Cyber Briefing: 2023.08.01

CyberMaterial
Aug 1, 2023

👉 What’s the latest in the cyber world today? Minecraft, Fruity Trojan, Canon, Ivanti, WikiLoader, Italy, APT31, Call of Duty, Activision, Karakurt, University of Guelph, Meta, Biden, Russia

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

🚨 Cyber Alerts

1. BleedingPipe: Minecraft Vulnerability

A severe security threat has emerged in the Minecraft community as hackers actively exploit the ‘BleedingPipe’ remote code execution vulnerability found in numerous Minecraft mods. The flaw stems from incorrect use of deserialization through Java’s ‘ObjectInputStream’ class: attackers can send manipulated network packets to vulnerable Minecraft mod servers, enabling them to seize control of these servers and, in turn, compromise devices used by players connecting to the servers. The vulnerability, impacting various mods running on 1.7.10/1.12.2 Forge, allows attackers to install malware on players’ devices, posing a significant risk to the gaming community. To safeguard against this threat, the Minecraft security community (MMPA) has recommended downloading the latest mod releases from official channels and migrating to secure forks if necessary, as well as deploying the ‘PipeBlocker’ mod to protect servers and clients from malicious ‘ObjectInputStream’ network traffic. Server administrators and players are also urged to scan for suspicious files and malware to detect potential compromises and mitigate the impact of the BleedingPipe vulnerability.
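The defensive idea behind filtering ‘ObjectInputStream’ traffic can be shown with an allow-list check on every class descriptor before the class is loaded. This is an added example, not PipeBlocker's code or any mod's own; the class names, the allow-list contents and the sample payloads are constructed for illustration.

```java
import java.io.*;
import java.util.*;

public class AllowListDemo {
    // Constructed allow-list for a hypothetical mod packet: only these classes may be deserialized.
    // java.lang.Number is listed because Integer's superclass descriptor is also resolved.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.lang.Integer", "java.lang.Number", "java.lang.String"));

    /** ObjectInputStream that checks each class descriptor before the class is loaded. */
    static class AllowListInputStream extends ObjectInputStream {
        AllowListInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    /** Helper that builds a sample payload (stands in for bytes received from the network). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    /** Returns the object, or null if the payload names a class outside the allow-list. */
    static Object readPacket(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readPacket(serialize(42)));                      // type the protocol expects
        System.out.println(readPacket(serialize(new ArrayList<String>()))); // type it does not expect
    }
}
```

The rejection happens in `resolveClass`, before any instance of the unexpected class is created. Dynamic proxy descriptors are resolved through `resolveProxyClass`, which this sketch leaves at its default.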

2. Fake Websites Host Stealthy Fruity Trojan

Cyber threat actors have adopted a cunning approach, creating counterfeit websites hosting trojanized software installers to ensnare unsuspecting users into downloading the dangerous downloader malware, Fruity. The ultimate goal is to install remote trojan tools like Remcos RAT, allowing attackers to gain unauthorized access to compromised systems. The deceptive installers act as decoys, luring victims with seemingly legitimate software that conceals the Fruity trojan and its components. Employing various infection vectors, such as phishing, drive-by downloads, and malicious ads, the attackers prompt users to download a ZIP installer package, which initiates a multi-stage infection process, bypassing antivirus detection and activating the Remcos RAT payload via process doppelgänging. Given the potential for distributing other forms of malware through this technique, it is crucial for users to exclusively download software from trusted sources to safeguard against such malicious campaigns.

3. Canon Printer Security Alert

Canon has issued a warning to users of its home, office, and large format inkjet printers, revealing that Wi-Fi connection settings stored in the devices’ memories are not properly wiped during initialization. This oversight presents a significant security and privacy risk, as the exposed data could be accessed by repair technicians, temporary users, or future buyers of the devices, giving unauthorized parties access to your Wi-Fi network details. Depending on the printer model and configuration, the stored information may include the network SSID, password, network type, IP address, MAC address, and network profile, potentially aiding malicious third parties in gaining unauthorized network access, stealing data, and launching privacy-invading attacks. Canon has identified 196 impacted printer models and recommends users wipe their Wi-Fi settings before granting third-party access to the printer, and apply firmware updates while disabling unnecessary services like cloud printing or remote management interfaces to enhance security.

4. Ivanti Endpoint Manager Mobile Vulnerability

CISA has recently updated its Known Exploited Vulnerabilities Catalog, flagging a new and alarming risk: the CVE-2023-35081 Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability, which has been actively exploited. Such vulnerabilities serve as common targets for malicious cyber actors, presenting a substantial threat to federal enterprises. While Binding Operational Directive (BOD) 22-01 mandates Federal Civilian Executive Branch (FCEB) agencies to address identified vulnerabilities, CISA strongly advises all organizations to promptly remediate catalog vulnerabilities, even if the directive doesn’t apply to them, as part of a robust vulnerability management practice.

5. Italian Organizations Targeted by WikiLoader

Researchers uncover a malware campaign that has been specifically targeting Italian organizations, including the tax agency, employing a malware downloader known as WikiLoader. The downloader, attributed to the financially motivated threat actor TA544, demonstrates cunning evasion techniques to avoid detection while delivering the notorious Ursnif banking Trojan. The threat landscape remains challenging as these threat actors continuously modify their tactics, signifying a potential shift towards more widespread ransomware attacks, warns Selena Larson, senior threat intelligence analyst at Proofpoint.

6. China-Linked APT31 Strikes Europe

A nation-state actor with suspected links to China, APT31, has been identified as responsible for a series of attacks against industrial organizations in Eastern Europe last year. Cybersecurity firm Kaspersky attributes the intrusions to APT31, also known as Bronze Vinewood, Judgement Panda, and Violet Typhoon, citing shared tactics across the attacks. The hacking crew used over 15 distinct implants in three categories to gain persistent remote access, extract sensitive data from air-gapped systems, and transmit the stolen information to infrastructure controlled by the threat actor. The attackers leveraged sophisticated modular malware, cloud services like Dropbox and Yandex, and encrypted payloads to obfuscate their actions, highlighting the complexity and uniqueness of their tactics.

💥 Cyber Incidents

7. Pentagon Investigates Comms Breach

The Pentagon is investigating a suspected significant breach of Defense Department communications by an Air Force engineer, according to a search warrant recently obtained by Forbes. The engineer, who worked at the Arnold Air Force Base in Tennessee, is alleged to have stolen government radio technologies valued at nearly $90,000 for personal use. The warrant also disclosed evidence indicating potential compromises of FBI communications, making this a crucial and complex security breach that demands immediate attention and further investigation.

8. Call of Duty Servers Halted Over Worm Virus

Activision, the publisher of Call of Duty: Modern Warfare II, has taken the game’s servers offline due to a self-propagating worm infecting PC players. Unusual behavior was noticed by players shortly after the game’s return, sparking discussions on the Steam discussion page about a self-spreading worm virus affecting the PC version of the game. The severity of the issue prompted Activision to investigate, leading to the game being taken down temporarily. Meanwhile, researchers are analyzing the malware and investigating why hackers are distributing it, while the problem escalates with thousands of account bans for cheating and hacking in the game.

9. Health Center Hacked by Karakurt Group

The McAlester Regional Health Center in Oklahoma is facing a distressing situation as the notorious ransom group, Karakurt, claims to have stolen a staggering 126GB of data from the facility, including sensitive DNA patient records, which they intend to auction off to the highest bidder. The group, known for their aggressive tactics and double extortion practices, is threatening to publish samples of the stolen information before the auction on August 1st. Such genetic data theft could lead to nefarious activities like blackmail, fake paternity results, and discrimination based on medical conditions, affecting employment prospects, insurance premiums, and social stigma.

10. Guelph University Data Breach

Students at the University of Guelph are being notified about a data breach that affected the health, dental, and wellness benefits provider, Gallivan. The breach, discovered on March 10, 2023, involved personal information such as student ID, name, and date of birth. While the incident impacted over 100 organizations globally, Gallivan has assured students that limited personal information was compromised and is offering credit monitoring and identity theft protection to affected individuals. The university clarified that the data breach did not involve its systems but rather a third-party security company used for secure file transfer, and they are supporting Gallivan in notifying impacted students.

📢 Cyber News

11. Biden’s Cyber Workforce Strategy

The Biden administration has taken a significant step in addressing the pressing issue of cyber workforce shortages with the release of a comprehensive national strategy. With over 400,000 unmet cybersecurity job demands in 2022, the administration considers this workforce gap a matter of national security urgency. The strategy, a result of a year’s worth of effort and collaboration, aims to cultivate a more diverse and agile cyber workforce while emphasizing lifelong learning and broader accessibility to cyber education. It also involves partnership with various stakeholders, including federal agencies, private sector entities, and educators, to shape a more secure digital future for America.

12. Ukraine Busts Money Laundering Network

Ukrainian authorities have successfully disrupted an illegal money laundering network operating across the country, utilizing sanctioned Russian payment systems and cryptocurrency exchanges to convert Russian rubles into Ukrainian hryvnia. The “black money exchanges” network processed over $4 million monthly, with its primary clients including hackers and suspicious businesses conducting transactions within Russia. Following raids on currency exchange centers in various cities, approximately $1.6 million in cash and computer equipment were seized by the Ukrainian Security Intelligence Service, sending a strong message against illicit financial activities.

13. EU Sanctions Russian Disinformation Network

The European Union has taken a strong stance against Russia’s information war on Ukraine by imposing sanctions on a Kremlin-controlled disinformation network known as Recent Reliable News (RRN). This network, set up right after Russia’s invasion of Ukraine in February 2022, aimed to undermine Western support for Ukraine by running fake accounts on social media and posing as EU government agencies and local media to spread propaganda about the war. The EU sanctions target seven Russian individuals and five entities involved in the operation, including the InfoRos news agency and the Institute of the Russian Diaspora. The move follows similar actions taken by the U.S., U.K., Canada, and Australia, and reflects the EU’s determination to prevent and respond effectively to threats of foreign information manipulation and interference.

14. Google Warns Inactive Accounts

Google has sent out a stern warning to its customers, notifying them that it will commence the deletion of inactive accounts on December 1st, 2023. The company’s new rule will apply to accounts that have not been used or logged into within a two-year period. To avoid account deletion, Google urges users to keep their accounts active by logging in at least once every two years, engaging in various activities like reading or sending emails, using Google Drive, downloading apps from the Play Store, or watching YouTube while logged on. The policy comes as part of Google’s efforts to protect users’ private information and prevent unauthorized access, especially for accounts that may have been compromised due to inactivity, with potential misuse by threat actors.

15. Meta’s Subsidiaries Fined $14M in Australia

Meta, formerly Facebook, faces fresh legal challenges as two of its subsidiaries are ordered to pay $14 million for undisclosed data collection practices. The Australian case, which has been ongoing for over two years, centers around the now-defunct Virtual Private Network (VPN) app Onavo, which was acquired in 2013. Users were misled into believing their data would only be used to provide Onavo Protect’s services, but it was found that data was sent to Facebook, leading to privacy concerns and legal action. Despite these fines, some critics argue that social networks may see such penalties as merely a cost of doing business, raising questions about the long-term impact on their practices.

Copyright © 2023 CyberMaterial. All Rights Reserved.