Cyber Briefing - 2023.05.09


The latest in cybersecurity: Phishing, Dragon Breath, Intel, MSI, Cactus Ransomware, QR Code Scams, NextGen, Western Digital, Fullerton, India, MFA Fatigue, DDoS.

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.




🚨 Cyber Alerts


1. Ukraine's CERT warns of SmokeLoader phishing

Ukraine's CERT-UA warns of an ongoing phishing campaign spreading the SmokeLoader malware through polyglot files. The threat actors send emails with the subject "bill/payment" carrying a ZIP archive attachment; the JavaScript inside uses PowerShell to download and run an executable that launches the malware. The campaign is attributed to the financially motivated threat actor UAC-0006, which has been active since at least 2013.


2. Dragon Breath APT group's new DLL sideloading

Security researchers discovered that the APT group Dragon Breath has developed a new DLL sideloading technique that adds complexity and extra layers to classic DLL sideloading. Dragon Breath has been active since 2020, targeting the online-gambling industry and its customers, particularly Chinese-speaking Windows users. The malware is distributed via Telegram, and most victims are located in China, the Philippines, Japan, Taiwan, Singapore, and Hong Kong.


3. Leaked Intel Boot Guard Keys Impact Devices

Intel is investigating a leak of alleged private keys used by the Intel Boot Guard security feature. The leak could undermine the feature's ability to block installation of malicious UEFI firmware on MSI devices. The Money Message ransomware group attacked MSI in March and claimed to have stolen 1.5TB of data during the attack.


4. Cactus ransomware targets VPNs for big payouts

Cactus ransomware is a new threat that exploits vulnerabilities in VPN appliances to gain access to the networks of large commercial entities. The operators' modus operandi matches most ransomware attacks, combining data theft with encryption, but with a distinctive twist to avoid detection: Cactus encrypts its own binary, making it harder to detect and helping it evade antivirus and network monitoring tools. It also uses a modified variant of the open-source PSnmap tool, a PowerShell equivalent of the nmap network scanner. The threat actor aims for large payouts from its victims, and although the operators steal data, they have not yet set up a leak site like other ransomware operations engaged in double extortion.


5. Pakistan-Linked SideCopy targets Indian entities

The suspected Pakistan-aligned threat actor, SideCopy, has been spotted using India's Defence Research and Development Organization (DRDO) as a decoy to deploy malware capable of collecting sensitive information. Fortinet FortiGuard Labs has revealed the ongoing phishing campaign in a new report. The hacking group, believed to have ties to Pakistan's government, has been active since 2019 and has previously been linked to another Pakistani hacking group called Transparent Tribe.



💥 Cyber Incidents


6. Kabarak University's Facebook hacked

Kabarak University has been the latest target of cyber criminals who hijacked the university’s Facebook account to spread malicious and misleading content that contradicts the institution’s Christian values. The university has announced that all necessary measures have been taken to regain control of the page and prevent further unauthorized access. The university urges its followers and prospective students to disregard information posted by these criminals and to contact them directly through their official website or other verified channels.


7. QR code scams increase globally

A Singaporean woman lost $20,000 in a QR code scam after scanning a code on a bubble tea shop's glass door to fill out a "survey" for a "free cup of milk tea". Meanwhile, the use of fake car parking citations with QR codes has also been observed across the US and UK. Scammers are becoming more innovative, which is making it increasingly difficult to differentiate between legitimate and malicious QR codes.


8. NextGen Healthcare reports data breach

NextGen Healthcare has suffered a data breach that impacted over one million individuals. The breach occurred between March 29 and April 14, 2023, during which personal data such as names, addresses, birth dates, and Social Security numbers were accessed by an unauthorized party. The healthcare solutions provider claims that there is no evidence the attackers accessed health or medical records, and it reset passwords and informed law enforcement of the incident.


9. Western Digital Warns of Data Breach

Western Digital has sent data breach notification letters to its customers to inform them that their personal information was compromised in a ransomware attack that occurred in March 2022. According to the company's press release, an unauthorized third party gained access to several of its systems, including the online store database, which contained limited personal information of its online store customers. The stolen data included customer names, billing and shipping addresses, email addresses, and telephone numbers. Western Digital recommends that customers be cautious of any unsolicited communications that ask for their personal information or direct them to a web page requesting it.


10. Hong Kong healthcare group hit by cyberattack

The personal data and medical history of approximately 100,000 patients at a Hong Kong healthcare group may have been compromised following a cyberattack. The group, OT&P Healthcare, has eight clinics across Hong Kong, and both patient identity and medical records were held on the system. While financial data was not accessed, some patients' passport and identity card numbers were stored on the system. The Office of the Privacy Commissioner for Personal Data has been informed and is following up on the case.


11. LockBit 3.0 leaks Fullerton India data

The LockBit 3.0 ransomware group has leaked 600 gigabytes of critical data stolen from Indian lender Fullerton India, two weeks after the group demanded a $3 million ransom from the company. Fullerton India, which operates 699 branches across India that offer doorstep credit services to around 2.1 million customers, was listed as a victim on the data leak site of the ransomware group after refusing to engage with them. The group then initiated triple-extortion tactics to force the company to pay, which involved contacting Fullerton India's clients, business partners, vendors, and customers to make the breach public.



📢 Cyber News


12. Google Launches Open Source Bazel Plugin

Google has introduced a new Bazel plugin for building container images with improved security features. The open-source plugin, called rules_oci, replaces rules_docker and offers stronger supply chain trust by pinning dependencies with their integrity hashes. The plugin allows the use of trusted third-party toolchains, supports native signing of images, and provides users with a software bill of materials to verify the source of dependencies. It also natively supports OCI indexes, improves caching and fetching, and provides signed attestations for Distroless images.


13. Microsoft introduces number matching for MFA

Microsoft is enforcing number matching in its Authenticator push notifications to combat MFA fatigue attacks, in which targets are flooded with mobile push notifications requesting approval of login attempts. The change takes effect beginning May 8, 2023, and will be rolled out gradually.


14. Sheriff's Department pays $1.1M ransom

San Bernardino County Sheriff’s Department paid a $1.1M ransom to the ransomware gang that attacked its systems in early April. The attack forced the department to temporarily shut down some of its systems to prevent the threat from spreading. Despite the FBI's recommendation not to pay ransom, the department likely had no other way to recover the encrypted systems or avoid the disclosure of sensitive data.


15. US seizes 13 DDoS-for-hire domains

The US Justice Department has announced the seizure of 13 domains linked to DDoS-for-hire platforms, part of a coordinated international law enforcement effort to disrupt online services that let anyone launch large distributed denial-of-service (DDoS) attacks against any target for a fee. The seizure is part of an ongoing initiative targeting computer attack 'booter' services. The FBI also targeted top stresser services in December 2022, seizing another 48 domains, but ten of the previously disrupted platforms registered new domains and stayed online.



Copyright © 2023 CyberMaterial. All Rights Reserved.
