Cyber Briefing: 2024.11.13

What's trending in cybersecurity today?

Iran Hackers, Aerospace, Fake Jobs, SnailResin Malware, GoIssue, Phishing Tool, GitHub Developers, Bulk Email, North Korea, Flutter Dev Apps, Apple macOS, Citrix Virtual Apps, Microsoft, NTLM, Zoom Link, Scam, GIGA, Chinese Hackers, Tibet Post, Gyudmed Tantric University, Familylinks, Inc., Pennsylvania, Southern Oregon Veterinary Specialty Center, BBS Financial and Consulting Inc., Ransomware, United Nations, Cybercrime Treaty, Tech Firms, Human Rights, CHERI Alliance, UK Agencies, Google, Memory Safety, Crypto Launderer, Orrick, Breach Settlement, Snyk, Probely (a Snyk Business)



Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe .



Cyber Alerts


1. Hackers Use Jobs Lures to Deploy SnailResin

Iranian cyber espionage group TA455, affiliated with the Islamic Revolutionary Guard Corps (IRGC), has been conducting targeted attacks against the aerospace, aviation, and defense industries since at least September 2023. The group lures victims with fake job offers, delivering malware through phishing emails and fraudulent LinkedIn recruiter profiles. The attacks deploy the SnailResin loader, which installs the SlugResin backdoor on compromised machines, giving the attackers remote access to steal credentials, escalate privileges, and move laterally within the network.


2. GoIssue Phishing Tool Targets Developers

A new phishing tool called GoIssue, developed by the threat actor cyberdluffy, is gaining attention for its ability to target GitHub developers through large-scale email campaigns. GoIssue extracts email addresses from public GitHub profiles and sends bulk phishing emails designed to bypass spam filters and trick developers into handing over their login credentials. Once victims click a malicious link, they may unknowingly authorize a rogue OAuth app to access their private repositories, leading to data theft, code manipulation, or ransom demands. Developers can reduce their exposure by keeping their email address private in their GitHub settings and by periodically reviewing the list of authorized OAuth apps on their account.


3. Hackers Embed Malware in macOS Flutter Apps

North Korean hackers, possibly linked to the Lazarus Group, have been found using Flutter, a cross-platform app development framework, to deploy malware on macOS devices. The malicious app, titled "New Updates in Crypto Exchange (2024-08-28)," is a clone of a basic Minesweeper game published on GitHub, with the malicious logic embedded in the app's Dart code. The threat actors also used Apple developer IDs to sign and notarize the apps, allowing them to pass Gatekeeper checks on a victim's Mac.


4. Citrix Virtual Apps Flaws Enable RCE Attacks

Cybersecurity researchers have uncovered vulnerabilities in Citrix Virtual Apps and Desktops that can lead to remote code execution (RCE). The flaws, CVE-2024-8068 and CVE-2024-8069, are rooted in the Session Recording component, which captures user activity for compliance and troubleshooting. The root cause is a Microsoft Message Queuing (MSMQ) queue exposed with overly permissive access and consumed by the Session Recording Storage Manager using BinaryFormatter, a .NET deserializer that Microsoft itself documents as unsafe for untrusted input. The researchers argue the queue is reachable without authentication; Citrix's advisory instead describes the flaws as requiring an authenticated user in the same Windows Active Directory domain and intranet as the Session Recording server, so administrators should patch rather than rely on either severity rating.


5. Microsoft Fixes Actively Exploited NTLM Bugs

Microsoft's November 2024 Patch Tuesday update addresses 90 vulnerabilities, including two actively exploited flaws affecting Windows NTLM and Task Scheduler. CVE-2024-43451, a Windows NTLM Hash Disclosure Spoofing vulnerability, lets an attacker capture a user's Net-NTLMv2 response after minimal interaction with a malicious file, such as a single click, a right-click, or a delete; the captured response can then be relayed to other services or cracked offline to authenticate as the user and move laterally. The other actively exploited flaw, CVE-2024-49039, enables privilege escalation in Windows Task Scheduler, allowing a low-privileged process to execute RPC functions normally restricted to privileged accounts.
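As an added example (not code from the newsletter, Microsoft, or any vendor tool), the following Python script shows what a defender can hunt for after CVE-2024-43451: Windows .url shortcut files whose IconFile or target points at a remote UNC or WebDAV host, the shape that makes Explorer open an outbound SMB or WebDAV connection and negotiate NTLM with the attacker's server. The sample shortcuts and the host 203.0.113.10 are constructed, and the `allowed_hosts` argument is an assumption about how you would exclude your own file servers.

```python
"""Hunt for Windows .url shortcuts whose icon or target lives on a remote
host, the shape used to trigger an outbound NTLM authentication (the vector
reported for CVE-2024-43451). Added example; not newsletter, Microsoft or
vendor code. The sample shortcuts and the 203.0.113.10 host are constructed."""
import configparser
import re
from dataclasses import dataclass
from typing import Optional

# \\host\share\... : Explorer opens an SMB session to "host" to fetch the icon.
_UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# file://host/share/... : same effect via the file: scheme (file:///C:/... has
# an empty host and does not match).
_FILE_HOST_RE = re.compile(r"^file://([^/\\]+)[/\\]", re.IGNORECASE)
# http(s)://host/... : fetched over WebDAV, which also negotiates NTLM.
_HTTP_RE = re.compile(r"^https?://([^/\\?#]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    key: str    # which .url field points off-host (IconFile or URL)
    value: str  # the raw field value
    host: str   # the host Explorer would authenticate to


def remote_host(value: str) -> Optional[str]:
    """Return the host a shortcut field would make Explorer contact, else None."""
    v = value.strip().strip('"')
    for pattern in (_UNC_RE, _FILE_HOST_RE, _HTTP_RE):
        m = pattern.match(v)
        if m:
            return m.group(1)
    return None


def scan_url_shortcut(text: str, allowed_hosts: frozenset = frozenset()) -> list:
    """Parse one .url file (INI syntax) and report fields that reach out to a
    host not in allowed_hosts (lowercase names). An http(s) *target* is the
    normal use of a .url file and is not reported; an http(s) icon or a
    UNC/file target is."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (IconFile, URL) for the report
    cp.read_string(text)
    section = next((cp[s] for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        return []
    findings = []
    for key in ("IconFile", "URL"):
        raw = section.get(key)
        if raw is None:
            continue
        host = remote_host(raw)
        if host is None:
            continue
        if key == "URL" and _HTTP_RE.match(raw.strip().strip('"')):
            continue  # ordinary web shortcut
        if host.lower() in allowed_hosts:
            continue  # caller-supplied allow-list, e.g. your own file servers
        findings.append(Finding(key, raw.strip(), host))
    return findings


# Constructed samples (not real artifacts).
BENIGN = r"""[InternetShortcut]
URL=https://intranet.example.com/portal
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""

LURE_UNC_ICON = r"""[InternetShortcut]
URL=https://example.com/jobs/Offer.pdf
IconFile=\\203.0.113.10\share\icon.ico
IconIndex=1
"""

LURE_WEBDAV = r"""[InternetShortcut]
URL=file://203.0.113.10/docs/Offer.pdf
IconFile=http://203.0.113.10/icon.ico
"""

if __name__ == "__main__":
    samples = (("benign", BENIGN), ("unc_icon", LURE_UNC_ICON), ("webdav", LURE_WEBDAV))
    for name, text in samples:
        for f in scan_url_shortcut(text):
            print(f"{name}: {f.key} -> {f.host}  ({f.value})")
```

When running this over files collected from disk or mail attachments, open them with `encoding="utf-8-sig"` (or detect UTF-16), since Windows writes shortcuts in more than one encoding, and remember that the same remote-icon trick applies to .lnk files, which this INI parser does not cover.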



Cyber Incidents


6. Fake Zoom Link Costs GIGA Investor $6M

A phishing scam targeting a prominent GIGA token investor resulted in the theft of $6.09 million after the victim clicked on a fake Zoom link. On November 12, the investor, known as "Still in the Game," revealed that their wallet had been drained following the phishing attack. The scam involved a deceptive Zoom invitation that led to a website designed to steal wallet information. Once malware was installed on the victim's device, the hacker stole 95.3 million GIGA tokens and converted them into Solana (SOL) and stablecoins like Tether (USDT) and USD Coin (USDC).


7. Hackers Target Tibetan Websites in Attack

A Chinese state-sponsored hacking group has compromised two websites with ties to the Tibetan community in a cyber espionage campaign. The targeted sites, Tibet Post and Gyudmed Tantric University, were modified to push malware onto visitors' computers: when users visited these sites, they were prompted to download a malicious executable disguised as a security certificate.


8. Pennsylvania's Familylinks Hit With Breach

Familylinks Inc., a nonprofit organization based in Pittsburgh, Pennsylvania, has disclosed a data security breach involving personal and protected health information. The breach, identified on May 3, 2024, was caused by suspicious activity in one of its employee's email accounts. Following an investigation, it was confirmed that certain emails and attachments may have been acquired without authorization, affecting individuals' names, Social Security numbers, medical information, and health insurance details.


9. Cyberattack Disrupts Oregon Vet Center

A recent cyber attack disrupted operations at the Southern Oregon Veterinary Specialty Center (SOVSC) over the weekend, forcing the closure of its urgent care and limiting its emergency room capabilities. The breach was discovered when doctors attempted to access patient files, only to be met with a ransom note demanding payment to regain access. In response, SOVSC immediately shut down its network, isolating the attackers and working with cybersecurity experts to identify and replace 30 affected devices.


10. BBS Financial Confirms January 2024 Breach

BBS Financial, LLC recently confirmed a data breach following a ransomware attack that took place in January 2024. According to a notice filed with the Attorney General of Maine on November 11, 2024, the breach exposed sensitive information, including names, addresses, dates of birth, Social Security numbers, government-issued IDs, and financial account numbers. The breach occurred after an unauthorized party accessed BBS’s systems and demanded a ransom for the deletion of the stolen data.



Cyber News


11. US Backs UN Cybercrime Treaty Amid Concerns

Despite significant criticism from Western tech and cybersecurity firms, the Biden administration has pledged its support for a United Nations cybercrime treaty. Initially proposed by Russia in 2017, the treaty has faced pushback due to concerns that it could criminalize essential cybersecurity research and expand police surveillance. While industry leaders, including major companies like Microsoft, argue that the treaty's language is overly broad and could negatively impact whistleblowers, journalists, and security researchers, U.S. officials maintain that the treaty holds potential for improving international law enforcement cooperation against cybercrime.


12. CHERI Alliance Expands to Enhance Safety

The CHERI Alliance, a collaborative project designed to combat memory-based cyberattacks, has gained significant momentum with new additions from UK government agencies and tech giant Google. The initiative, focused on promoting Capability Hardware Enhanced RISC Instructions (CHERI), aims to address memory-safety bugs such as buffer overflows and heap use-after-free, the class of flaw that Microsoft and Google have each reported accounts for roughly 70% of the serious security vulnerabilities in their large C and C++ code bases.


13. Crypto Launderer Pleads Guilty in $73M Scam

Daren Li, a 41-year-old dual citizen of China and St. Kitts and Nevis, has pleaded guilty to his involvement in laundering $73 million stolen through various cryptocurrency scams. Li admitted to conspiring in the scheme, which included "pig butchering" investment scams, operating between August 2021 and April 2024. He facilitated the laundering by instructing others to open U.S.-based bank accounts under shell companies to disguise the origin of the funds.


14. Court Approves $8M Orrick Breach Settlement

A U.S. district court has finalized an $8 million settlement in a class action lawsuit against the law firm Orrick, Herrington & Sutcliffe, stemming from a 2023 data breach that affected over 638,000 individuals. The breach, which occurred between November 2022 and March 2023, exposed sensitive information, including names, Social Security numbers, and health data, for clients such as EyeMed and Delta Dental of California.


15. Snyk Acquires Probely to Bolster Security

Snyk, a leading developer security company, has acquired Portuguese dynamic application security testing firm Probely to bolster API security, particularly for AI-driven applications. With the growing demand for API security due to the rise of AI-native applications, the acquisition integrates Probely’s API-first approach with Snyk’s existing security offerings, providing more robust protection throughout the software development lifecycle (SDLC).



Subscribe and Comment.

Copyright © 2024 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn , Twitter , Reddit , Instagram , Facebook , YouTube , and Medium .



