Cybersecurity news
- The Python Package Index (PyPI) has announced that it will require every account that manages a project on the platform to have two-factor authentication (2FA) turned on by the end of the year.
- A new ‘File Archivers in the Browser’ phishing kit abuses ZIP domains by displaying fake WinRAR or Windows File Explorer windows in the browser to convince users to launch malicious files.
- A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed a novel attack called “Hot Pixels,” which can retrieve pixels from the content displayed in the target’s browser and infer the navigation history.
- The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.
- The iRecorder app for Android is infected with the AhRat Trojan. The application can not only steal existing recordings but also capture audio from the device’s microphone without the user’s knowledge and upload it to the attacker’s server.
- Researchers at Tencent Labs and Zhejiang University have presented a new attack called ‘BrutePrint,’ which brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device. Brute-force attacks rely on many trial-and-error attempts to crack a code, key, or password and gain unauthorized access to accounts, systems, or networks.
Cybersecurity Blog Posts
- Nik Hewitt highlighted the main aspects of detecting and preventing lateral movement, the set of techniques attackers use to move through a network in search of targeted data or system vulnerabilities. The author also stressed the importance of treating any lateral movement as untrusted rather than assuming it is benign.
- Javvad Malik argues in his article that companies should not rush to invest large sums in the latest technologies on the market, since social engineering remains the preferred entry route for ransomware. The main problem to solve is the psychological behavior of employees.
- Paul Trulove has identified 7 access control issues during mergers and acquisitions. Identity and access management is crucial for business continuity and security even during unexpected business shocks. Organizations should use a combination of methods to provide multi-level protection against unauthorized access.
- An Elastic expert has published a PoC for PPLFault and GoldFault, two new attacks exploiting weaknesses in Windows Protected Process Light (PPL). The PPL mechanism protects antivirus software and critical Windows services from unauthorized access. This status is enforced by Windows Code Integrity, which ensures that PPL processes run only code carrying special signatures.
Research and analytics
- Proofpoint has published the 2023 edition of Voice of the CISO, a yearly report featuring insights and experiences from more than 1,600 CISOs from around the world. The report covers recent threat actor trends, insights into better defenses, and the latest dynamics in board-CISO relations.
- PowerSploit has been the most popular post-exploitation framework among threat actors over the last six months, according to Sophos. Meterpreter and Empire were runners-up in the second and third spots, while Cobalt Strike and Brute Ratel detections were low, suggesting they are primarily the go-to tools for targeted intrusions where stealth is crucial.
- Snyk published the Top 10 most common code vulnerabilities it found across the JavaScript, Java, Python, Go, PHP, Ruby, and C# ecosystems last year. We won’t list the entire Top 10 here, but #1 went to Directory Traversal.
- As part of Mental Health Awareness Week, Virtually Informed has published a report on the current state of mental health in the cybersecurity industry.
- McAfee revealed findings from the new “Safer Summer Holidays” Travel Report. The research reveals 30% of adults have fallen victim or know someone who has fallen victim to an online scam while trying to save money when booking travel. 34% of those who had money stolen have lost over $1,000 before their trip has even begun, while 66% lost up to $1,000.
- The Identity Theft Resource Center (ITRC) has documented incidents of identity theft reported during 2022 and the first quarter of 2023, highlighting the strategies criminals use to convince people to willingly share protected information. 55% (8,199) of cases were related to compromised credentials, 40% (5,961) of reported cases were due to misuse of credentials, and 1% (220) of cases involved victims being notified about attempted but unsuccessful misuse of their credentials.
- Thirty-five million business email compromise (BEC) attempts were detected in the last year, according to the latest Microsoft Cyber Signals report. Microsoft detected and investigated these 35 million BEC attempts at an average rate of 156,000 per day, and the DCU (Microsoft’s Digital Crimes Unit) directed 417,678 takedowns of unique phishing URLs between May 2022 and April 2023.
- Navex introduced its 2023 Risk & Compliance Hotline & Incident Management Benchmark Report. Reporting data shows an increase in the prominence of workplace behavior-type issues, growing caution among reporters, and more. People still want to talk to a person when they have a concern, but they are more likely to see a substantiated outcome when they write the concern down and submit it via the web.
- The DFIR Report team has published a deep dive into infection chains that use the IcedID malware to deploy the Nokoyawa ransomware.
Major Cyber Incidents
- The city of Augusta in Georgia, U.S., has confirmed that its most recent IT system outage was caused by unauthorized access to its network. The administration has not disclosed the nature of the cyberattack, but the BlackByte ransomware gang has listed the City of Augusta as one of its victims.
- Emby says it remotely shut down an undisclosed number of user-hosted media server instances that were recently hacked by exploiting a previously known vulnerability and an insecure admin account configuration.
- Tesla has failed to adequately protect the data of customers, employees and business partners and has received thousands of customer complaints regarding the carmaker’s driver assistance system, Germany’s Handelsblatt has reported, citing 100 gigabytes of confidential data leaked by a whistleblower.
- German automotive and arms manufacturer Rheinmetall AG has confirmed that it suffered a BlackBasta ransomware attack that impacted its civilian business. BlackBasta posted Rheinmetall on its extortion site along with samples of the data the hackers claimed to have stolen from the German company.
- Pharmacy services provider PharMerica has disclosed a massive data breach impacting over 5.8 million patients. Hackers breached PharMerica’s system, stealing the full names, addresses, dates of birth, social security numbers (SSNs), medications, and health insurance information of 5,815,591 people.
- Discord is notifying users of a data breach that occurred after the account of a third-party support agent was compromised. The security breach exposed the agent’s support ticket queue, which contained user email addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets.