News Items

  • news

    "Are We Taking Patient Privacy as Seriously as We Ought to Be?"

    Anita Allen, University of Pennsylvania professor of law and philosophy, kicked off the 2022 HIMSS Healthcare Cybersecurity Forum with a discussion of patient privacy in an era of widespread data sharing. Allen drew on her expertise in law and bioethics to address issues of great concern in healthcare and technology, with a focus on data exchange and patient privacy. Her keynote centered on the shifting narrative around data sharing and privacy. Attitudes toward health data privacy are changing rapidly, and disclosure is becoming the new norm: people increasingly disclose personal health information via wearables, social media, and other technologies, she said, and researchers and the government actively encourage this sharing. However, the desire for privacy is highly personal and should not be underestimated. According to Allen, the new narrative may be favored by large companies and the government, who believe that sharing data is the better path to health, but those pushing it forward may treat privacy interests lightly, and this warrants further consideration. She cited the All of Us Research Project, part of the National Institutes of Health's Precision Medicine Initiative, as an example of a new-narrative project. It is building a database of 1 million diverse Americans from all walks of life who will disclose their phenotypic and genetic health data. The data will sit in a government database as a research resource, but exactly what it will be used for remains unclear. Allen believes that much reflection is required and that striking a balance between the interests in privacy and in disclosure presents a real challenge. This article continues to discuss key points made by Allen on patient data privacy.

    HealthcareITNews reports "Are We Taking Patient Privacy as Seriously as We Ought to Be?"

  • news

    "Gen Z Internet Users "Normalize" Cybercrime - Report"

    A new study by researchers at the University of East London (UEL) has found that a large proportion of young internet users engage in some form of cyber-related crime, including money muling, digital piracy, and posting hate speech. The research was funded by the EU's Horizon fund and undertaken in collaboration with Europol's cybercrime center. It polled 8,000 16- to 19-year-olds across Europe about 20 types of online behavior. The researchers found that around half had engaged in behavior considered criminal in most jurisdictions.

  • news

    "FCC's Proposal to Strengthen Emergency Alert Security Might Not Go Far Enough"

    The US Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) in October to bolster the security of the nation's Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA). These systems alert the public to emergencies over AM, FM, and satellite radio, over broadcast, cable, and satellite television, and on wireless phones. EAS participants are required to broadcast presidential alerts but carry state and local EAS alerts voluntarily. The NPRM proposes that broadcasters and cable companies report unauthorized access to their EAS equipment to the FCC within 72 hours. It also proposes requiring wireless providers that deliver emergency alerts to certify annually that they have a cybersecurity risk management plan in place and have implemented adequate security measures for their alerting systems. Furthermore, it proposes that wireless providers transmit sufficient authentication information to ensure that consumer devices display only valid alerts. Malicious actors exploiting vulnerabilities in the nation's EAS have been a source of concern for years, and the concern is not purely theoretical. The FCC describes incidents that raised questions about what might happen if an attacker breached one or more emergency alert providers. The best known is the 2018 "zombie attack" warning broadcast over multiple Midwest television stations, a prank made possible by the stations' failure to change the default passwords on their EAS equipment. Research released by Ken Pyle, a security researcher at CYBIR, prompted the commission to issue this latest NPRM. Pyle discovered a flaw in an EAS encoder and decoder, specifically the Monroe Electronics R189 One-Net DASDEC EAS device, which is widely used by EAS providers. The flaw could allow attackers to obtain credentials and gain access to devices and servers, enabling them to send false messages and lock out legitimate users, effectively disabling all responses. This article continues to discuss the FCC's proposal to strengthen emergency alert security and the need for next-generation technology to take EAS security to the next level.

    CSO Online reports "FCC's Proposal to Strengthen Emergency Alert Security Might Not Go Far Enough"

  • news

    "Amnesty International Canada Says It Was Hacked by Beijing"

    The Canadian branch of Amnesty International recently announced that it was the target of a cyberattack sponsored by China. The human rights organization said it first detected the breach on October 5 and hired forensic investigators and cybersecurity experts to investigate. Amnesty International stated that the searches in its systems were specifically and solely related to China and Hong Kong, as well as a few prominent Chinese activists. The hack left the organization offline for nearly three weeks. US cybersecurity firm Secureworks stated that there was no attempt to monetize the access, and that "a threat group sponsored or tasked by the Chinese state" was likely behind the attack because of the nature of the searches, the level of sophistication, and the use of specific tools that are distinctive of China-sponsored actors. In August, the cybersecurity firm Recorded Future listed Amnesty and the International Federation for Human Rights among organizations that Chinese hackers were targeting through password-stealing schemes designed to harvest credentials.

    SecurityWeek reports: "Amnesty International Canada Says It Was Hacked by Beijing"

  • news

    "Iran-Backed Hackers Linked to Espionage Campaign Targeting Journalists and Activists"

    According to Human Rights Watch, hackers backed by the Iranian government have targeted human rights activists, journalists, diplomats, and politicians working in the Middle East as part of an ongoing social engineering and credential-phishing campaign. Human Rights Watch said the espionage campaign was carried out by APT42, an Iran-backed hacking group first identified by cybersecurity firm Mandiant in September. According to Mandiant, APT42, also known as TA453, Phosphorus, and Charming Kitten, helps Iran's Islamic Revolutionary Guard Corps gather intelligence and has launched more than 30 confirmed operations against non-profit, education, and government targets worldwide since 2015. Human Rights Watch said it first learned of APT42's latest campaign after one of its employees received suspicious WhatsApp messages from someone claiming to work for a Lebanon-based think tank. The message contained a link to a fraudulent login page that captured the recipient's email address and multi-factor authentication (MFA) code. In its analysis, conducted in collaboration with Amnesty International's Security Lab, Human Rights Watch identified 18 additional victims targeted in the same campaign; 15 of them confirmed receiving the same WhatsApp messages between September 15 and November 25. On November 23, a second Human Rights Watch staff member received the same WhatsApp messages from the same number. Following its investigation, and after finding Google's security measures inadequate, Human Rights Watch is urging Google to strengthen its Gmail account security warnings to better protect its most vulnerable users, including journalists and human rights defenders. This article continues to discuss the espionage campaign attributed to APT42 that has been targeting activists, journalists, diplomats, and politicians working in the Middle East.

    TechCrunch reports "Iran-Backed Hackers Linked to Espionage Campaign Targeting Journalists and Activists"

  • news

    "Two Million Android Malware Apps Discovered on Google Play"

    More than two million people have been tricked into installing new Android malware, phishing, and adware apps from the Google Play store. Dr.Web antivirus researchers identified the apps, which pose as useful utilities and system optimizers but instead cause performance issues, unwanted advertisements, and a poor user experience. TubeBox, which is still available on Google Play, is one of the apps, with one million downloads. TubeBox promises users monetary rewards for watching movies and advertisements in the app but consistently displays errors when they try to redeem the prizes they have collected. According to the researchers, users who reach the final withdrawal stage never receive the money; the whole scheme exists to keep users in the app as long as possible so that they view advertisements and generate revenue for the app's creators. Four adware apps that appeared on Google Play in October 2022 have since been taken down: 'Bluetooth device auto connect,' 'Bluetooth & Wi-Fi & USB driver,' 'Volume, Music Equalizer,' and 'Fast Cleaner & Cooling Master.' These apps receive instructions via Firebase Cloud Messaging and load the URLs listed in them, resulting in fraudulent advertisements being displayed on affected devices. In the case of Fast Cleaner & Cooling Master, which had a low download volume, remote operators could also configure an infected device to act as a proxy server, which threat actors could use to route their own traffic through the compromised device. Dr.Web also discovered several loan scam apps on Google Play, with an average of 10,000 downloads, that claimed to have direct connections to Russian banks and investment firms. These apps were promoted through malicious advertising in other apps, promising guaranteed investment returns, and direct users to phishing websites where their personal information is collected. This article continues to discuss the discovery of two million Android malware apps on Google Play.

    CyberIntelMag reports "Two Million Android Malware Apps Discovered on Google Play"

  • news

    "Russian Hackers Use Western Networks to Attack Ukraine"

    Security researchers at Lupovis have discovered that Russian hackers are using their presence inside the networks of organizations in the UK, US, and elsewhere to launch attacks against Ukraine. The researchers set up a series of decoys on the web to lure Russian threat actors so they could study their tactics, techniques, and procedures (TTPs). These included fake "honeyfile" documents leaked to cybercrime forums and spoofed to contain what appeared to be critical usernames, passwords, and other information. Other decoys included insecurely configured web portals designed to mimic Ukrainian political and governmental sites and "high interaction and ssh services," the latter configured to accept the fake credentials from the web portals. The researchers stated that the exercise highlighted just how primed and ready Russian threat actors are to seize on any evidence of Ukrainian targets. Some 50-60 human actors interacted with just five decoys, many of them reaching the honeypots within a minute of their going live. The duped hackers attempted a variety of attacks, ranging from reconnaissance of the lure information to conscripting the decoys into DDoS botnets and exploiting SQL injection and other bugs. The most concerning finding from the study, the researchers stated, is that Russian cybercriminals have compromised the networks of multiple global organizations, including a Fortune 500 business, over 15 healthcare organizations, and a dam monitoring system. These organizations are based in the UK, France, the US, Brazil, and South Africa, and Russian criminals are rerouting through their networks to launch cyberattacks on Ukraine, effectively using these organizations to carry out their dirty work. The researchers hypothesized that the threat actors may be Russian cybercriminals rather than state actors. Given that their research shows over 15 healthcare organizations had been compromised by Russian criminals, the researchers noted that the attackers may be working under the radar on those networks and using their access to launch attacks on other institutions. Once discovered, they then launch ransomware attacks on the healthcare organizations' systems or carry out data breaches. This would suggest attackers are maximizing every tool in their arsenal to compromise an organization before moving on to their next victim.

    Infosecurity reports: "Russian Hackers Use Western Networks to Attack Ukraine"

  • news

    "Four Indicted After Hacking US Businesses, Filing False Tax Returns"

    Four men from the UK and Sweden have been indicted on several charges in connection with an alleged attempt to hack into the computers of several US businesses and file fraudulent tax returns using stolen personal information. On November 30, three of the men were arrested in London. On December 1, a fourth man was arrested in Malmö, Sweden. All four now face extradition proceedings in their respective countries, and if convicted in US courts, they face up to 20 years in federal prison. According to the indictment, they gained access to the computers through the xDedic Marketplace, a website where hackers sold access to compromised systems all over the world and offered personal information belonging to US residents. In 2019, the FBI, Internal Revenue Service (IRS), and Department of Justice (DoJ) shut down the marketplace. The investigation into the suspects was led by the IRS Cyber Crimes Unit, FBI, and DoJ, with assistance from law enforcement in Canada, the UK, and Sweden. The indictments were issued on the same day that law enforcement agencies from 25 countries joined forces with Europol to arrest 2,469 people accused of money laundering between mid-September and the end of November. The US collaborated with several countries in Europe, South America, and Asia to disrupt the large-scale operation, which centered on dismantling a network of money mules used to launder money stolen in various scams. During the two-month operation, more than 17.5 million euros were intercepted. This article continues to discuss the indictment of four men based in the UK and Sweden on charges related to the attempted hacking of US businesses' computers and the filing of false tax returns using stolen information.

    The Record reports "Four Indicted After Hacking US Businesses, Filing False Tax Returns"

  • news

    "Economic Uncertainty Will Greatly Impact the Spread of Cybercrime"

    Norton has released its top cyber trends to watch in 2023, highlighting that the economy will have the greatest influence on the spread of cybercrime next year. According to experts, the pressures of economic uncertainty and rising costs will create an ideal environment for scammers to prey on people when they are most vulnerable. Cybercriminals will continue to trick victims into handing over personal information, emptying their bank accounts, or paying for products or services that never arrive. There will be an increase in finance-related scams, such as assistance scams that impersonate government assistance programs to steal Personally Identifiable Information (PII), and shopping deal scams offering low-cost products to steal information or cash out without delivering the order. Companies operating with fewer employees will see an increase in data breaches and ransomware attacks. Scammers will continue to use Artificial Intelligence (AI) in their criminal activities as the technology becomes more accessible and user-friendly. As language and video AI models improve, scammers can use deepfakes to impersonate real people in real time, tricking people into disclosing financial and personal information. Cybercriminals are devising new methods to circumvent standard multi-factor authentication (MFA) technologies. Companies that continue to use ineffective two-factor authentication (2FA) practices expose themselves and their customers to serious data breaches, which can result in massive consumer data leaks. There will be more data breaches, making it even more important to encourage people to use unique, complex passwords for all of their accounts. This article continues to discuss how the economy will impact the spread of cybercrime next year and other top cyber trends expected in 2023.

    Help Net Security reports "Economic Uncertainty Will Greatly Impact the Spread of Cybercrime"

  • news

    "Wiper, Disguised as Fake Ransomware, Targets Russian Orgs"

    CryWiper is a new malicious program that behaves much like crypto-ransomware: it overwrites and renames files before dropping a text file containing a ransom note and a Bitcoin address. However, rather than encrypting the victim's files, the program destroys their contents. Researchers have found that the program currently targets Russian organizations but could easily be used against companies and organizations in other countries. According to the researchers, the camouflaged wiper continues a trend of ransomware being used as a wiper, either intentionally or inadvertently. Wiper malware, which deletes critical data, has become a significant threat to both the private and public sectors. Russian agencies have used wipers in the conflict with Ukraine in an attempt to disrupt the country's critical services and defensive coordination. A decade ago, Iran used the Shamoon wiper to encrypt and render inoperable over 30,000 hard drives at Saudi Aramco, the state-owned oil conglomerate of rival Saudi Arabia. CryWiper appears to be original malware, but it employs the same Pseudo-Random Number Generator (PRNG) algorithm as IsaacWiper, a program used to attack public-sector organizations in Ukraine. Several Xorist ransomware variants and the Trojan-Ransom.MSIL.Agent family used the same email address that appears in the note CryWiper leaves after corrupting data, but Trellix believes this was done to cause confusion. This article continues to discuss the CryWiper program aimed at Russian targets.

    Dark Reading reports "Wiper, Disguised as Fake Ransomware, Targets Russian Orgs"

  • news

    "Hackers Hijack Linux Devices Using PRoot Isolated File Systems"

    In Bring Your Own File System (BYOF) attacks, hackers are abusing the open-source Linux PRoot utility to carry a consistent repository of malicious tools that works across multiple Linux distributions. In a BYOF attack, threat actors build a malicious file system on their own devices containing a standard set of attack tools. This file system is then downloaded and mounted on infected machines, giving the attackers a preconfigured toolkit for further compromising the Linux system. According to Sysdig, the attacks typically result in cryptocurrency mining, though more dangerous scenarios are possible. The researchers also warn how easily malicious operations against Linux endpoints of all kinds could be scaled with this novel technique. PRoot is an open-source utility that combines 'chroot,' 'mount --bind,' and 'binfmt_misc' to let users create an isolated root file system within Linux. PRoot processes are normally confined to the guest file system, but QEMU emulation can be used to mix host and guest program execution, and programs running inside the guest file system can use the host's mount/bind mechanism to access host files and directories. Sysdig discovered attacks that use PRoot to install, on already compromised systems, a malicious file system containing network scanning tools, the XMRig cryptocurrency miner, and their configuration files. This article continues to discuss the abuse of PRoot in BYOF attacks on Linux devices.
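    Detection heuristics for the PRoot-based BYOF technique described above, as an added example that is not part of the article or of Sysdig's research. It assumes a process snapshot of pid, ppid, user and command line; the scratch-directory, sensitive-path and tool-name lists are assumptions chosen for the demo, and the sample snapshot is constructed.

```python
"""Heuristic detection of PRoot-based "bring your own file system" (BYOF) activity.

Added example, not Sysdig's detection logic. It scans a process snapshot
(pid, ppid, user, command line), as an EDR or `ps -eo pid,ppid,user,args`
would provide, and flags PRoot launches whose guest root sits in a scratch
directory, that bind sensitive host paths or enable QEMU mixed execution,
plus known toolkit binaries running underneath such a PRoot. All path and
tool-name heuristics are assumptions; the sample snapshot is constructed.
"""
import os
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# PRoot's documented CLI options for the guest root, host bindings and QEMU.
ROOTFS_OPTS = {"-r", "--rootfs", "-S"}
BIND_OPTS = {"-b", "--bind"}
QEMU_OPTS = {"-q", "--qemu"}

# Assumption: a downloaded guest rootfs usually lands in a scratch or home dir.
SUSPICIOUS_ROOTFS_PARENTS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root")
# Assumption: a guest rarely has a legitimate need for these host paths bound in.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/proc")
# Tool names the article associates with the dropped file system (miner, scanners).
SUSPICIOUS_TOOLS = ("xmrig", "masscan", "nmap", "zmap")


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    reason: str
    detail: str


def _under(path: str, parents: Iterable[str]) -> bool:
    """True if `path` equals or lies below any directory in `parents`."""
    norm = os.path.normpath(path)
    return any(norm == p or norm.startswith(p + "/") for p in parents)


def analyze_proot_args(proc: Proc) -> List[Finding]:
    """Flag a PRoot invocation and the risky options it was started with."""
    argv = shlex.split(proc.cmdline)
    if not argv or os.path.basename(argv[0]) != "proot":
        return []
    findings = [Finding(proc.pid, "proot-launch", proc.cmdline)]
    for i in range(1, len(argv)):
        opt = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if val is None:  # last token is the guest command, no value follows
            break
        if opt in ROOTFS_OPTS and _under(val, SUSPICIOUS_ROOTFS_PARENTS):
            findings.append(Finding(proc.pid, "guest-rootfs-in-scratch-dir", val))
        elif opt in BIND_OPTS and _under(val.split(":", 1)[0], SENSITIVE_HOST_PATHS):
            findings.append(Finding(proc.pid, "sensitive-host-bind", val))
        elif opt in QEMU_OPTS:
            findings.append(Finding(proc.pid, "qemu-mixed-execution", val))
    return findings


def _descends_from(proc: Proc, ancestors: Set[int], by_pid: Dict[int, Proc]) -> bool:
    """Walk the parent chain; True if any ancestor pid is in `ancestors`."""
    seen: Set[int] = set()
    cur: Optional[Proc] = proc
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.ppid in ancestors:
            return True
        cur = by_pid.get(cur.ppid)
    return False


def detect_byof(procs: Iterable[Proc]) -> List[Finding]:
    """Run both heuristics over a snapshot and return all findings."""
    procs = list(procs)
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []
    proot_pids: Set[int] = set()
    for p in procs:
        hits = analyze_proot_args(p)
        if hits:
            proot_pids.add(p.pid)
            findings.extend(hits)
    for p in procs:  # toolkit binaries anywhere below a flagged PRoot
        argv = shlex.split(p.cmdline)
        name = os.path.basename(argv[0]).lower() if argv else ""
        if name.startswith(SUSPICIOUS_TOOLS) and _descends_from(p, proot_pids, by_pid):
            findings.append(Finding(p.pid, "toolkit-under-proot", p.cmdline))
    return findings


# Constructed snapshot: a web worker spawned PRoot with a rootfs in /tmp, bound /etc,
# enabled QEMU, and a miner runs inside; pid 5000 is a developer's benign-looking PRoot.
SAMPLE_PROCS = [
    Proc(1, 0, "root", "/sbin/init"),
    Proc(801, 1, "www-data", "/usr/sbin/apache2 -k start"),
    Proc(4410, 801, "www-data",
         "/tmp/.x/proot -S /tmp/.x/rootfs -b /etc:/etc -q /tmp/.x/qemu-x86_64 /bin/bash"),
    Proc(4411, 4410, "www-data", "/bin/bash -c ./xmrig --config=config.json"),
    Proc(4412, 4411, "www-data", "./xmrig --config=config.json"),
    Proc(5000, 1, "dev", "proot -r /opt/alpine-rootfs /bin/sh"),
]

if __name__ == "__main__":
    for f in detect_byof(SAMPLE_PROCS):
        print(f"pid {f.pid}: {f.reason} ({f.detail})")
```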

    Bleeping Computer reports "Hackers Hijack Linux Devices Using PRoot Isolated File Systems"

  • news

    "New BMC Supply Chain Vulnerabilities Pose Threat to Server, Cloud Computing Ecosystem"

    Researchers discovered three different security flaws in American Megatrends Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software, posing a threat to technology supply chains and to the major Information Technology (IT) hardware brands that support cloud computing. According to Eclypsium, a firmware and hardware security company, the identified vulnerabilities, which range in severity from medium to critical, can lead to Remote Code Execution (RCE) and unauthorized device access with superuser privilege. Malicious hackers can exploit them by gaining access to remote management interfaces, such as Redfish, to take control of the systems and harm cloud infrastructure. Vulnerabilities in a component supplier affect many hardware vendors, which in turn can affect many cloud services, according to Vladislav Babkin, an Eclypsium security researcher. As a result, these vulnerabilities can endanger both servers and hardware that an organization directly owns and the hardware that supports the cloud services it uses. MegaRAC BMC is used by many server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan. According to Eclypsium researchers, additional, as yet unidentified brands are likely similarly vulnerable. BMCs are specialized service processors designed to remotely control hardware settings and monitor host systems, even when the machines are turned off. These capabilities have made BMCs a lucrative target for threat actors wanting to plant highly persistent malware that can survive operating system reinstallation and a complete hard drive wipe. This article continues to discuss findings regarding the BMC supply chain vulnerabilities.

    SC Magazine reports "New BMC Supply Chain Vulnerabilities Pose Threat to Server, Cloud Computing Ecosystem"

  • news

    "Open-Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware"

    Because of its poor architecture and programming, an open-source ransomware toolkit called Cryptonite has been observed in the wild behaving as a wiper. Unlike other ransomware strains, Cryptonite is not for sale on the cybercriminal underground; it was previously distributed for free by an actor known as CYBERDEVILZ via a GitHub repository. The source code and its forks have since been removed. The malware, written in Python, uses the Fernet module of the cryptography package to encrypt files, giving them a ".cryptn8" extension. However, a new sample examined by Fortinet FortiGuard Labs was found to lock files with no way to decrypt them, essentially acting as a destructive data wiper. This does not appear to be a deliberate choice by the threat actor but rather the result of a lack of quality assurance: the program crashes when it tries to display the ransom note after the encryption process has completed. The problem with this flaw, according to Fortinet researcher Gergely Revay, is that because of the ransomware's simplistic design there is no way to recover the encrypted files if the program crashes or is even closed. This article continues to discuss Cryptonite accidentally turning into wiper malware.

    THN reports "Open-Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware"

  • news

    "Darknet Markets Generate Millions in Revenue Selling Stolen Personal Data, Supply Chain Study Finds"

    According to a study conducted by researchers from the University of South Florida and Georgia State University, stolen data products, like most legal commodities, pass through a supply chain that includes producers, wholesalers, and consumers. This supply chain, however, is linked by multiple criminal organizations operating in illegal underground marketplaces. The supply chain for stolen data starts with producers: hackers who exploit vulnerable systems to steal sensitive information such as credit card numbers, bank account information, and Social Security numbers. Wholesalers and distributors advertise and sell the stolen data. Consumers buy the data and use it to commit various types of fraud, such as fraudulent credit card transactions, identity theft, and phishing attacks. The trafficking of stolen data between producers, wholesalers, and consumers is made possible by darknet markets, websites that look like regular eCommerce sites but can only be accessed with special browsers or authorization codes. On 30 darknet markets, the researchers found thousands of vendors selling tens of thousands of stolen data products. Over an eight-month period, these vendors generated more than $140 million in revenue. The researchers conducted the most comprehensive systematic examination of stolen data markets that they are aware of in order to better understand the size and scope of this illicit online ecosystem. They began by identifying 30 darknet markets that advertised stolen data products. Then, for eight months, from September 1, 2020, to April 30, 2021, they extracted information about stolen data products from the markets on a weekly basis. This data was used to calculate the number of vendors selling stolen data products, the number of stolen data products advertised, the number of products sold, and the amount of revenue generated. In total, 2,158 vendors advertised at least one of the 96,672 product listings across the 30 marketplaces. Marketplaces had an average of 109 unique vendor aliases and 3,222 product listings for stolen data products. There were 632,207 recorded sales across these markets, generating total revenue of $140,337,999. This article continues to discuss the study on the millions in revenue generated by darknet markets selling stolen personal data.

    The Conversation reports "Darknet Markets Generate Millions in Revenue Selling Stolen Personal Data, Supply Chain Study Finds"

  • news

    "Binance Freezes $3 Million Worth of Crypto Stolen in Ankr Hack"

    After the hacking of Web3 infrastructure provider Ankr, Binance, one of the last remaining cryptocurrency giants, froze nearly $3 million in cryptocurrency. Ankr stated that $5 million in Binance coin was stolen from the platform and that it plans to compensate all users for their losses. Helio, another platform, confirmed that it was also targeted in a related attack. According to Binance CEO Changpeng Zhao, the platform was suspending Ankr token withdrawals, and the Ankr attack involved the compromise of a developer's private key. Ankr is a distributed node operator for proof-of-stake networks that allows users to stake their tokens without purchasing the necessary hardware. Someone used the developer's private key to mint six quadrillion aBNBc, Ankr's cryptocurrency. The hacker then exchanged aBNBc for other assets, including about 4.5 million USDC, a cryptocurrency pegged to the US dollar, which they in turn exchanged for ETH. The hacker transferred approximately $3 million of the stolen funds to Tornado Cash, a popular mixing service used by cybercriminals and nation-states to conceal the source of funds and convert cryptocurrency to fiat currency. The service is designed to make the source of funds untraceable, providing complete asset privacy. The hacker's wallet now contains more than $1 million in Ethereum, $29,000 in Binance coin, and more than $775,000 in Polygon. It was unclear how much money was stolen in the attack after another cryptocurrency platform, Helio, stated that it had been compromised in connection with Ankr's incident. This article continues to discuss Binance freezing about $3 million worth of cryptocurrency after Ankr was hacked.

    The Record reports "Binance Freezes $3 Million Worth of Crypto Stolen in Ankr Hack"

  • news

    "GAO Calls for Action to Improve Critical Infrastructure IoT and OT Cybersecurity"

    According to the Government Accountability Office (GAO), federal agencies in charge of critical infrastructure cybersecurity have not conducted risk assessments for Operational Technology (OT) and Internet of Things (IoT) systems and devices. Electronic systems, including IoT and OT devices and systems, are used in critical infrastructure sectors to deliver essential services such as electricity and healthcare. However, these industries face a growing number of cybersecurity threats. In 2021, the FBI's Internet Crime Complaint Center (IC3) received 649 complaints indicating that organizations in the critical infrastructure sector had been victims of a ransomware attack. The center reported that 14 of the 16 critical infrastructure sectors had at least one member that reported being a victim of a ransomware attack in 2021. Recent events have underscored the nation's significant IoT and OT cyber threats, as well as the wide range of consequences these attacks pose. For example, the Department of Justice (DoJ) reported in June 2022 that a Russian botnet was targeting various IoT and OT devices, including time clocks, routers, audio/video streaming devices, smart garage door openers, Industrial Control Systems (ICS), and more. Millions of devices were hacked, and victims ranged from individuals to large corporations. A joint agency alert issued in July 2022 stated that a North Korean ransomware attack targeted healthcare and public health sector organizations, specifically hitting electronic health records services, diagnostics services, imaging services, and intranet services. The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources to help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT. CISA has published guidance, launched programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and formed OT working groups. Furthermore, the Federal Acquisition Regulatory Council is considering revisions to the Federal Acquisition Regulation (FAR) to better manage IoT and OT cybersecurity risks. This article continues to discuss key points from GAO's report on critical infrastructure cybersecurity and the need to better secure Internet-connected devices.

    HSToday reports "GAO Calls for Action to Improve Critical Infrastructure IoT and OT Cybersecurity"

  • news

    "Black Proxies Enable Threat Actors to Conduct Malicious Activity"

    Security researchers at DomainTools have discovered that threat actors are using criminal proxy networks to obfuscate their illegal activities, hiding behind hijacked IP addresses and using them to appear legitimate. The researchers stated that while these networks were initially used as part of botnets, their lucrative nature has turned them into criminal enterprises in their own right. The researchers spotted a new and particularly dangerous proxy service called "Black Proxies," which is marketed to other cybercriminals for its reliability, scope, and vast number of IP addresses. Black Proxies advertises over 1,000,000 residential and other proxy IP addresses worldwide. The researchers stated that the scope and scale of these new offerings show just how large the claimed pool of IP space is. On closer examination of the service, the pool of IP addresses listed as "online" in the fall of 2022 came to just over 180,000, still far larger than traditional services based on other tactics and botnets. According to the researchers, the scale of Black Proxies is significant not only because of its use of traditional forms of IP proxying but also because of its use of compromised websites for its services.

    Infosecurity reports: "Black Proxies Enable Threat Actors to Conduct Malicious Activity"

  • news

    Visible to the public "Weak Connected Medical Device Security Increases Cyberattack Threats"

    Medical device security remains a concern for healthcare organizations as the threat of cyberattacks continues to grow in the industry. The medical Internet of Things (IoT) has improved healthcare by making it more convenient, efficient, and patient-centered, but it is also a weak link in data security. Many Internet-connected devices with IoT sensors, such as glucose monitors, insulin pumps, and defibrillators, have insufficient security defenses, posing risks to healthcare facilities and patients. According to Capterra's 2022 Medical IoT Survey, which included over 150 respondents, medical facilities in which more than 75 percent of medical devices are connected face a 24 percent higher risk of cyberattack than practices in which less than 50 percent of devices are connected. Cyberattacks are becoming more common with the widespread use of connected medical devices. Forty percent of healthcare organizations have between 51 percent and 70 percent of their medical devices connected to the Internet via Wi-Fi or hardwiring. Zach Capers, senior security analyst at Capterra, states that as a healthcare organization connects more medical devices to its network, its attack surface expands. In addition, connected medical devices are often left unmonitored for security flaws, and because they run on a diverse set of software and hardware platforms, monitoring them with a single tool is difficult. Capterra researchers said connected medical devices are typically developed with security as an afterthought, providing attackers with an easy entry point into the hospital network. These cyberattacks may also jeopardize the privacy of medical data. According to the survey findings, 48 percent of all healthcare cyberattacks have an impact on patient care, and 67 percent have an impact on the security of Personal Health Information (PHI). This article continues to discuss findings from Capterra's 2022 Medical IoT Survey.

    HealthITSecurity reports "Weak Connected Medical Device Security Increases Cyberattack Threats"

  • news

    Visible to the public "Integration, Legacy Tech and Lack of Skills Prevent Implementation of Security Solutions"

    According to a study for BlackFog, conducted by Sapio Research, 50 percent of over 400 Information Technology (IT) security decision-makers in the US and UK have been prevented from adopting a new cybersecurity solution because of integration issues or challenges posed by legacy infrastructure. The study also reveals that 32 percent say a lack of skills within their team to support a new product would also prevent them from deploying new solutions. The proliferation of tools is an issue, as security teams are now using, on average, 20 tools to combat cybersecurity threats, with 22 percent of those surveyed using more than 31 tools. A lack of resources is also pushing people to look for other jobs: 22 percent of the CISOs and IT security decision-makers polled said they would consider leaving their current position because of a lack of funds to invest in cutting-edge technology. On the bright side, there is evidence of maturity in strategies for sourcing and selecting the right tools, with the overwhelming majority, 89 percent, believing they can clearly determine the right new solutions to solve their organization's cybersecurity needs. This article continues to discuss key findings from the survey of IT security decision-makers in the US and UK regarding the adoption of new cybersecurity solutions.

    BetaNews reports "Integration, Legacy Tech and Lack of Skills Prevent Implementation of Security Solutions"

  • news

    Visible to the public "Google Patches Ninth Chrome Zero-Day of 2022"

    Google recently announced an emergency Chrome 108 update to patch a zero-day vulnerability in the browser, the ninth to be fixed this year. The high-severity security bug is tracked as CVE-2022-4262 and is described as a type confusion in the browser's V8 JavaScript engine. Google noted that it is aware that an exploit for CVE-2022-4262 exists in the wild. The vulnerability was identified by the Google Threat Analysis Group. Google said that the flaw could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google noted that type confusion flaws exist because a block of memory is used by a different algorithm than the one that was supposed to consume it. In Chrome, such issues could lead to deliberate code flow deviations, allowing attackers to achieve remote code execution (RCE) when untrusted code is served from a malicious page. Patches for this vulnerability have been included in Chrome 108.0.5359.94 for Mac and Linux and in Chrome 108.0.5359.94/.95 for Windows. Google is advising users to update to a patched version as soon as possible.

    SecurityWeek reports: "Google Patches Ninth Chrome Zero-Day of 2022"

  • news

    Visible to the public "Report Finds Software Supply Chain Attacks Show No Sign of Slowing Down"

    According to a new report from Reversing Labs, software supply chain attacks show no signs of slowing or decreasing nearly two years after the SolarWinds hack. The report highlights that attacks leveraging malicious open-source modules have continued to increase in the commercial sector. Since 2020, there has been an exponential increase in supply chain attacks, followed by a slower but steady rise in 2022. The popular open-source repository Node Package Manager (NPM) is a favorite among hackers. From January to October, 7,000 malicious package uploads to NPM were detected, a nearly 100-fold increase over the 75 malicious packages discovered in 2020 and a 40 percent increase over the malicious packages discovered in 2021. One attack detailed in August by Reversing Labs involved over two dozen NPM packages containing obfuscated JavaScript. The malicious packages were designed to steal data from individuals who used applications or websites where the malicious packages were installed. The Python Package Index (PyPI) was also discovered to be flooded with tainted open-source modules designed to mine cryptocurrency, plant malware, and more. The attacks matched what researchers saw in 2021, when attackers often used dependency confusion and typosquatting tactics. Secrets exposed through open-source repositories maintained internally or by third-party contractors impacted high-profile organizations such as Samsung and Toyota Motor. This article continues to discuss key findings from Reversing Labs' new report on supply chain attacks.

    SiliconANGLE reports "Report Finds Software Supply Chain Attacks Show No Sign of Slowing Down"

  • news

    Visible to the public "Rackspace Hosted Exchange Still Offline Over Security Issue"

    Thousands of Rackspace customers worldwide are still experiencing Microsoft Exchange Server outages, which the managed services company attributes to a security incident. Rackspace says it will shut down its hosted Exchange service indefinitely while it investigates the specific problem, which has not yet been identified publicly. Rackspace, based in Texas, is the world's largest managed cloud provider, with over 300,000 customers worldwide, including two-thirds of the world's 100 largest publicly traded companies. Rackspace has advised all affected customers to migrate to Microsoft 365 as a temporary solution and has offered them Microsoft Exchange Plan 1 licenses until further notice at no extra cost. MAPI/RPC, POP, IMAP, SMTP, ActiveSync, and the Outlook Web Access interface used to access Hosted Exchange instances for online email management are among the services impacted by its Hosted Exchange offering remaining offline. While the company has yet to release details about the security incident, British cybersecurity expert Kevin Beaumont believes evidence suggests Rackspace was running Microsoft Exchange servers that were still vulnerable to the two ProxyNotShell flaws. Microsoft patched the pair of Exchange zero-day vulnerabilities in early November, after they were publicly disclosed in late September and were known to be exploited in the wild by a threat actor with Chinese origin indicators. According to Beaumont, research using the Internet of Things (IoT) devices search engine Shodan indicates that Rackspace was using at least some Exchange clusters with build numbers from August, which predate Microsoft's patches. This article continues to discuss Rackspace going offline due to a security incident.

    BankInfoSecurity reports "Rackspace Hosted Exchange Still Offline Over Security Issue"

  • news

    Visible to the public "Cyber Safety Review Board Turns Its Sights on Lapsus$ Extortion Group in Latest Review"

    According to officials at the Department of Homeland Security (DHS), the Cyber Safety Review Board (CSRB), a federal board tasked with studying major hacks and their consequences, will focus its next review on the Lapsus$ criminal extortion group. The federal board, led by DHS and comprised of top federal cybersecurity officials and private sector experts, will investigate the group's tactics for breaking into the networks of some of the world's largest organizations, and will develop "actionable recommendations" to protect organizations, customers, and employees. The first report from the board focused on the Log4j vulnerability. In this next case, they will focus on a highly successful group of hackers who have gained access to high-level accounts at major corporations through various phishing and vishing schemes. Secretary of Homeland Security Alejandro Mayorkas said the review would focus on helping the public defend against innovative social engineering tactics and support the role of international partnerships in combating cybercriminals as cyber threats evolve. The decision to focus on Lapsus$ is the latest effort by the US and its international allies to increase pressure on the hacking and extortion group following a string of successful and high-profile breaches over the past year. Seven alleged members of the group, all between the ages of 16 and 21, were arrested in London in March, while the FBI issued a public alert the same month seeking tips on the group and its members. The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other federal agencies already routinely collaborate on public advisories and alerts focusing on specific hacking groups, the tactics they employ, and how to defend against their attacks. Board members stated that a Lapsus$ review by the CSRB would be different from those developments due to the board's unique public-private composition and its ability to obtain cooperation from victim companies in order to obtain insights. This article continues to discuss the Lapsus$ criminal extortion group being the focus of the CSRB's latest review.

    SC Media reports "Cyber Safety Review Board Turns Its Sights on Lapsus$ Extortion Group in Latest Review"

  • news

    Visible to the public "French Hospital Halts Operations After Cyberattack"

    According to local reports, a hospital in the Parisian suburb of Versailles was forced offline over the weekend, leading to the cancellation of all operations and the transfer of some patients. The Andre-Mignot hospital in Chesnay-Rocquencourt, Yvelines, was affected by a cyberattack at 9 pm local time on Saturday evening, turning some computer screens black. The hospital stated that six patients have been transferred from the facility's intensive care and neonatal units to nearby hospitals as staff struggle to maintain care levels and keep outpatient services running. Health minister, Francois Braun, stated that the attack has led to a "total reorganization of the hospital," with extra staff needed in intensive care because several critical machines require monitoring more closely as they are no longer networked. The attack on the 700-bed hospital looks to be the work of ransomware actors. If so, it follows a major ransomware attack on another facility near Paris in September this year. The Centre Hospitalier Sud Francilien (CHSF) in Corbeil-Essonnes was forced back to pen and paper after being hit with a $10m ransom demand by the LockBit 3.0 group.

    Infosecurity reports: "French Hospital Halts Operations After Cyberattack"

  • news

    Visible to the public "Microsoft: Russia Increasingly Timing Cyberattacks With Missile Strikes in Ukraine"

    According to Microsoft, Russia is increasingly combining cyberattacks against Ukraine with conventional weaponry, such as missiles, in a multi-pronged offensive approach that could extend beyond the conflict's borders. Microsoft found that 55 percent of the 50 or so Ukrainian organizations hit by Russian malware since February support critical infrastructure such as energy, water, emergency services, and healthcare, all of which have been the target of intense missile strikes. In recent months, impacted organizations have largely been in and around the areas of the country's most intense physical conflict, such as Kyiv and the south. Microsoft has pointed to mounting evidence that Russia seeks to launch cyberattacks outside of Ukraine as cyber and kinetic attacks continue to line up. In addition to the ongoing bombardment of Ukrainian targets, these have caused strategic damage to the country's supporters. Attacks on European countries may be carried out to disrupt supply chains critical to maintaining support for Ukraine, according to Microsoft, citing recent warnings about the Prestige ransomware targeting Poland as evidence that such a campaign has already begun. Microsoft has warned that attacks on Ukraine's Critical National Infrastructure (CNI) will most likely continue throughout the winter. At the end of October, missile strikes left 80 percent of Kyiv without running water and 10 million premises without power, causing particular concern as Ukraine enters its coldest months. Russian cyberattacks on Ukraine have largely been carried out by the IRIDIUM threat group, which has close ties to Russia's Main Intelligence Directorate, known as the GRU. This article continues to discuss Russia combining cyberattacks with missile strikes against Ukraine.

    ITPro reports "Microsoft: Russia Increasingly Timing Cyberattacks With Missile Strikes in Ukraine"

  • news

    Visible to the public "Chinese-Linked Hackers Stole Millions in COVID-19 Relief Benefits: Secret Service"

    Secret Service officials recently announced that hackers from a cybercriminal group linked to the Chinese government stole at least $20 million from the U.S. in COVID-19 relief benefits, the first known instance of foreign, state-sponsored actors tied to pandemic fraud. The officials noted that APT41 is a "Chinese state-sponsored, cyber threat group that is highly adept at conducting espionage missions and financial crimes for personal gain." Since the rollout of pandemic money in 2020, billions have been stolen by fraudulent actors across the U.S.

  • news

    Visible to the public "The Largest Mobile Malware Marketplace Identified by Resecurity in the Dark Web"

    Resecurity, a cybersecurity firm that protects major Fortune 500 companies, has discovered a new underground dark web marketplace geared toward mobile malware developers and operators. The marketplace is known as "In The Box," and it has been available for cybercriminals in the TOR network since at least the beginning of May 2020, but it has since evolved from a private cybercriminal service into the largest marketplace known today for the number of unique tools and web-injects offered for sale. Web-injects are implanted in mobile malware to intercept credentials for banking, payment systems, social media, and email, but these malicious tools also collect other sensitive information such as credit card information, address details, phone numbers, and other Personally Identifiable Information (PII). The Man-in-The-Browser (MiTB) attacks and web-injects designed for traditional PC-based malware such as Zeus, Gozi, and SpyEye are driving this trend. Cybercriminals have successfully applied the same approach on mobile devices because modern digital payments are highly interconnected regarding consumer mobile applications. According to Resecurity, the "In The Box" marketplace could be the largest and most significant catalyst for mobile device banking theft and fraud. The quality, quantity, and scope of the available malicious arsenal highlight the significance of the findings. Cybercriminals are currently selling over 1,849 malicious scenarios designed for major financial institutions, eCommerce, payment systems, online retailers, and social media companies from over 45 countries, including the US, the UK, Canada, Brazil, Colombia, Mexico, Saudi Arabia, Bahrain, Turkey, and Singapore. Cybercriminals have targeted organizations such as Amazon, PayPal, Citi, Bank of America, Wells Fargo, and DBS Bank. In November 2022, the actor organized a major update of nearly 144 injects and improved their visual design. This article continues to discuss the new underground marketplace in the dark web oriented towards mobile malware developers and operators.

    Security Affairs reports "The Largest Mobile Malware Marketplace Identified by Resecurity in the Dark Web"

  • news

    Visible to the public "How Companies Time Data Leak Disclosures"

    Every year, the personal data of millions of people, such as passwords, credit card information, or health information, falls into the hands of unauthorized individuals through hacking or data processing errors by companies. From financial losses to identity theft, the consequences for those affected can be significant. Companies in many countries are required by law to report such incidents to regulatory authorities and notify their customers. As a result, such leaks are often made public. In such cases, a quick response is required to limit the spread of the stolen data and avoid abuse. However, the deadlines set by law allow companies to be flexible in their disclosure timing. In the EU, any data leak that poses a risk to the individuals concerned must be reported within 72 hours. In the US, reporting deadlines range from 30 to 90 days, depending on the state. When Jens Foerderer, a professor of innovation and digitalization at the Technical University of Munich (TUM), and Sebastian Schuetz, a professor of information systems and business analytics at Florida International University (FIU), examined such incidents, they discovered that share prices were relatively unresponsive to data breach announcements. According to Foerderer, leaks harm a company's image and cause customers to lose trust, which should result in a sharp drop in stock market valuation. Their hypothesis was that other news had diverted investors' attention. Using information obtained from the non-profit Identity Theft Resource Center (ITRC), they identified the time of disclosure of over 8,000 data leaks of publicly traded US companies between 2008 and 2018. They then compared the timing to the dates on which many companies presented their quarterly results. The study backs up the researchers' hypothesis: there was a significantly higher incidence of data breach disclosures on days when other news dominated the headlines. In the case of severe data breaches stemming from internal negligence or errors, as well as leaks of health information or personal identity data, there was a particularly strong correlation between the general news situation and the disclosure date. This article continues to discuss the research on how companies time data leak disclosures.

    Help Net Security reports "How Companies Time Data Leak Disclosures"

  • news

    Visible to the public "SOC Turns to Homegrown Machine Learning to Catch Cyber-Intruders"

    The information security team at a French bank discovered that an internally developed Machine Learning (ML) model trained on log data could detect three new types of data exfiltration undetectable by rules-based security appliances. The team extracted features from daily summary data stored in log files and used them to find anomalies in the bank's web traffic. According to Carole Boijaud, a cybersecurity engineer with Credit Agricole Group Infrastructure Platform (CA-GIP), the study focused on how to better detect data exfiltration by attackers, and it resulted in the identification of attacks that the company's previous system had missed. In order to identify the most important features to track in their analysis, the cybersecurity engineering team used a data-analysis technique called clustering. The popularity of domains, the number of times systems reached out to specific domains, and whether the request used an IP address or a standard domain name were among the most important features. The team used an "isolation forest" technique to find outliers in the data after selecting the features that are most significant in classifications. The isolation forest algorithm divides data into several logical trees based on their values and then analyzes the trees to identify outliers. This method scales easily to handle many features and is relatively light in terms of processing. Initially, the model learned to detect three types of exfiltration attacks that the company would not have detected using existing security appliances. Overall, nearly half of the exfiltration attacks were detectable with a low false-positive rate. This article continues to discuss the ML system that helped a French bank detect three types of exfiltration attacks missed by current rules-based systems.

    Dark Reading reports "SOC Turns to Homegrown Machine Learning to Catch Cyber-Intruders"
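    The detection pipeline described in this item (per-host features derived from daily log summaries, then isolation-forest outlier scoring) can be illustrated with a small self-contained model. This is an added example, not CA-GIP's code: the summary format, the three per-host features (total request volume, share of requests sent to raw IP addresses, and request-weighted destination popularity), the constructed sample data and the minimal isolation-forest implementation are all assumptions; a production deployment would use a library implementation such as scikit-learn's IsolationForest rather than this hand-rolled one.

```python
"""Isolation-forest outlier scoring over per-host features extracted from a
daily proxy-log summary. Added educational example (not CA-GIP's code); the
log format, the three features and the sample data are assumptions."""
import ipaddress
import math
import random
from collections import defaultdict

# Constructed summary lines: "<source_host> <destination> <request_count>".
# ws-05 also pushes a large volume to a raw IP nobody else contacts.
SAMPLE_SUMMARY = """
ws-01 mail.example.com 210
ws-01 intranet.example.com 340
ws-01 updates.example.net 45
ws-02 mail.example.com 190
ws-02 intranet.example.com 300
ws-02 updates.example.net 50
ws-03 mail.example.com 220
ws-03 intranet.example.com 280
ws-03 vendor-portal.example.org 12
ws-04 mail.example.com 205
ws-04 intranet.example.com 310
ws-04 updates.example.net 40
ws-05 mail.example.com 200
ws-05 intranet.example.com 320
ws-05 203.0.113.45 4100
ws-06 mail.example.com 230
ws-06 intranet.example.com 290
ws-06 updates.example.net 55
"""


def is_raw_ip(dest):
    """True when the destination is a literal IP address, not a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def extract_features(summary):
    """Map each source host to [total_requests, raw_ip_fraction, popularity].

    popularity is the request-weighted share of hosts that also contact each
    destination, so heavy traffic to a rarely used destination pulls it down.
    """
    per_host, hosts_per_dest = defaultdict(list), defaultdict(set)
    for line in summary.strip().splitlines():
        host, dest, count = line.split()
        per_host[host].append((dest, int(count)))
        hosts_per_dest[dest].add(host)
    n_hosts, features = len(per_host), {}
    for host, dests in per_host.items():
        total = sum(c for _, c in dests)
        raw_ip = sum(c for d, c in dests if is_raw_ip(d)) / total
        pop = sum(c * len(hosts_per_dest[d]) / n_hosts for d, c in dests) / total
        features[host] = [float(total), raw_ip, pop]
    return features


def _c(n):
    """Average path length of an unsuccessful BST search; normalises scores."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def _build_tree(rows, depth, max_depth, rng):
    """Random recursive partitioning: pick a varying feature, split uniformly."""
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    bounds = [(min(r[f] for r in rows), max(r[f] for r in rows)) for f in range(len(rows[0]))]
    varying = [f for f, (lo, hi) in enumerate(bounds) if lo < hi]
    if not varying:
        return {"size": len(rows)}
    feat = rng.choice(varying)
    split = rng.uniform(*bounds[feat])
    return {"feat": feat, "split": split,
            "left": _build_tree([r for r in rows if r[feat] < split], depth + 1, max_depth, rng),
            "right": _build_tree([r for r in rows if r[feat] >= split], depth + 1, max_depth, rng)}


def _path_length(node, x, depth=0):
    while "feat" in node:
        node = node["left"] if x[node["feat"]] < node["split"] else node["right"]
        depth += 1
    return depth + _c(node["size"])


def isolation_forest_scores(vectors, n_trees=100, seed=7):
    """Anomaly scores in (0, 1]; points isolated in few splits score near 1."""
    rng, rows = random.Random(seed), list(vectors)
    sample_size = min(256, len(rows))
    max_depth = math.ceil(math.log2(sample_size)) if sample_size > 1 else 0
    trees = [_build_tree(rng.sample(rows, sample_size), 0, max_depth, rng) for _ in range(n_trees)]
    norm = _c(sample_size)
    return [2 ** (-(sum(_path_length(t, x) for t in trees) / n_trees) / norm) if norm else 1.0
            for x in rows]


def score_hosts(summary, n_trees=100, seed=7):
    """Return (host, score) pairs, most anomalous first."""
    features = extract_features(summary)
    hosts = list(features)
    scores = isolation_forest_scores([features[h] for h in hosts], n_trees, seed)
    return sorted(zip(hosts, scores), key=lambda hs: hs[1], reverse=True)


if __name__ == "__main__":
    for host, score in score_hosts(SAMPLE_SUMMARY):
        print(f"{host}: {score:.3f}")
```

    Running the block ranks ws-05 well above the other workstations: every one of its three features (volume, raw-IP share, destination popularity) is extreme, so almost any random split at the root isolates it, which is exactly the property isolation forests exploit. ws-03's low-volume traffic to a rarely used vendor portal barely moves its score, which illustrates why request-weighted popularity was chosen over a plain count of rare destinations.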

  • news

    Visible to the public "BlackProxies Proxy Service Increasingly Popular Among Hackers"

    A new residential proxy market is gaining popularity among hackers, cybercriminals, phishers, scalpers, and scammers, with access to a million claimed proxy IP addresses being sold globally. DomainTools analysts who have been watching the emergence of these services spotted the new platform, reporting that 'BlackProxies' is one of the fastest-growing newcomers in the space. A new entity claiming such a large pool of available proxies is a significant development, given that law enforcement has shut down several large proxy providers in recent years, including RESNET and INSORG. Proxies are online servers that accept and forward requests for other devices on the Internet, causing a connection to appear to originate from their IP address while concealing the true initiator. Residential proxies use home users' IP addresses rather than a data center's address space, making them ideal for running shopping bots or blending in with regular website traffic. Residential users may become proxies voluntarily in exchange for money. However, in many cases, they become proxies involuntarily as a result of malware infections on their computers, Internet of Things (IoT) devices, and modems. Cybercriminals use residential proxies to increase the efficiency of their illegal operations while hiding from law enforcement and blockers. In August 2022, the FBI issued a warning about a growing trend of cybercriminals using residential proxies to conduct large-scale credential-stuffing attacks without being tracked, flagged, or blocked. This article continues to discuss the scale and operation of the new BlackProxies residential proxy market.

    Bleeping Computer reports "BlackProxies Proxy Service Increasingly Popular Among Hackers"

  • news

    Visible to the public "North Korean Hackers Spread AppleJeus Malware Disguised as Cryptocurrency Apps"

    Recent discoveries from Volexity reveal that the Lazarus Group threat actor has been seen using fake cryptocurrency apps as a lure to distribute a previously undocumented variant of the AppleJeus malware. According to researchers, this activity is notable for targeting cryptocurrency users and organizations through malicious Microsoft Office documents containing an AppleJeus malware variant. The North Korean government is known to employ a three-pronged strategy by using malicious cyber activity that is planned to gather information, carry out attacks, and generate illegal revenue for the country subject to sanctions. According to the 2021 Annual Threat Assessment published by US intelligence agencies, North Korea has engaged in cyber theft against financial institutions and cryptocurrency exchanges around the world, potentially stealing hundreds of millions of dollars to fund government priorities, including its nuclear and missile programs. This article continues to discuss the delivery of AppleJeus malware by the Lazarus Group through fake cryptocurrency apps.

    THN reports "North Korean Hackers Spread AppleJeus Malware Disguised as Cryptocurrency Apps"

  • news

    Visible to the public "Cybersecurity Risks of Automotive OTA"

    Vehicle Original Equipment Manufacturers (OEMs) will contact vehicle owners remotely about Operating System (OS) updates that add new features and fix software bugs and vulnerabilities, similar to how smartphones do. All of this must be done securely, but over-the-air (OTA) technology is still relatively immature regarding safety-critical applications. The Advanced Driver Assistance Systems (ADAS), as well as the electronic dashboard, powertrain, and infotainment systems, are all controlled by software in modern vehicles. Through OTA updates, vehicles could operate more efficiently, benefit from improved Electric Vehicle (EV) battery performance, and stay current with technology for longer. These updates can be delivered directly from OEMs or via vehicle dealers. Honda recalled 608,000 vehicles in the US in 2020 to fix software bugs that were causing instruments to display incorrect speed information and other errors with rear-view camera video. Updates are broadly classified into two types: critical and non-critical. Critical updates have a direct impact on engine and powertrain performance and safety, while non-critical updates, for example, add new features to infotainment systems. However, OTA has some drawbacks. According to the National Highway Traffic Safety Administration (NHTSA), Tesla recalled more than 40,000 Model S and Model X vehicles built between 2017 and 2021 in October 2022 due to a software update issue. A different issue was caused by an OTA firmware release intended to update the calibration values of the electronic power assist steering system. After hitting a pothole or a bump, some vehicle owners experienced a loss of power steering ability, which required another OTA update to correct. Another challenge is that implementing security in any market is difficult, particularly in complex systems like automotive, where the use of third-party Intellectual Property (IP) is increasing. That IP can take the form of software or hardware, and if it is poorly designed or integrated, or is so complex that it can never be verified and debugged properly, it can open the door to cyberattacks. This article continues to discuss the cybersecurity risks of automotive OTA technology.

    Semiconductor Engineering reports "Cybersecurity Risks of Automotive OTA"

  • news

    Visible to the public "AI Tools Could Boost Social Media Users' Privacy"

    According to researchers at the University of Edinburgh, by fighting Artificial Intelligence (AI) with AI, digital assistants could help prevent users from unknowingly revealing their views on social, political, and religious issues. Their findings imply that automated assistants could provide users with real-time advice on how to modify their online behavior in order to mislead AI opinion-detection tools and keep their opinions private. The study is the first to show how Twitter users can hide their opinions from opinion-detecting algorithms that help authoritarian governments or fake news sources target them. Previous research has focused on steps that social media platform owners can take to improve privacy, though the team notes that such actions can be difficult to enforce. Data from over 4,000 Twitter users in the US was used by Edinburgh researchers and academics from New York University Abu Dhabi. The team used the data to examine how AI can predict people's opinions based on their online activities and profile. They also tested designs for an automated assistant to help Twitter users keep their views on potentially divisive topics private. Their findings suggest that a tool could assist users in hiding their views on their profiles by identifying key indicators of their opinions, such as accounts they follow and interact with. This article continues to discuss the team's study on how AI can help strengthen social media users' privacy.

    University of Edinburgh reports "AI Tools Could Boost Social Media Users' Privacy"

  • news

    Visible to the public "To Fill the Cybersecurity Skills Gap, the Sector Needs to Boost Diversity"

    The global cybersecurity skills gap and the lack of diversity in the cybersecurity workforce are the two main issues facing the cybersecurity sector. According to research, 3.4 million additional people are required to close the global cybersecurity workforce gap. A World Economic Forum survey found that 59 percent of businesses would struggle to respond to a cybersecurity incident because of the skills gap. According to data from 2022, the issue is getting worse as the workforce gap widened by 26.2 percent from 2021 to 2022. There is a noticeable lack of diversity in the cybersecurity industry. In Science, Technology, Engineering, and Math (STEM) fields, women are generally underrepresented, and in cybersecurity specifically, they account for only about 24 percent of the workforce. About 26 percent of cybersecurity professionals are minorities. According to Fortinet's research into the cybersecurity skills gap, it negatively affects businesses by raising the possibility of security breaches, which can result in financial and reputational losses. With nearly $600 billion, or one percent of the global GDP, lost to cybercrime each year, cybersecurity incidents are having a greater impact on the world economy than ever before. Research also reveals that the number of new ransomware variants discovered in the first half of 2022 increased by almost 100 percent compared to the prior six months. Many people might think they cannot work in cybersecurity because they lack the necessary experience or technical training, but there are opportunities in the cybersecurity industry for almost everyone, as people can acquire the technical skills they need to pursue careers in the field by completing training programs and earning certifications. This article continues to discuss the need for diversity in the cybersecurity workforce, what could be holding potential candidates back, and making cybersecurity training more accessible for everyone.

    World Economic Forum reports "To Fill the Cybersecurity Skills Gap, the Sector Needs to Boost Diversity"

  • news

    Visible to the public "Android Phone Makers' Encryption Keys Stolen and Used in Malware"

    Although Google develops its open-source Android mobile Operating System (OS), the Original Equipment Manufacturers (OEMs) that make Android smartphones, such as Samsung, play a significant role in customizing and securing the OS for their devices. However, a recent discovery made public by Google reveals that several digital certificates used by vendors to authenticate essential system applications were recently compromised and have already been used to certify malicious Android apps. Similar to nearly every other computer OS, Google's Android is built with a "privilege" model. As a result, the software running on an Android phone, from third-party apps to the OS itself, is limited as much as possible and only given system access based on its needs. This enables a photo editing app to access the camera roll while preventing a game from covertly collecting all of a user's passwords. Digital certificates signed with cryptographic keys enforce the entire structure. If the keys are stolen, attackers can give their own software access to resources it should not be allowed to have. According to Google, manufacturers of Android-based devices have implemented mitigations, rotating keys and automatically distributing updates to users' phones. Additionally, the company has implemented scanner detections to look for malware that tries to exploit the compromised certificates. Google says there is no proof that the malware was on the Google Play Store, indicating that it spread through third parties. Information about the threat was disclosed through a group known as the Android Partner Vulnerability Initiative, and action was coordinated to address it. By abusing the compromised platform certificates, an attacker would be able to develop malware that holds numerous permissions without having to trick users into granting them. Lukasz Siewierski, an Android reverse engineer, provided some malware samples from his Google report that exploited the stolen certificates. Samsung and LG are listed among the manufacturers whose certificates were compromised. This article continues to discuss the compromise of digital certificates used by vendors to validate critical system applications.

    Wired reports "Android Phone Makers' Encryption Keys Stolen and Used in Malware"

  • news

    Visible to the public "US Cyber Command, DARPA Initiate Rapid Cyber Capability Prototyping and Integration Pilot"

    A pilot program launched by the Defense Advanced Research Projects Agency (DARPA) and the US Cyber Command (CYBERCOM) aims to put new cyber capabilities in the hands of cyber operators more quickly. By developing a user-directed, incremental, and iterative pipeline for the creation, proving, adoption, and delivery of those capabilities into the software ecosystem of CYBERCOM, the Constellation pilot program will facilitate the flow of new cyber capabilities resulting from high-risk, high-reward cyber science and technology research. According to Mike Clark, Director of Cyber Acquisition and Technology at the CYBERCOM, innovation is at the heart of the command's strategy, which is why CYBERCOM and DARPA are collaborating more closely than ever to develop emerging tactical and strategic cyber capabilities and integrate them into operational warfighting platforms. Therefore, Constellation's success depends on speeding up the transfer of technology from DARPA research and development to CYBERCOM for operational use. In order to overcome the difficulties the Department of Defense (DOD) encounters when developing software systems, such as rapidly evolving technology, acceptance, and usability for both expert and non-expert providers, it is crucial to foster an agile-style pipeline from research to operations. In order to close the gap between science and technology, Constellation will provide a framework, develop mechanisms, and procure the necessary personnel, contracts, relationships, research, development, and operational warfighting capabilities. It will also provide feedback to the science and technology community on the changing nature of cyber threats and mission requirements. This article continues to discuss the goals of the new Constellation pilot program.

    HSToday reports "US Cyber Command, DARPA Initiate Rapid Cyber Capability Prototyping and Integration Pilot"

  • news

    Visible to the public "Florida State Tax Website Bug Exposed Filers' Data"

    A researcher discovered that a security flaw on the Florida Department of Revenue website exposed the bank account and Social Security numbers of at least hundreds of taxpayers. By changing the portion of the website address that contains the taxpayers' application number, Kamran Mohsin said the security flaw, which has since been fixed, allowed him or anyone else who was logged in to the state's business tax registration website to access, modify, and delete the personal data of business owners whose information is on file with the state's tax authority. According to Mohsin, application numbers are sequential, making it possible for anyone to compile data on taxpayers by simply increasing the application number by one digit. There were over 713,000 applications in the system. A server vulnerability called Insecure Direct Object Reference (IDOR) exposes files or data stored on the server because there are insufficient or no security controls in place. It is similar to having a key that opens a mailbox and every other mailbox in a neighborhood. In comparison to other bugs, IDOR vulnerabilities have the advantage of typically being quickly fixed at the server level. Mohsin provided screenshots of the website bug, showing examples of names, residential and commercial addresses, bank account and routing numbers, Social Security numbers, and other special tax identifiers used for submitting paperwork to the state and federal governments. Scammers and cybercriminals often target tax identifiers, such as Social Security numbers, to file false tax returns and steal tax refunds, costing taxpayers billions of dollars annually. On October 27, Mohsin contacted the Florida Department of Revenue, which gave him an email address to report the vulnerability. Soon after the flaw was reported, it was fixed. According to the Florida Department of Revenue, the vulnerability was fixed four days after Mohsin reported it, and two unnamed security firms have verified the website's security. This article continues to discuss the exposure of taxpayers' data by the Florida Department of Revenue website.
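    The IDOR pattern described above, modelled as an added example (not code from the TechCrunch article or the Florida Department of Revenue site): the lookup that only checks for a login beside one that authorizes the object, an opaque-token alternative to sequential numbers, and a detector for one session walking consecutive application numbers. All records, sessions and log lines are constructed sample data.

```python
"""Added example: IDOR as described in the Florida tax site report, with
the hardened lookup and a sequential-walk detector. Constructed data only."""
from collections import defaultdict
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Application:
    application_number: int   # sequential, as the report describes
    owner: str                # login that registered this business
    ssn_last4: str
    bank_routing: str


# Constructed sample records; no real taxpayer data.
APPLICATIONS = {
    100001: Application(100001, "alice", "1234", "021000021"),
    100002: Application(100002, "bob", "5678", "011000015"),
    100003: Application(100003, "carol", "9012", "031000053"),
}


def lookup_vulnerable(session_user: str, application_number: int):
    """The flaw as reported: any logged-in user can read any record by
    editing the application number in the URL. Only the session is
    checked, never whether the record belongs to the caller."""
    if not session_user:
        raise PermissionError("login required")
    return APPLICATIONS.get(application_number)


def lookup_hardened(session_user: str, application_number: int):
    """Fix: authorize the object, not just the request. A record that is
    missing or owned by someone else gets the same response, so the
    endpoint cannot be used to learn which numbers exist."""
    if not session_user:
        raise PermissionError("login required")
    record = APPLICATIONS.get(application_number)
    if record is None or record.owner != session_user:
        return None
    return record


def opaque_reference(application_number: int, registry: dict) -> str:
    """Defence in depth: give the browser a random, unguessable token and
    keep the sequential number server-side, so the URL carries nothing an
    attacker can increment. `registry` maps token -> application number."""
    token = secrets.token_urlsafe(16)
    registry[token] = application_number
    return token


def detect_sequential_walk(log_lines, min_run: int = 3):
    """Detection for the access pattern the researcher described: one
    session requesting consecutive application numbers. Returns the set of
    sessions that touched at least `min_run` consecutive numbers.
    Constructed line format: '<session> GET /app/<number>'."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _, path = line.split()
        seen[session].add(int(path.rsplit("/", 1)[1]))
    flagged = set()
    for session, numbers in seen.items():
        ordered = sorted(numbers)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(session)
                break
    return flagged


# Constructed access log: one normal session, one walking the ID space.
SAMPLE_LOG = [
    "sess-alice GET /app/100001",
    "sess-eve GET /app/100001",
    "sess-eve GET /app/100002",
    "sess-eve GET /app/100003",
    "sess-eve GET /app/100004",
]

if __name__ == "__main__":
    print(lookup_vulnerable("eve", 100001))    # leaks alice's record
    print(lookup_hardened("eve", 100001))      # None
    print(detect_sequential_walk(SAMPLE_LOG))  # {'sess-eve'}
```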

    TechCrunch reports "Florida State Tax Website Bug Exposed Filers' Data"

  • news

    Visible to the public "Vanuatu Struggles Back Online After Cyberattack"

    Vanuatu's government recently stated that it was slowly getting its communications back online following a cyberattack that knocked out emergency services, emails, and phone lines for weeks. Chief information officer Gerard Metsan stated that 70 percent of the government network had now been restored, including crucial emergency lines for ambulance, police, and fire services. He did not give details of which services remained affected but said all government departments were back online after some hardware was replaced. Government servers and websites on the Pacific island nation had been out since November 6, when suspicious activity was first detected. The cyberattack knocked out online services, email, and network-sharing systems, in many cases forcing officials to use other platforms to communicate. Vanuatu's newly elected Prime Minister Ishmael Kalsakau stated that experts from Australia were called in to help and that it remained unclear who was behind the cyberattack. Kalsakau noted that analysis of the attackers' activity showed "persistent traffic" from Europe, Asia, and the United States, "but these indications could be misleading." The prime minister could not say whether the attack was state-sponsored, adding it was also too early to determine the full extent of the damage. The experts from Australia believe that the cyberattack came through a non-secure government website managed by third parties and workstations with known security weaknesses. Police are currently investigating whether locals assisted the hackers. The small South Pacific nation of 315,000 had limited ability to deal with the problem, and Kalsakau said safeguards were being installed in the network to reduce the risk of another cyberattack.

    SecurityWeek reports: "Vanuatu Struggles Back Online After Cyberattack"

  • news

    Visible to the public "Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges"

    Qualys' Threat Research Unit recently showed how a new Linux vulnerability could be chained with two other apparently harmless flaws to gain full root privileges on an affected system. The researchers stated that the new vulnerability, tracked as CVE-2022-3328, is a race condition in Snapd, a Canonical-developed tool used for the Snap software packaging and deployment system. Specifically, the flaw impacts the "snap-confine" program used by Snapd to construct the execution environment for Snap applications. The researchers noted that the affected program is present by default in Ubuntu, whose developers described CVE-2022-3328 as a high-severity flaw that can be exploited for local privilege escalation and arbitrary code execution. Qualys researchers have shown how CVE-2022-3328 could be combined with other innocuous vulnerabilities for a high-impact attack. The researchers chained CVE-2022-3328 (this issue was introduced in February 2022 by the patch for a flaw tracked as CVE-2021-44731) with two recently discovered issues affecting Multipathd. The researchers noted that Multipathd is a daemon in charge of checking for failed paths that is running as root in the default installation of Ubuntu and other distributions. The researchers stated that Multipathd is affected by an authorization bypass issue that can be exploited by an unprivileged user to issue privileged commands to Multipathd (CVE-2022-41974) and a symlink attack (CVE-2022-41973) that can be used to force the execution of malicious code. The researchers noted that chaining the Snapd vulnerability with the two Multipathd flaws can allow any unprivileged user to gain root privileges on a vulnerable device. The researchers have verified the vulnerability, developed an exploit, and obtained full root privileges on default installations of Ubuntu. The vulnerability is not exploitable remotely, but the researchers warn that it's dangerous because it can be exploited by an unprivileged user.

    SecurityWeek reports: "Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges"

  • news

    Visible to the public "'CryWiper' Trojan Disguises as Ransomware"

    Researchers have discovered a new wiper Trojan disguised as a ransomware payload in the wild. CryWiper, named after the distinctive '.cry' extension it appends to files, appears to be a new ransomware strain at first glance. The victims' devices appear to be encrypted, and a ransom note is left demanding money be sent to a bitcoin wallet address, but the files are corrupted beyond repair. Evidence shows that the malware is a wiper that corrupts all but the most critical system files, overwriting each with data generated by a pseudo-random number generator. When CryWiper is installed on a victim's system, it sends the name of the victim's device to a command-and-control (C2) server and waits for an activation command to launch an attack. It uses a methodology similar to ransomware, with functions such as deleting volume shadow copies to prevent file restoration and scheduling itself in Windows Task Scheduler to restart every five minutes. CryWiper also disables MS SQL, MySQL, MS Active Directory, and MS Exchange services, allowing files associated with them to be corrupted. A wiper is made to indiscriminately destroy systems or otherwise cause havoc on a victim's device. Wipers are a component of a malware arsenal that has served as the foundation of the growing threat against critical national infrastructure, and they have been widely used by Russia in its cyberwar against Ukraine. The ransom text file contains an email address that has been in use since 2017, associating it with a number of previous ransomware families. No group has yet been definitively identified as responsible. This article continues to discuss the CryWiper Trojan that has been disguised as ransomware.

    ITPro reports "'CryWiper' Trojan Disguises as Ransomware"

  • news

    Visible to the public "Cyber Extortion Dominates the Threat Landscape"

    Cyber extortion affects businesses of all sizes worldwide, with 82 percent of cases observed being small businesses, up from 78 percent last year. According to Orange Cyberdefense's latest Security Navigator report, there was a noticeable slowdown in cybercrime at the start of the Ukraine war, but the intensity quickly increased again. For example, the number of cyber extortion victims in East Asia and South East Asia has increased by 30 percent and 33 percent, respectively, in the last six months. Furthermore, from 2021 to 2022, victim volumes increased by 18 percent in the EU, 21 percent in the UK, and 138 percent in the Nordic countries. However, volumes fell by 8 percent in North America and 32 percent in Canada. Small businesses are targeted four and a half times more than medium and large businesses combined, while the public sector accounts for the fifth highest proportion of incidents in Orange's CyberSOCs. The manufacturing sector remains the most vulnerable to cyber extortion, despite ranking fifth among industries most willing to pay ransoms, according to the research. Criminals in this sector are compromising conventional Information Technology (IT) systems rather than the more specialized Operational Technology (OT). In 2021, 547 Android vulnerabilities and 357 iOS vulnerabilities were reported. In comparison, only 24 percent of iOS vulnerabilities have a low attack complexity. Due to the ecosystem's uniformity, the findings show that a higher number of iPhone users are vulnerable when a security issue is first disclosed. Users migrate to a new version quickly, with 70 percent updating within 51 days of the patch's release. Since the Android ecosystem is more fractured, devices are often left open to more old exploits, while fewer may be vulnerable to new exploits. This article continues to discuss key findings from Orange Cyberdefense's latest Security Navigator report.

    BetaNews reports "Cyber Extortion Dominates the Threat Landscape"

  • news

    Visible to the public "Google: After Using Rust, We Slashed Android Memory Safety Vulnerabilities"

    Google appears to be reaping the benefits of its decision to use Rust for new code in Android in order to reduce memory-related flaws. Memory safety flaws in Android have been reduced by more than half, a significant achievement coinciding with Google's transition from C and C++ to the memory-safe programming language Rust. This is the first year that memory safety flaws have not been the most common type of security flaw, and it comes a year after Google made Rust the default language for new code in the Android Open Source Project (AOSP). Other memory-safe languages used by Google for Android include Java and the Java-compatible Kotlin. Although C and C++ remain dominant languages in AOSP, Android 13 is the first version in which most of the new code is written in memory-safe languages. Rust now accounts for approximately 21 percent of new code after Google adopted it for AOSP in April 2021. This year, the Linux kernel project designated Rust as the new official second language to C. Android 10 from 2019 had 223 memory safety bugs, while Android 13 has 85 known memory safety issues. Memory safety vulnerabilities have dropped from 76 percent to 35 percent of Android's total vulnerabilities during that time, according to Android security software engineer Jeffrey Vander Stoep. Google is seeing a decrease in critical and remotely exploitable flaws as memory safety vulnerabilities decline. The Android team intends to increase its use of Rust, but there are no plans to abandon C and C++ for system programming. Vander Stoep does point out that correlation does not imply causation, but the percentage of memory safety security bugs, which dominate high severity bugs, closely matches the languages used for new code. According to Google, security tools such as fuzzing have also had a significant impact on memory safety bugs. This article continues to discuss the reduction of memory-related flaws after Google decided to use Rust for new code in Android.

    ZDNet reports "Google: After Using Rust, We Slashed Android Memory Safety Vulnerabilities"

  • news

    Visible to the public "Russian Hackers Steal 50 Million Passwords From 111 Countries Using Infostealer Malware"

    Group-IB found almost three dozen groups of Russian hackers using the stealer-as-a-service model to spread infostealer malware. An infostealer is a type of malware that collects browser credentials, payment card numbers, and cryptocurrency wallet credentials and sends them to threat actor-controlled servers. According to the researchers, the threat groups have infected 890,000 user devices with infostealers, stealing 50 million passwords in the first seven months of 2022, which is an increase of 80 percent over the previous period. Furthermore, threat actors stole 2,117,626,523 cookie files, 113,204 cryptocurrency wallets, and 103,150 credit cards. The digital risk protection team at Group-IB discovered that 34 groups of Russian hackers used Raccoon and Redline infostealer malware to steal passwords from Steam, Roblox, Amazon, PayPal, cryptocurrency wallets, and credit card information. PayPal and Amazon are the most targeted, accounting for 16 percent and 13 percent of all stolen data, respectively. The report discovered that Russian hackers coordinated their hacking activities through Russian-speaking Telegram groups with an average of 200 active members, most of whom were previously involved in Classiscam. Although they communicate in Russian, they target victims in 111 countries, mainly the US, Brazil, India, Germany, and Indonesia. Redline was ranked as the most popular malware by Group-IB researchers, with the variant being used by 23 of 34 groups. Raccoon infostealer malware came in second place, with only eight groups using it, while custom infostealers have only three groups dedicated to them. Group administrators provide their employees with both Redline and Raccoon infostealers and claim a cut of the stolen data or profits. Some organizations employ up to three infostealer malware variants, while others employ only one. Cybercriminals can rent malware from the dark web for as little as $150-200 per month. This article continues to discuss Group-IB's findings regarding groups of Russian hackers spreading infostealer malware.

    CPO Magazine reports "Russian Hackers Steal 50 Million Passwords From 111 Countries Using Infostealer Malware"

  • news

    Visible to the public "New DuckLogs Malware Service Claims Having Thousands of 'Customers'"

    A new Malware-as-a-Service (MaaS) operation called 'DuckLogs' is providing low-skilled attackers with easy access to multiple modules for data theft, keystroke logging, clipboard data access, and remote access to the compromised host. DuckLogs is completely web-based and claims that thousands of cybercriminals have paid a subscription to generate and launch over 4,000 malware builds. Some customers appear to receive additional services from the operators, such as assistance in distributing the payload, a tool for dropping files, and an extension changer. According to the web panel, over 2,000 cybercriminals are using the malicious platform, and the current victim count exceeds 6,000. DuckLogs primarily consists of an information stealer and a Remote Access Trojan (RAT), but it also includes over 100 individual modules that target specific applications. The RAT component includes functions for retrieving and running files from the command-and-control (C2) server, displaying a crash screen, shutting down, restarting, logging out, or locking the device, and opening URLs in the browser. Other DuckLogs modules include keystroke logging to steal sensitive information, a clipper, and a screenshot tool. The malware also supports Telegram notifications, encrypted logs and communication, code obfuscation, process hollowing to launch payloads in memory, a persistence mechanism, and a Windows User Account Control bypass, according to Cyble researchers. The web-based panel is currently available on four clearnet domains and appears to provide powerful payload-building features, including the ability to add modules and functions to the final malware build. This article continues to discuss findings surrounding the new DuckLogs MaaS.

    Bleeping Computer reports "New DuckLogs Malware Service Claims Having Thousands of 'Customers'"

  • news

    Visible to the public "Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers"

    A previously unknown Go-based malware is targeting Redis servers with the intent of taking control of infected systems and likely establishing a botnet network. According to cloud security firm Aqua, the attacks involve exploiting a critical security vulnerability in the open-source, in-memory, key-value store Redis, which was disclosed earlier this year. The vulnerability, tracked as CVE-2022-0543 and assigned a CVSS score of 10.0, is related to a case of sandbox escape in the Lua scripting engine that could be exploited to gain Remote Code Execution (RCE). This is not the first time the flaw has been actively exploited. In March 2022, Juniper Threat Labs discovered attacks carried out by the Muhstik botnet to execute arbitrary commands. The Redigo infection chain is similar in that the adversaries search for exposed Redis servers on port 6379 to gain initial access before downloading a shared library called "exp_lin.so" from a remote server. This library file comes with an exploit for CVE-2022-0543 to execute a command in order to retrieve Redigo from the same server, in addition to taking steps to mask its activity by simulating legitimate Redis cluster communication over port 6379. According to Aqua researcher Nitzan Yaakov, the dropped malware mimics Redis server communication, allowing the adversaries to conceal communications between the targeted host and the command-and-control (C2) server. This article continues to discuss the exploitation of the Redis vulnerability to deploy Redigo malware on servers.

    THN reports "Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers"

  • news

    Visible to the public "Mitsubishi Electric PLCs Exposed to Attacks by Engineering Software Flaws"

    Security researchers at industrial cybersecurity firm Nozomi Networks have recently discovered three vulnerabilities in Mitsubishi Electric's GX Works3 engineering workstation software that could be exploited to hack safety systems. GX Works3 is the configuration and programming software provided by Mitsubishi Electric for its MELSEC iQ-F and iQ-R programmable logic controllers (PLCs). The three security holes discovered are tracked as CVE-2022-29831, CVE-2022-29832, and CVE-2022-29833 and could allow an attacker to obtain information from GX Works3 project files to compromise connected safety CPU modules. The researchers noted that the project files for these modules are encrypted, and a user-configured username and password are required to open them. However, the researchers discovered hardcoded passwords, cleartext storage, and insufficient credential protection issues that expose these credentials and other sensitive information. The researchers noted that a threat actor could obtain a project file from a misconfigured file server, from a shared computer, or by intercepting unprotected communications. Once they have the file, they can exploit the vulnerabilities to obtain information needed to hack industrial control systems (ICS). According to the researchers, an attacker could abuse the first two issues and obtain confidential information included in the project file about the project itself, as well as about the usernames of the accounts registered on the related safety CPU module. The researchers noted that if an asset owner has opted to re-use the same credentials for accessing the safety CPU module to also protect the related project file, a much more dangerous scenario would occur. In this situation, an attacker may chain all three issues and obtain a remarkably powerful attack primitive that would allow them to directly access the safety CPU module. This would give them the potential opportunity to compromise it and, therefore, disrupt the managed industrial process. Mitsubishi has yet to release patches and has only provided mitigations and workarounds. Nozomi has not made public any technical information in an effort to prevent potential exploitation by malicious actors.

    SecurityWeek reports: "Mitsubishi Electric PLCs Exposed to Attacks by Engineering Software Flaws"

  • news

    Visible to the public "Financial Organizations More Prone to Accidental Data Leakage"

    Netwrix has released additional findings from its global 2022 Cloud Security Report for the financial and banking sectors. Financial institutions are much more concerned about users who have legitimate access to their cloud infrastructure than other industries surveyed. In this sector, 44 percent believe their own IT staff is the greatest threat to cloud data security, while 47 percent are concerned about contractors and partners, compared to 30 percent and 36 percent in the other verticals polled. Phishing is the most common type of attack reported by all sectors. On the other hand, 91 percent of financial institutions say they can detect phishing within minutes or hours, compared to 82 percent of respondents in other verticals. Financial organizations are more likely than other industries to experience accidental data leakage, with 32 percent of them reporting this type of security incident in the last 12 months, compared to an average of 25 percent. This is a valid reason for them to be concerned about users who may inadvertently disclose sensitive information. To address this threat, organizations should adopt a zero-standing privilege approach in which elevated access rights are granted only when and for as long as they are required, according to Dirk Schrader, VP of security research at Netwrix. This article continues to discuss key findings from the 2022 Cloud Security Report.

    Help Net Security reports "Financial Organizations More Prone to Accidental Data Leakage"

  • news

    Visible to the public "Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines"

    When an attacker submits changes to an open-source repository on GitHub, downstream software projects that include the most recent version of a component may compile updates containing malicious code. According to Legit Security, a software supply chain security firm, this "artifact poisoning" vulnerability could affect software projects that use GitHub Actions, a service for automating development pipelines, by triggering the build process when a change in a software dependency is detected. Legit Security simulated an attack on the project that manages Rust, causing the project to recompile using a customized and malicious version of the popular GCC software library. According to Liav Caspi, chief technology officer of Legit Security, the problem likely affects a large number of open-source projects because maintainers typically run tests on contributed code before analyzing it themselves. He describes it as a common pattern nowadays: many open-source projects run a slew of tests to validate a change request because the maintainer does not want to have to review the code first, so the tests run automatically instead. The attack makes use of the automated build process provided by GitHub Actions. The vulnerable pattern in the Rust programming language could have allowed an attacker to execute code in a privileged manner as part of the development pipeline, stealing repository secrets and potentially tampering with code. Any GitHub user can create a fork that generates an artifact, then inject it into the repository's build process and modify its output. This is another type of software supply chain attack in which an attacker modifies the build output. This article continues to discuss artifact poisoning in GitHub Actions.

    Dark Reading reports "Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines"

  • news

    Visible to the public "Cuba Ransomware Actors Pocket $60m"

    The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of the continued threat posed by the Cuba ransomware variant, which has made its affiliates and developers $60m as of August. CISA revealed in a new alert that the ransomware had compromised at least 100 entities worldwide, having doubled its victim count in the US since last December. CISA noted that the group and its affiliates mainly target financial services, government, healthcare, critical manufacturing, and IT companies. CISA stated that, disappointingly, ransoms are increasingly being paid. The group has demanded $145m to date in recorded attacks. CISA said that threat actors use one of several tried-and-tested techniques to gain initial access: phishing campaigns, vulnerability exploitation, compromised credentials, and remote desktop protocol (RDP) tools. Once inside, the ransomware itself is distributed via a loader known as "Hancitor." CISA noted, however, since spring this year, the group has modified some of its tactics, techniques, and procedures (TTPs). CISA stated that it uses a dropper that writes a kernel driver to the file system called ApcHelper.sys, in order to terminate any security products running on victims' machines. It also exploits CVE-2022-24521 to steal system tokens and elevate privileges and CVE-2020-1472 to gain domain administrator privileges.

    Infosecurity reports: "Cuba Ransomware Actors Pocket $60m"

  • news

    Visible to the public "NATO Launches Massive Cyber-Defense Exercise"

    This week, NATO kicked off its Cyber Coalition 22 exercise to enhance cyber resilience among its members. NATO brought together 1000 defenders from 26 member countries plus Finland and Sweden, Georgia, Ireland, Japan, Switzerland, and the EU, as well as participants from industry and academia. NATO stated that the five-day exercise is designed to pose real-life challenges to participants, such as cyberattacks on power grids and NATO assets, with a view to enhancing their ability to defend networks and collaborate in cyberspace.