Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
The latest in cybersecurity: Anatsa Malware, JokerSpy, BIND, VANGUARD PANDA, Mario Bros, American Airlines, MOVEit, Blizzard, Petro-Canada, Meta, Monopoly Dark Market, Google Bug Bounty.
A new mobile malware campaign dubbed Anatsa has been targeting online banking customers in multiple countries, including the U.S., the U.K., Germany, Austria, and Switzerland, since March 2023. The attackers are distributing the Android banking trojan via the official Google Play Store, with over 30,000 installations reported so far. The malicious apps, posing as legitimate PDF viewer and editor apps and office suites, were submitted to the Play Store in clean form and later updated with malicious code to evade detection.
Earlier this month, an unknown cryptocurrency exchange in Japan fell victim to a targeted attack deploying JokerSpy, a sophisticated Apple macOS backdoor. Elastic Security Labs, tracking the intrusion under the name REF9134, discovered the installation of Swiftbelt, a Swift-based enumeration tool inspired by SeatBelt. The threat actor behind the attack remains largely unidentified, utilizing Python and Swift programs to gather data and execute arbitrary commands on compromised hosts, including bypassing TCC permissions and leveraging disguised software development applications for initial access.
The Internet Systems Consortium (ISC) has released security updates to address three high-severity denial-of-service (DoS) vulnerabilities in the DNS software suite BIND. The vulnerabilities, identified as CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, can be exploited remotely and may lead to memory saturation or crashes of the BIND daemon ‘named’. ISC recommends updating to BIND versions 9.16.42, 9.18.16, or 9.19.14 to mitigate these vulnerabilities.
CrowdStrike researchers have discovered the China-linked APT group VANGUARD PANDA, also known as Volt Typhoon, using new tradecraft to gain initial access to targeted networks. The group, active since mid-2021, has targeted various sectors including communications, manufacturing, government, and education. VANGUARD PANDA gains access by exploiting ManageEngine Self-service Plus and deploying custom webshells, then evades detection through hands-on-keyboard activity and living-off-the-land techniques for lateral movement. This sophisticated attack demonstrates the group’s deep knowledge of target environments and its ability to cover its tracks while maintaining persistent access.
Researchers have discovered threat actors distributing a trojanized Super Mario Bros game installer bundled with several pieces of malware, including an XMR miner, the SupremeBot mining client, and the Umbral stealer. The attackers target gamers, whose powerful hardware is well suited to cryptocurrency mining. The tampered installer covertly installs the malicious executables, which mine cryptocurrency and capture sensitive information, causing financial losses and degraded system performance.
American Airlines and Southwest Airlines, two of the largest airlines globally, have revealed data breaches caused by a hack on third-party vendor Pilot Credentials, which manages pilot applications and recruitment portals for multiple airlines. The breach, discovered on May 3, affected the systems of the third-party vendor but did not compromise the airlines’ own networks. The unauthorized individual accessed Pilot Credentials’ systems on April 30 and stole documents containing personal information provided by pilot and cadet applicants.
The New York City Department of Education (NYC DOE) experienced a major data breach when hackers targeted its MOVEit Transfer server, compromising documents containing sensitive personal information of up to 45,000 students. The breach occurred before security updates could address the exploited vulnerability, with the Clop ransomware gang claiming responsibility. The FBI is investigating the broader breach that has impacted numerous entities, while NYC DOE is collaborating with NYC Cyber Command to address the incident and support affected individuals.
Gamers worldwide were left frustrated and disappointed as popular games from Activision Blizzard, including Diablo IV, World of Warcraft, and Call of Duty, became inaccessible due to a prolonged distributed denial-of-service (DDoS) attack. The attack, lasting over 10 hours, targeted the servers used for user authentication and game connections, rendering gameplay impossible for avid fans. While the company has mitigated the attack and restored services, the identity of the hacker group behind the incident remains unknown.
Customers at Petro-Canada gas stations across Canada are experiencing technical difficulties as a result of a cyberattack on parent company Suncor Energy. The attack has disrupted credit card and rewards point payments, impacting transactions with customers and suppliers. While Suncor Energy has taken measures to address the situation and assures no evidence of data compromise, the incident is expected to cause ongoing disruptions until resolved.
The notorious Clop ransomware group has struck again, targeting industrial powerhouses Schneider Electric and Siemens Energy. These companies, known for providing critical Industrial Control Systems (ICS) used in national infrastructures worldwide, have fallen victim to the group’s MOVEit attacks. Exploiting the recently disclosed MOVEit Transfer vulnerability CVE-2023-34362, the threat actors claim to have hacked hundreds of companies, leaving a trail of compromised organizations in their wake, including the likes of UCLA and Abbie.
Milomir Desnica, the alleged leader of the notorious Monopoly darknet market, has been extradited to the United States to face charges related to drug distribution, money laundering, and operating the illicit online marketplace. The U.S. Department of Justice revealed that Desnica, a citizen of Croatia and Serbia, had been accused of launching Monopoly in 2019 and profiting from commissions on drug sales. The joint investigation by the FBI and Germany’s Cybercrime Unit led to the identification and location of Desnica, resulting in his arrest and subsequent extradition.
Joseph James O’Connor, also known as PlugwalkJoe, has been sentenced to five years in prison for his involvement in the 2020 Twitter hack and other cybercrime offenses. The U.S. Department of Justice indicted O’Connor in November 2021 for stealing $784,000 worth of cryptocurrency through SIM swap attacks. These attacks involve tricking mobile operators into transferring victims’ phone numbers to SIM cards controlled by fraudsters, allowing them to take over accounts and steal money and personal information. O’Connor and his co-conspirators used SIM swaps to target executives of a Manhattan-based cryptocurrency company, from which they stole significant amounts of Bitcoin Cash, Litecoin, Ethereum, and Bitcoin. O’Connor also faced charges related to social media account exploitation, online extortion, cyberstalking, and swatting attacks. As part of his sentencing, he was ordered to forfeit $794,000.
Microsoft is bolstering security in Windows 11 by introducing passkeys, unique codes linked to devices, for logging into websites and apps using biometric authentication. Passkeys offer protection against phishing attacks and provide a more secure and convenient alternative to passwords. With passkeys, users can utilize personal identification numbers (PINs) or biometric authentication such as fingerprints or facial recognition, eliminating the need to remember multiple passwords and enhancing overall security and user experience.
Meta Platforms, Inc., the parent company of Instagram, is facing a lawsuit accusing them of violating federal law by allowing a hacker to maintain control over a Chicago gun violence prevention nonprofit’s Instagram account for the promotion of nonfungible tokens (NFTs). The lawsuit, filed in Illinois, claims that Meta repeatedly prevented the nonprofit, Cappin4Capo Inc., from accessing their hacked social media profile. The hacker impersonated the plaintiffs and encouraged the account’s followers to invest in NFTs, causing confusion and deception among the followers.