Cyber Briefing - 2024.02.16
What are the latest cybersecurity alerts, incidents, and news?
RansomHouse Gang, ESXi Attacks, MrAgent Tool, New Qakbot Variants, Windows, Fake Adobe Installers, Cloud Smishing Campaigns, Amazon Web Services (AWS) SNS Exploitation, TinyTurla-NG Backdoor, Polish NGOs, Ivanti Endpoints, State Gov Network Breached, Email Breach, U.S. Internet Corp, Health New Zealand | Te Whatu Ora, Data Breach, PSI Software SE, Canada's School District 67 (Okanagan Skaha), Cyber Outage, Google, Global AI Framework for Cybersecurity, Federal Bureau of Investigation (FBI), Russian Military's Router Botnet, U.S. Department of State, Bounty for ALPHV Ransomware Leaders, JabberZeus Cyber Crime Leader, U.S. Cyber Attack, Iranian Surveillance Vessel.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
Cyber Alerts
The RansomHouse ransomware operation introduces 'MrAgent,' a tool automating data encryption on VMware ESXi hypervisors. Designed for maximum impact, it targets critical applications, disables firewalls, and deploys ransomware across multiple VMs simultaneously. MrAgent's adaptability across platforms signifies RansomHouse's intent to expand its reach, demanding heightened security measures from defenders.
Qakbot malware resurfaces with new variants in email campaigns, including fake Adobe installers. Despite previous takedown efforts, recent activity suggests ongoing development and distribution of the malware, prompting heightened surveillance from cybersecurity researchers. Sophos X-Ops detects up to 10 new QBot builds, highlighting evolving tactics and encryption techniques to evade detection.
Threat actors leverage AWS SNS and a custom spam script, SNS Sender, for a "smishing" campaign impersonating USPS, posing serious risks to cloud-reliant businesses, warns SentinelOne. The attack employs a phishing lure about missed packages, targeting vulnerable individuals, particularly senior citizens, collecting personal and financial information through fraudulent pages.
Turla's new backdoor, TinyTurla-NG, targets Polish NGOs, employing WordPress-based C2 endpoints. The campaign, running from December 2023 to January 2024, highlights the threat actor's ongoing sophistication in cyber operations. Cisco Talos warns of its highly targeted nature, indicating a concerning evolution in Turla's tactics and tools.
Thousands of Ivanti endpoints remain exposed to high-risk security flaws, including authentication bypass and command injection issues. The flaws, already exploited by nation-state actors and now targeted by a broad range of threat actors, require urgent patching or mitigation to prevent unauthorized access and potential data breaches. Despite available security updates, a significant number of servers remain unpatched, increasing the risk of prolonged exposure to exploitation.
CISA discloses a state government network breach via a former employee's admin account. Attackers exploited a VPN access point, gaining access to on-premises and Azure environments, highlighting the importance of privileged account security and least privilege principles in cybersecurity measures. This incident underscores the risk of leveraging valid but unsecured accounts, emphasizing the need for robust access control and monitoring protocols to prevent unauthorized access and data breaches.
U.S. Internet Corp.'s Securence unit inadvertently exposed over a decade's worth of internal and client emails online, accessible to anyone with a web browser. KrebsOnSecurity was alerted by Hold Security, revealing that thousands of domains and individual inboxes, including those of state and local governments, were accessible, highlighting critical security oversights within the company's infrastructure. Despite the breach being swiftly addressed, questions linger regarding the duration of exposure and the extent of potential repercussions for affected parties.
Health New Zealand Te Whatu Ora is notifying 12,000 individuals affected by an alleged unauthorized data release by a former staff member. Chief Executive Margie Apa states the incident, involving Covid-19 vaccinators' personal information, prompted legal action and cooperation with authorities and cybersecurity experts to mitigate risks and enhance data security measures.
In response to a cyberattack discovered on February 15, 2024, PSI Software SE swiftly disconnected its IT systems from the internet to prevent data breaches and corruption. The company is currently assessing the extent of the impact and taking measures to restore affected systems while prioritizing data integrity. Collaborating with cybersecurity experts, PSI Software SE is committed to mitigating risks and strengthening its security posture against future threats.
In Okanagan's School District No. 67 (Canada), a widespread network outage disrupts operations, affecting communication systems like phones and email. Despite the outage, schools continue to function, with support from local authorities, the Ministry of Education, and cybersecurity specialists. The district, encompassing Penticton, Summerland, Kaleden, and Naramata, faces uncertainties as efforts are underway to resolve the situation.
Cyber News
Google advocates for an international framework to harness artificial intelligence in combating cyber threats, aiming to overturn the advantage long held by attackers. Through its AI Cyber Defense Initiative, the tech giant proposes leveraging AI's capacity to analyze vast datasets and transition from assistive to autonomous defense mechanisms. Google emphasizes the importance of secure AI design principles and scientific research to enable the development of AI agents for cybersecurity.
The FBI dismantles a GRU-operated botnet comprising Ubiquiti Edge OS routers, repurposed into a cyber espionage tool targeting the U.S. and its allies. Leveraging Moobot malware, the Russian hackers exploited routers with default credentials, posing a significant threat to governments and corporate entities globally. As part of "Operation Dying Ember," the FBI remotely neutralized the botnet's capabilities, temporarily blocking GRU access while preserving standard router functionality.
Ukrainian national Vyacheslav Igorevich Penchukov, known as 'tank' and 'father,' admitted to charges involving his leadership in the Zeus and IcedID malware groups. Arrested in Switzerland in 2022, he was extradited to the US in 2023. Penchukov's guilty plea follows years of evading justice, with allegations linking him to Maze and Egregor ransomware operations, showcasing his significant role in cybercrime.
The United States recently executed a cyberattack against an Iranian military vessel gathering intelligence in the Red Sea and the Gulf of Aden, retaliating for an Iranian-backed drone strike in Iraq. The operation aimed to disrupt the ship's ability to share intelligence with Houthi rebels in Yemen, who target cargo ships. While Iran claims the ship combats piracy, U.S. officials suspect it aids Houthi forces, escalating tensions in the region.
Copyright © 2024 CyberMaterial. All Rights Reserved.