InfoSec News 20221205
Top News
-
Android malware apps with 2 million installs spotted on Google Play
"A new set of Android malware, phishing, and adware apps have infiltrated the Google Play store, tricking over two million people into installing them.
The apps were discovered by Dr. Web antivirus and pretend to be useful utilities and system optimizers but, in reality, are the sources of performance hiccups, ads, and user experience degradation.
One app illustrated by Dr. Web that has amassed one million downloads is TubeBox, which remains available on Google Play at the time of writing this."
TLP¹: Green
-
Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems
"The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution.
The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service.
"ping reads raw IP packets from the network to process responses in the pr_pack() function," according to an advisory published last week."
TLP¹: Green
-
Open source software host Fosshost shutting down as CEO unreachable
"Open source software hosting and cloud computing provider Fosshost will no longer be providing services as it reaches end of life.
Fosshost project volunteers announced the development this weekend following months of difficulties in reaching the leadership including the CEO.
Users are being urged to immediately backup their data and migrate to alternative hosting platforms."
TLP¹: Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Law enforcement agencies can extract data from thousands of cars’ infotainment systems
"Data managed by infotainment systems in modern vehicles are a valuable source of information for the investigation of law enforcement agencies.
Modern vehicles come with sophisticated infotainment systems that are connected online and that could represent an entry point for attackers, as demonstrated by many security experts over the years.
Law enforcement and intelligence worldwide are buying technologies that exploit weaknesses in vehicle systems.
Recently the security researcher Sam Curry warned of vulnerabilities in mobile apps that exposed Hyundai and Genesis car models after 2012 to remote attacks. An attacker could exploit these flaws to unlock and start the vehicles."
TLP¹: Green
-
Microsoft is preparing to defend Ukraine from renewed Russian cyber offensive
"Russia is further pressuring Ukraine with its multi-pronged hybrid technology approach and ever more intense cyberattacks, Microsoft says. The company adds it will help Kyiv and its allies prepare for Moscow’s operations.
Winter has been tough for millions of Ukrainians as Russia continues to attack critical energy infrastructure in order to freeze the country into submission.
The cyber front has been busy as well, Microsoft says in a new report – cyberthreat actors affiliated with Russian military intelligence (GRU) have launched destructive wiper attacks against Ukraine’s networks of critical importance."
TLP¹: Green
-
French Hospital Cancels Operations After Cyberattack
"A hospital complex in Versailles, near Paris, had to cancel operations and transfer some patients after being hit by a cyberattack over the weekend, France's health ministry said.
The Hospital Centre of Versailles -- which consists of Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home -- was affected by the hacking attempt, said the complex's management.
The regional health agency (ARS) said the Andre-Mignot Hospital had cancelled operations, but was doing everything possible to keep walk-in services and consultations running.
Six patients had been transferred since Saturday evening -- three from intensive care and three from the neonatal unit -- said Health Minister Francois Braun, as he visited the hospital Sunday evening. Others might follow, he added.
The cyberattack had led to a "total reorganisation of the hospital", the minister added."
TLP¹: Green
-
SIM swapper gets 18-months for involvement in $22 million crypto heist
"Florida man Nicholas Truglia was sentenced to 18 months in prison on Thursday for his involvement in a fraud scheme that led to the theft of millions from cryptocurrency investor Michael Terpin.
The funds were stolen following a January 2018 SIM swap attack that allowed Truglia's co-conspirators to hijack Terpin's phone number and fraudulently transfer roughly $23.8 million in cryptocurrency from his crypto wallet to an online account under Truglia's control.
According to the indictment, the defendant "agreed to convert the stolen cryptocurrency into Bitcoin, another form of cryptocurrency, and then transfer the Bitcoin to other Scheme Participants, while keeping a portion as payment for his services.""
TLP¹: Green
-
Hackers use new, fake crypto app to breach networks, steal cryptocurrency
"The North Korean 'Lazarus' hacking group is linked to a new attack spreading fake cryptocurrency apps under the made-up brand, "BloxHolder," to install the AppleJeus malware for initial access to networks and steal crypto assets.
According to a joint FBI and CISA report from February 2021, AppleJeus has been in circulation since at least 2018, used by Lazarus in cryptocurrency hijacking and digital asset theft operations.
