News Items

A critical Application Programming Interface (API) vulnerability in the Expo open source framework enabled the harvesting of auth credentials via the Open Authorization (OAuth) protocol. According to researchers at Salt Labs, the vulnerability, while affecting a relatively small number of developers, could have impacted many users logging into online services such as Facebook, Twitter, or Spotify via the open source framework. A successful attack could have let an adversary take over accounts and steal credentials on a mobile app or website configured to use the Expo AuthSession Redirect Proxy. A victim could have triggered an attack by clicking on a malicious link. Developers use Expo (auth.expo.io) to create native apps for iOS, Android, and web platforms with a single set of tools, libraries, and services. It is regarded as an efficient method to accelerate the application development process. According to Salt Labs, the vulnerability may affect hundreds of companies using Expo, including Codecademy. However, researchers emphasize the small surface area of auth.expo.io, which reduces the number of social sign-on instances involved. This article continues to discuss the potential manipulation of steps in the OAuth sequences via the Expo API to hijack sessions and take over accounts.

SC Media reports "API Bug in OAuth Dev Tool Opened Websites, Apps to Account Hijacking"

During the 44th Symposium on Security and Privacy, the Institute of Electrical and Electronics Engineers (IEEE) gave two "Test of Time" awards to papers co-authored by faculty members at Carnegie Mellon University's (CMU) CyLab Security and Privacy Institute. Initiated in 2019, the Test of Time award honors published papers previously presented at the annual symposium that have had a significant and lasting impact on computer security and privacy research and practice. This year, the award committee considered papers presented from 2011 through 2013. The first paper that won the award is titled "Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms." Researchers examined 12,000 passwords collected under seven composition policies and developed an efficient distributed method for calculating the effectiveness of different heuristic password-guessing algorithms. The second award-winning paper is titled "Pinocchio: Nearly Practical Verifiable Computation." In 2013, researchers recognized the need to instill greater confidence in cloud-based computations and enable clients to verify the accuracy of the returned results. A team of Microsoft and IBM researchers, including now CMU Computer Science and Electrical and Computer Engineering Associate Professor Bryan Parno, developed Pinocchio, a system for efficiently verifying general computations while relying solely on cryptographic assumptions. This article continues to discuss the papers that earned CyLab faculty members two Test of Time awards at the IEEE Symposium on Security and Privacy.

CyLab reports "CyLab faculty earn two 'Test of Time' awards at IEEE Symposium on Security and Privacy"

A new ransomware operation, "Buhti," targets Windows and Linux systems using leaked code from the LockBit and Babuk ransomware families. Although the threat actors behind Buhti, now tracked as "Blacktail," have not developed their own ransomware strain, they have created a custom data exfiltration tool to double-extort victims. In February 2023, Palo Alto Networks' Unit 42 team identified Buhti as a Linux-targeting ransomware written in Go. Symantec's Threat Hunter team has published a new report showing that Buhti also targets Windows using a modified LockBit 3.0 variant named "LockBit Black." Blacktail uses the Windows LockBit 3.0 builder leaked by a disgruntled developer on Twitter in September 2022. For Linux attacks, Blacktail uses a payload based on the Babuk source code posted on a Russian-language hacking forum in September 2021. Malware reuse is typically a sign of less sophisticated actors. However, in this case, multiple ransomware groups gravitate towards Babuk due to its demonstrated ability to compromise VMware ESXi and Linux systems. Targeting these systems has been profitable for cybercriminals. This article continues to discuss the use of leaked Windows and Linux encryptors by the Buhti ransomware gang.

Bleeping Computer reports "New Buhti Ransomware Gang Uses Leaked Windows, Linux Encryptors"

An investigation conducted by Microsoft reveals that China-backed threat actors have established persistent access to telecommunications networks and other critical infrastructure targets in the US for espionage and, potentially, to disrupt communications in the event of military conflict in the South China Sea and broader Pacific. Microsoft calls the Advanced Persistent Threat (APT) "Volt Typhoon." Researchers from Microsoft, Mandiant, and other organizations have previously observed this state-sponsored group conducting cyber espionage. According to the analysis, Microsoft has moderate confidence that the Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the US and Asia during future crises. This article continues to discuss findings regarding the Volt Typhoon China-backed APT.

