Switzerland Xplain attack, BlackSuit resembles Royal, Microsoft retires Cortana
Xplain hack impacts Swiss cantonal police and Fedpol
Swiss police have launched an investigation into a cyberattack that hit the Bernese IT service provider Xplain, which provides its services to several Swiss federal and regional government departments, as well as the army, customs, and the Federal Office of Police (Fedpol). Threat actors have already published alleged stolen data from the Federal Office of Police (Fedpol) and the Federal Office for Customs and Border Security (FOCBS) on a Darknet forum, but representatives from these offices state the threat actors only had access to simulated, anonymous data for test purposes.
New Linux ransomware strain BlackSuit shows similarities to Royal
This according to Trend Micro, which examined an x64 VMware ESXi version targeting Linux machines. Their researchers stated, “they’re nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files.” In line with other ransomware groups, it runs a double extortion scheme that steals and encrypts sensitive data in a compromised network in return for monetary compensation. Data associated with a single victim has been listed on its dark web leak site.
Microsoft is retiring Cortana on Windows starting late 2023
After introducing a string of AI-powered assistants for its products, Microsoft has now announced that it will soon end support for the Windows standalone Cortana app. Initially introduced as part of the Windows Phone operating system, Cortana has since expanded to other platforms, including Windows 10, Android, and iOS. It’s now deeply integrated into Microsoft’s ecosystem and was designed to work closely with other Microsoft products. It will be retired in late 2023, 8 years after its inclusion in Windows 10 in 2015. This only impacts Cortana in Windows. It will still be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms.
AI-automated malware campaigns coming soon, says Mikko Hyppönen
Cybersecurity pioneer Mikko Hyppönen began his cybersecurity career 32 years ago at Finnish cybersecurity company F-Secure, two years before Tim Berners-Lee released the world’s first web browser, and is now the chief research officer at WithSecure. In an interview with CSO Online, he states it is “mandatory for the cybersecurity industry to embrace AI technology…It will only be a matter of months before malicious threat actors use widely available AI source code to perfect their techniques for complete automation of malware campaigns.”
Thanks to this week’s episode sponsor, Trend Micro
Beware of the new zip domain phishing technique “file archiver in the browser”
This new phishing technique can be used by phishers to “emulate” file archiver software in a web browser when a victim visits a .ZIP domain, according to security researcher mr.d0x. As we have been covering here on Cyber Security Headlines, the new top-level domains .zip and .mov are causing concern among security experts. For this technique, an attacker imitates either the WinRAR file archive utility or the Windows 11 File Explorer window, adding a ‘Scan’ icon to the WinRAR sample. When users click on the icon, a message box reassuring them that the files are secure is displayed, thereby preventing suspicion.
Canadian university dealing with ransomware attack on email system
The University of Waterloo, a Canadian university near Toronto, confirmed last week that it is dealing with a ransomware attack. School vice president Jacinda Reitsma explained that their on-campus Microsoft Exchange email services were affected by the ransomware attack, sparing those who only use their cloud-based email. As a result, students were not able to log in or sign into other educational platforms with their email credentials. A reset was successfully completed by Friday morning. No ransomware group has taken credit for the attack.
US research agency examines cyber psychology to outwit criminal hackers
A new project at the Intelligence Advanced Research Projects Activity — the U.S. intelligence community’s moonshot research division — is trying to better understand hackers’ psychology, discover their blind spots and build software that exploits these deficiencies to improve computer security. “When you look at how attackers gain access, they often take advantage of human limitations and errors, but our defenses don’t do that,” Kimberly Ferguson-Walter, the IARPA program manager overseeing the initiative, told CyberScoop. Dubbed Reimagining Security with Cyberpsychology-Informed Network Defenses or “ReSCIND,” the IARPA initiative is an open competition inviting expert teams to submit proposals for how they would study hackers’ psychological weaknesses and then build software exploiting them.
Last week in ransomware
Last week numerous companies reported having data stolen after threat actors utilized a zero-day vulnerability in the MOVEit Transfer program to breach servers. While no one has claimed responsibility for this attack, it resembles Clop ransomware attacks using GoAnywhere MFT and Accellion FTA zero-days to steal files. Also last week it was put forward that the attack on the City of Dallas may have put the Royal ransomware operation in the crosshairs, scaring them into the BlackSuit rebrand mentioned earlier in this episode. Last week IBM released a report about BlackCat/ALPHV’s new ‘Sphynx’ encryptor and other tools used by the operation. We also reported on ransomware attacks on the legal eDiscovery company Casepoint, the City of Augusta, Georgia, and MCNA Dental.
Senior Vice President, Chief Information Security Officer (CISO) of Oracle SaaS Cloud | Gartner Peer Community Ambassador
1y: Does anyone use Cortana at all?