News Items

Hackers aligned with the Private Military Corporation (PMC) Wagner attacked Dozor-Teleport, a satellite communications provider used by Russia's Ministry of Defense and security services. Attackers targeted the infrastructure of the satellite communication provider, causing damage to user terminals. Herm1t, a pro-Ukrainian hacker and malware historian, says that attackers could have significantly damaged client equipment and the network core. According to the Internet Intelligence Research Lab's Internet Outage Detection and Analysis (IODA) project, the Dozor network went offline for over 10 hours. Russia's Ministry of Defense, ships of the Northern Fleet, the Federal Security Service (FSB), Rosatom, and other organizations use Dozor-Teleport. Users on a Telegram channel managed by Herm1t observed that the attack resembles Russia's cyberattack on Viasat's satellites. This article continues to discuss hackers targeting the Russian satellite communications provider Dozor-Teleport.

Cybernews reports "Russian Satellite Telecom Dozor Allegedly Hit by Hackers"

Over 200,000 WordPress websites have recently been exposed to ongoing attacks targeting a critical vulnerability in the Ultimate Member plugin. The plugin is designed to make it easy for users to register and log in on sites and allows site owners to add user profiles, define roles, create custom form fields and member directories, and more. The vulnerability is tracked as CVE-2023-3460 (CVSS score of 9.8). It allows attackers to add a new user account to the administrator's group. Some of the plugin's users have observed the creation of rogue accounts and reported them this week, but the attacks appear to have been ongoing at least since the beginning of June. According to researchers at WPScan, the issue is rooted in a conflict between the plugin's blocklist logic and the way WordPress treats metadata keys. The researchers noted that Ultimate Member uses blocklists to store metadata keys that users should not manipulate and checks these lists whenever users attempt to register these keys when creating accounts. Due to the difference in operation between the plugin and WordPress, attackers were able to trick the plugin into updating metadata keys, including one that stores user roles and capabilities. The plugin's maintainers, who describe the issue as a privilege escalation bug, have attempted to address it in the last two versions of Ultimate Member, but they have reportedly failed to patch it fully. However, they did acknowledge the ongoing in-the-wild exploitation. Site owners are advised to disable Ultimate Member to prevent exploitation of the vulnerability. They should also audit all administrator roles on their sites to identify rogue accounts.

SecurityWeek reports: "200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in 'Ultimate Member' Plugin"

National Hazard Agency, a sub-group of the LockBit ransomware gang, has recently posted the name of Taiwan Semiconductor Manufacturing Company (TSMC), the world's largest chip manufacturer, on LockBit's dark web leak site on June 29, 2023. The threat actor has demanded TSCM pay a $70m ransom to prevent them from leaking the data they allegedly possess. The victim was initially given seven days to respond, but the deadline has since been extended to August 6. Currently, there is no information on the type of data LockBit may have extorted or whether they have any TSMC data at all. At the same time, it has been reported that Kinmax Technologies, one of TSMC's suppliers, which also works with Cisco, HPE, Microsoft, Citrix, VMware, and Nvidia has suffered a cyberattack, which led to the leak of information pertinent to server initial setup and configuration. Kinmax Technologies did not mention TSMC directly, and there is no official communication from the chip manufacturer currently If the breach is confirmed, it would be the fourth-largest ransom demand in ransomware history, according to William Thomas, a cyber threat intelligence researcher at Equinix. TSMC produces 65% of the world's semiconductors and 90% of the most advanced nodes. It has an estimated annual revenue of over $74bn in 2023.

Infosecurity reports: "LockBit Claims TSMC Hack, Demands $70m Ransom"

Cybersecurity researchers have shared details regarding the "Fluhorse" Android malware family. According to Fortinet FortiGuard Labs, the malware represents a significant transition because it includes malicious components directly within the Flutter code. Check Point first documented Fluhorse in early May 2023, describing its attacks on users in East Asia via rogue apps masquerading as ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. Phishing is the initial vector of infection for the malware. The malicious apps aim to steal credentials, credit card information, and two-factor authentication (2FA) codes. The most recent findings from Fortinet, which reverse-engineered a Fluhorse sample uploaded to VirusTotal on June 11, 2023, indicate that the malware has evolved by hiding the encrypted payload within a packer. This article continues to discuss the latest findings regarding the Fluhorse Android malware family.