Dark Reading reports "'Volt Typhoon' China-Backed APT Infiltrates US Critical Infrastructure Orgs"

The pro-Russian hacking group Anonymous Sudan compromised Scandinavian Airlines (SAS) for the second time this year, knocking the SAS website and app offline for hours. The group tried to extort SAS with a $3,500 ransom to stop the attack. According to the SAS corporate website, the airline carrier for Denmark, Norway, and Sweden typically offers more than 800 scheduled flights per day to over 130 destinations worldwide. In February, Anonymous Sudan claimed the airlines as part of a Valentine's Day attack against Sweden, rendering the SAS website inaccessible for hours and compromising sensitive passenger data. Several Swedish media agencies were also targeted during the Valentine's Day attacks. The group claimed to have attacked Swedish companies in retaliation for the burning of a Koran by a well-known Swedish/Danish activist during a January protest in Stockholm supporting Sweden's bid to join NATO. This article continues to discuss the recent attack on the SAS company by the pro-Russian hacking group Anonymous Sudan.

Cybernews reports "SAS Airlines Breached by Pro-Russian Hackers - Again"

Google released eight new Top-Level Domains (TLDs) at the beginning of May. These are the suffixes at the end of URLs, such as ".com" or ".uk." The new TLDs include ".zip" and ".mov," which are expected to invite phishing and other forms of online fraud. Since both of them are also common file extension names, they stand out. The former, ".zip," is used for data compression, whereas ".mov" is an Apple-developed video format. The concern is that URLs resembling file names will increase opportunities for digital scams such as phishing, which deceive web users into clicking on malicious links disguised as legitimate. In addition, the two domains may exacerbate the issue of programs mistaking file names for URLs and automatically adding links to the file names. Scammers could purchase ".zip" and ".mov" URLs that are also common file names, so online references to files with those names could automatically link to a malicious website. This article continues to discuss the new top-level domains that could be used in phishing attacks.

Wired reports "The Real Risks in Google's New .Zip and .Mov Domains"

Security researchers at Veeam discovered that 85% of organizations have suffered at least one ransomware attack over the past 12 months. The researchers warned that if this trend continues, "more organizations will suffer a ransomware attack than turn a profit." The researchers also found that in 93% of ransomware incidents, the threat actors target the backup repositories, resulting in 75% of victims losing at least some of their backups during the attack and more than one-third (39%) of backup repositories being completely lost. Organizations are still ill-prepared to face this threat. The researchers noted that most (80%) continue to pay the ransom despite multiple advisories against it. They primarily do that to get their data back, yet 21% don't, even after paying the ransom. Additionally, many respondents to the researcher's survey acknowledge that progress needs to be made in incident response. For example, despite 87% claiming they have a risk management program that drives their security roadmap, only 35% believe their program is working well, and 52% are seeking to improve their situation. Moreover, while respondents cited "clean backup copies" and "recurring verification that the backups are recoverable" as the most common elements of the incident response playbook in preparation against a cyberattack, 60% of organizations say there is insufficient alignment between their backup and cyber teams.

Infosecurity reports: "Backup Repositories Targeted in 93% of Ransomware Attacks"

Cyber Scene #80 -

Digitization: Making Money Makes the World Go Round

Cybersecurity Snapshots #42 -

New Ransomware Gang Discovered: The RA Group

Latvian network equipment manufacturer MikroTik has recently released a patch for a major security defect in its RouterOS product and confirmed the vulnerability was exploited five months ago at the Pwn2Own Toronto hacking contest. The flaw, CVE-2023-32154, affects devices running MikroTik RouterOS versions v6.xx and v7.xx with enabled IPv6 advertisement receiver functionality. According to ZDI, organizers of the Pwn2Own software exploitation event, the vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS. ZDI warned that authentication is not required to exploit this vulnerability. MikroTik stated that the specific flaw exists within the Router Advertisement Daemon. "The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root." The Pwn2Own organizers decided to go public with an advisory prior to the availability of patches after waiting five months for MikroTik to acknowledge and fix the already-exploited security flaw. ZDI noted that it reported the issue to MikroTik during the event last December and asked again for an update in May this year, five months later. On May 10, ZDI said it "re-disclosed the report at the vendor's request" and gave the company an extra week to provide fixes. In its response, MikroTik said it could not find a record of the December disclosure from ZDI and that it was not present at the Toronto event in December to discuss the exploit.

