InfoSec News 20230130
Top News
-
Microsoft survey says people are ready for AI tools at workplace
"Microsoft is seemingly preparing to introduce more artificial intelligence (AI) features into its toolkit. Results of a new survey suggest the majority of Western business leaders want to automate daily tasks.
The American technology corporation says it has surveyed 2,700 employees and 1,800 business decision-makers in the United States, the United Kingdom, and Japan recently. They were all asked, among other things, “can new technology like AI and low-code and no-code tools help solve their challenges and open up new opportunities.”
The answers were more than clear. “9 out of 10 people want simpler ways to automate daily tasks so they can focus on the work that matters,” Microsoft’s WorkLab, a site devoted to the future of work, said."
TLP¹: Green
-
Pro-Russia group Killnet targets Germany over its support for Ukraine
"The Pro-Russia group Killnet is behind the DDoS attacks that last week hit the websites of German airports, administration bodies, and banks. The attacks are the hacktivists’ response to the German government’s decision to send Leopard 2 tanks to Ukraine.
Chancellor Olaf Scholz announced the decision to send 14 tanks – and allow other countries to send theirs too (which was restricted until now under export regulations) – at a cabinet meeting on Wednesday.
The Federal Cyber Security Authority (BSI) is investigating the attacks."
TLP¹: Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Sandworm APT group hit Ukrainian news agency with five data wipers
"On January 17, 2023, the Telegram channel “CyberArmyofRussia_Reborn” reported the compromise of the systems at the Ukrainian National Information Agency “Ukrinform”.
The Ukrainian Computer Emergency Response Team (CERT-UA) immediately investigated the claims and, as of January 27, 2023, had found five samples of data wipers: CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), BidSwipe (FreeBSD)."
TLP¹: Green
-
NIST Is Updating Its Cybersecurity Framework
"NIST is planning a significant update of its Cybersecurity Framework. At this point, it’s asking for feedback and comments to its concept paper.
Do the proposed changes reflect the current cybersecurity landscape (standards, risks, and technologies)?
Are the proposed changes sufficient and appropriate? Are there other elements that should be considered under each area?
Do the proposed changes support different use cases in various sectors, types, and sizes of organizations (and with varied capabilities, resources, and technologies)?
Are there additional changes not covered here that should be considered?
For those using CSF 1.1, would the proposed changes affect continued adoption of the Framework, and how so?
For those not using the Framework, would the proposed changes affect the potential use of the Framework?"
TLP¹: Green
-
Russia-Linked APT29 Uses New Malware in Embassy Attacks
"Russia-linked cyberespionage group APT29 has been observed staging new malware for attacks likely targeting embassy-related individuals, Recorded Future reports.
Also referred to as Cozy Bear, the Dukes, Nobelium, and Yttrium, APT29 is a Russian advanced persistent threat (APT) group believed to be sponsored by the Russian Foreign Intelligence Service (SVR). It’s also believed to have orchestrated multiple high-profile attacks, including the 2020 SolarWinds attack.
In October 2022, Recorded Future identified new infrastructure and malware that the cyberespionage group likely set up for attacks targeting embassy staff or an ambassador."
TLP¹: Green
-
Alleged member of ShinyHunters group extradited to the US, could face 116 years in jail
"Sebastien Raoult, a French national known as “Seyzo Kaizen” who is suspected of being a member of the ShinyHunters cybercrime gang, has been extradited from Morocco to the United States.
The 22-year-old man was arrested at Rabat international airport in Morocco on May 31, 2022, while trying to board a flight to Brussels.
Raoult and two co-conspirators are charged with hacking into protected computers of corporate entities and with the theft of proprietary information.
“According to the indictment, Raoult was a participant in a hacking group that dubbed itself the “ShinyHunters.” The conspirators allegedly hacked into protected computers of corporate entities for the theft of proprietary and corporate information. The group advertised sensitive stolen data for sale and sometimes threatened to leak or sell stolen sensitive files if the victim did not pay a ransom.” reads the press release published by DoJ. “Since early 2020, ShinyHunters Group has marketed and promoted data stolen from more than 60 companies in Washington State and elsewhere around the world.”
The group offered the stolen data for sale and sometimes threatened to leak it if the victim did not pay a ransom."
TLP¹: Green
-
Australian police warn parents about gaming predators
"Does your child play video games online? Do they use chat functions, as well? If so, be extra careful – sexual predators like to lurk in the digital shadows and befriend unsuspecting children, the Australian Federal Police (AFP) warned.
According to its press release, parents and carers should seek to be more readily involved in their children’s online activities – specifically online gaming. The police say predators often use chat functions on these platforms to contact children.
Hilda Sirec, Acting Assistant Commissioner, said many adults did not actually realize how offenders can use in-game chatting to initiate conversations with their offspring.
“These offenders may pretend to be young themselves or use details from the child’s profile to portray themselves as a ‘friend of their friends’,” Sirec said."
TLP¹: Green
Breaches: Data Breaches and Hacks
-
IT Army of Ukraine hacked Gazprom’s archive
"IT Army of Ukraine claims to have accessed a 1.5 GB archive of files belonging to the Russian state-controlled energy giant, Gazprom.
“The IT Army of Ukraine gained access to information on the activities of the largest filler of the state budget, and accordingly the main sponsor of terrorism and the invasion of Ukraine — Gazprom,” hackers stated in their Telegram channel.
According to them, the archive contains more than 6,000 files of the Gazprom group of companies regarding financial and economic activities, namely reports on testing and drilling, implementation and adjustment of automated systems at the Koviktinsky well (Irkutsk region), which is considered one of Russia’s largest gas fields.
To support their claims, hackers also released a statement of confidentiality, which was likely included in Gazprom’s agreement."
TLP¹: Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
ISC Releases Security Patches for New BIND DNS Software Vulnerabilities
"The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition.
"A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory released Friday.
The open source software is used by major financial firms, national and international carriers, internet service providers (ISPs), retailers, manufacturers, educational institutions, and government entities, according to its website."
TLP¹: Green
-
Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
"Vulnerabilities in the OpenEMR healthcare software could allow remote attackers to steal sensitive patient data or execute arbitrary commands and take over systems.
OpenEMR is an open source software used for the management of health records. It also allows patients to schedule appointments, get in touch with physicians, and pay invoices.
Security researchers at Sonar Source identified and reported three vulnerabilities in OpenEMR, including two that can be chained to achieve remote code execution (RCE).
“A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data. In the worst case, they can compromise the entire critical infrastructure,” Sonar warns."
TLP¹: Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
"On Friday, January 20, 2023, Google announced it would lay off 12,000 employees. Amazon and Microsoft have laid off a combined 28,000 people; Twitter has reportedly lost 5,200 people; Meta (Facebook, etcetera) is laying off 11,000… This is just the tech giants, and almost all the staff looking for new positions are, by definition, tech-savvy – and some will be cybersecurity professionals.
Layoffs are not limited to the tech giants. Smaller cybersecurity vendor firms are also affected. OneTrust has laid off 950 staff (25% of employees); Sophos has laid off 450 (10%); Lacework (300, 20%); Cybereason (200, 17%); OwnBackup (170, 17%), and the list goes on.
SecurityWeek examined how this layoff-induced influx of experienced professionals into the job-seeker market is affecting, or might affect, the skills gap and recruitment in cybersecurity."
TLP¹: Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
Gootkit Malware Continues to Evolve with New Components and Obfuscations
"The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains.
Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is "exclusive to this group."
Gootkit, also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning.
The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE."
TLP¹: Green
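A triage check for the delivery artefact described above (a ZIP archive that carries a JavaScript file under a document-themed name), written as an added example by the editor; it is not code from Mandiant or from the Gootkit report. The extension lists, the lure words and the two sample archives are constructed assumptions for the demo, not indicators taken from the article, and the check is a heuristic for mail-gateway or sandbox triage rather than a signature.

```python
"""Flag ZIP archives that deliver a script under a document-themed name.
Added example; extension lists, lure words and samples are assumptions."""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows hands to the script host or shell on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".lnk", ".cmd", ".bat", ".ps1"}
# Extensions a victim expects a "business document" to carry.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# Lure words assumed for the SEO-poisoning theme (agreements, contracts, ...).
LURE_WORDS = ("agreement", "contract", "template", "invoice", "form")


@dataclass
class Finding:
    member: str
    reasons: list[str] = field(default_factory=list)


def inspect_zip(data: bytes) -> list[Finding]:
    """Return one Finding per archive member that looks like a script lure."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        for info in infos:
            lower = info.filename.lower()
            stem, dot, ext = lower.rpartition(".")
            if not dot or f".{ext}" not in SCRIPT_EXTENSIONS:
                continue  # not an executable script type; nothing to flag
            reasons = [f"script extension .{ext}"]
            if any(word in stem for word in LURE_WORDS):
                reasons.append("document-themed filename")
            if stem.rpartition(".")[2] in DOCUMENT_EXTENSIONS:
                reasons.append("double extension (document type before script type)")
            if len(infos) == 1:
                # A lone script is the whole "document"; nothing else in the archive.
                reasons.append("sole member of the archive")
            findings.append(Finding(info.filename, reasons))
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory archive for the demo (helper, not a detector)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real Gootkit artefacts): a plausible lure and a benign archive.
LURE_ZIP = build_zip({"service_agreement_contract_2023.pdf.js": b"var a = 1; // placeholder"})
BENIGN_ZIP = build_zip({"q4_report.pdf": b"%PDF-1.4 ...", "notes.txt": b"hello"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, [(f.member, f.reasons) for f in inspect_zip(blob)])
```

Run it on a quarantined archive with `inspect_zip(open(path, "rb").read())`; any member with a script extension is worth a look, and three or four reasons on a single member is a strong signal that the archive is a lure rather than a document.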
-
Shady reward apps on Google Play amass 20 million downloads
"A new category of activity tracking applications has been having massive success recently on Google Play, Android's official app store, having been downloaded on over 20 million devices.
The applications promote themselves as health, pedometer, and good habit-building apps, promising to give users random rewards for staying active in their daily lives, reaching distance goals, etc.
According to a report by the Dr. Web antivirus, though, the rewards may be impossible to cash out or are only made available partially after forcing users to watch a large number of advertisements."
TLP¹: Green
-
Titan Stealer: A New Golang-Based Information Stealer Malware Emerges
"A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel.
"The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi said in a recent report.
Details of the malware were first documented by cybersecurity researcher Will Thomas (@BushidoToken) in November 2022 by querying the IoT search engine Shodan."
TLP¹: Green
-
Phylum Identifies 101 Malicious npm Packages
"NPM has made great strides in improving the security of the ecosystem, adding nice features like identifying potential typosquats before the packages are published. Despite this, however, malicious packages continue to be published to unsuspecting users.
On January 29, 2023, the Phylum platform notified us of 101 malicious NPM packages."
TLP¹: Green
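The pre-publication typosquat check mentioned above, sketched as an added example by the editor; it is not Phylum's or npm's own code. The list of popular package names, the normalisation table and the distance threshold are assumptions for the demo; a registry would use its own popularity list and rules, and this check complements, but does not replace, inspection of what the package actually does at install time.

```python
"""Screen a candidate npm package name against popular names for typosquats.
Added example; POPULAR, the normalisation table and the threshold are assumptions."""

# Constructed list standing in for the registry's set of popular packages.
POPULAR = ["lodash", "express", "react", "axios", "chalk", "commander", "@types/node"]

# Separators dropped and look-alike digits mapped to letters, so that
# "lo-dash", "l0dash" and "types-node" collapse onto the names they imitate.
_NORMALISE = str.maketrans({"-": "", "_": "", ".": "", "@": "", "/": "",
                            "0": "o", "1": "l", "3": "e", "5": "s"})


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalise(name: str) -> str:
    return name.lower().translate(_NORMALISE)


def typosquat_candidates(name: str, popular=POPULAR, max_distance=1) -> list[tuple[str, str]]:
    """Return (popular_name, reason) pairs the candidate is suspiciously close to.

    An exact match is not a squat (it is the package itself, or a name
    the registry would reject as taken), so it is skipped.
    """
    hits: list[tuple[str, str]] = []
    norm = normalise(name)
    for p in popular:
        if p == name:
            continue
        if normalise(p) == norm:
            hits.append((p, "same name after separator/homoglyph normalisation"))
        else:
            dist = damerau_levenshtein(name, p)
            if dist <= max_distance:
                hits.append((p, f"edit distance {dist}"))
    return hits


if __name__ == "__main__":
    for candidate in ("lodahs", "l0dash", "types-node", "express", "leftpad"):
        print(candidate, typosquat_candidates(candidate))
```

The two checks catch different tricks: normalisation catches separator and digit look-alikes at any length, while the edit-distance check catches a single dropped, added, swapped or substituted character. Raise `max_distance` only with a popularity-weighted list, or short names will collide with each other.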
¹ Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.