News Items

The Lazarus Group, a notorious state-sponsored threat actor with ties to North Korea, has been linked to a new campaign targeting Linux users. According to a new report by ESET, the attacks are part of a persistent and long-running activity known as Operation Dream Job. The findings mark the first instance of the group using Linux malware as part of this social engineering scheme. Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves in which the group uses fraudulent employment offers as an enticement to convince unsuspecting targets to download malware. In addition, there are overlaps with two other Lazarus clusters called Operation In(ter)ception and Operation North Star. Similarly, the attack chain discovered by ESET delivers a fake HSBC job offer as a decoy within a ZIP archive file, which is then used to initiate a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account. This article continues to discuss the Lazarus Group's new campaign against Linux users.

THN reports "Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job"

Attackers are injecting stealthy backdoors into websites using Eval PHP, an outdated WordPress plugin. Eval PHP is an outdated WordPress plugin that enables site administrators to embed PHP code on WordPress pages and posts, which is then executed when the page is loaded in the browser. The plugin has not been updated in a decade and is generally regarded as abandonware, but it is still accessible via the WordPress plugins repository. According to the website security company Sucuri, the use of Eval PHP to embed malicious code on seemingly harmless WordPress pages increased in April 2023, with an average of 4,000 malicious installations per day of the WordPress plugin. The primary advantage of this method over traditional backdoor injections is that Eval PHP can be used to reinfect cleaned sites while the point of compromise remains relatively hidden. This article continues to discuss attackers' use of the old Eval PHP WordPress plugin to compromise websites.

Bleeping Computer reports "Attackers Use Abandoned WordPress Plugin to Backdoor Websites"

The 3CX Desktop App software has been reportedly compromised via a prior software supply chain breach, with a North Korean actor suspected to be responsible. Security researchers at Mandiant stated the initial compromise was traced back to malware from financial software firm Trading Technologies' website. The researchers noted that the first attack saw hackers place a backdoor into an application available on the website known as X_Trader 1. That infected app, later installed on the computer of a 3CX employee, allowed the hackers to spread their access through 3CX's network. Mandiant said this would be the first observed instance of one software supply chain attack leading to another. The researchers noted that in late March 2023, a software supply chain compromise spread malware via a trojanized version of 3CX's legitimate software that was available to download from their website. The researchers stated that the attack shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions, as demonstrated in this investigation. The security experts said the affected versions of 3CX were DesktopApp 18.12.416 and earlier, which contained malicious code. The code ran a downloader, Suddenicon, which in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub. The decrypted C2 server was then used to download a third-stage payload called Iconicstealer, a data miner that steals browser information. Mandiant said the researchers are currently tracking this malicious activity as UNC4736, a suspected North Korean nexus cluster of activity.

Infosecurity reports: "North Korean Hacker Suspected in 3CX Software Supply Chain Attack"

The Artificial Intelligence (AI) chatbot ChatGPT has been generating a great deal of buzz in the news and on social media regarding its ability to write blogs, software source code, and frameworks. People are sharing what they have done with the Large Language Model (LLM)-based bot and what they plan to do in the future. Their applications include product prototyping, virtual assistants, and nearly limitless duties. Cybercriminals have experimented with ChatGPT. Based on dark web forums, cybercriminals are using ChatGPT to generate malicious code. According to Nicole Sette, associate managing director of the cyber risk business at Kroll, a corporate investigation and risk consultancy, most researchers agree that chatbots are not yet optimized for code creation, as they lack the creativity to develop new code. However, in March 2023, Kroll observed hacking forum users discussing methods for bypassing ChatGPT restrictions and using the program to generate code. Sette explains that other forum users shared code for circumventing ChatGPT's Terms of Service, also known as 'jailbreaking ChatGPT,' in various dark web forums. Threat actors have discovered methods to use chatbots to write malware, including information stealers. Check Point Research reported that someone on an underground hacker forum used ChatGPT to recreate a Python-based information stealer using published analyses of prevalent malware. This article continues to discuss how cybercriminals are using ChatGPT.

CACM reports "Turning AI to Crime"

Cisco recently announced patches for critical vulnerabilities impacting its Industrial Network Director and Modeling Labs solutions. Designed for industrial network management, Industrial Network Director (IND) provides visibility into network and automation devices. Cisco released fixes for a critical-severity flaw in the web interface of IND that could be exploited remotely to execute commands on the underlying operating system. Tracked as CVE-2023-20036 (CVSS score of 9.9), the issue exists because input was not properly validated when uploading a device pack. An authenticated attacker could alter the upload request and execute commands with administrative privileges. Cisco IND version 1.11.3 resolves this vulnerability along with a medium-severity bug that could allow an attacker to read application data. This week, Cisco also released patches for a critical-severity flaw in the external authentication mechanism of Modeling Labs, an on-premises network simulation tool. Tracked as CVE-2023-20154 (CVSS score of 9.1), the issue is the result of improper handling of certain messages returned by the external authentication server. The security defect was patched with the release of Modeling Labs version 2.5.1. Cisco noted that an attacker could exploit this vulnerability by logging in to the web interface of an affected server. Under certain conditions, the authentication mechanism would be bypassed, and the attacker would be logged in as an administrator. Successful exploitation of the vulnerability would allow the attacker to access and modify simulations and user-created data. Cisco stated that to exploit this vulnerability, the attacker would need valid user credentials that are stored on the associated external authentication server. Recently the company also announced patches for high-severity vulnerabilities in StarOS software and the BroadWorks network server that could lead to privilege escalation and denial-of-service (DoS), respectively. Cisco warned that proof-of-concept (PoC) exploitation code targeting the StarOS software bug (which is tracked as CVE-2023-20046) has been publicly released. The tech giant says it is unaware of these vulnerabilities being exploited in attacks. However, customers are advised to apply the available fixes as soon as possible, as unpatched Cisco products are known to have been exploited in the wild.

SecurityWeek reports: "Cisco Patches Critical Vulnerabilities in Industrial Network Director, Modeling Labs"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) reports that there are about 153,000 public drinking water systems and over 16,000 publicly owned wastewater treatment systems in the US. Therefore, a cyberattack on these systems could result in service interruptions, damage to critical infrastructure, and even illness and death. The Johns Hopkins Applied Physics Laboratory (APL) in Laurel, Maryland, has developed and implemented a cost-effective cyber-physical security situational awareness capability for Industrial Control Systems (ICS) at the Cranberry Water Treatment plant in Westminster, Maryland. The technology is designed to detect and notify operators of malicious activity, including unauthorized access, malicious code, and data exfiltration. In addition, it provides a comprehensive view of the system's health and performance, enabling operators to quickly identify and resolve any problems. This solution integrates network fingerprinting, host-based monitoring, digital twin technology, and advanced event correlation and alerting to provide system operators with a comprehensive understanding of their systems. This article continues to discuss the development of the cost-effective cyber-physical security situational awareness capability for ICS and its testing at the Cranberry Water Treatment plant in Westminster, Maryland.

Johns Hopkins Applied Physics Laboratory reports "Developing Cybersecurity Solutions for Industrial Infrastructures"

The UK government's intelligence and security arm recently issued an alert on Russian state-aligned threat actors aiming to conduct disruptive and destructive attacks against critical infrastructure in Western countries. The National Cyber Security Centre (NCSC) stated that recently these threat groups have focused on distributed denial-of-service (DDoS) attacks, defacements, and misinformation attacks. The NCSC warns that some have stated a desire to achieve a more disruptive and destructive impact against Western critical national infrastructure (CNI), including in the UK. The agency believes these groups will focus on identifying poorly protected critical infrastructure systems to cause disruptions. The NCSC noted that threat actors that pose a threat include not only groups that are actually sponsored by the Russian government but also hacktivists that are sympathetic to Russia. Aligned with Moscow's interests, these threat actors support Russia's invasion of Ukraine, are ideologically motivated, and may not be subject to formal state control, which makes them less predictable, as their targeting is broader compared to that of cybercriminal groups. The NCSC believes these groups are not sophisticated enough and lack the resources to launch destructive attacks on their own. The agency says that without external assistance, they consider it unlikely that these groups have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term. Nonetheless, the NCSC notes that these groups may become more effective over time and recommends that organizations take the necessary precautions to prepare themselves for potential attacks.

