Top News

• Hacker claims to be selling Twitter data of 400 million users

"A threat actor claims to be selling public and private data of 400 million Twitter users scraped in 2021 using a now-fixed API vulnerability. They're asking $200,000 for an exclusive sale.
The alleged data dump is being sold by a threat actor named 'Ryushi' on the Breached hacking forum, a site commonly used to sell user data stolen in data breaches.
The threat actor claimed to have collected the data of 400+ million unique Twitter users using a vulnerability. They warned Elon Musk and Twitter that they should purchase the data before it leads to a large fine under Europe's GDPR privacy law."

Link

TLP¹ : Green

• Facebook to Pay $725 Million to settle Lawsuit Over Cambridge Analytica Data Leak

"​Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has agreed to pay $725 million to settle a long-running class-action lawsuit filed in 2018.
The legal dispute sprang up in response to revelations that the social media giant allowed third-party apps such as those, including Cambridge Analytica to access users' personal information without their consent for political advertising.
The proposed settlement, first reported by Reuters last week, is the latest penalty paid by the company in the wake of a number of privacy mishaps through the years. It still requires the approval of a federal judge in the San Francisco division of the U.S. District Court.
It's worth noting that Facebook previously sought to dismiss the lawsuit in September 2019, claiming users have no legitimate privacy interest in any information they make available to their friends on social media."

Link

TLP¹ : Green

• Crooks impersonate brands using search engine advertisement services

"The FBI is warning of cyber criminals using search engine advertisement services to impersonate brands and direct users to websites that were used to defraud users. The sites host ransomware and are used to steal login credentials and other financial information from users.
Crooks purchase advertisements through search engine advertisement services, feds observed threat actors using a domain that is similar to an actual business or service. When online users search for that business or service, advertisements appear at the top of search results produced by the search engine. The advertisements link to a webpage that impersonated a legitimate business."

Link

TLP¹ : Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism

• Arresting IT Administrators

"This is one way of ensuring that IT keeps up with patches:
Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by alleged Iranian hackers.
Prosecutors said the five IT officials of the public administration department had failed to check the security of the system and update it with the most recent antivirus software."

Link

TLP¹ : Green

• Privacy-minded DuckDuckGo engine will now block Google Sign-in pop-ups

"DuckDuckGo, a popular privacy-focused platform, has announced its apps and extensions would now block Google Sign-in prompts. It claims such pop-ups are annoying and cause privacy risks for users.
The popularity of DuckDuckGo stems from the fact that it offers a privacy-focused search engine, an email service, mobile apps that include numerous privacy features, and data-protecting browser extensions.
The firm is now taking another step users will most probably enjoy. It has announced that all its Chrome, Firefox, Brave, and Microsoft Edge apps and browser extensions will now actively block Google sign-in prompts displayed on sites.
“Have you seen these Google sign-in pop-ups lately? They may seem helpful but signing in actually gives consent to being tracked,” DuckDuckGo said on Twitter."

Link

TLP¹ : Green

• 2022 Top Five Immediate Threats in Geopolitical Context

"As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and December 1st, 2022."

Link

TLP¹ : Green

Breaches: Data Breaches and Hacks

• BetMGM Confirms Breach as Hackers Offer to Sell Data of 1.5 Million Customers

"MGM Resorts-owned online sports betting company BetMGM confirmed suffering a data breach the same day hackers offered to sell a database containing the information of 1.5 million BetMGM customers.
In a statement posted on its website on December 21, BetMGM said “patron records were obtained in an unauthorized manner”.
The company said the compromised information includes name, email address, postal address, phone number, date of birth, hashed Social Security number, account identifier, and information related to transactions."

Link

TLP¹ : Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits

• Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks

"Defiant’s Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks.
The YITH WooCommerce Gift Cards plugin allows online merchants to create gift cards that their customers can purchase for their friends to use on the ecommerce store. The premium plugin has more than 50,000 installations, its developer says.
Tracked as CVE-2022-45359 (CVSS score of 9.8), the exploited vulnerability was reported in November and a patch for it was made available soon after.
The issue is described as an arbitrary file upload, allowing attackers to upload executable files to the WordPress sites that use a vulnerable version of the plugin. No authentication is required for successful exploitation, Wordfence says."

