CyberNEXT CISO Daily – January 31, 2024
January 31, 2024
Posted By: Research Team


NEW DEVELOPMENTS


China-Linked Hackers Target Myanmar’s Top Ministries with Backdoor Blitz
Source: The Hacker News
China-based threat actor Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, and TEMP.Hex, is suspected of targeting Myanmar’s Ministry of Defence and Foreign Affairs in twin cyber campaigns to deploy backdoors and remote access trojans. The attacks, identified by CSIRT-CTI, occurred in November 2023 and January 2024, utilizing tactics such as DLL search order hijacking and disguising command-and-control (C2) traffic as Microsoft update traffic. Mustang Panda has previously been linked to cyberespionage operations aligned with the geopolitical interests of the Chinese government.

Hundreds Of Network Operators’ Credentials Found Circulating In Dark Web
Source: Security Affairs
Resecurity has identified over 1,572 compromised credentials belonging to customers of RIPE, APNIC, AFRINIC, and LACNIC circulating on the dark web. The compromised data includes records harvested by the Azorult, Redline, Vidar, Lumma, and Taurus infostealers. The victims, including a major data center and telecom providers in Africa, were notified, and their responses indicated varying levels of awareness and action. The compromised credentials pose risks of unauthorized access, configuration changes, and potential service disruptions and security breaches.

Brazilian Feds Dismantle Grandoreiro Banking Trojan, Arresting Top Operatives
Source: The Hacker News
In partnership with Slovak cybersecurity firm ESET, Brazilian law enforcement has dismantled the Grandoreiro banking Trojan operation, with arrests of many key operatives. Grandoreiro is a Latin American banking Trojan active since 2017 and primarily targets Spain, Mexico, Brazil, and Argentina. The Federal Police of Brazil led the operation, including arrest warrants and search and seizure warrants in several states.

Microsoft Teams phishing pushes DarkGate malware via group chats
Source: Bleeping Computer
Threat actors are exploiting Microsoft Teams to conduct phishing attacks, sending malicious attachments that deliver DarkGate malware. The attackers use compromised Teams user accounts to send over 1,000 malicious group chat invites. Once the targets accept the chat request, they are tricked into downloading a file with a double extension named ‘Navigating Future Changes October 2023.pdf.msi,’ a common DarkGate tactic. This phishing attack takes advantage of Microsoft Teams’ default setting that allows external users to message users in other tenants.
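The double-extension lure described above is easy to catch mechanically: the filename ends in an executable extension, but the extension just before it claims the file is a document. The following Python is an added illustration written for this digest, not code from the source article or from any vendor; the extension lists and the sample filenames are constructed assumptions, and a real deployment would feed it attachment names from Teams audit logs or a mail gateway.

```python
from pathlib import PurePosixPath

# Extensions Windows will execute when the user double-clicks (constructed list, extend as needed)
EXECUTABLE_EXTS = {".msi", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".ps1"}
# Extensions attackers prepend as a decoy so the file looks like a harmless document
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}


def classify_attachment(filename: str) -> dict:
    """Classify one attachment name.

    Returns a dict with the final extension, the decoy extension (if any), a boolean
    'suspicious' flag and a short reason string suitable for a detection rule.
    """
    suffixes = [s.lower() for s in PurePosixPath(filename.strip()).suffixes]
    final_ext = suffixes[-1] if suffixes else ""
    decoy_ext = suffixes[-2] if len(suffixes) >= 2 else ""

    if final_ext in EXECUTABLE_EXTS and decoy_ext in DOCUMENT_EXTS:
        reason = "double_extension_decoy"      # e.g. report.pdf.msi
        suspicious = True
    elif final_ext in EXECUTABLE_EXTS:
        reason = "executable_attachment"       # e.g. setup.exe, still worth flagging in chat
        suspicious = True
    else:
        reason = "ok"
        suspicious = False

    return {
        "filename": filename,
        "final_ext": final_ext,
        "decoy_ext": decoy_ext if suspicious else "",
        "suspicious": suspicious,
        "reason": reason,
    }


def suspicious_attachments(filenames):
    """Filter a batch of attachment names down to the ones a responder should look at."""
    return [c for c in (classify_attachment(f) for f in filenames) if c["suspicious"]]


if __name__ == "__main__":
    # Constructed sample batch: one lure matching the pattern in the article, two benign files
    sample = [
        "Navigating Future Changes October 2023.pdf.msi",
        "Q4 board deck.pptx",
        "invoice_2023.11.pdf",
    ]
    for hit in suspicious_attachments(sample):
        print(f"{hit['reason']}: {hit['filename']} (looks like {hit['decoy_ext']}, is {hit['final_ext']})")
```

The decoy check deliberately keys on the penultimate suffix only; a version number such as `invoice_2023.11.pdf` yields suffixes `.11` and `.pdf`, and a plain `.pdf` ending is never flagged.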

Online ransomware decryptor helps recover partially encrypted files
Source: Bleeping Computer
CyberArk has developed an online version of the “White Phoenix” ransomware decryptor to assist victims of ransomware strains that use intermittent encryption. Intermittent encryption is a technique some ransomware operations employ to accelerate the encryption process by encrypting only parts of each file. White Phoenix recovers partially encrypted files by taking advantage of the gaps this leaves, focusing on the unencrypted portions of the files. While the online version has been launched to help non-tech-savvy victims, anyone dealing with sensitive information should download and run the program locally.
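Any recovery of a partially encrypted file starts with the same step: find which stretches of the file the ransomware left untouched. Encrypted bytes are close to uniformly random, so per-block Shannon entropy separates them from ordinary document content. The Python below is an added example for this digest and is not White Phoenix's own code; the 4096-byte block size, the 7.0-bit threshold and the constructed sample file (text with every third block overwritten by seeded random bytes) are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte; 8.0 is perfectly random, English text is roughly 4-5."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def scan_blocks(data: bytes, block_size: int = 4096, threshold: float = 7.0):
    """Return (offset, length, entropy, looks_encrypted) for every block of the file."""
    results = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        h = shannon_entropy(block)
        results.append((off, len(block), round(h, 3), h >= threshold))
    return results


def plaintext_ranges(scan):
    """Merge adjacent unencrypted blocks into (start, end) byte ranges worth carving out."""
    ranges = []
    for off, length, _h, encrypted in scan:
        if encrypted:
            continue
        if ranges and ranges[-1][1] == off:          # extend the previous run
            ranges[-1] = (ranges[-1][0], off + length)
        else:
            ranges.append((off, off + length))
    return ranges


def build_sample(seed: int = 1, block_size: int = 4096, n_blocks: int = 8, encrypt_every: int = 3) -> bytes:
    """Constructed victim file: repetitive text, with every `encrypt_every`-th block
    replaced by seeded pseudo-random bytes to imitate intermittent encryption."""
    rng = random.Random(seed)
    text = (b"Quarterly figures: revenue up, costs flat. " * 100)[:block_size]
    blocks = []
    for i in range(n_blocks):
        blocks.append(rng.randbytes(block_size) if i % encrypt_every == 0 else text)
    return b"".join(blocks)


if __name__ == "__main__":
    sample = build_sample()
    scan = scan_blocks(sample)
    for off, length, h, enc in scan:
        print(f"offset {off:6d}  entropy {h:5.3f}  {'ENCRYPTED' if enc else 'plaintext'}")
    print("recoverable ranges:", plaintext_ranges(scan))
```

On real files the threshold needs care: compressed formats such as DOCX or JPEG are already high-entropy, which is why tools like the one in the article work from knowledge of the file format rather than entropy alone.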

ChatGPT Violated European Privacy Laws, Italy Tells Chatbot Maker OpenAI
Source: Security Week
Garante, the Italian data protection office, has told OpenAI that its ChatGPT artificial intelligence chatbot allegedly breaches the EU’s General Data Protection Regulation (GDPR). The probe began last year when Garante temporarily banned ChatGPT in Italy due to concerns about user privacy and a lack of age verification. OpenAI has thirty days to reply to the charges. This event demonstrates the rising regulatory scrutiny of generative AI systems and their adherence to data protection standards.

US charges two more suspects with DraftKings account hacks
Source: Bleeping Computer
The United States Department of Justice has arrested and charged two more defendants in connection with the November 2022 credential stuffing attack that compromised almost 68,000 DraftKings accounts. Nathan Austad (aka Snoopy) and Joseph Garrison, along with a third defendant previously indicted, are accused of using credentials stolen in other breaches to access DraftKings accounts. They allegedly sold access to the hacked accounts, stealing approximately $635,000 from over 1,600 compromised accounts. The defendants developed a method for buyers to withdraw money from the stolen accounts, which involved adding a new payment method, making a $5 deposit to prove its legitimacy, and withdrawing the existing funds to a separate financial account under their control.

Alpha Ransomware Group Launches Data Leak Site on the Dark Web
Source: Infosecurity Magazine
A new ransomware group named Alpha has emerged, launching its Dedicated/Data Leak Site (DLS) on the Dark Web, featuring data from six victims. Despite its recent appearance, Alpha ransomware has been observed since May 2023. The ransomware appends a random 8-character alphanumeric extension to encrypted files and has shown an iterative process in refining ransom notes to victims. The DLS, titled “MYDATA,” is considered unstable, a likely indication that the group is still setting up operations. Victims span various sectors and locations, including the UK, the US, and Israel. Ransom demands lack consistency, suggesting a potential mix of talent and experience operating behind the scenes.

VULNERABILITIES TO WATCH


Chinese Hackers Exploiting VPN Flaws to Deploy KrustyLoader Malware
Source: The Hacker News
Chinese threat actor UTA0178, also known as UNC5221, has been exploiting zero-day vulnerabilities in Ivanti Connect Secure (ICS) virtual private network (VPN) devices to deploy the Rust-based KrustyLoader malware. The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, enable unauthenticated remote code execution on vulnerable appliances. The flaws have been used as zero-days since December 3, 2023, and are part of a broader campaign targeting organizations.

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros
Source: The Hacker News
A new security vulnerability, identified as CVE-2023-6246, has been discovered in the GNU C library (glibc), allowing malicious local attackers to acquire full root access on Linux devices. The flaw is a heap-based buffer overflow in the __vsyslog_internal() function used for system logging. It was accidentally introduced in glibc 2.37 in August 2022 and affects popular Linux distributions, including Debian, Ubuntu, and Fedora. Attackers could trigger the vulnerability by sending specially crafted input to applications that use the syslog() and vsyslog() functions.

SPECIAL REPORTS


Best Methods for Storing, Protecting Digital Company Files: Secure Strategies for Data Safety
Source: Hackread
Businesses generate massive volumes of data, so protecting and efficiently managing digital files is critical. Adopting safe data storage procedures is essential to maintaining confidentiality and preventing data leaks. This comprehensive guide covers secure file storage strategies: selecting the right storage solutions, implementing strong access controls, using encryption, optimizing file organization, safeguarding against data loss and theft, and ensuring legal compliance and record-keeping.

The Ransomware Threat in 2024 is Growing: Report
Source: Security Week
Ransomware threats are on the rise in 2024, with criminals adapting and evolving their tactics, as revealed in a survey report by Delinea. Based on responses from over 300 US IT and security decision-makers, the report highlights an increase in ransomware attacks and the persistence of extortion as a primary criminal strategy. The success of ransomware attacks is evidenced by a rise in the number of victims paying the ransom, reaching 76%. The survey also indicates a potential influence of cyber insurance on victims’ decisions to pay, with insurance acting as a financial safety net. The shifting motivations behind ransomware attacks include a growing focus on data exfiltration, supply chain attacks, creating chaos, and geopolitical or activist-driven motives.