InfoSec News 20230524
Top News
-
AhRat Android RAT was concealed in iRecorder app in Google Play
"ESET researchers have discovered an Android app on Google Play that was hiding a new remote access trojan (RAT) dubbed AhRat.
The app, named iRecorder – Screen Recorder, has more than 50,000 installs. The app was initially uploaded to the Google Play store without malicious features on September 19th, 2021. Threat actors introduced the support for malicious functionalities in version 1.3.8, which was uploaded in August 2022.
The app was designed to extract microphone recordings and steal files with specific extensions, a circumstance that suggests it was involved in an espionage campaign. Researchers have not detected the AhRat anywhere else in the wild. "
TLP1 : Green
-
Italy plans full review of all AI tools on market
"Italy’s privacy watchdog says it won’t stop at ChatGPT and plans to create an AI advisory board to closely review the data collection practices of all artificial intelligence platforms currently available online today, plus those released in the future.
The three-person advisory board of AI experts will be tasked with scrutinizing the powerful technology in regard to how compliant the AI platforms are in accordance with EU data privacy rules.
Top officials from Italy's data protection authority Garante said the new AI advisory board will be in addition to its current four-member panel of privacy law experts.
"We plan to kick off a wide-scope review of generative and machine learning AI applications which are available online because we want to understand if these new tools are addressing issues linked to data protection and privacy laws compliance - and we will start new probes if needed," said Garante's board member Agostino Ghiglia."
TLP1 : Green
-
N. Korean Lazarus Group Targets Microsoft IIS Servers to Deploy Espionage Malware
"The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems.
The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat's (APT) continued abuse of DLL side-loading techniques to deploy malware.
"The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe," ASEC explained. "They then execute the normal application to initiate the execution of the malicious DLL."
DLL side-loading, similar to DLL search-order hijacking, refers to the proxy execution of a rogue DLL via a benign binary planted in the same directory."
TLP1 : Green
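As an added illustration (not code from ASEC or from the article quoted above) of how a defender would hunt for the w3wp.exe -> Wordconv.exe -> msvcr100.dll side-loading chain described in this item, the following Python runs over constructed Sysmon-style process-creation and image-load records. The sample events, the folder layout and the short list of system DLL names are assumptions made for this example.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load).
# These records are built for this example; they are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 7, "Image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "ImageLoaded": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcr100.dll"},  # normal CRT load
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# DLL names expected to resolve from a Windows system directory. Hypothetical
# short list (msvcr100.dll is the name ASEC reported); extend for your estate.
SYSTEM_DLL_NAMES = {"msvcr100.dll", "msvcr120.dll", "vcruntime140.dll", "version.dll"}
IIS_WORKER = "w3wp.exe"


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def sideloaded_dlls(events):
    """Image loads where a well-known system DLL name resolves from the loading
    process's own folder instead of a Windows system directory."""
    hits = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        dll, exe = PureWindowsPath(e["ImageLoaded"]), PureWindowsPath(e["Image"])
        if (dll.name.lower() in SYSTEM_DLL_NAMES
                and not in_system_dir(str(dll)) and dll.parent == exe.parent):
            hits.append((str(exe), str(dll)))
    return hits


def iis_spawned(events):
    """Processes created by the IIS worker process, i.e. code the web server ran."""
    return [e["Image"] for e in events
            if e.get("EventID") == 1
            and PureWindowsPath(e["ParentImage"]).name.lower() == IIS_WORKER]


def correlate(events):
    """Join both signals: a binary launched by w3wp.exe that then side-loads a
    system-named DLL from its own directory is the chain ASEC described."""
    spawned = {p.lower() for p in iis_spawned(events)}
    return [(exe, dll) for exe, dll in sideloaded_dlls(events) if exe.lower() in spawned]


if __name__ == "__main__":
    for exe, dll in correlate(SAMPLE_EVENTS):
        print(f"ALERT side-load chain: {exe} loaded {dll}")
```

Either signal alone produces noise (legitimate apps ship their own CRT copies, and IIS legitimately spawns helpers); the correlation is what makes the alert actionable.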
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
Arms maker Rheinmetall confirms BlackBasta ransomware attack
"German automotive and arms manufacturer Rheinmetall AG confirms that it suffered a BlackBasta ransomware attack that impacted its civilian business.
Rheinmetall is a German manufacturer of automotive, military vehicles, armaments, air defense systems, engines, and various steel products, which employs over 25,000 people and has an annual revenue of over $7 billion.
On Saturday, May 20th, 2023, BlackBasta posted Rheinmetall on its extortion site along with samples of the data the hackers claimed to have stolen from the German company.
The published data samples include non-disclosure agreements, technical schematics, passport scans, and purchase orders."
TLP1 : Green
-
NATO member websites targeted by pro-Russian hackers
"The pro-Russian hacking group UserSec said that it's launching a new cyber campaign targeting and defacing websites belonging to NATO member nations.
The gang posted an announcement about the campaign on their official UserSec Telegram channel Friday, as first reported by the threat Intelligence platform @FalconFeedsio.
“I want to announce that in the coming days there will be a massive defacement of the websites of NATO countries. No one country will be affected. We will deface several at once. Glory to Russia!,” the post translates from Russian."
TLP1 : Green
-
GoldenJackal state hackers silently attacking govts since 2019
"A relatively unknown advanced persistent threat (APT) group named 'GoldenJackal' has been targeting government and diplomatic entities in Asia since 2019 for espionage.
The threat actors have maintained a low profile for stealthiness, carefully selecting their victims and keeping the number of attacks at a minimum to reduce the likelihood of exposure.
Kaspersky has been tracking GoldenJackal since 2020, and today reports that the threat actors have had notable activity in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey.
"GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia," explains Kaspersky.
"Despite the fact that they began their activities years ago, this group is generally unknown and, as far as we know, has not been publicly described.""
TLP1 : Green
-
A deeper insight into the CloudWizard APT’s activity revealed a long-running activity
"In March 2023, researchers from Kaspersky spotted a previously unknown APT group, tracked as Bad Magic (aka Red Stinger), that targeted organizations in the region of the Russo-Ukrainian conflict. The attackers were observed using PowerMagic and CommonMagic implants.
Looking for other implants with similarities with PowerMagic and CommonMagic, the researchers identified a different cluster of even more sophisticated malicious activities associated with the same threat actor.
The victims of this cluster were located not only in the Donetsk, Lugansk and Crimea regions, but also in central and western Ukraine. The APT group targeted individuals, as well as diplomatic and research organizations in the area of the conflict. In the latest campaign uncovered by Kaspersky, the APT group used a modular framework dubbed CloudWizard that supports spyware capabilities, including taking screenshots, microphone recording, harvesting Gmail inboxes, and keylogging."
TLP1 : Green
-
Cuba ransomware likely behind The Philadelphia Inquirer attack
"The Philadelphia Inquirer, Pennsylvania’s largest news organization, was listed on the Cuba ransomware gang’s dark web blog, where crooks showcase their victims.
The notorious Cuba ransomware gang, known for its crippling attack against the Montenegro government’s digital infrastructure, was supposedly behind an incident that severely impacted The Philadelphia Inquirer newsroom earlier this month.
The gang listed the Inquirer on its dark web blog, claiming that its affiliates stole data on May 12th. According to the post, the attackers took a variety of sensitive data ranging from financial documents to source code."
TLP1 : Green
-
US sanctions orgs behind North Korea’s ‘illicit’ IT worker army
"The Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions today against four entities and one individual for their involvement in illicit IT worker schemes and cyberattacks generating revenue to finance North Korea's weapons development programs.
North Korea's illicit revenue generation strategy relies heavily on a massive "army" of thousands of IT workers who hide their identities to get hired by companies overseas, the OFAC said in a press release published on Tuesday.
To secure employment with targeted companies, they employ various deceptive tactics, including using stolen identities, fake personas, and falsified or forged documentation.
While located in China and Russia, they're funneling the generated revenue to funds earned through these endeavors to fuel the Pyongyang regime's weapons programs."
TLP1 : Green
-
Cyber Attacks Strike Ukraine's State Bodies in Espionage Operation
"The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state bodies in the country as part of an espionage campaign.
The intrusion set, attributed to a threat actor tracked by the authority as UAC-0063 since 2021, leverages phishing lures to deploy a variety of malicious tools on infected systems. The origins of the hacking crew are presently unknown.
In the attack chain described by the agency, the emails targeted an unspecified ministry and purported to be from the Embassy of Tajikistan in Ukraine. It's suspected that the messages were sent from a previously compromised mailbox."
TLP1 : Green
-
TikTok CEO: Montana ban is unconstitutional
"TikTok files suit in Montana seeking to overturn the first US state ban of the short-form video app on grounds the new law is unconstitutional.
TikTok's CEO Shou Chew called the ban “simply unconstitutional” on Tuesday while attending the Qatar Economic Forum in Doha.
The lawsuit was filed Monday in US District Court in Montana claiming the state ban violates First Amendment rights of the Chinese owned company and its users.
Last week, five TikTok users and content creators also filed a lawsuit in federal court seeking to block Montana's new law, which would take effect January 1st."
TLP1 : Green
-
IT employee impersonates ransomware gang to extort employer
"A 28-year-old United Kingdom man from Fleetwood, Hertfordshire, has been convicted of unauthorized computer access with criminal intent and blackmailing his employer.
A press release published yesterday by the South East Regional Organised Crime Unit (SEROCU) explains that in February 2018, the convicted man, Ashley Liles, worked as an IT Security Analyst at an Oxford-based company that suffered a ransomware attack.
Like many ransomware attacks, the threat actors contacted the company's executives, demanding a ransom payment.
Due to his role in the company, Liles took part in the internal investigations and incident response effort, which was also supported by other members of the company and the police."
TLP1 : Green
Breaches: Data Breaches and Hacks
-
Carvin Software faces lawsuit after data breach put 350k clients at risk
"Six million stolen credit card details on the dark web have been analyzed to reveal that more than half belong to US residents or citizens. Worse still, many of these come bundled for sale with other personal data such as names and addresses.
NordVPN found that while the average set of stolen card details was sold for $7 on the dark web, some are even leaked for free. This is not a good development for Americans, whose details constituted 58% of analyzed payment details, equivalent to 3.5 million sets.
What’s more, around six in ten stolen credit cards were offered for sale alongside addresses, names, and Social Security numbers."
TLP1 : Green
-
Suzuki Motorcycle India breach forces plant shutdown
"Suzuki Motorcycle India, one of the largest bike manufacturers in the country, was forced to halt production of tens of thousands of vehicles over a data breach.
A cyberattack hit the manufacturer earlier this May, forcing the company to stop production lines. According to Autocar India, the country’s car & bike news outlet, the breach delayed the production of over 20,000 vehicles.
Cybernews has reached out to the company about the alleged data breach, with Suzuki Motorcycle India’s spokesperson confirming that the enterprise is “aware of the incident.”
“We are aware of the incident and have promptly reported to the concerned Government department. The matter is currently under investigation, and for security purposes we are unable to provide further details at this point in time,” the spokesperson told Cybernews."
TLP1 : Green
-
Hackers attack medical equipment provider, almost 2M people affected
"Cybercriminals have attacked Apria Healthcare LLC, stealing the credit card information of nearly two million customers.
The notice to affected clients on May 22nd stated that “an unauthorized third party” accessed select Apria systems storing personal information. Apria is a leading US home medical equipment delivery and clinical support provider.
Reportedly, the attackers stole financial data, including account numbers and credit/debit card numbers. The account's security code, access code, password, and PIN were also accessed."
TLP1 : Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
"Latvian network equipment manufacturer MikroTik has shipped a patch for a major security defect in its RouterOS product and confirmed the vulnerability was exploited five months ago at the Pwn2Own Toronto hacking contest.
In a barebones advisory documenting the CVE-2023-32154 flaw, Mikrotik confirmed the issue affects devices running MikroTik RouterOS versions v6.xx and v7.xx with enabled IPv6 advertisement receiver functionality.
According to ZDI, organizers of the Pwn2Own software exploitation event, the vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS.
“Authentication is not required to exploit this vulnerability,” ZDI warned in an advisory."
TLP1 : Green
-
Windows 11 KB5026436 fixes printing and audio playback issues
"Microsoft has released the May 2023 optional cumulative update for Windows 11, version 21H2, with fixes for audio and printer install problems.
KB5026436 is a monthly non-security preview release designed to enable Windows administrators to test improvements that will be incorporated in the upcoming June 2023 Patch Tuesday release.
According to Microsoft, it addresses a problem encountered by some printers during installation when they connect to Wi-Fi automatically.
The update also fixes an audio playback issue that occurs only on devices equipped with specific processors and a Message Block (SMB) issue preventing users from accessing SMB shared folders because of "Not enough memory resources" or "Insufficient system resources.""
TLP1 : Green
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
The Rising Threat of Secrets Sprawl and the Need for Action
"The most precious asset in today's information age is the secret safeguarded under lock and key. Regrettably, maintaining secrets has become increasingly challenging, as highlighted by the 2023 State of Secrets Sprawl report, the largest analysis of public GitHub activity.
The report shows a 67% year-over-year increase in the number of secrets found, with 10 million hard-coded secrets detected in 2022 alone. This alarming surge in secrets sprawl highlights the need for action and underscores the importance of secure software development.
Secrets sprawl refers to secrets appearing in plaintext in various sources, such as source code, build scripts, infrastructure as code, logs, etc. While secrets like API tokens and private keys securely connect the components of the modern software supply chain, their widespread distribution among developers, machines, applications, and infrastructure systems heightens the likelihood of leaks."
TLP1 : Green
-
Cutting Through the Noise: What is Zero Trust Security?
"The Zero Trust framework has emerged as the leading security protocol for complex enterprises.
According to ZTEdge, 80% of organizations have plans to embrace a zero-trust security strategy this year, and global spending on Zero Trust will more than double between now and 2025.
This rapid growth comes more than a decade after Forrester’s John Kindervag first coined the term “Zero Trust” and nearly 30 years since the concept’s genesis was first published. Zero Trust has become so popular recently as organizations have seen its value in multi-faceted environments that feature cloud, on-premise, and legacy architecture."
TLP1 : Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
Windows 11 getting native support for 7-Zip, RAR, and GZ archives
"Microsoft is adding native support for RAR, 7-Zip, and GZ archives to an upcoming version of Windows 11 expected this week.
Today, Microsoft announced a flurry of news at the Build 2023 conference, including tomorrow's Windows 11 Moment 3 update and the new AI-powered Windows Copilot.
In a new blog post, Microsoft's Chief Product Officer, Panos Panay, described these new features and when they would become available to the general public.
As first spotted by TheVerge, hidden in a section discussing a new Windows 11 developer feature called Dev Home, Panay mentioned that Windows 11 would soon have native support for RAR, 7-Zip, and gz archives."
TLP1 : Green
-
Credible Handwriting Machine
"In case you don’t have enough to worry about, someone has built a credible handwriting machine:
This is still a work in progress, but the project seeks to solve one of the biggest problems with other homework machines, such as this one that I covered a few months ago after it blew up on social media. The problem with most homework machines is that they’re too perfect. Not only is their content output too well-written for most students, but they also have perfect grammar and punctuation something even we professional writers fail to consistently achieve. Most importantly, the machine’s “handwriting” is too consistent. Humans always include small variations in their writing, no matter how honed their penmanship."
TLP1 : Green
-
North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware
"The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation.
"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.
The ongoing targeted campaign, per the cybersecurity firm, is primarily geared towards information services as well as organizations supporting human rights activists and North Korean defectors.
Kimsuky, active since 2012, has exhibited targeting patterns that align with North Korea's operational mandates and priorities."
TLP1 : Green
-
HTB Investigation Walkthrough
"In this walkthrough, we will tackle the Investigation BOX, which is one of my favorite BOXes from Hack The Box's most demanding challenges because it has a great section on reverse engineering. This machine calls for even the savviest cyber wizards to be put to the test in a variety of cyber skills, from thorough enumeration to shrewd privilege escalation and lateral maneuvering. I will uncover the steps taken to solve this challenge, leading you through each pivotal step. So buckle up, and let's commence this electrifying journey!"
TLP1 : Green
-
New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East
"An unknown threat actor has been observed leveraging a malicious Windows kernel driver in attacks likely targeting the Middle East since at least May 2020.
Fortinet Fortiguard Labs, which dubbed the artifact WINTAPIX (WinTapix.sys), attributed the malware with low confidence to an Iranian threat actor.
"WinTapix.sys is essentially a loader," security researchers Geri Revay and Hossein Jazi said in a report published on Monday. "Thus, its primary purpose is to produce and execute the next stage of the attack. This is done using a shellcode.""
TLP1 : Green
1 Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.