Link

TLP¹ : Green

• Critical Linux Kernel flaw affects SMB servers with ksmbd enabled

"A critical Linux kernel vulnerability (CVSS score of 10) exposes SMB servers with ksmbd enabled to hack. KSMBD is a Linux kernel server that implements SMB3 protocol in kernel space for sharing files over the network. An unauthenticated, remote attacker can execute arbitrary code on vulnerable installations of the Linux Kernel.
The flaw resides in the processing of SMB2_TREE_DISCONNECT commands.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.” reads the advisory published by ZDI. “The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the kernel.”"

Link

TLP¹ : Green

• Microsoft Patches Azure Cross-Tenant Data Access Flaw

"Microsoft has silently fixed an important-severity security flaw in its Azure Container Service (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks.
The vulnerability, documented by researchers at Mnemonic, effectively removed the entire network and identity perimeter around  internet-isolated Azure Cognitive Search instances and allowed cross-tenant access to the data plane of ACS instances from any location, including instances without any explicit network exposure.
According to Mnemonic researcher Emilien Socchi, the flaw was silently fixed by Microsoft at the end of August, 2022, approximately six months after it was first reported.
The exposure, nicknamed ACSESSED, impacted all Azure Container Service instances that enabled the “Allow access from portal” feature."

Link

TLP¹ : Green

• Corsair keyboard bug makes it type on its own, no malware involved

"Corsair has confirmed that a bug in the firmware of K100 keyboards, and not malware, is behind previously entered text being auto-typed into applications days later.
The company's statement comes after multiple K100 users have reported that their keyboards are typing text on their own at random moments.
This behavior was first reported on the Corsair forums in August 2022, leaving people puzzled and concerned that some form of keylogging or malware was behind the behavior."

Link

TLP¹ : Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling

• Invest in lifelong learning with StackSkills Unlimited, now just $69

"If you work in a technical field, then chances are good you trained for years to get to where you are. But here’s the thing — technology evolves really quickly. And if you learned something even just a few years ago, it’s probably no longer relevant today. Which is why, if you want to remain at the top of your field, you’re going to need a resource like StackSkills Unlimited.
StackSkills Unlimited is one of the top resources for web-based training today. A lifetime subscription, which was recently price dropped to just $69, provides access to over 1,000 courses that cover a wide range of topics."

Link

TLP¹ : Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography

• New info-stealer malware infects software pirates via fake cracks sites

"A new information-stealing malware named ‘RisePro’ is being distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service.
RisePro is designed to help attackers steal victims’ credit cards, passwords, and crypto wallets from infected devices.
The malware was spotted by analysts at Flashpoint and Sekoia this week, with both cybersecurity firms confirming that RisePro is a previously undocumented information stealer now being distributed via fake software cracks and key generators."

Link

TLP¹ : Green

• Windows Privilege Escalation: Server Operator Group

"The Windows Server operating system uses two types of security principals for authentication and authorization: user accounts and computer accounts. These accounts are created to represent physical entities, such as people or computers, and can be used to assign permissions to access resources or perform specific tasks. Additionally, security groups are created to include user accounts, computer accounts, and other groups, in order to make it easier to manage permissions. The system comes pre-configured with certain built-in accounts and security groups, which are equipped with the necessary rights and permissions to carry out functions."

Link

TLP¹ : Green

• GuLoader Malware Utilizing New Techniques to Evade Security Software

"Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.
"New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings," CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical write-up published last week.
GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader that's used to distribute remote access trojans such as Remcos on infected machines. It was first detected in the wild in 2019.
In November 2021, a JavaScript malware strain dubbed RATDispenser emerged as a conduit for dropping GuLoader by means of a Base64-encoded VBScript dropper."

Link

TLP¹ : Green

¹Traffic Light Protocol (TLP) [1] for information sharing:

• Red:Not for disclosure, restricted to participants only.
• Amber: Limited disclosure, restricted to participants organizations.
• Green: Limited disclosure, restricted to the community.

[1]https://www.first.org/tlp