InfoSec News 20230105
Top News
- Bluebottle hackers used signed Windows driver in attacks on banks
"A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks.
The activity and targets fit the profile of the OPERA1ER hackers that have been attributed at least 35 successful attacks between 2018 and 2020.
The gang is believed to have French-speaking members and to operate from Africa, targeting organizations in the region, although they also hit companies in Argentina, Paraguay, and Bangladesh."
TLP¹: Green
- 200 million Twitter users' email addresses allegedly leaked online
"A data leak described as containing email addresses for over 200 million Twitter users has been published on a popular hacker forum for about $2. BleepingComputer has confirmed the validity of many of the email addresses listed in the leak.
Since July 22nd, 2022, threat actors and data breach collectors have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and email addresses) and public data on various online hacker forums and cybercrime marketplaces."
TLP¹: Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
- Facial recognition error leads to wrong man’s arrest
"Louisiana authorities love to use facial recognition technology, but it has now led to a wrongful arrest of a black man from Georgia, his lawyer said. The case yet again brought attention to racial disparities in the use of the digital tool.
Randal Reid, 28, has never actually visited Louisiana, but in November, facial recognition technology blamed him for a purse theft in the state. The man had been arrested and thrown in jail for six days before the mistake was finally corrected.
Reid was jailed on November 25 in DeKalb County, Georgia, after authorities misidentified him as an offender in purse thefts in Jefferson Parish and Baton Rouge, Louisiana."
TLP¹: Green
- LastPass sued over “woefully insufficient” security
"A class action lawsuit against LastPass was put forward following two data breaches the company suffered last year.
Someone has filed a petition for a lawsuit against the password management service provider LastPass. The plaintiff alleges that the company’s “data security failures” led to two data breaches last year.
In August 2022, attackers accessed LastPass’ development environment, source code, and technical information through an internal account.
Three months later, it was later revealed that threat actors succeeded in exploiting the information obtained in August to access a third-party cloud-based storage service and “copy a backup of customer vault data.”
The lawsuit alleges that LastPass mishandled the August data breach, understating the attack’s impact, which resulted in the December breach, potentially exposing sensitive user data."
TLP¹: Green
- CircleCI Urges Customers to Rotate Secrets Following Security Incident
"DevOps platform CircleCI on Wednesday urged its customers to rotate all their secrets following an unspecified security incident.
The company said an investigation is currently ongoing, but emphasized that "there are no unauthorized actors active in our systems." Additional details are expected to be shared in the coming days.
"Immediately rotate any and all secrets stored in CircleCI," CircleCI's chief technology officer, Rob Zuber, said in a terse advisory. "These may be stored in project environment variables or in contexts.""
TLP¹: Green
- Irish Regulators Fine Facebook $414 Million for Forcing Users to Accept Targeted Ads
"The Irish Data Protection Commission (DPC) has fined Meta Platforms €390 million (roughly $414 million) over its handling of user data for serving personalized ads in what could be a major blow to its ad-fueled business model.
To that end, the privacy regulator has ordered Meta Ireland to pay two fines – a €210 million ($222.5 million) fine over violations of the E.U. General Data Protection Regulation (GDPR) related to Facebook, and a €180 million ($191 million) fine for similar violations in Instagram.
The latest enforcement comes in the wake of concerns that the social media company used its Terms of Service to gain users' forced consent to allow targeted advertising based on their online activity. The complaints were filed on May 25, 2018, the date when GDPR came into effect in the region."
TLP¹: Green
Breaches: Data Breaches and Hacks
- Database of the Cricketsocial.com platform left open online
"The Social platform for the cricket community exposed over 100k entries of private customer data and credentials.
The database, hosted by Amazon Web Services (AWS) in the US, contained admin credentials and private customer data, including email, phone numbers, names, hashed user passwords, dates of birth, and addresses. The experts noticed that most of the records in the database seem to be test data, however, the experts discovered it also includes personally identifiable information (PII) of legitimate site users. The data stored in the database includes posts, comments, number of likes, and links to images kept on the AWS storage bucket."
TLP¹: Green
- U.S. rail and locomotive company Wabtec hit with Lockbit ransomware
"Wabtec Corporation is an American company formed by the merger of the Westinghouse Air Brake Company (WABCO) and MotivePower Industries Corporation in 1999. It manufactures products for locomotives, freight cars and passenger transit vehicles, and builds new locomotives up to 6,000 horsepower.
The company employs approximately 25,000 people and has 50 plants all over the world.
According to a statement published by Wabtec, threat actors breached the company network and infected internal systems as early as March 15th, 2022.
The unusual activity was detected by the company on June 26th, then the rail giant launched an investigation into the security incident."
TLP¹: Green
- Slack's private GitHub code repositories stolen over holidays
"Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories.
The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world.
BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022.
The incident involves threat actors gaining access to Slack's externally hosted GitHub repositories via a "limited" number of Slack employee tokens that were stolen.
While some of Slack's private code repositories were breached, Slack’s primary codebase and customer data remain unaffected, according to the company."
TLP¹: Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
- Fortinet and Zoho Urge Customers to Patch Enterprise Software Vulnerabilities
"Fortinet has warned of a high-severity flaw affecting multiple versions of FortiADC application delivery controller that could lead to the execution of arbitrary code.
"An improper neutralization of special elements used in an OS command vulnerability in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests," the company said in an advisory."
TLP¹: Green
- Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers
"The vulnerabilities could have been exploited by threat actors to perform a broad range of malicious activities, from unlocking cars to tracking them.
The flaws discovered by the experts affected vehicles of popular brands, including Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Genesis, BMW, Rolls Royce, Ferrari, Ford, Porsche, Toyota, Jaguar, Land Rover. The research team also discovered flaws in the services provided by Reviver, SiriusXM, and Spireon."
TLP¹: Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
- Virtual Insanity: Protecting the Immersive Online World
"The concept of a virtual world in which people live, work, and interact with others without leaving their living room in the physical world gained more momentum during the pandemic. In fact, Gartner predicts that by 2026, a quarter of the population will spend a minimum of an hour each day in some type of immersive virtual environment for work, shopping, education, social media and/or entertainment.
Cities are among the first to enter this new iteration of the internet powered by virtual reality (VR), augmented reality (AR) and mixed reality (MR) technology. These virtual cities—Dubai being the first—promise to replicate real-life experiences and places. Individuals create avatars that can then work, shop, play and more in a virtual space. While these new virtual spaces will provide untold opportunities, they also set the stage for an unparalleled rise in cybercrime."
TLP¹: Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
- Rackspace confirms Play ransomware was behind recent cyberattack
"Texas-based cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a recent cyberattack that took down the company's hosted Microsoft Exchange environments.
This follows a report last month by cybersecurity firm Crowdstrike, which detailed a new exploit used by the ransomware group to compromise Microsoft Exchange servers and gain access to a victim's networks.
The exploit (dubbed OWASSRF) allowed the attackers to bypass ProxyNotShell URL rewrite mitigations provided by Microsoft by likely targeting a critical flaw (CVE-2022-41080) that allows remote privilege escalation on Exchange servers."
TLP¹: Green
- SpyNote Strikes Again: Android Spyware Targeting Financial Institutions
"Financial institutions are being targeted by a new version of Android malware called SpyNote at least since October 2022.
"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions."
Some of the notable institutions that are impersonated by the malware include Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank."
TLP¹: Green
- The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media
"The notorious information-stealer known as Vidar is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server.
"When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated," AhnLab Security Emergency Response Center (ASEC) disclosed in a technical analysis published late last month. "Threat actors write identifying characters and the C2 address in parts of this page."
In other words, the technique relies on actor-controlled throwaway accounts created on social media to retrieve the C2 address."
TLP¹: Green
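As an added defender-side illustration (example code, not from the ASEC analysis or the article quoted above), the check below scans constructed proxy log lines for profile-page fetches on the platforms named above that come from a non-browser user agent, which is one way a malware dead-drop lookup differs from a person browsing. The log format, host list and profile-path patterns are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Platforms the article names as Vidar's intermediate C2 resolvers.
# Profile-path patterns are assumptions for this example, not from the analysis.
PROFILE_PATTERNS = {
    "tiktok.com": re.compile(r"^/@[\w.]+/?$"),
    "t.me": re.compile(r"^/\w+/?$"),
    "steamcommunity.com": re.compile(r"^/(id|profiles)/\w+/?$"),
    "mastodon.social": re.compile(r"^/@\w+/?$"),
}

# Crude "looks like a real browser" test; anything else is worth a look.
BROWSER_UA = re.compile(r"Mozilla/5\.0 \(.*\).*(Chrome|Firefox|Safari|Edg)/", re.I)

# Constructed log format: <ts> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def _profile_host(host):
    """Return the matching platform key for host, or None."""
    host = host.lower()
    for known in PROFILE_PATTERNS:
        if host == known or host.endswith("." + known):
            return known
    return None


def scan(lines):
    """Return (src_ip, url, reason) for each suspicious profile-page fetch."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        _ts, src, _method, url, _status, ua = m.groups()
        u = urlparse(url)
        known = _profile_host(u.hostname or "")
        if known is None or not PROFILE_PATTERNS[known].match(u.path):
            continue
        if not BROWSER_UA.search(ua):
            alerts.append((src, url, f"profile page on {known} fetched with UA {ua!r}"))
    return alerts


SAMPLE_LOGS = [  # constructed sample lines for this example
    '2023-01-05T10:00:01Z 10.0.0.7 GET https://steamcommunity.com/profiles/76561198000000000 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0 Safari/537.36"',
    '2023-01-05T10:00:02Z 10.0.0.9 GET https://steamcommunity.com/profiles/76561198000000000 200 ""',
    '2023-01-05T10:00:03Z 10.0.0.9 GET https://t.me/somechannel 200 "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '2023-01-05T10:00:04Z 10.0.0.9 GET https://mastodon.social/about 200 ""',
]

if __name__ == "__main__":
    for src, url, reason in scan(SAMPLE_LOGS):
        print(src, url, reason)
```

Hits are triage leads, not verdicts: legitimate automation also fetches these pages, so pair a hit with the requesting process and any follow-on connection to an address that first appeared on the fetched page.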
- NIST Finalizes Cybersecurity Guidance for Ground Segment of Space Operations
"The National Institute of Standards and Technology (NIST) has published the final version of its guidance on applying the Cybersecurity Framework to the ground segment of space operations, specifically satellite command and control.
NIST’s widely used Cybersecurity Framework consists of standards, guidelines and practices for protecting critical infrastructure. This voluntary framework is designed to help organizations manage their cybersecurity risks.
The NIST Interagency Report (IR) 8401 aims to apply the Cybersecurity Framework to satellite command and control, creating a profile for the space sector’s ground segment in an effort to help stakeholders manage risk. The goal of the profile is to complement existing security measures in an organization."
TLP¹: Green
¹ Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.