Ever encountered a “hog slaughtering” fraud? Or a DDoS assault so large it could liquefy your mind? This week’s cybersecurity summary covers a range of topics – governmental standoffs, stealthy software, and even a hint of store antics.
Grab the latest details before it’s too late!
⚡ Menace of the Week
Dual Jeopardy: Evil Corp & LockBit Collapse: A coalition of global law enforcement agencies detained four individuals and dismantled nine servers associated with the LockBit (aka Bitwise Spider) ransomware operation. Concurrently, authorities unmasked a Russian national, Aleksandr Ryzhenkov, who held a prominent role in the Evil Corp cybercrime syndicate and also had ties to LockBit. A total of 16 individuals affiliated with Evil Corp have been sanctioned by the U.K.
🔔 Major Stories
- DoJ & Microsoft Seize 100+ Russian Hacker Domains: The U.S. Department of Justice (DoJ) and Microsoft declared the confiscation of 107 web domains utilized by a Russian government-backed hacker entity identified as COLDRIVER to coordinate credential theft campaigns aimed at NGOs and think tanks aiding government employees, military, and intelligence staff.
- Unprecedented 3.8 Tbps DDoS Assault: Cloudflare disclosed that it mitigated a record-setting distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. The assault is part of a series of more than a hundred high-volume L3/4 DDoS attacks ongoing since early September 2024 targeting the financial services, Internet, and telecommunications industries. The origin of this activity remains unattributed.
- North Korean Hackers Deploy New VeilShell Malware: Linked to North Korea, a threat group dubbed APT37 has been identified behind a covert campaign targeting Cambodia and potentially other countries in Southeast Asia using a previously unreported backdoor and remote access trojan (RAT) named VeilShell. The malware is likely spread through targeted phishing emails.
- Fraudulent Trading Apps on Apple and Google Marketplaces: A large-scale deceitful operation exploited fake trading apps released on the Apple App Store and Google Play Store, alongside phishing websites, to deceive victims in what’s termed a hog slaughtering scam. The apps are no longer accessible for download. The campaign targeted individuals across Asia-Pacific, Europe, Middle East, and Africa. Additionally, Gizmodo stated that Truth Social users have suffered substantial financial losses due to hog slaughtering tricks.
- Over 700,000 DrayTek Routers Vulnerable to Remote Exploits: A set of 14 security vulnerabilities, collectively named DRAY:BREAK, has been identified in DrayTek-manufactured residential and enterprise routers and could be leveraged to seize control of susceptible devices. The flaws have been fixed following responsible disclosure.
📰 Global Cyber Landscape
- Salt Typhoon Breached AT&T, Verizon, and Lumen Networks: A Chinese state-affiliated hacker entity known as Salt Typhoon infiltrated the systems of U.S. broadband providers such as AT&T, Verizon, and Lumen, potentially obtaining “information from systems the federal government utilizes for court-approved network wiretapping requests,” as reported by The Wall Street Journal. “The hackers seem to have conducted extensive data collection from internet service providers that include businesses of all sizes, serving millions of Americans.”
- U.K. and U.S. Alert on Iranian Spear-Phishing Activity: Hackers operating on behalf of the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) have targeted individuals connected to Iranian and Middle Eastern affairs to illicitly access their personal and business accounts through social engineering, typically via email or messaging platforms. “The attackers often try to establish a relationship before urging victims to open a document through a link, redirecting them to a counterfeit email account login page to harvest credentials,” the agencies said in an advisory. “Victims may be asked to provide two-factor authentication codes, share them via messaging apps, or deal with phone notifications to grant access to the cyber adversaries.”
- NIST NVD Backlog Issue – More than 18,000 CVEs Unanalyzed: An updated examination has revealed that the National Institute of Standards and Technology (NIST), the U.S. government standards body, still has a significant amount of work to do in analyzing recently released CVEs. According to VulnCheck, as of September 21, 2024, a staggering 72.4% of CVEs (18,358 CVEs) in the NVD had not been assessed. VulnCheck also noted that “46.7% of Known Exploited Vulnerabilities (KEVs) continue to be unexamined by the NVD (compared with 50.8% on May 19, 2024).” It’s essential to highlight that a total of 25,357 new vulnerabilities have been added to the NVD since February 12, 2024, when NIST scaled back its processing and enrichment of new vulnerabilities.
- Significant RPKI Weaknesses Revealed in BGP’s Cryptographic Defense: A team of German researchers has discovered that existing implementations of Resource Public Key Infrastructure (RPKI), established to introduce a cryptographic layer to Border Gateway Protocol (BGP), “lack robustness suitable for production and are riddled with software vulnerabilities, inconsistent specifications, and operational difficulties.” These vulnerabilities span from denial-of-service attacks and authentication bypasses to cache manipulation and remote code execution.
- Shift in Telegram’s Data Policy Drives Cybercriminals to Alternate Applications: In response to valid legal demands, Telegram’s recent policy update to disclose users’ IP addresses and phone numbers to authorities is compelling cybercriminal groups to explore other options for messaging platforms, such as Jabber, Tox, Matrix, Signal, and Session. The Bl00dy ransomware gang has announced its departure from Telegram, while activist hacking groups like Al Ahad, Moroccan Cyber Aliens, and RipperSec have indicated a shift towards Signal and Discord. Nevertheless, neither Signal nor Session support functionalities like Telegram’s bots and APIs, nor do they offer extensive group messaging capabilities. Jabber and Tox, however, have already been utilized by adversaries operating on clandestine forums. Intel 471 stated that “Telegram’s extensive global user base still offers significant outreach, vital for cybercriminal activities like disseminating information, recruiting associates, or trading illegal goods and services.” Despite this, Telegram CEO Pavel Durov downplayed the adjustments, mentioning that the platform has been sharing data with law enforcement since 2018 in response to valid legal requests, citing examples from various regions, including Brazil and India.
🔥 Cybersecurity Assets & Perspectives
- Consult the Specialist
- Q: In what ways can enterprises trim down compliance expenses while fortifying their security protocols?
- A: To cut compliance costs while enhancing security, integrate modern technologies and frameworks intelligently. Begin by embracing unified security models like NIST CSF or ISO 27001 to cover an array of compliance requirements, thereby simplifying audits. Target high-risk areas utilizing techniques such as FAIR to focus on the most critical threats. Automate compliance validations with tools like Splunk or IBM QRadar, and leverage AI for swift threat identification. Centralize your security solutions into platforms like Microsoft 365 Defender for cost savings and streamlined management. Utilize cloud services with inherent compliance from providers such as AWS or Azure to reduce infrastructure expenses. Elevate your team’s security awareness through interactive training platforms to cultivate a culture that minimizes errors. Automate compliance reporting with ServiceNow GRC for hassle-free documentation. Implement Zero Trust strategies like micro-segmentation and continuous user authentication to bolster defenses. Monitor your systems closely with tools like Tenable.io to detect and resolve vulnerabilities promptly. By adhering to these steps, you can minimize compliance outlays while upholding robust security measures.
- Cybersecurity Utilities
- capa Explorer Web is a web-based application that facilitates interactive exploration of program capabilities identified by capa. It offers a straightforward method to scrutinize and present capa’s findings within your web browser. capa, developed by the FLARE team, is a free, open-source tool for extracting capabilities from executable files, aiding in categorizing unknown files, guiding reverse engineering, and hunting for malicious software.
- Ransomware Tool Matrix presents an updated inventory of tools employed by ransomware and extortion factions. As these cyber adversaries frequently reuse tools, this data can be leveraged to detect threats, enhance incident responses, identify behavioral patterns, and replicate their strategies in security exercises.
🔒 Weekly Tip
Maintain an “Ingredients List” for Your Software: Your software resembles a recipe crafted from diverse components—third-party elements and open-source libraries. By generating a Software Bill of Materials (SBOM), a detailed enumeration of these elements, you can swiftly identify and rectify security flaws as they arise. Regularly update this inventory, integrate it into your development workflow, monitor for fresh vulnerabilities, and educate your team on these components. This practice diminishes latent risks, expedites issue resolution, meets regulatory requirements, and fosters trust through transparency.
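As an added example (not part of the newsletter), the following Python script shows the “monitor for fresh vulnerabilities” step in practice: it reads a constructed CycloneDX SBOM, matches each component’s package URL against a constructed advisory list, and flags components whose recorded version is below the fixed version. The SBOM contents, advisory ids and versions are placeholders, and the advisory format is a deliberately simplified stand-in for real feeds.

```python
import json

# Constructed CycloneDX 1.5 SBOM for illustration only (not a real project's inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Constructed advisory feed with placeholder ids: a component is affected if its
# version is below "fixed_in" (real feeds such as OSV carry richer range data).
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:pypi/requests", "fixed_in": "2.31.0"},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:npm/lodash", "fixed_in": "4.17.21"},
]

def parse_version(v):
    """Turn a dotted version into a comparable tuple; non-numeric pieces count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def load_components(sbom_json):
    """Map each component's versionless purl to the version recorded in the SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    installed = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if purl:
            base, _, version = purl.rpartition("@")  # the last '@' separates the version
            installed[base] = version
    return installed

def affected_components(sbom_json, advisories):
    """Return (advisory id, purl, installed version) for every component below its fix."""
    installed = load_components(sbom_json)
    hits = []
    for adv in advisories:
        version = installed.get(adv["purl"])
        if version is not None and parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((adv["id"], adv["purl"], version))
    return hits
```

Running `affected_components(SAMPLE_SBOM, SAMPLE_ADVISORIES)` flags only the requests entry, since lodash is already at the fixed version; wiring the same check into CI is what turns the SBOM from a static list into an early-warning signal.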
Wrap-Up
This week’s events have underscored that cyber perils can manifest unexpectedly, even in platforms and networks we entrust. The key takeaway? Stay vigilant, question everything, and keep evolving. Let’s continue to combat cyber threats collectively and intelligently. Until next time, stay safe!