In the rapidly changing world of cybersecurity, recent developments include QakBot Affiliates persisting with Ransom Knight and Remcos RAT in recent phishing attacks, Chinese cyberspies targeting semiconductor firms with Cobalt Strike, WebWyrm scam tricking job seekers with cryptocurrency deception, Supermicro IPMI firmware flaws exposing servers to critical risks, and malicious Python packages evolving in a data theft campaign.
Amid the ever-evolving cyber landscape, events unfold: YouTube Channels Hijacked for Elon Musk Crypto Scams, President Herzog’s Telegram Account Hacked in Suspected Criminal Incident, 2023 Chemistry Nobel Laureates Unintentionally Exposed, Pro-Russia Hacker Group Targets Australian Government Website Over Ukraine Support, and Giant Really Simple Systems Exposes Sensitive Data.
Embarking on a cybersecurity journey, we witness Belgium closely monitoring Alibaba amid espionage concerns, hacktivists mocking Red Cross guidelines in armed conflicts, GitHub expanding validity checks for exposed credentials, Amazon’s mandatory MFA implementation for AWS root accounts in 2024, and the acceleration of cybercriminals’ ransomware attacks in 2023.
Despite efforts to disrupt their infrastructure, the operators behind the QakBot malware have resurfaced in an ongoing phishing campaign since August 2023. This campaign has resulted in the delivery of Ransom Knight ransomware and the Remcos RAT. Cisco Talos researcher Guilherme Venere suggests that law enforcement actions may have impacted the malware’s command-and-control servers rather than its spam delivery infrastructure.
Hackers engaged in cyber espionage have set their sights on Chinese-speaking semiconductor companies, deploying TSMC-themed lures to infect them with Cobalt Strike beacons. The campaign, focused on firms in Taiwan, Hong Kong, and Singapore, exhibits tactics, techniques, and procedures similar to those linked to Chinese state-backed threat groups. Employing spear-phishing emails as the likely initial compromise channel, the threat actors distribute the HyperBro loader, which installs a Cobalt Strike beacon on compromised devices, providing them with remote access.
A newly uncovered scam operation known as “WebWyrm” is preying on job seekers, luring them into cryptocurrency schemes by enticing them with the promise of earnings through completing seemingly pointless tasks. This operation, flagged by CloudSEK, has already ensnared over 100,000 victims in more than 50 countries and impersonated more than 1,000 companies across ten different industries, potentially accumulating over $100 million for the scammers. The scammers primarily use WhatsApp to approach victims, tailoring their schemes using data from recruitment portals to find individuals more likely to fall for the ruse.
Multiple security vulnerabilities have been unveiled in the Intelligent Platform Management Interface firmware used in Supermicro baseboard management controllers, potentially leading to privilege escalation and the execution of malicious code on affected systems. These seven vulnerabilities, with varying severity from High to Critical, could allow unauthenticated actors to gain root access to the BMC system. Supermicro has addressed the flaws by releasing a BMC firmware update to patch these critical vulnerabilities, which could be exploited to compromise server systems.
A sophisticated campaign involving malicious Python packages has been discovered by Checkmarx’s Supply Chain Security team, with over 272 packages designed to steal sensitive data. These packages, which have evolved significantly over time, have been downloaded approximately 75,000 times from open-source platforms.
Scammers have seized control of prominent YouTube channels to endorse cryptocurrency scams, particularly those related to Elon Musk and Tesla. These schemes involve rebroadcasting authentic content alongside QR codes or links leading to fraudulent cryptocurrency websites. Researchers from cybersecurity firm Bitdefender labeled this practice “stream-jacking” and discovered that phishing kits were used to automate the attacks, although the identity of the kit’s operator remains unknown.
President Isaac Herzog’s Telegram account was recently hacked in an incident believed to have criminal ties, according to an announcement from the President’s Residence. The Shin Bet is overseeing the situation, and while there is no concern about data leakage, the hack has been resolved, and the account is now secure. Dr. Gilad Leibovitch, an academic director specializing in cybersecurity at Haifa’s Technion, suggested that such attacks are typically aimed at gathering high-level intelligence information and often involve techniques like phishing. He emphasized the importance of implementing two-step verification on apps like Telegram to enhance security.
The Nobel Academy inadvertently disclosed the names of the 2023 Chemistry laureates, including Moungi G. Bawendi of MIT, Louis E. Brus from Columbia University, and Alexei I. Ekimov of Nanocrystals Technology Inc., who were honored for their contributions to quantum dot discovery and synthesis. The premature announcement came ahead of the final decision, leaving the laureates surprised by the revelation. Although the mishap raised questions, it did not impact the selection process, according to Hans Ellegren, the Nobel academy’s secretary general.
Australia’s cybersecurity, national security, and immigration department faced a distributed denial-of-service attack that temporarily took its website offline for about five hours. A pro-Russia hacker group, reacting to Australia’s announcement of sending Slinger technology to Ukraine to counter drones in response to the Russian invasion, claimed responsibility for the attack. The group had posted on Telegram that it was launching the DDoS attack to protest Australia’s support for Ukraine, highlighting the global Russophobic trend.
A major data security lapse by global B2B CRM provider Really Simple Systems has come to light as cybersecurity researcher Jeremiah Fowler uncovered a non-password-protected database containing over 3 million records. The exposed documents included internal invoices, communications, and customer CRM files. While the database belonged to Really Simple Systems, it contained files from various organizations, including sensitive data like medical records, tax documents, and legal agreements.
Belgian intelligence agencies are reportedly closely monitoring the activities at a logistics hub operated by Chinese tech giant Alibaba amid concerns that the company may be using software to gather sensitive economic data. The State Security Service in Belgium has expressed apprehensions about possible espionage or interference activities linked to Chinese entities, including Alibaba. This surveillance is driven by concerns over China’s National Intelligence Law, which grants the Chinese government the authority to compel Chinese individuals and businesses to cooperate with intelligence agencies.
Hacktivists in Ukraine and Russia have derided the recent ethical guidelines issued by the Red Cross for civilian hackers involved in armed conflicts. Pro-Ukrainian hacker group Hdr0 defaced the website of the Russian branch of the Red Cross in protest, emphasizing that “there are no rules in war.” They asserted their intent to use any means to harm their enemy.
GitHub has announced significant improvements to its secret scanning feature, now allowing users to validate exposed credentials for major cloud services. This enhancement aims to help organizations and developers quickly identify and address potentially exposed secrets in their repositories. By expanding the validity checks to tokens from AWS, Google, Microsoft, and Slack, GitHub is providing users with valuable information to triage alerts and enhance remediation efforts, ultimately boosting code security and analysis within the platform.
Amazon has announced a significant security enhancement for its AWS accounts by making multi-factor authentication mandatory for privileged users, starting in mid-2024. MFA adds an extra layer of protection against unauthorized access, even if login credentials are compromised. This move aims to mitigate risks associated with unauthorized access, data breaches, and service disruptions due to malicious activities.
Cybercriminals are now deploying ransomware within the first day of initially compromising their targets, a dramatic drop on the 4.5 days that the task had been taking last year, according to a new threat report by cybersecurity company Secureworks. The report warns that 2023 may be the most prolific year for ransomware attacks to date, with three times as many victims listed on leak sites in May this year as there were in the same month a year ago.
Copyright © 2023 CyberMaterial. All Rights Reserved.