Cyber Briefing: 2023.07.19
👉 What’s trending in cybersecurity today? Citrix Vulnerability, FIN8’s New Backdoor, Google Bad.Build, APT 41, WyrmSpy, DragonEgg, New Android Spywares, SophosEncrypt, Elderly Scams, Phoenician Medical Center, Fortescue Metals, Clop, VirusTotal, FIA, White House, Cyber Trust Mark, Germany, Pro-Russia Bot Farm.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
🚨 Cyber Alerts
1. Google’s Cloud Build Vulnerability Fix
Google has addressed a vulnerability in its Cloud Build service known as “Bad.Build,” which allowed hackers to tamper with application images and potentially infect users. While the fix was released in June, researchers recently published a detailed breakdown of the flaw, comparing it to notable supply chain attacks like SolarWinds and 3CX. The vulnerability centered around default service accounts’ permissions in the Cloud Build service, enabling attackers to impersonate these accounts and manipulate builds, injecting malicious code that could lead to various consequences, including Denial-of-Service attacks, data theft, and malware distribution. Although Google implemented a fix, security experts recommend organizations take additional measures to protect against supply chain risks.
2. APT41 Unleashes Advanced Android Spyware
The infamous APT41, a China-linked nation-state actor, has been identified as the source of two new strains of Android spyware, known as WyrmSpy and DragonEgg. These sophisticated mobile malware strains were detected by Lookout, raising concerns about the targeting of high-value corporate and personal data on mobile endpoints. APT41 has a history of targeting a wide range of industries for intellectual property theft, and its latest attacks have leveraged the Google Command and Control (GC2) red teaming tool for campaigns aimed at media and job platforms in Taiwan and Italy. Both WyrmSpy and DragonEgg pose serious threats, with intrusive permissions, data collection, exfiltration capabilities, and sophisticated evasion techniques.
3. Critical Citrix Vulnerabilities and Patches
Citrix is urgently warning its customers about a critical-severity vulnerability, CVE-2023–3519, found in NetScaler ADC and NetScaler Gateway. Hackers have already been exploiting the flaw, enabling them to execute remote code without authentication. The company strongly advises users to install the updated versions immediately to prevent further attacks. Additionally, Citrix has released fixes for two other high-severity vulnerabilities, CVE-2023–3466 and CVE-2023–3467, addressing reflected cross-site scripting (XSS) and privilege escalation issues. Organizations using NetScaler ADC and Gateway appliances are urged to prioritize updating to safeguard their systems.
4. FIN8 Cybercrime Group: Ransomware Shift
The FIN8 cybercrime group is shifting its focus towards ransomware attacks, utilizing an updated version of the Sardonic backdoor. Symantec’s Threat Hunter Team discovered the group deploying this new variant before delivering ransomware known as Black Cat or AlphV. While the backdoor has been revamped to evade detection and avoid similarities with previously disclosed details, FIN8’s evolution highlights its determination to maximize profits through its cyberattacks.
5. SophosEncrypt Impersonates Sophos
A new ransomware-as-a-service named SophosEncrypt is using cybersecurity vendor Sophos’ name for its operation, posing a significant threat to victims. Initially believed to be part of a red team exercise by Sophos, it was later clarified by the company that they did not create the encryptor and are investigating the situation. The ransomware encryptor, written in Rust, demands a token from the affiliate associated with the victim, and when a valid token is entered, it proceeds to encrypt files using AES256-CBC encryption with PKCS#7 padding, creating ransom notes in affected folders. SophosEncrypt also has the capability to change the Windows desktop wallpaper to display the ‘Sophos’ brand it impersonates.
6. Surge in Tech Support Scams Targeting Elderly
The FBI warns of a concerning increase in tech support scams specifically targeting older adults across the US. Scammers are departing from conventional tactics and instructing victims to send cash concealed within magazines or similar items through shipping firms. They pose as legitimate company representatives, gain remote access to victims’ computers, deposit large sums of money into their accounts, and request the excess cash to be sent back via shipping companies.
💥 Cyber Incidents
7. Google’s VirusTotal Leak: Defense Data Exposed
Google’s VirusTotal, a malware scanning platform, accidentally exposed the names and email addresses of hundreds of individuals working for defense and intelligence agencies worldwide. The leaked list includes personnel affiliated with U.S. Cyber Command, the National Security Agency, the Pentagon, the FBI, and various U.S. military service branches. Additionally, the leak affects ministries and organizations in Germany, Japan, the United Arab Emirates, France, and other countries. The primary concern is the potential for phishing attempts targeting these leaked emails. Google has acknowledged the incident and is reviewing its internal processes and technical controls to prevent future breaches.
