Cybersecurity Digest #58: 05/09/2022 – 16/09/2022

Cybersecurity news

• Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information and in some cases, passwords, to Google and Microsoft respectively. While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields.
• Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom. The free tool is available for download from Bitdefender’s servers and allow to recover encrypted files using instructions in usage guide.
• The NSA has published requirements for quantum-resistant (QR) algorithms to be implemented by suppliers and operators of national security systems to process classified or important information for military and intelligence operations.
• An international law enforcement operation has resulted in the dismantling of WT1SHOP, an online criminal marketplace that specialized in the sales of stolen login credentials and other personal information. The website peddled over 5.85 million records of personally identifying information, including approximately 25,000 scanned driver’s licenses/passports, 1.7 million login credentials for various online shops, 108,000 bank accounts, 21,800 credit cards.
• PQShield published a white paper that lays out the quantum threat to secure end-to-end messaging and explains how post-quantum cryptography (PQC) can be added to the Signal secure messaging protocol to protect it from quantum attacks.
• A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads. The findings add to a growing list of Linux malware that has been found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.
• QNAP warns customers of an ongoing wave of DeadBolt ransomware attacks, threat actors are exploiting a zero-day vulnerability in Photo Station. Meantime the Taiwanese vendor has addressed the vulnerability.
• A reverse-proxy Phishing-as-a-Service platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication on Apple, Google, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI. The service enables low-skill threat actors who don’t know how to set up reverse proxies to steal online accounts that are otherwise well-protected.

Cybersecurity Blog Posts

• As speed of business increases, more and more organizations are looking to either buy companies or outsource more services to gain market advantage. With organizations expanding their vendor base, there is a critical need for holistic third-party risk management and comprehensive cybersecurity measures to assess how much risk vendors pose. Todd Boehler, Senior VP of Strategy at ProcessUnity, told about this in his article.
• Michael Hill, UK Editor at CSO has shared his vision of the current threats posed by embedded browsers for business security. He considers their tendency to track user actions, including input forms such as passwords and addresses, as well as clicks on images or links, to be the main threat.
• The Executive Director of Cyolo, Almog Apirion, spoke about the need to implement access systems based on identification data in critical information infrastructure facilities. The article also provides practical advice on the implementation of such solutions.
• Help Net Security has published a list of free online courses on information security from leading US universities. Courses specialize in specific subject areas: Security Management and Compliance, Management and Security of Windows servers, Cryptography and others.

Research and analytics

• According to Sophos the State of Ransomware in Retail 2022 report, retail reported a 75% increase in the rate of ransomware attacks over the last year: 77% of organizations were hit in 2021, up from 44% in 2020. The increased attack rate is part of a cross-sector, global trend. The retail sector reported the second-highest rate of ransomware attacks across all sectors.
• Security firm Cybereason has published a report on the evolution of the PlugX malware family over the past decade. First spotted in 2012, the malware was initially used by Chinese APT groups before spreading to a broader audience across the years. Currently, the malware can function as a loader and remote access trojan.
• Mandiant has published a report on cyber-espionage group APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). The full published report covers APT42’s recent and historical activity dating back to at least 2015, the group’s tactics, techniques, and procedures, targeting patterns and elucidates historical connections to APT35.
• The Paysafe research revealed that 62% of people are so concerned about fraud they feel it is simply an inevitable risk of online shopping, a major jump from the 45% who said the same in 2021. These fears have caused 58% to not feel comfortable entering their financial data online to pay for goods and services, another jump over the 44% who felt this way in 2021.
• SentinelOne researchers said that several ransomware gangs had adopted intermittent encryption, or partial encryption of victims’ files, as a technical way to speed up encryption operations and possibly evade detection by security tools. Among those who have are Qyick, Agenda, BlackCak/ALPHV, Black Basta, and PLAY.
• Kroll, the leading independent provider of global risk and financial advisory solutions, today announced its report Cyber Risk and CFOs: Over-Confidence is Costly which found chief financial officers (CFOs) to be woefully in the dark regarding cyber security, despite confidence in their company’s ability to respond to an incident.
• Barracuda released its fourth-annual threat research report on ransomware. The new report looks at ransomware attack patterns that occurred between August 2021 and July 2022. The volume of ransomware threats detected spiked between January and June of this year to more than 1.2 million per month.
• Certfa researchers have published a review of Charming Kitten APT operations, focusing on the group’s social engineering tactics, and especially on their recent modus operandi that revolves around impersonating experts in Middle East topics to set up audio or video calls with their targets, hoping to lure them on malicious sites or malware downloads.

Major Cyber Incidents

• Grand Theft Auto 6 gameplay videos and source code have been leaked after a hacker allegedly breached Rockstar Game’s Slack server and Confluence wiki. The videos and source code were first leaked on GTAForums, where a threat actor named ‘teapotuberhacker’ shared a link to a RAR archive containing 90 stolen videos.
• Outdoor apparel brand ‘The North Face’ was targeted in a large-scale credential stuffing attack that has resulted in the hacking of 194,905 accounts on the thenorthface.com website. A credential stuffing attack is when threat actors use email addresses/usernames and password combinations obtained from data breaches to attempt to hack into user accounts on other websites.
• The Singapore division of Starbucks, the popular American coffeehouse chain, has admitted that it suffered a data breach incident impacting over 219,000 of its customers. The first clue that they were breached came, when a threat actor offered to sell a database containing sensitive details of 219,675 Starbucks customers on a popular hacking forum.
• Uber discovered its computer network had been breached, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack. The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers.
• The country’s central military unit EMGFA was targeted in a cyberattack. The attack resulted in the exfiltration of hundreds of confidential NATO documents sent to Portugal. Reportedly it was a prolonged and unprecedented cyberattack. The stolen files are currently up for sale on the Dark Web.
• Electronics giant Samsung US announced that the personal information of some customers was compromised in a July data breach. As part of the incident, which was identified roughly a month ago, an unauthorized third party gained access to some of Samsung’s US systems and exfiltrated information stored on them.