Cyber Briefing - 2023.11.20
👉 What's happening in cybersecurity today?
LummaC2, Gamaredon, LitterDrifter, 8BASE, Phobos Ransomware, Google Ad, Malicious PyPI, Kronos Research , Lockbit, Illinois Casino, Glendale Community College , Canada, FCC, SIM-Swapping, Microsoft , OpenAI , Third-Party Cookies, Royal Mail
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
🚨 Cyber Alerts
LummaC2, a notorious stealer malware, adopts a sophisticated anti-sandbox technique based on trigonometry, detecting human mouse activity to delay its detonation, making it harder to analyze and extract additional payloads. The malware, available in underground forums since December 2022, now requires customers to use a crypter for added concealment. LummaC2's trigonometry-based evasion showcases the constant evolution of malware techniques, posing increased threats to organizations and individuals in the cyber landscape.
In its latest cyber operations, Russian state-sponsored hacking group Gamaredon, affiliated with the FSB, has employed a USB-propagating worm named LitterDrifter to target Ukrainian entities. This sophisticated worm not only spreads via USB drives but also communicates with the threat actor's command-and-control servers, showcasing Gamaredon's evolving tactics. Known for large-scale campaigns followed by espionage-focused data collection, Gamaredon's LitterDrifter appears designed for a widespread collection operation, utilizing innovative techniques to reach a broad range of targets in the region.
Researchers from Cisco Talos observed the 8Base ransomware group leveraging a Phobos ransomware variant in recent attacks. This variant, embedded within SmokeLoader payloads, targeted small to medium-sized businesses, exhibiting features such as file encryption below a specific threshold, network scanning capabilities, and persistence methods, along with sophisticated encryption techniques that hinder brute-force decryption efforts. The analysis found similarities in the code between 8Base samples and previous Phobos variants, signaling a potential shared code base and operational characteristics in their malicious activities.
Threat actors are utilizing manipulated search results and deceptive Google ads to ensnare users seeking to download legitimate software like WinSCP, tricking them into installing malware instead. Cybersecurity company Securonix, tracking this ongoing activity as SEO#LURKER, notes that the attackers leverage Google's Dynamic Search Ads to serve malicious ads, redirecting victims to an infected site.
A covert threat actor has unleashed 27 malicious packages on the Python Package Index (P y P I) over six months, disguising them as popular Python libraries. These packages, including pyefflorer and pywool, attracted thousands of downloads globally, with a focus on the U.S., China, and Europe. Employing steganography to conceal a malicious payload within an innocuous image file, the attack utilized setup.py scripts and VBScript to achieve persistence.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog by adding three vulnerabilities with evidence of active exploitation. Among them, CVE-2023-1671 stands out as a critical pre-auth command injection flaw, potentially allowing arbitrary code execution, while CVE-2023-36584 has been linked to spear-phishing attacks by the pro-Russian APT group Storm-0978. Federal agencies are urged to apply fixes by December 7, 2023, to safeguard their networks.
Quantitative trading firm Kronos Research faced a substantial blow as a hacker made off with $25 million after gaining access to compromised API keys. The breach prompted Kronos to halt its trading services, revealing that the unauthorized entity had successfully executed transactions totaling 12,800 ETH. While investigations are underway to track down the culprit, Kronos remains optimistic, stating that the potential losses are not a significant portion of its equity, and the goal is to resume trading as soon as possible.
Recommended by LinkedIn
The notorious Russian hacking group responsible for disrupting Royal Mail earlier this year has now claimed responsibility for a cyberattack on Sabena Engineering, a Belgian aerospace company involved in supplying fighter jets to Ukraine. Lockbit, known for its previous attacks on major entities like Boeing and Industrial and Commercial Bank of China, has threatened to leak sensitive data from Sabena Engineering unless a ransom in cryptocurrency is paid. The aerospace company, engaged in delivering F-16 fighter jets to Ukraine as part of a NATO deal, faces the looming threat of data exposure by Lockbit, highlighting the potential geopolitical implications of cybercrime.
Rivers Casino, Illinois' largest, faces a major cybersecurity breach as hackers gain unauthorized access to sensitive personal information, including Social Security numbers and driver's license details. Although the casino discovered the breach on November 2, the incident occurred around August 12. While the casino claims there's no indication of fraud yet, the exposed data poses a potential threat, affecting both employees and gamblers.
On November 10, 2023, Glendale Community College was thrust into a cybersecurity crisis as a ransomware attack compelled the institution to take multiple Information Technology Systems offline. The college swiftly initiated an investigation, implementing measures to secure its information systems while apologizing for the inconvenience and expressing gratitude for the community's patience and support during the restoration process.
The Canadian government issued a warning to current and former public service workers, RCMP, and military personnel following a data breach linked to Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services. The breach, occurring on October 19th, potentially compromises personal and financial data of employees dating back to 1999, prompting officials to address the situation despite difficulties in identifying specific impacted individuals. The government is actively working to mitigate the breach's impact and protect those affected by this extensive data exposure.
📢 Cyber News
The U.S. Federal Communications Commission (FCC) is rolling out robust regulations to safeguard consumers against SIM-swapping attacks and port-out fraud schemes that compromise personal information. These rules aim to thwart scammers covertly swapping SIM cards or transferring phone numbers to new carriers without physical access. The regulations mandate wireless providers to implement secure customer authentication methods and ensure immediate customer notifications for any SIM changes or port-out requests.
OpenAI's co-founders, Sam Altman and Greg Brockman, are set to lead an advanced AI research team at Microsoft, marking a strategic move after their departure from OpenAI. Microsoft's CEO, Satya Nadella, expressed enthusiasm about the collaboration, highlighting the company's history of providing founders with the space to build innovative cultures. Meanwhile, OpenAI's decision not to reinstate Altman and Brockman has led to a wave of resignations within the organization, signaling potential challenges ahead for the AI research institute.
Google plans to gradually eliminate third-party cookies as part of its Privacy Sandbox initiative, starting with a 1% user testing period in early 2024 and a broader phase-out in Q3 2024. Third-party cookies, commonly used for online advertising, track user behavior across websites, raising privacy concerns. Google aims to reduce user tracking while maintaining essential online services, introducing temporary solutions and user controls during the testing phase.
Royal Mail, the British postal service, discloses a multimillion-pound expenditure to address the aftermath of a severe ransomware attack earlier this year, causing significant disruptions in international mail services. Despite refusing to pay the demanded $80 million ransom, the company faces operational costs, including £10 million allocated for remediation and systems resilience improvement.
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on: