Cyber Briefing: 2024.11.05

👉 What's the latest in the cyber world today?

APT36, India, ElizaRAT Malware, Phishing, Backdoor, Linux Virtual Machines, Windows, Stealthy Access, APT37, South Korea, Google, Android Flaw, DocuSign, API, Fake Invoice, Impersonating Brands, Schneider Electric, Australia, ANU Enterprise, Ransomware, IT Systems, Online Casino, MetaWin, $4 Million Exploit, Japan, Hakubun Eikodo, MWI Veterinary Supply Co., CISA, FBI, Foreign Threats, US Elections, Bangladesh, Cyber Security Act, Meta, Llama, AI Model, Military, US National Security, Snowflake, Canadian Suspect, Arrest, Singapore, Keppel Ltd., AI-Ready, Data Center, Mitsui Fudosan, Japan



 Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.



🚨 Cyber Alerts


1. APT36 Targets Windows Devices with ElizaRAT

APT36, a cyber espionage group also known as Transparent Tribe, has launched a sophisticated campaign targeting Indian organizations with a malware toolkit that includes ElizaRAT and ApoloStealer. ElizaRAT leverages cloud-based services, such as Google Drive and Slack, for covert command-and-control (C2) communication, allowing it to mask malicious activity within regular network traffic. The recent campaigns use a dual approach, in which ElizaRAT and ApoloStealer are deployed through malicious CPL files attached to spear-phishing emails.


2. Windows Compromised by Backdoored Linux VMs

A new phishing campaign, identified as CRON#TRAP, is targeting Windows systems by stealthily installing backdoored Linux virtual machines (VMs) to gain unauthorized access to corporate networks. Researchers from Securonix discovered that the campaign utilizes phishing emails disguised as “OneAmerica survey” invitations, containing a large ZIP archive. When opened, this archive deploys a QEMU-managed TinyCore Linux VM named “PivotBox,” which includes a pre-installed backdoor known as Chisel.


3. South Korean Entities Targeted by APT37

APT37, a North Korean state-sponsored cyber threat group, has been actively conducting sophisticated reconnaissance operations against various South Korean entities, including human rights organizations, defectors, and journalists. Recent analyses from the Genius Security Center (GSC) reveal that APT37 is employing advanced tactics to collect sensitive information, such as IP addresses and operating system details, by using disguised shortcut files to deliver malware like RoKRAT.


4. Google Warns of Exploited Android Flaw

Google has issued a warning regarding a critical vulnerability in its Android operating system, which is currently under active exploitation. This flaw, identified as a privilege escalation issue within the Android Framework component, could potentially allow unauthorized access to various sensitive directories, including "Android/data," "Android/obb," and "Android/sandbox." Although specific details about how this vulnerability is being exploited in real-world attacks remain undisclosed, Google has acknowledged that there are indications of limited, targeted exploitation.


5. DocuSign API Exploited for Fake Invoice Scam

Threat actors are exploiting DocuSign's Envelopes API to create and distribute counterfeit invoices that appear legitimate, impersonating well-known brands like Norton and PayPal. By using actual DocuSign accounts, attackers bypass standard email security measures, as the fraudulent invoices are sent from the legitimate DocuSign domain, docusign.net. The goal is to deceive recipients into electronically signing these documents, which can then be used to authorize fraudulent payments while circumventing the company's billing departments.



💥 Cyber Incidents


6. Schneider Electric Suffers Data Breach

Schneider Electric has confirmed a significant cybersecurity breach affecting its developer platform, with a hacker claiming to have stolen approximately 40GB of data from the company's JIRA server. The threat actor, identified as "Grep," reported accessing the system through exposed credentials and utilized a MiniOrange REST API to scrape sensitive information, including 400,000 rows of user data containing 75,000 unique email addresses and full names of Schneider Electric employees and customers.


7. ANU Enterprise Hit by Ransomware Attack

ANU Enterprise, a subsidiary of the Australian National University (ANU), has confirmed a ransomware attack that compromised its systems. The incident was previously noted on the dark web by the ThreeAM ransomware gang, which claimed to have exfiltrated data but has not yet published any information. According to an ANU spokesperson, the ransomware incident resulted in the encryption and exfiltration of certain files, although they emphasized that the affected systems are entirely separate from ANU's core infrastructure, ensuring that no internal university systems were impacted.


