Attacks, Threats, and Vulnerabilities
Google notifies 14,000 Gmail users of targeted APT28 attacks (The Record by Recorded Future) Google has sent email notifications to more than 14,000 Gmail users that they’ve been the target of a spear-phishing attack orchestrated by a state-sponsored hacking group.
Google warns 14,000 Gmail users targeted by Russian hackers (BleepingComputer) Google has warned about 14,000 of its users that they were targeted in a state-sponsored phishing campaign by APT28, a threat group that has been linked to Russia.
Google warns of APT28 attack attempts against 14,000 Gmail users (Security Affairs) Google warned more than 14,000 Gmail users that they have been the target of nation-state spear-phishing campaigns. On Wednesday, Google announced that it had warned approximately 14,000 Gmail users that they had been targeted by nation-state hackers. Shane Huntley, the head of the Threat Analysis Group (TAG), wrote on Twitter that his group had sent an above-average batch […]
FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets (Mandiant) Today, Mandiant Intelligence is releasing a comprehensive report detailing FIN12, an aggressive, financially motivated threat actor behind prolific ransomware attacks since at least October 2018. FIN12 is unique among many tracked ransomware-focused actors today because they do not typically engage in multi-faceted extortion and have disproportionately impacted the healthcare sector.
Aggressive Ransomware Group FIN12 Moves Fast, Targets Big Companies (SecurityWeek) Mandiant has detailed the operations of FIN12, a highly aggressive ransomware group that moves fast — it only encrypts files and does not steal data — and targets big companies.
Rapid RYUK Ransomware Attack Group Christened as FIN12 (Dark Reading) Prolific ransomware cybercrime group’s approach underscores a complicated, layered model of cybercrime.
FIN12 hits healthcare with quick and focused ransomware attacks (BleepingComputer) While most ransomware actors spend time on the victim network looking for important data to steal, one group favors quick malware deployment against sensitive, high-value targets.
No honor among thieves: One in five targets of FIN12 hacking group is in healthcare (ZDNet) The group strikes big game targets with annual revenues of over $6 billion.
REvil Continues Its Reemergence, Joins Groove-led RAMP Forum (Flashpoint) On October 7, cybersecurity analysts at Flashpoint discovered a post on the REvil leaks site, the Happy Blog, inviting users to join the ransomware group on RAMP.
Actors Target Huawei Cloud Using Upgraded Linux Malware (Trend Micro) We have recently noticed another Linux threat evolution that targets relatively new cloud service providers (CSPs) with cryptocurrency-mining malware and cryptojacking attacks. In this article, we discuss a new Linux malware trend in which malicious actors deploy code that removes applications and services present mainly in Huawei Cloud.
FontOnLake: Previously unknown malware family targeting Linux (WeLiveSecurity) ESET researchers uncover FontOnLake, a malware family that uses custom and well-designed modules to target operating systems running Linux.
Hackers of SolarWinds stole data on U.S. sanctions policy, intelligence probes (Reuters) The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, people involved in the investigation told Reuters.
Ransomware hackers find vulnerable target in U.S. grain supply (NBC News) At least three U.S. grain distributors’ systems have been infected with ransomware in recent weeks, raising concerns that hackers have found an easy target in
Iran-linked MalKamak Hackers Targeting Aerospace, Telcos With ShellClient RAT (SecurityWeek) Researchers have discovered a previously unknown advanced threat actor, likely of Iranian origin, using a previously undocumented RAT targeting largely aerospace and telecommunications organizations.
Microsoft: Russia Behind 58% of Detected State-Backed Hacks (SecurityWeek) Russia accounted for most state-sponsored hacking over the past year, with a 58% share, according to Microsoft’s Digital Defense Report, which covers July 2020 through June 2021.
Report links Indian company to spyware that targeted Togolese activist (The Record by Recorded Future) A new report from Amnesty International links an Indian cybersecurity firm called Innefu Labs to spyware used to target an unidentified “prominent human rights defender” in Togo.
Togo: Prominent activist targeted with Indian-made spyware linked to notorious hacker group (Amnesty International) New research reveals activists in Togo risk being targeted by shadowy cyber-mercenaries who use covert digital attacks to steal victims’ private information.
NSO ended Pegasus contract with UAE over Dubai leader’s hacking (Reuters) The Israeli-based NSO Group ended its contract with the United Arab Emirates to use its powerful “Pegasus” state spyware tool because Dubai’s ruler was using it to hack the phones of his ex-wife and some close to her, her lawyers told England’s High Court.
Twitch Blog | Updates on the Twitch Security Incident (Twitch Blog) [10/7/2021 @ 1:00AM PT]
Updates regarding Stream Keys
Out of an abundance of caution, we have reset all stream keys. You can get your new stream key here: https://dashboard.twitch.tv/settings/stream.
Twitch blames data breach on server configuration error (CNET) The massive data leak allegedly included the streaming platform’s source code and data on creator payouts.
Twitch blames server misconfiguration for massive data breach, resets all stream keys (Computing) Streaming platform faces a difficult future as sensitive data is posted online.
