Cyber Briefing 2023.08.23

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
First time seeing this? Please subscribe.

In today’s edition: Agniane Stealer, Malware, Cryptocurrencies, Spacecolon Toolset, Ransomware, OfficeNote, macOS Malware, XLoader, Akira Ransomware, Cisco VPNs, TP-Link, Ivanti Zero-Day, Snatch Gang, South Africa, Iraq, University of Minnesota, Gadsden County, Threads Security, Bart Stephens, SIM-Swapping, Grip Security.

🚨 Cyber Alerts

1. Discovery of Agniane Stealer Cyberthreat

A recent discovery by the Zscaler ThreatLabz team has unveiled a fresh threat on the cybersecurity horizon: Agniane Stealer. Unlike typical malicious cyberattacks, this newly identified information stealer family specializes in absconding with credentials, system details, and session information from browsers, tokens, and file transfer tools. Of particular concern, Agniane Stealer is significantly drawn to cryptocurrency extensions and wallets, adding to the array of compromised data. By transmitting the stolen information to command-and-control servers, the perpetrators behind Agniane Stealer can exploit their ill-gotten gains. This development is indicative of the evolving landscape of cyber threats, highlighting the need for continual vigilance and thorough investigation.

2. Scarab Ransomware Dissemination

A malicious toolset named Spacecolon has been identified as the driving force behind the global distribution of various Scarab ransomware variants. The toolset is believed to exploit vulnerable web servers or engage in brute-force attacks on Remote Desktop Protocol credentials to infiltrate victim organizations. ESET’s investigation also revealed Turkish strings in some Spacecolon versions, indicating a potential Turkish-speaking developer’s involvement. Despite ongoing campaigns and extensive analysis, the true identity of the threat actor remains unknown, leading ESET to refer to them as “CosmicBeetle.”

3. Loader macOS Variant as OfficeNote

A new variant of the XLoader macOS malware, known as “OfficeNote,” has been discovered by SentinelOne security researchers. This malware disguises its malicious activities under the appearance of an office productivity app and utilizes programming languages such as C and Objective C to overcome limitations posed by Java Runtime Environment requirements. This iteration of XLoader targets macOS users in work environments, attempting to steal browser and clipboard data for potential use or resale by other threat actors, demonstrating an ongoing threat to macOS security.

4. Akira Ransomware Exploits Cisco VPNs

The Akira ransomware group is utilizing Cisco VPN products as a means to breach organizational networks and initiate data theft and encryption. This emerging ransomware operation, established in March 2023, has now incorporated a Linux encryptor to target VMware ESXi virtual machines alongside its existing tactics. As Cisco VPN solutions are widely employed to facilitate secure communication between remote employees and corporate networks, this targeting represents a significant security concern for various industries.

5. TP-Link Tapo Bulb Security Flaws Discovered

Academic researchers from Italy and the UK have uncovered four vulnerabilities in the TP-Link Tapo L530E smart bulb and its associated mobile application, potentially putting households at risk of hacker attacks. The flaws can allow attackers to gain access to local Wi-Fi network passwords, compromising both the smart bulb and user credentials. The vulnerabilities range from a lack of authentication between the smart bulb and the app to hardcoded secrets, emphasizing the significance of these issues and the potential impact they could have on users’ security.

6. Ivanti Alerts on Exploited Zero-Day

Ivanti, a software services provider, has issued a warning about an actively exploited critical zero-day flaw affecting Ivanti Sentry (formerly MobileIron Sentry). Tracked as CVE-2023-38035, the vulnerability allows unauthorized access to sensitive APIs used to configure Ivanti Sentry due to an insufficiently restrictive Apache HTTPD configuration. While the risk of exploitation is low for customers not exposing port 8443 to the internet, successful exploitation could allow attackers to modify configurations, run system commands, and write files. This comes shortly after Ivanti resolved stack-based buffer overflow flaws in its Avalanche software.

💥 Cyber Incidents

7. Snatch Group Targets South African Defense

The Snatch ransomware group has declared responsibility for hacking the Department of Defence South Africa, showcasing the military organization on its leak site. This cyberattack has reportedly exposed significant amounts of sensitive data, including military contracts, internal call signs, and personal information, accumulating to a staggering 1.6 Tera Bytes of compromised data. The potential disclosure of such confidential information poses a severe risk to entities associated with the affected contracts. As of now, the leak site remains inaccessible, leaving organizations and security experts concerned about the extent of the breach and its implications.