SecurityWeek reports: "UK Warns of Russian Hackers Targeting Critical Infrastructure"

Fortra, the company developer of Cobalt Strike, is bringing further attention to the zero-day Remote Code Execution (RCE) flaw in its GoAnywhere MFT tool that ransomware actors are actively exploiting to steal sensitive data. The critical flaw, tracked as CVE-2023-0669, with a CVSS score: of 7.2, is a pre-authenticated command injection vulnerability that could be exploited for code execution. The company patched the vulnerability in version 7.1.2 of the software in February 2023, but not before it had been weaponized as a zero-day exploit since January 18. On January 30, 2023, Fortra, which collaborated with Palo Alto Networks Unit 42, was made aware of suspicious activity associated with some file transfer instances. According to the company, the unauthorized entity used the flaw to create unauthorized user accounts in certain MFTaaS customer environments. The unauthorized party leveraged user accounts for a subset of these customers to download files from their hosted MFTaaS environments. Cl0p, a Ransomware-as-a-Service (RaaS) provider, exploited the GoAnywhere vulnerability and was the most active threat actor observed, with a total of 129 victims, according to NCC Group. Cl0p's exploitation spree is the second time since September 2021 that LockBit has been dethroned from the top spot. Royal, BlackCat, Play, Black Basta, and BianLian were other prevalent ransomware strains. This article continues to discuss the zero-day RCE vulnerability in Fortra's GoAnywhere MFT tool that ransomware actors have actively exploited to steal sensitive data.

THN reports "Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks"

Hackers are infiltrating inadequately protected and Internet-exposed Microsoft SQL (MS-SQL) servers in order to deploy Trigona ransomware and encrypt all files. The MS-SQL servers are being compromised by brute-force or dictionary attacks that exploit account credentials that are easy to guess. After connecting to a server, the threat actors deploy malware called CLR Shell by researchers from the South Korean cybersecurity company AhnLab who discovered the attacks. This malware collects system information, modifies the compromised account's configuration, and escalates privileges to LocalSystem by exploiting a flaw in the Windows Secondary Logon Service, which is required to initiate the ransomware as a service. This article continues to discuss the hacking of MS-SQL servers to deploy Trigona ransomware payloads.

Bleeping Computer reports "Microsoft SQL Servers Hacked to Deploy Trigona Ransomware"

E2EE was proposed as an additional layer of encryption for the Global System for Mobile Communication and Terrestrial Trunked Radio mobile communications standards when the need and value of private and secure communications came of age. Nearly all consumer-oriented information-sharing services provide data encryption today, but not all are E2EE, and there is still confusion regarding what true E2EE entails. E2EE is a secure communication method that encrypts data at the sender's device and decrypts it only at the recipient's device, preventing anyone in between from reading or modifying the data. True E2EE offers a very high level of security because it prevents unauthorized parties from intercepting communications. In addition, unlike simpler encryption techniques, E2EE can provide mathematical proof of security through public/private key cryptography, algorithms that factor large prime numbers, and digital signatures that guarantee the sender's authenticity. This definition articulates the security functions and requirements necessary for government agencies to deploy E2EE services securely. True E2EE services are robust and fortified to help organizations meet the complex and stringent security and privacy requirements that most enterprises require. They enable agencies to minimize risk and maximize compliance, while providing the ability to communicate quickly and securely. Adopting best practices allows organizations in the public and private sectors to integrate E2EE successfully into their communications and file-sharing platforms. This article continues to discuss key attributes of secure communications that enterprises should consider when designing their E2EE models.

