Cyber Watch – Friday 10th May, 2024


Welcome to the Cyber Watch series for today, Friday 10th May, 2024. At DigitalXForce, our Cyber Intelligence team curates a list of the latest cybersecurity news to keep you informed of the stories that matter every week.

This week’s Cyber Watch top 10 list is a compilation of stories from 50+ relevant news sources across the web – all ranked according to the risk impact. We encourage you to review these stories and take steps to protect your organization. Click on each headline to read the full story.

Malicious Android Apps Impersonate Popular Services to Steal Credentials

Cybersecurity researchers have uncovered a concerning campaign involving malicious Android applications masquerading as popular services like Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter). These rogue apps are designed to trick users into installing them on their devices and granting them extensive permissions, ultimately enabling the theft of sensitive credentials and personal data.

According to a report from SonicWall Capture Labs, the malicious apps leverage familiar icons and branding to mislead users into believing they are legitimate. Once installed, the apps request access to accessibility services and the device administrator API, granting them broad control over the compromised device.

With these elevated privileges, the malware can perform various malicious activities without the user’s knowledge, including accessing contact lists, SMS messages, call logs, and installed apps. It can also send SMS messages, open phishing pages in the web browser, and even toggle the camera flashlight. 

UK Ministry of Defence Hit by Cyberattack Exposing Military Personnel Data

The UK’s Ministry of Defence has fallen victim to a significant cyberattack that compromised armed forces personnel’s personal information and bank details. The attack targeted a system operated by a third-party company, highlighting the vulnerabilities posed by supply chain security risks.

Work and Pensions Minister Mel Stride confirmed the incident, which has raised concerns about the potential exposure of sensitive data belonging to current and former members of the armed forces, including their addresses in some instances.

While the UK government has not officially attributed the attack, former minister Tobias Ellwood, an ex-soldier and former chairman of a parliamentary defense committee, alleged that the incident bears the characteristics of a Chinese cyberattack. 

Ellwood suggested that targeting the payroll system and service personnel’s bank details could be part of a broader strategy by China to identify individuals who might be susceptible to coercion.

Ohio Lottery Cyberattack Impacts Over 500,000, Exposes Social Security Numbers

The Ohio Lottery has disclosed that a ransomware attack conducted last year by a group known as DragonForce has impacted more than half a million individuals. The incident, which came to light in late December 2023, prompted the lottery to shut down some systems to contain the breach.

According to a report submitted to the Maine Attorney General and letters sent to affected individuals, the cyberattack has compromised sensitive personal information, including full names and social security numbers of approximately 538,000 individuals.

The DragonForce ransomware group initially claimed to have stolen over 3 million records containing employee and player information, such as names, email and postal addresses, winnings, dates of birth, and social security numbers. However, the Ohio Lottery has stated that it currently has no evidence suggesting the misuse of the stolen data.

Nonetheless, the organization has decided to offer free credit monitoring and identity theft protection services to impacted individuals as a precautionary measure.

CISA Launches Vulnrichment to Fortify Vulnerability Management

The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled the Vulnrichment project, an initiative intended to change the way organizations tackle vulnerabilities by giving them richer data to prioritize against.

Focused on arming organizations with actionable intelligence, Vulnrichment enriches public CVE records with critical data points, including Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and Known Exploited Vulnerabilities (KEV) status.

Already, CISA has fortified 1,300 CVEs with this invaluable information, prioritizing new and recent vulnerabilities. But the agency isn’t stopping there. It’s calling upon all CVE Numbering Authorities to provide comprehensive vulnerability details, fueling a collaborative effort to stay ahead of emerging threats.

Russian Hackers Hijack Latvian TV to Broadcast Victory Parade

Russian hackers targeted a TV provider in Latvia, seizing control of television broadcasts to air footage of Russia’s military parade commemorating Victory Day over Nazi Germany. The cyberattack, which Latvian authorities attribute to the Kremlin’s ongoing hybrid warfare tactics, affected communications operator Balticom, causing a temporary loss of control over television retransmissions.

According to Ivars Abolinš, chairman of the National Electronic Mass Media Council, the hackers didn’t directly breach Balticom’s systems. Instead, they compromised an interactive TV server in Bulgaria, a content delivery partner, allowing them to alter the broadcast content received by Balticom for retransmission. 

The provocative footage of the May 9th military parade outside the Kremlin in Moscow was then aired on all of Balticom’s rebroadcast television programs. 

UnitedHealth Paid $22M Ransom After Massive Healthcare Data Breach

In a shocking revelation, UnitedHealth Group CEO Andrew Witty disclosed that the healthcare giant paid a staggering $22 million ransom to cybercriminals after a massive data breach at its subsidiary, Change Healthcare. 

Testifying before Congress, Witty acknowledged that personal data from an estimated one-third of Americans could have been compromised in this unprecedented cyberattack. The breach, which occurred in late February, saw hackers exploit compromised credentials to infiltrate Change Healthcare’s systems, eventually deploying ransomware that encrypted the network. 

Alarmingly, the initial portal accessed lacked the crucial protection of multi-factor authentication, a security lapse that has since been addressed across all UnitedHealth’s external-facing systems.

“TunnelVision” Flaw Exposes VPN Traffic to Snooping Attacks

Security researchers have unveiled a new technique dubbed “TunnelVision” that exposes a fundamental flaw in routing-based Virtual Private Networks (VPNs). This flaw potentially allows attackers to snoop on users’ online activities, even when they believe their traffic is securely encrypted through the VPN tunnel.

The TunnelVision technique, uncovered by Lizzie Moratti and Dani Cronce from Leviathan Security Group, exploits the way computers handle multiple network connections and routing tables. By manipulating the routing rules, attackers can divert traffic away from the VPN tunnel and onto other networks, effectively decloaking traffic that should otherwise be protected.

At the core of the vulnerability is the abuse of a built-in feature of the Dynamic Host Configuration Protocol (DHCP), which automatically assigns IP addresses and network settings to devices. Specifically, TunnelVision takes advantage of DHCP option 121, which lets a DHCP server supply classless static routes to the client. Once installed in the host’s routing table, those routes can take precedence over the routes the VPN software relies on, so matching traffic leaves the host outside the tunnel.
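To make the mechanism concrete from the defender’s side, the following added example (not code from the article or from Leviathan’s research) decodes a constructed DHCP option 121 payload using the RFC 3442 encoding, models a host routing table in which a “def1”-style full tunnel has installed two /1 routes via tun0, and flags any DHCP-supplied route that longest-prefix-matches ahead of the tunnel. The tunnel prefixes, interface names, metrics and the expected corporate LAN route are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed DHCP option 121 payload (RFC 3442 classless static routes), not a
# capture from the article. Each route is encoded as: prefix length (1 byte),
# ceil(prefix/8) significant destination octets, then 4 router octets.
OPTION_121_PAYLOAD = bytes([
    0, 192, 168, 1, 1,        # 0.0.0.0/0  via 192.168.1.1   (ordinary default route)
    8, 1, 192, 168, 1, 254,   # 1.0.0.0/8  via 192.168.1.254 (more specific than the tunnel's /1)
    8, 10, 192, 168, 1, 1,    # 10.0.0.0/8 via 192.168.1.1   (expected corporate LAN route)
])

# Assumed VPN configuration: a "def1"-style full tunnel that installs two /1
# routes via tun0 so they beat the physical interface's /0 default route.
TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]
# Assumed allowlist: routes the DHCP server is legitimately expected to push.
EXPECTED_LAN_ROUTES = {ipaddress.IPv4Network("10.0.0.0/8")}

Route = tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option_121(payload: bytes) -> list[Route]:
    """Decode the variable-length route list, rejecting truncated or malformed entries."""
    routes: list[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8                 # only the significant destination octets are sent
        dest = payload[i:i + n]
        i += n
        router = payload[i:i + 4]
        i += 4
        if len(dest) != n or len(router) != 4:
            raise ValueError("truncated route entry")
        # Omitted destination octets are zero by definition; strict=False tolerates a
        # server that sets host bits inside the last significant octet.
        network = ipaddress.IPv4Network((dest + b"\x00" * (4 - n), plen), strict=False)
        routes.append((network, ipaddress.IPv4Address(router)))
    return routes


def routes_bypassing_tunnel(dhcp_routes, tunnel_routes, expected) -> list[Route]:
    """Flag DHCP routes that are strictly more specific than a tunnel route they fall inside."""
    flagged: list[Route] = []
    for net, via in dhcp_routes:
        if net in expected:
            continue
        if any(net.prefixlen > tun.prefixlen and net.subnet_of(tun) for tun in tunnel_routes):
            flagged.append((net, via))
    return flagged


def build_table(dhcp_routes) -> list[tuple[ipaddress.IPv4Network, str, int]]:
    """Model the host table: tunnel routes on tun0 (metric 50), DHCP routes on eth0 (metric 100)."""
    table = [(tun, "tun0", 50) for tun in TUNNEL_ROUTES]
    table += [(net, "eth0", 100) for net, _via in dhcp_routes]
    return table


def egress_interface(dest: str, table) -> str:
    """Longest prefix wins; ties go to the lower metric. A /8 from DHCP therefore beats the /1 tunnel."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [(net.prefixlen, -metric, iface) for net, iface, metric in table if addr in net]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    return max(candidates)[2]


if __name__ == "__main__":
    routes = parse_option_121(OPTION_121_PAYLOAD)
    for net, via in routes:
        print(f"option 121 route: {net} via {via}")
    for net, via in routes_bypassing_tunnel(routes, TUNNEL_ROUTES, EXPECTED_LAN_ROUTES):
        print(f"ALERT: {net} via {via} would shadow the VPN tunnel")
    table = build_table(routes)
    for ip in ("1.2.3.4", "9.9.9.9", "10.1.2.3"):
        print(f"{ip} leaves via {egress_interface(ip, table)}")
```

Running the block shows that 1.2.3.4 egresses via eth0 even though the tunnel is up, because the DHCP-supplied 1.0.0.0/8 is more specific than the tunnel's 0.0.0.0/1; a host-side check of this kind, run against the option 121 routes a lease actually delivered, is one way to notice the condition before traffic leaks.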

Massive ‘BogusBazaar’ Scam Loots Millions from Online Shoppers

Security researchers have issued a stark warning to online shoppers after uncovering a vast network of fake e-commerce stores aimed at stealing payment card details and cash. Dubbed “BogusBazaar,” this extensive fraud operation, primarily based in China, has processed over one million orders since 2021, ensnaring an estimated 850,000 victims from Western Europe and the United States.

According to Security Research (SR) Labs, unsuspecting shoppers have ordered over $50 million worth of non-existent items from these bogus bazaars, though the actual financial damage is expected to be lower due to failed payments. However, even when payments are unsuccessful, the scammers can harvest victims’ card details and personal information through fake payment pages.

The fraudsters lure shoppers with legitimate-looking websites offering luxury and branded goods at alluringly low prices. These fake stores often run on popular e-commerce platforms like WooCommerce, Zen Cart, or OpenCart, using expired domains with good Google reputations.

RSAC 2024 Highlights 

The annual RSA Conference in San Francisco was abuzz with discussions around the rapidly advancing capabilities of artificial intelligence in cybersecurity. With over 80,000 attendees descending on the city, vendors showcased how AI is being applied to enhance threat detection, data analysis, and decision-making for cyber defenders.

However, amid the excitement, a common refrain emerged – AI is a powerful tool, but not a silver bullet. Responsible adoption with proper governance is key. Rehan Jalil of Securiti AI outlined best practices like cataloging AI models, assessing risks against regulations, and governing unstructured data inputs.

While AI promises advantages like sustained “Context Memory” for better situational awareness, CISOs raised concerns about adversaries harnessing AI to generate novel malware strains. Detecting AI-powered threats early in the attack chain has become imperative.

Beyond AI, the conference highlighted other emerging focus areas. Mobile device security, long an afterthought, is now being prioritized as a gaping hole in many strategies. Global threat telemetry analysis allows organizations to benchmark their posture against wider industry trends.

As innovations like Microsoft’s Copilot show AI assistance integrating with human analysts, RSAC 2024 drove home that no single product can solve cybersecurity challenges alone. AI capabilities must complement holistic strategies that align security investments with overarching business objectives.

North Korea’s Kimsuky Hackers Deploy Novel ‘Durian’ Malware Targeting Crypto Firms

The North Korean state-sponsored hacking group Kimsuky has been observed utilizing a previously undocumented Golang-based malware dubbed “Durian” in highly targeted cyberattacks aimed at South Korean cryptocurrency companies. According to Kaspersky’s APT trends report for Q1 2024, Durian boasts comprehensive backdoor functionality, enabling remote code execution, file downloads, and data exfiltration.

The attacks, which occurred in August and November 2023, leveraged legitimate South Korean software as an infection vector, leading to the retrieval of malicious payloads and establishing persistence on compromised hosts. Durian facilitated the introduction of additional malware, including Kimsuky’s staple AppleSeed backdoor, a custom proxy tool called LazyLoad, and other legitimate utilities like ngrok and Chrome Remote Desktop.

Notably, the use of LazyLoad has previously been associated with the Andariel sub-cluster of the infamous Lazarus Group, suggesting potential collaboration or tactical overlap between the two North Korean threat actors. Ultimately, the attackers implanted the malware to pilfer browser-stored data, including cookies and login credentials from the targeted cryptocurrency firms.

Kimsuky, also known as APT43, Black Banshee, and Emerald Sleet, is a subordinate element to North Korea’s Reconnaissance General Bureau (RGB) intelligence agency. The group primarily focuses on stealing data and insights by compromising policy analysts and experts, enabling more credible and effective future spear-phishing campaigns against high-value targets.

That’s all for today. Stay tuned for our next episode. See you next week!