THN reports "Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes"

Generative Artificial Intelligence (AI), ChatGPT, OpenAI, and Large Language Models (LLMs) are now almost daily topics of conversation within the cybersecurity community. Some small and large security vendors have incorporated AI chatbots into their offerings. Currently, investment in GPT-based AI security is one of the most active startup funding areas, and it is impossible to avoid encountering research on potential generative AI-related cybersecurity threats and countermeasures. This article continues to discuss how the security conversation regarding the new generation of AI is beginning to deepen.

Dark Reading reports "6 Ways Cybersecurity Is Gut-Checking the ChatGPT Frenzy"

The US Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has issued a new solicitation for the development, improvement, and implementation of a new set of tools that protect the privacy of individuals when using digital credentials for various purposes. The solicitation, "Privacy-Preserving Digital Credential Wallets & Verifiers," is administered by S&T's Silicon Valley Innovation Program (SVIP). It seeks advanced solutions to support a privacy-preserving digital credentialing ecosystem for DHS components and offices. Melissa Oh, managing director of SVIP, emphasizes that in an increasingly interconnected world, protecting the privacy of individuals who store their credentials in digital wallets is crucial to ensuring the security and confidentiality of their digital interactions. The solicitation builds on the success and global adoption of the open, standards-based digital credentialing solutions developed in response to SVIP's previous "Preventing Forgery & Counterfeiting of Certificates and Licenses" topic call. This article continues to discuss the new solicitation announced by DHS S&T to create solutions for privacy-preserving digital credential wallets and verifiers.

DHS reports "DHS S&T Seeks Solutions for Privacy-Preserving Digital Credential Wallets & Verifiers"

The Department of Education (DOE) recently experienced a data breach incident on Saturday, June 24. The DOE stated that the third-party file-sharing software MOVEit, which is used by the DOE to transfer documents and data internally and to vendors, including special education providers, was targeted in the incident. While a review is still ongoing, the DOE said approximately 45,000 students, in addition to DOE staff and related service providers, were affected by the system intrusion. Roughly 19,000 documents were accessed without authorization. The data impacted by the breach includes Social Security numbers, employee ID numbers, and student ID numbers. The DOE stated that it is working to determine exactly which confidential information was exposed and the impact for each affected individual.

Queens Chronicles "DOE Suffers Data Breach; 45K Students Affected"

According to security researchers at VMware, a ransomware gang named 8Base was the second most active group in June 2023. 8Base has been active since March 2022 and mainly focused on small businesses. The researchers noted that the group engages in double extortion tactics, publicly naming and shaming victims to compel them to pay the ransom. To date, the 8Base gang has hit approximately 80 organizations across sectors such as automotive, business services, construction, finance, healthcare, hospitality, IT, manufacturing, and real estate. While analyzing the group's activity, the researchers identified a resemblance with another relatively unknown ransomware gang, RansomHouse, which is known for purchasing leaked data and then extorting companies for money. According to the researchers, similarities were found in communication style and ransom notes, with the leak sites of the groups using nearly identical language, albeit different visuals. The main difference between the two groups is the fact that, while RansomHouse is openly recruiting for partners, 8Base is not. 8Base was seen using ransom notes that match both RansomHouse and Phobos. The researchers noted that it is possible that 8Base has used different types of ransomware as part of its normal operation. Whether 8Base is an offshoot of Phobos or RansomHouse remains to be seen.

SecurityWeek reports: "Dozens of Businesses Hit Recently by '8Base' Ransomware Gang"

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

More victims of the MOVEit hack have recently come to light, with a total of over 130 organizations and millions of individuals believed to be impacted. Brett Callow, a threat analyst at cybersecurity firm Emisoft, stated that he is aware of 138 organizations to have been impacted by the campaign, with the data breaches resulting in the personal information of more than 15 million people being compromised. The Russia-linked cybercrime group known for operating the Cl0p ransomware has taken credit for the attack. Cl0p has claimed to have hit many organizations, and they have started naming those that have refused to pay up or enter negotiations. They have recently named over 60 entities that appear to have been targeted through the MOVEit vulnerability, which the group may have been testing since 2021. Callow stated that the list includes major organizations such as Shell (they have already leaked data allegedly stolen from the energy giant), Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Cognizant, and AbbVie. Law firms Kirkland & Ellis and K&L Gates have also been added to Cl0p's leak website.

