Cybersecurity news
- A new malware botnet was discovered targeting Realtek SDK devices, Huawei routers, and Hadoop YARN servers to recruit them into a DDoS (distributed denial of service) swarm with the potential for massive attacks.
- Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users. The service is being abused to send malicious emails that originate from the software company to bypass security protections and trick recipients into trusting the received email.
- Researchers at the School of Cyber Security at Korea University, Seoul, have presented a new covert channel attack named CASPER that can leak data from air-gapped computers to a nearby smartphone at a rate of 20 bits/sec.
- The European Central Bank will conduct cyber stress tests for top banks across the region to determine their resilience against cyberattacks. The regulator will invest a “significant amount of time and resources” in the process, which is set to be completed by mid-2024.
- An updated version of a botnet malware called Prometei has infected more than 10,000 systems worldwide since November 2022. The infections are both geographically indiscriminate and opportunistic, with a majority of the victims reported in Brazil, Indonesia, and Turkey.
- GitHub is set to require two-factor authentication (2FA) for all developers who contribute code to any project on the platform, a move designed to bolster the software supply chain.
- A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
- Emotet is back after another months-long lull: the notorious malware operation, which has already survived a law enforcement takedown and several periods of inactivity, has resumed sending malicious emails for the first time since its spate of attacks in November 2022.
Cybersecurity Blog Posts
- Illyas Kooliyankal shared an article on the effectiveness of a holistic approach to information security, in which cybersecurity solutions are integrated in line with the organization’s business processes.
- Secureworks published an article about building effective communication between the head of security and the heads of other departments. The author focuses on the need to learn more about the tasks of other managers in order to link information risks to their impact on the business.
- Billy Lynch of Chainguard published an article about a GitHub behaviour that enables “imposter commits”: a commit pushed only to a fork can be viewed under the parent repository’s URL, so a malicious commit that never landed in the parent repository can be passed off as legitimate upstream code.
- Linda Rosencrance spoke in detail about six reasons why a company’s anti-phishing strategy may not bring results. Among the reasons: the use of static rules for detecting attacks, the lack of consistency in the approach, and others.
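The practical defence against imposter commits is to never trust a commit just because it is displayed under the upstream repository’s URL, but to check that the SHA is actually reachable from a branch or tag of the upstream repository. The script below is an added example written for this digest, not code from the Chainguard article or from GitHub; it builds two throwaway local repositories (an “upstream” and a “fork” that adds one extra commit, then fetches that commit into the upstream clone as an unreferenced object, mimicking GitHub’s shared object store), and the function `commit_in_upstream` returns success only when the SHA is an ancestor of some upstream branch or tag. Repository names, paths and commit messages are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that a commit SHA really belongs to the upstream
# repository (is reachable from one of its branches or tags) instead of
# living only in a fork. Requires only git.

# Build the demo layout (constructed data, not a real project):
#   upstream/ : one commit on its default branch
#   fork/     : clone of upstream plus one "imposter" commit
# The fork's commit is then fetched into upstream's object store without any
# ref pointing at it, which is the situation GitHub's parent-repo URLs expose.
setup_demo() {
  demo_dir=$(mktemp -d)
  git init -q "$demo_dir/upstream"
  ( cd "$demo_dir/upstream" \
    && git -c user.name=demo -c user.email=demo@example.com \
         commit -q --allow-empty -m "legitimate upstream commit" )
  git clone -q "$demo_dir/upstream" "$demo_dir/fork"
  ( cd "$demo_dir/fork" \
    && git -c user.name=demo -c user.email=demo@example.com \
         commit -q --allow-empty -m "imposter commit, exists only in fork" )
  # Object present in upstream, but no branch or tag references it.
  git -C "$demo_dir/upstream" fetch -q "$demo_dir/fork" HEAD
  echo "$demo_dir"
}

# commit_in_upstream <upstream_repo_path> <sha>
# Exit 0 if <sha> is a commit that is an ancestor of any branch or tag in the
# upstream repository; exit 1 otherwise (unknown object or only dangling).
commit_in_upstream() {
  repo=$1
  sha=$2
  # Unknown object: cannot possibly be part of upstream history.
  git -C "$repo" rev-parse --verify --quiet "${sha}^{commit}" >/dev/null || return 1
  for ref in $(git -C "$repo" for-each-ref --format='%(refname)' refs/heads refs/tags); do
    if git -C "$repo" merge-base --is-ancestor "$sha" "$ref"; then
      return 0
    fi
  done
  return 1
}

# Stand-alone demonstration: prints a verdict for both commits.
demo() {
  d=$(setup_demo)
  up_sha=$(git -C "$d/upstream" rev-parse HEAD)
  fork_sha=$(git -C "$d/fork" rev-parse HEAD)
  for sha in "$up_sha" "$fork_sha"; do
    if commit_in_upstream "$d/upstream" "$sha"; then
      echo "$sha: reachable from an upstream branch/tag, OK to trust"
    else
      echo "$sha: NOT reachable from upstream refs, treat as imposter"
    fi
  done
  rm -rf "$d"
}
```

In a real pipeline, run `commit_in_upstream` against a fresh clone of the canonical repository (not against the fork) before pinning a dependency or action to a SHA you found via a parent-repository URL; a SHA that resolves but is an ancestor of no upstream ref is exactly the imposter case.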
Research and analytics
- Specops Software has announced the release of its annual Weak Password Report, which analysed over 800 million breached passwords and suggests that passwords continue to be a weak spot in an organisation’s network. The study found that 88% of passwords used in successful attacks were 12 characters or fewer, with 8 characters the most common length.
- A new report by research and advisory firm Forrester reveals that more than two-thirds of European organizations are developing a strategy to use zero trust security. The public sector is leading the way in adoption, with 79% of German organizations prioritizing the technology, and the U.K. (68%) and France (66%) not far behind.
- Wallarm released its 2022 Year-End API ThreatStats™ Report, providing in-depth analysis of published API vulnerabilities, exploits, and attack data for the year. The results illustrate that the API threat landscape is becoming more dangerous: attacks against Wallarm customers’ APIs grew by over 197% from H1 to H2 2022, and API-related CVEs grew by 78% over the same period.
- A study from Trend Micro suggests that the cyber underground “provides an open environment for individuals of any gender to find employment or a side business”. Its analysis suggested gender was not a barrier to finding work as a cybercriminal, while a text analysis suggested at least 30 percent of underground forum participants may be women.
- According to the Secureworks State of the Threat report, ransomware remained the most prevalent form of attack, and the median time between initial access and ransomware detonation dropped to 4.5 days in 2022. The accompanying infographic illustrates how time is of the essence when ransomware strikes, and the steps security teams must take to evict the threat actor while the clock ticks.
- The Office of the Director of National Intelligence (ODNI) has published its yearly threat assessment, a report that aggregates intelligence insights on the US’ main adversaries. ODNI views China as the broadest, most active, and persistent cyber espionage threat to US Government and private-sector networks.
- Sophos is tracking a new version of the PlugX USB Trojan. The researchers say the “novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to be only tenuously related to this worm.”
- Egress released its Email Security Risk Report 2023. The report uncovers findings that demonstrate the prevalence of inbound and outbound email security incidents in Microsoft 365, with 92% of organizations falling victim to successful phishing attacks in the last 12 months, while 91% of organizations admit they have experienced email data loss.
Major Cyber Incidents
- The NBA (National Basketball Association) is notifying fans of a data breach after some of their personal information, “held” by a third-party newsletter service, was stolen.
- Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data by exploiting a zero-day vulnerability in GoAnywhere MFT.
- Latitude Financial Services has disclosed a data breach after suffering a cyberattack, causing the company to shut down internal and customer-facing systems. Latitude is one of Australia’s largest personal loan providers and the country’s largest non-bank consumer credit lender.
- A ransomware gang is threatening to release SpaceX’s prized business secret: the design of its rockets. The Lockbit gang claimed it breached Maximum Industries, a fabricator of rocket parts for Elon Musk’s rocket company based in Texas, and pilfered “3,000 drawings” from the contractor, according to the gang’s website.
- Data stolen from Acronis by unknown hackers was published on a hacker forum. Among other things, the dump contains certificate files, command logs, and system configurations.
- Telecommunications giant AT&T confirmed this week that a breach exposed the sensitive information of about 9 million customers. A spokesperson told The Record that the leaked dataset was several years old and related to device upgrade eligibility.
- Black & McDonald, an engineering multinational headquartered in Canada, has been reportedly hit by a ransomware attack. The company works with the country’s military, power, and transportation infrastructure.
- The FBI is investigating a data breach affecting U.S. House of Representatives members and staff after their account and sensitive personal information was stolen from DC Health Link’s servers.