Cyber Briefing - 2023.08.30
👉 What's trending in cybersecurity today?
Phishing, AiTM, Microsoft , Android, Trojan, MMRat, Southeast Asia, VMware , Aria Networks, Citrix , FIN8, DarkGate Malware, Japan’s NISC, China, LOUIS GARNEAU SPORTS INT , University of Michigan , Jasper High School, Akira Ransomware, Qakbot Botnet, Federal Bureau of Investigation (FBI) , Gabon, Meta , NordVPN , OpenAI , ChatGPT-4.
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
🚨 Cyber Alerts
Microsoft has issued a warning about the escalating prevalence of adversary-in-the-middle (AiTM) phishing tactics, a key component of the phishing-as-a-service (PhaaS) model. As the cyber threat landscape evolves, AiTM-capable PhaaS platforms are on the rise, with established services like PerSwaysion now incorporating these advanced capabilities. Microsoft's Threat Intelligence team underscores the potential impact, as attackers utilize AiTM techniques to carry out large-scale phishing campaigns aimed at bypassing multi-factor authentication (MFA) safeguards.
Trend Micro Mobile Application Reputation Service researchers have identified a highly elusive Android banking trojan named MMRat that has been discreetly preying on Southeast Asian mobile users since late June 2023. Operating under the radar, MMRat employs a range of tactics including capturing screenshots, taking control of victim devices, and harvesting extensive personal and device data to execute its fraudulent operations. Disguised as official app stores, phishing websites serve as the malware's distribution channels, with MMRat notably avoiding detection on VirusTotal.
VMware takes swift action with crucial software updates aimed at fortifying Aria Operations for Networks against potential security breaches. The company's diligent response addresses two critical vulnerabilities that could open doors to unauthorized access and remote code execution. The most pressing concern, CVE-2023-34039, stems from an authentication bypass loophole, highlighting the need for unique cryptographic key generation. In parallel, CVE-2023-20890 raises alarm with its arbitrary file write vulnerability, allowing administrative adversaries to achieve remote code execution.
Sophos has identified a campaign involving a threat actor, believed to be associated with the notorious FIN8 hacking group, exploiting the CVE-2023-3519 remote code execution vulnerability to compromise vulnerable Citrix NetScaler systems. The actor's tactics involve payload injections, the use of BlueVPS for malware distribution, deployment of obfuscated PowerShell scripts, and the placement of PHP webshells on affected machines. This campaign exhibits resemblances to an earlier attack that Sophos analysts encountered, pointing to a specialization in ransomware operations by the threat actor.
A recently published report from the U.N. human rights office has brought attention to the pervasive issue of cybercrime scams in Southeast Asia, particularly targeting vulnerable workers who are coerced into participating in fraudulent online operations. These criminal gangs have ensnared hundreds of thousands of individuals across the region, exploiting them through false romantic tactics, deceptive investment schemes, and illegal gambling activities. The report highlights the severity of the situation, indicating that many victims are trapped in virtual slavery, subjected to various forms of abuse and mistreatment.
A recent surge in DarkGate malware activity has been attributed to the developer's decision to rent out the malware to a limited number of affiliates, according to a report by Telekom Security. The campaign employs malspam tactics and leverages hijacked email threads to deceive recipients into downloading the malware. DarkGate, available on underground forums and advertised by the actor RastaFarEye, boasts features such as evasion techniques, privilege escalation, data theft from web browsers, and cryptocurrency mining, making it a versatile tool for cybercriminals.
💥 Cyber Incidents
Chinese hackers successfully infiltrated Japan's National Center of Incident Readiness and Strategy for Cybersecurity, potentially gaining access to sensitive data stored on its networks for nearly nine months before detection. Although NISC has not publicly attributed the incident, sources suggest that state-backed Chinese hackers are likely behind the attack. This breach follows recent revelations of Chinese military hackers compromising Japan's defense networks in 2020, highlighting the growing cybersecurity challenges faced by Japan amid escalating geopolitical tensions in the Pacific.
