFox's attempts to contact the Stremio security team and share their findings, no response has been received, leading to concerns over unaddressed security risks and the need for urgent patches.
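The Stremio issue above is a DLL planting (search-order hijacking) case: the application directory is searched before the system directories, so a DLL dropped there is loaded in place of the intended one. A defender can spot this after the fact from image-load telemetry. The following is an added example, not code from CyFox or the Stremio project, that scans Sysmon Event ID 7 ("Image loaded") style records and flags unsigned DLLs loaded from the executable's own directory. The field names mirror real Sysmon fields, but the sample events, the process name and the DLL names are constructed; the page does not say which DLL names Stremio resolves.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ImageLoadEvent:
    """Subset of the fields a Sysmon Event ID 7 (Image loaded) record carries."""
    image: str             # process that performed the load
    image_loaded: str      # DLL that was mapped into the process
    signed: bool           # whether the DLL carries an Authenticode signature
    signature_status: str  # e.g. "Valid", "Unavailable"


# Constructed sample events; paths and signer states are illustrative only.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\ExampleApp\app.exe",
                   r"C:\Windows\System32\kernel32.dll", True, "Valid"),
    ImageLoadEvent(r"C:\Program Files\ExampleApp\app.exe",
                   r"C:\Program Files\ExampleApp\libcurl.dll", True, "Valid"),
    # An unsigned DLL sitting next to the executable is the planting pattern.
    ImageLoadEvent(r"C:\Program Files\ExampleApp\app.exe",
                   r"C:\Program Files\ExampleApp\netutil.dll", False, "Unavailable"),
]


def is_app_dir_sideload(ev: ImageLoadEvent) -> bool:
    """True when the DLL came from the process's own directory and is not validly signed."""
    # ntpath handles Windows paths even when this script runs on a non-Windows host.
    app_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    unsigned = (not ev.signed) or ev.signature_status.lower() != "valid"
    return app_dir == dll_dir and unsigned


def find_app_dir_sideloads(events: Iterable[ImageLoadEvent]) -> List[str]:
    """Return the paths of every DLL load that matches the sideload pattern."""
    return [ev.image_loaded for ev in events if is_app_dir_sideload(ev)]


if __name__ == "__main__":
    for path in find_app_dir_sideloads(SAMPLE_EVENTS):
        print("unsigned DLL loaded from application directory:", path)
```

Signed vendor DLLs shipped with the product pass this check; the rule only fires on an unsigned module in the same directory, which is the precondition the advisory describes. Tuning for a real environment means baselining which modules a given application legitimately loads from its install directory.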
Cybersecurity researchers from Palo Alto Networks Unit 42 have discovered a Python variant of NodeStealer, a stealer malware, capable of taking over Facebook business accounts and siphoning cryptocurrency. This previously undocumented strain was found as part of a campaign that began in December 2022. NodeStealer, first exposed by Meta in May 2023, was previously written in JavaScript, but the latest versions are now coded in Python. The malware starts by luring victims with bogus messages on Facebook offering free "professional" budget tracking Microsoft Excel and Google Sheets templates, which trick users into downloading a ZIP archive file that contains the stealer executable. Besides compromising Facebook business accounts, the malware steals credentials from web browsers, including MetaMask credentials from Google Chrome, Cốc Cốc, and Brave browsers, to carry out further attacks such as downloading additional malware and executing crypto theft.
In a recent technical analysis, Italian cybersecurity firm Cleafy has revealed an aggressive campaign involving the Android banking trojan SpyNote, targeting various European bank customers. The trojan is distributed through email phishing or smishing campaigns and executes fraudulent activities using remote access trojan (RAT) capabilities and vishing attacks. SpyNote gains Android's accessibility permissions to gather sensitive data and acts as both spyware and a tool for bank fraud, making it particularly concerning for users.
Cybersecurity experts are sounding the alarm on a surge in phishing activity exploiting Google Accelerated Mobile Pages (AMP) to circumvent email security measures and target enterprise employees' inboxes. Google AMP, known for accelerating mobile web content loading, is now being abused by threat actors who embed AMP URLs in phishing emails to avoid detection. This tactic redirects victims to malicious sites while evading analysis by security bots, making it a formidable challenge for email protection technology to identify and block such attacks effectively. Recent data shows a sharp rise in phishing attacks employing AMP, raising concerns about the method's growing adoption by malicious actors.
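The AMP abuse described above works because the visible link points at a Google domain while the real destination is carried inside the path. An email filter therefore needs to unwrap the viewer URL before it reputation-checks anything. The following is an added example, not code from any of the vendors mentioned, that extracts links from an email body and recovers the destination from Google AMP viewer URLs of the form https://www.google.<tld>/amp/[s/]<host>/<path>. The sample email body and the domains in it are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlparse

# Google search hosts: google.com, google.co.uk, google.com.br and similar.
_GOOGLE_HOST = re.compile(r"^(www\.)?google\.(com|[a-z]{2,3}(\.[a-z]{2})?)$")
# Plain URL extractor for email text; stops at whitespace, angle brackets and quotes.
_URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def unwrap_amp_viewer_url(url: str) -> Optional[str]:
    """Return the destination embedded in a Google AMP viewer URL, or None
    if the URL is not one (the AMP viewer path is /amp/s/<host>/<path> for
    https origins and /amp/<host>/<path> for http origins)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return None
    if not _GOOGLE_HOST.match(parts.netloc.lower()):
        return None
    if not parts.path.startswith("/amp/"):
        return None
    rest = parts.path[len("/amp/"):]
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    else:
        scheme = "http"
    if not rest:
        return None
    dest = f"{scheme}://{unquote(rest)}"
    if parts.query:
        dest += "?" + parts.query
    return dest


def find_amp_wrapped_links(body: str) -> List[Tuple[str, str]]:
    """Scan an email body and return (wrapped_url, real_destination) pairs."""
    findings = []
    for match in _URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
        dest = unwrap_amp_viewer_url(url)
        if dest is not None:
            findings.append((url, dest))
    return findings


# Constructed phishing-style email body; the domains are placeholders.
SAMPLE_BODY = """Your mailbox is almost full.
Review your storage settings here:
https://www.google.com/amp/s/mail-storage-review.example/login?acct=1234
Or read our help centre article: https://support.example.com/storage
"""

if __name__ == "__main__":
    for wrapped, dest in find_amp_wrapped_links(SAMPLE_BODY):
        print(f"AMP-wrapped link: {wrapped}\n  resolves to: {dest}")
```

The unwrapped host is what should be fed to URL reputation and sandbox detonation; scoring the visible google.com host is exactly the blind spot the campaign relies on. The same unwrapping applies to the http form (/amp/<host>/...), which the function handles as well.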
A comprehensive report from Qualys Threat Research Unit (TRU) has illuminated the concerning landscape of cloud risks, with a particular focus on the growing menace of cloud tech debt. The study, based on anonymized global cloud scans conducted in April 2023, exposed over 60 million applications that have reached the end of support and end of life, leaving critical categories like databases, web servers, and security software without security updates and substantially elevating the risk of potential breaches. Cloud misconfigurations also surfaced as a major concern, amplifying data breaches and unauthorized access, with failure rates for major cloud providers AWS, Microsoft Azure, and Google Cloud Platform (GCP) ranging from 34% to 60%.
The Israeli internal intelligence agency, Shin Bet, successfully thwarted a sophisticated spear-phishing attack launched by state-backed Iranian hackers, aimed at Israeli citizens, particularly researchers, and civil servants from various organizations. The hackers employed fake LinkedIn profiles and sophisticated social engineering techniques to gain unauthorized access to victims' computers, using seemingly harmless attachments that contained malware. By pretending to be real Israeli citizens and engaging in LinkedIn conversations before shifting communication to email, the attackers established trust, making it easier to persuade targets to open attachments or click on links. This incident highlights the escalating cyber warfare between Iran and Israel, emphasizing the need for global cooperation in countering and defending against state-sponsored cyber threats that can have significant implications on national security and individual privacy.
CloudSEK's contextual AI digital risk platform XVigil has made a concerning discovery on an English-speaking cybercrime forum where a database of PHI-IIIT Delhi (Portal for Health Informatics at the Indraprastha Institute of Information Technology, Delhi) was shared in exchange for forum credits. The leaked database consists of 82 files, totaling approximately 1.8 GB, compromising sensitive information like email addresses, names, internal healthcare documents, vaccine development-related papers, and more. The PHI Portal, hosted on ERNET (Education and Research Network) under the Ministry of Electronics and Information Technology (MeitY) in India, also reveals that part of the offered database is publicly accessible, raising concerns about potential data exposure.
Tempur Sealy, the prominent bedding products provider, is facing a serious cyber crisis as the company reveals that it fell victim to a cyberattack, leading to the shutdown of certain systems. The attack was detected on July 23, 2023, prompting the activation of incident response and business continuity plans. While Tempur Sealy is currently in the process of restoring critical IT systems and resuming operations, the company has yet to determine the full extent of the breach's impact and whether personal information was compromised. The incident raises concerns about the involvement of ransomware, considering the forced shutdown of systems, as the company navigates through the ongoing forensic investigation.
In a concerning revelation, the Information Commissioner's Office (ICO) has reprimanded an NHS trust in the UK for a serious breach of patient data privacy. Over the course of two years, 26 staff members at NHS Lanarkshire utilized an unapproved WhatsApp group to share sensitive patient information, including names, phone numbers, addresses, images, videos, screenshots, and clinical data. Initially set up to facilitate communication during the pandemic, the group was never authorized for processing patient data, violating GDPR's provisions for handling special category data.
Daytona Beach issues an urgent warning to all users to steer clear of its hacked Facebook page. The account has fallen victim to a cyber attack, showing suspicious posts in Spanish and featuring images unrelated to the city. In response, police detectives are actively collaborating with the chief information officer to investigate the breach and work with Facebook's parent company, Meta, to restore the page's security. While the situation unfolds, Facebook users are strongly advised not to disclose personal information and to avoid clicking on any posted links. To access reliable updates about Daytona Beach, concerned individuals can visit the city's official website or check their Twitter page for verified information.
Cyber News
Cybersecurity startup Halcyon has exposed Cloudzy, an Iranian-run company acting as a command-and-control provider (C2P) for over 20 hacking groups. These include state-sponsored APT actors, ransomware operators, and spyware vendors. Despite being registered in the United States, Cloudzy is suspected to be operated from Tehran, Iran, by an individual named Hassan Nozari. This raises concerns about potential violations of US sanctions. Cloudzy claims to maintain user anonymity and avoids accountability when alerted to malicious activity. It only requires a working email address for registration and accepts anonymous cryptocurrency payments. Halcyon's research reveals that more than half of Cloudzy's servers directly facilitate malicious activities, mainly using borrowed infrastructure from other ISPs.
Researchers from Positive Technologies have unveiled the activities of the threat actor known as Space Pirates, which has been conducting cyberattacks against 16 organizations in Russia and Serbia over the past year. The group's main objectives involve espionage and theft of confidential information, with targets ranging from government agencies and educational institutions to aerospace manufacturers and healthcare firms. The attackers utilize a sophisticated malware called Deed RAT, known for dynamically retrieving additional plug-ins from a remote server, including a Disk plug-in for file enumeration and a Portmap module for port forwarding. They also employ the previously undocumented malware Voidoor to interact with a legitimate forum, seeking access to users' personal messaging systems in search of specific victim IDs.
In recent data breach and cyber-attack cases, companies have faced difficulties when seeking coverage from insurers. Insurers often decline claims, citing reasons like failure to provide timely notice, failure to mitigate costs, or attributing losses to a party not covered by the policy. Even specialized cyber liability insurance policies are not exempt from these challenges. A recent case in Ohio's Supreme Court, EMOI Servs., L.L.C. v. Owners Ins. Co., denied coverage for a ransomware claim due to the lack of "physical harm or damage" to the computers, as required by the policy's terms. This is just one example of the rising trend where insurers narrowly interpret terms like "loss" or "damage" when dealing with ransomware claims, leading to potential litigation and arbitration. It highlights the need for companies to conduct comprehensive policy reviews and ensure their cyber insurance language aligns with their coverage needs to avoid coverage denials in the future.
Socket, a startup dedicated to enhancing software supply chain security, has successfully raised $20 million in new funding, showcasing the growing interest of investors in the open-source software security landscape. Andreessen Horowitz (a16z) led the funding round, joined by Abstract Ventures, bringing Socket's total funding to $24.6 million since its public launch in May 2022. Spearheaded by open-source developer Feross Aboukhadijeh, Socket is developing groundbreaking technology that utilizes "content-based analysis" to identify suspicious activity within software dependencies and rapidly address potential threats. The company aims to proactively detect and block software supply chain attacks, introducing new tools to monitor and prevent compromised or hijacked packages from infiltrating the ecosystem, and utilizing AI-driven source code analysis with ChatGPT to identify and summarize red flags in npm and PyPI packages.
In a strategic move, Forgepoint Capital, a venture capital firm, has made a significant $15 million Series A investment in Converge Insurance, a New York-based tech startup specializing in cyber insurance solutions for small- and medium-sized businesses. Converge Insurance distinguishes itself as a modern managing general agent (MGA) that combines cyber insurance, security, and technology to cater to the often-overlooked SMB market. With a focus on transparency and expert underwriting, the company aims to provide innovative cyber risk solutions to empower policyholders in managing technology risks more intelligently. As cyber-attacks continue to target businesses, this investment reflects the increasing demand for cyber insurance solutions and the importance of bolstering security measures.
Copyright © 2023 CyberMaterial. All Rights Reserved.
The cybersecurity landscape is ever-evolving and intricate. Thanks for compiling this concise summary; staying informed is crucial in this digital age.