Cyber Briefing: 2024.10.28
What's happening in cybersecurity today?
TeamTNT, Cloud, Docker, Inc, Cryptomining, Black Basta Ransomware, Microsoft Teams, Parano Stealer, Credentials, OS Downgrade, Microsoft Windows, Kernel Threat, Fog, SonicWall, VPN Flaws, Networks, Base Blockchain, $1 Million Theft, Rumpke Waste & Recycling, Libération Newspaper, France, Telecom Operator, Free, Nordea, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency, China, Telecom, Political Figures, BlackBerry, APAC, Cybersecurity HQ, Malaysia, Singapore, Scams, Amazon Web Services (AWS), Domains, Russia, APT29, Phishing, Ukraine, REvil, Sentenced, Cybercriminals
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
The notorious hacking group TeamTNT has escalated its cloud-targeted cryptomining attacks, focusing on exposed Docker daemons to infiltrate cloud environments with sophisticated malware. In a recent campaign, the group leveraged Docker Hub to distribute malicious Alpine Linux images that deploy the Sliver command-and-control (C2) framework, replacing the Tsunami backdoor it previously used. This approach enables TeamTNT to remotely control infected servers and establish a Docker Swarm, facilitating both cryptomining and the rental of compromised resources to other cybercriminals.
Black Basta ransomware affiliates have adopted a new tactic, using Microsoft Teams to impersonate IT support and gain access to target networks. According to ReliaQuest researchers, attackers first flood employees’ inboxes with spam emails, then contact them through Teams, posing as help desk personnel. The attackers, operating from fake Entra ID tenants with names like “Help Desk” or “Security Admin,” deceive employees by offering to help mitigate the spam issue, often directing them to download remote management tools like AnyDesk.
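The two-stage pattern above (an inbox spam flood, then a Teams chat from an external tenant posing as IT support) lends itself to a simple correlation check. The following is an added example, not code from the briefing or from ReliaQuest; the event format and the sample events are constructed for illustration and do not match any real Microsoft log schema.

```python
"""Correlate a spam flood with a follow-up Teams chat from a suspiciously named
external tenant, the sequence the report above attributes to Black Basta."""
from datetime import datetime, timedelta
import re

# Constructed sample events (hypothetical format): spam counts per mailbox and
# chats initiated by external Teams tenants.
EVENTS = [
    {"ts": "2024-10-25T09:00:00", "type": "mail_spam", "user": "alice", "count": 250},
    {"ts": "2024-10-25T09:40:00", "type": "teams_external_chat", "user": "alice",
     "tenant_name": "Help Desk", "tenant_id": "external-1"},
    {"ts": "2024-10-25T10:05:00", "type": "teams_external_chat", "user": "bob",
     "tenant_name": "Contoso Partner", "tenant_id": "external-2"},
    {"ts": "2024-10-25T11:00:00", "type": "teams_external_chat", "user": "carol",
     "tenant_name": "Security Admin", "tenant_id": "external-3"},
]

# Display names the report says the fake Entra ID tenants used, plus one variant.
SUSPICIOUS_NAME = re.compile(r"help\s*desk|security\s*admin|it\s*support", re.I)


def find_teams_impersonation(events, spam_threshold=100, window=timedelta(hours=2)):
    """Return (user, tenant_name) pairs where a suspiciously named external tenant
    chatted a user within `window` after that user received a spam flood."""
    floods = {}  # user -> timestamp of the most recent spam flood
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "mail_spam" and ev["count"] >= spam_threshold:
            floods[ev["user"]] = ts
        elif ev["type"] == "teams_external_chat" and SUSPICIOUS_NAME.search(ev["tenant_name"]):
            flooded_at = floods.get(ev["user"])
            # Only flag when both stages happened to the same user, in order, and close together.
            if flooded_at is not None and ts - flooded_at <= window:
                hits.append((ev["user"], ev["tenant_name"]))
    return hits


if __name__ == "__main__":
    for user, tenant in find_teams_impersonation(EVENTS):
        print(f"possible IT-support impersonation: {user} contacted by '{tenant}'")
```

A suspicious tenant name alone (carol's case) is not flagged here; in practice that weaker signal is still worth reviewing, as is any AnyDesk or other remote-management install that follows the chat.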
Parano Stealer has emerged as a new infostealer variant, showcasing its ability to collect and exfiltrate sensitive information from compromised endpoints. Developed using Python, this malware targets various types of data, including user credentials, cookies, and cryptocurrency wallet information, as well as system details and data from popular third-party applications such as Steam, Telegram, and Discord.
Researchers have identified a critical OS downgrade vulnerability that targets the Microsoft Windows kernel, potentially allowing attackers to bypass Driver Signature Enforcement (DSE) on fully patched systems. This exploit enables the loading of unsigned kernel drivers, which could facilitate the deployment of custom rootkits that evade security controls, conceal processes, and maintain stealth within the system. Dubbed "Windows Downdate," the technique hijacks the Windows Update process, enabling persistent downgrades to older versions of critical OS components that may harbor unpatched vulnerabilities.
Fog and Akira ransomware operators have been increasingly exploiting vulnerabilities in SonicWall VPN accounts to breach corporate networks, primarily through the critical SSL VPN access control flaw identified as CVE-2024-40766. Although SonicWall issued a fix for this flaw in late August 2024, it was already under active exploitation shortly thereafter. Recent reports from Arctic Wolf reveal that these two ransomware groups have conducted at least 30 intrusions, with 75% attributed to Akira and the remaining 25% to Fog.
An exploit involving unverified lending contracts on the Base blockchain has led to a theft of approximately $1 million, according to blockchain security firm Cyvers Alerts. The incident, reported on October 25, revealed how an attacker manipulated the price of Wrapped Ether (WETH) through vulnerabilities in smart contracts, siphoning off nearly $994,000 initially. The attacker subsequently transferred the stolen funds to the Ethereum network and utilized Tornado Cash, a privacy-focused service, to obscure the funds.
Rumpke Waste Management has confirmed that it experienced a cybersecurity incident, prompting an ongoing investigation into the matter. The company assures its customers that their data and payment processing systems remain secure, and there has been no disruption to trash and recycling collection services. In a statement, Rumpke emphasized its commitment to information security for both employees and customers, expressing confidence that no sensitive payment information was compromised.
On October 25, 2024, the French newspaper Libération fell victim to a ransomware attack that aimed to disrupt its operations. While the malicious software targeted the newspaper's systems, the editorial team reported that their digital publishing infrastructure, as well as journalists' and subscribers' data, remained secure and unaffected. Thanks to the quick actions of their IT teams, Libération was able to mitigate the attack's impact, ensuring that their website continued to function normally and that plans were in place for the Saturday paper's distribution.
Free, the second-largest telecommunications operator in France, has confirmed it was the victim of a cyberattack targeting a management tool that led to unauthorized access to some personal data of certain subscribers. The company clarified that no passwords, bank card information, or communication content—such as emails, SMS, and voice messages—were compromised in the breach. While the date and extent of the attack remain unspecified, Free has stated that there was no operational impact on its services.
Nordea Bank experienced significant disruptions on October 25, 2024, due to a cyberattack impacting its website and mobile app across Sweden, Norway, Denmark, and Finland. Customers reported difficulties logging into their accounts, with error messages indicating a problem with the service. Cathrine Graff, the press manager at Nordea in Norway, confirmed that the bank was targeted by a Distributed Denial-of-Service (DDoS) attack, which aims to overwhelm a server and render it inaccessible to legitimate users.
Cyber News
U.S. agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), are investigating allegations of cyber intrusions linked to Chinese government hackers, targeting multiple telecommunications companies and high-profile political figures. Reports indicate that devices belonging to Vice President Kamala Harris, former President Donald Trump, and vice presidential candidate JD Vance were compromised during these breaches.
BlackBerry Limited has announced the establishment of its Asia Pacific (APAC) Cybersecurity Regional Headquarters in Cyberjaya, Malaysia, reinforcing the country's position as a cybersecurity hub. This strategic move aligns with BlackBerry's long-term vision of leveraging Malaysia's emerging technology centers and robust government support. The headquarters will collaborate with the Malaysian Communications and Multimedia Commission (MCMC) and the recently inaugurated Cybersecurity Center of Excellence (CCoE), aimed at upskilling the local cybersecurity workforce.
Singapore has implemented new regulations requiring banks and telecom companies to take decisive action against impersonation scams. Under this framework, financial institutions have six months to establish real-time detection tools to block fraudulent transactions; failure to do so will result in them assuming liability for any stolen funds. This initiative comes in response to a reported 50% increase in scams in 2023, leading to significant financial losses for victims.
Amazon Web Services (AWS) has taken decisive action against the Russian hacking group APT29, seizing domains used in phishing attacks targeting Ukraine and other nations. This initiative follows reports from Ukraine's CERT-UA, which indicated that APT29 had been sending emails that mimicked AWS, aiming to harvest Windows credentials via Microsoft Remote Desktop. The phishing messages referenced AWS and Microsoft services, delivering Remote Desktop Protocol (RDP) configuration files that, when executed, granted attackers remote access to compromised devices.
In a significant legal development, four members of the notorious REvil ransomware group have been sentenced to prison in Russia, marking a rare instance of cybercriminals facing conviction within the country. The St. Petersburg court found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of illegal circulation of payment methods, with Puzyrevsky and Khansvyarov additionally convicted of using and distributing malware. Zaets and Malozemov received sentences of 4.5 and 5 years, while Khansvyarov and Puzyrevsky were sentenced to 5.5 and 6 years, respectively.
Copyright © 2024 CyberMaterial. All Rights Reserved.