GCN reports "Not All Encryption Is Created Equal"

Researchers continue to work toward realizing a future populated by autonomous vehicles, but the threat of cyberattacks is one of the most pressing issues to resolve. To address this critical issue, a new research team is exploring methods to mitigate the effects of cyberattacks on transportation infrastructure and Connected Autonomous Vehicle (CAV) systems on road traffic safety. As part of its University Transportation Centers (UTC) program, the Department of Transportation (DOT) has awarded a $10 million, five-year grant in support of the work. Dr. Yunpeng (Jack) Zhang will lead the Transportation Cybersecurity Center for Advanced Research and Education (CYBER-CARE) at the University of Houston (UH). Texas A&M University-Corpus Christi, Embry-Riddle Aeronautical University, Rice University, the University of Cincinnati, and the University of Hawaii at Honolulu are members of the CYBER-CARE consortium. The work will include researching, developing, and testing various technologies to specify, evaluate, and enforce cybersecurity and safety policies for CAV accident management policies. This article continues to discuss the research effort to bolster transportation cybersecurity.

Texas A&M University-Corpus Christi reports "TAMU-CC Researchers Part of Cybersecurity Research Team Funded by $10M Department of Transportation Grant"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI are collaborating with international partners' cybersecurity agencies to publish cybersecurity best practices for smart cities. Smart cities incorporate public services into a connected environment to increase efficiencies and improve the quality of life in different communities. Seven agencies from five countries have published the Cybersecurity Information Sheet, "Cybersecurity Best Practices for Smart Cities," highlighting how the integration of Operational Technology (OT) in a connected environment has many benefits but can also be an attractive target for malicious cyber actors seeking to steal data from critical infrastructure and proprietary information, perform ransomware operations, or execute destructive cyberattacks. The report explores risks stemming from three areas, including a large interconnected attack surface, the Information and Communications Technology (ICT) supply chain and vendors, and infrastructure operations automation. This article continues to discuss the agencies' release of a report aimed at strengthening cybersecurity for smart cities.

NSA reports "NSA Part of Coalition Highlighting Cybersecurity Best Practices for Smart Cities"

Cybersecurity professionals need help remembering all the various names companies use to refer to threat actors. For example, some use a number system, while others use colors, animals, and adjectives such as "fancy" and "charming." Microsoft has announced that it is moving away from a taxonomy based on chemical elements to one that uses weather-themed names to classify hacking groups, adding yet another naming scheme. The tech giant outlined its new naming scheme, explaining that countries will be assigned weather conditions such as blizzard for Russia, sleet for North Korea, typhoon for China, and sandstorm for Iran, while specific groups within nations will be categorized by an adjective such as a color. An Iranian nation-state group will be renamed "Mint Sandstorm" after previously being referred to as "Phosphorus." Microsoft's John Lambert stated that the increasing complexity, scale, and volume of threats calls for reimagining not only how Microsoft communicates threats but also how the company enables customers to understand these threats quickly and with clarity. With the new taxonomy, consumers and security researchers who are already overwhelmed by threat intelligence data will be provided with more context. Lambert explained that the new system would enable them to better organize the threat groups they are tasked with monitoring and provide easier classification methods. Simply by reading the name, researchers and security teams will immediately have an idea about the type of threat actor they are facing. He added that Microsoft is currently tracking over 300 threat actors, including 160 nation-state groups, 50 ransomware gangs, and hundreds of other types of attackers. Using its new naming taxonomy, Microsoft has reclassified every actor it tracks. This article continues to discuss Microsoft's new naming scheme for threat actors.

The Record reports "'Denim Tsunami' and 'Mulberry Typhoon': Microsoft Alters the Way It Names Hacking Groups"

Researchers from Finland's Aalto University published a report titled "Cyber Citizen Skills and Their Development in the European Union," urging EU member states to develop a unified, people-centered approach to cyber skills and cybersecurity. It was discovered that there are significant differences in the quality of cybersecurity education and other digital skills across the EU. The researchers' study was conducted as part of the Cyber Citizen Initiative. Its primary objective is to create a "cybersecurity civic skills learning model and a learning portal for all Europeans," according to the report's authors. According to the report, the online learning portal will contain content aimed at various audiences. It will include a cybersecurity game that facilitates practical and entertaining cybersecurity education. The researchers found that a unified learning model would help the EU in focusing its efforts to ensure that all citizens have at least a moderate level of cybersecurity competence based on their analysis of the various methodologies EU countries use to develop citizens' cybersecurity skills. This article continues to discuss the new EU cyber citizen report calling on EU member states to develop a cohesive cybersecurity skills plan for all citizens.