A new report by Volexity has identified new, fake crypto programs and AppleJeus activity, with signs of evolution in the malware's infection chain and abilities."
TLP¹: Green
-
Russian regions attacked by new wiper posing as ransomware
"Judicial courts and mayor offices across several Russian regions have been hit by a new data-wiping trojan. Antivirus maker Kaspersky says it’s a piece of malware that pretends to ask for a ransom.
The malware, named CryWiper, appears at first glance to be a tool created to scramble files and then leave a ransom note demanding money.
However, Kaspersky researchers now say they found evidence of data destruction. It means that even if victims paid the attackers, they would not be able to recover their files, which are permanently deleted. These kinds of cyberweapons are called wipers for precisely this reason."
TLP¹: Green
-
US DHS Cyber Safety Board will review Lapsus$ gang’s operations
"The Department of Homeland Security (DHS) Cyber Safety Review Board announced that it will review cyberattacks linked to the extortion gang Lapsus$; the gang breached multiple high-profile companies in recent years.
“Today, the U.S. Department of Homeland Security (DHS) announced that the Cyber Safety Review Board (CSRB) will review the recent attacks associated with Lapsus$, a global extortion-focused hacker group. Lapsus$ has reportedly employed techniques to bypass a range of commonly-used security controls and has successfully infiltrated a number of companies across industries and geographic areas.” reads the CSRB announcement."
TLP¹: Green
-
Vatican shuts down its website amid hacking attempts
"The Vatican was forced to take down its main vatican.va website on Wednesday and soon admitted it had detected apparent attempts to hack it.
“Technical investigations are ongoing due to abnormal attempts to access the site,” Vatican spokesman Matteo Bruni told Reuters on November 30, without elaboration.
The website was down Wednesday and Thursday but came back up by Friday morning. Yet, attempts by Cybernews to access the Latin version of vatican.va were met with “404” error messages.
It’s not clear who the alleged hackers are, although there is precedent for hacking groups targeting the Vatican because of statements by Pope Francis. A Turkish hacker broke into the Holy See’s website after the pope called the 1915 mass killings of Armenians by Turks a “genocide.”"
TLP¹: Green
-
Police arrest 55 members of 'Black Panthers' SIM Swap gang
"The Spanish National Police have arrested 55 members of the 'Black Panthers' cybercrime group, including one of the organization's leaders based in Barcelona.
The gang was operating four specialized activity cells dedicated to social engineering, vishing (voice phishing), phishing, and carding, having a very organized structure.
The arrested leader coordinated the cells and recruited new members and money mules.
"The criminal group consisted of a network structure, made up of interconnected and perfectly defined action cells, whose division of tasks dealt with knowledge, accessibility to stolen information, and experience," reads the police's announcement.
The ultimate goal of the gang was to perform SIM swapping attacks, which is to port a target's phone number to the attacker's device. By porting the number, the attackers now gain access to the victim's text messages and can use it to bypass 2FA protection on their bank accounts and empty them."
TLP¹: Green
Breaches: Data Breaches and Hacks
-
Report: California Gun Data Breach Was Unintentional
"California’s Department of Justice mistakenly posted the names, addresses and birthdays of nearly 200,000 gun owners on the internet because officials didn’t follow policies or understand how to operate their website, according to an investigation released Wednesday.
The investigation, conducted by an outside law firm hired by the California Department of Justice, found that personal information for 192,000 people was downloaded 2,734 times by 507 unique IP addresses during a roughly 12-hour period in late June. All of those people had applied for a permit to carry a concealed gun."
TLP¹: Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Google Chrome emergency update fixes 9th zero-day of the year
"Google has released Chrome 108.0.5359.94/.95 for Windows, Mac, and Linux users to address a single high-severity security flaw, the ninth Chrome zero-day exploited in the wild patched since the start of the year.
"Google is aware of reports that an exploit for CVE-2022-4262 exists in the wild," the search giant said in a security advisory published on Friday.
According to Google, the new version has started rolling out to users in the Stable Desktop channel, and it will reach the entire user base within a matter of days or weeks.
This update was immediately rolled out to our systems when BleepingComputer checked for new updates from the Chrome menu > Help > About Google Chrome.
The web browser will also automatically check for new updates and will install them without requiring user interaction after the next launch."
