InfoSec News 20221207
Top News
-
Massive DDoS attack takes Russia’s second-largest bank VTB offline
"Russia's second-largest financial institution VTB Bank says it is facing the worst cyberattack in its history after its website and mobile apps were taken offline due to an ongoing DDoS (distributed denial of service) attack.
"At present, the VTB technological infrastructure is under unprecedented cyberattack from abroad," stated a VTB spokesperson to TASS (translated).
"It is not only the largest cyberattack recorded this year, but in the entire history of the bank."
The bank says its internal analysis indicates the DDoS attack was planned and orchestrated with the specific purpose of causing inconvenience to its customers by disrupting its banking services.
At this time, VTB's online portals are offline, but the institution says all core banking services operate normally."
TLP1 : Green
-
Microsoft: Hackers target cryptocurrency firms over Telegram
"Microsoft says that cryptocurrency investment companies have been targeted by a threat group it tracks as DEV-0139 via Telegram groups used to communicate with the firms' VIP customers.
"Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies," the company's Security Threat Intelligence team revealed.
"DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members."
On October 19, attackers with broad knowledge of the crypto investment industry invited at least one target (posing as representatives of other crypto asset management firms) to another Telegram group, where they asked for feedback on cryptocurrency exchange platforms' fee structure."
TLP1 : Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Iranian State Hackers Targeting Key Figures in Activism, Journalism, and Politics
"Hackers with ties to the Iranian government have been linked to an ongoing social engineering and credential phishing campaign directed against human rights activists, journalists, researchers, academics, diplomats, and politicians working in the Middle East.
At least 20 individuals are believed to have been targeted, Human Rights Watch (HRW) said in a report published Monday, attributing the malicious activity to an adversarial collective tracked as APT42, which is known to share overlaps with Charming Kitten (aka APT35 or Phosphorus).
The campaign resulted in the compromise of email and other sensitive data belonging to three of the targets. This included a correspondent for a major U.S. newspaper, a women's rights defender based in the Gulf region, and Nicholas Noe, a Lebanon-based advocacy consultant for Refugees International."
TLP1 : Green
-
Meta adds age verification feature to Facebook Dating
"Mark Zuckerberg’s Meta announced it would roll out new age verification technology on Facebook Dating to help make social media safer for younger users. A similar system is already in place on Instagram.
Facebook’s answer to a dating site, Facebook Dating, is going to introduce age verification to the platform in order to ensure that only those over 18 are using the adult section of the app.
The feature will work in two ways. Facebook Dating, online since 2019, will ask users to show proof of their age by uploading an ID document. But if there isn’t one, a technology from the British company Yoti will be used."
TLP1 : Green
-
Antwerp's city services down after hackers attack digital partner
"The city of Antwerp, Belgium, is working to restore its digital services that were disrupted last night by a cyberattack on its digital provider.
The disruption has affected services used by citizens, schools, daycare centers, and the police, which have been working intermittently today."
TLP1 : Green
-
Meta’s data scraping: against the rules yet impossible to stop?
"While we enjoy so many “free” online services like social media, our privacy becomes the price we have to pay.
Every one of us has suffered a data breach. If you’ve heard of our personal data leak checker or password leak checker, you might find that your number, email address, or even password had been leaked at some point.
In some cases, leaks occur due to a cyberattack, a malicious insider, or simply unintentional loss or exposure of data. However, threat actors don’t always have to penetrate the company’s network to obtain our sensitive details.
Just last week, Facebook, long criticized for trading user data, was fined €265 million ($277m at the time) by Ireland’s data privacy regulator over a leak that exposed over 533 million Facebook user records. Roughly a quarter of its users’ phone numbers, names, genders, occupations, email addresses, locations, and even marital statuses are circulating the web for free.
Threat actors are no longer even charging for that data – it’s out there for anyone to take advantage of. Facebook said it took action against data scraping but is that enough?"
TLP1 : Green
-
Rackspace confirms outage was caused by ransomware attack
"Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an "isolated disruption."
"As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident," the company said in an update to the initial incident report.
"We have since determined this suspicious activity was the result of a ransomware incident."
Rackspace says that the investigation, led by a cyber defense firm and its own internal security team, is in its early stages with no info on "what, if any, data was affected."
The cloud service provider says it will notify customers if it finds evidence that the attackers gained access to their sensitive information."
TLP1 : Green
-
Chinese Hackers Target Middle East Telecoms in Latest Cyber Attacks
"A malicious campaign targeting the Middle East is likely linked to BackdoorDiplomacy, an advanced persistent threat (APT) group with ties to China.
The espionage activity, directed against a telecom company in the region, is said to have commenced on August 19, 2021 through the successful exploitation of ProxyShell flaws in the Microsoft Exchange Server.
Initial compromise leveraged binaries vulnerable to side-loading techniques, followed by using a mix of legitimate and bespoke tools to conduct reconnaissance, harvest data, move laterally across the environment, and evade detection.
"File attributes of the malicious tools showed that the first tools deployed by the threat actors were the NPS proxy tool and IRAFAU backdoor," Bitdefender researchers Victor Vrabie and Adrian Schipor said in a report shared with The Hacker News."
TLP1 : Green
Breaches: Data Breaches and Hacks
-
Samsung Galaxy S22 hacked twice on first day of Pwn2Own Toronto
"Contestants have hacked the Samsung Galaxy S22 smartphone twice during the first day of the Pwn2Own Toronto 2022 hacking competition, the 10th edition of the consumer-focused event.
