Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
The latest in cybersecurity: Mockingjay, npm Campaign, 8Base Ransomware, Gentoo Soko, UCLA, Siemens Energy, LetMeSpy, Fort Worth, Microsoft, EncroChat, Socure, Europol.
Researchers at Censys have identified hundreds of devices within federal networks with exposed management interfaces, posing significant security risks. In their analysis of more than 50 Federal Civilian Executive Branch organizations, they discovered over 13,000 hosts across 100 autonomous systems, with approximately 1,300 accessible online. These findings highlight non-compliance with the BOD 23-02 directive, issued by US CISA to address the risks associated with insecure management interfaces.
A new process injection technique called ‘Mockingjay’ has been discovered by Security Joes, allowing threat actors to execute malicious code undetected by EDR and other security products. Unlike traditional injection methods, Mockingjay utilizes legitimate DLLs with RWX sections, evading EDR hooks and enabling the injection of code into remote processes. By leveraging existing RWX sections and avoiding commonly monitored Windows API calls, Mockingjay presents a significant challenge for security tools, highlighting the need for a comprehensive security approach beyond relying solely on EDR solutions.
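The detection point in the Mockingjay write-up is that the injection target is a legitimate DLL whose image already carries a section mapped readable, writable and executable, so no memory-protection change has to be requested at runtime. The following Python script, added here as an illustration and not code from Security Joes or the original report, inventories PE files for exactly that condition by parsing the COFF and section headers directly (no third-party PE library). The DLL names singled out in the research are not given on this page, so the scanner takes any path; the `build_test_image` helper constructs a synthetic PE header for a self-contained demonstration and is not a real binary.

```python
"""Inventory PE images whose section headers request RWX memory (defender-side triage)."""
import struct
import sys
from pathlib import Path

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def pe_sections(data: bytes):
    """Yield (name, virtual_size, characteristics) for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                       # COFF file header follows the signature
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    first = coff + 20 + opt_size              # section table follows the optional header
    for i in range(num_sections):
        off = first + i * 40                  # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, = struct.unpack_from("<I", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        yield name, vsize, chars


def rwx_sections(data: bytes):
    """Return [(name, virtual_size)] for sections whose flags request read+write+execute."""
    return [(n, s) for n, s, c in pe_sections(data) if (c & RWX) == RWX]


def scan_tree(root: str):
    """Walk a directory of DLL/EXE files and report the ones carrying RWX sections."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".dll", ".exe"):
            continue
        try:
            found = rwx_sections(path.read_bytes())
        except (ValueError, OSError):
            continue                          # not a PE, or unreadable: skip
        if found:
            hits[str(path)] = found
    return hits


def build_test_image(sections):
    """Constructed minimal PE header (test data only): DOS stub, signature, COFF header, section table."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=x64, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2022)
    table = b""
    for name, vsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, 0x1000, 0, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    # Usage: python rwx_scan.py C:\Windows\System32  (prints path and offending sections)
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, found)
```

This is a static inventory, not a runtime monitor: it finds images that ship with RWX sections, which is the precondition the technique relies on, but it says nothing about a process that later changes protections on an ordinary section. Pair the list with EDR telemetry on which processes load the flagged modules.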
A recent report by software supply chain security firm Phylum has shed light on an ongoing campaign within the npm ecosystem that utilizes a distinctive execution chain to deliver an unknown payload to targeted systems. The campaign involves pairs of published packages working together, fetching additional resources that are subsequently decoded and executed. The order in which these packages are installed is crucial, as the first module stores a token obtained from a remote server, while the second package passes this token to acquire a second script, resulting in the execution of a Base64-encoded string.
The 8Base ransomware, previously operating discreetly for over a year, has recently experienced a significant surge in activity during May and June 2023, according to researchers at VMware Carbon Black. Employing a combination of encryption and “name-and-shame” tactics, 8Base compels victims to pay ransoms, targeting organizations across diverse industries. With limited information available about the ransomware’s operators, its origins remain enigmatic, although striking similarities to the RansomHouse group have been identified.
Multiple SQL injection vulnerabilities have been discovered in Gentoo Soko, despite the use of protective measures like an ORM library and prepared statements. These vulnerabilities, tracked as CVE-2023-28424 with a high CVSS score of 9.1, could allow remote attackers to execute arbitrary code due to a database misconfiguration. The issues were promptly addressed within 24 hours of responsible disclosure, but they could have potentially exposed sensitive information and enabled unauthorized access to the PostgreSQL server.
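The Soko finding is a reminder that an ORM and prepared statements only protect the statements that go through them; any query text assembled from user input by string formatting (an ORM's raw-SQL escape hatch, for instance) is injectable regardless of what the rest of the code base does. The snippet below is an added illustration of that general pattern, not a reproduction of the Soko code or of CVE-2023-28424, whose exact mechanism this page does not describe. It uses Python's built-in sqlite3 module with a constructed three-row table; the package names and maintainer addresses are made up.

```python
"""Prepared statements protect only the statements that actually use them."""
import sqlite3

# Constructed sample data (not real Gentoo packages or maintainers).
SAMPLE_ROWS = [
    ("app-editors/vim", "maint-a@example.invalid"),
    ("dev-lang/python", "maint-b@example.invalid"),
    ("net-misc/curl", "maint-c@example.invalid"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (name TEXT NOT NULL, maintainer TEXT NOT NULL)")
    conn.executemany("INSERT INTO packages VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the search term is interpolated into the SQL text.

    This is what a raw-query escape hatch looks like when fed user input,
    even in a code base that otherwise uses an ORM and prepared statements.
    """
    sql = f"SELECT name FROM packages WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: the statement text is fixed and the term travels as a bound parameter."""
    sql = "SELECT name FROM packages WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"          # classic textbook probe, shown for the contrast only
    print("unsafe:", search_unsafe(db, tautology))   # every row: the WHERE clause collapsed
    print("safe:  ", search_safe(db, tautology))     # nothing: no name contains that literal
    print("safe:  ", search_safe(db, "vim"))          # the intended behaviour
```

The practical check for a code base like Soko's is mechanical: grep for every place that builds SQL with string formatting or concatenation (`fmt.Sprintf`, f-strings, `+`) and route each one through the driver's parameter binding, since the ORM's own queries were never the problem.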
A hacker has gained unauthorized access to the LetMeSpy phone monitoring app, compromising messages, call logs, and location data of thousands of Android users. The spyware, marketed for parental control and employee monitoring, is designed to remain hidden on the device, making detection and removal difficult. The leaked data, obtained by a transparency collective, reveals years of call logs and text messages from over 13,000 compromised devices.
Senior Choice, a management company for three residential facilities, has confirmed a data incident that occurred in April 2023. While internal systems used for business operations were affected, there is no evidence of impact on resident care. The ongoing investigation suggests that unauthorized actors may have accessed various types of personal information, including medical records, financial details, and identification documents. Affected individuals are encouraged to remain vigilant against identity theft and fraud, review account statements, and consider additional monitoring options.
Government officials in Fort Worth, Texas, confirm a cyber incident where a group of hackers accessed a website containing government information. The hackers, known as SiegedSec, claim to have stolen approximately 500,000 files, including work orders, employee lists, invoices, police reports, emails, internal documents, and camera footage, amounting to about 180GB of data. SiegedSec states their actions were motivated by Texas state politics, particularly their opposition to the ban on gender-affirming care. The city government confirms the attack but downplays the severity, stating that the leaked information originated from a maintenance management website and not the city’s public-facing intranet. They assert that no sensitive data related to residents, businesses, or employees has been released.
Siemens Energy, a global energy technology company, confirms a breach where data was stolen using a zero-day vulnerability in the MOVEit Transfer platform during Clop ransomware attacks. While no critical data has been leaked, Siemens Energy acknowledges the breach and takes immediate action to secure operations. The fallout of the MOVEit attacks continues, impacting various organizations and government agencies, resulting in widespread data breaches affecting millions of individuals.
Microsoft is currently investigating an ongoing issue that has disrupted access to Exchange Online mailboxes through Outlook on the web. While initially limited to the North American region, user reports suggest that users in South America are also affected. Some South American users have reported issues with the Outlook desktop application, experiencing crashes upon launching it. Microsoft has acknowledged the problem and is actively analyzing recent deployments to identify the root cause and restore normal service.
The University of California, Los Angeles (UCLA) acknowledges falling victim to the widespread MOVEit hack orchestrated by the Cl0p hackers, joining a growing list of affected corporations, governments, and institutions. Cl0p, the group behind the breach, openly boasted about stealing data not only from UCLA but also from Siemens, Abbvie Inc, and Schneider Electric. While UCLA provides limited details on the extent of the breach, they assure that their campus systems remain unaffected and affected parties have been notified.
Data protection company Patented.ai secures $4 million in funding to enhance its on-device solution, LLM Shield, aimed at preventing sensitive data leakage to large language models (LLMs). The tool scans devices, encrypts data, and filters personally identifiable information (PII) and trade secrets before interception, analysis, or storage by LLMs. The company also introduces a personal version of LLM Shield for individuals to safeguard their personal information from AI systems.
Socure, an identity verification company based in Lake Tahoe, Nevada, has purchased Berbix, a document verification startup founded by former members of Airbnb’s Trust and Safety Team, for $70 million. The acquisition will enable Socure to optimize the digital capturing and processing of driver’s licenses and passports, improving speed and accuracy. Additionally, it will allow Socure to expand its verification capabilities to include other identity documents like employer cards. Socure plans to continue exploring further acquisitions in areas such as biometric authentication and consumer verification tools to enhance its offerings in the identity and risk decision life cycle.
San Francisco-based BeeKeeperAI secures $12.1 million in Series A funding for its zero trust collaboration platform designed for AI development on sensitive data, with a focus on healthcare. The platform, called EscrowAI, enables secure integration of AI algorithms with privacy-protected data, such as healthcare information, using Microsoft Azure confidential computing. The funding, led by Sante Ventures and supported by other notable investors, will be utilized to enhance the platform and expand BeeKeeperAI’s commercial operations, aligning with the growing demand for safeguarding AI training models in the cybersecurity sector.
Europol’s operation targeting the EncroChat encrypted mobile communications platform has resulted in the arrest of over 6,600 individuals and the confiscation of $979 million in illegal funds. EncroChat’s secure features, such as unbreakable encryption and message self-destruction, attracted criminals who paid for subscriptions and phones with global coverage. However, law enforcement secretly infiltrated the platform, analyzing millions of messages and leading to the arrest of high-value targets and the seizure of massive amounts of drugs, weapons, vehicles, and cash.