InfoSec News 20230202
Top News
-
US Cellular customer data allegedly up for grabs on the dark web
"A treasure trove of customer data, allegedly stolen from mobile carrier US Cellular, has been offered up for free on the dark web.
A dark web hacker claims to have obtained the stolen data belonging to 144 thousand US Cellular mobile customers and is now offering it up for free on the popular black market leak site BreachForums.
The hacker, known on the site as IntelBroker, posted a download link – accompanied by the official US Cellular logo, on BreachForums Wednesday morning.
The Cybernews research team confirmed the US Cellular website was offline at some point Wednesday morning, but has since been restored."
TLP1 : Green
-
Over 1,800 Android phishing forms for sale on cybercrime market
"A threat actor named InTheBox is promoting on Russian cybercrime forums an inventory of 1,894 web injects (overlays of phishing windows) for stealing credentials and sensitive data from banking, cryptocurrency exchange, and e-commerce apps.
The overlays are compatible with various Android banking malware and mimic apps operated by major organizations used in dozens of countries on almost all continents.
Being available in such numbers and at low prices allows cybercriminals to focus on other parts of their campaigns, the development of the malware, and to widen their attacks to other regions.
Typically, mobile banking trojans check what apps are present on an infected device and pull from the command and control server the web injects corresponding to the apps of interest."
TLP1 : Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign
"A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.
That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple in reference to an error message that's used in one of the backdoors.
Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.
Roughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022."
TLP1 : Green
-
Digital taxi service offline after cyberattack
"A taxi-booking service in Australia has been forced to shut down after a cyberattack, leaving disabled and child passengers temporarily stranded. Frustrated users have vented their displeasure on Twitter following the announcement on the social media platform.
Another day, another business compromised by threat actors. The latest victim is Black and White Cabs, a digital ride-booking service based in the Australian state of Queensland that prides itself on making taxi bookings “easy.”
Not right now, it would seem. “We’ve been informed Black and White Cabs’ taxi booking system is down this morning – which will impact school transport pick-ups and likely affect wheelchair-accessible taxi bookings,” announced Transport and Main Roads Queensland on Twitter."
TLP1 : Green
-
New Russian-Backed Gamaredon's Spyware Variants Targeting Ukrainian Authorities
"The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country.
The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013.
"UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said. "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns.""
TLP1 : Green
-
Experts Warn of 'Ice Breaker' Cyberattacks Targeting Gaming and Gambling Industry
"A new attack campaign has been targeting the gaming and gambling sectors since at least September 2022, just as the ICE London 2023 gaming industry trade fair event is scheduled to kick off next week.
Israeli cybersecurity company Security Joes is tracking the activity cluster under the name Ice Breaker, stating the intrusions employ clever social engineering tactics to deploy a JavaScript backdoor.
The attack sequence proceeds as follows: The threat actor poses as a customer while initiating a conversation with a support agent of a gaming company under the pretext of having account registration issues. The adversary then urges the individual on the other end to open a screenshot image hosted on Dropbox."
TLP1 : Green
-
CISA to Open Supply Chain Risk Management Office
"The US Cybersecurity and Infrastructure Security Agency (CISA) plans to open an office focused on helping the public and private sectors protect their software and IT supply chains.
The new office will help organizations implement recently issued CISA policies and guidance related to managing cybersecurity supply chain risk, including issues stemming from malicious functionality, counterfeit components, or open source software (OSS) vulnerabilities, and more.
Former General Services Administration official Shon Lyublanovits will lead the new supply chain management risk division, Federal News Network (FNN) reported."
TLP1 : Green
Breaches: Data Breaches and Hacks
-
Nearly All Firms Have Ties With Breached Third Parties
"Nearly every company does business with — or uses the products of — a third party that has suffered a compromise, thus increasing their security risks.
That's according to data science firm Cyentia Institute, which has issued an analysis that includes external measurements of security from more than 230,000 organizations provided by cybersecurity risk-management firm SecurityScorecard. It found that the average firm had around 10 third-party relationships, and hundreds of indirect fourth-party relationships, with the typical firm having 60 to 90 times more fourth parties than third parties. Nearly all firms (98%) had at least one third-party partner who had suffered a breach, the report stated."
TLP1 : Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility
"Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service (DoS) and information disclosure.
The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022."
TLP1 : Green
-
EV chargers vulnerable to attack
"Many EV chargers, both home and public devices, have been shown to have security flaws – and strong standards are still lacking.
Last April, drivers on the UK's Isle of Wight were startled to discover pornography appearing on the screen of electric vehicle charging points in the local council's car parks.
The chargers had been hacked to redirect to a porn website following a change of network.
Similarly, and around the same time, charging stations along Russia’s M11 motorway between Moscow and Saint Petersburg started displaying pro-Ukrainian messages after being hacked."
TLP1 : Green
-
Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover
"A security vulnerability has been found in Cisco gear used in data centers, large enterprises, industrial factories, power plants, manufacturing centers, and smart city power grids that could allow cyberattackers unfettered access to these devices and broader networks.
In a report published on Feb. 1, researchers from Trellix revealed the bug, one of two vulnerabilities discovered that affect the following Cisco networking devices: Cisco ISR 4431 routers, 800 Series Industrial ISRs, CGR1000 Compute Modules, IC3000 Industrial Compute Gateways, IOS XE-based devices configured with IOx, IR510 WPAN Industrial Routers, Cisco Catalyst Access points."
TLP1 : Green
-
Discrepancies Discovered in Vulnerability Severity Ratings
"A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the National Vulnerability Database (NVD) alone to make patch prioritization decisions.
An analysis by VulnCheck of 120 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust."
TLP1 : Green
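As an added example for this item (not VulnCheck's analysis or code), the Python below shows what the two-score problem looks like in the NVD API 2.0 JSON, where each CVE's metrics.cvssMetricV31 list carries a NIST entry of type Primary and vendor entries of type Secondary, and how to pull out the CVEs whose scores disagree so the team can apply an explicit policy instead of silently trusting one column. The records, the vendor source address and the CVE IDs are constructed placeholders, not real NVD entries.

```python
"""Find CVEs whose NIST (Primary) and vendor (Secondary) CVSS v3 scores disagree.

Added example for this digest, not VulnCheck's code. It follows the NVD API
2.0 JSON layout: vulnerabilities[].cve.metrics.cvssMetricV31[] (and
cvssMetricV30[]), each entry tagged with a 'source' and a 'type' of
'Primary' (NIST) or 'Secondary' (the product vendor or another CNA).
SAMPLE_NVD_JSON is constructed; the CVE IDs and vendor address are
placeholders, not real records.
"""
import json

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _record(cve_id, primary, secondary=None):
    """Build one NVD-shaped record from (score, severity) tuples. Constructed data."""
    metrics = [{
        "source": "nvd@nist.gov", "type": "Primary",
        "cvssData": {"version": "3.1", "baseScore": primary[0], "baseSeverity": primary[1]},
    }]
    if secondary:
        metrics.append({
            "source": "psirt@vendor.example", "type": "Secondary",  # placeholder vendor
            "cvssData": {"version": "3.1", "baseScore": secondary[0], "baseSeverity": secondary[1]},
        })
    return {"cve": {"id": cve_id, "metrics": {"cvssMetricV31": metrics}}}


SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    _record("CVE-0000-0001", (9.8, "CRITICAL"), (7.5, "HIGH")),   # vendor rates lower
    _record("CVE-0000-0002", (5.3, "MEDIUM")),                    # NIST score only
    _record("CVE-0000-0003", (7.8, "HIGH"), (7.8, "HIGH")),       # both agree
    _record("CVE-0000-0004", (6.5, "MEDIUM"), (8.8, "HIGH")),     # vendor rates higher
]})


def _v3_metrics(cve):
    metrics = cve.get("metrics", {})
    return metrics.get("cvssMetricV31", []) + metrics.get("cvssMetricV30", [])


def score_discrepancies(nvd_json_text):
    """Return one dict per (CVE, Secondary source) pair whose v3 score or
    severity differs from the NIST Primary entry."""
    found = []
    for item in json.loads(nvd_json_text)["vulnerabilities"]:
        cve = item["cve"]
        entries = _v3_metrics(cve)
        primary = next((m for m in entries if m.get("type") == "Primary"), None)
        if primary is None:
            continue
        p = primary["cvssData"]
        for m in entries:
            if m.get("type") != "Secondary":
                continue
            s = m["cvssData"]
            if s["baseScore"] != p["baseScore"] or s["baseSeverity"] != p["baseSeverity"]:
                found.append({
                    "id": cve["id"],
                    "nist": (p["baseScore"], p["baseSeverity"]),
                    "vendor": (s["baseScore"], s["baseSeverity"]),
                    "vendor_source": m.get("source"),
                })
    return found


def discrepancy_rate(nvd_json_text):
    """Share of CVEs in the feed with at least one disagreeing Secondary score."""
    total = len(json.loads(nvd_json_text)["vulnerabilities"])
    ids = {d["id"] for d in score_discrepancies(nvd_json_text)}
    return len(ids) / total if total else 0.0


def triage_severity(nvd_json_text, policy="max"):
    """Map each CVE ID to one severity under an explicit policy:
    'max' takes the worst of all v3 sources, 'nist' trusts only the Primary entry."""
    result = {}
    for item in json.loads(nvd_json_text)["vulnerabilities"]:
        cve = item["cve"]
        entries = _v3_metrics(cve)
        if policy == "nist":
            entries = [m for m in entries if m.get("type") == "Primary"]
        sevs = [m["cvssData"]["baseSeverity"] for m in entries]
        if sevs:
            result[cve["id"]] = max(sevs, key=SEVERITY_RANK.__getitem__)
    return result


if __name__ == "__main__":
    for d in score_discrepancies(SAMPLE_NVD_JSON):
        print(f"{d['id']}: NIST {d['nist']} vs {d['vendor_source']} {d['vendor']}")
    print(f"discrepancy rate: {discrepancy_rate(SAMPLE_NVD_JSON):.0%}")
    print(triage_severity(SAMPLE_NVD_JSON, policy="max"))
```

Against a real NVD feed the same functions run unchanged on the JSON returned by the API; the choice that matters is the policy argument, since "max" errs toward patching sooner while "nist" reproduces exactly the single-score view the study warns about.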
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
Cybersecurity Budgets Are Going Up. So Why Aren't Breaches Going Down?
"Over the past few years, cybersecurity has become a major concern for businesses around the globe. With the total cost of cybercrime in 2023 forecasted to reach $8 Trillion – with a T, not a B – it's no wonder that cybersecurity is top of mind for leaders across all industries and regions.
However, despite growing attention and budgets for cybersecurity in recent years, attacks have only become more common and more severe. While threat actors are becoming increasingly sophisticated and organized, this is just one piece to the puzzle in determining why cybercrime continues to rise and what organizations can do to stay secure."
TLP1 : Green
-
Dealing With the Carcinization of Security
"Recently, a friend brought up the term “carcinization” and I must admit, I had to look it up! Turns out the term was coined more than 100 years ago to describe the phenomenon of crustaceans evolving into crab-shaped forms. Today, there are even memes for it. So, what does this example of convergent evolution have to do with security? It’s an apt description of how the security industry has evolved and why security leaders often struggle to determine the right security investments for their organization."
TLP1 : Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
New HeadCrab malware infects 1,200 Redis servers to mine Monero
"New stealthy malware designed to hunt down vulnerable Redis servers online has infected over a thousand of them since September 2021 to build a botnet that mines for Monero cryptocurrency.
Discovered by Aqua Security researchers Nitzan Yaakov and Asaf Eitani, who dubbed it HeadCrab, the malware has so far ensnared at least 1,200 such servers, which are also used to scan for more targets online.
"This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," the researchers said.
"We discovered not only the HeadCrab malware but also a unique method to detect its infections in Redis servers. Our method found approximately 1,200 actively infected servers when applied to exposed servers in the wild.""
TLP1 : Green
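An added example for this item, not Aqua Security's detection method and not a HeadCrab fingerprint: Internet-exposed Redis instances are routinely taken over through the replication commands (REPLICAOF/SLAVEOF pointing the server at an attacker-controlled master) followed by MODULE LOAD of a hostile shared object, which is exactly the kind of state an agentless scan can read from the outside through INFO, MODULE LIST and CONFIG GET. The Python below triages those replies for that shape; the INFO text, module rows, config values and the KNOWN_MODULES allow-list are constructed assumptions, with the master address taken from a documentation range.

```python
"""Triage an exposed Redis instance for the generic replication/module abuse pattern.

Added example for this digest; it is not Aqua Security's HeadCrab detection
method and does not identify HeadCrab itself. It checks the raw text of
INFO replication, the rows of MODULE LIST and a few CONFIG GET values for:
a replica of a master outside your internal ranges, a loaded module that is
not on your allow-list, and the exposure settings that let a stranger issue
those commands at all. All inputs below are constructed samples.
"""
import ipaddress

KNOWN_MODULES = {"ReJSON", "search", "timeseries", "bf"}   # assumption: modules you deploy
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "::1/128", "fc00::/7")]      # assumption: your internal space

SAMPLE_INFO = """# Replication
role:slave
master_host:203.0.113.10
master_port:6379
master_link_status:up
"""  # constructed; 203.0.113.0/24 is a documentation range, not a real master
SAMPLE_MODULES = [
    {"name": "ReJSON", "path": "/opt/redis-stack/lib/rejson.so"},
    {"name": "srvcache", "path": "/tmp/.cache/srvcache.so"},  # constructed, not a real IoC
]
SAMPLE_CONFIG = {"protected-mode": "no", "requirepass": "", "bind": "0.0.0.0",
                 "dir": "/var/lib/redis", "dbfilename": "dump.rdb"}


def parse_info(info_text):
    """Parse the 'key:value' lines of a Redis INFO reply into a dict."""
    out = {}
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        out[key] = value
    return out


def _is_internal_host(host):
    """True only for literal addresses inside INTERNAL_NETS; hostnames are not trusted."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(info_text, modules, config):
    """Return a list of finding strings. `modules` is MODULE LIST as a list of
    dicts with 'name' (and 'path' on Redis 7); `config` maps CONFIG GET names to values."""
    info = parse_info(info_text)
    findings = []

    # 1. Replication: the instance has been made a replica of a master that is not ours.
    if info.get("role") == "slave":
        master = info.get("master_host", "")
        if not _is_internal_host(master):
            findings.append(f"replica of non-internal master {master}:{info.get('master_port')}")

    # 2. Modules: anything outside the allow-list, with its on-disk path for the responder.
    for mod in modules:
        name = mod.get("name")
        if name not in KNOWN_MODULES:
            findings.append(f"unrecognised module loaded: {name} from {mod.get('path', 'unknown path')}")

    # 3. Exposure: settings that allow unauthenticated remote commands in the first place.
    if config.get("protected-mode") == "no":
        findings.append("protected-mode is off")
    if not config.get("requirepass"):
        findings.append("no password (requirepass is empty)")
    bind = config.get("bind", "")
    if not bind or any(b.lstrip("-") in {"0.0.0.0", "*", "::", "::*"} for b in bind.split()):
        findings.append(f"listening on all interfaces (bind={bind!r})")

    # 4. Persistence abuse: the older trick of writing the dump file into a system location.
    dbfile = config.get("dbfilename", "dump.rdb")
    if not dbfile.endswith(".rdb"):
        findings.append(f"dbfilename is {dbfile!r}, not an .rdb file")
    if config.get("dir", "").startswith(("/root", "/etc", "/home", "/var/spool")):
        findings.append(f"dump directory points at a system path ({config['dir']})")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INFO, SAMPLE_MODULES, SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run against a live server, the three inputs come from INFO replication, MODULE LIST and CONFIG GET over the same unauthenticated connection an attacker would use, which is the point: a module planted this way lives in the redis-server process and in the MODULE LIST reply, not as a separate binary a file-based scanner would notice.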
-
AIs as Computer Hackers
"Hacker “Capture the Flag” has been a mainstay at hacker gatherings since the mid-1990s. It’s like the outdoor game, but played on computer networks. Teams of hackers defend their own computers while attacking other teams’. It’s a controlled setting for what computer hackers do in real life: finding and fixing vulnerabilities in their own systems and exploiting them in others’. It’s the software vulnerability lifecycle.
These days, dozens of teams from around the world compete in weekend-long marathon events held all over the world. People train for months. Winning is a big deal. If you’re into this sort of thing, it’s pretty much the most fun you can possibly have on the Internet without committing multiple felonies."
TLP1 : Green
1 Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.