Welcome to the Cyber Watch series for today, January 19, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of the stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.
A recent Cyberint report reveals a staggering 55% surge in ransomware attacks in 2023, totaling 4,368 victims globally. Established groups like LockBit3.0 and ALPHV, along with newcomers including 8Base, Play, and Akira, contributed to the alarming rise. The MOVEit campaign, underscoring the threat of supply chain attacks, emerged as the most impactful. The United States bore the brunt, representing 64% of cases, with the business services sector leading in reported incidents.
As the fourth quarter of 2023 alone documented 1,154 ransomware incidents worldwide, the report warns of the industry’s rapid growth despite law enforcement efforts. Looking ahead to 2024, the cybersecurity outlook remains grim, with veteran and emerging groups expected to dominate.
GitHub takes swift action, addressing a high-severity vulnerability discovered through its bug bounty program. The flaw, allowing unauthorized access to credentials, was promptly patched on GitHub.com. The key rotation, a standard security practice following incidents, was initiated to prevent potential unauthorized access to code repositories.
GitHub researchers express confidence that the vulnerability (CVE-2024-0200) had not been previously exploited, highlighting the importance of vigilance and proactive security measures. This incident underscores the critical role of key rotation in maintaining the integrity and security of code repositories. The report emphasizes that, had GitHub not rotated keys, malicious access could have compromised the security and integrity of multiple code repositories.
Security experts stress the significance of periodic key rotation, likening it to rotating passwords but highlighting the complexity associated with cryptographic keys serving various functions in securing communications and access.
Chinese Hackers Target Taiwan Elections in ‘Embarrassment Campaign’ as Geopolitical Tensions Raise Global Economic Concerns
Chinese hackers, identified by Google Cloud’s Mandiant, launched a series of cyber-attacks targeting Taiwan’s elections, aiming to discredit the government and critical infrastructure. The attacks, surging over 3,370%, were strategically timed before the elections, designed as an “embarrassment campaign” to influence voters.
Former FBI Executive James Trugel highlights the goal of dissuading support for the Democratic Progressive Party (DPP) candidate Lai Ching-te. Chinese authorities dismiss the allegations, terming them “disinformation,” while tensions rise amid Taiwan’s historic economic importance and the DPP’s pro-independence stance.
The impact of these cyber threats extends beyond Taiwan, with the nation being a key player in global technology manufacturing. As the DPP emerges victorious, concerns grow about potential conflicts and their significant economic fallout.
A startling 137% increase in Vendor Email Compromise (VEC) attacks has shaken the global financial services industry, warns Abnormal Security. The data reveals a surge in socially engineered email threats, averaging 200 advanced attacks per 1000 mailboxes weekly. Notably, peak attack periods in late January, late September, and mid-December raised concerns. VEC, involving threat actors impersonating business providers, poses a serious risk of manipulating financial transfers, with reported instances targeting millions of dollars, including a staggering $36 million case.
Abnormal Security details the complexity of VEC attacks, citing a $1.4 million incident against an Australian financial holding company. Leveraging legitimate communication patterns and invoices, threat actors successfully altered banking details in what seemed like an innocuous email.
In tandem, the financial sector witnessed a 71% increase in Business Email Compromise (BEC) attacks in 2023, where cybercriminals impersonate executives for fraud. Despite lacking malicious links, BEC attacks easily bypass traditional security tools, with a nearly 28% median open rate for text-based BEC attacks.
SonicWall Firewalls Vulnerable to Remote Code Execution, 178,000 Devices at Risk, Urges Immediate Security Measures
In a critical cybersecurity revelation, 178,000 SonicWall firewalls face exploitation risks due to vulnerabilities allowing remote code execution. Discovered by Bishop Fox researchers, the unauthenticated Denial of Service (DoS) flaws, namely CVE-2022-22274 and CVE-2023-0656, affect SonicWall NGFW series 6 and 7. While no in-the-wild exploitation has been reported, a proof of concept for CVE-2023-0656 is public, heightening concerns.
Detailed analysis, using tools such as Ghidra and BinDiff, revealed an integer overflow in CVE-2022-22274 that lets an attacker bypass the firmware’s buffer overflow protection. The patched firmware addresses the issue, emphasizing the importance of immediate action by users. The potential impact of a widespread attack is underscored by the fact that SonicOS restarts by default after three crashes and then drops into maintenance mode.
Researchers advise SonicWall users to conduct thorough vulnerability checks, remove the web management interface from public access, and promptly upgrade to the latest firmware. While the current likelihood of remote code execution is deemed low, securing devices becomes imperative to mitigate potential Denial of Service risks.
A newly discovered vulnerability, named LeftoverLocals, has raised alarm bells for major GPU brands, including Apple, Qualcomm, and AMD, as researchers from Trail of Bits unveil potential data leakage risks. Unlike CPUs with robust security measures, GPUs, pivotal in AI development, lack comparable data privacy features.
LeftoverLocals could allow attackers, with established operating system access, to illicitly access GPU memory, extracting significant amounts of data ranging from 5 to 180 megabytes. This poses a critical security concern as GPUs witness increasing demand for large language models (LLMs) and data-intensive AI applications.
Trail of Bits’ proof of concept, aptly demonstrating the LeftoverLocals attack, reveals the swift extraction of LLM-generated responses with minimal code, emphasizing the urgency for enhanced GPU security.
Cyberint Identifies 3 New Players—3AM, Rhysida, and Akira—Shaping the 2024 Cybersecurity Threat Landscape
Cyberint recently unveiled insights into the rise of three new ransomware entities—3AM, Rhysida, and the Akira Group. 3AM, coded in Rust, has made a limited yet impactful debut, notably employing an outdated PHP script for potential obscurity. Rhysida, posing as a “Cybersecurity team,” gained infamy for public disclosures and targeting diverse sectors, showcasing a wide array of tactics, including masquerading and phishing. The Akira Group, associated with the notorious Conti ransomware, operates as a ransomware-as-a-service, demonstrating a strong connection and emphasizing the importance of multi-factor authentication.
Cyberint’s report illuminates the shifting dynamics in the ransomware landscape, with emerging threats displaying unique coding choices, diverse attack methodologies, and connections to established cybercriminal entities.
In a cyber onslaught orchestrated by the notorious Bigpanzi syndicate, the ‘Pandoraspear’ DDoS botnet has emerged as a significant threat, infecting millions of smart TVs and set-top boxes, predominantly those running on Android.
Exploiting users visiting questionable streaming sites, the malware discreetly infiltrates devices, allowing cybercriminals to use them as conduits for various cybercrimes. Disturbingly, a recent incident in the United Arab Emirates showcased the potential for content hijacking, replacing regular broadcasts with imagery from the Israel-Palestine conflict.
Pandoraspear inherits its DDoS capabilities from the infamous Mirai malware, incorporating 11 additional Mirai-related attack vectors, marking a concerning evolution in cybercrime tactics. Bigpanzi, operational since at least 2015 with a focus on Brazil, demonstrated resilience by shifting its DDoS operations to another botnet, indicating a strategic move towards more lucrative cyber activities.
Cybersecurity Professionals Advised to Confront Legal Risks and Embrace Transparency Amid Escalating Threats
At the ShmooCon hacker conference, legal experts emphasized the increasing legal challenges faced by cybersecurity professionals. The panel, featuring startup lawyer Elizabeth Wharton, former SEC prosecutor Danette Edwards, and tech investor Cyndi Gula, discussed the implications of the SEC’s new cyber reporting rules, requiring swift disclosure of “material” security incidents.
The conversation delved into the potential flood of initial reports and subsequent disclosures, reflecting the evolving nature of cyber threats. The panel acknowledged the intersection of transparency, remote work, and heightened documentation, presenting both opportunities for investigators and complexities for cybersecurity practitioners.
Addressing the SolarWinds CISO case, where Timothy Brown faced SEC charges, the experts encouraged cybersecurity professionals not to shy away from their roles due to growing legal oversight. Instead, they advocated for proactive documentation and transparency as vital strategies for navigating legal complexities and maintaining trust within organizations. The advice extended to executives seeking change, urging them to obtain written approvals for plans or budget requests, providing a shield amid increased legal scrutiny.
In a joint advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a stark warning about the Androxgh0st malware, exposing its potent capabilities in constructing a sophisticated botnet to identify and exploit susceptible networks.
Crafted in Python, the malware specializes in targeting .env files, which house critical credentials for services like AWS and Microsoft Office 365. The advisory underscores its use of Simple Mail Transfer Protocol (SMTP) for scanning, exploiting stolen credentials, and deploying web shells. The alert sheds light on the malware’s advanced techniques, including the use of scripts to identify websites with specific vulnerabilities such as the PHPUnit bug (CVE-2017-9841).
Notably, the malware focuses on websites using the Laravel framework, extracting sensitive information from root-level .env files and employing the Laravel application key for encryption. The threat actors behind Androxgh0st exhibit a multifaceted approach, emphasizing the urgent need for cybersecurity measures.
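As an added example (not code from the Cyber Watch post or from the CISA/FBI advisory), the following Python script scans web-server access log lines for the two request patterns a defender would want to spot in connection with the activity described above: probes for an exposed Laravel .env file and probes for the PHPUnit eval-stdin.php endpoint associated with CVE-2017-9841. The log lines are constructed samples, and the eval-stdin.php path is a known indicator for that CVE rather than something quoted from this page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [19/Jan/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [19/Jan/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Jan/2024:10:03:44 +0000] "GET /admin/.env HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator 1: any request whose path is a .env file (at the root or in a subdirectory).
ENV_RE = re.compile(r'(^|/)\.env(\?.*)?$')
# Indicator 2: the PHPUnit eval-stdin.php endpoint tied to CVE-2017-9841.
PHPUNIT_RE = re.compile(r'/eval-stdin\.php$', re.IGNORECASE)


def classify(path: str) -> Optional[str]:
    """Return an indicator label for a request path, or None if it is benign."""
    if ENV_RE.search(path):
        return "env-probe"
    if PHPUNIT_RE.search(path):
        return "phpunit-rce-probe"
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per suspicious request, noting whether the probe succeeded."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        kind = classify(m.group("path"))
        if kind is None:
            continue
        rec: Dict[str, object] = dict(m.groupdict())
        rec["indicator"] = kind
        # A 200 response to a .env request means the server actually served the file:
        # treat that as a credential-exposure incident, not just a scan.
        rec["exposed"] = kind == "env-probe" and m.group("status") == "200"
        hits.append(rec)
    return hits


def probing_clients(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count suspicious requests per client IP for triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["ip"])] = counts.get(str(h["ip"]), 0) + 1
    return counts
```

A record with `exposed` set to true should be treated as a leaked-secrets event, which means rotating every credential in that .env file, not only blocking the scanning client.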
That’s all for today. Stay tuned for our next episode. See you next week!