SecurityWeek reports: "Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own"

Billions of people worldwide use end-to-end encrypted messaging apps such as WhatsApp, Telegram, and Signal. In theory, end-to-end encryption ensures that only the sender and recipient possess the keys necessary to decrypt their message. Not even an app's owners can look in. According to some encryption advocates, this privacy tool now faces its greatest challenge: legislation enacted in the name of a safer Internet. The UK's Online Safety Bill, expected to become law later this year, is the most recent example. Similar laws are proposed in other democratic countries. According to their opponents, these laws would undermine the foundation of end-to-end encryption for protecting privacy. Clause 110 of the Online Safety Bill, which authorizes the Brig broadcasting and telecommunications regulator, Ofcom, to issue takedown orders for messages "whether communicated publicly or privately by means of the service," worries encryption advocates. To accomplish this, the law requires services to monitor messages using "accredited technology" that has been approved by Ofcom. Observers believe service providers cannot comply with Clause 110 takedown orders without jeopardizing encryption. This article continues to discuss the bills raising concerns among privacy advocates.

IEEE Spectrum reports "Could These Bills Endanger Encrypted Messaging?"

Since 2019, a relatively unknown Advanced Persistent Threat (APT) group called GoldenJackal has been conducting espionage against government and diplomatic entities in Asia. The threat actors have maintained a low profile for hiding, carefully selecting their victims, and limiting the number of attacks to reduce the likelihood of being discovered. Since 2020, researchers have been monitoring GoldenJackal, now reporting that the threat actors have been active in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey. GoldenJackal uses a collection of custom .NET malware tools for various functions, including credential dumping, data theft, malware loading, lateral movement, file exfiltration, and more. The primary payload used to infect a system is JackalControl, which grants the perpetrators remote control of the infected computer. The malware can establish persistence by adding Registry keys, Windows scheduled tasks, or Windows services. This article continues to discuss the GoldenJackal APT group.

Bleeping Computer reports "GoldenJackal State Hackers Silently Attacking Govts Since 2019"

iRecorder - Screen Recorder is a trojanized Android app discovered by ESET researchers. It was available as a legitimate app on Google Play in September 2021, and malicious functionality was likely introduced in August 2022. During its existence, more than 50,000 devices installed the app. The malicious code that was introduced to the clean version of iRecorder is based on the open-source AhMyth Android Remote Access Trojan (RAT) and has been changed into what ESET researchers call AhRat. The malicious app's ability to record audio using the device's microphone and steal files suggests it may be part of an espionage operation. Other than the Google Play Store, ESET Research has not found AhRat in the wild. However, this is not the first time AhMyth-based Android malware has been available on the official store. In 2019, ESET published research on a similar trojanized app. In the past, the spyware, which was based on AhMyth, circumvented Google's app-vetting process twice as a malicious app that provided radio streaming. However, the iRecorder app is also available on unofficial and alternative Android markets, and the developer offers other apps on Google Play that do not contain malicious code. This article continues to discuss findings regarding the trojanized Android app iRecorder - Screen Recorder.

