InfoSec News 20221011

  • Published: Tue, 11/10/2022 - 15:01

Top News


  • DeepFakes Are The Cybercriminal Economy’s Latest Business Line

"According to cybersecurity experts, this may be used for political propaganda, foreign influence activity, disinformation, scams, and fraud.
Introduced to the public by Canadian researchers in 2014, Generative Adversarial Networks (GANs) typically imitate people's faces, speech, and unique facial gestures; they have become known to online communities as DeepFakes.
One of the recently identified underground services is "RealDeepFake", readily available through Telegram groups. For a small fee, the service allows actors to create a deepfake instance with their selected character, to which they then apply a voiceover from a chosen script; they can also include effects and text. The service leverages technologies such as VoiceR and Lipsing to change the voice so it sounds like the chosen character."

Link

TLP¹: Green

  • US airports' sites taken down in DDoS attacks by pro-Russian hackers

"The pro-Russian hacktivist group 'KillNet' is claiming large-scale distributed denial-of-service (DDoS) attacks against websites of several major airports in the U.S., making them inaccessible.
The DDoS attacks have overwhelmed the servers hosting these sites with garbage requests, making it impossible for travelers to connect and get updates about their scheduled flights or book airport services.
Notable examples of airport websites that are currently unavailable include the Hartsfield-Jackson Atlanta International Airport (ATL), one of the country's larger air traffic hubs, and the Los Angeles International Airport (LAX), which is intermittently offline or very slow to respond."

Link

TLP¹: Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • UK Spy Chief to Warn of 'Huge' China Tech Threat

"Britain's GCHQ spy agency chief will warn Western countries Tuesday of the "huge threat" from China seeking to exploit its tech dominance to control its own citizens and gain influence abroad.
Jeremy Fleming, the director of the cybersecurity agency, is set to tell a British defence studies body that the Chinese Communist Party views technologies such as satellite systems and digital currencies as a "tool to gain advantage".
In excerpts of his speech released late Monday, Fleming will use the annual "security lecture" at RUSI think tank to argue China could act in ways representing "a huge threat to us all".
He will urge the UK and its allies to respond urgently."

Link

TLP¹: Green

  • Hacking group POLONIUM uses ‘Creepy’ malware against Israel

"Security researchers reveal previously unknown malware used by the cyber espionage hacking group 'POLONIUM,' threat actors who appear to target Israeli organizations exclusively.
According to ESET, POLONIUM uses a broad range of custom malware against engineering, IT, law, communications, marketing, and insurance firms in Israel. The group's campaigns are still active at the time of writing.
Microsoft's Threat Intelligence team first documented the group's malicious activities in June 2022, linking POLONIUM threat actors in Lebanon with ties to Iran's Ministry of Intelligence and Security (MOIS)."

Link

TLP¹: Green

  • Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky

"A new piece of research has detailed the increasingly sophisticated nature of the malware toolset employed by an advanced persistent threat (APT) group named Earth Aughisky.
"Over the last decade, the group has continued to make adjustments in the tools and malware deployments on specific targets located in Taiwan and, more recently, Japan," Trend Micro disclosed in a technical profile last week.
Earth Aughisky, also known as Taidoor, is a cyber espionage group that's known for its ability to abuse legitimate accounts, software, applications, and other weaknesses in the network design and infrastructure for its own ends.
While the Chinese threat actor has been known to primarily target organizations in Taiwan, victimology patterns observed towards late 2017 indicate an expansion to Japan."

Link

TLP¹: Green

Breaches: Data Breaches and Hacks


  • Toyota discloses data leak after access key exposed on GitHub

"Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years.
Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more.
Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.
This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted."

Link

TLP¹: Green
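The Toyota item is the textbook case for scanning source before it reaches a public repository. The following is an added example, not Toyota's code and not a tool named on this page: a small Python scanner that flags a known provider key format (the AWS access key ID shape is used as an assumption; the page does not say which provider's key leaked) and any assignment of a secret-looking variable name to a long, high-entropy string literal. It runs over constructed sample source lines embedded in the block.

```python
import math
import re

# Constructed sample source lines (not Toyota's code): one key in a known provider
# format, one high-entropy secret assigned inline, one secret read from the
# environment (the right pattern), and a low-entropy placeholder.
SAMPLE_SOURCE = """\
DB_HOST = "data.example.internal"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
api_secret = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
token = os.environ["DATA_SERVER_TOKEN"]
password = "changeme"
"""

# Known key formats are the cheapest, lowest-noise check. The AWS access key ID
# shape is an assumption here; the page does not say which provider's key leaked.
KNOWN_KEY_FORMATS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Generic check: a variable whose name suggests a secret, assigned a quoted literal.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z_]*(?:key|secret|token|password|passwd)[a-z_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]+)['\"]"
)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score well above prose."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, min_len=16, min_entropy=3.5):
    """Return one finding per line that looks like a hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in KNOWN_KEY_FORMATS:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "kind": label, "value": m.group(0)})
                break
        else:
            # No known format matched: fall back to the name + entropy heuristic.
            m = SECRET_ASSIGNMENT.search(line)
            if m:
                value = m.group("value")
                if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                    findings.append({
                        "line": lineno,
                        "kind": "high-entropy " + m.group("name").lower(),
                        "value": value,
                    })
    return findings


def redact(value, keep=4):
    """Show only a short prefix so a report can be shared without re-leaking the secret."""
    return value[:keep] + "*" * (len(value) - keep)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} -> {redact(f['value'])}")
```

Run as a pre-commit or CI step, the scan fails the push on lines 2 and 3 of the sample and stays quiet on the environment lookup and the short placeholder. The entropy threshold is a heuristic: lower it and base64-looking prose starts to trip it, raise it and short tokens slip through, so pair it with the format list for providers you actually use.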

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • Follow-up: CVE-2022-40684 flaw in Fortinet products is being exploited in the wild

"Fortinet has confirmed that the recently disclosed critical authentication bypass issue (CVE-2022-40684) is being exploited in the wild.
Last week, Fortinet addressed a critical authentication bypass flaw, tracked as CVE-2022-40684, that impacted FortiGate firewalls and FortiProxy web proxies.
An attacker can exploit the vulnerability to log into vulnerable devices."

Link

TLP¹: Green

  • VMware Patches vCenter Server Code Execution Vulnerability

"Virtualization giant VMware on Thursday announced patches for a vCenter Server vulnerability that could lead to arbitrary code execution.
A centralized management utility, the vCenter Server is used for controlling virtual machines and ESXi hosts, along with their dependent components.
Tracked as CVE-2022-31680 (CVSS score of 7.2), the security bug is described as an unsafe deserialization vulnerability in the platform services controller (PSC).
“A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server,” the company explains in an advisory."

Link

TLP¹: Green

  • Android Security Updates Patch Critical Vulnerabilities

"The October 2022 security updates for Android started rolling out last week with patches for roughly 50 vulnerabilities, including a critical-severity flaw in the Framework component.
Tracked as CVE-2022-20419 and described as an information disclosure bug, the critical flaw has been resolved with the ‘2022-10-01 security patch level’, along with five other vulnerabilities in Framework that could lead to elevation of privilege, information disclosure and denial of service (DoS).
“The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in its advisory."

Link

TLP¹: Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • 6 Things Every CISO Should Do the First 90 Days on the Job

"Not too long ago, the role of chief information security officer was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the CISO role has evolved — growing both in responsibility and stature within a company. The CISO is now a critical member of the executive team, responsible for tying not only cybersecurity, but overall risk management, to the company's business strategy and operations.
The modern CISO is involved in strategic decision-making, for example, ensuring the business securely embraces digital transformation while assuring the board, clients, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes, and technologies to enable their organization to fulfill its overarching business objectives securely.
Given this evolution in responsibilities, a CISO's first 90 days on the job should look a lot different today than it did even several years ago."

Link

TLP¹: Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • Windows 11 22H2 blocked due to Windows Hello issues on some systems

"Microsoft is now blocking the Windows 11 22H2 update from being offered on some systems because signing in using Windows Hello might not work after upgrading.
As the company explains, customers will experience problems signing in via Windows Hello after installing the Windows 11 2022 Update only on devices that also use Enhanced Sign-in Security.
On impacted systems, the known issue affects both PIN and biometric (face and fingerprint) sign-ins.
"This issue might be encountered on devices which already have Windows Hello when upgrading but should not happen on devices which enable Windows Hello after upgrading or installing Windows 11, version 22H2," Microsoft said."

Link

TLP¹: Green

  • New Report Uncovers Emotet's Delivery and Evasion Techniques Used in Recent Attacks

"Threat actors associated with the notorious Emotet malware are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection, according to new research from VMware.
Emotet is the work of a threat actor tracked as Mummy Spider (aka TA542), emerging in June 2014 as a banking trojan before morphing into an all-purpose loader in 2016 that's capable of delivering second-stage payloads such as ransomware.
While the botnet's infrastructure was taken down as part of a coordinated law enforcement operation in January 2021, Emotet bounced back in November 2021 through another malware known as TrickBot.
Emotet's resurrection, orchestrated by the now-defunct Conti team, has since paved the way for Cobalt Strike infections and, more recently, ransomware attacks involving Quantum and BlackCat."

Link

TLP¹: Green

  • Caffeine service lets anyone launch Microsoft 365 phishing attacks

"A phishing-as-a-service (PhaaS) platform named 'Caffeine' makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns.
Caffeine doesn't require invites or referrals, nor does it require wannabe threat actors to get approval from an admin on Telegram or a hacking forum. Due to this, it removes much of the friction that characterizes almost all platforms of this kind.
Another distinctive characteristic of Caffeine is that its phishing templates target Russian and Chinese platforms, whereas most PhaaS platforms tend to focus on lures for Western services.
Mandiant's analysts discovered and tested Caffeine thoroughly, and today report that it's a worryingly feature-rich PhaaS considering its low barrier for entry.
The cybersecurity firm first spotted Caffeine after investigating a large-scale phishing campaign run through the service, targeting one of Mandiant's clients to steal Microsoft 365 account credentials."

Link

TLP¹: Green

  • Hackers behind IcedID malware attacks diversify delivery tactics

"The threat actors behind IcedID malware phishing campaigns are utilizing a wide variety of distribution methods, likely to determine what works best against different targets.
Researchers at Team Cymru have observed several campaigns in September 2022, all following slightly different infection pathways, which they believe is to help them evaluate effectiveness.
Moreover, the analysts have noticed changes in the management of command and control server (C2) IPs used in the campaigns, now showing signs of sloppiness."

Link

TLP¹: Green

  • Phishing via PDF viewers impacts users

"Since roughly the start of the fourth quarter of 2022, a social engineering campaign has been on the rise. The campaign consists of sending a link to a PDF file, and that file contains an address (URL) pointing to the actual malicious attack.
This extra step in presenting the page is intended to make the attack harder for online threat monitoring services to detect. These services check whether the page and document are potential attacks, but they only inspect the first page received by email (in this case, a PDF file embedded in an online viewer), so no risk is detected. That protection disappears once the link inside the PDF is opened."

Link

TLP¹: Green
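One way a mail gateway closes the gap described above is to pull the links out of the PDF itself and inspect them, instead of stopping at the viewer page. The following is an added example, not code from the reporting organization or from any scanner named on this page: a standard-library-only Python extractor for /URI link actions in a constructed, uncompressed PDF (both literal and hex string forms, with backslash escapes resolved), followed by a host allowlist check. The host names are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed minimal PDF (not a sample from the campaign): one page with two
# link annotations whose /URI actions point at external pages. Objects are left
# uncompressed so the structure is readable; real documents usually wrap objects
# in FlateDecode streams that must be inflated with zlib before this scan runs.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
           /A << /S /URI /URI (https://example.invalid/docs/view\\(1\\)) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]
           /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6e65742f7265766965773f69643d31> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI key followed by either a literal string "(...)" (backslash escapes allowed)
# or a hex string "<...>". Nested unescaped parentheses are not handled here.
URI_ACTION = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.DOTALL
)

PDF_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_literal(body):
    """Resolve backslash escapes in the body of a PDF literal string."""
    return re.sub(rb"\\(.)", lambda m: PDF_ESCAPES.get(m.group(1), m.group(1)), body, flags=re.DOTALL)


def decode_hex(body):
    """Decode a PDF hex string body; whitespace is ignored, an odd trailing digit is padded with 0."""
    digits = re.sub(rb"\s+", b"", body)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def extract_uris(pdf_bytes):
    """Return every /URI action target in the document, in file order."""
    uris = []
    for m in URI_ACTION.finditer(pdf_bytes):
        if m.group("lit") is not None:
            raw = decode_literal(m.group("lit"))
        else:
            raw = decode_hex(m.group("hex"))
        uris.append(raw.decode("latin-1"))
    return uris


def untrusted_links(pdf_bytes, allowed_hosts):
    """URIs whose host is not on the allowlist: the ones a scanner should follow or block."""
    return [u for u in extract_uris(pdf_bytes) if urlsplit(u).hostname not in allowed_hosts]


if __name__ == "__main__":
    for uri in untrusted_links(SAMPLE_PDF, {"example.net"}):
        print("follow or block:", uri)
```

The point of the extractor is that the decision is made on the second-stage URL, which is what the campaign hides. Feed each untrusted link to the same reputation or sandbox check already applied to the first page; in production, decompress FlateDecode object streams first and also look for /Launch and /JavaScript actions, which the regex above deliberately ignores.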

¹ Traffic Light Protocol (TLP) [1] for information sharing:

  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.

[1] https://www.first.org/tlp