- The financially motivated FIN7 cybercrime gang has masqueraded as yet another fictitious cybersecurity company called “Bastion Secure” to recruit unwitting software engineers under the guise of penetration testing in a likely lead-up to a ransomware scheme.
- Avast expert reported 80 apps belonging to a premium SMS scam campaign, which signs victims up for expensive premium SMS services. The apps that he discovered are part of the UltimaSMS campaign, consisting of 151 apps that at one point or another had been available for download on the Google Play Store.
- A critical vulnerability that exists in the WinRAR file archiver has been detected recently by the security expert of Positive Technologies, Igor Sak-Sakovskiy. And this security flaw enables the hackers to execute arbitrary code on Windows systems.
- Discourse team has released an urgent patch to fix a critical vulnerability. The vulnerability allows remote code execution using a specially crafted request. The vulnerability (CVE-2021-41163) is a validation error in the aws-sdk-sns gem upstream stream that can be exploited to remotely execute code using a specially crafted request.
- Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials. PowerShell is a cross-platform solution that provides a command-line shell, a framework, and a scripting language focused on automation for processing PowerShell cmdlets.
- The Hive ransomware gang now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms. However, as Slovak internet security firm ESET discovered, Hive’s new encryptors are still in development and still lack functionality.
Cybersecurity Blog Posts
- According to Proofpoint researchers, TA551 (aka Shathak) has been mounting cyberattacks that start with email thread hijacking – an increasingly popular tactic in which adversaries insert themselves into existing email conversations.
- Cybercriminals are investing in deepfake technology to make social engineering and authentication bypass campaigns more effective. Michael Hill listed strategies for defending against the most notable deepfake cyberthreats.
- Amy L. Robertson from MITRE revealed all the updates and features in ATT&CK v10. The v10 release includes the next episode in data sources saga, as well as new content and usual enhancements to (sub-)Techniques, Groups, and Software across Enterprise, Mobile and ICS.
- Where trust hides when you are using a SIEM-like tool, especially the cloud-based one? Anton Chuvakin explored the issue of trust as it applies to SIEM.
Research and analytics
- The October 2021 v10 ATT&CK release updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest change is the addition of a new set of Data Source and Data Component objects in Enterprise ATT&CK, complementing the ATT&CK Data Source name changes released in ATT&CK v9.
- Check Point Research issues Q3 Brand Phishing Report, highlighting the leading brands that hackers imitated in attempts to lure people into giving up personal data. 29% of all brand phishing attempts were related to Microsoft, down from 45% in Q2 2021. Amazon has replaced DHL in second position, accounting for 13% of all phishing attempts versus 11% in the previous quarter.
- Financial Crimes Enforcement Network (FinCEN) published Financial Trend Analysis focused on ransomware trends in bank secrecy act data between January 2021 and June 2021. The total value of suspicious activity reported in ransomware-related Suspicious Activity Reports during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million).
- Cybersecurity and Infrastructure Security Agency (CISA) released Ongoing Cyber Threats to U.S. Water and Wastewater Systems and provided recommended mitigation measures.
- CISA/FBI/NSA issued an alert providing information to critical infrastructure entities on BlackMatter ransomware. According to the Alert, BlackMatter ransomware has been targeting critical infrastructure entities since July of 2021, including two U.S. Food and Agriculture Sector organizations.
- Gartner Survey of Over 2,000 CIOs reveals the need for enterprises to embrace business composability in 2022. Cyber and information security is at the top of the list of planned investments for 2022, with 66% of all respondents expecting to increase associated investments in the next year. This is followed by business intelligence/data analytics (51%) and cloud platforms (48%).
- According to Palo Alto Networks IoT Security Report 2021 by, 78% of IT decision-makers who have IoT devices connected to their organization’s network reported an increase in non-business IoT devices on corporate networks in the last year. Smart lightbulbs, heart rate monitors, connected gym equipment, coffee machines, game consoles, and even pet feeders are among the list of the strangest devices identified on such networks in this year’s study.
- The Secureworks® Counter Threat Unit™ (CTU) research team analyzes security threats and helps organizations protect their systems. During July and August 2021, CTU™ researchers observed notable developments in threat behaviors, the global threat landscape, and security trends, and identified lessons to consider.
- In the latest Fact or Fiction Survey, Webroot experts asked IT pros and consumers in the US, UK, Australia/New Zealand, and Japan how much they know about AI, ML, and the roles they play in cybersecurity and business continuity. According to the report, 93% of enterprises use AI/ML-enabled security, yet 55% aren’t sure what that means.
- Jfrog specialists presented in their blogpost results from a large-scale unauthenticated scraping of publicly available and non-secured Prometheus endpoints, which contain many types of sensitive data that were exposed, often without the developer’s knowledge. They also demonstrated how developers and other users can deploy Prometheus in a more secure manner.
- CyberArk researcher demonstrated how easily and with little equipment unsecure WiFi passwords can be cracked, thus hacking the WiFi network. He gathered 5,000 WiFi network hashes as the study group by strolling the streets in Tel Aviv with WiFi sniffing equipment. At the end of the research, he was able to break more than 70% of the sniffed WiFi networks passwords with relative ease.
Major Cyber Incidents
- A hacker appears to have compromised a section of former President Donald Trump’s website and replaced it with a slogan and a speech from Turkish President Recep Tayyip Erdogan. Visitors to a subdomain of Trump’s website were greeted Monday with a message from someone claiming to be a Turkish hacktivist.
- Rampant hacker group REvil—known for using ransomware to extort companies for millions and selling data on the dark web when it doesn’t get its way—has gone silent after finally receiving some penance. According to reports (via Tech Crunch), the group’s Tor payment portal and data leak blog have been hijacked, leaving the group crippled and platformless.
- A hacker has breached the Argentinian government’s IT network and stolen ID card details for the country’s entire population, data that is now being sold in private circles. The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as National Registry of Persons.
- Acer has suffered a second cyberattack in just a week by the same hacking group that says other regions are vulnerable. Last week, threat actors known as ‘Desorden’ emailed journalists to say they hacked Acer India’s servers and stole data, including customer information.
- Tesco has been hit by hackers, leaving thousands of frustrated shoppers unable to buy groceries online at Britain’s biggest supermarket. The outage leaves its grocery website and app were down for several days, with people unable to book deliveries or amend existing orders.
- Japanese tech giant Olympus fell victim to ransomware for the second time in two months. This time, the attack was carried out by the cybercriminal group Evil Corp, against which the US government has imposed sanctions. The malware encrypted company systems in the United States, Canada and South America.
- At least eight email service providers have been hit by large distributed denial of service (DDoS) attacks over the weekend resulting in prolonged outages. Victims were targeted with a DDoS attack, and an email was later sent to the organizations, asking for a 0.06 BTC (~$4,000) ransom demand. Companies were given three days to pay, with the attackers threatening to take their networks offline if they didn’t pay.