Security News – June 2023

Read our roundup of cybersecurity news from June 2023. Each month, we’ll bring you security cases and interesting insights to help you stay secure. 

Politics 

Discussions regarding the implementation of the European NIS2 directive and the assessment of supply chain risks are underway in the Czech Republic. The proposed law is currently in the consultation process and aims to enable the restriction or prohibition of suppliers from unreliable countries.

Currently, two different APT groups associated with North Korea are conducting campaigns. One group aims at financial gain to further finance the North Korean regime, which is under international sanctions. The other group employs social engineering tactics to obtain strategic information.

The North Korean APT group Lazarus was involved in the attack on Atomic Wallet, resulting in the theft of over $35 million. To hide the origin of the stolen funds, the attackers used various techniques, including intermediary wallets, mixers, and money laundering methods.

Mandiant believes that a Chinese cyber espionage group carried out an attack campaign targeting the VMware hypervisor. Interestingly, the attackers are promptly adapting their tactics (e.g. changing file names and hashes) as more information about their activity is published.

Ukrainian hackers from Cyber.Anarchy.Squad are responsible for a successful attack on the Russian operator Infotel JSC. This attack caused disruptions in several banks and institutions that are clients of Infotel JSC.

Swiss institutions have experienced DDoS and ransomware attacks from the pro-Russian group NoName. The group is particularly targeting countries supporting Ukraine in its conflict with Russia. Several federal websites became temporarily unavailable. The attacks followed parliamentary discussions on support for Ukraine.

Deepfake technology was used to impersonate the Russian president. A fabricated news report was broadcast in three Russian regions, falsely declaring a state of emergency due to an attack from Ukraine.

Investigations and research

The APT group Kimsuky, linked to North Korea, poses as journalists and members of the academic community to conduct spear-phishing campaigns. Their targets include think tanks, research centers, and other organizations. Effective protection against them can be achieved by implementing robust defenses, such as resilience measures and multi-factor authentication.

The Federal Trade Commission (FTC) imposed a $30 million fine on Amazon for privacy violations related to Alexa and Ring products. One of the violations involved the storage of data and recordings on children for Amazon’s own purposes.

Two Russians have been accused of stealing 647,000 Bitcoins from Mt. Gox, leading to the exchange’s collapse. If found guilty, they could face up to 20 years in prison.

Google is currently investigating a vulnerability associated with Brand Indicators for Message Identification (BIMI) in Gmail. This feature adds a verification symbol to emails sent by specific companies. The vulnerability seems to be caused by SPF and DMARC records that are improperly configured on the sender’s side.
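Since BIMI only makes sense on top of an enforcing DMARC policy, a sender can check its own record before expecting the logo to be trusted. The following is an added example (not code from the original article or from Google) that parses a DMARC TXT record and reports the settings that fall short of BIMI's enforcement requirement (p=quarantine or p=reject, pct=100, and no weaker subdomain policy); the domain names and records are constructed sample data.

```python
# Constructed sample DMARC TXT records (example domains, not real lookups).
SAMPLE_RECORDS = {
    "enforced.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example":      "v=DMARC1; p=quarantine; pct=50; sp=none",
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict.

    Returns an empty dict when the record is not a DMARC1 record at all
    (for example an SPF record placed at the _dmarc label by mistake).
    """
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def bimi_dmarc_issues(record: str) -> list:
    """Return the reasons this DMARC record would not satisfy BIMI's policy rules."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no valid DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        issues.append(f"p={policy or '<missing>'} is not an enforcing policy")
    # pct defaults to 100; anything lower leaves a share of mail unenforced.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        issues.append(f"pct={pct} leaves some mail unenforced")
    # sp defaults to the value of p when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        issues.append(f"sp={sub_policy or '<missing>'} leaves subdomains unenforced")
    return issues


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, "->", bimi_dmarc_issues(record) or "BIMI-ready DMARC policy")
```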

The FBI participated in the takedown of the hacking forum BreachForums. They also arrested its owner, a prominent member of RaidForums and the cybercrime underworld. He is accused of trading data belonging to millions of Americans and hundreds of American companies. 

Cybercriminals are migrating from the dark web, especially TOR sites, to Telegram. The shift is motivated by Telegram’s speed, higher level of anonymity, and the availability of specialized channels.

Attacks

Harvard Pilgrim Health Care, a nonprofit healthcare provider in the USA, fell victim to a ransomware attack. The attack affected over 2.5 million individuals, resulting in the theft of their personal data – names, addresses, dates of birth, and more.

There is a new wave of online scams specifically aimed at stealing credit card information. The scammers start by compromising well-established websites and then deploy malicious scripts. They exploit known vulnerabilities in platforms such as WordPress, Magento, WooCommerce, Shopify, and others. These scams also employ code obfuscation techniques, making it difficult to detect both the presence of the malicious scripts and the data they extract.

The FBI has issued a warning about a new type of sextortion. This form involves the creation of sexually explicit content using easily accessible photos and videos with the assistance of AI (deepfake) technology. The victims are then blackmailed with this explicit content. To avoid such incidents, it is recommended to limit the sharing of photos and videos to a trusted group of people.

The heatmap feature in the Strava application has the potential to expose the home addresses of active users, particularly in areas with fewer users. Attackers can exploit this information to build profiles of the users. It is recommended to disable this feature to mitigate the risk.

Leading fashion brands, including Puma, Nike, and Adidas, became targets of a large-scale fraudulent campaign. The attackers mimic their websites and employ sophisticated SEO methods to ensure prominent visibility in search results. The success of this campaign indicates lengthy advance planning. The brands’ customers may disclose their login credentials or credit card information while interacting with these fake websites.

Following the attack, rural hospitals in Idaho faced a critical situation where they had to redirect patients to other facilities because their information systems were no longer accessible. These hospitals, along with their partner clinics, play a vital role in delivering essential healthcare services to a population of 68,000 residents.

The University of Manchester fell victim to a targeted attack that led to the unauthorized copying of 7TB of data. The compromised information contained personal details of students, alumni, and university staff.

The Chinese APT group known as Mustang Panda is responsible for an espionage campaign targeting the European healthcare sector. The group used USB drives as its means of infection and propagation.

An attack targeted American military personnel by sending unsolicited smartwatches to their mailboxes. Once activated, these watches automatically connect to Wi-Fi networks and establish unauthorized connections with mobile phones, allowing access to sensitive information such as banking details, contacts, names, and passwords. It is strongly advised not to activate these devices upon receipt.

Other

Support for Windows 10 version 21H2 has ended this month for Home, Pro, Pro Education, and Pro for Workstations editions. Starting next month, these editions will no longer receive security updates: vulnerabilities fixed by updates for other versions will become public knowledge, while in version 21H2 they will remain unresolved.

Microsoft has announced the retirement of the AI assistant Cortana from the Windows operating system. This change is expected to take place by the end of this year, and it will be replaced by Windows Copilot. However, Cortana will still be available, for example, within Microsoft Teams.

32 malicious Chrome browser extensions have been removed from the Chrome Web Store. These extensions reached over 75 million downloads over the years. In addition to their legitimate functionality, they were stealing sensitive information and injecting unwanted advertisements into web pages.

GIGABYTE motherboards are prone to a man-in-the-middle attack. The firmware update software contacts one of three GIGABYTE websites, two of which are reached over plain HTTP. This makes the connection vulnerable to interception by an attacker, who can then manipulate the content with malicious intent. The latest firmware update addresses this issue.

According to Moody’s, cyber security and risk management are deeply connected with a company’s economic health and even national security. While it may be tempting to ignore requests for increased resources in the short term, the medium and long-term consequences can significantly jeopardize a business.

The new OWASP API Security Top 10 list has been released, updating the categories of vulnerabilities affecting APIs. Six entries have remained unchanged since 2019, while four have been modified or added to reflect the current state.

The password manager in Chrome now includes new security features, such as a separate link for independent management, biometric authentication on desktop, and password import from other managers. For iOS users, it also provides an overview of passwords reused across different sites and of potentially compromised login credentials.

Meta threatens to block links to news articles on Facebook and Instagram for users in California. This is in response to the state’s attempt to impose taxes on the platforms and redirect the revenue to media houses in the state. A similar action in Australia resulted in media houses receiving $140 million.

CISA issued a directive for federal agencies to install the latest updates on their iPhones. The update addresses previously unknown vulnerabilities that could be exploited for deploying spyware. Similarly, a directive was issued to remove vulnerabilities actively exploited by pro-Russian hackers with connections to Russian military intelligence (GRU).

Millions of GitHub accounts may be prone to RepoJacking. When a repository name is changed, GitHub redirects the old name to the new one so that project dependencies are not disrupted. However, if someone registers the previous name, the redirection stops working, allowing an attacker to serve malware under the old name and gain control over the dependencies.