Rising infrastructure attacks, Sponsor backdoor, Sri Lanka loses data in attack
UK government sees record critical IT infrastructure attacks
The Record’s Alexander Martin reports that according to data obtained in a Freedom of Information Act request, in the first half of 2023, critical IT infrastructure service companies reported 13 cyber attacks that significantly disrupted operations. This is an increase from four such attacks in each of the last two years. IT companies must report disruptive cyber incidents to the relevant authorities under the Network & Information Systems Regulations. Experts consulted by The Record suggest this increased reporting comes from a better understanding of regulatory requirements, rather than from increased attack volume.
Charming Kitten unleashes Sponsor backdoor
Security researchers at ESET identified a campaign by the Iranian-linked threat group dating back to March 2021. It utilized the Sponsor backdoor malware, which resides in configuration files and is deployed by batch scripts. Charming Kitten targeted government agencies, healthcare, financial services, and manufacturing organizations. Israel, Brazil, and the UAE saw the most attacks. These attacks used an Exchange vulnerability for initial access, then installed the Sponsor backdoor. ESET said it found signs of a second version of Sponsor, but noted that all IP addresses used in the campaign are now offline.
Ransomware costs Sri Lankan government months of data
Sri Lanka’s Information and Communication Technology Agency, or ICTA, confirmed its Lanka Government Cloud, or LCA System, suffered a massive ransomware attack. The attack began on August 26th, after government domain users reported receiving suspicious links. The ICTA estimates the attack impacted all gov[dot]lk email addresses. While IT workers restored systems within 12 hours of the attack, a lack of available backups resulted in data from May 17th through August 26, 2023 being permanently lost. ICTA CEO Mahesh Perera said the attackers used vulnerabilities in Microsoft Exchange Version 2013, which is utilized by LCA.
CISA warns to patch iPhones
The US Cybersecurity and Infrastructure Security Agency added a zero-click iMessage vulnerability to its Known Exploited Vulnerabilities catalog. The flaw was recently disclosed by Citizen Lab, which found it used to compromise up-to-date iPhones at a civil society organization. Citizen Lab dubbed the exploit chain BLASTPASS; it uses malicious images in PassKit attachments to infect devices, eventually allowing for remote code execution. Apple released patches for the exploits. CISA urged federal employees with a high likelihood of being targeted to turn on Lockdown Mode on iOS as a further precaution.
Thanks to our sponsor, Conveyor
Alibaba continues its cloud shuffle
A Reuters source says Alibaba’s Daniel Zhang informed staff he will step down from his role as CEO of the company’s cloud unit. Zhang previously served as CEO of Alibaba since 2015, succeeding co-founder Jack Ma. Alibaba announced a restructuring back in May, which saw Zhang shift to take over the company’s highly profitable cloud unit. The company plans to spin out its cloud business with an IPO by May 2024. While stepping down from the role, Zhang will establish a technology fund with $1 billion in Alibaba investment.
(Reuters)
Anonymous Sudan launches Telegram DDoS
The threat group Anonymous Sudan has had a busy summer. In June it launched disruptive DDoS attacks against Microsoft 365 and Azure. It followed up with another DDoS attack against the microblogging service X in August. Now the threat intelligence firm SOCRadar reports it has begun a DDoS campaign against the messaging service Telegram. The group did not announce any pretext for the attacks, although SOCRadar believes they may be related to changes impacting bot accounts on X. Analysts previously noted that Anonymous Sudan does not appear to operate out of that country and seems to show ties to the Russian threat group KillNet.
New phishing attacks hit Facebook Messenger
Guardio Labs researchers published details on a new campaign on Messenger that it dubbed MrTonyScam. The threat actors appear to originate in Vietnam, and the campaign seeks to get victims to click on an archive attachment. This deploys a dropper that pulls down a Python-based next-stage malware, which operates as part of an account hijack scheme. Once the payload deploys, it steals on-device cookies and deletes them locally. This logs out legitimate users and allows the attackers to seize account control. Researchers found that, given the attack requires a clickthrough, about 1 out of 250 potential victims became infected in the last 30 days.
Wyze webcams showed other owners’ feeds
Late last week, some owners of Wyze security cameras reported seeing unrelated camera feeds from other users. This included access to raw camera feeds and all recorded events. It appeared to occur only on Wyze’s web viewer, not its app. Wyze informed its subreddit that it took the page down for maintenance. It later told The Verge the problem came from a web caching issue and persisted for roughly 30 minutes. Wyze has a checkered past with unauthorized camera access. Last year, the security research firm Bitdefender reported that Wyze knew for three years about a vulnerability in its V1 cameras that could allow unauthorized access, but opted to discontinue the product rather than fix it.