Welcome to the Cyber Watch series for today, January 26, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of stories that matter every week.
This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.
In a stark revelation, a recent Menlo Security report has unveiled a staggering 198% surge in browser-based phishing attacks during the latter half of 2023 compared to the first half of the year. Evasive attacks rose even faster: the study records a 206% increase, and such attacks now constitute 30% of all browser-based phishing attacks.
Evasive tactics, including SMS phishing (smishing), Adversary in the Middle (AITM) frameworks, image-based phishing, brand impersonation, and Multi-Factor Authentication (MFA) bypass, demonstrate an evolving sophistication among cyber threat actors.
The report underscores the prevalence of over 550,000 browser-based phishing attacks in the past 12 months, with Legacy Reputation URL Evasion (LURE) attacks witnessing a significant 70% uptick since 2022. Of particular concern is the revelation that more than 73% of LURE attacks originate from seemingly trustworthy websites, which illustrates how these attacks trade on established reputation to slip past URL filtering.
In a recent cybersecurity incident, the U.S. Securities and Exchange Commission (SEC) blamed a SIM swapping attack as the cause of the hijacking of its official Twitter account. Hackers took advantage of the compromised account to falsely announce the approval of Bitcoin futures exchange-traded funds (ETFs).
This misinformation triggered a temporary surge in Bitcoin’s value, followed by a drop when the SEC corrected the announcement. The SEC revealed that multi-factor authentication (MFA), a critical security measure, had been disabled on the account for several months, enabling the attackers to reset the password once they gained control of the phone number via the telecom carrier.
SIM swapping involves redirecting calls and texts to a rogue device, allowing cybercriminals to intercept verification codes and compromise accounts. Despite the breach, the SEC emphasized that there was no evidence of unauthorized access to its systems, data, devices, or other social media accounts. Law enforcement, including the FBI and CISA, is actively investigating the incident, focusing on how the attackers convinced the carrier to change the SIM and on identifying the phone number tied to the account.
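The SEC story combines two weaknesses: MFA left disabled for months, and a password reset that could be completed with nothing more than control of the phone number. The audit below, an added example rather than anything from the article or the SEC, flags accounts with either condition; the account records are constructed sample data, and the field names are assumptions standing in for whatever a platform's admin API actually exposes.

```python
"""Flag accounts exposed to the SIM-swap scenario above: MFA switched off for an
extended period, MFA that relies only on the phone number, or a password reset
reachable by SMS. Added example; account records are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Factors an attacker inherits once the carrier moves the number to their SIM.
PHONE_BOUND = {"sms", "voice"}


@dataclass
class Account:
    name: str
    mfa_enabled: bool
    mfa_factors: Tuple[str, ...] = ()        # e.g. ("sms",) or ("totp", "fido2")
    mfa_disabled_since: Optional[date] = None
    sms_password_reset: bool = True          # reset code delivered by text?


def assess(acct: Account, today: date, grace_days: int = 7) -> List[str]:
    """Return the SIM-swap-relevant weaknesses of one account (empty = none)."""
    findings = []
    if not acct.mfa_enabled:
        days = (today - acct.mfa_disabled_since).days if acct.mfa_disabled_since else None
        # A short, tracked outage may be a planned reconfiguration; months is not.
        if days is None or days > grace_days:
            findings.append(f"mfa disabled ({'unknown' if days is None else days} days)")
    elif set(acct.mfa_factors) <= PHONE_BOUND:
        findings.append("mfa relies only on phone-bound factors")
    if acct.sms_password_reset:
        findings.append("password reset reachable via SMS")
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map account name -> findings, listing only accounts with at least one."""
    report = {}
    for acct in accounts:
        findings = assess(acct, today)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample: the first account mirrors the pattern in the SEC story.
AUDIT_DATE = date(2024, 1, 26)
SAMPLE = [
    Account("press-x", mfa_enabled=False, mfa_disabled_since=date(2023, 7, 1)),
    Account("ops-x", mfa_enabled=True, mfa_factors=("sms",), sms_password_reset=False),
    Account("ciso-x", mfa_enabled=True, mfa_factors=("totp", "fido2"), sms_password_reset=False),
]


def audit_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, "->", "; ".join(findings))
```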
The UK’s National Cyber Security Centre (NCSC) issued a sobering forecast, predicting a surge in ransomware attacks propelled by artificial intelligence (AI) advancements. In a comprehensive report, the NCSC underscores the current utilization of AI by threat actors, particularly in refining cyber operations like reconnaissance, phishing, and coding.
The agency anticipates this trend persisting and escalating beyond 2025. Notably, the report emphasizes the imminent role of AI in optimizing phishing attacks, a critical initial step for cybercriminals orchestrating ransomware campaigns.
The NCSC’s analysis extends to the aftermath of attacks, expressing concerns about AI’s potential to accelerate the analysis of exfiltrated data. This enhanced efficiency enables threat actors to train AI models swiftly, intensifying the impact of cyber attacks, including ransomware. The report serves as a crucial warning for the cybersecurity community, urging proactive measures to counteract evolving threats in the AI-driven landscape.
The cryptocurrency wild west continues, albeit with fewer bank robberies. According to blockchain analysis firm Chainalysis, the total value of cryptocurrency stolen by hackers decreased significantly to $1.7 billion in 2023. However, hack incidents increased to over 230, indicating ongoing vulnerabilities. The decline is attributed to fewer decentralized finance (DeFi) protocol mega-heists compared to prior years.
DeFi hacks fueled massive theft spikes in 2021 and 2022 but dropped 64% in 2023 to $1.1 billion. Yet hackers are becoming more sophisticated, even as platforms step up security efforts. North Korean state-sponsored groups, who fund weapons programs with stolen crypto, pulled off 20 major hacks in 2023, more than in 2022. Their haul dropped from $1.7 billion to over $1 billion, but the threat remains serious.
Major exchange breaches still resulted in hundreds of millions in losses, including at Euler Finance, Mixin Network, and Kyber Network. However, prompt action by targeted platforms aided recovery and law enforcement seizures.
Israel-based spyware company NSO Group is desperately trying to salvage its reputation and reverse US sanctions, according to a recent report. NSO, the developer of the notorious Pegasus spyware used to target thousands worldwide, has faced intense backlash since 2021 revelations about Pegasus enabling surveillance of journalists, activists, and politicians.
In response, NSO has gone on a massive lobbying and public relations offensive, spending millions of dollars on DC consultants and law firms. It recently published a new transparency report portraying itself as a defender of human rights. However, experts remain highly skeptical of NSO’s claims and motives. They see the report as more spin than substance.
With its business prospects constrained by US blacklisting, NSO is aggressively pitching officials on the security necessity of its spyware, particularly for Israel. But the Biden administration seems unmoved so far. The spyware firm’s credibility on human rights continues to suffer from Pegasus’ dark legacy of enabling serial abuse and intrusive surveillance. Despite the lobbying blitz, NSO still faces an uphill battle to rehabilitate its battered image and reverse American sanctions. Its latest transparency report appears to be more smoke and mirrors than meaningful reform.
Two threat actors, CyboDevil and UNIT8200, affiliates of the CYBOCREW group, have advertised a colossal 1.8TB database with 750 million Indian phone numbers. Cybersecurity firm CloudSEK discovered the database, which allegedly includes names, addresses, and Aadhaar details. Priced at $3,000, the dataset affects major Indian telecom providers, impacting over half the country’s population. CloudSEK’s analysis reveals a comprehensive breach across the telecom sector.
The threat actors deny direct involvement, claiming acquisition through undisclosed work within law enforcement channels. The CYBOCREW, emerging in July 2023, has quickly become active in major breaches across various sectors. This incident raises concerns about the compromise of sensitive personal information and underscores the evolving tactics of cybercriminal groups targeting large databases for financial gain or other malicious purposes.
Microsoft revealed in a regulatory filing that the Russian hacking group Nobelium, linked to the 2020 SolarWinds breach, accessed email accounts of some top executives. The attack, detected last week, targeted a legacy non-production test tenant account, escalating to compromise a small percentage of corporate email accounts, including senior leadership members. Microsoft clarified that there’s no evidence of customer data, production systems, or proprietary source code access.
The disclosure aligns with new U.S. cybersecurity incident reporting rules, emphasizing transparency amid heightened global tensions. While Microsoft downplayed the material impact, it underscores the risks during geopolitical conflicts. Nobelium, also known as APT29 or Cozy Bear, has historical ties to Russian intelligence (SVR) and played a pivotal role in major cyber intrusions, including the SolarWinds compromise.
Microsoft faced criticism, with Senator Ron Wyden citing “negligence” and urging a reevaluation of government dependence on Microsoft. The FBI is actively involved in addressing the incident, while Microsoft continues its investigation, pledging further actions based on findings.
Hewlett Packard Enterprise (HPE) confronted a breach by the notorious nation-state actor Cozy Bear, discovered on December 12, 2023. The breach targeted HPE’s cloud-based email system, posing critical questions about the extent of the damage and future data security. Cozy Bear, also known as Midnight Blizzard, had potentially been infiltrating HPE’s systems since May 2023, extracting data from specific mailboxes, including those within the cybersecurity department.
This alarming revelation followed a previous intrusion in June 2023, involving compromised SharePoint files. Responding decisively, HPE swiftly mobilized its cybersecurity forces and collaborated with external experts. The company is actively cooperating with law enforcement agencies to trace the perpetrators and is assessing regulatory notifications to ensure transparency and compliance.
While the immediate financial and operational impacts seem limited, the incident underscores the ongoing challenges organizations face against sophisticated nation-state cyber threats.
Security researchers from Kaspersky’s Digital Footprint Intelligence service have detected a substantial increase in dark web discussions related to the unlawful exploitation of Large Language Models (LLMs), particularly ChatGPT. Throughout 2023, nearly 3,000 dark web posts surfaced, covering a spectrum of cyber threats, from the creation of malicious chatbots to the exploration of alternative LLM projects like XXXGPT and FraudGPT.
The peak in discussions, observed in March of the previous year, indicates a sustained interest among cybercriminals in leveraging AI technologies for illicit purposes. Kaspersky’s data reveals that threat actors are actively exploring various schemes, including the development of malware and the unauthorized use of language models for processing stolen user data and parsing files from compromised devices.
Digital footprint analyst Alisa Kulishenko emphasizes the integration of automated responses from ChatGPT or its equivalents into cybercriminal forums, showcasing the increasing prevalence of AI tools in nefarious activities. Additionally, threat actors are sharing jailbreaks through dark web channels, unlocking additional functionalities, and finding ways to exploit legitimate tools, such as those used in penetration testing, for malicious purposes.
Veolia North America Faces Ransomware Attack on Internal Systems; Critical Water Operations Unaffected
Veolia North America, a prominent water management company, fell victim to a ransomware attack targeting its internal back-end systems. The attack prompted Veolia to take swift defensive action, temporarily taking affected systems offline until restoration could be completed. While the incident resulted in temporary disruptions to online bill payment systems, the company assures customers that payments made during this period have been properly applied, and late fees or interest charges will not be incurred.
Crucially, Veolia emphasizes that the ransomware attack did not extend to impact its water or wastewater treatment operations, assuring the public of the security and integrity of critical infrastructure. The incident serves as a stark reminder of the persistent threat posed by ransomware to organizations across sectors. Veolia’s proactive response and commitment to customer transparency underscore the importance of robust cybersecurity measures to mitigate risks and ensure the continuity of essential services.
That’s all for today. Stay tuned for our next episode. See you next week!