Cyber Briefing: 2024.11.22
What are the latest cybersecurity alerts, incidents, and news?
China, Gelsemium APT, WolfsBane Backdoor, Linux, North Korea, Impersonate, US, IT Firms, Google Docs, Weebly, Phishing Attacks, Telecom Industry, Fortinet, FortiClient, VPN, Brute-Force Attacks, Linux Kernel, NVMe, RDMA Vulnerabilities, Andrew Tate, Online University, Grand Forks Public Schools, SafePay Ransomware, Triton Sourcing & Distribution LTD, Snow Brand Australia Pty. Ltd., France, Direct Assurance, BianLian Ransomware, US Crypto Reforms, Federal Bureau of Investigation (FBI), Microsoft, Meta, U.S. Department of Justice, Global Cybercrime, Fraudulent Networks, Wiz, Dazz Security, Acquisition, Application Security
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
Chinese advanced persistent threat (APT) group Gelsemium has expanded its operations by introducing WolfsBane, a Linux-based backdoor, marking the group's first documented use of Linux malware. Identified by cybersecurity firm ESET, WolfsBane is a variant of the group’s long-standing Gelsevirine backdoor, previously observed on Windows systems since 2014. The malware was detected in March 2023 through VirusTotal uploads from Taiwan, the Philippines, and Singapore. In addition, researchers uncovered FireWood, another tool linked to a distinct framework called Project Wood, though its attribution to Gelsemium remains uncertain.
North Korean threat actors are using front companies to impersonate U.S.-based IT and software firms, generating revenue to fund the country’s ballistic missile and weapons programs. Operating under aliases and forged identities, these workers secure remote jobs and funnel their earnings back to the Democratic People's Republic of Korea (DPRK). Many front companies are based in China, Russia, Southeast Asia, and Africa, often copying legitimate business websites to appear credible.
A sophisticated phishing campaign targeting the telecommunications and financial sectors was recently uncovered by EclecticIQ researchers in October 2024. The attackers leveraged Google Docs to deliver phishing links that redirected victims to fake login pages hosted on Weebly, taking advantage of the platform's trusted reputation to bypass security filters. The phishing pages, designed to mimic login portals of major brands like AT&T, incorporated fake Multi-Factor Authentication (MFA) prompts to further deceive users.
A critical flaw in FortiClient VPN’s logging mechanism has been discovered, allowing attackers to conduct brute-force attacks without detection. Cybersecurity researchers at Pentera revealed that the vulnerability stems from the way Fortinet handles authentication and authorization. While failed login attempts are logged, successful authentication attempts are not recorded unless a VPN session is created. This creates a blind spot, enabling attackers to test stolen credentials and validate accounts without alerting security teams.
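Because the gateway described above records failed attempts but not successful credential checks that never become a session, the signal a defender can still work with is a burst of failures from one source across many usernames. The following detection logic is an added example, not code from the briefing, Pentera or Fortinet; the log line format and the sample lines are constructed for illustration and are not FortiClient's real log schema, so the parser must be adapted to the gateway's actual fields.

```python
"""Flag credential-testing bursts against a VPN gateway using only failed-login records.

Added example (not the briefing's, Pentera's or Fortinet's code). The syslog-like
line shape and the sample events below are constructed; they are not Fortinet's
real log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: generic shape, not FortiClient's schema).
# 203.0.113.5 sprays six usernames in eight seconds; 198.51.100.7 is a user
# who fails twice, fifteen minutes apart, then connects normally.
SAMPLE_LOGS = """\
2024-11-21T09:00:01Z vpn-gw auth: result=failed user=alice src=203.0.113.5
2024-11-21T09:00:03Z vpn-gw auth: result=failed user=bob src=203.0.113.5
2024-11-21T09:00:04Z vpn-gw auth: result=failed user=carol src=203.0.113.5
2024-11-21T09:00:06Z vpn-gw auth: result=failed user=dave src=203.0.113.5
2024-11-21T09:00:07Z vpn-gw auth: result=failed user=erin src=203.0.113.5
2024-11-21T09:00:09Z vpn-gw auth: result=failed user=frank src=203.0.113.5
2024-11-21T09:05:00Z vpn-gw auth: result=failed user=alice src=198.51.100.7
2024-11-21T09:20:00Z vpn-gw auth: result=failed user=alice src=198.51.100.7
2024-11-21T09:21:00Z vpn-gw session: result=established user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<kind>auth|session): result=(?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, kind, result, user, src) for each line matching LINE_RE."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; skip rather than crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["kind"], m["result"], m["user"], m["src"]


def find_bursts(lines, window=timedelta(minutes=1), min_failures=5, min_users=3):
    """Return {src: (failures, distinct_users)} for sources whose failed logins
    inside some sliding time window meet both thresholds.

    Only failed attempts are counted: on the gateway described in the briefing a
    successful credential check leaves no record unless a session follows, so the
    failure burst is the evidence that survives in the logs.
    """
    failures = defaultdict(list)
    for ts, kind, result, user, src in parse(lines):
        if kind == "auth" and result == "failed":
            failures[src].append((ts, user))

    hits = {}
    for src, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > best[0]:
                    best = (len(span), len(users))
        if best is not None:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, (count, users) in find_bursts(SAMPLE_LOGS).items():
        print(f"ALERT src={src} failed_logins={count} distinct_users={users}")
```

The distinct-username threshold separates a spray of stolen credentials from one person mistyping a password; the single user from 198.51.100.7 never trips it with the default settings, while the six-name burst from 203.0.113.5 does.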
The Linux kernel development team recently patched two critical vulnerabilities affecting various Linux versions, including long-term support (LTS) releases. The first vulnerability, CVE-2024-53093, was identified in the NVMe multipath functionality, where partition scanning could potentially cause a deadlock in certain conditions. The second issue, CVE-2024-53094, affected the RDMA/siw (Software iWARP) driver, triggering warnings related to slab page usage in send_page operations when using iSCSI Extensions for RDMA (iSER).
Hackers have breached Andrew Tate's online course, leaking the personal data of nearly 800,000 users. The breach exposed sensitive information, including email addresses and private chat logs, which were then shared with data breach notification site Have I Been Pwned and nonprofit collective DDoSecrets. In addition to the stolen data, the attackers flooded the platform’s chatroom with disruptive emojis, including symbols such as a transgender flag, a feminist fist, and AI-generated images mocking Tate.
Grand Forks Public Schools in North Dakota lost $2.2 million earlier this year in a phishing scam, where scammers deceived an employee into transferring funds. Business Manager Brandon Baumbach explained that the attack, which occurred on September 13, involved social engineering tactics, with the attackers leveraging insider information to appear legitimate. Phishing, the most common form of cybercrime according to the FBI's Internet Crime Report, continues to be a major threat.
New Zealand-based importer Triton Sourcing & Distribution has confirmed it was the victim of a ransomware attack by the emerging SafePay gang. The group, which has been active since October 2024, leaked at least 10GB of data, primarily consisting of XML files related to Triton's Exo order system and operational processes. Despite the breach, Triton stated that no personal data was affected, and it hasn't identified any significant risks to staff or third parties. The company acknowledged the disruption to its operations but recovered quickly and is working to catch up on delayed orders.
Direct Assurance, a subsidiary of the Axa insurance group, has confirmed a data breach that has compromised the personal information of 15,000 customers. The breach occurred after a cyberattack on one of the company’s suppliers, exposing sensitive data such as names, dates of birth, addresses, email addresses, phone numbers, and IBANs. Although the breach affects only about 1% of Direct Assurance’s total customer base, the incident has raised concerns, especially with the leak of IBANs, which could be exploited for fraudulent transactions.
Snow Brand Australia has confirmed it was targeted in a ransomware attack by the newly emerged SafePay group, which recently listed the company on its darknet leak site. The breach, which exposed nearly 24 GB of data, included sensitive financial records such as invoices and purchase orders, along with employee information like medical certificates and superannuation details. The company detected unusual activity on its network and immediately took steps to secure its systems.
Cyber News
A recent cyberattack on U.S. telecommunications networks has been described as the "worst telecom hack in our nation’s history" by Senator Mark Warner, chairman of the Senate Intelligence Committee. The breach, allegedly linked to China, compromised sensitive surveillance data, including U.S. customer call records and communications from individuals involved in government or political activities. The hackers, identified as part of the group "Salt Typhoon," infiltrated several telecom companies' networks, allowing them to listen to phone conversations and read text messages.
At the North American Blockchain Summit on November 21, 2024, Commodity Futures Trading Commission (CFTC) Commissioner Summer Mersinger called for structured cryptocurrency regulations in the United States. Mersinger criticized the current “regulation by enforcement” approach and emphasized the need for clearer, proactive policies to guide the crypto industry. She pointed out that decentralized finance (DeFi) and decentralized autonomous organizations (DAOs) often face charges under existing laws without the ability to register officially, making it difficult for businesses to comply.
The FBI, alongside Australian law enforcement, has identified a significant shift in the tactics of the BianLian ransomware group, which is likely based in Russia. Previously known for encrypting victims' data and demanding ransom, BianLian has now transitioned to a data extortion model, focusing solely on stealing sensitive information and threatening to leak it unless the ransom is paid. The group has been targeting public-facing applications, including Windows and ESXi systems, and exploiting known vulnerabilities like ProxyShell and CVE-2022-37969 to gain initial access.
Microsoft, Meta, and the U.S. Department of Justice (DoJ) have taken significant actions to combat cybercrime and fraudulent networks. Microsoft’s Digital Crimes Unit seized 240 fraudulent websites linked to an Egypt-based cybercriminal, Abanoub Nady, who sold a phishing kit named ONNX. This kit was used in widespread phishing campaigns targeting sectors like finance, bypassing security measures like two-factor authentication. Meanwhile, the DoJ shut down PopeyeTools, a marketplace selling stolen financial data and fraud tools, and charged its administrators from Pakistan and Afghanistan.
Wiz, a leading Cloud Native Application Protection Platform (CNAPP) provider, has announced its acquisition of Dazz Security in a deal valued at $450 million. This strategic move will significantly enhance Wiz's ability to strengthen application security and remediation across the software development lifecycle. Dazz Security, recognized for its leadership in Application Security Posture Management (ASPM), offers advanced capabilities for managing application risks and pinpointing vulnerabilities.
Copyright © 2024 CyberMaterial. All Rights Reserved.