InfoSec News 20230615

  • Published: Thu, 15/06/2023 - 13:41

Top News


  • Amazon cloud services back up after big outage hits thousands of users

"Amazon.com said cloud services offered by its unit, Amazon Web Services (AWS), were restored after a big disruption on Tuesday affected websites of the New York Metropolitan Transportation Authority and the Boston Globe among others.
Several hours after Downdetector.com started showing reports of outages, Amazon said, "the issue has been resolved and all AWS Services are operating normally."

Link

TLP¹: Green

  • How Europe is Leading the World in the Push to Regulate AI

"Lawmakers in Europe signed off Wednesday on the world’s first set of comprehensive rules for artificial intelligence, clearing a key hurdle as authorities across the globe race to rein in AI.
The European Parliament vote is one of the last steps before the rules become law, which could act as a model for other places working on similar regulations.
A yearslong effort by Brussels to draw up guardrails for AI has taken on more urgency as rapid advances in chatbots like ChatGPT show the benefits the emerging technology can bring — and the new perils it poses."

Link

TLP¹: Green

  • Russian hackers use PowerShell USB malware to drop backdoors

"The Russian state-sponsored hacking group Gamaredon (aka Armageddon or Shuckworm) continues to target critical organizations in Ukraine's military and security intelligence sectors, employing a refreshed toolset and new infection tactics.
Previously, the Russian hackers, who have been linked to the FSB, were observed using information-stealers against Ukrainian state organizations, employing new variants of their "Pteranodon" malware, and also using a default Word template hijacker for new infections.
Symantec's threat research team, part of Broadcom, reports today that the threat actors have recently begun using USB malware to propagate to additional systems inside infected networks.
Another interesting element in Gamaredon's newest campaign is to target HR departments, potentially indicating that the threat actors are aiming for spear-phishing attacks within breached organizations."

Link

TLP¹: Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • Spotify fined $5M+ for GDPR violations

"The streaming platform processes tons of personal data. However, it’s difficult for its users to understand what Spotify needs their information for.
The Swedish Privacy Authority (IMY) has fined the streaming platform 58 million Swedish kronor ($5.4 million) after investigating how Spotify handles customers' right to access their personal data.
According to The General Data Protection Regulation (GDPR) that came into force in 2018, customers have the right to find out what personal data businesses handle and how that information is used.
IMY said Spotify needs to inform its customers clearly about how their data is being used.
Karin Ekström, one of the lawyers in charge of the recent investigation, said Spotify should be more specific."

Link

TLP¹: Green

  • US Organizations Paid $91 Million to LockBit Ransomware Gang

"The LockBit ransomware gang has launched roughly 1,700 attacks in the United States and received approximately $91 million in ransom payments, the US government says.
Active since at least January 2020, LockBit operates under the Ransomware-as-a-Service (RaaS) model, where affiliates use the malware and its infrastructure to target organizations in the critical infrastructure, education, energy, government and emergency response, financial services, food and agriculture, healthcare, manufacturing, and transportation sectors."

Link

TLP¹: Green

  • Microsoft links data wiping attacks to new Russian GRU hacking group

"Microsoft has linked a threat group it tracks as Cadet Blizzard since April 2023 to Russia’s Main Directorate of the General Staff of the Armed Forces (also known as GRU).
The company previously connected this new GRU hacking group with the destructive WhisperGate data-wiping attacks in Ukraine that started on January 13, 2022, more than a month before the Russian invasion of Ukraine in February 2022.
Cadet Blizzard was also behind the defacement of Ukrainian websites in early 2022 and several hack-and-leak operations that were promoted on a low-activity Telegram channel known as 'Free Civilian.'
The group is believed to have started operations in 2020, prioritizing targeting of government services, law enforcement, non-profit/non-governmental organizations, IT service providers/consulting, and emergency services in Ukraine."

Link

TLP¹: Green

  • North Korea's Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks

"U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors' use of social engineering tactics to strike think tanks, academia, and news media sectors.
The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima.
"North Korea relies heavily on intelligence gained from these spear-phishing campaigns," the agencies said. "Successful compromises of the targeted individuals enable Kimsuky actors to craft more credible and effective spear-phishing emails that can be leveraged against sensitive, high-value targets.""

Link

TLP¹: Green

  • Pro-Russian bot farm busted in Ukraine

"Cyber police in Ukraine have taken down a large-scale bot farm outside of Kyiv, which they say was used to create thousands of fake online accounts to push a pro-Russian agenda and discredit Ukrainian forces.
Investigators say the “Botoferma” had at least 4,000 fake social media accounts made to look like the accounts of ordinary citizens of Ukraine.
The bots were used to troll social media platforms, publish fake posts, and leave comments on other posts and profile accounts, badmouthing the Defense Forces of Ukraine while justifying the armed aggression of the Russian Federation, police said.
The Botoferma was used to “inform public opinion among Ukrainians in the interests of the enemy, and destabilize the socio-political situation in the country,” cybercrime investigators said."

Link

TLP¹: Green

  • UPS latest Anonymous Sudan target, Microsoft time-out

"Following a week-long attack on Microsoft, the pro-Russian hacktivist gang Anonymous Sudan has claimed global shipping giant United Parcel Service (UPS) as the latest target in an ongoing campaign against the US.
The UPS website was reportedly knocked offline by the hackers around 6 p.m. ET Monday night.
The monitoring site Downdetector showed the UPS website was down for thousands of users in the US at the time, as well as for users in Canada and the UK."

Link

TLP¹: Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • Microsoft: Windows Kernel CVE-2023-32019 fix is disabled by default

"Microsoft has released an optional fix to address a Kernel information disclosure vulnerability affecting systems running multiple Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases.
While it has a medium severity range CVSS base score of 4.7/10, Redmond has tagged this security flaw (CVE-2023-32019) as important severity.
Reported by Google Project Zero security researcher Mateusz Jurczyk, the bug lets authenticated attackers access the heap memory of privileged processes running on unpatched devices.
While successful exploitation doesn't require threat actors to have administrator or other elevated privileges, it does depend on their ability to coordinate their attacks with another privileged process run by another user on the targeted system."

Link

TLP¹: Green

  • Windows 11 KB5027231 update breaks Google Chrome for Malwarebytes users

"Malwarebytes confirmed today that the Windows 11 22H2 KB5027231 cumulative update released this Patch Tuesday breaks Google Chrome on its customers' systems.
Windows admins and users report that devices are affected by this issue after rolling out yesterday's Windows 11 updates.
While uninstalling the KB5027231 update fixes the issue, admins report that it's not possible to do so via WSUS because of a "catastrophic error."
"Rolled KB5027231 to a bunch of users, and I have Chrome broken everywhere. Attempting to rollback via wusa shows a 'catastrophic error' in the Event Viewer, and WSUS shows I cannot roll this back," one admin said."

Link

TLP¹: Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • Four Things to Consider as You Mature Your Threat Intel Program

"When ESG recently asked security professionals to identify the attributes of a mature threat intelligence program, the top response was “information dissemination with reports customized for consumption by specific individuals and groups”. However, many organizations don’t have mature threat intelligence programs and have yet to achieve this. ESG’s Jon Oltsik cites the 80/20 rule, where “80% of organizations have basic threat intelligence programs while only 20% are more advanced.”
Sharing customized threat intelligence with key users is not just a sign that your threat intel program is maturing, it’s a great way to build deeper understanding, demonstrate value, and garner broader support for the program. If you want to begin, or improve, sharing customized intelligence with key users, consider these four aspects as you develop your process."

Link

TLP¹: Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • WannaCry ransomware impersonator targets Russian "Enlisted" FPS players

"A ransomware operation targets Russian players of the Enlisted multiplayer first-person shooter, using a fake website to spread trojanized versions of the game.
Enlisted is a legitimate game published by Gaijin Entertainment in 2021, having between 500,000 and a million active monthly players.
The game is free, so threat actors could easily download the installer from the publisher and modify it to distribute malicious payloads to unsuspecting users.
The ransomware bundled with the game installer pretends to be the third major version of the notorious WannaCry, even using the '.wncry' file extension on encrypted files."

Link

TLP¹: Green

  • Strava heatmap might reveal your home address, researchers claim

"It’s possible to identify your home address, especially if you’re choosing less popular Strava routes, researchers claim.
Strava, one of the most popular fitness-tracking apps, introduced its heatmap feature in 2018. As you might’ve guessed, it shows ‘heated’ public spaces popular among athletes. Updated monthly, the heatmap feature aggregates data anonymously and lets you opt-out.
However, researchers from North Carolina State University demonstrated that it’s possible to identify the home addresses of highly active users. By analyzing the data from Strava’s heatmap feature and combining it with OpenStreetMaps and even voter registration data, researchers said there was a 37.5% chance of successfully revealing the address."

Link

TLP¹: Green

  • Credential Dumping – Active Directory Reversible Encryption

"According to MITRE, an adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The AllowReversiblePasswordEncryption property specifies whether reversible password encryption for an account is enabled or disabled. By default, this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software requires it.
MITRE TACTIC: Credential Dumping (ID: TA0006)
MITRE Technique Modify Authentication Process (T1556)
MITRE SUB ID: Reversible Encryption (T1556.005)
When reversible encryption is enabled for a user account on the Domain Controller, the encrypted data can be reversed back to the user's password. The password stored under a reversible encryption policy is not a hash, since a function can be called to get back to the original clear-text password."

Link

TLP¹: Green
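As an added defender-side check for the setting described in the item above (this is not code from the linked article or from MITRE), the following PowerShell audits the two places where reversible encryption can be switched on: domain-wide through the Default Domain Policy or a fine-grained password policy (PSO), and per account through the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80) of userAccountControl, which is the attribute bit that AllowReversiblePasswordEncryption maps to. It assumes the RSAT ActiveDirectory module and read access to the domain; the variable name $ENCRYPTED_TEXT_PWD_ALLOWED and the output layout are choices made here.

```powershell
# Added example: audit an AD domain for reversible password encryption.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

# 1. Policy level: reversible encryption can be enabled for everyone a policy applies to.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
if ($domainPolicy.ReversibleEncryptionEnabled) {
    Write-Warning "Default Domain Password Policy stores passwords with reversible encryption"
}
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.ReversibleEncryptionEnabled } |
    ForEach-Object {
        Write-Warning ("PSO '{0}' enables reversible encryption (applies to: {1})" -f
            $_.Name, ($_.AppliesTo -join ', '))
    }

# 2. Account level: ENCRYPTED_TEXT_PWD_ALLOWED is bit 0x80 of userAccountControl.
#    The LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) selects accounts
#    that have this bit set, regardless of which other flags are present.
$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80   # name chosen for this example
$ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$ENCRYPTED_TEXT_PWD_ALLOWED)"

$flagged = Get-ADUser -LDAPFilter $ldapFilter -Properties userAccountControl, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
        @{ Name = 'UserAccountControl'; Expression = { '0x{0:X}' -f $_.userAccountControl } }

if ($flagged) {
    Write-Warning ("{0} account(s) allow reversible password encryption" -f @($flagged).Count)
    $flagged | Format-Table -AutoSize
} else {
    Write-Output "No accounts with ENCRYPTED_TEXT_PWD_ALLOWED set"
}
```

Two caveats matter when acting on the output. A reversibly encrypted copy of the password is only written when the password is set or changed while the flag is in effect, so PasswordLastSet tells you whether a flagged account has actually had a clear-text-recoverable password stored; conversely, clearing the flag does not remove a copy that was already stored, so a password reset after remediation is needed to get rid of it. For ongoing detection, changes to userAccountControl on a user object are recorded in the security log as Event ID 4738 ("A user account was changed"), which lets you alert when the flag is turned on outside of an approved change.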

  • New ‘Shampoo’ Chromeloader malware pushed via fake warez sites

"A new ChromeLoader campaign is underway, infecting visitors of warez and pirated movie sites with a new variant of the search hijacker and adware browser extension named Shampoo.
This discovery of the new campaign comes from HP's threat research team (Wolf Security), who report that the operation has been underway since March 2023."

Link

TLP¹: Green

  • On the Need for an AI Public Option

"Artificial intelligence will bring great benefits to all of humanity. But do we really want to entrust this revolutionary technology solely to a small group of US tech companies?
Silicon Valley has produced no small number of moral disappointments. Google retired its “don’t be evil” pledge before firing its star ethicist. Self-proclaimed “free speech absolutist” Elon Musk bought Twitter in order to censor political speech, retaliate against journalists, and ease access to the platform for Russian and Chinese propagandists. Facebook lied about how it enabled Russian interference in the 2016 US presidential election and paid a public relations firm to blame Google and George Soros instead."

Link

TLP¹: Green

  • Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies

"In late January 2022, several reports on social media indicated that a new Microsoft Windows privilege escalation vulnerability (CVE-2022-21882) was being exploited in the wild. These reports prompted us to do an analysis of CVE-2022-21882, which turned out to be a vulnerability in the Win32k.sys user-mode callback function xxxClientAllocWindowClassExtraBytes.
In 2021, a very similar vulnerability (CVE-2021-1732) was reported to – and patched by – Microsoft. We decided to take a closer look at both vulnerabilities to better understand the code involved in each. In our initial analysis we wanted to determine why the patch for CVE-2021-1732 was not sufficient to prevent CVE-2022-21882.
This is part one of a series that will cover Win32k internals and exploitation in general using these two vulnerabilities and their related proof-of-concept (PoC) exploits as examples."

Link

TLP¹: Green

  • Chinese hackers use DNS-over-HTTPS for Linux malware communication

"The Chinese threat group 'ChamelGang' infects Linux devices with a previously unknown implant named 'ChamelDoH,' allowing DNS-over-HTTPS communications with attackers' servers.
The particular threat actor was first documented back in September 2021 by Positive Technologies; however, the researchers only focused on the Windows toolkit.
A report published yesterday by Stairwell and shared with BleepingComputer describes a new Linux implant written in C++ that expands the threat actor's intrusion arsenal and, by extension, the attackers' indicators of compromise.
The link between ChamelGang and the new Linux malware is based on a domain previously associated with the threat actor and a custom privilege elevation tool observed by Positive Technologies in past ChamelGang campaigns."

Link

TLP¹: Green

¹ Traffic Light Protocol (TLP) [1] for information sharing:

  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.

[1] https://www.first.org/tlp