8. MetaWin Online Casino Hacked for $4 Million

Online casino platform MetaWin experienced a significant security breach on November 3, 2024, resulting in the loss of approximately $4 million. The exploit targeted MetaWin's hot wallets through a vulnerability in its frictionless withdrawal system, leading the platform to temporarily halt all withdrawals. Despite the incident, MetaWin's CEO, Skel, reported that the stolen funds have since been replenished and that 95% of customer withdrawals have been restored.


9. Hakubun Eikodo Breach Exposes Customer Info

The Hakubun Eikodo online shop in Japan, managed by Tozai Philosophy Publishing, has reported a significant data breach affecting 18,394 customers, leading to the unauthorized disclosure of credit card information and personal details. Discovered on May 29, 2024, the breach was caused by vulnerabilities in the payment application, which allowed attackers to access sensitive data. The compromised credit card information includes cardholder names, numbers, expiration dates, and security codes of 15,986 customers who made purchases between April 7, 2021, and May 29, 2024.


10. MWI Veterinary Supply Hit With Breach

MWI Veterinary Supply, Inc. recently disclosed a data security incident affecting the personal information of current and former employees, their dependents, and certain individuals associated with customers. On September 30, 2024, MWI confirmed that unauthorized access to its systems had occurred, leading to potential exposure of sensitive data, including names, addresses, dates of birth, Social Security numbers, medical insurance information, and financial details.



📢 Cyber News


11. CISA Releases Statement on Foreign Threats

The Office of the Director of National Intelligence (ODNI), along with the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), has issued a statement highlighting ongoing foreign influence operations targeting U.S. elections. The statement, released on November 4, 2024, emphasizes that Russia is the primary threat, engaging in activities designed to undermine public confidence in election integrity, particularly in swing states.


12. Bangladesh Set to Repeal Cyber Security Act

Bangladesh is set to repeal its contentious Cyber Security Act within a week, a decision announced by Nahid Islam, adviser to the Ministry of Posts, Telecommunications, and Information Technology. In a recent meeting with Norway's Ambassador Hakon Arald Gulbrandsen, Islam emphasized that all cases filed under the act would be withdrawn as part of a broader review of laws that impede freedom of expression. He indicated that the government aims to implement reforms based on consultations with stakeholders and to ensure a national consensus for the upcoming parliamentary elections.


13. Meta Unveils Llama AI for US Military Use

Meta has officially opened access to its artificial intelligence model, Llama, for the United States military and defense contractors, marking a significant step in leveraging advanced AI technologies for national security. In a statement by Nick Clegg, Meta's president of global affairs, the company outlined that Llama will assist in streamlining complex logistics, tracking terrorist financing, and bolstering cyber defenses. This initiative comes as part of a broader partnership with major tech firms like Microsoft, Amazon, and IBM, aiming to enhance the U.S. military's technological capabilities against competitors like China.


14. Canadian Arrested Over Snowflake Data Breach

Canadian law enforcement has arrested Alexander "Connor" Moucka, also known as Judische and Waifu, for his alleged involvement in a series of cyberattacks linked to the data breach of the cloud data warehousing platform Snowflake earlier this year. Moucka was apprehended on October 30, 2024, following a request from U.S. authorities; the exact charges against him remain undisclosed. Snowflake had previously reported that a targeted campaign in June 2024 impacted a "limited number" of its customers, with around 165 organizations, including major corporations like AT&T and Ticketmaster, being affected.


15. Keppel Acquires Japanese AI Data Center

Singapore's Keppel Corporation has announced its agreement to acquire a cutting-edge, artificial intelligence-ready data center facility currently being developed by Mitsui Fudosan, Japan's largest property group, in Tokyo. This strategic move comes as Keppel aims to expand its data center funds from S$9 billion ($6.84 billion) to S$19 billion in response to the growing demand driven by the AI boom. Under the arrangement, Mitsui Fudosan will handle the core and shell construction of the facility, while Keppel's private fund will manage the fit-out works.



Subscribe and Comment.

Copyright © 2024 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.