InfoSec News 20221007
Top News
- US govt shares top flaws exploited by Chinese hackers since 2020
"NSA, CISA, and the FBI revealed today the top security vulnerabilities most exploited by hackers backed by the People's Republic of China (PRC) to target government and critical infrastructure networks.
The three federal agencies said in a joint advisory that Chinese-sponsored hackers are targeting U.S. and allied networks and tech companies to gain access to sensitive networks and steal intellectual property.
"NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks," the advisory says.
"This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs)."
The advisory also bundles recommended mitigations for each of the security flaws most exploited by Chinese threat actors, as well as detection methods and vulnerable technologies to help defenders spot and block incoming attack attempts."
TLP¹: Green
- Linux Kernel 5.19.12 bug could damage Intel laptop displays
"Linux users have reported seeing weird white flashes and rapid blinking on their Intel laptop displays after upgrading to Linux kernel version 5.19.12, leading to warnings that the bug may damage displays.
Linux kernel version 5.19.12 isn't experimental or beta but a point release of the stable branch that came out on September 28, 2022.
Besides being a visual annoyance, the unexpected screen flickering prevents users from doing anything on their systems, and Intel Linux kernel engineer Ville Syrjälä warns that it could also damage the display.
After analyzing the Linux logs of users affected by the issue, Syrjälä replied to the kernel mailing list saying that the problem lies in bogus panel power sequencing delays, which may harm the panels."
TLP¹: Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
- Hacker stole $566 million worth of Binance Coins from Binance Bridge
"Hackers have reportedly stolen $566 million worth of Binance Coins (BNB) from the Binance Bridge.
It seems that threat actors were able to exploit an issue with the bridge; the attack took place at 2:30 PM EST today. The attackers were able to transfer the funds to their wallet through two transactions [1, 2], each of 1,000,000 BNB.
Binance co-founder and CEO Changpeng "CZ" Zhao confirmed the attack and explained that the vulnerability has been contained."
TLP¹: Green
- Meta sues app dev for stealing over 1 million WhatsApp accounts
"Meta has sued several Chinese companies doing business as HeyMods, Highlight Mobi, and HeyWhatsApp for developing and allegedly using "unofficial" WhatsApp Android apps to steal over one million WhatsApp accounts starting May 2022.
Meta's complaint says these malicious apps were available for download from the three companies' sites and from Google Play Store, APK Pure, APKSFree, iDescargar, and Malavida.
Once installed, the apps (including AppUpdater for WhatsPlus 2021 GB Yo FM HeyMods and Theme Store for Zap) used bundled malware to harvest sensitive info, including account authentication, to hijack their WhatsApp accounts to send spam messages.
"After victims installed the Malicious Applications, they were prompted to enter their WhatsApp user credentials and authenticate their WhatsApp access on the Malicious Applications," the complaint adds."
TLP¹: Green
- Eternity Group Hackers Offering New LilithBot Malware-as-a-Service to Cybercriminals
"The threat actor behind the malware-as-a-service (MaaS) known as Eternity Group has been linked to a new piece of malware called LilithBot.
"It has advanced capabilities to be used as a miner, stealer, and a clipper along with its persistence mechanisms," Zscaler ThreatLabz researchers Shatak Jain and Aditya Sharma said in a Wednesday report.
"The group has been continuously enhancing the malware, adding improvements such as anti-debug and anti-VM checks."
Eternity Project came on the scene earlier this year, advertising its warez and product updates on a Telegram channel. The services provided include a stealer, miner, clipper, ransomware, USB worm, and a DDoS bot."
TLP¹: Green
- Insurance Giant Lloyd's of London Investigating Cybersecurity Incident
"Insurance giant Lloyd's of London is investigating a cybersecurity incident that has forced it to disconnect some systems.
The company says it has detected unusual activity and decided to 'reset' its network and systems as a precaution. It shut down all external connectivity, including its delegated authority platforms, in response to the incident.
"Following the unusual activity detected on Lloyd's network, our precautionary work to secure systems has been completed overnight," a Lloyd's spokesperson told SecurityWeek on Thursday.
"Working with specialist partners and a dedicated team, we are currently evaluating the best options for reconnecting these systems, and we continue to investigate the issue. We continue to keep market participants and relevant parties updated," the spokesperson added."
TLP¹: Green
- FBI warns of disinformation threats before 2022 midterm elections
"The Federal Bureau of Investigation (FBI) warned today of foreign influence operations that might spread disinformation to affect the results of this year's midterm elections.
The federal law enforcement agency warned that foreign actors are actively spreading election infrastructure disinformation to manipulate public opinion, discredit the electoral process, sow discord, and encourage a lack of trust in democratic processes and institutions.
As the FBI added, foreign actors might also target the public with attempts to incite violence before and after the midterms.
"Foreign actors may intensify efforts to influence outcomes of the 2022 midterm elections by circulating or amplifying reports of real or alleged malicious cyber activity on election infrastructure," the FBI said in a public service announcement jointly issued with CISA."
TLP¹: Green
Breaches: Data Breaches and Hacks
- Hackers Can Use 'App Mode' in Chromium Browsers for Stealth Phishing Attacks
"In what's a new phishing technique, it has been demonstrated that the Application Mode feature in Chromium-based web browsers can be abused to create "realistic desktop phishing applications."
