InfoSec News 20230112
Top News
-
Twitter claims leaked data of 200M users not stolen from its systems
"Twitter finally addressed reports that a dataset of email addresses linked to hundreds of millions of Twitter users was leaked and put up for sale online, saying that it found no evidence the data was obtained by exploiting a vulnerability in its systems.
"In response to recent media reports of Twitter users' data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems," the company said."
TLP1 : Green
-
The reason behind the first US nationwide grounding since 9/11 remains unclear
"The US Department of Transportation has been tasked with investigating the root cause of a glitch in a Federal Aviation Administration (FAA) alert system that quickly halted all domestic flights in the US – the first time a nationwide grounding has occurred since the 9/11 terror attacks.
As first reported by our Cybernews team, the FAA announced the system failure at exactly 8:28 p.m. EST Tuesday. The critical alert system was not back online until 9 a.m. Wednesday morning.
Although an official statement by The White House Wednesday morning tried to squash rumors of a possible cyberattack, as of 2:36 p.m. EST, the cause of the IT failure, as aviation regulators described it, was still unknown by the FAA. The US Secretary of Transportation told President Joe Biden there was no evidence of cybersecurity attack at that time."
TLP1 : Green
-
Cisco warns of auth bypass bug with public exploit in EoL routers
"Cisco warned customers today of a critical authentication bypass vulnerability with public exploit code affecting multiple end-of-life (EoL) VPN routers.
The security flaw (CVE-2023-20025) was found in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers by Hou Liuyang of Qihoo 360 Netlab.
It is caused by improper validation of user input within incoming HTTP packets. Unauthenticated attackers can exploit it remotely by sending a specially crafted HTTP request to vulnerable routers' web-based management interface to bypass authentication."
TLP1 : Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Royal Mail is suffering service disruption due to a ‘cyber incident’
"Royal Mail, the British multinational postal service and courier company, announced this week that a “cyber incident” is having a severe impact on its operations. The incident only impacted Royal Mail’s international export services; the company said it is temporarily unable to despatch items to overseas destinations."
TLP1 : Green
-
Mental health company KoKo testing AI chatbot on patients causes public outcry
"As AI becomes more integrated with our lives, we grow increasingly concerned about the ethical and legal regulations that should accompany its use. These are the questions mental health company KoKo had to ask itself, having provided AI-written counseling to 4,000 people without informing them.
KoKo is a peer-to-peer non-profit mental health service that connects those in need of counseling to volunteers through platforms like Telegram and Discord. Typically, users chat with a Koko bot, which forwards their message to an anonymous volunteer, who then responds.
But not this time. An experiment, which included 30,000 messages, employed a ‘co-pilot’ approach. Once a person in need types in their message, it gets forwarded to a volunteer who could then use OpenAI's GPT-3 large language model to provide an answer. The AI-powered program is capable of writing anything from poems to code and providing articulate responses on a variety of topics."
TLP1 : Green
-
Gootkit malware abuses VLC to infect healthcare orgs with Cobalt Strike
"The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons.
The campaign's goal is to deploy the Cobalt Strike post-exploitation toolkit on infected devices for initial access to corporate networks.
From there, the remote operators can perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware."
TLP1 : Green
-
World Economic Forum warns of cyber insecurity in times of “epochal change”
"The annual Global Risks Report by the World Economic Forum (WEF) has named widespread cybercrime and cyber insecurity among the top global threats for the first time.
The report said that Russia’s war in Ukraine and the COVID-19 pandemic had set in motion “an epochal change” to the global order and would accelerate other global threats over the next decade.
These include concerns over widespread cybercrime and cyber insecurity, a new entry into the report’s ranking of the top 10 most severe global risks that could potentially shake up the world in the next decade.
It said cyber insecurity would remain a persistent threat and a strong driver of other risks such as digital power concentration, digital inequality, and breakdown of critical information infrastructure."
TLP1 : Green
Breaches: Data Breaches and Hacks
-
Follow-up: Guardian confirms ransomware attack, employee records compromised
"Guardian executives say ransomware was the cause of the debilitating cyberattack that shuttered its UK offices this past December.
Guardian Media Group chief executive Anna Bateson and editor-in-chief Katharine Viner described the incident as “a highly sophisticated ransomware attack involving unauthorized third-party access to parts of our network.”
An email was sent out to Guardian employees Wednesday. The attack, originally covered by the Cybernews team, was responsible for disrupting access to the newspaper's internal corporate and financial systems, as well as Wi-Fi connections in most buildings."
TLP1 : Green
-
Social marketplace Trustanduse exposes nearly half a million users
"Disclosing personal data on platforms providing digital services is always risky. The Cybernews research team identified a publicly accessible database storing up to 855GB of sensitive user and business data that belongs to social marketplace trustanduse.com.
The leaked database was first found on June 21 and remained potentially accessible to threat actors for at least six months. We reached out to trustanduse.com, and the company fixed the issue."
TLP1 : Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Severe Vulnerabilities Allow Hacking of Asus Gaming Router
"Cisco’s Talos security researchers have published technical information on three severe vulnerabilities impacting Asus RT-AX82U routers.
A Wi-Fi 6 gaming router, the RT-AX82U can be configured via an HTTP server that is running on the local network, but also supports remote management and monitoring.
Last year, Cisco’s Talos researchers identified three critical- and high-severity security defects that could be exploited to bypass authentication, leak information, or cause a denial-of-service (DoS) condition on a vulnerable RT-AX82U router."
TLP1 : Green
-
Threema claims encryption flaws never had a real-world impact
"A team of researchers from ETH Zurich has published a paper describing multiple security flaws in Threema, a secure end-to-end encrypted communications app.
Threema is a privacy-focused and security-enhanced Swiss-made communications app used by the country's government, army services, and over 10 million users and 7,000 organizations worldwide.
The ETH Zurich team devised seven attacks against Threema's protocol that could have consequences for the privacy of communication over the app, including stealing private keys, deleting messages, breaking authentication, spoofing servers, and more."
TLP1 : Green
-
Experts Detail Chromium Browser Security Flaw Putting Confidential Data at Risk
"Details have emerged about a now-patched vulnerability in Google Chrome and Chromium-based browsers that, if successfully exploited, could have made it possible to siphon files containing confidential data.
"The issue arose from the way the browser interacted with symlinks when processing files and directories," Imperva researcher Ron Masas said. "Specifically, the browser did not properly check if the symlink was pointing to a location that was not intended to be accessible, which allowed for the theft of sensitive files."
Google characterized the medium-severity issue (CVE-2022-3656) as a case of insufficient data validation in File System, releasing fixes for it in versions 107 and 108 released in October and November 2022."
TLP1 : Green
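The Chromium bug above is an instance of a general mistake: a routine that processes a user-supplied directory follows symlinks inside it and thereby reads files the directory was never meant to expose. The following is an added example, not Chromium's or Imperva's code: a generic "collector" that reads every file under an upload directory, shown first in the naive form and then with the containment checks a practitioner would want (reject symlinks with lstat, require the resolved path to stay under the resolved root, and open with O_NOFOLLOW so a link swapped in after the check is still refused). The directory layout, file names and secret content are constructed inline in a temporary directory; O_NOFOLLOW is assumed to be available (Linux/macOS).

```python
"""Symlink containment: the bug class behind CVE-2022-3656, as a generic demo.

Added example, not Chromium's code. A file-processing routine handed a
directory must not let a symlink inside it pull in files from outside.
All paths below are constructed in a temporary directory.
"""
import os
import tempfile
from pathlib import Path


def build_fixture() -> tuple[Path, Path]:
    """Constructed layout: <tmp>/secret.txt outside the root, and <tmp>/upload/
    holding one regular file plus a symlink that escapes to the secret."""
    tmp = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    secret = tmp / "secret.txt"
    secret.write_text("API_TOKEN=do-not-leak\n")
    upload = tmp / "upload"
    upload.mkdir()
    (upload / "report.txt").write_text("harmless upload\n")
    os.symlink(secret, upload / "notes.txt")  # looks like an ordinary file
    return upload, secret


def collect_naive(root: Path) -> dict[str, str]:
    """Vulnerable pattern: walk the tree and open whatever is listed.
    open()/read_text() follow the symlink, so the secret outside root leaks."""
    out: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            out[str(p.relative_to(root))] = p.read_text()
    return out


def collect_contained(root: Path) -> dict[str, str]:
    """Hardened pattern: refuse symlinks outright, require the resolved path to
    stay inside the resolved root, and open with O_NOFOLLOW (assumed present
    on the platform) so a TOCTOU swap to a symlink fails at open time."""
    real_root = root.resolve(strict=True)
    out: dict[str, str] = {}
    for dirpath, dirs, files in os.walk(root, followlinks=False):
        # Never descend into symlinked directories either.
        dirs[:] = [d for d in dirs if not (Path(dirpath) / d).is_symlink()]
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # reject: a symlink, whatever it points at
            if not p.resolve(strict=True).is_relative_to(real_root):
                continue  # reject: resolves outside the intended root
            fd = os.open(p, os.O_RDONLY | os.O_NOFOLLOW)
            with os.fdopen(fd, "r") as fh:
                out[str(p.relative_to(root))] = fh.read()
    return out


def demo() -> tuple[bool, bool]:
    """Returns (naive_leaked_secret, contained_leaked_secret)."""
    upload, secret = build_fixture()
    leaked_naive = secret.read_text() in collect_naive(upload).values()
    leaked_safe = secret.read_text() in collect_contained(upload).values()
    return leaked_naive, leaked_safe


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The two rejections in `collect_contained` are deliberately redundant: the `is_symlink()` check is the policy (no links at all), the `is_relative_to` check catches a link that a stricter policy might have allowed but that still escapes the root, and `O_NOFOLLOW` closes the window between the check and the open.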
-
Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability
"Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers.
Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022.
Control Web Panel, formerly known as CentOS Web Panel, is a popular server administration tool for enterprise-based Linux systems.
"login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter," according to NIST."
TLP1 : Green
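The NIST description above ("shell metacharacters in the login parameter") names the bug class exactly: a request parameter is concatenated into a command string that a shell then parses. The following is an added example and not CWP's code (CWP is written in PHP; this is a language-neutral illustration of the class): a hypothetical login lookup that builds a shell command from the login name, next to the hardened forms (argv list with no shell, `shlex.quote` when a shell is unavoidable, and an allow-list on the input shape). The command wrapped is `echo`, so the injected "payload" only prints a canary string; the canary, the allow-list pattern and the function names are assumptions for the demo.

```python
"""Shell-metacharacter command injection and its fixes, as a generic demo.

Added example, not CWP's code. A hypothetical login handler hands the
login name to a command; the vulnerable version lets ';' start a second
command, the hardened versions do not. The wrapped command is `echo`.
"""
import re
import shlex
import subprocess

CANARY = "INJECTED"  # constructed marker: appears on its own line only if injection ran


def lookup_vulnerable(login: str) -> str:
    """Vulnerable: a string-built command passed to /bin/sh via shell=True.
    Anything after ';' in `login` is executed as a separate command."""
    cmd = f"echo lookup {login}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(login: str) -> str:
    """Hardened: argv list, no shell. Metacharacters reach echo as literal text."""
    return subprocess.run(["echo", "lookup", login],
                          capture_output=True, text=True).stdout


def lookup_quoted(login: str) -> str:
    """When a shell is genuinely required, quote the untrusted token so the
    shell treats it as one word; still weaker than avoiding the shell."""
    cmd = f"echo lookup {shlex.quote(login)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


LOGIN_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")  # hypothetical allow-list


def lookup_validated(login: str) -> str:
    """Defence in depth: reject input that does not match the expected shape
    before it reaches any command at all."""
    if not LOGIN_RE.fullmatch(login):
        raise ValueError("login contains disallowed characters")
    return lookup_hardened(login)


def injected(output: str) -> bool:
    """True if the canary was echoed as a command of its own (a line by itself)."""
    return CANARY in output.splitlines()


if __name__ == "__main__":
    payload = f"admin; echo {CANARY}"
    print("vulnerable:", injected(lookup_vulnerable(payload)))  # True
    print("hardened:  ", injected(lookup_hardened(payload)))    # False
    print("quoted:    ", injected(lookup_quoted(payload)))      # False
```

Note the order of preference: the argv-list form removes the shell from the path entirely; `shlex.quote` only papers over the string-building pattern; the allow-list is a second layer, not a replacement for either.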
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
Increasing trust, commitment, and predictability during a remote incident response
"In this blog post, Cisco Talos Incident Response (Talos IR) presents some of the key benefits of remote IR support and offers a list of recommendations for working on a remote incident.
Some organizations see added value in having incident responders on site during an emergency. While this approach may offer certain benefits in terms of coordination, in Talos IR’s experience, the physical presence of a team on site is not crucial for the success of the overall IR. Cybersecurity threats are by definition intangible and bringing people physically together does not automatically facilitate an investigation. The traces of the malicious actors involved in a ransomware case, for example, are in the cyberspace made up by an organization’s network and the Internet, which means that, with sufficient connectivity, a remote responder team can work on the case from anywhere.
As a remote-first, follow-the-sun global team, Talos IR has extensive experience in creating a healthy, effective, and collaborative environment for customers and responders regardless of the stressful nature of IR activities. Trust needs to be built over time and proactive IR services offer the means to do this preemptively, ensuring that when an emergency happens, the responders will be able to gain appropriate access in a timely manner. Specific recommendations on how to strategically use proactive services in building this relationship are outlined in section “Adopting a ‘trust but verify’ approach.”"
TLP1 : Green
-
Patch where it Hurts: Effective Vulnerability Management in 2023
"Data from the recently published Security Navigator report shows that businesses are still taking 215 days to patch a reported vulnerability. Even for critical vulnerabilities, it generally takes more than 6 months to patch.
Good vulnerability management is not about being fast enough in patching all potential breaches. It's about focusing on the real risk, using vulnerability prioritization to correct the most significant flaws and reduce the company's attack surface the most. Company data and threat intelligence need to be correlated and automated. This is essential to enable internal teams to focus their remediation efforts. Suitable technologies can take the shape of a global Vulnerability Intelligence Platform. Such a platform can help to prioritize vulnerabilities using a risk score and let companies focus on their real organizational risk."
TLP1 : Green
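The paragraph above argues for ranking by a risk score that correlates internal asset data with threat intelligence rather than by CVSS alone. The following is an added example of that correlation, not the Security Navigator tooling or any vendor's scoring: three constructed findings and a constructed threat-intel feed, a hypothetical risk formula, and the patch window each tier maps to. The asset names, vulnerability identifiers, criticality scale, weights and thresholds are all assumptions for the demo; the point it makes is that a 9.8 on an isolated host can rank below a 7.5 on an internet-facing host that is being exploited in the wild.

```python
"""Risk-based vulnerability prioritization versus CVSS-only ordering.

Added example, not any vendor's platform. Correlates a constructed list of
findings (internal asset data) with a constructed threat-intel feed and
ranks by a hypothetical risk score; the weights and thresholds are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float              # base score, 0-10
    internet_facing: bool
    asset_criticality: int   # hypothetical scale: 1 (lab box) .. 5 (crown jewels)


# Constructed threat-intel feed: vuln id -> (public exploit exists, exploited in the wild)
THREAT_INTEL = {
    "VULN-A": (True, True),
    "VULN-B": (False, False),
    "VULN-C": (True, False),
}

# Constructed internal findings.
SAMPLE = [
    Finding("db-prod-01", "VULN-B", 9.8, False, 5),   # critical CVSS, no exploit, internal
    Finding("vpn-edge-01", "VULN-A", 7.5, True, 4),   # high CVSS, exploited, on the edge
    Finding("lab-vm-07", "VULN-C", 8.1, False, 1),    # public exploit, throwaway asset
]


def risk_score(f: Finding) -> float:
    """Hypothetical formula: likelihood (from intel and exposure) times impact
    (CVSS scaled by asset value), normalised to 0-100."""
    public_exploit, exploited_itw = THREAT_INTEL.get(f.vuln_id, (False, False))
    likelihood = 0.2                      # baseline: theoretical only
    if public_exploit:
        likelihood += 0.3
    if exploited_itw:
        likelihood += 0.4
    if f.internet_facing:
        likelihood += 0.1
    impact = (f.cvss / 10.0) * (f.asset_criticality / 5.0)
    return round(100 * likelihood * impact, 1)


def patch_window_days(score: float) -> int:
    """Hypothetical remediation SLA tiers driven by the risk score."""
    if score >= 50:
        return 7
    if score >= 15:
        return 30
    return 90


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Risk-ordered work queue, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_only(findings: list[Finding]) -> list[Finding]:
    """The ordering a CVSS-only tracker would produce, for contrast."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


if __name__ == "__main__":
    print("CVSS-only order:", [f.asset for f in cvss_only(SAMPLE)])
    for f in prioritize(SAMPLE):
        s = risk_score(f)
        print(f"{f.asset:12} {f.vuln_id} cvss={f.cvss} risk={s:5} patch within {patch_window_days(s)} days")
```

With these inputs the risk queue is vpn-edge-01 (60.0), db-prod-01 (19.6), lab-vm-07 (8.1), whereas CVSS alone would put db-prod-01 first and vpn-edge-01 last.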
-
Get 400 hours of cybersecurity training for just $79 in this deal
"Cyber threats really can come from just about anywhere these days, from innocuous e-mails to fake Pokemon fansites. That's why the best thing that budding cybersecurity professionals can have is a diverse portfolio.
The Complete 2023 Cyber Security Developer & IT Skills Bundle can be a great career investment, especially now that it's available at a price you won't find anywhere else on the web.
This e-learning bundle is a compilation of courses from iCollege, who have strong expertise in cybersecurity (and information technology in general)."
TLP1 : Green
-
Investors Bet Big on Subscription-Based Security Skills Training
"Hack The Box, a British startup working on technology to simplify cybersecurity skills training, has banked a $55 million funding round as venture capital investors place big bets on the subscription-based talent assessment space.
Hack the Box said the $55 million Series B was led by global investment firm Carlyle. Paladin Capital Group, Osage University Partners, Marathon Venture Capital, Brighteye Ventures, and Endeavor Catalyst Fund also invested.
Since its founding in 2017, Hack the Box has raised $69.5 million and built a platform to help organizations with the continuous need to assess and train cybersecurity talent."
TLP1 : Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
Scattered Spider hackers use old Intel driver to bypass security
"A financially motivated threat actor tracked as Scattered Spider was observed attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection from EDR (Endpoint Detection and Response) security products.
The BYOVD technique involves threat actors using a kernel-mode driver known to be vulnerable to exploits as part of their attacks to gain higher privileges in Windows.
Because device drivers have kernel access to the operating system, exploiting a flaw in them allows threat actors to execute code with the highest privileges in Windows."
TLP1 : Green
-
Better Phishing, Easy Malicious Implants: How AI Could Change Cyberattacks
"Artificial intelligence and machine learning (AI/ML) models have already shown some promise in increasing the sophistication of phishing lures, creating synthetic profiles, and creating rudimentary malware, but even more innovative applications of cyberattacks will likely come in the near future.
Malware developers have already started toying with code generation using AI, with security researchers demonstrating that a full attack chain could be created.
The Check Point Research team, for example, used current AI tools to create a complete attack campaign, starting with a phishing email generated by OpenAI's ChatGPT that urges a victim to open an Excel document. The researchers then used the Codex AI programming assistant to create an Excel macro that executes code downloaded from a URL and a Python script to infect the targeted system."
TLP1 : Green
1. Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.