Help Net Security reports "Legitimate Android App Transforms Into Data-Snooping Malware"

A massive credential-harvesting campaign uses the legitimate email newsletter program SuperMailer to send out a large number of phishing emails designed to circumvent Secure Email Gateway (SEG) protections. Cofense reported on May 23 that SuperMailer-created emails account for a significant 5 percent of all credential phishing attempts within the company's telemetry for the month of May. The monthly volume of the activity has more than doubled in three of the past four months, which is notable even in a time when credential phishing is on the rise. Combining SuperMailer's customization features and sending capabilities with evasion techniques, threat actors behind the campaign sent customized, legitimate-looking emails to inboxes across all industries, according to Brad Haas, cyber threat intelligence analyst at Cofense and author of the study. According to Cofense, the threat actors behind the activity are casting a wide net, hoping to catch victims in a variety of industries, including construction, consumer goods, energy, financial services, food service, government, healthcare, information and analytics, insurance, manufacturing, media, mining, professional services, retail, transportation, and utilities. This article continues to discuss the credential-harvesting SuperMailer campaign.

Dark Reading reports "SuperMailer Abuse Bypasses Email Security for Super-Sized Credential Theft"

The National Security Agency (NSA) and several partners have released the "#StopRansomware Guide" Cybersecurity Information Sheet (CSI) to help network defenders protect against malicious cyber actors' evolving ransomware tactics. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) originally released the guidance in 2020, but the new update incorporates additional best practices and recommendations based on operational insight from CISA, MS-ISAC, NSA, and the FBI. Additional recommendations address the prevention of common initial infection vectors, cloud backups, and Zero Trust Architecture (ZTA). CISA and the National Institute of Standards and Technology (NIST) devised the Cross-Sector Cybersecurity Performance Goals (CPGs), which these recommended practices align with. The CSI expands the ransomware response checklist to include recommendations for threat hunting and analysis. This article continues to discuss the #StopRansomware Guide.

NSA reports "#StopRansomware Guide Released by NSA and Partners"

Security researchers at ClearSky have discovered a sophisticated watering hole attack targeting multiple Israeli websites. The malicious attempt, believed to be conducted by a nation-state actor from Iran, has raised concerns about the security of shipping and logistics companies operating in the region. The researchers stated that in watering hole attacks, the attacker compromises a website that is frequently visited by a specific group of people, such as government officials, journalists, or corporate executives. Once compromised, the attacker can inject malicious code into the website, which will be executed when users visit it. The researchers noted that currently, the campaign focuses on shipping and logistics companies, aligning with Iran's focus on the sector for the past three years. The researchers attributed the attack with low confidence to Tortoiseshell, also known as TA456 or Imperial Kitten, a hacking group traditionally linked to Iranian cyber operations.

Infosecurity reports: "Fata Morgana Watering Hole Attack Targets Shipping, Logistics Firms"

Different information-stealing malware strains have been distributed using websites posing as the TikTok video editor CapCut in different campaigns. A Cyble report revealed that the threat actors behind the first campaign used fraudulent CapCut websites to facilitate the distribution of the Offx Stealer with a PyInstaller-compiled binary on Windows 8, 10, and 11 devices. Offx Stealer's execution would enable the exfiltration of web browser passwords, cookies, and certain file types, as well as information from cryptocurrency wallet apps, messaging apps, and remote access software. The second campaign involved the delivery of a batch script-containing file that triggered a PowerShell script facilitating the delivery of the RedLine stealer and a .NET executable. RedLine would enable data theft, whereas the other payload would ensure the data thief remains undetected on the compromised systems. This article continues to discuss the distribution of information-stealing malware strains through fraudulent CapCut websites.

SC Media reports "Infostealers Distributed via Fraudulent CapCut Websites"