Silicon Republic reports "New Report Calls on EU to Develop Cohesive Cybersecurity Skills Plan for All"

According to Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority, the recent data breach of personal information for thousands of users of Washington D.C.'s health insurance exchange, including members of Congress, was caused by basic human error. The data breach was first discovered in early March and included basic personal information, including date of birth, Social Security numbers, and contact information for "56,415 current and past customers including members of Congress, their families, and staff." Kofman stated that her office immediately brought in the FBI Cyber Security Task Force, and the security flaw was quickly tracked down to a particular computer server that was "misconfigured to allow access to the reports on the server without proper authentication. Based on their investigation to date, they believe the misconfiguration was not an intentional but human mistake." Kofman noted that this security flaw enabled an unidentified hacker to steal two reports that contained the client information, some of which were later offered up for sale in an online forum. Kofman stated that the stolen data "included that of 17 Members of the House and 43 of their dependents, and 585 House staff members and of their 231 dependents."

NBC Washington reports: "DC Health Link Data Breach Blamed on Human Error"

Researchers have emphasized that Large Language Model (LLM)-driven malware assessments should not be used in place of human analysis because the Artificial Intelligence (AI) technology underlying them can be deceived and manipulated. They have warned that the prevalence of malicious packages in repositories such as PyPI and npm continues to rise. Researchers from Endor Labs stated that the creation of fake accounts and the distribution of malicious packages can be automated to such an extent that the marginal costs of creating and spreading a malicious package are close to zero. Therefore, the company conducted an experiment and helped identify malicious packages by using a combination of AI techniques and examining the source code and metadata of packages. Researchers explained that the source code is examined for the presence of typical malware behaviors such as droppers, reverse shells, and information exfiltration. GPT-3.5 was queried for 1,874 artifacts. Although LLMs can be beneficial in day-to-day operations, Endor Labs has determined that they cannot replace human review. This article continues to discuss GPT being tricked into believing malware is benign.

Cybernews reports "GPT Tricked by Analysts Into Believing Malware Is Benign"

Security researchers at Akamai have discovered that last year was a record-breaker in terms of API and application-based attacks on the EMEA retail sector, with detected threats surging 189%. During the study, Akamai analyzed intelligence gathered from 340,000 servers in 4000 locations on 1300 networks in 134 countries. The researchers saw a significant spike in attacks last year across the high-tech (176%) and social media (404%) sectors in EMEA. Globally, the financial services sector also saw an increase in attacks based on 2021 figures. However, in the UK, recorded threats declined by 4%, making this the only region to experience a decrease in this vertical. The researchers suggested that this could be down to threat actors targeting individual account holders rather than large banking institutions. Retail, high tech, and financial services remained by far the most popular targets for web attacks in 2022, accounting for over 70% of total detected threats during the year. The researchers noted that elsewhere, attacks on the healthcare industry globally surged 55% from 2021 to 2022, driven by greater adoption of IoT equipment, which has expanded organizations' attack surfaces. The researchers also found that Local File Inclusion (LFI) remained the top attack vector in EMEA, with attacks growing 115% from 2021 to 2022. Globally they surged by even more (193% year-on-year).