The STAR Labs team was the first to successfully exploit a zero-day on Samsung's flagship device by executing their improper input validation attack on their third attempt, earning $50,000 and 5 Master of Pwn points.
Another contestant, Chim, also demoed a successful exploit targeting the Samsung Galaxy S22 and was able to execute an improper input validation attack earning $25,000 (50% of the prize for the second round of targeting the same device) and 5 Master of Pwn points.
"The first winner on each target will receive the full cash award and the devices under test," the competition's organizers explain.
"For the second and subsequent rounds on each target, all other winners will receive 50% of the prize package, however, they will still earn the full Master of Pwn points."
According to the contest's rules, in both cases, the Galaxy S22 devices ran the latest version of the Android operating system with all available updates installed.
During this first day of the competition, contestants have also successfully demoed exploits targeting zero-day bugs in printers and routers from multiple vendors, including Canon, Mikrotik, NETGEAR, TP-Link, Lexmark, Synology, and HP."
TLP1 : Green
-
Hive adds French sports firm to list of victims, local media claims
"French leisure brand Intersport has been hit by ransomware group Hive, which leaked records of its customers’ personal data, including passport details, according to local media reports.
The sports goods maker was allegedly breached by the notorious ransom gang in November, but details were only made available on the dark web – a murky part of the internet popular with hackers good, bad, and indifferent – on December 5, said French-language media outlet Numerama.
The report adds that Intersport was handed a same-day deadline to pay the undisclosed amount but added, “it is possible that the gang is giving the company a little more time to pay, or that negotiations are under way.”
A sample file allegedly leaked on the dark web by Hive and scrutinized by Numerama contains passports, payslips, and other information pertaining to Intersport customers. This is common practice for ransomware gangs, which typically lock or encrypt all data stolen in a company breach before threatening to reveal it online if their financial demands are not met."
TLP1 : Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Android December 2022 security updates fix 81 vulnerabilities
"Google has released the December 2022 security update for Android, fixing four critical-severity vulnerabilities, including a remote code execution flaw exploitable via Bluetooth.
This month’s update addresses 45 vulnerabilities in core Android components with patch level 2022-12-01, and another 36 vulnerabilities impacting third-party components addressed in patch level 2022-12-05.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed,” mentions the security bulletin."
TLP1 : Green
-
New Go-based Botnet Exploiting Dozens of IoT Vulnerabilities to Expand its Network
"A novel Go-based botnet called Zerobot has been observed in the wild proliferating by taking advantage of nearly two dozen security vulnerabilities in the internet of things (IoT) devices and other software.
The botnet "contains several modules, including self-replication, attacks for different protocols, and self-propagation," Fortinet FortiGuard Labs researcher Cara Lin said. "It also communicates with its command-and-control server using the WebSocket protocol."
The campaign, which is said to have commenced after November 18, 2022, primarily singles out the Linux operating system to gain control of vulnerable devices."
TLP1 : Green
-
Sophos fixed a critical flaw in its Sophos Firewall version 19.5
"Sophos has released security patches to address seven vulnerabilities in Sophos Firewall version 19.5, including some arbitrary code execution bugs.
The most severe issue addressed by the security vendor is a critical code injection vulnerability tracked as CVE-2022-3236.
“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin.” reads the advisory."
TLP1 : Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
Understanding NIST CSF to assess your organization's Ransomware readiness
"Ransomware attacks keep increasing in volume and impact largely due to organizations' weak security controls. Mid-market companies are targeted as they possess a significant amount of valuable data but lack the level of protective controls and staffing of larger organizations.
According to a recent RSM survey, 62% of mid-market companies believe they are at risk of ransomware in the next 12 months. Cybersecurity leaders' sentiment is somewhere on the spectrum between "top-of-mind" to "this gives me serious migraines."
As ransomware is still the preferred way for actors to monetize their access, there's a dire need to understand organizational levels of preparedness, and to identify and remediate gaps before an attacker can exploit them.
Lean cybersecurity teams can quickly gauge their ransomware readiness by following the NIST CSF framework, asking themselves, "Do we have something like this in place?" for each of the core functions: "Identify," "Protect," "Detect," "Respond," and "Recover""
TLP1 : Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
Kali Linux 2022.4 adds 6 new tools, Azure images, and desktop updates
"Offensive Security has released Kali Linux 2022.4, the fourth and final version of 2022, with new Azure and QEMU images, six new tools, and improved desktop experiences.
Kali Linux is a distribution designed for ethical hackers to perform penetration testing, security audits, and cybersecurity research against networks.
With this release, the Kali Linux Team introduces a variety of new features, including:
Kali Linux distro is back on Microsoft Azure
Six new tools.
Release of Kali NetHunter Pro
Gnome and KDE Plasma desktop updates
Enhanced ARM support
Offensive Security decided to release Kali Linux 2022.4 in conjunction with the Black Hat, BSides LV, and DefCon security conferences as a "nice surprise for everyone to enjoy!""
TLP1 : Green
-
Elon Musk's Twitter followers targeted in fake crypto giveaway scam
"Giving Elon Musk a follow on Twitter? You might be shortlisted by scammers looking to defraud Elon's newest followers.
New Musk followers are being added to a "Deal of the Year" list on Twitter that lures them into depositing small crypto amounts into the attackers' wallet with the false promise of receiving up to 5000 Bitcoin in return."
TLP1 : Green
1 Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.