18/04/2023

Cybersecurity news
- The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks. Vice Society’s new data exfiltrator is fully automated and uses “living off the land” binaries and scripts that are unlikely to trigger alarms from security software, keeping their activities stealthy before the final step of the ransomware attack, the encrypting of data.
- Windows 11 is getting a new privacy setting that allows users to control whether applications can detect when they are actively interacting with the device. The new privacy setting is called ‘Presence sensing’ and allows you to configure whether applications can use APIs to determine if a user is active or inactive in Windows.
- SAP fixed two critical bugs that affect the Diagnostics Agent and the Business Objects Business Intelligence Platform. SAP security updates include a total of 24 notes, 19 of which are new vulnerabilities.
- Researchers said the spyware, which is made by an Israeli company called QuaDream, infected some victims’ phones by sending an iCloud calendar invitation to mobile users from operators of the spyware. Victims were not notified of the calendar invitations because they were sent for events logged in the past, making them invisible to the targets of the hacking.
- Home Security Heroes recently published a study that delves into the world of AI-powered password cracking, focusing on a tool called PassGAN. The researchers employed PassGAN to analyze a list of over 15 million passwords, revealing some startling findings.
- Google announced a new account deletion policy for Android apps, which means that apps that offer account creation must also have an easy way to delete the account. Google also mentioned that, with this new policy, the company will tweak the Data Safety section on the Play Store to better reflect the data controls available to users.
- Chromium-based web browsers are the target of a new malware called Rilide. The malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities.
- A new ransomware nicknamed “Rorschach” has been detected and is noted for being fast and evasive. Rorschach combines tactics from multiple well-known attacks plus new unique features for maximum damage and evasion from cybersecurity solutions.
Cybersecurity Blog Posts
- Tristan Gilmour, Incident Response Manager at Easygo, has prepared a brief excursion into the history of Windows vulnerabilities. The article describes the principles of attacks such as “buffer overflow”, “Ping of Death”, Trojan “Back Orifice”, as well as measures taken by Windows to improve the security of operating systems.
- Todd Shell, Senior Product Manager at Ivanti, published his forecast for the release of security “patches” for April 2023. Security updates are expected for the operating systems and browsers of Microsoft, Google and others.
- Samuel Brown, Solutions Marketing Manager at Ping Identity, explained how the “password-free” authentication approach can strengthen the information security of an organization, as well as what obstacles arise when implementing password-free authentication solutions. In conclusion, the author describes the main functionality of such solutions.
- Ariel Brukman, Senior Security Researcher at Microsoft Defender for Cloud, discusses the threats faced in DevOps environments and introduces the team's new threat matrix for DevOps. Using this matrix, experts show the different techniques an adversary might use to attack an organization, from the initial access phase onward.
Research and analytics
- Trend Micro research paper titled Inside the Halls of a Cybercrime Business closely examines small, medium, and large criminal groups based on cases from law enforcement arrests and insider information.
- Sysdig published a report describing how cybercriminals are exploiting the Log4j vulnerability to gain access to IP addresses, which are then sold on to entities that resell them. Dubbed proxyjacking, the attacks enable cybercriminals to resell bandwidth to providers of proxyware services that allow someone to hide their physical location.
- Cyberint published Ransomware Trends 2023, Q1 Report. With 831 victims, Q1 2023’s victim count was much higher than the first quarter of 2022, with just 763 victims. Unsurprisingly, LockBit3.0 remained the number one group claiming an average of around 23 victims per week and almost 33% of all ransomware cases this quarter.
- A new report by cybersecurity firm WithSecure, based on a survey of more than 400 global cybersecurity and IT decision-makers conducted by Forrester Consulting, suggests that many organizations are reactive in their approach to defending against threats, and piecemeal when it comes to cybersecurity investments. As a result, security goals become detached from business goals, resulting in organizations investing in defenses against threats that aren’t relevant to their business or goals.
- While transparency and prompt reporting are important steps following an attack, Bitdefender found that many IT professionals were told to maintain confidentiality after a breach. More than 42% of the total IT/security professionals surveyed said they have been told to keep a breach confidential when they knew it should be reported and 30% said they have kept a breach confidential.
- Despite the decline in network-detected malware in Q4 2022, endpoint ransomware spiked by 627%, while malware associated with phishing campaigns persisted as a threat, according to WatchGuard.
- UK non-profit RUSI has published a report on how the cyber insurance industry could play a role in slowing down the current ransomware and data extortion ecosystem.
- Threat intel outfit published a report with the current main dark web marketplaces, one year after law enforcement took down Hydra. The big five are now Mega, Black sprint, Solaris, Kraken, and OMG!OMG! Market.
- Resecurity researchers in the new report focus on the relatively new STYX darknet platform, which implements financial fraud services. STYX opened on January 19 and implements an escrow system to mediate transactions between buyers and sellers.
Major Cyber Incidents
- Hyundai has disclosed a data breach impacting Italian and French car owners and those who booked a test drive, warning that hackers gained access to personal data. The incident has exposed the following types of data: e-mail addresses, physical addresses, telephone numbers, and vehicle chassis numbers.
- A cyber attack hit several water controllers of irrigation and wastewater treatment systems in the Upper Galilee. The water controllers of scooters for irrigating fields in the Hula Valley were damaged, as well as the control systems of the Galil Sewage Corporation.
- Taiwanese PC company MSI officially confirmed it was the victim of a cyber attack on its systems. The company said it “promptly” initiated incident response and recovery measures after detecting “network anomalies.”
- Samsung employees are in hot water after they reportedly leaked sensitive confidential company information to OpenAI’s ChatGPT on at least three separate occasions. The leaks highlight both the widespread popularity of the new AI chatbot among professionals and the often-overlooked ability of OpenAI to absorb sensitive data from its millions of willing users.
- A group of hackers calling themselves “Anonymous Sudan” attacked the websites of several Israeli media, including that of i24NEWS, which was out of service for nearly two hours. Other media outlets that were targeted included the Kan Public Broadcaster, The Jerusalem Post and Channel 12. This cyberattack comes less than a day after the same hacker group targeted several major universities across the country.
- eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware. Security researchers state the malicious JavaScript file existed on eFile.com website for weeks.
- Data storage giant Western Digital has confirmed that hackers exfiltrated data from its systems during a “network security incident”. An unauthorized third party gained access to “a number” of its internal systems. The company hasn’t confirmed the nature of the incident or revealed how it was compromised, but its statement suggests the incident may be linked to ransomware.
- Capita has acknowledged a cyberattack. Many clients across the UK, including government organizations, experienced disruption due to the incident, which cut off access to internal Microsoft Office 365 apps at the IT services and consultancy firm. In a statement sent to shareholders, Capita stated that the hack did not compromise data.