Application Mode is designed to offer native-like experiences in a manner that causes the website to be launched in a separate browser window, while also displaying the website's favicon and hiding the address bar.
According to security researcher mr.d0x, who also devised the browser-in-the-browser (BitB) attack method earlier this year, a bad actor can leverage this behavior to resort to some HTML/CSS trickery and display a fake address bar on top of the window and fool users into giving up their credentials on rogue login forms."
TLP¹: Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
- Cisco fixed two high-severity bugs in Communications, Networking Products
"Cisco announced it has addressed high-severity vulnerabilities affecting some of its networking and communications products, including Enterprise NFV, Expressway and TelePresence.
"Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series Software and Cisco TelePresence Video Communication Server (VCS) Software could allow a remote attacker to bypass certificate validation or conduct cross-site request forgery attacks on an affected device," reads the advisory published by the IT giant.
The first vulnerability, tracked as CVE-2022-20814, is an improper certificate validation issue; a remote, unauthenticated attacker can trigger it to access sensitive data through a man-in-the-middle attack."
TLP¹: Green
- Details Released for Recently Patched New macOS Archive Utility Vulnerability
"Security researchers have shared details about a now-addressed security flaw in Apple's macOS operating system that could be potentially exploited to run malicious applications in a manner that can bypass Apple's security measures.
The vulnerability, tracked as CVE-2022-32910, is rooted in the built-in Archive Utility and "could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive," Apple device management firm Jamf said in an analysis."
TLP¹: Green
- Dex patches authentication bug that enabled unauthorized access to client applications
"OpenID Connect (OIDC) identity service Dex has patched a critical vulnerability that would allow an attacker to fetch an ID token through an intercepted authorization code and potentially gain unauthorised access to client applications.
Dex uses OIDC, a simple identity layer on top of the OAuth 2.0 protocol, to power authentication for other apps. It acts as a portal to other identity providers through 'connectors', allowing it to defer authentication to LDAP servers, SAML providers, or identity providers such as GitHub, Google, and Active Directory.
Dex, an open source sandbox project from the Cloud Native Computing Foundation, has been downloaded 35.6 million times."
TLP¹: Green
- The exploitability advisory: CISA's VEX offers fresh take on tackling known vulnerabilities
"A new twist on security advisories promises to optimize the triaging of vulnerabilities by highlighting whether flaws are not just present within software but practically exploitable, too.
Developed by the US government, the vulnerability exploitability exchange (VEX) enables "both suppliers and users to focus on vulnerabilities that pose the most immediate risk" and avoid wasting time on bugs with no impact, according to use cases (PDF) published by the US Cybersecurity & Infrastructure Security Agency (CISA) in April 2022."
TLP¹: Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
- The Ultimate SaaS Security Posture Management Checklist, 2023 Edition
"It's been a year since the release of The Ultimate SaaS Security Posture Management (SSPM) Checklist. If SSPM is on your radar, here's the 2023 checklist edition, which covers the critical features and capabilities when evaluating a solution.
The ease with which SaaS apps can be deployed and adopted today is remarkable, but it has become a double-edged sword. On the one hand, apps are quickly onboarded, employees can work from anywhere, and there is little need for operational management."
TLP¹: Green
- Sharing Knowledge at 44CON
"After a two-year break, London's information security conference 44CON returned on Sept. 16-16, 2022. Passionate security evangelists were joined by architects and managers from leading technology companies to enjoy a two-day festival of cybersecurity research from global headliners. People came to meet, do business, talk, and learn, with the 44CON crew providing fun, great food, and cybersecurity-themed entertainment."
TLP¹: Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
- Windows 11 22H2 breaks provisioning with 0x800700b7 errors
"Microsoft says the Windows 11 2022 Update is breaking provisioning, leaving Windows 11 enterprise endpoints partially configured and failing to finish installing.
According to Microsoft, this known issue most likely affects provisioning packages (.PPKG files used to configure new endpoints on enterprise or school networks without imaging) during the initial setup phase.
"Using provisioning packages on Windows 11, version 22H2 (also called Windows 11 2022 Update) might not work as expected," Redmond explained.
"Windows might only be partially configured, and the Out Of Box Experience might not finish or might restart unexpectedly.""
TLP¹: Green
- CrowdSec Raises $14 Million for Crowdsourced Threat Intelligence Solution
"French cybersecurity startup CrowdSec on Thursday announced raising €14 million ($14 million) in Series A funding for its crowdsourced threat intelligence solution.
The funding round, which brings the total investment in the company to more than $21 million, was led by Supernova Invest, with participation from Breega. The money will be used to improve CrowdSec's technical capabilities and expand operations to the United States.
Founded in 2020, CrowdSec has created a participative and open source intrusion prevention and detection system that assesses the reputation of an IP address based on its behavior.
CrowdSec says its software has been installed more than 100,000 times, including by governments, financial institutions, ecommerce companies, and media organizations across 175 countries."
TLP¹: Green
- FBI, CISA, and NSA Reveal How Hackers Targeted a Defense Industrial Base Organization
"U.S. cybersecurity and intelligence agencies on Tuesday disclosed that multiple nation-state hacking groups potentially targeted a "Defense Industrial Base (DIB) Sector organization's enterprise network" as part of a cyber espionage campaign.
"[Advanced persistent threat] actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data," the authorities said."
TLP¹: Green
¹ Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.