In today’s episode, we explore cybersecurity developments, including a cyber battle in the Israeli-Palestinian conflict, a GNOME Linux vulnerability, Magecart’s 404 page exploit, the HelloKitty ransomware source code leak, Grayling’s attacks on Taiwan, and a massive Citrix NetScaler hack.
Recent events involve a cyberattack on a Facebook page, pro-Palestinian hackers using a Red Alert app to disrupt Israel, a pediatric privacy breach in NL Health Services, and a cyberattack disrupting cable manufacturer Volex.
Amid the escalating Israeli-Palestinian conflict, both pro-Israeli and pro-Palestinian hacktivists are taking the battle to the cyber realm, with a focus on industrial control systems as lucrative targets. These attacks include distributed denial of service attacks against Israeli government and media organizations, and even non-partisan threat actors like ThreatSec are joining in. The exposure of critical ICS infrastructure on both sides raises concerns about potential disruptions to essential services and highlights the urgent need for improved cybersecurity measures to safeguard against these attacks and their potentially catastrophic consequences.
A critical memory corruption vulnerability in the open-source libcue library has been discovered, exposing Linux systems running the GNOME desktop environment to potential remote code execution attacks. This vulnerability, known as CVE-2023-43641, can be exploited when a user downloads a maliciously crafted .CUE file that lands in the ~/Downloads folder. Because GNOME's Tracker Miners automatically indexes downloaded files, the file is parsed without the user ever opening it, which is what allows an attacker to execute arbitrary code on the affected GNOME Linux device.
A new Magecart card skimming campaign has emerged, employing an innovative tactic of hijacking online retailers’ 404 error pages to conceal malicious code aimed at stealing customers’ credit card data. This campaign, detected by researchers from the Akamai Security Intelligence Group, specifically targets Magento and WooCommerce sites, with some high-profile food and retail organizations falling victim. The attackers cleverly manipulate the default 404 error page, hiding and executing their card-stealing code in a way not seen in previous Magecart campaigns.
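The defensive takeaway from the 404-page tactic is that error pages belong in the same integrity monitoring as checkout pages. The script below is an added example, not code from Akamai or from the episode: it compares a site's 404 response body against an approved baseline hash and flags HTML comments or inline scripts carrying long base64-like runs and script tags pulling from unexpected hosts. The two HTML samples and the allow-list host are constructed for the example; the heuristics are the author's own and will need tuning per site.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: the shop's normal 404 page, captured when it was last approved.
BASELINE_404 = """<html><head><title>404 Not Found</title></head>
<body><h1>Page not found</h1><p>Sorry, that page does not exist.</p>
<script src="/static/app.js"></script></body></html>"""

# Constructed sample: the same page with an injected HTML comment that carries a
# long base64-looking blob (here it just encodes the alphabet and digits, twice).
TAMPERED_404 = """<html><head><title>404 Not Found</title></head>
<body><h1>Page not found</h1><p>Sorry, that page does not exist.</p>
<!-- SITE_CONFIG: QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkwQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkw -->
<script src="/static/app.js"></script></body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# <script ...> tags that have a src attribute, capturing the URL
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
# <script ...> tags that have no src attribute, capturing the inline body
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>", re.I | re.S)
# A run of 48+ base64 alphabet characters: long enough to skip ordinary words and ids
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")


def body_hash(html: str) -> str:
    """SHA-256 of the page body; store this when the 404 page is approved."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def audit_404(html: str, baseline_hash: str, allowed_script_hosts: set) -> list:
    """Return a list of findings for a fetched 404 page; empty means nothing suspicious."""
    findings = []
    if body_hash(html) != baseline_hash:
        findings.append("body differs from approved baseline")
    for comment in COMMENT_RE.findall(html):
        if B64_RUN_RE.search(comment):
            findings.append("long base64-like run inside an HTML comment")
    for inline in INLINE_SCRIPT_RE.findall(html):
        if B64_RUN_RE.search(inline) or "atob(" in inline:
            findings.append("inline script with encoded payload or atob()")
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).netloc
        # Relative URLs have no host and are served by the site itself
        if host and host not in allowed_script_hosts:
            findings.append(f"script loaded from unexpected host {host}")
    return findings


if __name__ == "__main__":
    approved = body_hash(BASELINE_404)
    print("baseline:", audit_404(BASELINE_404, approved, {"cdn.example"}))
    print("tampered:", audit_404(TAMPERED_404, approved, {"cdn.example"}))
```

In production the baseline hash is taken from a known-good deployment, the page is fetched from outside the CDN so cached copies do not mask a change, and any non-empty finding list pages the on-call engineer rather than being logged and forgotten.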
A threat actor going by the name ‘kapuchin0’ has leaked the source code of the 2020 variant of the HelloKitty ransomware on a Russian-speaking cybercrime forum. This development raises concerns among cybersecurity experts as threat actors could potentially use the leaked code to create new versions of this ransomware. The HelloKitty ransomware gang, also known as FiveHands, has been active since January 2021 and is known for launching DDoS attacks on victims who refuse to pay the ransom.
A previously unknown threat actor, named Grayling, has emerged, launching a series of targeted attacks on organizations in Taiwan, spanning sectors such as manufacturing, IT, and biomedicine. Symantec’s Threat Hunter Team has attributed these attacks to an advanced persistent threat known as Grayling, with evidence suggesting that the campaign began in February 2023 and has persisted until at least May 2023. Grayling’s distinctive use of a DLL side-loading technique, coupled with its deployment of various payloads, including Cobalt Strike, NetSpy, and the Havoc framework, underscores the motivation behind these attacks: intelligence gathering.
Facebook’s official page was hacked, leaving users surprised by bizarre posts demanding the release of ex-Pakistani Prime Minister Imran Khan. This incident, occurring on October 6th, 2023, highlights concerns regarding the security of Facebook accounts and pages. While social media hacks are not uncommon, the peculiar focus on cricket visa issues and political demands has raised eyebrows.
Pro-Palestinian hackers known as AnonGhost targeted the Red Alert app, designed to send missile alerts to Israelis during the Israel-Hamas conflict. The cyberattack exploited an API vulnerability, allowing hackers to send fake rocket alerts and fabricated messages of a “nuclear bomb” attack, causing panic and disruption among app users. This digital warfare parallels the physical conflict, with hacktivist groups on both sides engaging in cyberattacks, further escalating tensions in the region.
NL Health Services has disclosed another privacy breach, this time involving an email sent to 253 pediatric patients’ parents and guardians regarding diabetes-related information. Unfortunately, the recipients of the email were not blind-copied, inadvertently exposing everyone on the list to each other’s email addresses. NL Health Services’ CEO, David Diamond, expressed regret and apologized for the error, emphasizing the importance of maintaining patient privacy.
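The NL Health Services breach is the classic bulk-mail mistake: every recipient placed in the visible To header. The following is an added example, not code from NL Health Services, showing the exposed construction beside the corrected one, where the recipient list travels only in the SMTP envelope and the headers name nobody but the sender, plus a pre-send guard that refuses a bulk message whose headers reveal more than one recipient address. The addresses are constructed placeholders.

```python
from email.message import EmailMessage

# Constructed placeholders; none of these are real addresses.
SENDER = "diabetes-clinic@example.invalid"
PARENTS = [
    "parent1@example.invalid",
    "parent2@example.invalid",
    "parent3@example.invalid",
]
SUBJECT = "Pediatric diabetes clinic update"
BODY = "Please find the updated clinic information attached."


def build_exposed_message(recipients):
    """The failure mode: every recipient listed in the To header, visible to all."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def build_private_message(recipients):
    """Corrected: headers carry only the sender; the recipient list is returned
    separately so it is passed as the SMTP envelope (e.g. smtplib.SMTP.sendmail's
    to_addrs) and never appears in the delivered message."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER          # or "undisclosed-recipients:;"
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg, list(recipients)


def leaked_addresses(msg, recipients):
    """Recipient addresses that appear anywhere in the message headers, i.e. the
    set every other recipient would be able to read."""
    headers = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return [addr for addr in recipients if addr in headers]


def safe_to_send(msg, recipients, max_visible=1):
    """Pre-send guard for bulk mail: allow at most max_visible recipient addresses
    in the headers (one is fine for a personally addressed message)."""
    return len(leaked_addresses(msg, recipients)) <= max_visible


if __name__ == "__main__":
    exposed = build_exposed_message(PARENTS)
    print("exposed headers leak:", leaked_addresses(exposed, PARENTS))
    private, envelope = build_private_message(PARENTS)
    print("private headers leak:", leaked_addresses(private, PARENTS))
    print("envelope recipients:", envelope)
```

If a Bcc header is used instead, note that Python's smtplib.SMTP.send_message strips Bcc and Resent-Bcc from the copy it transmits, but a mail client or gateway that forwards the original message object may not; keeping recipients out of the headers entirely removes that dependency.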
UK-based cable manufacturing giant Volex recently fell victim to a cyberattack involving unauthorized access to its IT systems and data. While the company confirmed that all its sites remain operational and expects minimal financial impact, there has been some disruption to global production levels. Volex promptly enacted its IT security protocols and engaged third-party consultants to investigate the incident, though details regarding the nature of the attack remain limited. The incident, which may be ransomware-related, raises concerns about the cybersecurity vulnerabilities faced by organizations in today’s digital landscape.
In a disturbing development, an audio clip depicting UK opposition leader Keir Starmer verbally abusing his staff surfaced on social media, garnering more than 1.4 million views. However, analysis conducted by both private-sector experts and the British government revealed that the audio was AI-generated and manipulated. The incident highlights the growing threat of deepfake technology in influencing political narratives, with authorities bracing for similar interference in the upcoming general election.
A $12,288 bounty has been announced for anyone who can crack the NIST elliptic curves seeds and unveil the original phrases that were hashed to generate them. Cryptography specialist Filippo Valsorda, along with prominent figures in cryptography and cybersecurity, initiated this challenge to shed light on the origin of these crucial cryptographic components.
Check Point’s Global Threat Index revealed significant changes in the cyber threat landscape. A phishing campaign in Colombia led to the rise of the Remcos Remote Access Trojan, making it the second most prevalent malware. Simultaneously, Formbook claimed the top spot as the most prevalent malware globally, known for its potent evasion techniques and data-stealing capabilities. Despite the FBI’s disruption of Qbot, the group responsible for it continues to distribute new malware, signaling ongoing cyber threats.
Amidst growing concerns about privacy, discrimination, and human rights, more than 65 British lawmakers and 31 civil society organizations have signed a petition calling for an immediate halt to the use of real-time facial recognition technology in the United Kingdom. The petition denounces both private sector and law enforcement use of this AI technology, citing issues ranging from incompatibility with human rights to the lack of safeguards and evidence for its legality and democratic mandate.
Copyright © 2023 CyberMaterial. All Rights Reserved.