SecurityWeek reports: "Over 130 Organizations, Millions of Individuals Believed to Be Impacted by MOVEit Hack"

"Andariel," a threat actor aligned with North Korea, used "EarlyRat," a previously undocumented malware, in attacks exploiting the Log4j Log4Shell vulnerability. According to researchers, Andariel infects machines by executing a Log4j exploit, which then downloads additional malware from the command-and-control (C2) server. Andariel, also known as "Silent Chollima" and "Stonefly," is associated with North Korea's Lab 110, a primary hacking unit that also includes APT38 (also known as "BlueNoroff") and other subordinate elements tracked collectively under the name "Lazarus Group." In addition to conducting espionage attacks against foreign government and military entities of strategic interest, the threat actor is known to conduct cybercrime as an extra source of income. Some of the cyber weapons in its arsenal include the Maui ransomware strain and numerous Remote Access Trojans (RATs) and backdoors such as Dtrack, NukeSped, MagicRAT, and YamaBot. This article continues to discuss the North Korea-aligned threat actor Andariel using the new EarlyRat malware.

THN reports "North Korean Hacker Group Andariel Strikes With New EarlyRat Malware"

A former GitHub employee claims that a vulnerability in Node Package Manager (npm) could enable anyone to hide malicious dependencies and scripts within their packages. Npm, owned by GitHub, is used for sharing JavaScript code among over 17 million developers. In a June 27 blog post, Darcy Clarke, the former staff engineering manager for npm's command line interface team, described a site flaw he called "manifest confusion." The "confusion" stems from the fact that npm does not validate the metadata associated with a given package, allowing any publisher to hide certain information about their packages, such as the scripts it executes and the dependencies on which it relies. In recent months, an increasing number of hackers have devised novel methods to poison packages and spread malware along the code supply chain, putting pressure on npm and other similar repositories. This article continues to discuss the manifest confusion weakness in npm.

Dark Reading reports "NPM Plagued With 'Manifest Confusion' Malware-Hiding Weakness"

The National Science Foundation (NSF) has awarded a $1.2 million grant to a team of researchers from Purdue University and Michigan State University to continue enhancing the security of cellular 911 calls. In the US, the Federal Communications Commission (FCC) has enacted regulations to make it easier for cell phone users to contact 911 in an emergency. The research team became interested in how US cell phone services comply with regulations. They discovered that compliance with the regulations could compromise security. For example, companies cannot apply encryption and integrity protection to emergency calls as they would to non-emergency calls. This can create a security vulnerability in cellular 911 communications. The team will perform various research tasks to facilitate an interdisciplinary understanding of emergency service attacks against the mobile ecosystem. They will also analyze associated research issues as well as develop algorithms, tools, and platforms to bolster the security of cellular emergency services. This article continues to discuss the project aimed at reducing cybersecurity risks to protect cellular 911 calls.

Purdue University reports "Making 911 Calls More Secure"

The Cybersecurity and Infrastructure Security Agency (CISA) has released the first series of final security guidance resources under its Secure Cloud Business Applications (SCuBA) project: the Extensible Visibility Reference Framework (eVRF) Guidebook and a Technical Reference Architecture (TRA) document. With input from the public comment period in 2022, the final guidance documents will help public and private entities in implementing cloud security and resilience best practices. The eVRF Guidebook provides an overview of the eVRF framework, which allows organizations to identify visibility data, mitigate threats, understand the extent to which products and services offer visibility data, and identify potential data gaps. Organizations can use the TRA Document as a security guide to adopting technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks. This article continues to discuss CISA's release of the first series of final security guidance resources under its SCuBA project.

CISA reports "CISA Releases Cloud Services Guidance and Resources"

Bitcoin is the most well-known cryptocurrency in the world today, but there are numerous others, each implementing a different set of technical features. To exchange one cryptocurrency for another, so-called "bridges" are used, which are typically provided by companies that hold significant sums of various cryptocurrencies and offer to exchange them. However, this has often led to security issues and criminal cases involving the theft of cryptocurrencies worth billions. Researchers at TU Wien developed a novel protocol to enable the exchange of one cryptocurrency for another efficiently and securely. "Glimpse" is the name of the new protocol, which will provide the cryptocurrency world with entirely new options. The "USENIX Security Symposium" accepted the paper presenting this new tool. This article continues to discuss the novel protocol developed at TU Wien that enables the exchange of one cryptocurrency for another in an efficient and secure manner.

