InfoSec News 20220708

  • Published: Fri, 08/07/2022 - 13:03

Top News


  • Microsoft rolls back decision to block Office macros by default

"While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on "feedback" until further notice.
The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word.
"Based on feedback, we're rolling back this change from Current Channel," the company notified admins in the Microsoft 365 message center (under MC393185 or MC322553) on Thursday."

Link

TLP¹: Green

  • QNAP warns of new Checkmate ransomware targeting NAS devices

"Network-attached storage (NAS) vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data.
QNAP says the attacks are focused on Internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks.
"A new ransomware known as Checkmate has recently been brought to our attention," the NAS maker said in a security advisory published Thursday.
"Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords."
Checkmate is a recently discovered ransomware strain, first deployed in attacks around May 28, that appends a .checkmate extension to encrypted files and drops a ransom note named !CHECKMATE_DECRYPTION_README."

Link

TLP¹: Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • TrickBot Gang Shifted its Focus on "Systematically" Targeting Ukraine

"In what's being described as an "unprecedented" twist, the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022.
The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and Meterpreter.
Tracked under the names ITG23, Gold Blackburn, and Wizard Spider, the financially motivated cybercrime gang is known for its development of the TrickBot banking trojan and was subsumed into the now-discontinued Conti ransomware cartel earlier this year.
But merely weeks later, the actors associated with the group resurfaced with a revamped version of the AnchorDNS backdoor called AnchorMail that uses SMTPS and IMAP protocols for command-and-control communications."

Link

TLP¹: Green

  • Discussing the risks of bullying for anonymous social app NGL

"This is a transcription of my complete interview with the program NEWSFEED at TRT, during which we discussed NGL software and the risks of bullying. (...)"

Link

TLP¹: Green

  • Lawyers Urged to Stop Advising Clients to Pay Ransomware Demands

"The legal profession has been urged to stop advising clients to pay ransomware demands in a joint letter issued today by the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO).
The open letter asked the Law Society to remind its members that they should not advise clients to pay ransomware demands when they fall victim to a cyber-attack. It emphasized that paying ransoms does not reduce the risk of future attacks on individuals or even guarantee the decryption of networks or return of stolen data. In addition, paying ransomware groups “will not reduce any penalties incurred through ICO enforcement action.”"

Link

TLP¹: Green

  • Over 1,200 NPM Packages Found Involved in "CuteBoi" Cryptomining Campaign

"Researchers have disclosed what they say could be an attempt to kick-off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository.
The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts.
"This was done using automation which includes the ability to pass the NPM 2FA challenge," Israeli application security testing company Checkmarx said. "This cluster of packages seems to be a part of an attacker experimenting at this point.""

Link

TLP¹: Green

  • Chinese Cyber Espionage Groups Increasingly Targeting Russia

"Chinese APT groups are increasingly targeting Russian organizations following the war in Ukraine, according to research by SentinelLabs.
The latest investigation indicated that a Chinese state-sponsored cyber espionage group launched a “cluster” of phishing emails to deliver remote access Trojan (RAT) malware, most commonly Bisonal, against Russian targets in recent weeks. SentinelLabs researchers attributed this threat activity “with high confidence” to a Chinese state-backed group, although “specific actor attribution is unclear at this time.”
The new analysis follows other campaigns by Chinese APT groups targeting Russia in recent months. These include Scarab, Mustang Panda and Space Pirates, which were also identified by SentinelLabs. Additionally, in May, Google’s Threat Analysis Group (TAG) highlighted the growing targeting of Russia by Chinese threat groups."

Link

TLP¹: Green

  • Election Officials Face Security Challenges Before Midterms

"Election officials preparing for the upcoming midterms face a myriad of threats, both foreign and domestic, as they look to protect voting systems and run a smooth election while fighting a wave of misinformation that has been undermining public confidence in U.S. elections.
The nation’s top state election officials gathered Thursday for the start of their annual summer conference, with a long list of challenges that begins with securing their voting systems. 
While a top concern heading into the 2020 presidential election was Russia or another hostile nation waging a disruptive cyberattack, the landscape has expanded to include ransomware, politically motivated hackers and insider threats. Over the last year, a small number of security breaches have been reported at local election offices in which authorities are investigating whether office staff improperly accessed or provided improper access to sensitive voting technology."