Infosecurity reports: "Triple-digit Increase in API and App Attacks on Tech and Retail"

Through an infected third-party library, malware capable of stealing data and committing click fraud has infiltrated 60 mobile apps. Researchers discovered that the infected apps have been downloaded more than 100 million times from the official Google Play store and are available in other app stores in South Korea. Goldoson, discovered and named by researchers at McAfee Labs, is capable of various malicious activities on Android-based devices. The malware can compile lists of installed apps and determine the location of nearby devices via Wi-Fi and Bluetooth. In addition, it can commit ad fraud by clicking on advertisements in the background without the user's consent or knowledge. L.POINT with L.PAY, Swipe Brick Breaker, Money Manager Expense & Budget, Lotte Cinema, Live Score, and GOM are among the popular apps affected by Goldoson. This article continues to discuss the Goldoson malware.

Dark Reading reports "'Goldoson' Malware Sneaks into Google Play Apps, Racks Up 100M Downloads"

The Biden administration's National Cybersecurity Strategy recommends a security-by-design approach, which includes holding software vendors accountable for upholding a "duty of care" to consumers and designing systems to "fail safely and recover quickly." The strategy identifies the need to implement a "national cyber-informed engineering strategy" for energy infrastructure in order to achieve significantly more effective cybersecurity protections. To ensure high levels of safety and reliability, the engineers who build complex infrastructure systems adhere to standards and procedures. However, most of these procedures were developed before the start of modern cybersecurity and, therefore, do not make engineers consider cyber threats and design cybersecurity defenses. Through its cyber-informed engineering initiative, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) of the Department of Energy (DOE) aims to address this issue. CESER is working with National Laboratories to educate engineers on designing systems to eliminate cyberattack entry points and mitigate their effects. Early in the system design process, engineers can identify the system's critical functions and determine how to engineer them to mitigate the effects of digital disruption or misuse. This cyber-informed engineering, when coupled with a robust Information Technology (IT) security strategy, provides the opportunity to defend systems much more effectively than IT security alone can. The Idaho National Laboratory pioneered cyber-informed engineering concepts and is collaborating with CESER to educate industry, academia, and government on how to apply these concepts to real-world problems. This article continues to discuss cyber-informed engineering.

Harvard Business Review reports "Engineering Cybersecurity into US Critical Infrastructure"

Salesforce surveyed over 400 healthcare employees to explore perceived weaknesses in healthcare security programs. As generative Artificial Intelligence (AI) and other new technologies gain popularity, security experts face the challenge of keeping up with the security risks these new tools bring. Almost a quarter of Salesforce survey respondents believe generative AI tools such as ChatGPT or DALL-E are safe to use at work. Furthermore, 15 percent of respondents said they have already tested these technologies. However, despite increased interest in these developments, only 55 percent of respondents felt their organization's security policies were keeping up with emerging tools and technology. Cybersecurity risks will continue to evolve as more patient data is stored and transmitted online. Healthcare workers are essential to the security of patient data. Organizations could empower their workforce by cultivating a strong security-first culture that highlights the importance of security at all levels and provides secure digital tools. Most healthcare employees appear to grasp their duty to protect patient data, with 76 percent agreeing that patient data protection is their responsibility. Yet, about a third of respondents said they did not know what to do in the case of a breach, indicating a need for more security training and awareness. Over two-thirds of respondents stated their organization had a security-first culture, but only 31 percent were familiar with internal security practices. This article continues to discuss key findings from Salesforce's survey of healthcare workers regarding gaps in healthcare security programs.

HealthITSecurity reports "55% of Surveyed Healthcare Workers Believe Security Policies Keep Up With New Tech"

The latest individual CyberForce Program competition led by Argonne National Laboratory, a US Department of Energy (DOE) national laboratory, challenged college-aged students to solve anomalies in a seven-hour cyber sprint. Cameron Whitehead of the University of Central Florida was named the winner of the 2023 CyberForce Conquer the Hill: Adventurer Edition competition by Argonne National Laboratory. Whitehead was one of 213 students from 95 accredited US colleges and universities that competed digitally over a seven-hour energy sector-related adventure to resolve over 57 anomalies, which are work-based cybersecurity tasks and challenges. The goals of the DOE's Conquer the Hill competitions and the overall CyberForce Program, which Argonne leads, are to provide college students with hands-on education, raise awareness about the critical infrastructure and cybersecurity nexus, and promote basic understanding of cybersecurity in real-world scenarios. According to a 2022 study, the US lacks 410,695 cybersecurity professionals. With the volume of information on the Internet rising, enhancing security and establishing a cybersecurity workforce is a top issue. The National Institute of Standards and Technology (NIST) National Initiative for Cybersecurity Education framework was used to map all of the anomalies in this year's Conquer the Hill: Adventurer competition. DOE and Argonne believe that by developing the challenges within this framework, students will be able to better understand where they are proficient in cybersecurity abilities and where they may need to improve. This article continues to discuss the 2023 CyberForce Conquer the Hill: Adventurer Edition competition.