TU Wien reports "A Bridge Between Different Cryptocurrencies"

Wagner ransomware infects user devices and invites them to join the Wagner Group, which is a Russian Private Military Corporation (PMC). Cyble researchers say that the recently detected ransomware likely targets Russians. Instead of demanding payment, the ransomware demands that victims join the PMC led by Yevgeny Prigozhin. "Official Wagner PMCs employment virus," reads the ransom note on victim devices in Russian. The note also calls on the victim to "wage war" against Sergei Shoigu, Russia's longtime Minister of Defense. Cyble reports that while the ransom note mimics the bio section of the Wagner Group Telegram channel, the PMC itself has not publicly claimed responsibility for the ransomware campaign. The strain seems to be a variant of Chaos ransomware, which evolved from the RYUK ransomware. Wagner ransomware targets data stored on the C: drive, encrypting documents, contacts, and more. This article continues to discuss the Wagner ransomware campaign.

Cybernews reports "Wagner Ransomware Wants to Recruit Its Victims"

Researchers at SonarSource discovered two SQL injection vulnerabilities in Gentoo Soko, tracked collectively as CVE-2023-28424 with a CVSS score of 9.1, which a remote attacker can exploit to execute arbitrary code on vulnerable systems. Soko is deployed in the Gentoo Linux infrastructure. The researchers explained that exploiting the vulnerabilities is possible due to improper database configuration. The misconfiguration likely stems from the database's Docker containerization. It was noted that containers frequently "enjoy elevated privileges" due to their status as a security boundary between software components. According to SonarSource's report, a threat actor can inject specially crafted code to evade the escaping feature in the module and introduce SQL injections, resulting in the exposure of sensitive data. This article continues to discuss the SQL injection vulnerabilities in Gentoo Soko that could lead to remote code execution (RCE) on impacted systems.

Security Affairs reports "Critical SQL Injection Flaws in Gentoo Soko Can Lead To Remote Code Execution"

Europol recently announced that dismantling an encrypted chat platform used by organized crime gangs (OCGs) has led to 6558 arrests in the past three years, including 197 "high-value targets." Europol noted that EncroChat was used by tens of thousands of criminals to communicate without fear of being snooped on by law enforcers. Special devices were sold for $1095 each, and six-month subscriptions were priced at $548, featuring 24/7 support, remote wipe, and a PIN code to wipe the phone if apprehended. Since EncroChat was infiltrated, police have analyzed over 115 million conversations from over 60,000 users worldwide, with Europol providing 700 "actionable intelligence packages" compiled from this information to investigators globally. Over the past three years, law enforcers have seized 740m euros in cash, frozen 154m euros in assets or bank accounts, seized 31 million pills, 104 tonnes of cocaine, 163 tonnes of cannabis, and 3.3 tonnes of heroin, seized 923 weapons, 21,750 rounds of ammunition and 68 explosives, and seized 83 boats and 40 planes. Europol stated that subsequent convictions have led to a total combined sentence of 7134 years of imprisonment.

Infosecurity reports: "EncroChat Bust Leads to 6500 Arrests in Three Years"

Radeal, the Polish developer of Android stalkerware "LetMeSpy," is informing users that their personal information and collected data was stolen due to a cyberattack. LetMeSpy is a free application that collects information from the phones it has been installed on, including call logs, text messages, and device location. The phone monitoring application is marketed as offering parental control and employee monitoring capabilities, but it essentially allows users to spy on others after installing the software on their devices, likely without their knowledge. Once up and running on a device, LetMeSpy hides its icon from the phone's home screen to prevent detection and removal. The application uploads the collected information to remote servers, where the user who installed it can access it, essentially tracking a person in real time. Radeal stated that it fell victim to a cyberattack that resulted in unauthorized access to the data of website users. As a result of the attack, the criminals gained access to email addresses, telephone numbers, and the content of messages collected on accounts. The application developer suspended all account-related functions of the website, promising to restore them after mitigating the attack. Law enforcement was also informed about the incident. According to security researcher Maia Arson Crimew, who received a copy of the allegedly stolen data, the attackers got their hands on call logs, messages, user IDs, email addresses, password hashes, geolocation logs, IP addresses, payment logs, and phone information.

