Cyber Briefing: 2023.07.31

CyberMaterial
7 min read · Jul 31, 2023


👉 What’s happening in cybersecurity today? CherryBlos, FakeTrade, Android Malware, IcedID Malware, BackConnect Module, North Korea APT37, STARK#MULE, BlueBravo APT29, Linux Ransomware Gangs, VMware’s ESXi, CoinsPaid, Lazarus Group, Cyber Avengers, Israel, Hawaiʻi Community College, UK Ministry of Defence, Mali, Dark Patterns, Apple API Control, U.S. Cyber Force, Twitter’s Rebranding.

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.

🚨 Cyber Alerts

1. Android Malware Stealing Cryptocurrency

Researchers have identified two malware campaigns, CherryBlos and FakeTrade, that target Android users for cryptocurrency theft and financial scams. The operators distribute the malware through fake Android apps on Google Play, social media platforms and phishing sites. CherryBlos can read wallet recovery (mnemonic) phrases out of images stored on a compromised device, which is why a screenshot of a seed phrase is enough to lose the wallet. The campaigns have global reach, with targets in Malaysia, Vietnam, the Philippines, Indonesia, Uganda and Mexico, and the operators use evasion and persistence techniques to stay resident on infected devices.

2. IcedID Malware Updates

The IcedID malware loader, also known as BokBot, has received updates to its BackConnect (BC) module, which handles post-compromise activity on infected systems; the module now listens on a different TCP port, which makes its traffic easier to miss in network monitoring tuned to the old one. Team Cymru reported that the number of BC command-and-control servers rose from 11 to 34 since January 2023, while average server uptime fell sharply from 28 days to eight days. The firm also found evidence of IcedID victims being used as proxies in spamming operations through BC’s SOCKS capability, which compounds the damage and data loss suffered by the compromised organizations.

3. North Korean APT37 Cyber Attack Campaign

In an ongoing campaign tracked as STARK#MULE, Korean-speaking individuals are being targeted with U.S. military-themed document lures designed to trick them into executing malware on their systems. Securonix, which is tracking the activity, notes that the attacks resemble past campaigns by North Korean groups such as APT37, with South Korea historically a primary target. The attackers have also begun using compromised Korean e-commerce websites to stage payloads and host command-and-control (C2) infrastructure, so the malicious traffic goes to legitimate-looking domains that security tools are less likely to block.

4. Insecure Direct Object Reference Risks

The Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the U.S. National Security Agency (NSA) issued a joint advisory on the risks of insecure direct object reference (IDOR) vulnerabilities in web applications. An IDOR arises when an application exposes a direct reference to an internal object, such as a database key or a file name, and acts on a request for that object without checking that the requester is authorized for it; an attacker who changes the identifier in a URL or request body can then read or modify other users’ data. The advisory covers the impact across web application deployment models and urges vendors, developers and organizations to adopt secure coding practices, conduct regular testing, and follow secure-by-design principles so that IDOR flaws do not reach production. It follows several data breaches in which IDOR exploitation exposed sensitive information belonging to millions of users and consumers.
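The following is an added example, not code from the advisory. It puts the vulnerable lookup next to the hardened one: the in-memory "database", the user names alice and bob, and the invoice ids are constructed for illustration, and the two handlers stand in for the server side of a route such as GET /invoices/<id> so the block runs without a web framework.

```python
"""IDOR: the vulnerable lookup beside the hardened one (added example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    body: str


# Constructed sample data. Sequential ids make every other record guessable,
# which is exactly what an IDOR lets an attacker exploit.
INVOICES = {
    1001: Invoice(1001, "alice", "alice's invoice"),
    1002: Invoice(1002, "bob", "bob's invoice"),
    1003: Invoice(1003, "bob", "bob's second invoice"),
}


class Forbidden(Exception):
    """Raised by the hardened handler for both missing and foreign objects."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """Authenticated but not authorized: the id from the URL is used as-is,
    so any logged-in user can read any invoice. session_user is ignored."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise LookupError("not found") from None


def get_invoice_secure(session_user: str, invoice_id: int) -> Invoice:
    """Hardened: load the object, then check ownership against the identity
    the server holds for the session, never against anything the client sent."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        # One response for "does not exist" and "not yours", so the endpoint
        # cannot be used as an oracle for which ids exist.
        raise Forbidden("not found")
    return invoice


def enumerate_ids(handler, session_user: str, id_range) -> list[int]:
    """What an attacker does: walk the id space with their own valid session
    and collect every record that belongs to someone else."""
    leaked = []
    for candidate in id_range:
        try:
            invoice = handler(session_user, candidate)
        except (Forbidden, LookupError):
            continue
        if invoice.owner != session_user:
            leaked.append(invoice.invoice_id)
    return leaked


class ReferenceMap:
    """Defence in depth: hand the client opaque per-session tokens instead of
    raw ids. This hides the id space but does not replace the ownership
    check above; a leaked token still has to pass the authorization step."""

    def __init__(self) -> None:
        self._tokens: dict[str, int] = {}

    def issue(self, invoice_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._tokens[token] = invoice_id
        return token

    def resolve(self, token: str) -> int:
        return self._tokens[token]  # KeyError for unknown or forged tokens


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable handler leaks:", enumerate_ids(get_invoice_vulnerable, "alice", ids))
    print("secure handler leaks:   ", enumerate_ids(get_invoice_secure, "alice", ids))
```

Run as a script, the vulnerable handler lets alice's session collect bob's invoices 1002 and 1003, while the hardened handler leaks nothing. The point the advisory makes is the second function's ownership check; the opaque token map is only a complement to it, since random identifiers merely slow down enumeration and do nothing once a token leaks.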

5. BlueBravo’s GraphicalProton Backdoor

A threat group tracked by Recorded Future as BlueBravo, whose activity overlaps with what other vendors call APT29 and Midnight Blizzard, has intensified its efforts to hide command-and-control traffic inside legitimate internet services. Its GraphicalProton backdoor communicates through services such as Notion, Microsoft OneDrive and Dropbox, so C2 traffic looks like ordinary use of those platforms and is harder to single out. The group focuses on cyber-espionage against European government entities, with a particular interest in diplomatic and foreign policy institutions involved in the Russia-Ukraine conflict.

6. Linux Ransomware Targets VMware ESXi

The spread of virtual machines in the enterprise has attracted ransomware gangs, who now build Linux encryptors aimed specifically at VMware’s ESXi hypervisor. Because a single ESXi host runs many virtual machines, encrypting its datastores takes down many workloads at once, which is why the platform has become a prime target for operations including Abyss Locker, Akira, Royal, Black Basta and LockBit. These actors breach corporate networks, steal data, encrypt the hosts, and then use the stolen data for double extortion, pressuring victims to pay in order to avoid a leak.

💥 Cyber Incidents

7. CoinsPaid Breach: $37M in Cryptocurrency Taken

Crypto-payment service provider CoinsPaid suffered a cyber attack in which $37.2 million worth of cryptocurrency was stolen; the company attributes the attack to the North Korea-linked Lazarus Group, which has hit numerous crypto platforms before. Client funds were not affected, but the attack disrupted the availability of CoinsPaid’s platform and its revenue. The company is investigating the breach, hardening its systems, and receiving support from blockchain security firms and crypto exchanges to contain the incident.

8. 572GB of Student and Faculty Records Leaked

Cybersecurity researcher Jeremiah Fowler discovered an unprotected database belonging to the Southern Association of Independent Schools, Inc. that exposed 682,438 records related to educational institutions, including student and teacher records, financial data and security reports. The exposed data, spanning 2012 to 2023, amounted to 572.8 GB of sensitive information that could enable identity theft, financial fraud and physical security risks. Schools and accreditation bodies need robust access controls on such databases to prevent these exposures and to comply with data protection laws such as FERPA and COPPA.

9. Cyber Avengers Target BAZAN Group

Israel’s major oil refinery operator, BAZAN Group, had its corporate websites rendered inaccessible worldwide in a suspected DDoS attack. An Iranian hacktivist group calling itself Cyber Avengers claimed responsibility and also leaked what it said were screenshots of BAZAN’s SCADA systems. The company downplayed the impact and dismissed the leaked material as fabricated, but the incident highlights the escalating risk that cyber adversaries pose to critical industries.

10. Hawaiʻi College Pays Ransom to NoEscape Gang

Hawaiʻi Community College, part of the University of Hawaiʻi system with over 50,000 students, disclosed that it paid a ransom to prevent the leakage of personal data belonging to approximately 28,000 individuals after falling victim to a ransomware attack by the NoEscape gang. The cybercriminals threatened to publish 65 GB of stolen data if their demand was not met, prompting the college to take action to safeguard sensitive information.

11. Mali Receives Misrouted Emails

The UK’s Ministry of Defence (MoD) is investigating a typing error that caused emails intended for the US military to be sent to Mali instead. The US military uses the .mil top-level domain, while .ml is the country-code domain for Mali, so dropping the letter “i” from “.mil” delivers a message to a Malian address; Mali is known for its ties with Russia. The incident involved fewer than 20 emails, some of them sensitive, and the MoD clarified that none of them was classified as top secret. Even so, it highlights the importance of cyber training and of reinforcing positive security behaviours, and it is the kind of mistake an outbound-mail control that catches near-miss recipient domains can stop before a message leaves the organization.
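As an added example (not MoD tooling), here is a small outbound-mail guard that flags a recipient whose domain suffix is one edit away from a trusted suffix, which is exactly the “.mil” typed as “.ml” case: the message can then be held for confirmation instead of being sent. The trusted suffix list and the sample addresses are constructed for illustration; none is a real mailbox.

```python
"""Outbound-mail guard for near-miss recipient domains (added example)."""
from __future__ import annotations


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row-by-row DP."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                  # delete ca
                               current[j - 1] + 1,               # insert cb
                               previous[j - 1] + (ca != cb)))    # substitute
        previous = current
    return previous[-1]


def check_recipient(address: str, trusted_suffixes) -> str | None:
    """Return the trusted suffix the recipient's domain looks like a typo of,
    or None when the address is either trusted or clearly unrelated.

    Only the trailing labels that line up with each trusted suffix are
    compared, so "army.ml" is judged against "mil" and "unit.mod.ul"
    against "mod.uk".
    """
    domain = address.rpartition("@")[2].strip().lower().rstrip(".")
    suffixes = [s.lower().strip(".") for s in trusted_suffixes]
    # Exact suffix matches, including subdomains, are fine.
    if any(domain == s or domain.endswith("." + s) for s in suffixes):
        return None
    labels = domain.split(".")
    for suffix in suffixes:
        tail = ".".join(labels[-len(suffix.split(".")):])
        if levenshtein(tail, suffix) == 1:
            return suffix
    return None


def triage(recipients, trusted_suffixes) -> dict[str, str]:
    """Map each flagged recipient to the suffix it was probably meant to be."""
    flagged = {}
    for rcpt in recipients:
        hit = check_recipient(rcpt, trusted_suffixes)
        if hit is not None:
            flagged[rcpt] = hit
    return flagged


if __name__ == "__main__":
    # Constructed sample recipients for the demo; trusted suffixes are assumed.
    sample = [
        "j.smith@army.ml",          # one letter missing from .mil
        "j.smith@army.mil",         # correct
        "a.jones@mail.navy.mil",    # subdomain of a trusted suffix
        "desk@unit.mod.ul",         # one letter off from mod.uk
        "vendor@example.com",       # unrelated, not flagged
    ]
    print(triage(sample, ["mil", "mod.uk"]))
```

The guard deliberately flags a genuine Malian .ml recipient as well; for a mail gateway in front of a trusted-domain allowlist that is the right trade-off, because a human confirming a rare legitimate send is cheaper than twenty messages going to the wrong country. Distance-one matching also covers transposed or substituted letters, not just the dropped “i” in the MoD case.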

📱 Cyber News

12. Senate Targets Dark Patterns

To protect online consumers, Sen. Mark Warner and colleagues reintroduced a bipartisan bill targeting “dark patterns”, deceptive user interfaces that platforms use to trick users into giving up personal data. The DETOUR Act would bar platforms from intentionally impairing users’ autonomy and decision-making through manipulative designs that nudge them toward choices they would not otherwise make. The bill proposes independent review boards to supervise platforms’ privacy practices and specifically prohibits designs intended to drive compulsive use among children and teens under 17.

13. Apple Enhances App Privacy

Apple will require developers to declare why their apps use certain APIs, starting later this year with iOS 17, iPadOS 17, macOS Sonoma, tvOS 17 and watchOS 10. The policy targets APIs that can be abused for device fingerprinting and covert data collection, and is meant to ensure apps use them only for their stated purpose. Enforcement begins in fall 2023 and also applies to visionOS: developers must declare an approved reason for each of these “required reason APIs” in the app’s privacy manifest, and from spring 2024 apps that omit the declaration will be rejected.

14. Cyber Force Proposal Gains Momentum

In a significant step towards establishing a U.S. Cyber Force, the Senate passed the $886 billion National Defense Authorization Act with an 86–11 vote. The bill includes an amendment from Sen. Kirsten Gillibrand (D-NY) that directs the Defense Department to assess the possibility of a separate Armed Force dedicated to cyber operations. The move comes as existing military branches face challenges in providing trained personnel for Cyber Command, prompting policymakers to consider a dedicated Cyber Force to address evolving threats in the cyber domain.

15. Microsoft Edge Warns Twitter ‘X’ Rebrand

Microsoft’s Edge browser has been showing security warnings since Twitter changed its name to ‘X’. As part of the rushed rebrand of the last few days, Twitter (now X) also dropped the famous bird icon in favour of a Unicode character that resembles the letter X but is in fact a mathematical symbol. Edge flags this as a potential security issue, and that is the browser working as intended: a feature dubbed ‘Progressive Web App Icon change’ warns users when an installed web app changes its icon or name, because such a change can be a sign that one app is impersonating another. If your browser raises an alarm after Twitter’s rebrand, don’t panic.

Subscribe and Comment.

Copyright © 2023 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.