Recommended by LinkedIn
Louis Garneau Sports, a Canadian sportswear brand, discovered an "unauthorized code" on their systems between June 8th and July 28th. This breach led to the theft of customer card information during the purchase process. The compromised data includes personal details like names, emails, addresses, as well as account numbers and credit or debit card information. While there's no immediate evidence of misuse, the company is taking precautionary measures by notifying affected customers and offering free credit monitoring services for a year. The breach affected around 2,966 individuals, according to the Office of the Maine Attorney General.
The University of Michigan has been forced to take its entire network offline in response to a significant cybersecurity incident, causing widespread disruptions to online services just on the eve of the new academic year. The university, renowned for its academic excellence, made the challenging decision to sever its ties with the internet to address the security concern thoroughly and cautiously. This abrupt network shutdown affected critical services like Google, Canvas, Wolverine Access, and email, impacting both the administrative and academic aspects of the institution.
In a concerning turn of events, the Akira ransomware group has set its sights on Jasper High School, underscoring the growing menace of cyber threats faced by educational institutions. The group's audacious claim of breaching the school's security highlights the severity of the situation. With over 60GB of sensitive data purportedly compromised, the incident raises concerns about the safety of confidential student and staff information. Despite the group's ominous warning of an impending data dump, details remain scant, leaving Jasper High School and its stakeholders anxiously awaiting an official response amidst this unsettling breach.
📢 Cyber News
The FBI, in collaboration with the Justice Department and international partners, has successfully dismantled the Qakbot malware and botnet. This operation, spanning across multiple countries including the U.S., France, Germany, and the UK, marks one of the largest-ever U.S.-led actions against a cybercriminal botnet. Qakbot, responsible for ransomware attacks and financial fraud, infected computers through malicious emails, later granting control to cybercriminals. The FBI's lawful access to the botnet's infrastructure and redirection of traffic to Bureau-controlled servers enabled the neutralization of this extensive criminal network, preventing further malware installations and safeguarding individuals and businesses globally.
Amidst national elections, Gabon is grappling with a prolonged internet shutdown, now in its third day. Officials initiated the blackout as a measure to control information dissemination during the election period. The central African country is in the midst of a crucial election with President Ali Bongo Ondimba seeking a third term and a former education minister, Albert Ondo Ossa, vying for leadership. Communication Minister Rodrigue Mboumba Bissawou announced the curfews and internet suspension to curb the spread of misinformation and potential violence. The blackout affects more than a dozen internet providers, and international news media also face restrictions, indicating a broader clampdown on information flow in the nation.
Meta has unveiled the dismantling of a significant covert influence operation involving thousands of fake accounts on Facebook. The operation, described as the "largest known cross-platform covert influence operation in the world," is believed to be associated with individuals connected to Chinese law enforcement. Despite its extensive scale, the operation's attempts to manipulate public opinion were of notably low quality and often failed to effectively target audiences in several countries. The operation, initially named "Spamouflage" and tracked since 2019, was discovered by analyzing separate clusters of fake posts and propaganda.
NordVPN introduces NordLabs, a pioneering platform that provides developers and engineers with the opportunity to delve into emerging technologies such as AI. Starting in September, registered users can begin testing NordLabs, which serves as a creative space for crafting new tools and services through the exploration of AI and other cutting-edge technologies. This initiative reflects NordVPN's commitment to advancing internet security while inviting tech enthusiasts beyond their own ranks to participate in driving innovation to the forefront of technology.
OpenAI has introduced its ChatGPT-4 enterprise platform tailored specifically for large businesses. With a tagline boasting "Get enterprise-grade security & privacy and the most powerful version of ChatGPT yet," the advanced AI model aims to enhance various aspects of corporate operations. Prominent companies like Block, Canva, PwC, and more have already embraced ChatGPT-4 for tasks ranging from clear communication to coding acceleration and creative assistance.
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on: