In today’s edition: Android Malware, Google Play, Microsoft, Azure, Rilide Malware, Google, Serco, Anonymous Sudan, Veilid, Endor, Team Bangladesh
Threat actors are exploiting a technique known as versioning to outsmart Google Play Store’s malware detection and target unsuspecting Android users, a concerning trend highlighted in the August 2023 Threat Horizons Report by Google Cybersecurity Action Team (GCAT). Versioning campaigns typically focus on stealing users’ credentials, data, and finances, making it a serious security threat. This tactic involves initially releasing an innocuous app version on the Play Store that passes Google’s checks, only to later introduce a hidden malware component through an update, effectively converting the app into a backdoor. Such stealthy maneuvers underscore the need for robust defense-in-depth strategies, emphasizing trusted app sources like Google Play and implementing mobile device management (MDM) solutions, especially in enterprise environments.
Microsoft’s latest addition, the Azure Active Directory Cross-Tenant Synchronization (CTS) feature, has inadvertently opened up a potential attack surface for threat actors to spread laterally to other Azure tenants. Introduced in June 2023, the CTS feature allows synchronization of users and groups across multiple tenants, enhancing collaboration and automating B2B project management. However, if misconfigured, attackers with elevated privileges in a compromised tenant may exploit this feature to move laterally to connected tenants and establish persistence, according to cybersecurity firm Vectra’s report. Though not yet observed in the wild, defenders are urged to understand and monitor for possible abuse of this feature.
Cybersecurity researchers have uncovered a new version of malware called Rilide, which poses a serious threat to Chromium-based web browsers. The new version is more sophisticated than its predecessor: it uses code obfuscation, adopts the Chrome Extension Manifest V3, exfiltrates data to a Telegram channel, and captures screenshots at set intervals. Rilide is being sold on dark web forums by an actor named “friezer” for $5,000, and it is equipped with a range of capabilities, including disabling other browser add-ons, harvesting browsing history, stealing login credentials, taking screenshots, and running malicious scripts to withdraw funds from cryptocurrency exchanges.
Russia-linked cyberespionage group APT29, also known as SVR group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, conducted Microsoft Teams phishing attacks against dozens of organizations and government agencies worldwide. The group employed highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chat messages. By leveraging previously compromised Microsoft 365 tenants owned by small businesses and sending Teams messages, the threat actors attempted to steal credentials from targeted organizations, gaining access to victims’ Microsoft 365 accounts.
On August 3, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued a set of five Industrial Control Systems (ICS) advisories, shedding light on prevailing security concerns, vulnerabilities, and potential exploits affecting ICS. The advisories include specific details about the following systems: Mitsubishi Electric GOT2000 and GOT SIMPLE, Mitsubishi Electric GT and GOT Series Products, TEL-STER TelWin SCADA WebInterface, Sensormatic Electronics VideoEdge, and Mitsubishi Electric CNC Series. CISA strongly recommends that both users and administrators take prompt action by thoroughly reviewing these advisories to gain insights into the technical intricacies and to implement necessary mitigation measures to safeguard ICS infrastructure.
A suspected cyberattack caused a system-wide IT problem, leading the Eastern Connecticut Health Network (ECHN) to divert patients from its hospital emergency rooms. The issue affected ERs at Manchester Memorial Hospital and Rockville General Hospital, prompting ambulance and EMS companies to redirect patients to other facilities. Prospect Medical Holdings facilities, which are part of ECHN, also faced IT complications, resulting in the closure of several locations until further notice.
Serco Inc., the Americas division of global outsourcing company Serco Group, recently revealed a major data breach affecting over 10,000 individuals. The breach occurred after attackers targeted a third-party vendor’s MOVEit managed file transfer server, stealing sensitive personal information. Serco emphasized that its own systems remained secure, and it is actively collaborating with CBIZ, its benefits administration provider, to investigate the breach and bolster security measures for the future.
Anonymous Sudan has taken responsibility for a bold cyber attack on Nigeria’s prominent mobile telecommunication company, MTN, causing widespread disruption. The hacker group announced the attack on their Telegram channel, boasting about crippling multiple MTN services, including internet, data calls, SMSes, and the MTN app and website. The incident has also raised concerns about cyber insurance policies, with industry experts cautioning organizations to carefully review terms and conditions to avoid potential pitfalls. As the situation unfolds, MTN is yet to respond to the claims made by Anonymous Sudan.
Researchers have uncovered a concerning risk in the sale of decommissioned medical infusion pumps through the secondary market. The study revealed that many of these pumps, purchased from platforms like eBay, still contain wireless authentication data from their original medical organizations, potentially exposing sensitive information. Infusion pump models from various manufacturers were analyzed, and the data obtained through the study highlights the urgent need for medical organizations to implement proper policies and processes to safeguard critical data during device acquisition and de-acquisition.
The “Cult of the Dead Cow” (cDc), a long-standing US hacktivist group, is introducing Veilid, a privacy framework aimed at creating applications that evade targeted advertising and data collection. The initiative is an open-source, peer-to-peer, mobile-first networked application framework that lets users opt out of data collection and online tracking, prioritizing privacy and user experience. Veilid will be officially launched at DEF CON, where the group plans to demonstrate its capabilities and offer a faster, privacy-centric alternative to existing options like IPFS and Tor.
Endor Labs, a finalist in the RSA Innovation Sandbox contest, has successfully raised $70 million in its first major funding round. The Silicon Valley-based company, under the leadership of co-founder and CEO Varun Badhwar, aims to expand its focus from code security to safeguarding the CI/CD pipeline and ensuring the security of validated secrets and configuration repositories. This funding, led by Lightspeed Venture Partners and Coatue, will enable Endor Labs to advance its mission of enhancing software supply chain security and pipeline protection, a vital need in today’s evolving threat landscape.
Microsoft warns of expanding cyber risks in stadium operations and live sporting events, with malicious actors targeting valuable information on athletic performance and personal data. Major sports teams, global sporting associations, and entertainment venues are vulnerable due to interconnected networks and devices. To defend against attacks, Microsoft recommends implementing security measures such as network scanning, securing apps and devices, patching point-of-sale devices, and creating logical network segmentations.
Mysterious Team Bangladesh, an active hacktivist collective, has been identified as the force behind over 750 distributed denial-of-service (DDoS) attacks and 78 website defacements since June 2022. Targeting primarily logistics, government, and financial sectors in India and Israel, the group operates with religious and political motivations, according to cybersecurity firm Group-IB. Their reach extends to countries like Australia, the Netherlands, Sweden, and more. The group’s tactics involve exploiting known security flaws or weak passwords to gain unauthorized access to web servers and administrative panels.
In a landmark two-year investigation, INTERPOL has successfully dismantled a global network of websites profiting from explicit material involving children, putting an end to the exploitation and re-victimization of innocent victims. The international operation, aptly named Narsil after a legendary sword, not only targeted the websites but also disrupted the financial mechanisms supporting their illicit activities. Criminals who had operated undetected for years were apprehended, and arrests were made in several countries, highlighting the collaborative efforts to combat the technological complexities enabling these heinous crimes.