InfoSec News 20221110

  • Published: Thu, 10/11/2022 - 12:48

Top News


  • Couple sentenced to prison for trying to sell nuclear warship secrets

"A Navy nuclear engineer and his wife were sentenced to over 19 years and more than 21 years in prison for attempting to sell nuclear warship design secrets to what they believed was a foreign power agent. 
The two defendants, Jonathan and Diana Toebbe, however, tried selling restricted information (such as printouts, digital media files containing technical details, and operations manuals) to an undercover FBI agent."

Link

TLP¹: Green

  • APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network

"The Russia-linked APT29 nation-state actor has been found leveraging a "lesser-known" Windows feature called Credential Roaming following a successful phishing attack against an unnamed European diplomatic entity.
"The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere said in a technical write-up.
APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, is known for its intrusions aimed at collecting intelligence that align with the country's strategic objectives. It's believed to be sponsored by the Foreign Intelligence Service (SVR)."

Link

TLP¹: Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • Reddit and TikTok score low on preventing disinformation campaigns

"Social media platforms used by US political leaders often lack the security controls necessary to prevent disinformation, researchers said after analyzing the safety features of Twitter, Facebook, Reddit, TikTok, and Instagram.
“Despite their continued growth as the news medium of choice for voters, the US does not have security standards or oversight for social media platforms. Until this changes, politicians and voters should expect a continued assault from nation-states looking to execute disinformation campaigns,” researchers concluded.
Security company Cerby judged prominent platforms across critical areas, such as privacy, multi-factor authentication, and enterprise readings, using a scale of 0 to 5. Facebook turned out to be the safest platform for politicians to use, with a 3.34 rating. Twitter came second at 2.75, followed by Instagram (2.68), TikTok (2.00), and Reddit (1.95)."

Link

TLP¹: Green

  • No Cyberattacks Affected US Vote Counting, Officials Say

"No instances of digital interference are known to have affected the counting of the midterm vote after a tense Election Day in which officials were closely monitoring domestic and foreign threats.
A few state and local governments appeared to be hit by a relatively rudimentary form of cyberattack that periodically made public websites unreachable. But U.S. and local officials said Wednesday that none breached vote-counting infrastructure.
“We have seen no evidence that any voting system deleted or lost votes, changed votes, or was any way compromised in any race in the country,” Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Agency, said in a statement."

Link

TLP¹: Green

  • Two men arrested on suspicion of defrauding thousands of Koreans of millions

"Two persons suspected of defrauding 2,000 Korean victims of approximately €28 million ($28.143 million) have been arrested in Greece and Italy with the help of INTERPOL.
The suspects are detained in connection to their role in an international Ponzi scheme. Both persons – a Polish citizen (49) and a German citizen (61) – were wanted by INTERPOL.
Promising attractive investment returns, the scheme operated via social media chat rooms to promote FutureNet – a global pyramid scheme that urged users to join and invite others between 2016 and 2020. This follows a classic Ponzi scheme model, where threat actors use assets from newcomers to pay earlier investors who made a profit by recruiting new people.
Two suspects managed to defraud thousands of victims of millions by leading them to believe that they could profit from their investment by buying advertisement packs and re-selling them at a higher price to YouTube and Facebook users."

Link

TLP¹: Green

Breaches: Data Breaches and Hacks


  • 15,000 sites hacked for massive Google SEO poisoning campaign

"Hackers are conducting a massive black hat search engine optimization (SEO) campaign by compromising almost 15,000 websites to redirect visitors to fake Q&A discussion forums.
The attacks were first spotted by Sucuri, who says that each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress.
The researchers believe the threat actors' goal is to generate enough indexed pages to increase the fake Q&A sites' authority and thus rank better in search engines."

Link

TLP¹: Green

  • Some 98% of Global Firms Suffer Supply Chain Breach in 2021

"Just 2% of global organizations didn’t suffer a supply chain breach last year, with visibility into cyber risk getting harder as these ecosystems expand, according to BlueVoyant.
The security firm polled 2100 C-level execs with responsibility for supply chain and cyber risk management from companies with 1000+ employees to compile its study, The State of Supply Chain Defense: Annual Global Insights Report 2022."

Link

TLP¹: Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • Lenovo warns of flaws that can be used to bypass security features

"Lenovo has released security updates to address a couple of high-severity vulnerabilities impacting various ThinkBook, IdeaPad, and Yoga laptop models. An attacker can exploit the flaws to disable UEFI Secure Boot.
Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system specification.”
An attacker that is able to bypass the Secure Boot could bypass any security measure running on the machine and achieve persistence even in case the OS is reinstalled."

Link

TLP¹: Green

  • High-Severity Flaw Reported in Critical System Used by Oil and Gas Companies

"Cybersecurity researchers have disclosed details of a new vulnerability in a system used across oil and gas organizations that could be exploited by an attacker to inject and execute arbitrary code.
The vulnerability, tracked as CVE-2022-0902 (CVSS score: 8.1), is a path-traversal vulnerability in ABB Totalflow flow computers and remote controllers.
"Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code," industrial security company Claroty said in a report shared with The Hacker News.
ABB, a Swedish-Swiss industrial automation firm, has since released firmware updates as of July 14, 2022, following responsible disclosure."

Link

TLP¹: Green

  • CSS injection flaw patched in Acronis cloud management console

"A security researcher has disclosed a CSS injection flaw in Acronis software which could be abused for data theft.
On November 4, ‘Medi’ (under the alias ‘mr-medi’), published a technical analysis of the vulnerability, a client-side path traversal attack they described as the “favorite bug” they’ve ever found.
The vulnerability existed in the Acronis cloud management console. The software manages Acronis services, including cloud backups and resource monitoring."

Link

TLP¹: Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • Re-Focusing Cyber Insurance with Security Validation

"The rise in the costs of data breaches, ransomware, and other cyber attacks leads to rising cyber insurance premiums and more limited cyber insurance coverage. This cyber insurance situation increases risks for organizations struggling to find coverage or facing steep increases.
Some Akin Gump Strauss Hauer & Feld LLP's law firm clients, for example, reported a three-fold increase in insurance rates, and carriers are making "a huge pullback" on coverage limits in the past two years. Their cybersecurity practice co-head, Michelle Reed, adds, "The reduced coverage amount can no longer shield policyholders from cyber losses. A $10 million policy can end up with a $150,000 limit on cyber frauds.""

Link

TLP¹: Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • New StrelaStealer malware steals your Outlook, Thunderbird accounts

"A new information-stealing malware named 'StrelaStealer' is actively stealing email account credentials from Outlook and Thunderbird, two widely used email clients.
This behavior deviates from most info-stealers, which attempt to steal data from various data sources, including browsers, cryptocurrency wallet apps, cloud gaming apps, the clipboard, etc.
The previously unknown malware was discovered by analysts at DCSO CyTec, who report that they first saw it in the wild in early November 2022, targeting Spanish-speaking users."

Link

TLP¹: Green

  • New hacking group uses custom 'Symatic' Cobalt Strike loaders

"A previously unknown Chinese APT (advanced persistent threat) hacking group dubbed 'Earth Longzhi' targets organizations in East Asia, Southeast Asia, and Ukraine.
The threat actors have been active since at least 2020, using custom versions of Cobalt Strike loaders to plant persistent backdoors on victims' systems.
According to a new Trend Micro report, Earth Longzhi has similar TTP (techniques, tactics, and procedures) as 'Earth Baku,' both considered subgroups of the state-backed hacking group tracked as APT41."

Link

TLP¹: Green

¹ Traffic Light Protocol (TLP) [1] for information sharing:
  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.

[1] https://www.first.org/tlp