Google recently introduced Mobile VRP (vulnerability rewards program), a new bug bounty program for reporting vulnerabilities found in the company's mobile applications. The Mobile VRP runs alongside the Android and Google Devices security reward program, which rewards security researchers for issues identified in the Android OS, Pixel phones, and Google Nest and Fitbit devices. Google noted that the new program is specifically designed for first-party Android applications, which fall into three categories. Tier 1 apps include Google's own Play Services, AGSA (Android Google Search app), Chrome, Cloud, Gmail, and Chrome Remote Desktop software. Applications published by Developed with Google, Research at Google, Red Hot Labs, Google Samples, Fitbit LLC, Nest Labs Inc., Waymo LLC, and Waze are also within scope. Google stated that as part of Mobile VRP, it is looking for reports describing flaws leading to arbitrary code execution and theft of sensitive data (credentials and personal information) but may also accept submissions of other types of bugs with a security impact, such as path traversal, intent redirections, unsafe usage of pending intents, and orphaned permissions. The internet giant is willing to pay up to $30,000 for vulnerabilities in Tier 1 apps that can be exploited remotely without user interaction to achieve arbitrary code execution. The lowest reward for this type of bug is $2,250. Researchers reporting issues in Tier 2 and Tier 3 apps may earn up to $25,000 and $20,000, respectively, for similar vulnerabilities. Flaws leading to sensitive data theft and other types of issues will be awarded between $750 and $7,500 for Tier 1 apps, between $625 and $6,250 for Tier 2 software, and between $500 and $5,000 for Tier 3 applications. Google notes it may also award $1,000 bonuses for surprising vulnerabilities or exceptional writeups. Google stated that researchers are encouraged to present their findings in a succinct manner, adding a short proof-of-concept (PoC) if possible. It was noted that researchers interested in participating in the Mobile VRP should only target their own accounts and should submit their findings through Google's report page. Additional information on the program can be found on the new Mobile VRP page.

SecurityWeek reports: "Google Launches Bug Bounty Program for Mobile Applications"

A team of scientists from the Department of Energy's (DOE) Pacific Northwest National Laboratory (PNNL), Purdue University, Carnegie Mellon University (CMU), and Boise State University has turned to Artificial Intelligence (AI), threading together three large databases of information regarding computer vulnerabilities, weaknesses, and likely attack patterns. The AI-based model automatically links vulnerabilities with specific attack vectors that adversaries may use to compromise computer systems. The work should help defenders detect and prevent attacks more frequently and promptly. A portion of the work is now available on GitHub as open source. The team will release the remaining code soon. The new AI model uses Natural Language Processing (NLP) and supervised learning to connect information in three different cybersecurity databases. The team's model automatically links vulnerabilities to the corresponding weaknesses with an accuracy of up to 87 percent, and links weaknesses to the appropriate attack patterns with an accuracy of up to 80 percent. According to the researchers, these numbers are significantly better than what current tools provide, but they warn that their new methods still need to be tested more widely. This article continues to discuss the new AI model developed to improve threat prioritization and spot attacks more quickly.

Pacific Northwest National Laboratory reports "New AI Model Aims to Plug Key Gap in Cybersecurity Readiness"

Since at least May 2020, an unknown threat actor has been observed using a malicious Windows kernel driver in attacks likely targeting the Middle East. Fortinet Fortiguard Labs, which labeled the artifact WINTAPIX (WinTapix.sys), links the malware, with low confidence, to an Iranian threat actor. According to security researchers, WinTapix.sys is a loader, so its primary objective is to produce and execute the next phase of the attack, which is achieved using a shellcode. Samples and telemetry data analyzed by Fortinet indicate that Saudi Arabia, Jordan, Qatar, and the United Arab Emirates are the primary targets of the campaign. The activity has not been attributed to a previously identified threat actor or group. Using a malicious kernel mode driver aims to subvert or disable security mechanisms and gain access to the targeted host. This article continues to discuss researchers' observations and findings regarding the new WinTapix.sys malware.

THN reports "New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East"

Meta, the owner of Facebook and Instagram, was fined $1.3 billion by the Irish Data Protection Commission for violating the European Union's (EU) General Data Protection Regulation (GDPR). Meta violated the GDPR by transferring the personal data of EU users to US servers. This is the largest penalty imposed since the EU's strict data privacy policies went into effect in 2016. It exceeds Amazon's previously record-breaking $808 million fine in 2021 for data protection violations. As a result of the European Court of Justice's nullification of the Privacy Shield, the EU and the US continue to explore alternatives on a new data flow. Originally, Privacy Shield served as a data transfer mechanism under the GDPR, allowing participating companies to comply with EU requirements regarding transferring personal data to third countries. Although a replacement is expected later in the year, a number of multinational corporations, including Meta, continue to unlawfully rely on the previous agreement, specifically the use of standard contractual clauses. This article continues to discuss Meta being fined for GDPR violations.