Argonne National Laboratory reports "Emerging Cyberpros Tried to Conquer The Hill in Argonne's Latest CyberForce Program Challenge"

Cybersecurity researchers at ESET have discovered that the RedLine information stealer's operations have recently been disrupted after the takedown of GitHub repositories used by the malware's control panels. A piece of commodity malware active since at least early 2020, the RedLine stealer is written in .NET and packs broad data exfiltration capabilities. The researchers noted that the malware targets system information, cookies and other browser data, login credentials for various applications and services, credit card information, and crypto wallets. Available under the stealer-as-a-service business model, RedLine was seen being offered by 23 of 34 Russian-speaking groups that were distributing infostealers last year. Each of the groups had an average of 200 members. The researchers stated that RedLine is sold on underground forums and Telegram channels. Affiliates purchase access to an all-in-one control panel that acts as a command-and-control (C&C) server, allowing them to generate new samples and to manage stolen information. The researchers noted that the removal of these repositories should break authentication for panels currently in use. While this doesn't affect the actual back-end servers, it will force the RedLine operators to distribute new panels to their customers. Stealer-as-a-service is one of the top three crime-as-a-service categories likely to be prevalent in 2023, along with ransomware-as-a-service and victims-as-a-service.

SecurityWeek reports: "Takedown of GitHub Repositories Disrupts RedLine Malware Operations"

A year ago, Apple introduced a new feature called Lockdown Mode for iPhone users who feared being targeted by sophisticated spyware, such as journalists and human rights activists. Researchers have now discovered evidence that Lockdown Mode helped thwart an attack by hackers involving spyware developed by the infamous mercenary hacking provider NSO Group. Citizen Lab, a cybersecurity and human rights research organization, published a report analyzing three new zero-day exploits in iOS 15 and iOS 16, indicating that Apple was unaware of the vulnerabilities when at least two Mexican human rights defenders were targeted. The researchers discovered that one of these exploits was blocked by Lockdown Mode. This is the first known instance in which Lockdown Mode effectively prevented a targeted attack. In the recent cases, Citizen Lab researchers reported that the iPhones belonging to the targets blocked hacking attempts and displayed a notification stating that Lockdown Mode prevented access to the Home app. However, the researchers emphasized that NSO's exploit developers may have figured out a solution to the notification issue at some point, such as by fingerprinting Lockdown Mode. This article continues to discuss Apple's Lockdown Mode blocking NSO spyware.

TechCrunch reports "Apple's High Security Mode Blocked NSO Spyware, Researchers Say"

The National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to publish a joint Cybersecurity Advisory (CSA) report on the tactics, techniques, and procedures (TTPs) related to APT28's exploitation of Cisco routers. APT28 is also known as Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Center (GTsSS) military intelligence unit 26165, Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang, and Sofacy. The coalition disclosed the vulnerability that APT28 exploits to conduct reconnaissance and distribute malware on Cisco routers. APT28 cyber actors masqueraded Simple Network Management Protocol (SNMP) to exploit the vulnerability, tracked as CVE-2017-6742, and gain access to vulnerable Cisco routers worldwide. This included government institutions in the US, about 250 Ukrainian victims, and a small number of European victims. This article continues to discuss the joint CSA on APT28 exploiting a known vulnerability to carry out reconnaissance and deploy malware on Cisco routers.

NSA reports "NCSC-UK, NSA, and Partners Advise about APT28 Exploitation of Cisco Routers"