Twitch Data Leak Shows Some Streamers Make Hundreds of Thousands Per Month (Wall Street Journal) Twitch broadcasters’ earnings and other company information were made public Wednesday on the leak announced on 4chan by a user who claimed to have posted it there to hurt the Amazon.com unit’s business.
Twitch streamers respond after huge leak of creator payout data (TechCrunch) Twitch confirmed yesterday that a massive cache of internal data, including creator payouts, was published online after a breach. The streaming platform said in a blog post that the leak was caused by an error in a Twitch server configuration change, which was then accessed by a malicious third par…
The Twitch Hack Is Worse for Streamers Than for Twitch (Vice) The leak of source code and some internal security files does not expose sensitive data, according to a former Twitch employee.
Twitch Streamers’ Earnings Were Exposed. Now, It’s a Meme (Wired) “I’d never want to hide how much I make, so I’m down to make a meme out of it,” one top streamer told WIRED.
Destiny banned by Twitch for sharing staffer’s personal info (WIN.gg) Political streamer Steven “Destiny” Bonnel has been suspended from Twitch. On October 7, Destiny told his fans on Discord that he was suspended for
To get big Twitch payouts, you have to be among the top .01% of streamers (pcgamer) Leaked Twitch data shows who’s been making the most money from subscribers and ad revenue.
Hackers are waging a guerrilla war on tech companies, revealing secrets and raising fears of collateral damage (Washington Post) A resurgence of ‘hacktivism’ has sought to portray cyberattacks as a moral crusade, but everyday users can also end up having their private information exposed
Botnet abuses TP-Link routers for years in SMS messaging-as-a-service scheme (The Record by Recorded Future) Since at least 2016, a threat actor has hijacked TP-Link routers as part of a botnet that abused a built-in SMS capability to run an underground Messaging-as-a-Service operation.
From match fixing to data exfiltration – a story of Messaging as a Service (MaaS) (VB2021 localhost) When someone first approached us with the question of whether we had heard of malware sending out unsolicited SMS messages, we almost immediately replied positively – there are plenty such malicious applications on Android. The next question caught us rather by surprise: have you seen such malware on a 4G/LTE capable broadband router?
Read that link carefully: Scammers scoop up misspelled cryptocurrency URLs to rob your wallet (Washington Post) These aren’t typos: wwwblockchain.com, conibase.com
Phishing Attacks Are Top Cyber Crime Threat, Easier Than Ever to Create and Deploy (Security Intelligence) Phishing attacks continue to increase in number. See why phishing kits make them easier and how to defend against the way attackers deploy them today.
Borrowed a School Laptop? Mind Your Open Tabs (Wired) Students—many from lower-income households—were likely to use school-issued devices for remote learning. But the devices often contained monitoring software.
QR codes are a privacy problem — but not for the reasons you’ve heard (Washington Post) The little black-and-white squares aren’t inherently bad
UK’s Weir Group hit by attempted cyber attack at end of Q3 (Reuters) Engineering firm Weir Group said on Thursday it was the target of an attempted ransomware attack in the second half of September, which impacted third-quarter profit.
Cyber experts warn Virginians of fake job listings (WTVR) The VEC admitted that the agency gave out $930 million last year in incorrect payments. 7 percent of the money was fraudulently obtained.
Security Patches, Mitigations, and Software Updates
Microsoft to disable Excel 4.0 macros, one of the most abused Office features (The Record by Recorded Future) Microsoft plans to disable a legacy feature known as Excel 4.0 macros, also XLM macros, for all Microsoft 365 users by the end of the year, according to an email the company has sent customers this week, also seen by The Record.
Cisco Patches High-Severity Vulnerabilities in Security Appliances, Business Switches (SecurityWeek) Cisco this week released patches for multiple high-severity vulnerabilities affecting its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products.
Apache Issues Another Emergency Patch for Exploited Flaws (GovInfoSecurity) Apache HTTP Server users are being warned to install yet another patch, as a fix released Wednesday was incomplete and introduced a new flaw. The U.S. Cybersecurity
Johnson Controls exacqVision Server Bundle (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Exacq Technologies, a subsidiary of Johnson Controls, Inc.
Equipment: exacqVision Server Bundle
Vulnerability: Improper Privilege Management
Mobile Industrial Robots Vehicles and MiR Fleet Software (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Mobile Industrial Robots (MiR)
Equipment: MiR100, MiR200, MiR250, MiR500, MiR1000, MiR Fleet
Vulnerabilities: Improper Access Control, Integer Overflow or Wraparound, Exposure of Resource to Wrong Sphere, Missing Authentication for Critical Function, Missing Encryption of Sensitive Data, Exposure of Sensitive Information to an Unauthorized Actor, Weak Encoding for Password, Incorrect Default Permissions, Failure to Handle Incomplete Element
Johnson Controls exacqVision (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Exacq Technologies, a subsidiary of Johnson Controls, Inc.
Equipment: exacqVision Server 32-bit
Vulnerability: Integer Overflow or Wraparound
Mitsubishi Electric MELSEC iQ-R Series C Controller Module (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 6.8
ATTENTION: Exploitable remotely
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-R Series C Controller Module…
Google’s TAG spots Fancy Bear. FIN12 concentrates on healthcare. Ag-sector attacks.