8. Baghdad’s Public Billboards Breached

Iraqi authorities have taken swift action in response to a shocking incident where explicit adult content was broadcast on electronic advertising boards in Baghdad. The digital billboards were temporarily switched off after the incident, during which pornographic footage was displayed to passers-by in a bustling part of the city. Following the incident, a man has been arrested by the police, and an official statement from the Iraqi Interior Ministry’s Federal Intelligence and Investigation Agency reveals that the accused cited financial disputes with the company owning the display screen as his motive. This incident highlights the challenges that modern technology poses to maintaining public decorum and prompt governmental responses to safeguard societal values.

9. University of Minnesota Data Breach

Just a month ago, the University of Minnesota was alerted to a potential major data breach and swiftly engaged law enforcement and regulatory agencies at state and federal levels, university officials confirmed on Tuesday. The breach, first discovered on July 21, was reported by an unauthorized party who claimed access to sensitive data from the university’s systems. Although the exact scope of the breach remains uncertain, a report from the Cyber Express indicated that the hacker boasted access to around 7 million Social Security numbers dating back to 1989. As the investigation continues, the university is working diligently to ascertain the veracity of the claims and the extent of the compromised data.

10. Dual Data Breaches Affect Gadsden County

Gadsden County is grappling with the aftermath of two distinct data breaches that have affected its court system and Emergency Medical Services (EMS). The 2nd Judicial Circuit recently revealed that a data breach involving Gadsden County court records is under investigation, with initial assessments suggesting exposure of “personal identifying information.” Concurrently, Gadsden EMS reported an incident impacting patient data, where an unknown actor gained unauthorized access to sensitive information including names, social security numbers, and billing codes. Both breaches underscore the pressing need for robust cybersecurity measures in safeguarding sensitive data across critical sectors.

📢 Cyber News

11. Surge in Health Data Breach Litigation

Amid a steady rise in cyberattacks targeting companies handling health data, a Bloomberg Law analysis reveals a substantial increase in litigation rates for health data breach cases. The monthly average of new class actions filed over health data breaches in 2023 is nearly double the rate from the previous year. These lawsuits, seeking civil damages in the millions of dollars, underscore the growing concern over privacy breaches in the health industry, which remains a prime target for cybercriminals seeking valuable personal information for illegal use.

12. Threads Rank Low in Privacy Protection

New research by Home Security Heroes, a cybersecurity firm, has exposed Threads, the microblogging platform owned by Meta, as the worst social media platform for protecting user privacy. The study also found Instagram, the Meta app tied to the new Twitter/X rival, to be among the least private social media platforms. Threads has been highlighted for collecting 50% more personal user data than comparable platforms, including data related to health, financial information, location, and more. Privacy concerns have led Meta to delay the launch of Threads in the EU due to regulatory requirements.

13. Lawsuit Filed After $6.3M Crypto Hack Loss

Bart Stephens, the cofounder of crypto fund Blockchain Capital, is taking legal action against an anonymous hacker known as Jane Doe who stole $6.3 million worth of bitcoin, ether, and other cryptocurrencies from his digital wallets. The lawsuit claims that the hacker employed a SIM-swap attack by exploiting Stephens’ personal information available online and on the dark web to change account passwords and take control of his cellular network account. The FBI had warned of such attacks, which targeted individuals likely to possess substantial cryptocurrency holdings, and estimates $72 million was stolen in similar incidents last year.

14. Delgatti Sentenced to 20 Years in Jail

Hacker Walter Delgatti has been sentenced to 20 years in prison for his involvement in the 2019 Operation Spoofing case. The verdict was handed down by Judge Ricardo Leite of the 10th Federal Court in Brasilia, following Delgatti’s arrest in 2019 for hacking into Telegram accounts of authorities, including members of the Lava Jato task force. Delgatti’s claims of hacking to “fight injustices” were dismissed by the judge, who emphasized that the hacker’s intentions appeared to be motivated by financial gain, casting a shadow over his purported motives.

15. Grip Security Secures $41M to Expand

Grip Security has secured $41 million in Series B funding, spearheaded by Third Point Ventures, with participation from YL Ventures, Intel Capital, and The Syndicate Group. This funding, pushing Grip Security’s total funding to $66 million, marks a significant milestone for the company, further advancing its go-to-market strategy and product development. Despite an overall 15% decrease in total breaches during the first half of 2023, the report underscores a notable 31% surge in the number of individuals impacted by data breaches, indicating the critical need for proactive SaaS identity risk management.