Cyber Watch – December 15, 2023

Welcome to the Cyber Watch series for today, December 15, 2023. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.


This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.

New Trojan-Proxy Malware Infects Mac Users via Pirated Software Downloads

Security researchers at Kaspersky have uncovered a sophisticated malware campaign targeting Apple macOS users through trojanized versions of cracked software. The Trojan-Proxy malware is distributed via unauthorized websites, taking advantage of users seeking pirated multimedia, image editing, and productivity tools.

Unlike authentic software distributed as .DMG files, the malicious variants use .PKG installers with post-install scripts to activate harmful behavior. Disguised as the WindowServer process, the malware evades detection, posing significant risks to infected systems.

The campaign is not limited to macOS, with evidence suggesting a cross-platform threat extending to Windows and Android. Once activated, the malware encrypts DNS requests and communicates with a command-and-control server using DNS-over-HTTPS, ensuring covert operations.
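A defender-side check for the masquerade described above, added here as an example and not taken from Kaspersky's report: it flags any process that carries the WindowServer name but was launched from outside the system volume or by something other than launchd. It assumes the genuine WindowServer lives under /System/ and is spawned by launchd; the process snapshot is constructed.

```python
"""Flag processes that borrow a macOS system daemon's name.

Added example: the Trojan-Proxy sample hides under the legitimate WindowServer
name, so compare each process's name with its launch path and its parent.
Assumptions: genuine WindowServer lives under /System/ and is started by
launchd; the process records below are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Names only genuine system binaries should carry (assumed allowlist; extend
# it from a baseline taken on a clean machine).
PROTECTED_NAMES = {"WindowServer", "launchd", "kernel_task"}
SYSTEM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/")

@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str
    parent: str

def masquerade_reasons(p: Proc) -> list:
    """Why a protected-name process looks fake; an empty list means it looks genuine."""
    if p.name not in PROTECTED_NAMES:
        return []
    reasons = []
    if not p.path.startswith(SYSTEM_PREFIXES):
        reasons.append(f"runs from non-system path {p.path}")
    if p.name != "launchd" and p.parent != "launchd":
        reasons.append(f"spawned by {p.parent}, not launchd")
    return reasons

def find_masquerades(procs) -> dict:
    """Map pid -> reasons for every suspect process in a process snapshot."""
    return {p.pid: r for p in procs if (r := masquerade_reasons(p))}

# Constructed snapshot: the real WindowServer, a copy dropped by a .pkg
# postinstall script, and an unrelated application.
SAMPLE = [
    Proc(141, "WindowServer", "/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer", "launchd"),
    Proc(4421, "WindowServer", "/Users/Shared/.cache/WindowServer", "installer"),
    Proc(4430, "Safari", "/Applications/Safari.app/Contents/MacOS/Safari", "launchd"),
]

if __name__ == "__main__":
    for pid, reasons in find_masquerades(SAMPLE).items():
        print(f"SUSPECT pid={pid}: " + "; ".join(reasons))
```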

42% of Firms Report Security Incidents As Messaging Apps Become Gateways for Workplace Cyber Threats

Personal apps used for work purposes are increasingly exposing business data to a range of digital threats. That’s according to tech research firm SafeGuard Cyber in a new cautionary report on cybersecurity risks.

Riding the work-from-home trend, popular messaging platforms like WhatsApp and Telegram have informally replaced traditional email for enterprise communications. By allowing employees the convenience of conducting company affairs via private apps, organizations gain productivity.

But in doing so, they also gain vulnerabilities with 42% of firms reporting security incidents as a direct result. Through seemingly harmless chat conversations, hackers have brand new back doors into corporate IT infrastructure and sensitive systems.

Exploiting features such as file-sharing, fraudsters utilize messaging apps to unleash phishing scams, deploy malware infections, and trick users into relinquishing precious login details. And language translation capabilities mean international offices and global clients are just as susceptible.

MITRE Introduces EMB3D: Collaborative Threat Model for Embedded Devices in Critical Infrastructure, Focused on Early Security Integration

MITRE has unveiled EMB3D, a pioneering threat model developed in collaboration with industry experts and the cybersecurity community, aiming to enhance security for embedded devices in critical infrastructure. The collaboration includes Red Balloon Security, Narf Industries, and Niyo ‘Little Thunder’ Pearson of ONE Gas. 

EMB3D is designed to establish a shared framework that fosters a collective understanding of threats targeting embedded devices, offering insights into effective mitigation strategies. This model, recommended for manufacturers, vendors, asset owners, testers, and researchers, extends beyond existing resources like ATT&CK, CVE, and CWE, concentrating specifically on embedded systems. By mapping threats to device properties, EMB3D enables users to tailor threat models for specific devices.

Notably, the suggested mitigations are focused on technical mechanisms implementable by device vendors. Pearson emphasizes that EMB3D empowers ICS device manufacturers to grasp evolving threat landscapes early in the design cycle, potentially leading to inherently more secure devices and reducing the need for post-implementation security measures. The framework is currently in a pre-release review phase, welcoming input from device vendors, asset owners, academics, and researchers before its official launch in early 2024. 

Suspected Sandworm Cyberattack Disrupts Ukraine’s Kyivstar, Crippling Communications and Air Raid Warnings

Recently, the notorious Sandworm hacking group has been implicated in a cyberattack on Kyivstar, a major Ukrainian mobile and internet provider. The attack, which significantly damaged Kyivstar’s infrastructure, resulted in the company physically shutting down systems to limit the attackers’ access.

Though the Ukrainian government hasn’t officially attributed the attack, a group named Solntsepek claimed responsibility on Telegram, alleging ties to Sandworm. Solntsepek asserted that they targeted Kyivstar for providing communications to the Ukrainian Armed Forces and other government agencies.

This incident marks another chapter in Sandworm’s decade-long history of launching disruptive cyberattacks against Ukraine’s critical infrastructure. Kyivstar’s CEO, Oleksandr Komarov, emphasized the cyber threat’s physical impact, highlighting the intersection of digital warfare with traditional conflicts.

UK Ministry of Defence Fined £350,000 for Email Error Exposing Afghan Nationals to Life Threats

The UK Ministry of Defence (MoD) faces a substantial £350,000 fine from the Information Commissioner’s Office (ICO) for a critical email error that compromised the personal details of 265 Afghan nationals seeking evacuation. In a severe breach, the MoD mistakenly sent an email listing eligible evacuees with personal information directly in the “To” field, rather than using a more secure method. This error potentially exposed the individuals to life-threatening situations, as some recipients replied to the entire list, with one disclosing their exact location.

The ICO’s fine underscores the gravity of the situation, emphasizing the potential threat to life resulting from the mishandling of sensitive information. The incident highlights a crucial lapse in the MoD’s data protection measures, particularly concerning the Afghan Relocations and Assistance Policy (ARAP).
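An outbound-mail guard for the exact mistake in this story, added here as an example and not code from the ICO or the MoD: it parses the message headers and holds the mail when the visible To/Cc fields expose more than a threshold of addresses, or external recipients from several unrelated domains. The threshold and both sample messages are constructed assumptions.

```python
"""Outbound-mail guard for the "whole list in the To field" mistake.

Added example: hold a message when To/Cc (which every recipient sees) carry
more than a threshold of addresses, or external recipients from more than one
domain. MAX_VISIBLE and the sample messages are constructed assumptions.
"""
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

MAX_VISIBLE = 5  # assumed policy: larger lists must go through Bcc or a mail-merge tool

def visible_recipients(raw: bytes) -> set:
    """Addresses every recipient can see: everything in To and Cc (Bcc is ignored)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    fields = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def check_message(raw: bytes, max_visible: int = MAX_VISIBLE):
    """Return (ok, reason); ok is False when the message should be held for review."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    visible = visible_recipients(raw)
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses visible in To/Cc (limit {max_visible})"
    external = {a for a in visible if not a.endswith("@" + sender_domain)}
    domains = {a.rsplit("@", 1)[-1] for a in external}
    if len(domains) > 1:
        return False, f"external recipients from {len(domains)} unrelated domains can see each other"
    return True, "ok"

# Constructed sample: six unrelated recipients placed in To instead of Bcc.
BAD_MAIL = b"""From: caseworker@example.gov.uk
To: a@example.com, b@example.org, c@example.net,
 d@example.com, e@example.org, f@example.net
Subject: Eligibility update

Body omitted.
"""
# Constructed sample: recipients moved to Bcc; only the sender's own address is visible.
GOOD_MAIL = b"""From: caseworker@example.gov.uk
To: caseworker@example.gov.uk
Bcc: a@example.com, b@example.org, c@example.net
Subject: Eligibility update

Body omitted.
"""
```

Run the guard at the mail gateway or as a send-time hook; the Bcc header is deliberately not counted because the MTA strips it before delivery, so its addresses never reach other recipients.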

Job Recruiters Targeted in Evolving Malware Campaign by FIN6-Linked Group

In a dynamic shift of tactics, cybersecurity researchers have uncovered a highly sophisticated campaign by threat actor TA4557, likely associated with the FIN6 cybercrime group. Targeting recruiters under the guise of job applicants, this evolved attack involves the submission of infected job applications through portals and direct emails. Once a recruiter interacts with specified URLs, a series of sophisticated maneuvers unfold.

The attacker utilizes Living-off-the-Land techniques, employing malicious LNK shortcut files and DLL payloads. The latter, executed through Windows Management Instrumentation and ActiveX Object Run methods, downloads the More_Eggs backdoor. This multi-stage assault not only showcases the adversary’s adept social engineering skills but also emphasizes the need for proactive cybersecurity measures.

EU Reaches Milestone Deal on AI Act, Establishing Stringent Regulations for Foundational and High-Risk AI Systems

In a historic move, the European Union (EU) has secured a provisional agreement on the AI Act after marathon 36-hour negotiations. This groundbreaking legislation sets out to regulate the use of AI systems, covering everything from foundational models like ChatGPT to the deployment of AI in governmental and law enforcement contexts, particularly in biometric surveillance.

The legislation maintains a tiered approach, with foundational models required to adhere to transparency measures, including disclosing training data summaries without compromising trade secrets. AI-generated content must be immediately identifiable. ‘High-risk’ AI practices face strict regulations, encompassing model evaluation, risk assessment, cybersecurity protocols, and reporting on energy consumption. Crucially, a fundamental rights impact assessment is mandated for high-risk AI systems.

Additionally, the legislation outright bans ‘unacceptable risk’ AI practices, such as manipulative techniques and indiscriminate scraping of facial images. Models surpassing specified computing power thresholds are automatically categorized as ‘systemic.’

US Senate Confirms Harry Coker As National Cyber Director

On Tuesday, the Senate officially confirmed cyber intelligence veteran Harry Coker to spearhead the White House cybersecurity office. Coker brings over 17 years of expertise from directing operations at the NSA and CIA. His practitioner background is expected to enable effective guidance of national cyber policies during a notably turbulent period for the cyber landscape. 

Assuming office following three interim directors, Coker faces pressing concerns over implementing legislated incident reporting frameworks while streamlining existing regulations. With mandatory disclosure rules for companies kicking in next week, his leadership will be vital for synchronizing federal accountability. 

Additionally, Coker will need to contend with sophisticated nation-state-sponsored attacks launched amid global conflicts, an explosion of cybercrime targeting critical infrastructure, and emerging AI cyber risks.

Cybersecurity Leaders Fear Phishing Despite Confidence in Password Defense, Axiad Survey Reveals

A recent survey by Axiad on cyberattack response and preparedness reveals a nuanced landscape in cybersecurity concerns and practices. While 39% of security leaders fear phishing attacks the most, a larger portion (49%) acknowledges them as the most likely cyber threat. Despite an 88% confidence level in defending against password-based attacks, over half (52%) of respondents reported falling victim to such attacks in the past year. This suggests a potential gap between perceived preparedness and the reality of cyber threats.

What stands out is the persistence of password usage, with 93% of respondents still relying on passwords for business. Reasons cited include fear of change (64%), concerns about technology replacement (54%), time constraints (51%), and staff shortages (25%). This highlights the ongoing challenges in transitioning away from passwords despite their vulnerabilities. 

New Hacker Group GambleForce Targets APAC Companies with SQL Injection Attacks

In a concerning development, a recently identified hacking group, GambleForce, has surfaced in the Asia-Pacific (APAC) region, employing SQL injection attacks since at least September 2023. This group utilizes basic yet highly effective techniques, focusing on vulnerable website content management systems to extract sensitive data, particularly user credentials. 

Reports from cybersecurity firm Group-IB reveal that GambleForce has successfully infiltrated six out of 24 organizations across various sectors, including gambling, government, retail, and travel, spanning countries such as Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand.

What sets GambleForce apart is its reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell, indicating a pragmatic approach to cyber-attacks. Notably, the group uses the legitimate post-exploitation framework Cobalt Strike, incorporating commands in Chinese, adding an additional layer of complexity to their origins.


That’s all for today. Stay tuned for our next episode. See you next week!
