Security News – October 2022

Read our roundup of cybersecurity news from October 2022. Each month, we bring you security cases and interesting insights to help you stay secure.

Politics 

During the partial mobilization of soldiers in Russia, a variety of services proliferated: delivery of forged documents, erasure of records from the databases of the local military administrations in charge of conscription, and “gray” SIM cards to conceal identities. Some of these, however, are themselves fraudulent schemes. You can find a sample price list here.

The pro-Russian hacker group KillNet is behind DDoS attacks on the websites of several major US airports; the attacks, however, had no impact on the airports’ normal operations.

In Germany, the head of the Federal Cyber Security Office is expected to be dismissed due to possible contacts with the Russian intelligence service.

Pro-Ukrainian hackers OneFist allegedly hacked the Gonets satellite communication network. By deleting records in its CRM database, they prevented clients from accessing the network.

The NSA, CISA, and the FBI publicly revealed the weaknesses most commonly exploited by Chinese hackers targeting government institutions and critical infrastructure in the US and allied countries.

The FBI has issued a warning about disinformation threats that could affect decision-making in the 2022 elections, including the possibility of violence being incited before and after the elections. In recent elections, efforts by China, Russia and Iran were identified.

The pro-government Chinese hacking group APT27 (Emissary Panda) attacked the network of the US legislature. The extent of the damage is not yet clear. Activity by pro-government Chinese hacking groups has increased significantly in recent months.

A pro-Russian group has created a crowdsourced project, DDOSIA, which pays volunteers to launch DDoS attacks against organizations in countries that support Ukraine in the current war. Its Telegram channel has up to 13,000 potential volunteers.

The White House continues to raise cybersecurity standards in health care, drinking water supply, and emergency communications. At the end of October, it also plans to announce standards that will apply to organizations across all sectors.

Investigations and research

Morgan Stanley has agreed to pay a $35 million fine for a large data leak. When disposing of 53 RAID arrays containing nearly 1,000 hard drives, the bank hired a contractor without properly verifying that the data would be securely wiped from the drives. The drives later turned up for sale at auction.

Lloyd’s detected unusual activity on its network. Suspecting an attack, it shut down and reset its systems as a precautionary measure. An investigation is currently underway.

A new npm timing attack can lead to supply chain attacks. The npm registry returns the same error message for private packages as for non-existent ones, but the response times differ. By measuring them, attackers can infer that a private package exists and publish a public clone or a package with a similar name.
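As an added example (not from the article or from npm), here is a small audit of a package.json and .npmrc for the exposure this attack creates: internal packages that are unscoped or whose scope is not pinned to a private registry, and dependencies whose names closely resemble an internal package name. The package names, registry URL and edit-distance threshold are constructed assumptions.

```javascript
// Added example: audit a project's dependencies for dependency-confusion risk.
// All package names, the registry URL and the threshold below are constructed.
const INTERNAL_PACKAGES = ['@acme/auth-core', 'acme-billing'];
const PACKAGE_JSON = {
  dependencies: {
    '@acme/auth-core': '^1.2.0',
    'acme-billing': '^2.0.1',  // internal but unscoped: a public clone could shadow it
    'acme-biling': '^1.0.0',   // one character away from an internal name
    'express': '^4.18.2',
  },
};
const NPMRC = [
  '@acme:registry=https://npm.internal.example/',
  '//npm.internal.example/:_authToken=${NPM_TOKEN}',
].join('\n');
const LOOKALIKE_MAX_DISTANCE = 2;

// Parse "@scope:registry=URL" lines of an .npmrc into a Map of scope -> registry.
function parseNpmrc(text) {
  const scopes = new Map();
  for (const raw of text.split('\n')) {
    const m = raw.trim().match(/^(@[^:]+):registry=(.+)$/);
    if (m) scopes.set(m[1], m[2]);
  }
  return scopes;
}

// Standard Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Return a list of {name, issue} findings for the given package.json object.
function audit(pkg, npmrcText, internal) {
  const scopes = parseNpmrc(npmrcText);
  const internalSet = new Set(internal);
  const findings = [];
  for (const name of Object.keys({ ...pkg.dependencies, ...pkg.devDependencies })) {
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (internalSet.has(name)) {
      if (!scope) findings.push({ name, issue: 'internal package is unscoped; a public package of the same name could be substituted' });
      else if (!scopes.has(scope)) findings.push({ name, issue: `scope ${scope} is not pinned to a private registry in .npmrc` });
      continue;
    }
    for (const own of internal) {
      const d = levenshtein(name, own);
      if (d > 0 && d <= LOOKALIKE_MAX_DISTANCE) findings.push({ name, issue: `name is within edit distance ${d} of internal package ${own}` });
    }
  }
  return findings;
}

console.log(audit(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES));
```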

International cooperation between France, Lithuania and Spain led to the arrest of 31 suspects involved in high-tech car thefts. They specialized in stealing cars with keyless entry and keyless ignition (i.e., the owner only needs to have the key in their pocket to unlock and start the car), using software that replaced the cars’ original software.

An international operation led by Interpol resulted in the arrest of 75 members of the Black Axe cybercrime group, who were involved in a number of scams, online and otherwise.

Avast has published a decryptor for the MafiaWare666 ransomware (also known as Jcrypt, RIP Lmao, or BrutusptCrypt).

Texas is suing Google for allegedly collecting and exploiting users’ biometric data without proper consent. It is the latest in a series of lawsuits criticizing the company’s negligent approach to data privacy.

The era of the metaverse hasn’t properly begun yet, but the first cases of attacks on such platforms have already emerged. It’s hard to predict the cyber threats of something that doesn’t fully exist yet. At the same time, there is a real risk of a so-called darkverse, a metaverse for the dark web, which would pose major challenges for investigators.

Numerous apps were identified as adware: 75 on Google Play and 10 on the App Store. Adware floods mobile devices with advertising. These apps have up to several million downloads. The full list of apps can be found here.

Meta (Facebook) has identified more than 400 malicious apps designed to steal Facebook login credentials and gain access to users’ accounts. The list can be found here.

Vulnerabilities

A vulnerability in FortiOS and FortiProxy (Fortinet), already being exploited, allows unauthenticated attackers to perform operations in the administrative interface via specially crafted HTTP(S) requests. A patch is now available.

Lenovo has fixed serious vulnerabilities in the BIOS of its devices. Several of them allowed attackers to access the device or the data stored on it without authentication or authorization.

Some personal information of Toyota customers was at risk of being leaked because of an access key left behind on GitHub. The affected users are those of the official Toyota T-Connect app.

Attacks

The cyber espionage group LuckyCat (TA413) is using a previously unknown backdoor in attacks targeting Tibetan entities around the globe. To deliver it, the group exploits two vulnerabilities, one in Sophos Firewall and one in Microsoft Office.

The Covid-19 pandemic was an excellent opportunity for social engineers in various cybercriminal organizations. People were much more likely to click on emails about the pandemic, and at the same time it was a topic that connected the whole world.

The attack on CommonSpirit disrupted the operation of several US hospitals (e.g. in Tennessee and Seattle) in the CHI network, the second largest chain of non-profit hospitals in the US. Thanks to an early precautionary measure, the entire chain was prevented from being compromised.

Fake adult websites are helping to spread fake ransomware. Instead of encrypting the files on the user’s computer, the malware tries to delete them. Even though it displays a ransom note, the files cannot be recovered.

The Caffeine phishing-as-a-service platform makes it easy to launch a phishing campaign against Microsoft 365. Its ready-made templates mainly target Russian and Chinese platforms. Worryingly, registration is open: new clients can sign up without any approval.

The OldGremlin ransomware gang targets Russian organizations running Linux. The gang runs relatively few campaigns but demands high ransoms. Before striking, it spends more than a month researching the victim’s network to find out which data is most valuable.

Google Forms was misused in a Covid-19-themed phishing campaign that exploited the business support programs offered during the pandemic by impersonating one of them. Government agencies, however, did not use Google Forms to collect data.

Other

Up to 45% of users surveyed stated that they regularly send critically important information via Microsoft Teams. The use of such corporate tools increases the need to secure and protect corporate data.

Healthcare organizations in the U.S. are asking NIST for cybersecurity guidelines written in plain English, accessible even to small, resource-constrained organizations. In doing so, they are also criticizing the sector’s existing guidelines.

Cybersecurity experience can be applied in other domains as well. One CISO (Chief Information Security Officer) used his knowledge to evacuate people from Ukraine. The article includes a short video interview with him.

New AI-based software can identify counterfeits with a very high success rate. It can help fight billion-dollar losses in the fashion industry alone, and it can similarly be used to identify, for example, gold mines where child labour is used.

Do you have, or are you considering buying, a home security camera? Before you do, have a look at this ESET article covering 8 related topics.

The dark web service BidenCash has published the details of 1.2 million credit cards as part of a promotional campaign for its services. The data appears to be genuine, and a significant share of the cards are still valid and could easily be used for fraud.

Even when an Android user has the “Block connections without VPN” or “Always-on VPN” options turned on, some traffic still bypasses the VPN. This behaviour is by design, but it is poorly documented and may pose a risk to users who rely on the VPN for protection.

ESET has published 5 rules for minimizing cyber attacks targeting schools.

The number of US patients whose personal data was exposed by an improperly deployed Meta Pixel (formerly Facebook Pixel) has risen to more than 3 million. Data such as the type of medical screening and details of the insurance policy or insurer was sent to Meta.

Are you concerned about protecting your online privacy? Have a look at a series of recommendations on which browsers to use, how to configure them, and which extensions to install to maximize your protection.

Experts are warning against underestimating beginner hackers (aka “script kiddies”). Their attacks can still be very destructive: an unsophisticated attack is not necessarily an unsuccessful one.

An ongoing awareness campaign has been launched in hospitals in the Czech Republic. Its aim is to teach medical staff the basic rules of cybersecurity. You can find the materials here.