Volt Typhoon’s new botnet, China APT hits Tibet, DoD leaker sentenced
Subscribe to Cyber Security Headlines podcast
Spotify, Apple Podcasts , RSS link , add as an Alexa Skill , or search "Cyber Security Headlines" on your favorite podcast app.
In today’s cybersecurity news…
Volt Typhoon rebuilding botnet
In early 2024, the US government announced it had disrupted the botnet used by Volt Typhoon, a threat actor with suspected links to the Chinese government. This botnet predominantly used unpatched Cisco, Fortinet, and Netgear devices. We’re not seeing signs that the group is building a new botnet. Researchers at SecurityScorecard saw a cluster tied to the group covertly routing traffic, primarily made up of compromised Netgear ProSafe, Mikrotik, and Cisco RV320 devices. This appears to be using the same core infrastructure and techniques previously used by Volt Typhoon.?
Chinese group targets Tibetan media
Researchers at the Insikt Group tracked a cyberespionage campaign by the China-linked group TAG-112. This saw the group use Cobalt Strike to compromise the websites for the Tibet Post and Gyudmed Tantric University, likely through their Joomla CMS. Researchers say TAG-112 may be a subgroup of the China-linked threat actor Evasive Panda, as is shows similar tactics, although it lacked the sophistication to drop custom malware. Evasive Panda has also compromised the Tibet Post in previous attacks.??
(The Record )
DoD leaker sentenced
The US attorney for Massachusetts announced it sentenced former Massachusetts Air National Guardsman Jack Teixeira to 15 years in prison for stealing and leaking classified information. Court documents show Teixeira shared classified documents on Discord sometime in 2022, including troop movements and information on equipment provided to Ukraine. The leaks were discovered in March 2023. Teixeira pleaded guilty to six counts related to that in March 2024 as part of a plea deal.???
(NBC )
ShrinkLocker decryptor released
The cybersecurity firm Bitdefender released the decryptor to help victims recover quickly from attacks. Researchers at Kaspersky first documented details on ShrinkLocker in May 2024. The ransomware is written in VBScript and uses Windows’ native BitLocker utility to encrypt files, primarily attacking targets in Indonesia, Jordan, and Mexico. The researchers noted that ShrinkLocker uses Group Policy Objects and scheduled tasks to “encrypt multiple systems within a network in as little as 10 minutes per device.” The researchers recommended proactive monitoring of specific Windows event logs and configuring BitLocker to store recovery information in Active Directory Domain Services as ways to reduce the risk of similar BitLocker-based attacks.?
Huge thanks to our sponsor, ThreatLocker
Hamas-affiliated group targets the Middle East
Researchers at Check Point documented activity by the APT WIRTE, a group believed to be part of the Gaza Cyber Gang and active since August 2018. It’s operated phishing campaigns against Israeli organizations and also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt. These phishing attacks use a new version of the SameCoin Wiper, which adds the ability to encrypt data on systems and overwrite files with random bytes. It also overwrites the system’s background to display the name of the military wing of Hamas. The researchers say the group continues to iterate with multiple campaigns that show a versatile infiltration and malware toolkit.?
Amazon leaker claims to be an ethical hacker
Last week, 2.8 million lines of Amazon employee data were posted on a dark web forum by someone with the moniker “Nam3L3ss.” They claimed to have obtained information on dozens of companies through the MOVEit file transfer exploit. Researchers at Hudson Rock verified this data, including organizations like Lenovo, Delta, HSNC, and Chares Schwab. This includes names, organization roles, contact information, and department assignments primarily used for social engineering. Nam3L3ss claimed they took this action as an ethical hacker, not obtaining the data with fake credentials and only scraping what was publically available. They said they published the data to raise awareness of the need to encrypt PII data at these organizations and not to hide behind blaming third parties for leaked data. They also told researchers that more data would be revealed in the coming days.
Sheboygan hit up for ransom?
The Wisconsin city has been experiencing network outages since late October. Over the weekend, it was confirmed that this was caused by a threat actor gaining “unauthorized access” to the city’s network. Officials also confirmed that the city received a ransom demand, saying, “we are cooperating fully with law enforcement and incorporating their guidance into our response.” Local news outlets report emergency services are seeing “limited interruptions” but that “all cloud-based services are up and working” for city employees. No group has taken credit for the attack, and city officials have been tight-lipped with details.?
(The Record )
End-of-life D-Link NAS devices under attack
Researchers at Netsecfish discovered a command injection vulnerability on D-Link NAS devices that allows an unauthenticated attacker to use GET requests to inject shell commands. This flaw has been under active exploitation since November 8th. However, the impacted models, DNS-320, 325, and 340L, are now end-of-life, and D-Link said it had no plans to release a patch. Researchers found over 41,000 unique IP addresses for vulnerable devices found online. D-Link advises customers to replace the devices or, at the very least, restrict them from open internet access.??