CyberNEXT CISO Daily – February 22, 2024
NEW DEVELOPMENTS
Executive Order on Port Cybersecurity Points to IT/OT Threat Posed by Chinese Cranes
Source: Security Week
A new executive order from the Biden administration aims to improve the cybersecurity of US ports, with particular emphasis on the risks associated with Chinese-made cranes. The directive expands the Coast Guard's authority to address maritime cyber threats and requires the establishment of cybersecurity standards for marine transportation systems.
Ransomware Declines as InfoStealers and AI Threats Gain Ground: IBM X-Force
Source: Security Week
The IBM X-Force 2024 Threat Index reports major shifts in cybersecurity patterns: a decrease in ransomware attacks alongside increased information theft and attacks on critical infrastructure. Key findings include a drop in ransomware, a sharp rise in information-stealing incidents, more attacks using legitimate credentials, and geopolitical tensions shaping cyber activity. The report also examines the emerging threat of artificial intelligence (AI) in cyberattacks, although tangible AI-driven attacks have yet to materialize.
Mustang Panda Targets Asia with Advanced PlugX Variant DOPLUGS
Source: The Hacker News
The China-linked threat group Mustang Panda has been targeting several Asian countries, primarily Taiwan and Vietnam, with a customized variant of the PlugX backdoor called DOPLUGS. Distributed through spear-phishing campaigns, the variant uses tactics including DLL side-loading and malicious DLLs written in the Nim programming language. DOPLUGS acts as a downloader for PlugX malware and adds capabilities such as the KillSomeOne module for information theft and propagation via USB drives. Mustang Panda, also known as BASIN, RedDelta, and other aliases, has a history of deploying tailored malware variants, indicating continued refinement and activity in both Europe and Asia.
New 'VietCredCare' Stealer Targeting Facebook Advertisers in Vietnam
Source: The Hacker News
VietCredCare, a newly discovered information stealer, has targeted Facebook advertisers in Vietnam since at least August 2022. The malware is notable for its ability to extract Facebook session cookies and credentials, focusing on accounts that manage business profiles with a positive Meta ad credit balance. Operated under a stealer-as-a-service model, VietCredCare is advertised on various platforms and run by Vietnamese-speaking individuals. Its core functionality poses a significant risk to organizations, because compromised accounts can be used to spread political content, phishing, or affiliate scams.
Exclusive: eSentire Confirms Rhysida Ransomware Victims
Source: Infosecurity Magazine
The Rhysida ransomware group has intensified its attacks, targeting critical infrastructure including hospitals, power plants, and schools across the UK, Europe, and the Middle East. Working with eSentire's Threat Response Unit (TRU), researchers identified 77 victimized companies and public institutions, confirming the authenticity of Rhysida's dark web leak site. Rhysida operates as a Ransomware-as-a-Service (RaaS) provider, leasing its tools to affiliates, and shows striking similarities in tactics to the Vice Society ransomware group, particularly in targeting sectors such as education and healthcare.
Hackers Abuse Google Cloud Run in Massive Banking Trojan Campaign
Source: Bleeping Computer
Attackers are abusing Google Cloud Run to distribute banking trojans such as Astaroth, Mekotio, and Ousaban, using phishing emails and malicious MSI installer files to deliver the payloads. The campaign, observed by Cisco Talos researchers, highlights the growing appeal of Google Cloud Run to cybercriminals because of its low cost and its ability to slip past standard security controls.
DC-Area School System Says Data of 100,000 People Affected in Ransomware Attack
Source: The Record
Prince George's County Public Schools (PGCPS), a school district in the Washington, DC region, has revealed that the personal information of approximately 100,000 people was exposed in a ransomware attack just before the autumn semester started last year. The incident, discovered on August 14 and disclosed publicly shortly thereafter, caused a network outage in the Maryland district, which serves around 130,000 students. PGCPS completed its investigation in February and confirmed that the leaked data included names, financial account details, and Social Security numbers. The attack, attributed to the Rhysida ransomware group, began on August 3; the group was reported to have posted PGCPS data on a leak site in November.
Control Systems Firm PSI Struggles to Recover From Ransomware Attack
Source: Security Week
PSI Software, a leading German supplier of control system solutions, is still struggling to recover from a ransomware incident earlier this month. As a precaution against data exfiltration, PSI disconnected its systems from the internet following the event, which was first made public on February 15. The company later released an update confirming that ransomware was used in the attack and stating that its internal IT infrastructure remains offline. When the attack was discovered, PSI promptly shut down all external connections and services, including its mail system.
VULNERABILITIES TO WATCH
'KeyTrap' DNS Bug Threatens Widespread Internet Outages
Source: Darkreading
A 24-year-old security vulnerability, tracked as CVE-2023-50387 and dubbed "KeyTrap," poses a significant threat to Internet stability because it can be used to cause widespread outages via DNS servers. By exploiting a fundamental flaw in the DNS Security Extensions (DNSSEC), attackers can force DNS resolvers into resolution loops that consume their computing resources and cause them to stall. Patches have been released, but they are temporary fixes; longer-term revisions to the DNSSEC standards are underway to address the underlying design flaw.
New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers
Source: The Hacker News
Two authentication bypass flaws have been uncovered in open-source Wi-Fi software used on Android, Linux, and ChromeOS devices. Tracked as CVE-2023-52160 and CVE-2023-52161, the vulnerabilities could allow attackers to trick users into connecting to malicious networks or to gain unauthorized access to trusted networks without a password, potentially leading to data interception and malware infections.
Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities
Source: Security Week
Google and Mozilla have released patches for Chrome and Firefox that fix numerous vulnerabilities, including significant memory safety issues. Firefox 123 addresses 12 vulnerabilities, four of them high-severity, while Chrome 122 addresses 12 security issues, including two high-severity flaws that were publicly disclosed.
SPECIAL REPORTS
Navigating the Maze: Tips to Consider When Choosing SOC as a Service
Source: The Cyber Express
Choosing the right SOC as a Service (SOCaaS) provider is crucial for strengthening an organization's cybersecurity posture and resilience against threats. This blog post offers practical tips for the selection process, including assessing the provider's expertise in threat detection, its incident response capabilities, 24/7 monitoring, data center security, collaboration tools, and scalability.
Supply Chain Cybersecurity Insights | 2024
Source: Security Week
The supply chain cybersecurity landscape in 2024 is marked by growing threats and increasing complexity. Criminals and nation-state actors exploit vulnerabilities in software and hardware supply chains to hit many downstream victims at once. Government initiatives such as CISA's Software Bill of Materials (SBOM) effort aim to improve supply chain security, but widespread adoption and effective implementation remain challenges. Consolidation within the supply chain and the proliferation of open-source software (OSS) compound the risk, requiring organizations to prioritize risk management strategies and proactive defenses.
