InfoSec News 20221229
Top News
-
Hackers abuse Google Ads to spread malware in legit software
"Malware operators have been increasingly abusing the Google Ads platform to spread malware to unsuspecting users searching for popular software products.
Among the products impersonated in these campaigns include Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.
The threat actors clone official websites of the above projects and distribute trojanized versions of the software when users click the download button."
TLP¹: Green
-
LockBit claims an attack on the Port of Lisbon
"The notorious cybergang LockBit posted the data stolen from the Portuguese port on their leak site.
The administration of the Port of Lisbon suffered a cyberattack over Christmas. While the administration of Portugal’s third largest port said the attack didn’t impact operational activity, the company’s website was unavailable at the time of writing this article.
The Portuguese authorities didn’t specify the nature of the attack or who was behind it. However, the LockBit ransomware gang uploaded Port of Lisbon to its leak site, a darknet website where cybercriminals announce their victims.
The gang claims to have stolen all of the data available on the port’s systems. Threat actors intentionally publicize what data was stolen to force victims into paying the ransom. LockBit demands close to $1.5m to download or destroy the data."
TLP¹: Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Japanese police successful in decrypting data attacked by LockBit ransomware
"Japan's National Police Agency has been successfully decrypting networks encrypted with the LockBit ransomware, the country’s press reported. At least three companies had data recovered without paying the attackers.
Japanese police have succeeded in decrypting corporate data locked by LockBit ransomware, a virus that encrypts data and demands a payment.
It seems the country’s law enforcement now has a new tool to fight cybercrime – thanks to the Cyber Police Department and the Cyber Special Investigation Team, newly established by the National Police Agency in April this year."
TLP¹: Green
Breaches: Data Breaches and Hacks
-
Black Basta stole data from numerous US electric utilities - media
"Sargent & Lundy, a Chicago-based construction and engineering firm that designed hundreds of power stations in the US, fell victim to a ransomware attack attributed to the Black Basta cyber gang.
Sargent & Lundy suffered a data breach on October 15, resulting in threat actors stealing personal identifiable information (PII) from the company systems.
According to Turke & Strauss, a law firm that issued the breach notification on the company’s behalf, exposed information may include names and social security numbers of over 6,900 individuals.
The breach piqued the interest of US authorities since Sargent & Lundy is a US government contractor working on critical national infrastructure (CNI) projects and handles nuclear security issues."
TLP¹: Green
-
Royal ransomware claims attack on Intrado telecom provider
"The Royal Ransomware gang claimed responsibility for a cyber attack against telecommunications company Intrado on Tuesday.
While Intrado is yet to share any information regarding this incident, sources have told BleepingComputer early this month that the attack started on December 1 and the initial ransom demand was $60 million.
The Royal Ransomware group, made up of experienced threat actors and operating without affiliates, has reportedly stolen some data from Intrado's systems and is now threatening to publish it on their data leak site unless the company pays the ransom."
TLP¹: Green
-
Toy maker Jakks Pacific victimized by a second cybergang
"BlackCat ransomware cartel claims to have obtained Jakks Pacific data. Two weeks ago, Hive ransomware posted Jakks Pacific on their leak site.
US-based toy maker Jakks Pacific joined a growing list of companies forced to deal with a ransomware attack. Threat actors first hacked the maker of Super Mario, Sonic, Disney Princess, and other toys in early December.
“On December 8, 2022, JAKKS experienced what many other companies have been and are experiencing: a ransomware attack by bad actors who inserted malware into JAKKS’ computer network and locked up our servers,” the company said in a statement.
At the time, Jakks Pacific believed that threat actors accessed personal information such as names, emails, home addresses, taxpayer ID numbers, and ‘banking information.’ The company said individuals and businesses were affected by the leak pointing to the attack impacting many customers."
TLP¹: Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Thousands of Citrix servers vulnerable to patched critical flaws
"Thousands of Citrix ADC and Gateway deployments remain vulnerable to two critical-severity security issues that the vendor fixed in recent months.
The first flaw is CVE-2022-27510, fixed on November 8. It’s an authentication bypass that affects both Citrix products. An attacker could exploit it to gain unauthorized access to the device, perform remote desktop takeover, or bypass the login brute force protection.
The second bug is tracked as CVE-2022-27518, disclosed and patched on December 13. It allows unauthenticated attackers to perform remote command execution on vulnerable devices and take control of them."
TLP¹: Green
-
Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers
"Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.
The US Cybersecurity and Infrastructure Security Agency (CISA) last week published three advisories to describe a total of four high-severity vulnerabilities. Rockwell Automation has published individual advisories for each security hole.
One flaw is CVE-2022-3156, which impacts the Studio 5000 Logix Emulate controller emulation software. The vulnerability is caused by a misconfiguration that results in users being granted elevated permissions on certain product services. An attacker could exploit the weakness for remote code execution."
TLP¹: Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
‘There’s a career in cybersecurity for everyone,’ Microsoft Security CVP says
"With the number of cyberattacks rising and a widening gap in the cybersecurity talent pool, companies are taking a harder look at resources needed to combat a growing workforce issue. In the U.S. alone, there are more than 700,000 unfilled cybersecurity positions.
While some higher-level cybersecurity positions require advanced certifications, many entry-level positions can be filled by people who have less training. This could include upskilling courses, self-training, or learning on the job. While four-year degrees or master’s degrees aren’t always required to land a cybersecurity job, some companies and organizations are working to develop workforce training with community colleges and other educational institutions to prepare the future cyber workforce."
TLP¹: Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
Stupid security 2022 – this year’s infosec fails
"As 2022 draws to a close, The Daily Swig is revisiting some of the year’s most notable web security wins and egregious infosec fails.
Tomorrow we’ll publish some examples of the year’s cybersecurity successes, but today we’re kicking off with some amusing vulnerabilities, security disasters, and ‘must do better’ scorecards."
TLP¹: Green
-
Twitter’s short-lived global outage: normality restored, but for how long?
"Twitter experienced a short global outage late Wednesday, and even if the service was restored soon to more than 10,000 affected users, observers and analysts say the future is not promising.
Thousands of users globally were unable to access Twitter or use its key features for several hours Wednesday evening. It was the social media site’s first widespread service disruption since billionaire Elon Musk took over the company in late October.
Downdetector, a website that tracks outages through a range of sources including user reports, showed more than 10,000 affected users from the United States, about 2,500 from Japan and about 2,500 from the United Kingdom at the peak of the disruption."
TLP¹: Green
-
Threat Hunting with File Entropy
"What is Entropy?
Entropy is a measure of randomness within a set of data. When referenced in the context of information theory and cybersecurity, most people are referring to Shannon Entropy. This is a specific algorithm that returns a value between 0 and 8 where values near 8 indicate that the data is very random, while values near 0 indicate that the data is very homogeneous.
How does this apply to intrusion detection?
Shannon entropy can be a good indicator for detecting the use of packing, compression, and encryption in a file. Each of the previously mentioned techniques tends to increase the overall entropy of a file. This makes sense intuitively. Let’s take compression for example. Compression algorithms reduce the size of certain types of data by replacing duplicated parts with references to a single instance of that part. The end result is a file with less duplicated contents. The less duplication there is in a file, the higher the entropy will be because the data is less predictable than it was before.
As it turns out, malware authors also tend to rely heavily on packing, compression, and encryption to obfuscate their tools in order to evade signature-based detection systems."
TLP¹: Green
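The entropy measure the excerpt describes, as an added example (not code from the quoted article or its author): Shannon entropy in bits per byte, computed over a whole buffer and over fixed-size windows, run against constructed samples. The 7.0 bits/byte threshold, the 512-byte window and the SHA-256 chain used to stand in for an encrypted payload are all assumptions made for this example, not values taken from the article.

```python
"""Shannon entropy of byte data, whole-file and windowed, for spotting packed,
compressed or encrypted content. Added example; all sample data is constructed."""
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte value,
    8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float, threshold: float = 7.0) -> str:
    """Coarse label. 7.0 bits/byte is an assumed rule-of-thumb threshold for
    'likely packed, compressed or encrypted'; tune it against your own corpus."""
    return "suspicious (packed/compressed/encrypted?)" if entropy >= threshold else "plain"


def high_entropy_regions(data: bytes, window: int = 512, step: int = 512,
                         threshold: float = 7.0) -> list:
    """Offsets of fixed-size windows whose entropy meets the threshold.
    Windowed scanning exposes an encrypted blob embedded in an otherwise
    low-entropy file, which a whole-file average can dilute."""
    return [off for off in range(0, len(data) - window + 1, step)
            if shannon_entropy(data[off:off + window]) >= threshold]


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic SHA-256 chain standing in for an encrypted payload
    (constructed sample; not real malware data)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: plain text, the same text deflated, and a fake ciphertext.
PLAIN = b"The quick brown fox jumps over the lazy dog. " * 50
COMPRESSED = zlib.compress(PLAIN, 9)
CIPHERTEXT = pseudo_random_bytes(4096)
# Fake binary: 1 KiB zero-filled "header" followed by a 2 KiB "encrypted" blob.
FAKE_BINARY = b"\x00" * 1024 + pseudo_random_bytes(2048)


def report(samples: dict) -> dict:
    """Map each sample name to (entropy rounded to 2 places, label)."""
    return {name: (round(shannon_entropy(d), 2), classify(shannon_entropy(d)))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (h, label) in report({"plain": PLAIN, "compressed": COMPRESSED,
                                    "ciphertext": CIPHERTEXT}).items():
        print(f"{name:12s} {h:5.2f} bits/byte  {label}")
    print("high-entropy windows in fake binary at offsets:",
          high_entropy_regions(FAKE_BINARY))
```

Whole-file entropy is what most triage tools report, but a small encrypted stub inside a large plain executable can average out below any threshold; the windowed scan reports where the high-entropy regions sit, which is the more useful signal when hunting for packed sections or embedded payloads.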
-
Yes, It’s Time to Ditch LastPass
"YOU'VE HEARD IT again and again: You need to use a password manager to generate strong, unique passwords and keep track of them for you. And if you finally took the plunge with a free and mainstream option, particularly during the 2010s, it was probably LastPass. For the security service's 25.6 million users, though, the company made a worrying announcement on December 22: A security incident the firm had previously reported (on November 30) was actually a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data."
TLP¹: Green
¹ Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.