Cybersecurity news
- A new attack method named COVID-bit uses electromagnetic waves to transmit data from air-gapped systems, which are isolated from the internet, over a distance of at least two meters, where it’s captured by a receiver. The information emanating from the isolated device could be picked up by a nearby smartphone or laptop, even if a wall separates the two.
- A security researcher has found a way to exploit the data deletion capabilities of widely used endpoint detection and response and antivirus software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG to turn them into data wipers.
- MuddyWater hackers, a group associated with Iran’s Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets.
- The Iranian Agrius APT hacking group is using a new ‘Fantasy’ data wiper in supply-chain attacks impacting organizations in Israel, Hong Kong, and South Africa. The campaign started in February and unfolded at full scale in March 2022, breaching an IT support services firm, a diamond wholesaler, a jeweler, and an HR consulting company.
- The Swiss government has asked Parliament to amend the Information Security Act to make it mandatory for critical infrastructure providers to report cyber-attacks to the National Cyber Security Centre. The move would be aimed at shedding light on hackers and sounding the alarm more widely on cyber-threats in the country.
- A new malware, CryWiper, has appeared. The malicious program acts exactly like crypto-ransomware – overwriting and renaming files, then dropping a text file with a ransom note and a Bitcoin address for payment – but instead of encrypting, it deletes the contents of a victim’s files.
- The maintainers of the FreeBSD operating system released updates to address a critical flaw, tracked as CVE-2022-23093, in the ping module that could be potentially exploited to gain remote code execution.
Cybersecurity Blog Posts
- Equinix security researcher William Thomas has written an article on how Infostealer infrastructure can be detected using IoT search engines to fingerprint their control panels.
- Ramil Khantimirov, CEO and co-founder of StormWall, shared his opinion on global trends affecting DDoS attacks, the motives of modern hackers and the main threats associated with DDoS attacks.
- Robin Brattel, CEO of Lab 1, shared his experience on how to find hidden data leaks and identify threats in the supply chain. The article explains how breaches can remain hidden, whether supplier relationships increase risk, and how to assess the impact on the entire supply chain.
- Researchers from Legit Security have issued an advisory about a vulnerability found in the GitHub software development environment. They discovered that changes an attacker submits to an open source repository on GitHub could lead to downstream software projects compiling updates that contain malicious code.
Research and analytics
- MIT Technology Review Insights released The Cyber Defense Index 2022/23. The Cyber Defense Index is a ranking of 20 of the world’s major economies according to their collective cybersecurity assets, organizational capabilities, and policy stances. Topping the list for the year are Australia, the Netherlands, and South Korea.
- Google Cloud said that half of the 500 companies it surveyed in a report released last week have experienced at least one API security incident over the past 12 months. Furthermore, the same survey identifies misconfigurations as the main threat to API infrastructure.
- According to NordPass’ latest list of the top 200 most common passwords in 2022, “password” is the most popular choice, followed by “123456”, “123456789”, “guest” and “qwerty”. The entire list of the top 200 most common passwords in 2022 can be viewed here, and the passwords have also been categorized by country to show more localized choices.
- Elastic released the 2022 Elastic Global Threat Report, detailing the evolving nature of cybersecurity threats, as well as the increased sophistication of cloud and endpoint-related attacks. 33% of attacks in the cloud leverage credential access, indicating that users often overestimate the security of their cloud environments and consequently fail to configure and protect them adequately.
- BlueFort Security has announced the results of its 2022 CISO survey, which revealed that while CISOs are still experiencing challenges around visibility, intelligence and control, 47% are proactively focused on digital transformation and cloud migration.
- Check Point Research (CPR) has analyzed files for sale on the Dark Web that their sellers claim come from WhatsApp users, revealing that the leak includes 360 million phone numbers from 108 countries.
- With more and more data breaches affecting businesses around the globe, the Singapore Computer Emergency Response Team (SingCERT) has released a report documenting important findings from this trend. The report highlights the most common causes of data breaches, how to prevent them and includes a list of major data breaches from the past decade, including Sony Pictures in 2014, Yahoo in 2016 and this year’s Optus breach.
- Georgia State University research shows that, like most legal commodities, stolen data products flow through a supply chain consisting of producers, wholesalers and consumers. But this supply chain involves the interconnection of multiple criminal organizations operating in illicit underground marketplaces. Data from 30 dark web underground markets over a period of eight months suggests that cybercrime groups made roughly $140 million from the sale of stolen data.
Major Cyber Incidents
- Indian cybersecurity firm CloudSEK says a threat actor gained access to its Confluence server using stolen credentials for one of its employees’ Jira accounts. While some internal information, including screenshots of product dashboards and three customers’ names and purchase orders, was exfiltrated from its Confluence wiki, CloudSEK says the attackers didn’t compromise its databases.
- CommonSpirit Health has confirmed that threat actors accessed the personal data of 623,774 patients during an October ransomware attack. This figure was published on the U.S. Department of Health breach portal, where healthcare organizations are legally obligated to report data breaches impacting over 500 individuals.
- A previously unknown investment scam group named ‘CryptosLabs’ has stolen up to $505 million from victims in France, Belgium, and Luxembourg, since the launch of its operation in 2018. The crime group uses its own scam kit to set up websites that impersonate over 40 well-known European companies engaged in fin-tech, cryptocurrency and NFT investments, asset management, and banking services.
- The city of Antwerp, Belgium, is working to restore its digital services that were disrupted by a cyberattack on its digital provider. The disruption has affected services used by citizens, schools, daycare centers, and the police, which have been working intermittently.
- Medibank confirmed that the threat actors behind the devastating cyber attack have posted another dump of data stolen from its systems on the dark web after its refusal to pay a ransom.
- LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022. The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service.