Security News – November 2022

Read our roundup of cybersecurity news from November 2022. Each month, we’ll bring you security cases and interesting insights to help you stay secure.

Politics

A series of ransomware attacks on transport and logistics organizations in Ukraine and Poland has been linked to an elite Russian military hacking group known as Sandworm. Microsoft has published detection guidance that can help administrators spot this activity.

Kaspersky is phasing out its VPN services in Russia. Roskomnadzor, the Russian censorship authority, has banned the use of 15 VPN networks in the country. The reason was the regulator’s demand that VPN providers apply censorship and be able to identify users within the VPN network.

The pro-Russian group APT29 (Cozy Bear) is exploiting a flaw in Windows in its attacks on diplomats from various countries. The vulnerability allows remote access to devices without authorization. An update that fixes the vulnerability was released back in September.

Researchers have reinforced the theory that Russian cybercrime groups have ties to the Russian government. They pointed to a correlation between the timing of national elections in Western countries and a rise in ransomware attacks shortly before them, suggesting an intent to interfere with the elections.

An Iranian hacker group compromised a US government agency through the Log4Shell vulnerability. This was possible because of an outdated, unpatched VMware Horizon server.

A Russian vulnerability broker raised its offer for vulnerabilities in the Signal application to three times the price offered by competitors. This most likely reflects Russia’s strong desire to improve its significantly limited intelligence capabilities in Ukraine.

The European Parliament has been the target of a DDoS attack by the pro-Russian group Killnet. This happened just after the European Parliament passed a resolution labelling Russia as a country that supports terrorism. This has once again reinforced suspicions that Russian criminal groups are at least to some extent coordinated with government structures.

Investigations and research

Ukrainian police, in cooperation with Europol and other countries, arrested 5 key members of an international group of investment fraudsters responsible for losses of €200 million a year. The group employed over 2,000 people, mainly in call centers.

A number of PyPI packages install malware designed to steal data. To get installed, they rely on names that closely resemble those of existing, popular packages (typosquatting). When searching for or installing a package, check the name carefully for typos.
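The “check the name for typos” advice above, turned into a pre-install check. This is an added example, not code from the original roundup; the shortlist of popular package names is constructed for the example, and the edit-distance threshold is an assumption.

```python
# Added example (not from the original roundup): flag a requested PyPI package
# name that is a near-miss for a well-known package. The popular-package list
# below is constructed for the example, not fetched from PyPI.
import re

# Constructed shortlist of widely used package names (assumption: in practice
# you would compare against the real top-N names from PyPI).
POPULAR_PACKAGES = {
    "requests", "urllib3", "numpy", "pandas", "setuptools", "colorama", "django",
}

def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of -, _ and . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(requested: str, known=POPULAR_PACKAGES, max_dist: int = 2):
    """Return known names within max_dist edits of the requested name.

    An exact (normalized) match returns [] because the request is legitimate;
    otherwise the closest known names are returned, nearest first.
    """
    req = normalize(requested)
    if req in {normalize(k) for k in known}:
        return []
    hits = [(levenshtein(req, normalize(k)), k) for k in known]
    return [k for d, k in sorted(hits) if d <= max_dist]

def check_install(requested: str) -> str:
    """Human-readable verdict for a 'pip install <requested>' request."""
    near = typosquat_candidates(requested)
    if not near:
        return f"no near-miss for '{requested}'"
    return f"WARNING: '{requested}' is not a known package but looks like {near}"

if __name__ == "__main__":
    for name in ("requests", "Requests", "reqeusts", "colourama", "flask"):
        print(check_install(name))
```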

More than half of US government officials are using smartphones with an outdated operating system (iOS or Android). This puts them at significantly higher risk of known vulnerabilities being exploited during attacks on government agencies.

In Canada, a prominent member of the LockBit gang was arrested on suspicion of launching multiple attacks and making ransom demands totalling tens of millions of dollars. The trial is expected to take place in the US.

Nearly 80% of companies admitted in a survey that they have made a claim on a cyber insurance policy. More than half of them have done so multiple times. This reflects how common cyber attacks on businesses are, which is leading insurers to significantly re-evaluate (or even cancel) this product.

GitHub has launched a separate communication channel intended to simplify communication between security researchers and the maintainers of open source projects.

The Red Cross is exploring possibilities for creating its own “digital symbol”. In military conflicts, the Red Cross emblem identifies people who are providing help and therefore are not to be attacked; the aim is to establish something similar in the digital world.

LinkedIn has begun an effort to combat fake profiles, which are often behind the spread of malware or cyber-espionage. Users will be able to verify some parts of other people’s profiles themselves.

Dutch police arrested a 19-year-old hacker. He is suspected of penetrating a healthcare provider’s systems and stealing tens of thousands of documents that contained sensitive personal and medical information.

The UK is beginning to explore its own digital space. The objectives include a better understanding of the vulnerabilities and security of UK organizations, the ability to respond more quickly to new challenges, and the ability to advise system owners on their security.

Attacks

Steganography was used to hide malware in PNG images. The hacking group known as Worok uses “sideloading” to execute malware in the system’s memory. In the next stage, it uses CLRLoader to extract specific bytes from the PNG image and reconstruct two executable binaries from them.

The Azov Ransomware, which is spreading widely around the world, has proven to be a wiper (it irreversibly damages data). It overwrites files in a loop, destroying 666 bytes and leaving the next 666 bytes untouched. It spreads mainly through fake pirated software.
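A detection check for the damage pattern described above: compare a known-good copy of a file (e.g. from backup) with a suspected damaged copy, map which 666-byte blocks differ, and test whether the damage alternates in the “666 destroyed / 666 intact” pattern. This is an added example, not code from the original roundup or from any analysis of the malware; the sample data is constructed in memory, and the assumption that damaged blocks start at offset 0 is the example’s own.

```python
# Added example (not from the original roundup): map 666-byte blocks that differ
# between a known-good copy and a suspect copy, then test for the alternating
# wipe pattern. Sample data is constructed below; BLOCK is the size reported
# for Azov, and "damage starts at offset 0" is an assumption of this example.
from __future__ import annotations
import random

BLOCK = 666

def damaged_block_map(original: bytes, suspect: bytes, block: int = BLOCK) -> list[bool]:
    """True for each block whose bytes differ from the known-good copy."""
    if len(original) != len(suspect):
        raise ValueError("size mismatch: not an in-place overwrite")
    return [original[i:i + block] != suspect[i:i + block]
            for i in range(0, len(original), block)]

def is_alternating_wipe(flags: list[bool]) -> bool:
    """True if blocks strictly alternate damaged/intact starting with a damaged
    block, which is what the loop described above would leave behind. A short
    trailing block is just one more entry in the map, so it is handled too."""
    return len(flags) >= 2 and all(f == (i % 2 == 0) for i, f in enumerate(flags))

def make_samples(size: int = 7 * BLOCK + 123) -> tuple[bytes, bytes]:
    """Constructed test data: a pseudo-random 'document' and a copy in which
    every even-numbered 666-byte block has been replaced with zeros."""
    rng = random.Random(2022)
    original = bytes(rng.randrange(256) for _ in range(size))
    buf = bytearray(original)
    for start in range(0, size, 2 * BLOCK):
        span = len(buf[start:start + BLOCK])
        buf[start:start + BLOCK] = b"\x00" * span
    return original, bytes(buf)

if __name__ == "__main__":
    good, bad = make_samples()
    flags = damaged_block_map(good, bad)
    print("damaged blocks:", [i for i, f in enumerate(flags) if f])
    print("alternating 666-byte wipe pattern:", is_alternating_wipe(flags))
```

In practice the known-good copy comes from a backup or a file-integrity baseline, and a strict alternating map across many files is strong evidence that recovery by decryption is impossible and restoration is the only option.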

There is a new service available to criminals. The clipboard hijacker Laplas replaces the crypto wallet address copied by the user with the attacker’s address, which can look very similar to the original one. This can lead users to accidentally send their funds to the wrong address.

Cybercriminals are exploiting the growing popularity of the football World Cup in Qatar. They are creating a number of domains that mimic the appearance of the official domain, with the aim of installing spyware. Interestingly, this spyware is effectively competing with the mandatory pro-government spyware that all participants have to install.

A successful phishing campaign led to a Dropbox employee’s credentials being obtained. Unknown hackers subsequently gained access to 130 Dropbox repositories on GitHub.

A supply-chain attack caused hundreds of online news sites to spread malware.

A Chinese pro-government hacking group has launched a new spear phishing campaign targeting mostly Southeast Asia and Australia. To reduce the likelihood of detection, they deliver the malware as a link to Google Drive or Dropbox, and the target is placed in the “CC” field rather than “To”.

A new type of crypto scam can bypass two-factor authentication. It relies on a fake website, fictitious support staff, and the TeamViewer app. The attacker obtains all the necessary details from the victim, who sends them over chat, and then uses the TeamViewer connection to cause a “problem” by inserting a random character into the password the victim types.

How much does it cost to hack an account on WhatsApp, Viber, or Telegram? The price starts at $350, but for VKontakte the amount can be as low as $10. This is the price range on the dark web market.

A major phishing campaign by the Chinese group Fangxiao is underway, encouraging people to download malware. The group imitates more than 400 well-known brands through more than 42,000 unique domains. Most of its infrastructure is fronted by the legitimate Cloudflare service.

Other

ESET continues its cyber security awareness campaign and has published a list of 10 common mistakes that users make. If you’re interested in this topic, you can also read its challenges for 2023, and check out the five reasons from ESG researchers explaining why cybersecurity is becoming more challenging.

Microsoft released new updates in November. Among other things, they address 6 previously unknown vulnerabilities that are being actively exploited. In total, these updates fix 68 security vulnerabilities.

U.S. financial institutions experienced approx. $1.2 billion worth of losses linked to ransomware. This is a 200% increase compared to 2020.