TLP¹: Green
-
CISA Warns of Multiple Critical Vulnerabilities Affecting Mitsubishi Electric PLCs
"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released an Industrial Control Systems (ICS) advisory warning of multiple vulnerabilities in Mitsubishi Electric GX Works3 engineering software.
"Successful exploitation of these vulnerabilities could allow unauthorized users to gain access to the MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server module or to view and execute programs," the agency said.
GX Works3 is an engineering workstation software used in ICS environments, acting as a mechanism for uploading and downloading programs from/to the controller, troubleshooting software and hardware issues, and performing maintenance operations."
TLP¹: Green
-
A new Linux flaw can be chained with other two bugs to gain full root privileges
"Qualys researchers demonstrated how to chain a new Linux flaw with two other issues to gain full root privileges on an impacted system.
Researchers at the Qualys’ Threat Research Unit demonstrated how to chain a new Linux vulnerability, tracked as CVE-2022-3328, with two other flaws to gain full root privileges on an affected system.
The vulnerability resides in the snap-confine function on Linux operating systems, a SUID-root program installed by default on Ubuntu.
The snap-confine is used internally by snapd to construct the execution environment for snap applications, an internal tool for confining snappy applications."
TLP¹: Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
SOC Turns to Homegrown Machine Learning to Catch Cyber-Intruders
"Using an internally developed machine-learning model trained on log data, the information security team for a French bank found it could detect three new types of data exfiltration that rules-based security appliances did not catch.
Carole Boijaud, a cybersecurity engineer with Credit Agricole Group Infrastructure Platform (CA-GIP), will take the stage at next week's Black Hat Europe 2022 conference to detail the research into the technique, in a session entitled, "Thresholds Are for Old Threats: Demystifying AI and Machine Learning to Enhance SOC Detection." The team took daily summary data from log files, extracted interesting features from the data, and used that to find anomalies in the bank's Web traffic."
TLP¹: Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
How to avoid hacking hangover at the airport this holiday season
"The hustle and bustle of the holiday season finds most of us rushing around, short on time and patience, finalizing travel plans, and buying last-minute gifts. It’s the first holiday travel season for many since COVID-19 officially made its worldwide debut at the end of 2019.
Industry experts are predicting record-breaking numbers of international travelers over the next few months, mainly due to lifted travel restrictions across the globe and the strong position of the US dollar. What’s more, after months of supply chain shortages, holiday shopping is also predicted to make a solid comeback in the fourth quarter of 2022.
While most travelers are thinking about long-awaited family reunions and gingerbread cookies, the October Consumer Cyber Safety Pulse Report by Norton Labs showed that e-commerce scams have more than doubled since 2019. “And we expect even more this holiday season,” said Kevin Roundy, Researcher and Technical Director at Norton Labs."
TLP¹: Green
-
BlackProxies proxy service increasingly popular among hackers
"A new residential proxy market is becoming popular among hackers, cybercriminals, phishers, scalpers, and scammers, selling access to a million claimed proxy IP addresses worldwide.
The new platform was spotted by DomainTools analysts who have been watching the emergence of these services, reporting that 'BlackProxies' is one of the most quickly growing newcomers in the space.
A new entity that claims such a big pool of available proxies is an important development considering that law enforcement has shut down several large proxy providers like RESNET and INSORG in the past couple of years."
TLP¹: Green
-
OpenAI's new ChatGPT bot: 10 coolest things you can do with it
"From precisely spotting security vulnerabilities in your code, to writing an essay or an entire block of functional code on a whim, to opening portals to another dimension, OpenAI's newly launched ChatGPT is a game changer with its possibilities seeming limited only by your limitedness.
Last week, OpenAI research labs unveiled ChatGPT, a chat bot that works from within your web browser—akin to the ones you've seen on websites offering customer support chat.
Except, ChatGPT is powered by GPT-3.5 series of models trained with text and code data on Azure AI supercomputing infrastructure. The AI's capabilities have been driven up to deal with requests that are rather odd, quite technical, abstract or specific.
By putting its advanced chatbot in public preview, OpenAI hopes to crowdsource feedback by learning from what all users ask ChatGPT and how well the technology performs.
A key point is that the current preview is not connected to the internet, so any responses it returns are purely coming from offline trained models. ChatGPT won't be able to answer, for example, "What is Microsoft's current phone number?" or today's weather."
TLP¹: Green
¹ Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.