Cyber Briefing - 2023.12.14
👉 What's going on in the cyber world today?
Apache Struts Exploit, BazarCall, Phishing Emails
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.
🚨 Cyber Alerts
Hackers are actively exploiting a recently patched critical vulnerability (CVE-2023-50164) in Apache Struts, a widely-used open-source web application framework. The flaw, allowing remote code execution
BazarCall phishing attacks have evolved by leveraging Google Forms to send fake payment receipts, enhancing the appearance of legitimacy in phishing emails. The attackers create a Google Form with false transaction details, exploiting the service's legitimacy and email security tools to deceive recipients and potentially lead to malware installation or other malicious activities.
The Chinese state-sponsored APT group, Volt Typhoon, is in the spotlight for its sophisticated 'KV-botnet,' a tool employed since 2022 to target high-value entities via SOHO routers. The group focuses on routers, firewalls, and VPN devices to execute attacks that proxy malicious traffic, allowing them to blend with legitimate traffic for stealth. A joint report by Microsoft and the US government raises concerns about Volt Typhoon's infrastructure building, suggesting capabilities aimed at disrupting critical communications infrastructure between the United States and the Asia region during future crises.
A newly identified hacking group named GambleForce has been conducting SQL injection attacks
CISA, FBI, NSA, SKW, CERT.PL, and NCSC jointly issued a Cybersecurity Advisory warning that Russian SVR-affiliated actors have been exploiting a JetBrains TeamCity CVE since September 2023. The advisory details the compromise, lists indicators of compromise, and urges organizations to apply the recommended mitigations.
💥 Cyber Incidents
Pro-Ukraine group Twelve claims responsibility for breaching the systems of SKTB Biofizpribor, a Russian organization specializing in science and medical research. The announcement on a public forum criticizes the organization's security flaws and offers a disruptive "New Year's promotion" for others seeking assistance in disrupting their company's operations.
The district court of March, a German-speaking Swiss district of about 45,000 residents, has fallen victim to a cyberattack, possibly a ransomware incident. The court's IT system has been shut down to protect data, and the duration of the outage is uncertain. While phone lines are temporarily down, scheduled hearings are expected to proceed. This is another cybersecurity incident affecting Swiss government entities following a ransomware attack
The Meow ransomware group lists Memorial Sloan Kettering Cancer Center (MSKCC) as a victim on its dark web leak site, potentially exposing sensitive data of hundreds of thousands of patients and donors. The incident underscores the evolving threats to healthcare institutions and the need for stronger cybersecurity measures.
The notorious Knight ransomware group has targeted the City of Defiance in a cyberattack, announcing their intrusion with a chilling message on the dark web. Knight claims to have breached the city's internal network, gaining access to a substantial 390 gigabytes of sensitive data. The ominous countdown on the dark web adds to the gravity of the situation, intensifying concerns about the growing threat posed by ransomware groups employing double extortion tactics.
Tri-City Medical Center, hit by a November ransomware attack, faces ongoing extortion efforts as the cybercriminal group "INC RANSOM" posts stolen data on the dark web, including health records and financial information. Cybersecurity experts warn that such incidents are used to pressure organizations into paying ransoms and may involve threats of further data exposure or even direct contact with affected individuals for extortion purposes.
📢 Cyber News
Democrats in Pennsylvania have introduced Ashley, an AI-powered campaign chatbot, to engage with voters ahead of the 2024 elections. Developed by Civox, Ashley uses generative AI technology similar to OpenAI's ChatGPT, enabling personalized conversations with voters and sparking concerns about potential disinformation in political campaigning.
Microsoft's Digital Crimes Unit seized domains linked to Vietnam's Storm-1152 cybercrime group, which sold over 750 million fraudulent Outlook accounts. The group provided cybercrime-as-a-service, with its accounts used by various criminal groups involved in ransomware, data theft, and extortion, causing damages estimated in the hundreds of millions of dollars.
Google is hardening Android's cellular baseband with Clang sanitizers, including IntSan and BoundSan, which detect undefined behavior such as integer overflows and out-of-bounds array accesses at runtime. These compiler-based checks are enabled in security-critical code paths such as message parsing, format encoding/decoding, IMS, TCP/IP stacks, and messaging functions, despite their performance overhead.
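As an added example (not code from the newsletter or from Google's baseband), the following C shows the bug class those sanitizers target in a wire-format parser: an unchecked length byte used both as an array index and in an unsigned subtraction. The TLV layout, the `MAX_VALUE` limit and the sample bytes are all constructed for this illustration. The unchecked variant is what `-fsanitize=bounds` (BoundSan) and `-fsanitize=integer` (IntSan) would trap on; the checked variant validates every wire-derived quantity first, so the sanitizers have nothing to report.

```c
/* Added example: a constructed TLV parser, unchecked vs. checked.
 * Build with sanitizers enabled, e.g.
 *   clang -fsanitize=bounds,integer -fsanitize-undefined-trap-on-error tlv.c
 * Message format (constructed): [type:1][len:1][value:len]. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_VALUE 16   /* assumed fixed-size value buffer */

/* One decoded element: type byte plus a bounded copy of its value. */
struct tlv {
    uint8_t type;
    uint8_t len;
    uint8_t value[MAX_VALUE];
};

/* UNCHECKED: the wire-supplied `len` is trusted twice. As an index into
 * out->value it can write past the 16-byte array (BoundSan traps on the
 * out-of-bounds index); in `remaining -= len` it can wrap the unsigned
 * counter (IntSan traps on the wrap). Only call with well-formed input;
 * on hostile input this is undefined behavior. */
static int tlv_parse_unchecked(const uint8_t *msg, size_t msg_len, struct tlv *out)
{
    size_t remaining = msg_len;
    out->type = msg[0];
    out->len  = msg[1];
    remaining -= 2;                       /* wraps if msg_len < 2 */
    for (size_t i = 0; i < out->len; i++)
        out->value[i] = msg[2 + i];       /* value[16..] is out of bounds */
    remaining -= out->len;                /* wraps if len > remaining */
    return (int)remaining;
}

/* CHECKED: every quantity derived from the wire is validated before use.
 * Returns the number of bytes consumed, or -1 if the element is malformed. */
static int tlv_parse_checked(const uint8_t *msg, size_t msg_len, struct tlv *out)
{
    if (msg == NULL || out == NULL || msg_len < 2)
        return -1;                        /* header does not fit */
    uint8_t type = msg[0];
    uint8_t len  = msg[1];
    if (len > MAX_VALUE)
        return -1;                        /* would overflow out->value */
    if ((size_t)len > msg_len - 2)        /* msg_len >= 2, so no wrap here */
        return -1;                        /* would read past the message */
    out->type = type;
    out->len  = len;
    memcpy(out->value, msg + 2, len);
    return 2 + len;
}

/* Constructed samples: a well-formed element and one with a hostile length. */
static const uint8_t GOOD[] = { 0x01, 0x03, 'a', 'b', 'c' };
static const uint8_t EVIL[] = { 0x01, 0xFF, 'x' };   /* claims 255 bytes, carries 1 */

int main(void)
{
    struct tlv t;
    int n = tlv_parse_checked(GOOD, sizeof GOOD, &t);
    printf("good: consumed=%d type=%u len=%u\n", n, t.type, t.len);
    n = tlv_parse_checked(EVIL, sizeof EVIL, &t);
    printf("evil: rc=%d (rejected)\n", n);
    /* tlv_parse_unchecked(EVIL, sizeof EVIL, &t) would trap under BoundSan
     * at out->value[16] and under IntSan at the wrapping subtraction. */
    return 0;
}
```

The point of the contrast is that the sanitizer does not fix the parser; it turns silent memory corruption into a deterministic trap so the bug is found in testing or fails closed in the field, which is why the overhead is accepted in the parsing paths the article names.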
The LockBit ransomware operation is actively recruiting affiliates and developers from BlackCat/ALPHV and NoEscape following recent disruptions and exit scams by the latter groups. LockBitSupp, the manager of LockBit, is enticing affiliates with promises of utilizing his data leak site and negotiation panel for continuing extortion if they possess backups of stolen data from the distressed gangs.
The latest draft of the UN Cybercrime Treaty has drawn criticism from cybersecurity experts and human rights groups, who warn that it could criminalize security research and neglect human rights. The draft broadens its scope beyond clearly defined cybercrimes and raises concerns about surveillance powers, evidence collection, and human rights protections.
Subscribe and Comment.
Copyright © 2023 CyberMaterial. All Rights Reserved.