Link

TLP¹: Green

Breaches: Data Breaches and Hacks


  • Aon Hack Exposed Sensitive Information of 146,000 Customers

"Aon recently disclosed that 145,889 of its North American customers had their sensitive information exposed in a large data breach.
The British multinational financial services firm that sells a range of risk-mitigation products announced that hackers breached its systems “at various times” from December 29 2020 to February 26 2022.
Aon disclosed the breach in a Securities & Exchange Commission filing in February. Further details were disclosed three months later, on May 26.
In a letter dated May 27, Aon told affected individuals that affected personally identifiable information includes driver’s license numbers, Social Security numbers and “in a small number of cases, benefits enrolment information.”"

Link

TLP¹: Green

  • Hack Allows Drone Takeover Via ‘ExpressLRS’ Protocol

"A radio control system for drones is vulnerable to remote takeover, thanks to a weakness in the mechanism that binds transmitter and receiver.
The popular protocol for radio controlled (RC) aircraft called ExpressLRS can be hacked in only a few steps, according to a bulletin published last week.
ExpressLRS is an open-source long range radio link for RC applications, such as first-person view (FPV) drones. “Designed to be the best FPV Racing link,” wrote its authors on Github. According to the report the hack utilizes “a highly optimized over-the-air packet structure, giving simultaneous range and latency advantages.”
The vulnerability in the protocol is tied to the fact some of the information sent over via over-the-air packets is link data that a third-party can use to hijack the connection between drone operator and drone."

Link

TLP¹: Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • 10 Vulnerabilities Found in Widely Used Robustel Industrial Routers

"Cisco’s Talos threat intelligence and research unit has identified several critical vulnerabilities in a widely used industrial cellular IoT gateway made by Chinese company Robustel.
The affected product is the R1510 router, which is designed to provide high-speed wireless network bandwidth in harsh environments. The device has been used worldwide and it has been certified by more than 20 mobile network operators in the United States, Europe and Southeast Asia.
Talos told SecurityWeek that the vendor patched the vulnerabilities while its researchers were still investigating. However, Robustel did not release a security advisory and it did not assign CVE identifiers to the flaws."

Link

TLP¹: Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • Empower Your Security Operations Team to Combat Emerging Threats

"The implementation of defense-in-depth architectures and operating system hardening technologies have altered the threat landscape. Historically, zero-click, singular vulnerabilities were commonly discovered and exploited. The modern-day defensive posture requires attackers to successfully chain together multiple exploit techniques to gain control of a target system. The increased utilization of dynamic analysis systems has driven attackers to evade detection by requiring input or action from the user. Sometimes, the victim must perform several manual steps before the underlying payload is activated. Otherwise, it remains dormant and undetectable through behavioral analysis."

Link

TLP¹: Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • Fake copyright complaints push IcedID malware using Yandex Forms

"Website owners are being targeted with fake copyright infringement complaints that utilize Yandex Forms to distribute the IcedID banking malware.
For over a year, threat actors tracked as TA578 have been conducting these attacks where they use a website's contact page to send legal threats to convince recipients to download a report of the offending material.
These reports allegedly contain proof of DDoS attacks or copyrighted material used without permission but instead infect a target's device with various malware, including BazarLoader, BumbleBee, and IcedID."

Link

TLP¹: Green

  • Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign

"A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.
Mobile security firm Zimperium dubbed the malware family ABCsoup, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores."
The rogue browser add-ons come with the same extension ID as that of Google Translate — "aapbdbdomjkkjkaonfhkkikfgjllcleb" — in an attempt to trick users into believing that they have installed a legitimate extension.
The extensions are not available on the official browser web stores themselves. Rather they are delivered through different Windows executables that install the add-on on the victim's web browser."

Link

TLP¹: Green

  • Online programming IDEs can be used to launch remote cyberattacks

"Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser.
At least one such platform, known as DataCamp, allows threat actors to compile malicious tools, host or distribute malware, and connect to external services.
DataCamp provides integrated development environments (IDEs) to close to 10 million users that want to learn data science using various programming languages and technologies (R, Python, Shell, Excel, Git, SQL).
As part of the platform, DataCamp users gain access to their own personal workspace that includes an IDE for practicing and executing custom code, uploading files, and connecting to databases."

Link

TLP¹: Green

¹ Traffic Light Protocol (TLP) [1] for information sharing:

  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.

[1] https://www.first.org/tlp