SecurityWeek reports: "Sensitive Information Stolen in LetMeSpy Stalkerware Hack"

Jscrambler has released a free tool to help businesses check the JavaScript code on their e-commerce sites and bring it into compliance with Payment Card Industry Data Security Standards (PCI DSS) 4.0. In March 2022, the PCI Security Standards Council released PCI DSS 4.0 and started a two-year phase-out of the previous versions. By March 31, 2025, all retailers and e-commerce sites, as well as anyone else who processes payment cards online, will be required to comply with PCI DSS 4.0 requirements. The PCI DSS JavaScript Compliance Tool from Jscrambler helps organizations determine whether the JavaScript on their e-commerce websites complies with two 4.0 requirements: protecting against and detecting skimming attacks on all scripts from a merchant or its third-party or fourth-party contractors. Attackers carry out web skimming campaigns by injecting malicious code into Magento, WooCommerce, Shopify, and WordPress websites, so the anti-skimming requirements are necessary. Two million websites, including those of Ticketmaster and British Airways, have been found to contain Magecart skimmers. This article continues to discuss the free tool released to help companies check the JavaScript code running on their e-commerce sites and bring it into compliance with the latest PCI DSS.

Dark Reading reports "Jscrambler Launches JavaScript Scanner for PCI DSS 4.0 Compliance"

Researchers wanted to know whether ChatGPT can reliably detect phishing sites. They tested 5,265 URLs (2,322 phishing and 2,943 safe). They asked ChatGPT (GPT-3.5) the question: "Does this link lead to a phish website?" The Artificial Intelligence (AI)-driven chatbot had an 87.2 percent detection rate and a 23.2 percent false positive rate based solely on the URL form. According to the researchers, although the rate of detection is high, the rate of false positives is unacceptable. The results were much worse when they asked a slightly different question: "Is this link safe to visit?" The detection rate was 93.8 percent and the false positive rate was 64.3 percent. The more general prompt is more likely to result in a conclusion that the link is malicious. Both approaches yielded unsatisfactory results, but the researchers still believe it is possible to use this type of technology to aid human analysts by highlighting suspicious URL parts and suggesting potential attack targets. This article continues to discuss the potential use of ChatGPT to detect phishing sites.

Help Net Security reports "ChatGPT Shows Promise in Detecting Phishing Sites"

Cybersecurity Snapshots #43 -

Rorschach Ransomware

Computer scientists at the University of Waterloo have discovered an attack technique that can bypass voice authentication security systems with a success rate of up to 99.9 percent after only six attempts. Voice authentication, which enables businesses to verify the identity of their clients through a unique "voiceprint," has become increasingly implemented in remote banking, call centers, and other security-sensitive situations. In order to enroll in voice authentication, the user must repeat a specific phrase in their own voice. The system then extracts a unique vocal signature (voiceprint) from the provided phrase and stores it on a server, explains Andre Kassis, a Computer Security and Privacy Ph.D. candidate and the study's lead author. For future authentication attempts, they are asked to repeat a different phrase, and the features extracted from it are compared to the voiceprint stored in the system to determine if they should be granted access. Following the introduction of voiceprints, malicious actors soon realized they could apply Machine Learning (ML)-enabled "deepfake" software to create convincing copies of a victim's voice using as little as five minutes of recorded audio. This article continues to discuss the attack method that can bypass voice authentication security with a high success rate.

The University of Waterloo reports "Attackers Can Break Voice Authentication With up to 99 Percent Success Within Six Tries"

A new process injection technique called "Mockingjay" may enable threat actors to evade Endpoint Detection and Response (EDR) and other security products in order to secretly execute malicious code on compromised systems. Researchers at the cybersecurity company Security Joes discovered the technique, which uses legitimate DLLs with read, write, and execute sections to bypass EDR hooks and inject code into remote processes. Process injection is a technique for executing arbitrary code in the address space of another running process trusted by the operating system, giving threat actors the ability to run malicious code without being detected. Examples of process injection techniques include DLL injection, PE injection, reflective DLL injection, thread execution hijacking, process hollowing, mapping injection, and more. All these methods require using Windows Application Programming Interfaces (APIs) and different system calls, creating processes/threads, and writing process memory. Mockingjay distinguishes itself from other methods because it does not use commonly abused Windows API calls, set special permissions, perform memory allocation, or even start a thread, thus removing many potential detection opportunities. This article continues to discuss findings regarding the new Mockingjay process injection method.

Bleeping Computer reports "New Mockingjay Process Injection Technique Evades EDR Detection"