Dark Reading reports "Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations

The Picus Red Report 2023, based on the analysis of over 550,000 active malware strains, uncovered more than 5 million malicious activities. In the report, researchers identified the top cybercriminal tactics used in 2022. The findings also highlighted the increasing prevalence of "Swiss Army knife" malware, which can execute various destructive actions throughout the whole cyber kill chain while evading security measures. The analysis conducted by Picus Labs brings further attention to the adaptability of modern malware. According to the research, one-third of the entire sample uses more than 20 different tactics, techniques, and procedures (TTPs). Modern malware can exploit legitimate software, move laterally within systems, and encrypt files, which is considered exceptionally sophisticated. Picus notes that the advanced level of malware development is likely attributable to the vast resources of well-funded ransomware groups. The findings emphasize the need for security defenders to develop innovative behavior-based detection methods. This article continues to discuss the concept of multi-purpose malware, the growing versatility of malware, and how to improve anti-malware security efforts.

Security Intelligence reports "Swiss Army Knife Malware Slices Through Systems In so Many Ways"

The cybercrime group FIN7, which has previously used ransomware strains created by groups such as REvil and Maze, has added a new strain to its arsenal. Researchers from Microsoft's security team observed the group deploying the Clop ransomware in April. This was the group's first ransomware campaign since late 2021. Microsoft noted that FIN7, which it now refers to as Sangria Tempest, was observed deploying multiple tools to gain a foothold on victim systems before moving laterally within a network and launching the Clop ransomware. Prior to managing the now-retired DarkSide and BlackMatter ransomware operations, the group deployed REvil and Maze. In November, SentinelOne researchers linked the cybercrime group to the Black Basta ransomware operation, which was responsible for high-profile attacks against the American Dental Association and the German wind farm operator Deutsche Windtechnik. Since 2012, FIN7, formerly known as Carbanak, has conducted dozens of cybercriminal operations. Around 2020, the group went from using point-of-sale malware to ransomware. Between 2015 and 2018, FIN7 was accused of attacking over 100 US companies and orchestrating breaches of many US retailers. This article continues to discuss the FIN7 cybercrime family being tied to Clop ransomware.

The Record reports "Researchers Tie FIN7 Cybercrime Family to Clop Ransomware"

A man has recently been sentenced to 13 years and four months for running a multi-million-dollar fraud website that led to at least $124.2m being stolen globally. Of this, $53.4m was taken from UK victims. Law enforcement believes the actual losses to be far higher because fraud is a heavily underreported crime. Tejay Fletcher, 35, from London, UK, was handed the jail term after pleading guilty to charges of making or supplying articles for use in fraud, encouraging or assisting the commission of an offense, possessing criminal property, and transferring criminal property. The crimes took place between November 30, 2020, and November 8, 2022. The sentence followed a large international law enforcement operation led by London's Metropolitan Police in coordination with the City of London Police, the National Crime Agency, Europol, Eurojust, Dutch authorities, and the FBI. The police noted that while Fletcher was not directly responsible for the scams, his website offered tools for hire that enabled its users to launch sophisticated financial scams. Criminals used the service's technology to pose as representatives of banks, including Barclays, Santander, HSBC, Lloyds, and Halifax. They would call members of the public to warn of suspicious activity on their accounts, and ask them to disclose sensitive security information, such as one-time passcodes, to access their money. The police stated that the software allowed users to mask their phone numbers to trick victims into believing they were calling from their bank. iSpoof users could choose from a number of packages, allowing them to purchase the number of minutes they wanted to use the software for in Bitcoin. The police said that at its peak, the site had 59,000 registered users. Before it was shut down in November 2022, iSpoof was growing at a rate of 700 new users every week. In the 12 months until August 2022, around 10 million fraudulent calls were made globally via iSpoof, with roughly 3.5 million of those made in the UK.

Infosecurity reports: "UK Man Sentenced to 13 Years for Running Multi-Million Fraud Website"