News Items

  • news

    "Over Three-Quarters of UK Adults Hit by Online Scams"

    Security researchers believe that more than 40 million UK consumers have been targeted by digital fraudsters so far in 2022, a double-digit increase from the same time last year. The researchers polled over 2000 UK adults in May, asking if they had been contacted by scammers since the start of the year. Some 14% more people than last year said they had been targeted. The most common scams involved delivery/postal services (55%), government spoofing (41%), investment fraud (29%), rebates and refunds (28%), banking (27%), online shopping (24%), healthcare (13%) and energy-related scams (13%). The researchers are urging users to think twice if presented with online offers that seem too good to be true and to take a step back if they feel rushed into making a decision, are asked for personal information, or have been told they must pay in an unusual way, such as via gift cards.

    Infosecurity reports: "Over Three-Quarters of UK Adults Hit by Online Scams"

  • news

    "Kennesaw State Researchers Highlight Gaps in Data Security Considerations for Brainwave Tech"

    Researchers at Kennesaw State University (KSU) are bringing attention to the importance of bolstering the cybersecurity of emerging brainwave technologies, which they say are vulnerable to hacking and data breaches. Adriane Randolph, professor of information systems at KSU, and doctoral student Rosemary Tufon wrote a research paper on the security threats faced by brainwave technology. Brainwave technologies can be used with a wired cap that feeds and decodes data directly into a computer, or wirelessly, with sensors worn on the scalp broadcasting readings that are picked up over Bluetooth and then decoded. This technology helps people whose ability to communicate is impaired by a disability. According to Randolph and Tufon, these neurophysiological tools could be more vulnerable to manipulation and to the exposure of sensitive information than previously thought. Randolph says that once advances in Machine Learning (ML) and processing are overlaid, a user's identity can be correlated with their brainwave patterns. Randolph and Tufon hope their research will encourage industries that use brainwave technology to prioritize information security. This article continues to discuss KSU's study highlighting gaps in data security considerations regarding brainwave technology.

    KSU reports "Kennesaw State Researchers Highlight Gaps in Data Security Considerations for Brainwave Tech"

  • news

    "NYFD Calls for Help With Doxing"

    The New York City Fire Department (NYFD) is seeking cybersecurity consultants to help it prevent the doxing of its 16,000 firefighters, emergency medical technicians, and administrative support personnel. Doxing is the weaponization of an individual's personal information to punish, harass, or encourage threats against them. The practice is a growing problem that potentially affects police, poll workers, school officials, and more. In a request for information (RFI), NYFD says it is looking for consultants who provide expertise and software solutions, including managed detection and response services, real-time threat mitigation, and recovery capabilities. NYFD also wants a vendor experienced in working with large organizations that can provide protection and strategies for addressing the misuse of Personally Identifiable Information (PII). This article continues to discuss NYFD's call for cybersecurity consultants to help protect responders' PII.

    GCN reports "NYFD Calls for Help With Doxing"

  • news

    "Only 10% of Vulnerabilities Are Remediated Each Month"

    Security researchers from SecurityScorecard and the Cyentia Institute found that only 60% of organizations have improved their security posture despite a 15-fold increase in cyberattacks over the last three years. The joint research set out to measure the speed of vulnerability remediation from 2019 to 2022 and found only modest progress. Of the 1.6 million organizations assessed, 53% had at least one vulnerability exposed to the internet, while 22% had accumulated more than 1,000 vulnerabilities each, confirming that more work is required to protect critical assets. The financial sector had among the slowest remediation rates (median time to remediate half of its findings = 426 days), while utilities ranked among the fastest (median = 270 days). Surprisingly, despite a 15-fold increase in exploitation activity for vulnerabilities with published exploit code, there was little evidence that organizations fixed exploited flaws any faster than the rest. Regardless of how many total vulnerabilities existed across their domain(s), organizations typically fixed about 10% of their open findings each month. The information sector (62.6%) and public sector (61.6%) had the highest prevalence of open vulnerabilities, while the financial sector (48.6%) had the lowest.

    Help Net Security reports: "Only 10% of Vulnerabilities Are Remediated Each Month"

  • news

    "Syslogk Linux Malware Has a Sneaky Way of Staying Hidden"

    Syslogk is a newly discovered, stealthy piece of Linux malware that delivers a backdoor, which remains hidden on the targeted machine until its controller sends so-called 'magic packets' from anywhere on the Internet. According to Avast researchers, the Syslogk Linux rootkit drops the Rekoobe backdoor Trojan and employs various techniques to keep the backdoor hidden until it is needed. The version of Syslogk that Avast analyzed only works on older versions of the Linux kernel, but the malware appears to be under active development. Rekoobe has been used by APT31, also known as Zirconium, a Chinese state-sponsored threat actor; it is based on TinyShell, an open-source UNIX backdoor project, and the Syslogk rootkit contains references to TinyShell dating back to December 13, 2018. Syslogk itself is primarily based on Adore-Ng, an open-source kernel rootkit for Linux. Syslogk adds new features that make both the user-mode application and the kernel rootkit harder to detect than Adore-Ng, which can already conceal files, processes, and the kernel module. This article continues to discuss the Avast researchers' findings surrounding the Syslogk Linux malware.

    ZDNet reports "Syslogk Linux Malware Has a Sneaky Way of Staying Hidden"

  • news

    "Human Error to Blame for Eight Out of 10 Data Breaches"

    According to a new CybSafe analysis of data from the UK Information Commissioner's Office (ICO), human error was responsible for 80 percent of data breaches reported in 2021. Last year, the ICO received 2,692 reports, 80 percent of which could be attributed to end-user actions. Oz Alashe, CEO of CybSafe, pointed out that human error is a major factor in attackers gaining access to sensitive information and encrypted channels within organizations. Cybercriminals frequently choose the path of least resistance and exploit employee weaknesses, so Alashe argues that organizations must shift their focus to users' security behaviors. Combating the threat of breaches, he says, calls on organizations to abandon box-ticking awareness exercises in favor of addressing the human side of cybersecurity in order to achieve genuine behavioral change. An empathetic and understanding approach is more likely to improve employees' security awareness and behavior while avoiding negative consequences. People play an important role in protecting the companies they work for, and human cyber risk can almost always be significantly reduced by encouraging changes in employee cyber awareness, behavior, and culture. This article continues to discuss the key findings from CybSafe's analysis and the importance of increasing efforts to reduce human error.

    BetaNews reports "Human Error to Blame for Eight Out of 10 Data Breaches"

  • news

    "Bill Calls on FDA to Regularly Update Medical Device Security Guidelines"

    The Strengthening Cybersecurity for Medical Devices Act would require the US Food and Drug Administration (FDA) to review and update its medical device security guidelines more frequently. Senators Jacky Rosen (D-NV) and Todd Young (R-IN) introduced the bipartisan legislation, calling on the FDA to collaborate with the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) to review industry guidance, make appropriate updates every two years, and provide the industry with new information about how to strengthen medical device cybersecurity. This information would include guidelines for identifying and addressing medical device security vulnerabilities, as well as how providers, health systems, and medical device manufacturers can effectively get assistance from CISA, the US Department of Health and Human Services (HHS), and other government entities. The bill would also require the Government Accountability Office (GAO) to produce a report that evaluates the challenges that providers, health systems, and manufacturers face in accessing federal support when addressing medical device security vulnerabilities. The GAO's report would include guidance on how federal agencies can improve coordination to improve medical device security.

    HealthITSecurity reports "Bill Calls on FDA to Regularly Update Medical Device Security Guidelines"

  • news

    "Iran Spear-Phishers Hijack Email Conversations in New Campaign"

    Security researchers at Check Point have uncovered a major new state-backed spear-phishing operation targeting multiple high-ranking Israeli and US officials. The researchers traced the campaign to the Iranian Phosphorus APT group. Dating back to at least December 2021, it has targeted former Israeli foreign minister and deputy Prime Minister Tzipi Livni, a former major general in the Israeli Defense Forces (IDF), and a former US ambassador to Israel. Other targets included a senior executive in Israel's defense industry and the chair of one of the country's leading security think tanks. The methodology is fairly straightforward. The attacker compromises the inbox of a frequent contact of the target and hijacks an existing conversation between the two. They then register a new spoofed email address impersonating the same contact, in a format resembling joe.doe.corp[@]gmail.com, and continue the conversation from that address, exchanging multiple messages. Real documents are sometimes used as part of the exchange to add legitimacy and relevance to the scam. The researchers stated that the most sophisticated part of the operation is the social engineering: the attackers use real hijacked email chains, impersonate well-known contacts of the targets, and craft specific lures for each target, so the phishing chain is tailored individually to every victim.

    Infosecurity reports: "Iran Spear-Phishers Hijack Email Conversations in New Campaign"
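
    A detection check for the pattern described above, added here as an example and not code from Check Point or the page: a message that continues an existing thread arrives from an address that was never on the thread, whose freemail local-part reuses a known contact's name (the joe.doe.corp[@]gmail.com shape), or whose display name matches a known contact while the address does not. The address book, the freemail list and the sample addresses are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed address book (display name -> canonical address) and freemail list.
# Names and domains are placeholders, not data from the Check Point research.
KNOWN_CONTACTS = {
    "Joe Doe": "joe.doe@corp.example",
}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def _tokens(text):
    """Lower-case word tokens, so 'Joe Doe', 'joe.doe' and 'joe_doe' compare equal."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def classify_sender(from_header, thread_participants):
    """Findings for the From: header of a message that continues an existing thread.

    thread_participants: addresses seen on the thread before this message.
    Flags (1) an address that was not previously on the thread, (2) a freemail
    local-part that reuses a known contact's name tokens (joe.doe.corp@gmail.com
    standing in for joe.doe@corp.example), and (3) a display name that matches a
    known contact while the address does not.
    """
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    findings = []

    if addr not in {p.lower() for p in thread_participants}:
        findings.append("new-address-in-existing-thread")

    for contact_name, contact_addr in KNOWN_CONTACTS.items():
        contact_addr = contact_addr.lower()
        if addr == contact_addr:
            continue  # genuinely the known contact, nothing to flag
        name_tokens = _tokens(contact_name) | _tokens(contact_addr.partition("@")[0])
        if name_tokens <= _tokens(local) and domain in FREEMAIL_DOMAINS:
            findings.append(f"freemail-lookalike-of:{contact_addr}")
        if _tokens(display_name) and _tokens(display_name) == _tokens(contact_name):
            findings.append(f"display-name-match-different-address:{contact_addr}")
    return findings
```

    Any one finding on its own is noisy (people do write from personal accounts); the combination of all three on a reply that also carries an attachment is the signal worth routing to a human.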

  • news

    "Conti Ransomware Develops Proof-of-Concept Code for Firmware Attacks"

    An examination of leaked Conti ransomware gang chats revealed that the cybercrime group was planning firmware attacks against the Intel Management Engine (ME). The firmware has several implementations, including the Intel Manageability Engine (before Skylake), the Intel Converged Security and Management Engine (Skylake and later), the Intel Trusted Execution Engine (Atom processors), and Server Platform Services (servers). Intel ME offers a number of features, including anti-theft protection and out-of-band management. Compromising it would allow threat actors to install a backdoor on Intel-based devices and execute commands without being detected by operating-system-based security tools. The chats also appear to confirm a link between the Conti ransomware gang and the Russian Federal Security Service (FSB). The group intended to exploit ME firmware to gain indirect access to the UEFI/BIOS, drop additional payloads, and gain runtime control of the system beneath the operating system via System Management Mode (SMM). According to the analysis, the attackers sought to reach the SPI flash (the memory chip that holds the UEFI/BIOS system firmware) from the ME in order to generically bypass other protections. This article continues to discuss the Conti ransomware group's proof-of-concept code for firmware attacks, the possible exploitation of the supply chain to deliver firmware malware, and firmware attack deployment scenarios.

    CPO Magazine reports "Conti Ransomware Develops Proof-of-Concept Code for Firmware Attacks"

  • news

    "Operator of 'DownThem' DDoS Service Sentenced to 24 Months in Prison"

    The operator of an infamous service that allowed users to launch distributed denial-of-service (DDoS) attacks was recently sentenced to 24 months in prison. Matthew Gatrel, 33, of St. Charles, Illinois, was convicted in September 2021 on three counts of computer-related and wire fraud felonies. According to court documents, Gatrel owned and operated DownThem.org, a website that sold subscriptions for launching powerful DDoS attacks. Gatrel also owned AmpNode.com, which provided bulletproof hosting to paying customers and facilitated server spoofing and DDoS amplification. Records obtained when DownThem was taken down in 2018 showed that the DDoS-for-hire (or 'booter') service had roughly 2,000 users and had been used to launch over 200,000 attacks on targets such as government websites, financial institutions, schools, universities, and homes. DownThem offered multiple subscription plans, differentiated by price and attack capability, some allowing users to launch several simultaneous attacks. Juan Martinez, 29, of Pasadena, a co-administrator of DownThem and co-defendant in the case who pleaded guilty in August 2021, was sentenced to five years' probation.

    SecurityWeek reports: "Operator of 'DownThem' DDoS Service Sentenced to 24 Months in Prison"

  • news

    "Attack on Kaiser Permanente Exposes Data on 70,000 Customers"

    Kaiser Permanente, a leading US healthcare provider, has warned that as many as 70,000 individuals may have had personally identifiable information (PII) exposed to a malicious third party. A data breach notice sent to customers earlier this month said the company discovered the unauthorized access on April 5. Its IT team terminated the access within hours of it beginning and promptly opened an investigation to determine the scope of the incident. The investigation determined that protected health information was contained in emails accessed by the unauthorized party; while the company has no indication that the party actually viewed that information, it cannot completely rule out the possibility. The protected health information potentially exposed included first and last names, medical record numbers, dates of service, and laboratory test results. Kaiser Permanente noted that the exposed data did not include Social Security numbers or credit card numbers. The healthcare provider said it reset the affected employee's password and gave them additional training to mitigate the risk of a repeat incident.

    Infosecurity reports: "Attack on Kaiser Permanente Exposes Data on 70,000 Customers"

  • news

    "Hello XD Ransomware Now Drops a Backdoor While Encrypting"

    Researchers with Palo Alto Networks Unit 42 report a rise in the activity of the Hello XD ransomware, whose operators are now using an updated sample with stronger encryption. The Hello XD ransomware family, which was first observed in November 2021, was based on the leaked source code of Babuk. It was involved in a few double-extortion attacks in which threat actors stole corporate data prior to device encryption. According to a new report from the researchers, the ransomware's author has developed a new encryptor featuring custom packing for detection evasion and changes in the encryption algorithm, thus marking a major shift from the Babuk code. This also indicates the author's intention to create a new ransomware strain with unique capabilities and features for stronger attacks. This article continues to discuss the latest version of Hello XD ransomware.

    Bleeping Computer reports "Hello XD Ransomware Now Drops a Backdoor While Encrypting"

  • news

    "Drupal Patches 'High-Risk' Third-Party Library Flaws"

    The Drupal security team has released an advisory calling attention to serious vulnerabilities in a third-party library, warning that attackers could exploit the bugs to hijack Drupal-powered websites remotely. The vulnerabilities, tracked as CVE-2022-31042 and CVE-2022-31043, were found and fixed in Guzzle, the third-party library Drupal uses to handle HTTP requests to and responses from external services. The security team noted that the vulnerabilities do not affect Drupal core but may affect some contributed projects or custom code on Drupal sites. Guzzle has rated the vulnerabilities as high-risk. The security team recommends that users install the updated releases for the supported branches (Drupal 9.2 through Drupal 9.4), and notes that all versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.

    SecurityWeek reports: "Drupal Patches 'High-Risk' Third-Party Library Flaws"

  • news

    "Hackers From Iran Seen Employing New DNS Hijacking Malware in Latest Cyberattacks"

    Lyceum, an Iranian Advanced Persistent Threat (APT) group, has switched to deploying a new custom .NET-based backdoor in recent attacks targeting the Middle East. According to Avinash Kumar and Niraj Shivtarkar of Zscaler ThreatLabz, the .NET-based DNS backdoor is a modified version of the open-source application 'DIG.net.' The malware employs a DNS attack technique known as 'DNS Hijacking,' which involves an attacker-controlled DNS server that manipulates and resolves DNS query responses. DNS hijacking is a redirection attack in which DNS requests for legitimate domains are intercepted and used to redirect a user to attacker-controlled fake pages. Unlike cache poisoning, DNS hijacking attacks the website's DNS record on the nameserver instead of the resolver's cache. This article continues to discuss the new DNS hijacking malware being used by Lyceum against targets in the Middle East, as well as the history of the APT group.

    CyberIntelMag reports "Hackers From Iran Seen Employing New DNS Hijacking Malware in Latest Cyberattacks"

  • news

    "Cybercriminals, State-Sponsored Threat Actors Exploiting Confluence Server Vulnerability"

    Security researchers at Microsoft have found that a recently patched Confluence Server vulnerability is being exploited by multiple cybercrime and state-sponsored threat groups. The security hole, tracked as CVE-2022-26134, can be exploited by an unauthenticated attacker for remote code execution. It affects all supported versions of Confluence Server and Data Center and has been patched by Atlassian with the release of versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. The zero-day was exploited before its existence came to light, but the volume of attacks increased significantly following disclosure: in the days immediately afterwards, researchers reported seeing thousands of internet-exposed Confluence servers that could have been vulnerable. The initial attacks exploiting CVE-2022-26134 appeared to come from China and focused on delivering web shells. Threat intelligence company GreyNoise has so far seen more than 1,700 unique IP addresses attempting to exploit the vulnerability. Microsoft named two groups observed targeting CVE-2022-26134: DEV-0401 and DEV-0234. The former is a China-based ransomware operator known to deploy various ransomware families, including LockFile, AtomSilo, and Rook; in the attacks aimed at Confluence Server instances, Microsoft saw it deliver a piece of ransomware named Cerber2021.

    SecurityWeek reports: "Cybercriminals, State-Sponsored Threat Actors Exploiting Confluence Server Vulnerability"
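
    Because the fix above shipped as one release per supported branch, "am I patched?" is a branch-aware comparison, not a single threshold. The checker below is an added example (not Atlassian's or the page's code); it takes the seven fixed versions listed in the item, assumes plain dotted numeric version strings, and treats a branch with no fixed release as unpatched because there is nothing within that branch to update to. The host names in the inventory are constructed.

```python
# Fixed releases from the advisory described above, one per patched x.y branch.
FIXED_CONFLUENCE = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def _ver(s):
    """'7.13.7' -> (7, 13, 7). Assumes plain dotted numeric versions (no -rc suffixes)."""
    return tuple(int(p) for p in s.split("."))


def is_patched(installed, fixed_versions=FIXED_CONFLUENCE):
    """True if `installed` is at or above the fixed release of its own x.y branch.

    A branch with no fixed release (7.12.x here) is reported unpatched: the only
    remedy is moving to a branch that has one. A version newer than every fixed
    release is taken as patched, since later branches ship with the fix.
    """
    v = _ver(installed)
    fixed = sorted(_ver(f) for f in fixed_versions)
    branch_fixes = [f for f in fixed if f[:2] == v[:2]]
    if branch_fixes:
        return v >= branch_fixes[-1]
    return v > fixed[-1]


def unpatched_hosts(inventory, fixed_versions=FIXED_CONFLUENCE):
    """Reduce a {hostname: version} inventory to the hosts that are still exposed."""
    return sorted(host for host, ver in inventory.items()
                  if not is_patched(ver, fixed_versions))
```

    The same function works for any advisory that lists one fixed release per branch; only the list changes.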

  • news

    "DoS Vulnerability Allows Easy Envoy Proxy Crashes"

    Researchers have uncovered a Denial-of-Service (DoS) vulnerability in Envoy Proxy that allows attackers to crash the proxy server. According to JFrog Security Research, which disclosed the vulnerability, this could result in performance degradation or the unavailability of the resources the proxy fronts. Envoy is a popular open-source edge and service proxy designed for cloud-native applications and high-traffic websites. It can decompress gzip- and Brotli-encoded data, but it imposed no size limit on the Brotli decompressor's output buffer, so a 'zip bomb' (a small, highly compressible payload built to exhaust the memory or CPU of whatever expands it) could fill the buffer with a near-unlimited quantity of data. An attacker could exploit the flaw by sending a Brotli-compressed bomb to the proxy, causing severe performance issues. Users are advised to upgrade to Envoy version 1.19.5, 1.20.4, 1.21.3, or 1.22.1 to fix the issue. This article continues to discuss the DoS vulnerability discovered in the Envoy Proxy.

    Dark Reading reports "DoS Vulnerability Allows Easy Envoy Proxy Crashes"
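
    The defence the Envoy fix amounts to is a cap on decompressed output that is enforced while inflating, not after. The block below is an added example of that pattern, not Envoy's code: Python's standard library has no Brotli decoder, so gzip (which Envoy also handles) stands in, the 1 MiB budget is an assumed policy value, and the bomb is constructed in the block from zero bytes.

```python
import gzip
import zlib

MAX_OUTPUT = 1024 * 1024  # assumed policy: never inflate a body past 1 MiB


class DecompressionBomb(Exception):
    """Raised when inflating would exceed the configured output budget."""


def bounded_gunzip(data, max_output=MAX_OUTPUT, chunk=64 * 1024):
    """Inflate gzip `data`, refusing to produce more than `max_output` bytes.

    zlib.decompressobj.decompress(buf, max_length) caps each step's output and
    parks the unread input in unconsumed_tail, so the budget is checked as the
    stream expands rather than after the whole body has been materialised.
    """
    d = zlib.decompressobj(wbits=31)  # 31 = expect a gzip wrapper
    out = bytearray()
    buf = data
    while not d.eof:
        piece = d.decompress(buf, chunk)
        out += piece
        if len(out) > max_output:
            consumed = len(data) - len(d.unconsumed_tail)
            raise DecompressionBomb(
                f"output exceeded {max_output} bytes after only {consumed} input bytes")
        buf = d.unconsumed_tail
        if not piece and not buf:
            break  # input exhausted without end-of-stream: truncated, not a bomb
    return bytes(out)


def inflates_past(data, max_output=MAX_OUTPUT):
    """True if `data` would blow the output budget; False if it inflates safely."""
    try:
        bounded_gunzip(data, max_output)
    except DecompressionBomb:
        return True
    return False


def make_zero_bomb(size=8 * 1024 * 1024):
    """Constructed test input: `size` zero bytes gzipped, only a few KB on the wire."""
    return gzip.compress(b"\0" * size)
```

    The ratio between the bytes consumed and the output produced at the moment of rejection is the useful number to log: a legitimate response rarely inflates more than a few tens of times, a bomb inflates by thousands.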

  • news

    "Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks"

    Gallium, a Chinese Advanced Persistent Threat (APT) group, has been spotted deploying a previously unknown Remote Access Trojan (RAT) in its espionage attacks targeting companies in Southeast Asia, Europe, and Africa. According to new research published by Palo Alto Networks Unit 42, the RAT called "PingPull" is a difficult-to-detect backdoor that uses the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications. PingPull is a Visual C++-based malware that allows a threat actor to access a reverse shell and execute arbitrary commands on a compromised computer, which includes carrying out file operations, enumerating storage volumes, and timestamping files. Researchers have also identified PingPull variants relying on HTTPS and TCP to communicate with its C2 server instead of ICMP and more than 170 IP addresses associated with the group since late 2020. This article continues to discuss the history of the Gallium APT group, its expanded victimology, and its use of the new PingPull malware in cyberespionage attacks.

    THN reports "Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks"

  • news

    "Researchers: Wi-Fi Probe Requests Expose User Data"

    A group of academic researchers from the University of Hamburg in Germany has discovered that mobile devices leak identifying information about their owners via Wi-Fi probe requests. Mobile devices send these probe requests to learn about nearby Wi-Fi access points and establish connections to them when a probe response is received. The researchers found that attackers who can sniff network traffic can use the probe requests to track and identify devices and even pinpoint their location. According to the researchers, roughly a quarter of probe requests contain the Service Set Identifiers (SSIDs) of networks the devices were previously connected to, which could be used to reveal home addresses or visited locations. The researchers stated that probe requests can be used to "trilaterate the location of a device with an accuracy of up to 1.5 meters" or to follow the movement of a device and thereby track its owner.

    SecurityWeek reports: "Researchers: Wi-Fi Probe Requests Expose User Data"
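
    What the leak described above looks like at the frame level, as an added example that is not the Hamburg team's code: a probe request is an 802.11 management frame (subtype 4) whose body is a run of (id, length, value) elements, and element id 0 carries the SSID, empty for a wildcard probe and populated for a "directed" probe that names a remembered network. The parser below pulls the transmitter address and SSID out of raw frame bytes; the frames are built in the block and the MAC addresses and network names are constructed, not captured.

```python
def build_probe_request(src_mac, ssid):
    """Constructed test frame, not a capture: a probe request transmitted by src_mac.

    An empty `ssid` gives the wildcard (broadcast) probe; a non-empty one is the
    directed probe that reveals a network the device remembers.
    """
    frame_control = bytes([0x40, 0x00])      # type 0 (management), subtype 4 (probe req)
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6
    transmitter = bytes.fromhex(src_mac.replace(":", ""))
    seq_ctrl = b"\x00\x00"
    header = frame_control + duration + broadcast + transmitter + broadcast + seq_ctrl
    ssid_bytes = ssid.encode("utf-8")
    ssid_elem = bytes([0, len(ssid_bytes)]) + ssid_bytes        # element id 0 = SSID
    rates_elem = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])           # element id 1 = rates
    return header + ssid_elem + rates_elem


def parse_probe_request(frame):
    """Return (transmitter_mac, ssid) for an 802.11 probe request, else None.

    Header: frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctrl(2).
    Body: information elements as (id, length, value); id 0 is the SSID.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != (0, 4):
        return None                                   # not a management/probe request frame
    transmitter = ":".join(f"{b:02x}" for b in frame[10:16])
    body, i, ssid = frame[24:], 0, None
    while i + 2 <= len(body):
        elem_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                                     # truncated element: stop parsing
        if elem_id == 0:
            ssid = value.decode("utf-8", "replace")   # "" means a wildcard probe
        i += 2 + length
    return transmitter, ssid


def leaked_ssids(frames):
    """Map each transmitter MAC to the set of network names it revealed in probes."""
    leaks = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:
            leaks.setdefault(parsed[0], set()).add(parsed[1])
    return leaks
```

    A device that randomises its MAC per probe burst defeats tracking by address, but the set of SSIDs it names is still a fingerprint of where its owner has been, which is why directed probes are the more serious leak.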

  • news

    "Gone in 130 Seconds: New Tesla Hack Gives Thieves Their Own Personal Key"

    Tesla released an upgrade last year that made it easier to start its vehicles after unlocking them with their NFC key cards. A researcher has now demonstrated how the feature can be used to steal cars. For years, drivers who used their Tesla NFC key card to unlock their vehicles had to place the card on the center console before they could start driving. After the change, drivers could operate their vehicles immediately after unlocking them with the card. The NFC card is one of three means of unlocking a Tesla, with a key fob and a phone app being the other two. Martin Herfurt, a security researcher in Austria, quickly spotted something strange about the new feature: not only did it let the car be started without further authentication for 130 seconds after being unlocked with the NFC card, but during that window it also let the car enroll new keys, with no authentication and no notification on the in-car display. This article continues to discuss Herfurt's discovery of how the key card feature introduced by Tesla could be exploited to add an unauthorized key that lets an attacker open and start a Tesla vehicle.

    Ars Technica reports "Gone in 130 Seconds: New Tesla Hack Gives Thieves Their Own Personal Key"

  • news

    "Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in 'SeaFlower' Campaign"

    Security researchers at Confiant have discovered that cybercriminals likely operating out of China are distributing backdoored versions of iOS and Android Web3 wallets in an effort to steal users' seed phrases. According to the researchers, the attackers have targeted the iOS and Android versions of applications such as Coinbase Wallet, MetaMask Wallet, TokenPocket, and imToken. The attackers have not compromised these apps themselves; instead, they have created backdoored builds that keep the wallet's legitimate functionality while also exfiltrating the user's seed phrase, which can then be used to drain the victim's cryptocurrency. The researchers stated that SeaFlower differs drastically from the other Web3 intrusion sets they track, with little to no overlap in infrastructure and a different level of technical capability and coordination: reverse engineering iOS and Android apps, modifying them, provisioning, and automated deployment. The fake apps have been distributed through websites set up by the attackers that clone each app's legitimate website, and potential victims are lured there via search engine poisoning targeting Baidu and other Chinese search engines. On iOS devices, the SeaFlower backdoored apps are installed using provisioning profiles. The researchers have notified Apple about the developer IDs linked to these profiles, and Apple has revoked the ones identified so far.

    SecurityWeek reports: "Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in 'SeaFlower' Campaign"

  • news

    "Businesses Are Leaving Bot Attacks Unchallenged for Almost Four Months"

    Netacea has published new research on how businesses are dealing with bot attacks, revealing one critical area where companies are failing to combat them. According to Netacea's report, bots are going undetected for an average of 16 weeks, two weeks longer than in last year's findings. The study polled 440 organizations in the travel, entertainment, eCommerce, financial services, and telecommunications sectors in the US and the UK. It is a follow-up to last year's research, and it shows businesses doing worse than last year in the battle against bots on almost every measure. In addition to bot attacks going undiscovered for longer, Netacea found a shift in what bot operators target, with 60 percent of businesses detecting attacks on Application Programming Interfaces (APIs) and 39 percent detecting attacks on mobile apps (up from 46 percent and 23 percent in 2021, respectively). Each of the four major forms of bot attack (sniper, account checker, scalper, and scraper) has increased by 7 to 9 percent since 2021, and account checker attacks are now detected by 53 percent of companies. Nearly 97 percent of businesses reported that bot attacks have affected customer satisfaction. This article continues to discuss key findings from Netacea's research into how businesses are handling bot attacks.

    Help Net Security reports "Businesses Are Leaving Bot Attacks Unchallenged for Almost Four Months"

  • news

    "Potent Emotet Variant Spreads Via Stolen Email Credentials"

    Emotet's return in April appears to be a full comeback for what was once considered the most dangerous malware in the world, as researchers have observed new malicious phishing campaigns that use hijacked email accounts to spread new variants of the malware. Deep Instinct's Charles Everette highlighted in a blog post that the "new and improved" Emotet collects stolen credentials and then weaponizes them to distribute the Emotet binaries further. Emotet continues to use many of the same attack vectors it has in the past, but these attacks are becoming more complex and are evading the standard security technologies used today to detect and filter them. This article continues to discuss the resurgence and history of the Emotet malware.

    Threatpost reports "Potent Emotet Variant Spreads Via Stolen Email Credentials"

  • news

    "FIU Awarded $2 Million to Develop Artificial Intelligence Cybersecurity Tools"

    Researchers at Florida International University's (FIU) College of Engineering and Computing have been awarded $2 million by the US Department of Energy (DOE) to develop technology for preventing, detecting, analyzing, and mitigating cyberattacks on US energy systems. The FIU team, experienced in cybersecurity and smart energy grids, will lead the project to advance state-of-the-art methods in cyberattack detection and bolster the security of power grids. The project, called "Artificial Intelligence-Enabled Tools (ArtIT) for Cyber Hardening of Power Grids," entails developing Artificial Intelligence (AI) methods and analytics for identifying attacks in real time and creating intelligent controllers to improve the attack resiliency of the bulk power system. The team will validate and test its tools with utility and industry partners. Each element of the project addresses a specific problem; one goal, for example, is to enhance Moving Target Defense (MTD), a strategy used to confuse attackers. The project is one of six new DOE-funded research, development, and demonstration projects totaling $12 million, with the other awards going to university teams at Iowa State University, New York University, Texas A&M Engineering Experiment Station, the University of Illinois at Chicago, and Virginia Polytechnic Institute and State University. This article continues to discuss the support and goals of FIU's ArtIT project for strengthening the cybersecurity of power grids.

    FIU reports "FIU Awarded $2 Million to Develop Artificial Intelligence Cybersecurity Tools"

  • news

    Visible to the public "Hackers Depend on Trust. Don't Give It to Them: U of G Cybersecurity Researcher"

    As more social media users claim that their accounts have been hacked and transformed into scam accounts, a University of Guelph cybersecurity expert believes that many hackers are employing sophisticated tactics to exploit trust and carry out these schemes. Dr. Ali Dehghantanha, director of both the Cyber Science Lab and the master of cybersecurity and threat intelligence program at the University of Guelph, pointed out several ways in which hackers exploit a user's trust. One involves hijacking an organization's business website to lure in victims. If an organization has not implemented proper security, hackers can take over its website, use deepfake technology to display fake images, and more. As long as the deepfakes remain on the website, they can shape users' perception of whatever is being presented, allowing the hackers to gain the users' trust. When a user clicks on a link to a service, such as a dog grooming service, the hacker can access the user's bitcoin, NFTs, or other digital assets or take over their account completely. Hackers can also gain access to a user's digital assets or account through the information contained in screenshots. When a user sends a screenshot to a hacker, the malicious actor now has personalized information about that user and can exploit it. This article continues to discuss key points made by Dehghantanha on how hackers gain the trust of users.

    UG reports "Hackers Depend on Trust. Don't Give It to Them: U of G Cybersecurity Researcher"

  • news

    Visible to the public "InfiRay Thermal Camera Flaws Can Allow Hackers to Tamper With Industrial Processes"

    Security researchers at SEC Consult have discovered that InfiRay thermal cameras are affected by vulnerabilities that could allow malicious hackers to tamper with industrial processes. InfiRay is a brand of China-based iRay Technology that manufactures optical components. InfiRay specializes in the development and manufacturing of infrared and thermal imaging solutions, with its products being sold in 89 countries and regions. The security researchers discovered that at least one of the vendor's thermal cameras, the A8Z3 model, is affected by several potentially serious vulnerabilities. According to the researchers, the product is affected by five types of potentially critical vulnerabilities. One issue is related to hardcoded credentials for the camera's web application. Since these accounts cannot be deactivated and their passwords cannot be changed, they can be considered backdoor accounts that can provide an attacker access to the camera's web interface. From there, an attacker can leverage another vulnerability for arbitrary code execution. The researchers also found a buffer overflow in the firmware and multiple outdated software components that are known to contain vulnerabilities. They also found a Telnet root shell that, by default, is not protected by a password, giving an attacker on the local network the ability to execute arbitrary commands as root on the camera. The A8Z3 is used in industrial environments to check/control temperatures. The researchers stated that an attacker would be able to report wrong temperatures and thus create inferior products or halt the production. SEC Consult reported its findings to the vendor more than a year ago, but the company has been unresponsive, so it's unclear if patches are available.

    SecurityWeek reports: "InfiRay Thermal Camera Flaws Can Allow Hackers to Tamper With Industrial Processes"

  • news

    Visible to the public "US Water Utilities Prime Cyberattack Target, Experts"

    The Center on Cyber and Technology Innovation (CCTI) and the Cyberspace Solarium Commission (CSC 2.0) have released policy statements based on a recent panel discussion on strengthening the cybersecurity of American water utilities. The panel included representatives from government and environmental agencies, including the Environmental Protection Agency (EPA), American Water Works Association, and congresspersons within the United States House of Representatives. Water may be the most vulnerable component of our national infrastructure, according to Samantha Ravich, chair of CCTI. She noted that much of the problem derives from the fact that water systems are so decentralized. Each of these systems runs in a distinct threat environment, frequently with limited funds and even fewer cybersecurity specialists to deal with security risks. Ravich pointed out that it is inherently difficult to conduct federal oversight of, and provide adequate federal aid to, such a distributed network of utilities. According to the panelists, safeguarding key water infrastructure systems from hacking is more important than securing healthcare and the power grid, which includes nuclear plants. This article continues to discuss the vulnerability of US water utilities to cyberattacks.

    Threatpost reports "US Water Utilities Prime Cyberattack Target, Experts"

  • news

    Visible to the public "Chinese Cyberspy Group 'Aoqin Dragon' Targeting Southeast Asia, Australia Since 2013"

    Security researchers at SentinelOne have analyzed the operations of a Chinese cyberespionage group that has been actively targeting education, government, and telecommunication organizations in Australia and Southeast Asia since at least 2013. The researchers dubbed the group Aoqin Dragon. The group was observed switching from the use of malicious documents to employing a fake antivirus, and more recently using a fake removable drive to lure intended victims into installing malware on their systems. The researchers stated that the group heavily relies on the USB shortcut technique to infect additional targets. The group typically drops one of two backdoors on a compromised system, namely Mongall or a modified variant of Heyoka. According to the researchers, the ongoing Aoqin Dragon activity has focused on spying on organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Between 2012 and 2015, it mainly targeted victims with malicious documents exploiting CVE-2012-0158 and CVE-2010-3333. The researchers stated that the targeting of Aoqin Dragon closely aligns with the Chinese government's political interests. Considering this long-term effort and continuous targeted attacks for the past few years, the researchers assess the threat actor's motives are espionage-oriented.

    SecurityWeek reports: "Chinese Cyberspy Group 'Aoqin Dragon' Targeting Southeast Asia, Australia Since 2013"

  • news

    Visible to the public "Since 2004, the Average American Has Had at Least 7 Data Breaches"

    According to a recent report by IT security firm Surfshark, US citizens face more cyber threats than people anywhere else in the world. Surfshark found that the average American had been affected by at least seven data breaches since 2004 after analyzing nearly two decades of data on cyber incidents. US citizens have been subjected to an estimated 2.3 billion account compromises, while Russia ranks second with 2.2 billion account compromises, followed by China, Germany, and France. Agneska Sablovskaja, data researcher at Surfshark, revealed that 191 accounts are breached per 100 people on a global basis, but in the US, this number increases to 694 per 100 people. The number of hacked American accounts is so large that it accounts for roughly 15 percent of all breached users worldwide. Statistically, every Internet user in the US has lost 27 data points on average due to online breaches, the majority of which were emails, passwords, and usernames. Since 2004, a total of 8.7 billion American last names, IP addresses, first names, passwords, usernames, and other data points have been sold or leaked online. This means that a specific username is quite likely to have been grouped with other personal data, giving hackers easy access to the victim's other accounts, emails, images, or documents. This article continues to discuss the key findings from Surfshark's analysis of global data on cyber incidents.

    SC Media reports "Since 2004, the Average American Has Had at Least 7 Data Breaches"

  • news

    Visible to the public "Researchers Disclose Critical Flaws in Industrial Access Control System from Carrier"

    Carrier's LenelS2 HID Mercury access control system, which is widely used in healthcare, education, transportation, and government buildings, has been found to contain eight zero-day vulnerabilities. According to Trellix security researchers Steve Povolny and Sam Quinn, the vulnerabilities allowed them to demonstrate the ability to remotely unlock and lock doors, manipulate alarms, and degrade logging and notification systems. The critical security flaws could be weaponized by a threat actor to gain complete control of the system, including its door locks. One of the bugs is an unauthenticated remote execution vulnerability with a CVSS severity rating of 10 out of 10. The other flaws could lead to command injection, Denial-of-Service (DoS), user modification, information spoofing, and arbitrary file write. This article continues to discuss the critical flaws discovered in Carrier's widely used LenelS2 HID Mercury access control system.

    THN reports "Researchers Disclose Critical Flaws in Industrial Access Control System from Carrier"

  • news

    Visible to the public "Researchers Block Two Million Extortion Emails Daily"

    Security researchers at Proofpoint are warning users to be on the lookout for extortion scams. Proofpoint claimed that it blocks, on average, a million extortion emails every 24 hours, rising to two million on high-volume days. The researchers stated that such threats are not new, but the data shows how widespread they have become. The researchers noted that victim information such as passwords, typically taken from earlier breaches, is often included in the email to add legitimacy to the threat actor's claim of having hijacked the victim's machine. The researchers stated that cryptocurrency payments are a key part of these threats, enabling the attacker to remain anonymous. They noted that the extortion branch of the Business Email Compromise (BEC) taxonomy would not be as successful or as profound as it is today without cryptocurrency.

    Infosecurity reports: "Researchers Block Two Million Extortion Emails Daily"

  • news

    Visible to the public "Strange Ransomware Markets Decryptor on Roblox Game Pass Store"

    A decryptor for a new ransomware called 'WannaFriendMe' is being sold on the Roblox gaming platform using the service's in-game Robux currency. Roblox is a popular game, with more than 50 million daily active users worldwide. The gaming platform allows users to make their own games and monetize them by selling Game Passes, which provide players access to in-game products, unique features, and more. Members must use Robux, a virtual currency, to purchase these Game Passes. According to the MalwareHunter Team, the WannaFriendMe ransomware imitates the Ryuk ransomware, but it is actually a variant of the Chaos ransomware. In June 2021, a malicious actor began selling a Chaos ransomware builder, which allowed would-be criminals to customize ransom notes, encrypted file extensions, and other aspects of their ransomware. This article continues to discuss the WannaFriendMe ransomware and the decryptor made available for purchase on the Roblox gaming platform.

    CyberIntelMag reports "Strange Ransomware Markets Decryptor on Roblox Game Pass Store"

  • news

    Visible to the public "States Try Incentive-Based Cybersecurity"

    Three states have passed cybersecurity laws that place the burden of proof on the accused, which means that an organization that suffers a breach can avoid disciplinary action if it can demonstrate that it adhered to recognized cybersecurity frameworks and implemented the best controls available at the time. During a session titled "The State(s) of Cyber Incentives - Creative Laws Driving Better Security" at the 2022 RSA Conference, panelists said that providing a financial incentive prompts better security. The panelists also pointed out the need and difficulties of getting cyber insurance plans. It was assumed that insurers would set cybersecurity standards, similar to how insurers inform building codes, but it is easier to predict the impact of natural disasters than the effects of ransomware or Denial-of-Service (DoS) attacks. This article continues to discuss key points made by panelists at RSA pertaining to incentive-based cybersecurity, the Cybersecurity Standards Act, the Ohio Data Protection Act (ODPA), Utah's Cybersecurity Affirmative Defense Act, and cyber insurance policies.

    GCN reports "States Try Incentive-Based Cybersecurity"

  • news

    Visible to the public "Phishing at All-Time High; 1 Million Attacks in Q1 2022"

    According to the APWG's latest Phishing Activity Trends Report, 1,025,968 phishing attacks were observed in the first quarter of 2022, marking the first time the three-month total surpassed one million. In March 2022, APWG observed a record monthly total of 384,291 phishing attacks. APWG founding member OpSec Security reported that in the first quarter of 2022, phishing attacks against the financial sector, including banks, accounted for 23.6 percent of all phishing. Attacks on webmail and Software-as-a-Service (SaaS) providers were still prevalent, while attacks on retail/eCommerce sites decreased from 17.3 to 14.6 percent following the holiday shopping season. Phishing against social media sites increased dramatically, from 8.5 percent of all attacks in the fourth quarter of 2021 to 12.5 percent in the first quarter of 2022. Phishing attacks targeting cryptocurrency exchanges and wallet providers grew slightly, from 6.5 percent to 6.6 percent. This article continues to discuss key findings shared in APWG's new Phishing Activity Trends Report.

    Security Magazine reports "Phishing at All-Time High; 1 Million Attacks in Q1 2022"

  • news

    Visible to the public "MIT Researchers Uncover ‘Unpatchable’ Flaw in Apple M1 Chips"

    Security researchers at MIT have discovered that Apple's M1 chips have an "unpatchable" hardware vulnerability that could allow attackers to defeat one of the chip's last lines of defense. The researchers stated that the vulnerability lies in a hardware-level security mechanism used in Apple M1 chips called pointer authentication codes (PACs). The feature makes it much harder for an attacker to inject malicious code into a device's memory and provides a level of defense against buffer overflow exploits, attacks in which a program writes past the end of a buffer and corrupts adjacent memory. The researchers, however, have created a novel hardware attack that combines memory corruption with speculative execution to sidestep the security feature. They stated that the attack shows pointer authentication can be defeated without leaving a trace, and because it exploits a hardware mechanism, no software patch can fix it. The attack, appropriately named "Pacman," works by "guessing" a PAC, a short cryptographic tag stored in the otherwise unused upper bits of a pointer that lets the processor verify the pointer has not been tampered with. The guessing is done using speculative execution, a technique modern processors use to speed up execution by running instructions ahead of time, to test PAC values without triggering a crash, while a hardware side channel reveals whether or not each guess was correct. Since there are only so many possible PAC values, it is possible to try them all and find the right one. The researchers stated that if not mitigated, their attack will affect the majority of mobile devices and likely even desktop devices in the coming years. They presented their findings to Apple and noted that Pacman is not a "magic bypass" for all security on the M1 chip; it can only turn an existing memory-corruption bug, which pointer authentication would otherwise block, into a usable exploit.

    TechCrunch reports: "MIT Researchers Uncover 'Unpatchable' Flaw in Apple M1 Chips"

  • news

    Visible to the public "Keeping Web-Browsing Data Safe From Hackers"

    Threat actors can use Machine Learning (ML) to execute strong attacks that steal information in difficult-to-prevent and often difficult-to-study ways. Data that leaks between software programs running on the same machine can be captured by attackers, who can then decode the signals using ML techniques and extract passwords or other secret information. These are referred to as "side-channel attacks" since the information is obtained through a channel not meant for communication. Researchers at MIT have shown that ML-assisted side-channel attacks are both highly robust and poorly understood. Using ML algorithms is a challenge because their complexity makes them difficult to fully understand. In a new paper, the researchers studied a documented attack thought to work by capturing signals leaked when a computer accesses memory. They discovered that the mechanisms behind this attack had been misidentified, preventing researchers from developing effective defenses. In order to study the attack, they removed all memory accesses and noticed the attack became even more powerful. They then looked for other sources of information leakage and found that the attack actually monitors events that interrupt other programs on the computer. The team demonstrated how an adversary could use this ML-assisted attack to exploit a security hole and determine what website a user is browsing. With this information, they devised two tactics to counter the attack. The first is a browser extension that generates frequent interrupts (i.e., pinging random websites to create bursts of activity). The added noise makes signal decoding significantly more difficult for the attacker; this reduced the attack's accuracy from 96 percent to 62 percent but decreased the computer's performance. For their second countermeasure, they altered the timer to return values close to, but not identical to, the actual time, making it more difficult for an attacker to measure the computer's activities over time. This mitigation reduced the attack's accuracy from 96 percent to 1 percent. This article continues to discuss the MIT researchers' analysis of a website-fingerprinting attack and the strategies they developed to reduce the attack's chances of success.

    MIT News reports "Keeping Web-Browsing Data Safe From Hackers"

  • news

    Visible to the public "Akamai Reveals New Research on Top Three Internet Security Threats"

    Akamai revealed three new research reports at the 2022 RSA Conference that focus on three of the most critical areas of web security: ransomware, web applications and Application Programming Interfaces (APIs), and Domain Name System (DNS) traffic. The Akamai research team made new discoveries regarding threat actor behavior via popular attack traffic and methodologies after analyzing trillions of data points across its platforms. The three reports connect the most notable security trends and map today's attack landscape. An updated analysis of ransomware attack trends highlights risks and recommends mitigations. An examination of web application and API attack trends provides insight into the infection vectors used by ransomware operators and others. A DNS study supplements the reports by providing a view of overall threats examined through one of the Internet's most fundamental technologies. This article continues to discuss key findings from each of Akamai's new research reports on ransomware, web application and API threats, and DNS traffic.

    PR Newswire reports "Akamai Reveals New Research on Top Three Internet Security Threats"

  • news

    Visible to the public "Over Half of CISOs Struggling for Board Investment"

    Researchers at Encore have discovered that 54% of UK and US cybersecurity leaders complain that their boards are not providing enough funding for vital initiatives. The researchers polled 100 C-level executives, 100 CISOs, and 500 workers on both sides of the Atlantic to better understand how aligned security teams are with business leaders. The researchers found that although 50% of boards across both regions claim to have cybersecurity at the top of their agenda, over 60% of CISOs feel unsupported. The researchers stated that many boards fail to invest properly until an incident has already happened, and noted that this kind of piecemeal and reactive approach to security is the opposite of the proactive, strategic stance that leading organizations adopt. The researchers found that more than one in 10 C-level executives surveyed still only discuss cybersecurity once a breach has occurred. They also found that 82% of participants said they have felt pressured to downplay the severity of cyber risks to their board, while 90% claimed their business would be willing to compromise on cybersecurity in favor of digital transformation or other goals.

    Infosecurity reports: "Over Half of CISOs Struggling for Board Investment"

  • news

    Visible to the public "New Record: World’s First Successful Transmission of 1 Petabit Per Second"

    Internet speeds worldwide have increased considerably in the last decade, but scientists are still working to improve them. Scientists from the Network Research Institute at the National Institute of Information and Communications Technology conducted a new study that they say shows the world will soon enter a new era of internet speed. The scientists reported the world's first demonstration of more than 1 petabit per second in a multi-core fiber (MCF) with a standard cladding diameter of 0.125 mm. Using wavelength division multiplexing (WDM) technology, the scientists developed a novel transmission system that supports a record optical bandwidth exceeding 20 THz. The scientists noted that the system uses the commercially adopted optical fiber transmission windows known as the C- and L-bands and extends the transmission bandwidth to include the recently explored S-band. The results of this experiment were accepted as a post-deadline paper presentation at the Conference on Lasers and Electro-Optics (CLEO) 2022.

    Tech Explorist reports "New Record: World's First Successful Transmission of 1 Petabit Per Second"

  • news

    Visible to the public "Threat Actors Start Exploiting Meeting Owl Pro Vulnerability Days After Disclosure"

    The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that threat actors have already started exploiting a severe vulnerability that Owl Labs addressed in its video conferencing devices earlier this week. Tracked as CVE-2022-31460 (CVSS score of 7.4), the security bug can be exploited to turn a vulnerable device into a rogue access point to the Wi-Fi network it is connected to. CISA noted that the vulnerability is impacting Owl Labs' Meeting Owl Pro and Whiteboard Owl devices and that the issue exists because, when in access point (AP) mode, the devices do not disconnect from the Wi-Fi but instead start routing all traffic to the network. The bug was discovered by security researchers with Modzero, who also discovered that the video conferencing devices create their AP with the hardcoded passcode "hoothoot" and that the vulnerability can be exploited by an attacker within Bluetooth range without authentication. Patches that Owl Labs started rolling out this week disable the routing of network traffic when Meeting Owl Pro and Whiteboard Owl devices are in Wi-Fi AP tethering mode, which essentially prevents their use as rogue APs. CISA noted that owners of Meeting Owl Pro and Whiteboard Owl video conferencing devices are advised to update to firmware version 5.4.1.4 as soon as possible. CISA has instructed federal agencies to address the vulnerability by June 22.

    SecurityWeek reports: "Threat Actors Start Exploiting Meeting Owl Pro Vulnerability Days After Disclosure"

  • news

    Visible to the public "Bluetooth Signals Can Be Used to Identify and Track Smartphones"

    A team of engineers at the University of California San Diego presented findings at the IEEE Security & Privacy conference in San Francisco, California, demonstrating that it is feasible to track individuals using Bluetooth. This is the first time researchers have shown that the Bluetooth signals constantly emitted by mobile phones have a unique fingerprint that can be used to track an individual's movements. Mobile devices, such as phones, smartwatches, and fitness trackers, send out signals called Bluetooth beacons at a rate of about 500 beacons per minute. These beacons make features like Apple's lost device tracking service, COVID-19 contact tracing apps, and more possible. Previous studies have demonstrated wireless fingerprinting of Wi-Fi and other wireless technologies. The UC San Diego researchers discovered that this type of tracking can also be done with Bluetooth, and with high accuracy. Every wireless device has small manufacturing flaws in its hardware that are unique to it, and the fingerprints come from these imperfections. Flaws in Bluetooth devices cause distinct distortions that can be used as a fingerprint to identify and track a specific device. In the case of Bluetooth, this allows an attacker to evade anti-tracking measures such as the periodic randomization of the address a mobile device broadcasts. Previous Wi-Fi fingerprinting techniques rely on the fact that Wi-Fi signals contain a long known sequence called the preamble. Preambles for Bluetooth beacon signals, on the other hand, are significantly shorter, which results in inaccurate fingerprints and makes prior techniques ineffective for Bluetooth tracking. The researchers therefore designed a new method that does not rely on the preamble but looks at the entire Bluetooth signal. Their algorithm estimates two different values in the Bluetooth signal that vary with the Bluetooth hardware's defects, giving the device's unique fingerprint. This article continues to discuss the demonstration of the team's Bluetooth tracking method.
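    As an added illustration (not the UC San Diego team's code), the block below estimates one such hardware imperfection, the carrier frequency offset (CFO), from a whole synthetic I/Q record rather than from a preamble, and compares the resulting fingerprints across captures. It assumes a 4 MS/s capture and that CFO is one of the paper's two estimated values (the summary above does not name them); it uses an unmodulated carrier plus noise in place of a real BLE packet, and the sample names, seeds and tolerances are the example's own.

```python
"""Added example (not the UC San Diego team's code): estimating one hardware
imperfection, the carrier frequency offset (CFO), from raw I/Q samples and
using it as a crude radio fingerprint.

Assumptions: the two values the paper estimates are CFO and I/Q imbalance
(the summary above does not name them); only CFO is shown. The I/Q stream is
synthetic, an unmodulated carrier plus noise with a fixed seed, not a capture;
a real BLE packet adds GFSK modulation on top of the same per-sample rotation.
"""
import cmath
import math
import random
from typing import List

SAMPLE_RATE_HZ = 4_000_000.0  # assumed 4 MS/s capture of one 1 Mb/s BLE channel


def synth_samples(cfo_hz: float, n: int, snr_db: float, seed: int) -> List[complex]:
    """Constructed I/Q stream: a unit-amplitude carrier offset by cfo_hz plus
    circular white noise at the given SNR. The offset appears as a constant
    phase rotation of 2*pi*cfo/fs radians from one sample to the next."""
    rng = random.Random(seed)
    sigma = 10 ** (-snr_db / 20) / math.sqrt(2)  # per-component noise std dev
    samples = []
    for k in range(n):
        phase = 2 * math.pi * cfo_hz * k / SAMPLE_RATE_HZ
        noise = complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))
        samples.append(cmath.exp(1j * phase) + noise)
    return samples


def estimate_cfo_hz(iq: List[complex]) -> float:
    """Average the phase step between consecutive samples over the whole
    record (the argument of sum s[k] * conj(s[k-1])) and convert it to Hz.
    Using every sample rather than a known preamble is what makes this
    usable on short BLE packets; the estimate is unambiguous for |CFO| < fs/2."""
    acc = sum(iq[k] * iq[k - 1].conjugate() for k in range(1, len(iq)))
    return cmath.phase(acc) * SAMPLE_RATE_HZ / (2 * math.pi)


def same_device(cfo_a_hz: float, cfo_b_hz: float, tol_hz: float) -> bool:
    """Attribute two captures to one radio when their CFOs agree within the
    estimator's noise. tol_hz trades false matches (too loose) against losing
    a device between captures (too tight); BLE tolerates carrier offsets well
    over 100 kHz between radios, so a few kHz is a workable starting point."""
    return abs(cfo_a_hz - cfo_b_hz) <= tol_hz


if __name__ == "__main__":
    # Two captures from "device A" and one from "device B"; only the noise
    # differs between A's captures, which is exactly what a tracker exploits.
    a1 = estimate_cfo_hz(synth_samples(12_300.0, 8000, 30.0, seed=1))
    a2 = estimate_cfo_hz(synth_samples(12_300.0, 8000, 30.0, seed=2))
    b = estimate_cfo_hz(synth_samples(-15_000.0, 8000, 30.0, seed=3))
    print(f"A#1 {a1:.0f} Hz, A#2 {a2:.0f} Hz, B {b:.0f} Hz")
    print("A#1 ~ A#2:", same_device(a1, a2, 2_000.0),
          " A#1 ~ B:", same_device(a1, b, 2_000.0))
```

    The estimator averages out noise but not modulation; on a real packet the GFSK phase steps cancel only over a run of balanced bits, which is one reason the paper combines CFO with a second value and why short beacons are the hard case.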

    UC San Diego News Center reports "Bluetooth Signals Can Be Used to Identify and Track Smartphones"

  • news

    Visible to the public "Emotet Malware Stealing Credit Card Info From Users of Google Chrome" 

    The Emotet botnet is now attempting to infect potential targets with a credit card stealer module that collects credit card information from Google Chrome user profiles. The malware sends the stolen credit card information, including the cardholder's name, expiration month and year, and card number, to command-and-control (C2) servers different from the ones used by the module loader. Emotet is known for dropping the QBot and TrickBot trojans on infected devices, which are then used to install additional malware such as Cobalt Strike beacons and ransomware such as Ryuk and Conti. In early 2021, Emotet's infrastructure was shut down as part of an international law enforcement operation that also led to the arrest of two people. German law enforcement used Emotet's own infrastructure against the botnet on April 25, 2021, supplying a module that removed the malware from affected devices. This article continues to discuss observations surrounding the Emotet malware stealing credit card information from Google Chrome users, as well as the history of this malware.

    CyberIntelMag reports "Emotet Malware Stealing Credit Card Info From Users of Google Chrome"

  • news

    Visible to the public "The Most Common Exploit Paths Enterprises Leave Open for Attackers"

    According to Mandiant, the most common exploit paths that medium to large enterprises left open for attackers in Q1 2022 include exposed version control repositories, leaked secrets in public code repositories, subdomains vulnerable to takeover, exposed Amazon S3 buckets, and Microsoft Exchange servers vulnerable to CVE-2021-42321 exploitation. Mandiant's list is based on the most common issues found through continuous scanning of its customers' external attack surface from January 1, 2022, to March 31, 2022. Other issues that were encountered less frequently include exposed services and ports, misconfigurations, and specific vulnerabilities (e.g., in SAP, Log4j, etc.). Enterprises are encouraged to constantly monitor their ever-changing external attack surface and act fast when exploitable gaps and exploit pathways are discovered. This means closing them and checking whether attackers took advantage of them during the window of opportunity they provided. Mandiant emphasizes that a complete view of the attack surface is essential for creating a cyber threat profile, prioritizing updates and configuration changes, and providing context for penetration testing, incident response, and remediation. This article continues to discuss the top issues observed by Mandiant Advantage Attack Surface Management.
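    Two of the exposures on that list can be checked with a few lines of code. The following is an added example, not Mandiant's tooling: a scanner for leaked secrets over a constructed in-memory repository, and a check that decides from the response to /.git/HEAD whether a web root is serving its version control metadata. The file contents, hostnames and HTTP responses are constructed for the example, and the credential values are fabricated and inert.

```python
"""Added example (not Mandiant's tooling): offline versions of two checks
behind the list above, leaked secrets in code and an exposed .git directory.

The repository contents and HTTP responses are constructed here, not
collected; the credential values are fabricated and inert, shaped only to
match the public formats the patterns look for.
"""
import re
from typing import Dict, List, Tuple

# Credential formats that are documented and stable enough to match on.
# The generic assignment rule catches quoted values assigned to a name that
# looks like a password or key; it is noisier, so it captures the value only.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Constructed sample repository: path -> file contents.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\nDEBUG = False\n",
    "deploy/ci.yml": "env:\n  GITHUB_TOKEN: ghp_0123456789abcdefghijklmnopqrstuvwxyzAB\n",
    "README.md": "Set DATABASE_PASSWORD in your environment before running.\n",
    "scripts/backup.sh": 'DB_PASSWORD="hunter2hunter2"\npg_dump app > /backup/app.sql\n',
    "keys/deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted in this constructed sample)\n",
}


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be triaged without re-leaking it."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


def scan_for_secrets(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, pattern_name, redacted_secret) for each hit,
    ordered by path then line so two scans can be diffed."""
    hits: List[Tuple[str, int, str, str]] = []
    for path in sorted(files):
        for line_no, line in enumerate(files[path].splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                m = pattern.search(line)
                if m:
                    secret = m.group(1) if m.lastindex else m.group(0)
                    hits.append((path, line_no, name, redact(secret)))
    return hits


# /.git/HEAD is either a symbolic ref or a bare 40-hex commit id.
GIT_HEAD_RE = re.compile(r"^(?:ref: refs/heads/\S+|[0-9a-f]{40})$")


def git_dir_exposed(status: int, head_body: str) -> bool:
    """Decide from the response to GET /.git/HEAD whether the web root serves
    its repository metadata. A 200 alone proves nothing: many sites answer
    200 with an HTML page for any path, so the body must parse as HEAD."""
    return status == 200 and GIT_HEAD_RE.match(head_body.strip()) is not None


# Constructed responses to GET /.git/HEAD on three hypothetical hosts.
SAMPLE_HEAD_RESPONSES = {
    "shop.example": (200, "ref: refs/heads/main\n"),
    "www.example": (404, "<html><body>Not Found</body></html>"),
    "app.example": (200, "<!DOCTYPE html><html><head><title>App</title></head></html>"),
}


def exposed_git_hosts(responses) -> List[str]:
    """Hosts whose /.git/HEAD response is real git metadata."""
    return sorted(h for h, (st, body) in responses.items() if git_dir_exposed(st, body))


if __name__ == "__main__":
    for hit in scan_for_secrets(SAMPLE_FILES):
        print("secret:", hit)
    print("exposed .git:", exposed_git_hosts(SAMPLE_HEAD_RESPONSES))
```

    Once an exposed .git directory is confirmed, treat every secret that was ever committed there as leaked, not only the ones in the current tree, since the object store is what gets downloaded.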

    Help Net Security reports "The Most Common Exploit Paths Enterprises Leave Open for Attackers"

  • news

    Visible to the public "Symbiote Is Parasitic Malware That Provides Rootkit-Level Functionality"

    The BlackBerry Threat Research & Intelligence team, in collaboration with Intezer security researcher Joakim Kennedy, detailed a new form of Linux malware dubbed Symbiote, which is said to be almost impossible to detect because of its parasitic nature. According to the team, Symbiote differs from typical Linux malware in that, rather than trying to compromise running processes, it is a Shared Object (SO) library that gets loaded into every newly started process via LD_PRELOAD. The team says the SO library "parasitically" infects a target machine, and once it is thoroughly implanted in the system, the malware gives the attackers rootkit functionality. One of Symbiote's several interesting features is that it uses Berkeley Packet Filter (BPF) hooking to conceal malicious traffic on an infected machine. The first sample dates back to November 2021 and appears to have been created for use against banking firms in Latin America. However, because the malware is new and evasive, the researchers are unsure whether Symbiote is being used in targeted or broad attacks, if at all. This article continues to discuss the discovery and capabilities of the Symbiote Linux malware.
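    An LD_PRELOAD implant leaves traces in three places a responder can collect: /etc/ld.so.preload, the LD_PRELOAD variable in /proc/<pid>/environ, and the library itself mapped in /proc/<pid>/maps. The block below is an added example, not BlackBerry's or Intezer's code, that triages constructed copies of those artifacts; the pids, paths and file contents are made up for the example.

```python
"""Added example (not BlackBerry/Intezer's code): spot LD_PRELOAD-style
injection from the artifacts a responder would pull off a Linux host.

Symbiote loads itself as a shared object via LD_PRELOAD; the traces that
leaves are /etc/ld.so.preload, LD_PRELOAD in a process's environment, and
the injected library in /proc/<pid>/maps. The inputs below are constructed,
not captured from a real infection.
"""
import re
from typing import Dict, List

# Constructed /etc/ld.so.preload: one plausible entry and one in a scratch
# directory. On most distributions this file does not exist at all, so any
# content deserves review.
LD_SO_PRELOAD = """/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sv.so
/tmp/.x/libpriv.so
"""

# Constructed /proc/<pid>/environ blobs (NUL-separated, as the kernel exposes them).
ENVIRON_BY_PID: Dict[int, bytes] = {
    1234: b"PATH=/usr/bin\x00HOME=/root\x00",
    4321: b"PATH=/usr/bin\x00LD_PRELOAD=/dev/shm/.n/libsym.so\x00SHELL=/bin/sh\x00",
}

# Constructed /proc/4321/maps excerpt: binary, libc, the implant (already
# unlinked from disk), and an anonymous mapping with no path.
MAPS_4321 = """55d1c0a00000-55d1c0a21000 r--p 00000000 08:01 1311  /usr/bin/sshd
7f1b2c000000-7f1b2c1b8000 r-xp 00000000 08:01 5412  /usr/lib/x86_64-linux-gnu/libc.so.6
7f1b2c400000-7f1b2c412000 r-xp 00000000 00:17 9981  /dev/shm/.n/libsym.so (deleted)
7f1b2c600000-7f1b2c621000 rw-p 00000000 00:00 0
"""

# Directories a legitimate system library has no business living in.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/user/")


def preload_file_entries(text: str) -> List[str]:
    """Every non-comment path listed in /etc/ld.so.preload."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def preload_env_by_pid(environ_by_pid: Dict[int, bytes]) -> Dict[int, str]:
    """Map pid -> LD_PRELOAD value for processes that carry the variable."""
    found: Dict[int, str] = {}
    for pid, blob in environ_by_pid.items():
        for entry in blob.split(b"\x00"):
            if entry.startswith(b"LD_PRELOAD="):
                found[pid] = entry.split(b"=", 1)[1].decode(errors="replace")
    return found


# addr perms offset dev inode [path [ (deleted)]]; anonymous mappings have no path.
MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S.*?)(?: \(deleted\))?$")


def suspicious_mapped_libs(maps_text: str) -> List[str]:
    """Mapped files living in a scratch directory or already unlinked on disk.
    "(deleted)" alone also appears after a normal package upgrade, so it is a
    lead to confirm against the package manager, not proof."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.rstrip())
        if not m:
            continue
        path = m.group(1)
        if path.startswith(SUSPICIOUS_DIRS) or line.rstrip().endswith("(deleted)"):
            hits.append(path)
    return hits


def triage(ld_so_preload: str, environ_by_pid: Dict[int, bytes], maps_text: str) -> List[str]:
    """Collapse the three checks into one list of findings."""
    findings = []
    for p in preload_file_entries(ld_so_preload):
        tag = "suspicious" if p.startswith(SUSPICIOUS_DIRS) else "review"
        findings.append(f"ld.so.preload:{tag}:{p}")
    for pid, val in sorted(preload_env_by_pid(environ_by_pid).items()):
        findings.append(f"env:pid={pid}:{val}")
    for lib in suspicious_mapped_libs(maps_text):
        findings.append(f"maps:{lib}")
    return findings


if __name__ == "__main__":
    for f in triage(LD_SO_PRELOAD, ENVIRON_BY_PID, MAPS_4321):
        print(f)
```

    Because a preloaded library can hook the very libc calls used to read these files (Symbiote hides its own files and processes this way), collect the artifacts with a statically linked tool or from a disk image mounted on another system rather than trusting a shell on the suspect host.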

    ZDNet reports "Symbiote Is Parasitic Malware That Provides Rootkit-Level Functionality"

  • news

    Visible to the public "UK Joins Quantum Arms Race with First Computer"

    The UK government has recently reported that it has acquired its first quantum computer, a landmark moment that should help boost its research capabilities in cyber defense and other critical areas of national security. The Ministry of Defence (MoD) is set to work with Orca Computing to explore the potential of quantum computing to enhance the nation's defenses. Spun out of research developed at the University of Oxford, Orca Computing's mission is to develop scalable quantum computers that integrate with real-world technologies. This is a challenge for current prototypes, primarily because they must keep the qubits on which they run at extremely cold temperatures, or the qubits become unstable. Orca Computing claims to have found a way to operate a quantum computer that does not require this. David Mahdi, cryptographic expert and chief strategy officer at Sectigo, argued that governments and organizations must begin preparing for the new age of quantum computing now. Mahdi stated that future systems must be designed with "quantum safety" in mind. The MoD will be hoping that its latest move gives it an advantage in this new technology arms race.

    Infosecurity reports: "UK Joins Quantum Arms Race with First Computer"

  • news

    Visible to the public "University of Jyväskylä Project Wants to Replace Passwords with a More Secure Solution"

    The University of Jyvaskyla's "Seamless Authentication for Everyone" (SAFE) Project aims to develop a solution that addresses the security challenges associated with passwords. Password management is critical not only for individual users' security but also for the security of businesses. Passwords are also required by the military, governments, electricity grids, railway networks, and air traffic control to maintain security. However, users often choose convenience over security when creating and managing their passwords, thus leaving them vulnerable to various security issues. According to the researchers behind the project, existing alternative solutions for password and authentication problems have failed to replace passwords because of their own security issues and the fact that users either do not trust them or often find them to be difficult to use. Therefore, the SAFE Project is working on developing an authentication method that can be implemented across all operating systems, services, and devices, and is easy to use. This article continues to discuss the goal and progress of the SAFE Project.

    JYU reports "University of Jyvaskyla Project Wants to Replace Passwords with a More Secure Solution"

  • news

    Visible to the public "World's Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized"

    The Hydra marketplace, the world's largest darknet marketplace selling illicit substances, hacking tools, falsified documents, and stolen data, was shut down in a coordinated effort. The criminal marketplace, which had about 17 million consumer accounts, made billions of dollars in bitcoin before its takedown. The Federal Criminal Police Office (BKA) revealed that it secured and closed Hydra's server infrastructure, and $25 million in bitcoin attributed to the Hydra marketplace was seized. At the same time, Hydra was sanctioned by the US Department of Treasury's Office of Foreign Assets Control (OFAC). This was a collaborative effort between multiple federal agencies in the US and the German Federal Criminal Police. According to the US Department of the Treasury, Hydra was launched in 2015 and became the most well-known Russian darknet market and the largest darknet market globally. Hydra traded in Ransomware-as-a-Service (RaaS), breach services and software, stolen personal information, counterfeit currency, stolen virtual currency, and illegal drugs. This article continues to discuss the history and takedown of the Hydra marketplace.

    Security Intelligence reports "World's Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized"

  • news

    Visible to the public "Massive Facebook Messenger Phishing Operation Generates Millions"

    Researchers discovered a large-scale phishing campaign that exploited Facebook Messenger to trick millions of users into entering their account credentials and viewing adverts on phishing pages. The campaign operators used stolen accounts to send more phishing messages to victims' friends, resulting in significant revenue through online advertising commissions. According to PIXM, a New York-based AI-focused cybersecurity firm, the phishing campaign peaked between April and May 2022, but it has been active since at least September 2021. PIXM traced the threat actor and mapped the campaign because one of the identified phishing pages hosted a link to a traffic monitoring app that was publicly accessible without authentication. Although it is unclear how the campaign initially began, PIXM found that victims were sent to phishing landing pages via a series of redirects from Facebook Messenger. As the threat actors stole more Facebook accounts, they employed automated tools to send additional phishing links to the compromised accounts' friends, resulting in a tremendous increase in the number of stolen accounts. Facebook has security mechanisms in place to prevent the spread of phishing URLs, but the threat actors utilized a method to circumvent these safeguards. Their phishing messages used legitimate URL-generating services that are difficult to block because legitimate apps also use them. The researchers discovered they could gain unauthenticated access to the phishing campaign's stats pages and found that 2.7 million users visited one of the phishing portals in 2021. This number increased to 8.5 million in 2022, indicating the campaign's massive expansion. This article continues to discuss findings surrounding the large-scale Facebook Messenger phishing campaign.

    Bleeping Computer reports "Massive Facebook Messenger Phishing Operation Generates Millions"

  • news

    Visible to the public "Cloud Data Breaches Rise as Adoption and Complexity Increase"

    According to the latest Cloud Security Report from Thales, 45 percent of businesses have faced a cloud-based data breach or failed audit in the past 12 months, a 5 percent increase from the previous year. The report also brings further attention to the acceleration of multi-cloud adoption, revealing that 72 percent of organizations use multiple Infrastructure-as-a-Service (IaaS) providers compared to 52 percent in 2021. In addition, organizations globally used an average of 110 Software-as-a-Service (SaaS) apps in 2021, up from just 8 in 2015. Of the IT professionals surveyed, 51 percent said that managing privacy and data protection in the cloud is more complex. The path to the cloud is also becoming more complex, with the percentage of respondents expecting to 'lift and shift' - the simplest of migration strategies - declining from 55 percent in 2021 to 24 percent now. Furthermore, 66 percent of businesses said that up to 60 percent of their sensitive data is stored in the cloud. Only 25 percent of respondents claim to be able to fully classify all data. A third of respondents said they had to notify a government agency, a client, partners, or workers about a data breach. In regard to securing data in multi-cloud environments, IT professionals consider encryption a critical security control. However, just 11 percent of respondents said that between 81 and 100 percent of their cloud data is encrypted. This article continues to discuss key findings from Thales' new report on cloud security.

    BetaNews reports "Cloud Data Breaches Rise as Adoption and Complexity Increase"

  • news

    Visible to the public "CISA Reveal Chinese Hackers Tactics Targeting US Telecoms and Network Service Providers"

    The Cybersecurity and Infrastructure Security Agency (CISA) published a new advisory warning public and private sector organizations about China-based state-sponsored cyberattacks against US firms. The document describes a series of common vulnerabilities and exposures (CVEs) associated with network devices that the unnamed cyber actors have regularly exploited since 2020. Such devices included small office/home office (SOHO) routers and Network Attached Storage (NAS) devices, which were exploited to gain extensive and/or persistent access to organizations' networks, and as command-and-control (C2) infrastructure from which to pivot to other targets. After successfully gaining access to organizations' network devices, the actors then executed router commands to route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure. According to the advisory, the threat actors also consistently evolved and adapted their tactics to bypass defenses, modifying their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. A complete list of the CVEs and network commands used during the China-based state-sponsored cyberattacks is available in the advisory. CISA noted that to mitigate the vulnerabilities listed in the advisory, organizations should apply any available patches to their systems, replace end-of-life infrastructure, and implement a centralized patch management program. The advisory comes days after the Agency issued a joint statement with the Department of Energy (DoE) warning of attacks against internet-connected uninterruptible power supply (UPS) devices.

    Infosecurity reports: "CISA Reveal Chinese Hackers Tactics Targeting US Telecoms and Network Service Providers"

  • news

    Visible to the public "Google Publishes Monthly Android Security Bulletin, Patches Critical Vulnerabilities"

    Google published its Android Security Bulletin for June on Monday, and it contains details of over 40 security vulnerabilities affecting Android devices and the related patches. Google stated that the most severe of these issues was a critical security vulnerability in the System component that could lead to remote code execution (RCE) with no additional execution privileges needed. Tracked as CVE-2022-20127, the vulnerability could affect unpatched systems running Android versions 10, 11, 12, and 12L. Other RCE vulnerabilities mentioned in the bulletin could affect the Framework, Media Framework, and Kernel of certain Android devices. In the document, Google also addressed vulnerabilities deriving from the hardware of certain manufacturers, including MediaTek and Qualcomm components and Motorola's Unisoc chips. The June 1st security patch reportedly fixed the critical vulnerabilities mentioned above, alongside five security bugs in Framework, 13 in the System component, and 18 others across Kernel, MediaTek, Unisoc, and Qualcomm closed-source components.

    Infosecurity reports: "Google Publishes Monthly Android Security Bulletin, Patches Critical Vulnerabilities"