===== OUR SPONSOR ===================
Real-Time Hands-On Self-Service POV’s of Cybersecurity products
Kim Crawley, https://www.linkedin.com/in/kimcrawley/ … CROWGIRL … “Mistress of the Dark Web”
Craig Ellrod, https://www.linkedin.com/in/craigellrod/
HACKERverse TOP 20 News for Jan 2023 – brought to you by KiKrr – Self Service POV’s for Cybersecurity
Hacker Files – Top 20 – Feb 2023
1. SOC Prime
New Phishing Attack Detection Attributed to the UAC-0050 and UAC-0096 Groups Spreading Remcos Spyware
On February 21, 2023, CERT-UA researchers issued a new alert warning cyber defenders of another phishing attack spreading Remcos spyware. The ongoing fraudulent email campaign follows the behavioral patterns observed in earlier February attacks. Threat actors disguise the sender as the Pechersk District Court of Kyiv and use a lure RAR file to trick targeted users into opening it. The infection chain is triggered by extracting the archive, which contains a TXT file and another password-protected RAR file. The latter, in turn, contains the malicious executable lure file with a fraudulent digital signature disguised as a legitimate one. Launching that EXE file ends up dropping Remcos spyware on the compromised system.
After gaining access to the targeted system and successfully spreading infection, threat actors proceed with data exfiltration and can exploit the compromised computer for network reconnaissance and further attacks on the organization’s infrastructure.
Security practitioners can also streamline their threat hunting by searching for relevant indicators of compromise, leveraging the new version of the Uncoder.IO tool that helps convert IoCs into curated hunting queries ready to run in a chosen SIEM or XDR environment.
2. More vulnerabilities in industrial systems raise fresh concerns about critical infrastructure hacks
Researchers have revealed details about flaws in industrial systems that could give hackers access to the most sensitive networks.
In just the past few weeks, researchers revealed flaws that in some cases could let hackers bypass security systems or give them remote access to equipment that runs manufacturing facilities and energy companies.
That increased attention means that both researchers trying to defend critical systems — along with malicious hackers looking to infiltrate them — are more focused than ever on industrial systems.
We’re seeing capabilities out there that could have destructive capabilities, safety impacts: think Triton and Trisis, and think Pipedream.
In fact, cybersecurity firm SynSaber pointed out that the number of industrial control systems vulnerability advisories released by the Cybersecurity and Infrastructure Security Agency has jumped from 550 in 2020 to 1342 in 2022, a 144% increase in just two years.
3. Frontline PBS
A global spyware scandal – spyware sold by an Israeli company called the NSO Group
Governments are using it to spy on journalists around the globe.
Unprovable, but it is being released to harmful government regimes.
Royal Family members
Understand this… “The device in your pocket is spying on you.”
4. John Oliver HBO
Artificial Intelligence – a creepy comedy spoof
But, this is timely as the ChatGPT and OpenAI platform was down Monday morning for several hours.
Schneier followed up with a blog stating that ChatGPT is swallowing Corporate Secrets – Internal Company Data.
This is because you work inside of a corporate firewall, but you take sensitive data and plug it into the public ChatGPT site, and voilà. They own you now.
The question becomes: how do you stop copy and paste from internal to external, private to public interfaces?
5. SOC Prime
ProxyShellMiner
Hackers are exploiting Microsoft Exchange using the ProxyShell vulnerabilities to deploy crypto miners.
Possible ProxyShellMiner Campaign Exploiting CVE-2021-34473 and CVE-2021-34523 [ProxyShell] Vulnerabilities by Detecting Associated Files (via file_event).
Computerworld also covered some zero-day CVEs for Microsoft Exchange.
Microsoft’s February Patch Tuesday update deals with 76 vulnerabilities that affect Windows, Exchange, Office, and Microsoft development tools — and three Windows vulnerabilities (CVE-2023-21823, CVE-2023-21715 and CVE-2023-23376) have been reported as exploited in the wild and require immediate attention.
There is a Sigma rule that can be automatically translated into 20 SIEM, EDR, and XDR solutions shaving seconds off cross-platform threat detection.
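As an added example (not Uncoder.IO, SOC Prime's rule, or any code from the page), the following Python turns a short list of file-name IoCs into a Sigma-style rule, runs it over constructed file_event records, and then renders the same rule for two SIEM query dialects, which is the IoC-to-hunting-query and Sigma-translation workflow described in items 1 and 5. The file names are constructed placeholders, not real ProxyShellMiner indicators, and the field names (Sysmon's TargetFilename, Defender's FolderPath in DeviceFileEvents) are assumptions about those schemas.

```python
"""Added example: IoCs -> Sigma-style rule -> evaluation and SIEM translation.
Not Uncoder.IO or SOC Prime code; file names and field names are assumptions."""
from __future__ import annotations

# Constructed placeholder IoCs (not real indicators from the campaign).
FILE_NAME_IOCS = ["placeholder_miner.exe", "placeholder_loader.dll"]

# Constructed file_event records in a Sysmon-like shape (also placeholders).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\w3wp.exe",
     "TargetFilename": r"C:\Windows\Temp\placeholder_miner.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\ProgramData\PLACEHOLDER_LOADER.DLL"},
]


def build_sigma_rule(title: str, file_names: list[str]) -> dict:
    """Build a Sigma-style rule: file_event where the written path ends with an IoC name.
    The leading backslash keeps 'miner.exe' from also matching 'notminer.exe'."""
    return {
        "title": title,
        "logsource": {"category": "file_event", "product": "windows"},
        "detection": {
            "selection": {"TargetFilename|endswith": ["\\" + n for n in file_names]},
            "condition": "selection",
        },
        "level": "high",
    }


def matches(rule: dict, event: dict) -> bool:
    """Evaluate the rule's selection against one event. Matching is case-insensitive,
    as Sigma string matching is by default; only the endswith modifier is supported."""
    for key, values in rule["detection"]["selection"].items():
        field, _, modifier = key.partition("|")
        if modifier != "endswith":
            raise ValueError(f"unsupported modifier: {modifier!r}")
        actual = str(event.get(field, "")).lower()
        if not any(actual.endswith(v.lower()) for v in values):
            return False
    return True


def hunt(rule: dict, events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if matches(rule, e)]


def _escape(value: str) -> str:
    """Escape for a double-quoted literal in the target query language."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def to_splunk(rule: dict) -> str:
    """Render as a Splunk-style search; Sysmon field names are kept as-is (assumed)."""
    parts = []
    for key, values in rule["detection"]["selection"].items():
        field = key.split("|", 1)[0]
        parts.append(" OR ".join(f'{field}="*{_escape(v)}"' for v in values))
    return "(" + ") AND (".join(parts) + ")"


FIELD_MAP_KQL = {"TargetFilename": "FolderPath"}  # assumed Defender field name


def to_kql(rule: dict) -> str:
    """Render as a KQL query over the (assumed) DeviceFileEvents table."""
    parts = []
    for key, values in rule["detection"]["selection"].items():
        sigma_field = key.split("|", 1)[0]
        field = FIELD_MAP_KQL.get(sigma_field, sigma_field)
        parts.append(" or ".join(f'{field} endswith "{_escape(v)}"' for v in values))
    return "DeviceFileEvents | where " + " and ".join(f"({p})" for p in parts)


if __name__ == "__main__":
    rule = build_sigma_rule("Possible miner file artifacts (placeholder IoCs)", FILE_NAME_IOCS)
    print(hunt(rule, SAMPLE_EVENTS))
    print(to_splunk(rule))
    print(to_kql(rule))
```

The rule is evaluated once in Python so you can confirm it fires on the constructed events before trusting the translated queries; the two renderers differ only in field mapping and operator syntax, which is the part a translation tool has to get right per backend.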
6. Bleeping Computer
The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the service’s long operational history.
First: Who uses Internet Exploder anyways?
*** Read up on the report in the link above.
RIG EK’s sordid history
RIG EK was first released eight years ago, in 2014, and promoted as an “exploit-as-a-service” rented to other malware operators to spread their malware on vulnerable devices.
When a user visits these sites, the malicious scripts will be executed and attempt to exploit various vulnerabilities in the browser to install malware on the device automatically.
In 2015, the kit’s authors released the second major version of the kit, laying the ground for more extensive and successful operations.
In 2017 though, RIG suffered a significant blow following a coordinated takedown action that wiped out large parts of its infrastructure, severely disrupting its operations.
In 2019, RIG returned, this time focusing on ransomware distribution, helping Sodinokibi (REvil), Nemty, and ERIS ransomware compromise organizations with data-encrypting payloads.
In 2021, RIG’s owner announced the service would shut down; however, RIG 2.0 returned in 2022 with two new exploits (CVE-2020-0674 and CVE-2021-26411 in Internet Explorer), reaching an all-time high successful breach ratio.
In April 2022, Bitdefender reported that RIG was being used to drop the Redline information-stealer malware onto victims.
While many of the exploits targeted by RIG EK are for Internet Explorer, which Microsoft Edge has long replaced, the browser is still used by millions of Enterprise devices, which are a primary target.
Prodaft says RIG EK currently targets 207 countries, launching an average of 2,000 attacks per day and having a current success rate of 30%. This rate was 22% before the exploit kit resurfaced with two new exploits, says Prodaft.
7. Banning TikTok – and free internet and freedom of speech?
70% of young people use TikTok.
Congress is thinking of banning anyone in the US from using the app.
Brings up issues of constitutional rights.
If we want to get serious about protecting national security, we have to get serious about data privacy.
But Free speech always wins.
Ok, but the EU also announced on Feb 23 that it will ban the social media app, for the same reasons the US wants to ban it.
So the question is, do the US and UK governments know something we don’t know?
There is some on-the-record justification for the ban: In early November, TikTok acknowledged that certain employees based in China had access to user data from the app’s European users.
8. Schneier – Flipper Zero?
A hacker used his Flipper Zero to mimic the traffic light transmitters to turn the lights green in the path he was travelling.
Pretty funny and ingenious.
Could have easily been done with an Arduino.
9. Schneier again
Cropped images still contain the data to build the full image. So be careful with cropped images: you could still be leaking sensitive data.
Images can be uncropped using the metadata.
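One concrete way a cropped file keeps the original is when the editor writes the new image and leaves the old bytes behind it. The Python below is an added example (not from Schneier's post) that walks a PNG's chunk list, reports how many bytes sit after the IEND chunk, and returns a copy truncated at the real end of the image, which is the check to run before sharing a cropped screenshot. It only covers trailing data, not other mechanisms such as embedded thumbnails; the sample files are constructed in code, not real screenshots.

```python
"""Added example: detect and strip data trailing a PNG's IEND chunk.
Not code from the page; the sample PNGs are constructed below."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.
    Raises ValueError if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length field, type, payload, CRC
        if pos > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Number of bytes after the image proper; anything above 0 deserves a look."""
    return len(data) - png_end_offset(data)


def strip_trailing(data: bytes) -> bytes:
    """Return only the bytes a PNG decoder will actually render."""
    return data[:png_end_offset(data)]


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Constructed minimal 8-bit grayscale PNG of the given size (all black)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


# Constructed samples: a clean 2x2 crop, and a 'leaky' file where the crop is
# followed by the bytes of a larger 8x8 original.
CLEAN_CROP = make_png(2, 2)
LEAKY_CROP = CLEAN_CROP + make_png(8, 8)

if __name__ == "__main__":
    print("clean crop trailing bytes:", trailing_bytes(CLEAN_CROP))
    print("leaky crop trailing bytes:", trailing_bytes(LEAKY_CROP))
    print("stripped equals clean:", strip_trailing(LEAKY_CROP) == CLEAN_CROP)
```

Viewers stop at IEND, so the leaky file looks identical to the clean one on screen; only a byte-level check like this reveals the difference.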
10. Mac crypto-mining malware XMRig spreads through Final Cut Pro, Photoshop and Logic Pro X.
Identified by Jamf Threat Labs.
What is XMRig?
XMRig has the following characteristics:
Rather than Tor, it uses the Invisible Internet Project (I2P) communications protocol to communicate, download malware, and send mined currency to the attacker’s wallet.
The attack has managed to evade detection on VirusTotal, even though the malware family has been detected.
The attack also attempts to trick users who have downloaded a malware-infested app into completely disabling Apple’s Gatekeeper protection to make the application run.
Jamf Threat Labs managed to trace three generations of this particular malware, which first appeared around August 2019.
11. Ok, so there is a “Trans Atlantic Data Policy Framework” being proposed to the EU by the United States.
The EU committee rejected the proposal stating the proposal doesn’t fully comply with the EU’s GDPR.
In short, the committee said that US domestic law is simply incompatible with the GDPR framework, and that no agreement should be reached until those laws are more in alignment.
12. OpenSSL released some vulnerability patches
Feb 7th, 2023 – OpenSSL Vulnerability Overview:
OpenSSL released vulnerability patches for two freely supported open-source release trains (3.0 and 1.1.1x). It also patched the paid-subscription release train, version 1.0.2.
13. Cybersecurity News
There is a new stealer called WhiteSnake – yup just like the rock band.
It runs on Windows and Linux and can steal passwords, cookies, credit card numbers and debit card numbers, take screenshots, and gather personal and financial data.
It is malware as a service, costing around $120/month, and is delivered as a PDF that contains an executable BAT file (a typical delivery method).
14. Cybersecurity News
A Russian national was charged with smuggling devices from the United States to Russia that are used in counterintelligence operations.
47-year-old Ilya Balakaev faces up to 75 years in prison.
15. Cybersecurity News
This is useful.
You remember the LastPass and Symantec password manager breaches. There are alternatives.
Okta (Owns Auth0)
15. Dark Reading
The war between Russia and Ukraine is having some odd effects on the Cybercrime world.
Many Ukrainian cybercriminals have also fled the country because they don’t want to be conscripted into the Russian cybercrime gangs.
They are migrating to neighboring countries like Georgia.
Now, with the war, Russian cybercriminals and Ukrainian cybercriminals are attacking each other, when in the past the groups used to work together.
Strange twist of fate.
In fact, our researchers have noticed many popular dark web marketplaces have been down lately, meaning that the cybercrime underworld is shifting, not going away: it is shifting to other countries and other locations. More to be seen.
16. Dark Reading
87% of container images in production have critical or high severity vulnerabilities
Based on findings from Sysdig.
17. Dark Reading
Yet another crypto scam.
Forsage Founders indicted in a $340 MM DeFi Crypto Scheme
According to court documents, Vladimir Okhotnikov, aka Lado; Olena Oblamska, aka Lola Ferrari; Mikhail Sergeev, aka Mike Mooney, aka Gleb, aka Gleb Million; and Sergey Maslakov, all Russian nationals, allegedly touted Forsage as a decentralized matrix project based on network marketing and “smart contracts,” which are self-executing contracts on the blockchain.
They scammed $340MM from investors.
IT WAS A CRYPTO PONZI SCHEME:
According to court documents, the defendants allegedly coded and deployed smart contracts that systematized their combined Ponzi-pyramid scheme on the Ethereum (ETH), Binance Smart Chain, and Tron blockchains. Analysis of the computer code underlying Forsage’s smart contracts allegedly revealed that, consistent with a Ponzi scheme, as soon as an investor invested in Forsage by purchasing a “slot” in a Forsage smart contract, the smart contract automatically diverted the investor’s funds to other Forsage investors, such that earlier investors were paid with funds from later investors.
18. Stanford University was breached; attackers got hold of private information from Economics Ph.D. applicants, 897 people in all.
Misconfigured folder settings. (Oopsie)
19. Infosecurity Magazine
Your kids use Steam and Nintendo; do they visit websites for those games using Chrome?
Then you might have been attacked.
Attackers are distributing ChromeLoader Malware via those sites.
20. Infosecurity Magazine
Great – now attackers are using Discord links to distribute malware.
An unknown threat actor is targeting APAC and North American governments with info-stealing malware and ransomware, according to Menlo Security.
The group’s attacks begin with a phishing email containing a malicious Discord link, which points to a password-protected zip file. That in turn contains a .NET malware downloader known as PureCrypter.
For all of you Discord users, and we know there are a lot of them in cybersecurity, be on the lookout for malicious Discord links in emails.
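To make "be on the lookout" something a mail filter can do, here is an added example (not Menlo Security's analysis or code from this page) that extracts the links from constructed email bodies and flags any that point at an archive hosted on a Discord domain, the delivery pattern described above. The Discord host list and archive extension list are assumptions chosen for the example; suffix matching on the hostname is deliberate so that a look-alike domain such as discord.com.evil.example is not mistaken for Discord's CDN.

```python
"""Added example: flag Discord-hosted archive links in email bodies.
Not code from the page; host and extension lists are assumptions."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
DISCORD_HOSTS = ("discord.com", "discordapp.com", "discord.gg")  # assumed watch list
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".iso", ".img")             # assumed list


def _host_matches(host: str, suffixes) -> bool:
    """True if host is one of the suffixes or a subdomain of one (not a look-alike)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def extract_urls(text: str) -> List[str]:
    """Pull http(s) URLs out of free text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;") for u in URL_RE.findall(text)]


def classify_url(url: str) -> Optional[str]:
    """Return a reason string if the URL is suspicious, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    is_archive = parsed.path.lower().endswith(ARCHIVE_EXTS)
    if is_archive and _host_matches(host, DISCORD_HOSTS):
        return "archive hosted on Discord"
    if is_archive:
        return "archive download link"
    return None


def triage_email(body: str) -> List[Tuple[str, str]]:
    """Return (url, reason) for every flagged link in one email body."""
    findings = []
    for url in extract_urls(body):
        reason = classify_url(url)
        if reason:
            findings.append((url, reason))
    return findings


# Constructed email bodies (not real messages); the first mimics the pattern.
SAMPLE_EMAILS = [
    "Please review the attached invoice: https://cdn.discordapp.com/attachments/111/222/invoice.zip.",
    "Minutes from today's meeting are at https://example.com/minutes.pdf",
]

if __name__ == "__main__":
    for body in SAMPLE_EMAILS:
        print(triage_email(body))
```

The second reason string exists because an archive link on any host is still worth a closer look; in practice you would route "archive hosted on Discord" to a higher-priority queue than a generic archive download.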