8. Data Breach: FIA World Endurance Championship
Researchers discover over 1.1 million files, including passports and government-issued IDs, publicly exposed in misconfigured Google Cloud Storage buckets. The leaked data belonged to elite racers participating in the prestigious FIA World Endurance Championship (FIA WEC), featuring renowned car brands and the iconic 24 hours at Le Mans race. While the exposed datasets have been secured, the incident raises concerns regarding the unauthorized disclosure of personal data and potential GDPR violations.
9. Fortescue Cyber Attack: Cl0p Claims
Australian iron ore miner Fortescue Metals faced a cyber-attack, and the Russian ransomware group Cl0p took responsibility, including the theft of data. Fortescue described the incident as a “low-impact cyber incident” that occurred on May 28, with a small portion of non-confidential data disclosed from their networks. The company notified the Australian Cyber Security Centre, and their internal investigation and remediation actions have been completed. Cl0p, known for its financial motivation in cyber-attacks, claims to have no political agenda and has reported over 100 companies as victims of its ransomware activities. Fortescue Metals, the fourth-largest iron ore exporter globally, has a chance to negotiate with the group over any potential ransom demand as no documents or data have been leaked yet.
10. Healthcare Data Breaches: PMC and PHMC
Phoenician Medical Center, Inc. and Public Health Management Corporation have recently reported security incidents impacting their IT systems, potentially compromising sensitive patient information. Phoenician Medical Center detected unauthorized access to protected health data, affecting up to 162,500 patients, while Public Health Management Corporation discovered suspicious activity that may have exposed information of at least 501 individuals. Both organizations are conducting forensic investigations and taking measures to enhance their security protocols to prevent future breaches.
📢 Cyber News
11. White House Launches Device Security Labeling
The White House and FCC are set to launch a new cybersecurity labeling initiative, the U.S. Cyber Trust Mark, in 2024, with major retailers like Amazon, Best Buy, Google, Logitech, and Samsung participating. Manufacturers who commit to meeting NIST’s cybersecurity criteria, covering default passwords, data protection, software updates, and incident detection, will earn the trust mark for their products, allowing consumers to make informed choices on secure devices, such as smart refrigerators, microwaves, TVs, and fitness trackers.
12. Ukraine Cyber Police Bust Pro-Russia Bot Farm
Ukraine’s Cyber Police have dismantled a significant bot farm involved in spreading pro-Russia disinformation about the war in Ukraine on social media. The farm, comprising over 100 individuals from different locations across Ukraine, operated with around 150,000 SIM cards to create fake accounts on various platforms. These bots were used to carry out information and psychological operations, justifying the actions of Russian soldiers and distributing illegal content. The police also accused the administrators of internet fraud, including the illegal sharing of personal data and spreading fake security threats. During the investigation, law enforcement conducted 21 searches and seized computer equipment, mobile phones, and SIM cards, exposing Russia’s attempts to manipulate public opinion during the war.
13. Germany’s Cyber Chief and European Rules
Claudia Plattner, the newly appointed president of Germany’s Federal Office for Information Security (BSI), plans to intensify and focus the agency’s efforts on using the levers of the European Union to enhance cybersecurity in Germany and across the continent. She believes that cross-border cooperation is crucial, likening it to water flowing freely across a lake. With her background as a trained mathematician and former director general for information systems at the European Central Bank, Plattner aims to leverage the BSI’s role in shaping European rules to drive cybersecurity improvements and foster strong partnerships while maintaining the agency’s political independence.
14. Misdirected US Military Emails: Typo Chaos
Millions of emails intended for .mil US military addresses have been mistakenly directed to .ml addresses, belonging to Mali’s top-level domain, due to a one-character typo. This decade-long issue has resulted in sensitive information, including medical data and travel itineraries, being sent to the wrong destinations. Johannes Zuurbier, who manages Mali’s top-level domain, discovered the problem and collected around 117,000 missives in 2023, revealing a potential risk of adversaries exploiting this situation to their advantage.
15. Nigerian Cybercriminal Sentenced to Prison
Olalekan Jacob Ponle, also known as Mark Kain and Mr Woodbery, a Nigerian national residing in the United Arab Emirates, has been sentenced to over eight years in a US prison for orchestrating an $8 million cybercrime scheme. Ponle was involved in a business email compromise (BEC) operation that spanned nine months in 2019, using phishing attacks to gain access to email accounts and then sending fraudulent emails instructing victims to wire money to their controlled bank accounts. He will also be required to pay restitution of over $8 million to victims and forfeit luxury cars and watches obtained through the cybercrime proceeds.
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium
