The latest in cybersecurity: China, Armageddon, Russia – Ukraine, AVrecon, AIOS, Silentbob, WormGPT, Shutterfly, JumpCloud, CSU, Charles Schwab, BreachForums
The Intelligence and Security Committee (ISC) report reveals that Chinese state-sponsored hackers have been frequently targeting parliamentarians in the UK, with operations becoming “increasingly sophisticated.” The 207-page China report highlights the inadequacy of the resources dedicated to tackling the cybersecurity threat posed by Beijing. It warns that China’s “whole-of-state” approach extends to espionage and interference operations overseas, co-opting companies, academic institutions, and ordinary citizens in their cyber activities.
The Ukrainian Computer Emergency Response Team (CERT-UA) has uncovered a sophisticated cyberattack campaign launched by the Russian hacking group Armageddon. The hackers targeted several thousand Ukrainian government information systems using malicious Telegram and WhatsApp messages, which contained the GammaSteel info stealer disguised as image or document attachments. Once opened, the malware remained active for 30 to 50 minutes, infecting media files and Microsoft Office Word templates, allowing it to generate 80 to 120 malicious files each week and simultaneously infect thousands of systems belonging to various Ukrainian public offices.
Aqua Security researchers have discovered an aggressive cloud campaign named “Silentbob,” launched by the TeamTNT group and infecting as many as 196 hosts. Unlike previous attempts focused on deploying cryptominers, this campaign aims to infect systems and test the botnet’s capabilities, targeting Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, and more. The attackers use rogue container images hosted on Docker Hub to scan the internet for vulnerable instances and propagate the Tsunami malware to create a powerful botnet.
Researchers from SlashNext have uncovered the dangers of WormGPT, a new generative AI cybercrime tool, which enables cybercriminals to launch sophisticated phishing campaigns and BEC attacks with impeccable grammar and convincing content. Unlike ChatGPT, this tool has no ethical boundaries or limitations, allowing crooks to automate the creation of malicious emails and carry out a broad range of illegal activities. The report highlights the significant threat posed by generative AI technologies like WormGPT, even in the hands of novice cybercriminals, and emphasizes the need for enhanced security measures and training to combat AI-driven BEC attacks.
Lumen Black Lotus Labs has exposed a long-running hacking campaign using the AVrecon malware to target small office/home office (SOHO) routers. The malware has been operating undetected for over two years, infecting more than 70,000 devices across 20 countries. The threat actors behind this campaign aim to build a large botnet for various criminal activities, including password spraying and digital advertising fraud. The malware targets ARM-embedded devices and communicates with multiple command-and-control servers, making it one of the largest SOHO router botnets in recent history. It employs stealthy tactics, such as interacting with Facebook, Google ads, and Microsoft Outlook, to launder malicious activity and evade detection.
The widely-used All-In-One Security (AIOS) WordPress plugin, used by over a million WordPress sites, was discovered to be logging plaintext passwords from user login attempts to the site’s database, posing a significant risk to account security. Despite a user reporting the issue three weeks ago, the plugin’s developer, Updraft, initially labeled it as a “known bug” without providing an immediate fix. The flaw was finally addressed in the release of AIOS version 5.2.0, which prevents saving plaintext passwords and clears out old entries, but a large number of sites still remain vulnerable.
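The logging flaw described above, as an added illustration that is not the AIOS plugin's own code: a login-attempt audit logger that records the submitted password beside one that records only what an investigator needs, plus a check and purge for already-stored entries (the in-memory table and column names are constructed assumptions).

```python
"""Login-attempt audit logging: the flawed pattern beside a hardened one.

Constructed example; not code from the AIOS plugin or WordPress.
"""
import time

# Constructed in-memory "table" standing in for the site's database.
AUDIT_TABLE = []

# Column names that should never appear in an audit row (assumed list).
CREDENTIAL_COLUMNS = {"password", "passwd", "pwd", "pass"}


def record_attempt_unsafe(username, password, success):
    """Flawed pattern: the whole login request, password included,
    is written to the audit table, so every failed and successful
    login leaves a plaintext credential behind."""
    row = {"user": username, "password": password, "ok": success, "ts": time.time()}
    AUDIT_TABLE.append(row)
    return row


def record_attempt_safe(username, success, client_ip):
    """Hardened pattern: store only identity, outcome and source.
    The password is never passed in, so it cannot be logged by mistake."""
    row = {"user": username, "ok": success, "ip": client_ip, "ts": time.time()}
    AUDIT_TABLE.append(row)
    return row


def rows_holding_credentials(table):
    """Audit check: every stored row that still carries a credential column,
    i.e. the kind of old entries a fix must also clear out."""
    return [r for r in table if CREDENTIAL_COLUMNS & {k.lower() for k in r}]


def purge_credentials(table):
    """Remediation: strip credential columns in place from existing rows.
    Returns the number of rows that were changed."""
    changed = 0
    for row in table:
        bad = [k for k in row if k.lower() in CREDENTIAL_COLUMNS]
        for k in bad:
            del row[k]
        if bad:
            changed += 1
    return changed
```

Running the check against a real site means pointing it at the plugin's own log table, whose name is not given here.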
Colorado State University recently disclosed that the Clop ransomware group had stolen sensitive personal information from both current and former students and employees during the MOVEit Transfer data-theft attacks. As a renowned public research university with a substantial student and staff population, CSU was targeted in the cyber incident that led to the compromise of personally identifiable information, including names, dates of birth, identification numbers, and even Social Security numbers.
Charles Schwab Corp., the parent company of TD Ameritrade, Inc., has fallen victim to a significant data breach caused by vulnerabilities in the MOVEit file transfer software. While the computer systems of both companies remain intact, customer data stored on Ameritrade’s MOVEit server was compromised. This breach has far-reaching implications, affecting millions of Americans and exposing them to potential identity theft and fraudulent activities. Affected customers are urged to stay vigilant and take necessary precautions upon receiving breach notifications from TD Ameritrade or Charles Schwab.
Shutterfly, an online retail and photography platform, fell victim to the Clop ransomware gang, which exploited the MOVEit Transfer utility’s vulnerability to breach multiple companies and extort them over stolen data. Clop recently listed Shutterfly on its data leak site, revealing its involvement. However, a Shutterfly spokesperson confirmed that customer and employee data remain secure, as the company quickly took action, applied patches, and conducted forensic reviews after discovering the vulnerability.
Last week, JumpCloud, an enterprise software firm, disclosed a security incident involving a nation-state threat actor that targeted some of its customers. The company reset all its API keys, potentially impacting thousands of customers, including well-known organizations like Cars.com and GoFundMe. The sophisticated attacker gained unauthorized access through a spear-phishing campaign, leading JumpCloud to take immediate action, notify impacted customers, and collaborate with law enforcement to secure their systems and protect against future threats. As organizations rely heavily on JumpCloud’s platform for critical services, the impact of this targeted attack is considered severe and highlights the importance of enhanced security measures and collaboration among defenders.
Crowe LLP, a global accounting and tax advisory firm, has confirmed that it was only marginally affected by the recent Cl0p MOVEit breach. The company took swift action, disabling access and applying patches to mitigate the vulnerability. Crowe engaged external experts for a thorough investigation, and fewer than 100 impacted clients have been notified.
Maritime IT Security has compiled over 160 cyber incidents in the maritime sector, including ships, ports, and other facilities worldwide. The database aims to enhance industry awareness and provide valuable data for further research and realistic simulations. This initiative by NHL Stenden’s research group highlights the need to address growing cyber threats in the maritime industry and promotes preparedness among companies, organizations, and ports.
Conor Brian Fitzpatrick, known as Pompompurin, has agreed to plead guilty to multiple hacking charges, including conspiracy to commit access device fraud and possession of child pornography. Fitzpatrick was the owner of the BreachForums, a cybercrime marketplace where illicit data, access devices, and cybercrime tools were traded among members. Following his arrest in March 2023, law enforcement seized evidence from Fitzpatrick’s residence. If convicted, he could face significant penalties, including imprisonment and hefty fines.
SaaS management platform Zluri has successfully raised $20 million in a Series B funding round, totaling $32 million in raised funds for the company. Led by Lightspeed and supported by existing investors Endiya Partners, Kalaari Capital, and MassMutual Ventures, Zluri’s platform enables organizations to efficiently manage and optimize their SaaS applications, mitigate risks, and control costs from a centralized dashboard. With the new funding, Zluri aims to enhance its generative AI capabilities in its SaaSOps platform and expand its market presence in North America and Europe.
In a privacy controversy, Spotify is facing scrutiny as users allege that the music streaming service made their private playlists public without their consent. This incident has raised concerns over a possible ongoing privacy issue, with reports dating back to March highlighting similar problems. Users have taken to Twitter and Spotify’s community forums to express their frustration and demand answers, as they claim their playlists were initially marked as private upon creation and were inexplicably made public without their knowledge or permission. Spotify’s response in March, denying bulk changes, has not reassured users, leaving uncertainty about the cause and scope of the privacy breach.