Cyber Briefing: 2024.12.12

👉 What's going on in the cyber world today?

Secret Blizzard, Amadey, Kazuar Backdoor, Ukraine, EagleMsgSpy, Android Spyware, ZLoader, DNS Tunneling, C2 Communications, WordPress, Hunk Companion, Microsoft Windows, UI Framework, EDR Detection, Krispy Kreme, Disruption, Online Orders, Bitcoin Inc., ATM, Byte Federal, Inc., OpenAI, Global Outage, ChatGPT, Sora, India, Delhi Police, X Account, MagIC Edem, Fundación Arturo López Pérez (FALP), Oncology Institute, Ransomware, US Cyber Director, Cybersecurity Policy, Dutch Central Bank, BeReal, Privacy Complaint, European Union, noyb.eu, Europol, Operation PowerOFF, DDoS Providers, Fortinet, Acquisition, Perception Point, Email Security



Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

First time seeing this? Please subscribe.



🚨 Cyber Alerts


1. Secret Blizzard Uses Amadey to Deploy Kazuar

The Russian nation-state actor Secret Blizzard, also known as Turla, has been linked to a sophisticated campaign deploying the Kazuar backdoor in Ukrainian systems by leveraging the Amadey malware-as-a-service (MaaS) platform. Between March and April 2024, the group utilized Amadey bots to deliver tailored PowerShell droppers encoded with Turla-controlled command-and-control (C2) URLs, enabling precise targeting of Ukrainian military assets. This operation exemplifies Secret Blizzard's strategy of co-opting third-party malware infrastructure to obscure its activities, a tactic designed to complicate attribution and intelligence efforts.


2. Spyware Found Exploiting Devices Since 2017

Researchers have uncovered EagleMsgSpy, a sophisticated Android spyware active since 2017 and allegedly linked to Chinese law enforcement. Developed by Wuhan Chinasoft Token Information Technology Co., Ltd., the malware collects vast amounts of data, including messages, call logs, audio recordings, and location data, using an installer APK and a headless surveillance client. It targets popular apps like WhatsApp, Telegram, and WeChat while employing advanced obfuscation techniques to evade detection.


3. ZLoader Malware Adds DNS Tunneling Feature

ZLoader malware has resurfaced with significant updates, introducing a custom Domain Name System (DNS) tunneling protocol for command-and-control (C2) communications. This new version, identified as ZLoader 2.9.4.0, enhances the malware’s evasion tactics by incorporating an interactive shell that supports over a dozen commands, enabling more flexibility for ransomware attacks. The malware, which has been linked to Black Basta ransomware campaigns, now uses a combination of DNS tunneling and traditional HTTPS communications to mask its network traffic, providing additional resilience against detection.
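The evasion value of DNS tunneling is that C2 traffic hides inside a protocol almost every network allows. As an added illustration (not code from the ZLoader report or any vendor), the heuristic below scans constructed DNS query log lines and flags domains that receive many distinct, long, high-entropy subdomains, the pattern tunneled C2 leaves in resolver logs; the log format, the domain names and the `registered_domain` helper (a crude "last two labels" approximation) are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one "client qtype qname" per line:
# a few normal lookups plus a burst of hex-looking TXT queries to one domain.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3.c2-example.test
10.0.0.5 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.c2-example.test
10.0.0.5 TXT 1234abcd5678ef90aabbccddeeff0011.c2-example.test
10.0.0.5 TXT 99887766554433221100ffeeddccbbaa.c2-example.test
10.0.0.5 A mail.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Assumed approximation: the last two labels form the registered domain."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def detect_dns_tunneling(log_text, min_queries=3, min_label_len=20, min_entropy=3.0):
    """Return {domain: stats} for domains whose leftmost labels are consistently
    long and high-entropy across several distinct subdomains (tunneling-like)."""
    per_domain = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "txt_like": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _client, qtype, qname = parts
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        if not sub:
            continue  # bare registered domain carries no tunneled payload
        first = sub.split(".")[0]  # leftmost label carries the encoded data
        st = per_domain[dom]
        st["subs"].add(sub)
        st["lens"].append(len(first))
        st["ents"].append(shannon_entropy(first))
        st["txt_like"] += qtype.upper() in ("TXT", "NULL")  # record types favoured for bulk data
    flagged = {}
    for dom, st in per_domain.items():
        if len(st["subs"]) < min_queries:
            continue
        avg_len, avg_ent = sum(st["lens"]) / len(st["lens"]), sum(st["ents"]) / len(st["ents"])
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_subdomains": len(st["subs"]), "avg_label_len": avg_len,
                            "avg_entropy": round(avg_ent, 2), "txt_like": st["txt_like"]}
    return flagged
```

Thresholds are deliberately conservative; CDN and anti-spam lookups also produce long labels, so in production this is a triage signal to pair with query volume and the registered domain's age, not a verdict on its own.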


4. Hunk Companion Plugin Flaw Installs Malware

A critical vulnerability in the WordPress Hunk Companion plugin (CVE-2024-11972) is being actively exploited by attackers to install vulnerable or closed plugins, which can lead to severe security risks, including Remote Code Execution (RCE), SQL Injection, and Cross-Site Scripting (XSS) attacks. Affecting all versions prior to 1.9.0, this flaw, which has a CVSS score of 9.8, allows unauthenticated users to bypass permission checks when installing plugins. This enables malicious actors to deploy plugins with known vulnerabilities, such as the RCE bug in the WP Query Console plugin, potentially giving attackers control over WordPress sites.


5. Windows UI Framework Exploited to Evade EDR

A newly discovered malware technique leverages Windows' UI Automation (UIA) framework, a feature initially designed to aid assistive technologies, to carry out malicious activities without triggering endpoint detection and response (EDR) tools. This technique allows attackers to stealthily execute commands, steal sensitive data, redirect browsers to phishing websites, and manipulate messaging apps like Slack and WhatsApp. By using the Component Object Model (COM) for inter-process communication, malicious actors can interact with hidden UI elements and perform actions like writing messages without them appearing on the screen.



💥 Cyber Incidents


6. Krispy Kreme Disrupted by Ransomware Attack

Krispy Kreme has reported a significant cybersecurity incident that is impacting its operations, particularly in the area of online ordering. In a filing with U.S. federal regulators, the company revealed that it detected unauthorized activity on its network on November 29, 2024. Although physical stores remain operational and deliveries to retail partners are unaffected, some online ordering services in the U.S. have been temporarily disrupted. The incident is expected to have a material impact on business operations until recovery efforts are completed.


7. Byte Federal Hit With Breach Exposing Users

Byte Federal, one of the largest Bitcoin ATM operators in the U.S., has revealed that the personal data of 58,000 users was compromised in a recent security breach. The breach, which occurred on September 30, was discovered by Byte Federal on November 18. Hackers exploited a vulnerability in third-party software, specifically within the GitLab developer platform, to gain access to sensitive customer information. The exposed data includes names, addresses, phone numbers, government-issued IDs, Social Security numbers, transaction activity, and user photographs.


8. OpenAI Services Suffer Global Outage

ChatGPT, OpenAI’s widely used AI chatbot, experienced a global outage on December 12, 2024, affecting millions of users for nearly three hours. The disruption, which began shortly before 7 PM ET, also impacted OpenAI’s API and Sora services, leading to widespread frustration as users were unable to log in and faced error messages. With over 28,000 complaints registered on Downdetector, the outage highlighted the reliance on AI tools in both personal and business operations. OpenAI quickly acknowledged the issue and worked to restore services, successfully bringing ChatGPT, API, and Sora back online.


9. India’s Delhi Police Hacked by MagIC Edem

The Delhi Police's X account was briefly hacked on December 10, 2024, by the cyber group MagIC Edem. This breach occurred just after a cyber challenge event hosted by the police, which aimed to promote digital security awareness. The hack raised concerns about the security of high-profile government accounts, especially as the Delhi Police had recently shared posts urging citizens to safeguard their digital privacy.


10. FALP Oncology Institute Hit by Ransomware

The FALP Oncology Institute in Chile is currently dealing with a ransomware attack that has rendered its website, customer portal (My FALP), and appointment booking services unavailable. In an internal statement, the institute advised users to disconnect their devices from the network if they detect an "inc-readme.txt" file, a sign of the attack. The IT team, supported by external security providers, is working to contain the incident and prevent further compromises to FALP's systems.



📢 Cyber News


11. Report Urges Strengthening US Cyber Director

A recent report by the Center for Cybersecurity Policy and Law urges the incoming Trump administration and Congress to strengthen the Office of the National Cyber Director (ONCD). Established in 2021, the ONCD has been instrumental in developing a national cybersecurity strategy and coordinating efforts across the federal government. However, the report suggests that the office's mission needs clearer definition and public visibility to distinguish it from other key agencies like CISA and OMB.


12. DNB Urges Cash Reserves Amid Cyber Threats

The Dutch central bank (DNB) has advised citizens to keep cash at home in light of rising cyberattack threats, particularly from Russia, that could disrupt payment systems. In a statement issued on December 12, 2024, the DNB warned that if digital payment infrastructure is compromised, people may struggle to make purchases using bank cards or conduct online transfers. While the bank did not specify an exact amount of cash to keep, it pledged to release more detailed guidance in the new year on how to prepare financially for such disruptions.


13. BeReal Faces Privacy Complaint Over Tactics

BeReal, the popular selfie-sharing app, is facing a privacy complaint in Europe after altering its consent process for tracking following its acquisition by French mobile games publisher Voodoo. The complaint, filed by the European privacy group noyb, claims that BeReal is using manipulative tactics, also known as "dark patterns," to pressure users into agreeing to ad tracking, violating the General Data Protection Regulation (GDPR). Since July 2024, European users who reject tracking are repeatedly shown a consent banner every time they try to post, while those who agree never see the banner again.


14. Europol Crackdown Disrupts 27 DDoS Providers

Europol’s Operation PowerOFF has successfully disrupted a major DDoS-for-hire network by shutting down 27 popular "booter" and "stresser" websites, which cybercriminals use to launch Distributed Denial-of-Service attacks. Coordinated across 15 countries, the operation led to the arrest of three administrators and the identification of over 300 users planning malicious activities. The festive season is historically a peak period for these types of attacks, which can cause significant financial and reputational damage.


15. Fortinet Acquires Perception Point

Fortinet has completed the acquisition of Perception Point, a leader in advanced email and collaboration security, enhancing its Security Fabric portfolio. This strategic move allows Fortinet to better protect organizations against the growing complexity of digital threats, particularly in modern communication platforms like email, Slack, and Microsoft Teams. Perception Point’s AI-powered capabilities, including advanced threat detection, real-time protection, and patented sandboxing technology, will now be integrated into Fortinet’s comprehensive cybersecurity solutions.



Subscribe and Comment.

Copyright © 2024 CyberMaterial. All Rights Reserved.

Follow CyberMaterial on:

LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.



