
Cybersecurity and Infosec News Headlines Update on 2022-11-29

Updated on 2022-11-29

The education sector is being constantly targeted by Ransomware actors. Today, we have two schools that fell victim to cyberattacks that disrupted operations and compromised sensitive information. Have you heard of the invisible man challenge on TikTok? Attackers have started using even that to their advantage. Read along to know what transpired in the past 24 hours.

More highlights from the past 24 hours

  • The Durham District School Board (DDSB), Ontario, confirmed suffering a cyberattack that disrupted the school’s access to email and phone services, along with emergency contact. Read more: DDSB recovering from cyber attack that left schools without access to email or emergency contact information
  • North Carolina-based Guilford College revealed that an October ransomware attack exposed the sensitive data of faculty, staff, and students. Vice Society ransomware claimed credit. Read more: North Carolina college confirms ransomware group stole sensitive data
  • Group-IB tracked over 16,000 scam domains and 40 malicious apps on the Google Play Store abusing the FIFA World Cup in Qatar to target fans. Read more: Experts Find 16,000+ Scam FIFA World Cup Domains
  • Binarly researchers discovered that Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library, posing a risk to the supply chain. Read more: Dell, HP, & Lenovo System Found Using Outdated OpenSSL Cryptographic Library
  • Latest research by Akamai disclosed that the number of API and web app attacks on the financial services sector increased by 3.5 times year-on-year in the past 12 months. Read more: Web App and API Attacks Surge 257% in Financial Services
  • A fake Android app on the Google Play Store was found acting as a secret relay for account creation services for Microsoft, Google, Facebook, and others. It has garnered 100,000 downloads. Read more: Malicious Android app found powering account creation service
  • Hackers are using the popular “Invisible Challenge” on TikTok to lure people into downloading an info-stealing malware, WASP. Read more: Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package
  • Law enforcement across 27 countries, along with Europol, took down 12,526 websites hosting illegal content related to counterfeiting and online piracy. Read more: Police Shutter 13,000 Sites in Piracy Crackdown
  • The EU Council issued a new cybersecurity directive, NIS2, which would set standards for cyber risk management and reporting obligations across every sector. Read more: EU Council adopts NIS2 directive to harmonize cybersecurity across member states
  • The Australian government awarded up to $25.4 million in grants under the second round of the Cyber Security Skills Partnership Innovation Fund. Read more: Govt awards $25m in grants from cybersecurity skills fund

Vanuatu ransomware attack

Almost a month after a ransomware attack that crippled its IT network, the government of the small Pacific island of Vanuatu has yet to recover from the incident. ABC News reports that government workers are using their personal email services and hotspots to conduct government business and that local hospitals are still limited to using pen and paper. The Australian government is currently helping Vanuatu rebuild its IT network following the attack. Read more:

  • Vanuatu island hit by ransom attack, cripples government
  • Vanuatu hospital staff using pen and paper after cyber attack that crippled public sector

Local IKEA incidents

Swedish furniture retailer IKEA confirmed that its local franchises in Kuwait and Morocco are dealing with a cyber-attack. The company confirmed the incident after data from both franchise chains was published on the leak site of the Vice Society ransomware and data extortion group. Read more: IKEA investigating cyberattacks on outlets in Kuwait, Morocco

New REvil leaks

The REvil ransomware group has added two new companies to its dark web data leak portal, a US school district and a major services provider for the US healthcare sector. The two updates are of note because they come after two weeks of inactivity, following REvil’s high-profile leak of Medibank patient data. The leak of Medibank patient information prompted the Australian government to issue a threat of repercussions and offensive operations against cybercrime groups. It remains to be seen if the new leaks will trigger a response from the ASD or if the Australian agency will be content to sit on its possible offensive operations until another ransomware gang hits an Australian entity.

Facebook fined €265 million

Ireland’s data protection agency fined Meta €265 million in connection to the company’s April 2021 data breach. The Irish Data Protection Commission said that Meta failed to safeguard its Facebook platform from data scraping, which allowed a threat actor to compile details on more than 530 million Facebook users. This data was later sold on an underground cybercrime forum. Responding to the fine, Facebook told TechCrunch that they have since rolled out protections to detect scraping operations. With this fine, the Irish data protection agency has fined all of Meta’s three main platforms after it also fined Instagram €405 million in September 2022 and fined WhatsApp €228 million in September 2021. Read more:

  • Meta hit with ~$275M GDPR penalty for Facebook data-scraping breach
  • Data Protection Commission announces decision in Instagram Inquiry
  • Data Protection Commission announces decision in WhatsApp inquiry

EDF fine

French privacy watchdog CNIL has fined nuclear energy group EDF €600,000 for multiple security and privacy lapses. CNIL said that EDF failed to inform users of its web portal how their data was collected and handled, in a clear violation of the EU GDPR regulation. In addition, CNIL said that EDF had also failed to secure the passwords of 2.5 million users, which were hashed with the insecure MD5 algorithm and were not salted, contrary to industry-accepted security best practices. Read more: Prospection commerciale et droits des personnes : sanction de 600 000 euros à l’encontre d’EDF
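To make concrete what the CNIL finding means in practice, here is an added example (not code from the CNIL decision or from EDF’s systems) contrasting unsalted MD5 storage with a salted, memory-hard scrypt scheme via Python’s `hashlib`; the user records and the candidate wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample records for the demonstration (not EDF's data).
USERS = {
    "alice": "Summer2022!",
    "bob": "Summer2022!",          # same password as alice
    "carol": "correct horse battery staple",
}

# A small constructed candidate list standing in for a public wordlist.
WORDLIST = ["password", "Summer2022!", "qwerty123"]


def md5_unsalted(password: str) -> str:
    """The scheme CNIL faulted: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_password_groups(stored: dict) -> dict:
    """Audit check on a stored table: users with identical digests share a
    password. With an unsalted hash this leaks without any cracking at all."""
    groups = {}
    for user, digest in stored.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def wordlist_hits(stored: dict, wordlist: list) -> dict:
    """Without a salt, one digest per candidate word is compared against every
    user at once, so a precomputed table amortises across the whole database.
    Returns {user: recovered_password}."""
    table = {md5_unsalted(w): w for w in wordlist}   # computed once, reused for all users
    return {u: table[d] for u, d in stored.items() if d in table}


def scrypt_hash(password: str, salt: bytes = None) -> str:
    """Salted, memory-hard alternative (hashlib.scrypt, OpenSSL-backed).
    A 16-byte random salt makes every stored value unique, so shared passwords
    are no longer visible and no table can be reused between users."""
    if salt is None:
        salt = os.urandom(16)
    n, r, p = 2 ** 14, 8, 1                          # ~16 MiB of memory per guess
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    expected = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                              n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def demo():
    weak = {u: md5_unsalted(pw) for u, pw in USERS.items()}
    print("shared-password groups (md5):", shared_password_groups(weak))
    print("wordlist hits (md5):", wordlist_hits(weak, WORDLIST))
    strong = {u: scrypt_hash(pw) for u, pw in USERS.items()}
    print("shared-password groups (scrypt):", shared_password_groups(strong))
    print("alice verifies:", scrypt_verify("Summer2022!", strong["alice"]))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows alice and bob grouped together and both recovered from a three-word list under MD5, while the scrypt table shows no groups and still verifies the correct password.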

NIS2

After passing a provisional agreement in May, the European Council has formally adopted NIS2, a new EU directive that enforces a tougher set of cybersecurity incident reporting rules for crucial sectors, such as energy, transport, healthcare, space, public administration, and digital infrastructure. NIS2 replaces the older cybersecurity reporting framework NIS and widens reporting rules from large operators to also include mid-sized companies as well. The EU Parliament also formally passed the NIS2 regulations in October, and member states will have 21 months to incorporate the new NIS2 provisions into their national law. Read more:

  • Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament
  • EU decides to strengthen cybersecurity and resilience across the Union: Council adopts new legislation
  • Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience

South Korean cyber sanctions

The Seoul government said last week that it was considering imposing sanctions on North Korean individuals linked to the regime’s cyber operations. The US Treasury Department has already sanctioned multiple North Korean individuals and threat actors it said are behind a cybercrime spree that has stolen funds from banks and cryptocurrency platforms. The US government said these funds were later laundered and diverted to North Korea’s nuclear missile program. South Korean officials said they are now considering applying the same type of sanctions against North Korean cyber units after their northern neighbor has intensified nuclear missile tests over the past months, despite political promises not to do so. Read more: South Korea to review unilateral cyber sanctions if North Korea tests nuke

AIVD threat actor assessment report

Dutch intelligence agency AIVD has published an assessment of current state-backed threat actors. The agency has identified China and Russia as the biggest threats, highlighting China’s penchant for using state groups for intellectual property theft and Russia’s use of cyber for sabotage and physical espionage operations. Iran and North Korea were named as further threats, though with a lesser potential impact on the Netherlands, with state-backed groups from both countries engaging in cyber-espionage and cyber-crime at the same time. Read more: Dreigingsbeeld Statelijke Actoren 2

CYBERCOM hunt forward operations in Ukraine

US Cyber Command has published details for the first time on the “hunt forward” mission the agency conducted in Ukraine before and after Russia’s invasion. Officials said the mission consisted of a joint team of Navy and Marine Corps operators, who worked together with local Ukrainian teams to hunt and detect malicious cyber activity on Ukrainian networks. CYBERCOM said the mission lasted from December 2021 to March 2022, and its operators were present in Ukraine when Russia began executing destructive cyber-attacks in mid-January. CYBERCOM described its Ukrainian mission as the “largest hunt forward team” the agency has deployed in the field so far. Read more: Before the Invasion: Hunt Forward Operations in Ukraine

Scam group detained in Spain

The Spanish National Police has detained six suspects on Tuesday for their alleged role in a criminal gang that has defrauded and stolen more than €12 million from more than 300 victims across Europe. Spanish authorities said the group ran several websites posing as banks and cryptocurrency portals through which they tricked users into making fraudulent investments that sent money to the group’s bank accounts. The group then proceeded to launder the money through accounts at several Spanish banks before transferring the money overseas. At the same time, Europol also announced it took down more than 12,500 websites across Europe that were being used to sell counterfeit goods and digitally pirated content. Read more:

  • La Policía Nacional desarticula una organización criminal que defraudó más de 12 millones de euros mediante phishing
  • International operation shuts down websites offering counterfeit goods and pirated content

EmBEARassment Disclosures

A Telegram channel titled EmBEARassment Disclosures claims to have found links between Swiss software company NeoSoft AG and the Russian intelligence agency FSB. The channel claims NeoSoft is a front company for Russian individuals associated with the FSB to sell spyware and surveillance tools to autocratic regimes from a safe European country. Documents shared in the channel claim to show that NeoSoft’s “tactical software and hardware solutions” have been sold to governments in Egypt, Ecuador, Vietnam, India, Pakistan, and Kazakhstan, but also to EU countries such as Sweden.

ArvinClub evolution

Threat intelligence analyst Marco A. De Felice has published a report on ArvinClub and how the group has recently and suddenly changed from a ransomware and data extortion gang to a hacktivist group that now regularly targets Iranian governmental structures. Read more: The metamorphosis of Arvin Club, from a ransomware group to a group of activists against the Iranian Islamic regime

Pushwoosh linked to malware operation

Investigative infosec reporter Brian Krebs and security researcher Zach Edwards have found links between mobile software company Pushwoosh and the Pincer malware operation from the early 2010s. Pushwoosh rose to infamy this month after a Reuters report found that the company’s code was recently removed from several US government mobile applications after US officials discovered that the company pretended to be based in the US but was actually based in Russia. Krebs says that one of Pushwoosh’s employees is a man he identified in 2013 as the author of Pincer, an Android trojan that was capable of intercepting and forwarding text messages from Android mobile devices. Read more:

  • U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer
  • EXCLUSIVE Russian software disguised as American finds its way into U.S. Army, CDC apps
  • Who Wrote the Pincer Android Trojan?

WASP Stealer TikTok campaign

Security firm Checkmarx has spotted a malware campaign built around “Invisible Challenge,” a viral TikTok trend where users film themselves naked and use a special filter to remove their body from the video footage. Researchers say that a threat actor is currently promoting a Python package that can remove this effect, but in reality, the Python app installs a version of the WASP Stealer malware on their devices. Read more: ATTACKER USES A POPULAR TIKTOK CHALLENGE TO LURE USERS INTO INSTALLING MALICIOUS PACKAGE

UK Crypto-fraud on the rise

According to police data obtained by the Financial Times through a freedom of information request to UK police unit Action Fraud, UK crypto fraud rose by a third in one year, with criminals stealing hundreds of millions of pounds from consumers. Read more: Crypto fraud jumps by a third in UK

KEV update

CISA has updated its KEV database with two vulnerabilities that are currently being actively exploited in the wild. The two are a Chrome zero-day (CVE-2022-4135) patched last week and an auth bypass in Oracle Access Manager from 2021 (CVE-2021-35587) that recently came under attack. Read more: CISA Adds Two Known Exploited Vulnerabilities to Catalog

Botnet creation app

Evina security researcher Maxime Ingrao has discovered a malicious Android app available on the Google Play Store that turns infected smartphones into virtual phone numbers that can be used to register accounts on various social media networks. Ingrao said the malicious app appears to be the backend of a website that allows users to buy bulk accounts on social media sites. The researcher said the app has been downloaded more than 100,000 times already and is currently ranked first in India for the SMS tools category. Read more: Malicious Android app found powering account creation service

CashRewindo

Ad security platform Confiant says that a malvertising group it is tracking as CashRewindo is using domains registered years before to bypass security protections on advertising platforms and run malicious ads. While the group could be buying old domains from domain-reputation-building markets, Confiant researchers believe the group is registering domains themselves and then sitting on the URLs for years before deploying them in their malvertising operation. Read more: CashRewindo: How to age domains for an investment scam like fine scotch

New DFIR Report analysis

We all love DFIR Report write-ups, and they just published another one—detailing how a phishing campaign delivering LNK shortcut files turned into an Emotet infection and then a domain-wide ransomware attack. Read more: Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware

Laplace Clipper

OALABS has some tips and IOCs for those looking to improve their detection and threat-hunting of Laplace, a Go-based malware strain designed to steal data from OS clipboards currently sold on underground cybercrime forums.

RansomBoggs

ESET has a short blog post on RansomBoggs, a new ransomware strain deployed last week in Ukraine and which the company linked to Sandworm, a cyber-espionage group linked to the Russian military intelligence services. ESET spotted and warned about this new ransomware last Friday. Read more: RansomBoggs: New ransomware targeting Ukraine

Kimsuky

Qihoo 360 has published a report on the Kimsuky APT and its recent campaigns employing the BabyShark malware. Read more: APT-C-55(Kimsuky)组织以IBM公司安全产品为诱饵的攻击活动分析

Lyceum

Chinese security firm QiAnXin has published a report on the Lyceum APT, reviewing recent spear-phishing and malware delivery TTPs, most of which have used military-themed lures for distribution. Read more: 瞄准能源企业:Lyceum组织以军事热点事件为诱饵针对中东地区的定向攻击

Lazarus

QiAnXin also has a report on Lazarus attacks targeting Japan. Read more: 求职陷阱:Lazarus组织以日本瑞穗銀行等招聘信息为诱饵的攻击活动分析

UNC4191

US cybersecurity firm Mandiant has discovered a new cyber-espionage group that is heavily active in the Southeast Asian region, where it has targeted public and private sector entities using a novel piece of malware that is currently being spread via infected USB devices. Mandiant said it tracks the group under the temporary name of UNC4191 and that current evidence suggests the group might have a Chinese nexus. Mandiant researchers say the group has heavily focused on targets physically located in the Philippines, although the group’s malware has been seen in other countries, most likely due to it spreading via its target’s internal network. UNC4191 attacks rely on a malware strain named MistCloak that is usually introduced inside networks via an infected USB device. From this initial entry point, the attackers leverage MistCloak to download other Windows trojans named DarkDew and BlueHaze, which act as a backdoor for the group and allow MistCloak to spread to other removable USB devices connected to the compromised network. Read more: Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia

Acer Secure Boot bypass

Hardware vendor Acer has patched a vulnerability (CVE-2022-4020) that could be abused to disable the Secure Boot option inside the company’s BIOS firmware. The vulnerability was discovered by Slovak cybersecurity firm ESET earlier this year and is a variation of the same bug that also impacted Lenovo devices. Lenovo shipped patches at the start of November. If exploited, both vulnerabilities could allow a threat actor to tamper with an operating system’s loading process. Read more: Security Vulnerability Regarding Vulnerability That May Allow Changes to Secure Boot Settings

Log4Shell

Almost one year after the Log4Shell vulnerability was disclosed, around one in four downloads of the Log4j library are still for a version that’s vulnerable to the Log4Shell exploit, according to Sonatype CTO and co-founder Brian Fox. Nonetheless, Fox notes that the company has seen “a little uptick in [the download of] safe versions in the last few months.” Read more: Log4j Vulnerable Downloads Dashboard

Swatting incident

Bot Sentinel Founder Christopher Bouzy said that he was swatted over the weekend at his home in New Jersey. Police said they intervened after they received a call about a child screaming in Bouzy’s home. Nobody was hurt in the incident. Read more: Bot Sentinel founder says he was ‘swatted,’ North Bergen police probing possible ‘trolling’

***

Updated on 2022-11-28

Twitter users are definitely having a perplexing time over at the social media platform. Millions of personal user details were found on a dark web forum, and that too, for free. Ragnar Locker is back in the news by attacking a Belgian police force and stealing loads of highly sensitive information. In other news, another small U.S. college fell victim to the Vice Society ransomware group. Here’s everything that happened this weekend.

More highlights from the past 24 hours

  • Scammers abused the official website of FC Barcelona in an advanced third-party fraud campaign. The suspicious link led to an online gambling portal. Read more: FC Barcelona’s Website Used by Scammers for Fraud
  • African police arrested 10 individuals associated with $800,000 worth of global fraud, following a four-month-long operation. The police took action against 200,000 malicious cyber infrastructure elements. Read more: African Police Bust $800K Fraud Schemes
  • Dragos reported that Russian hacker groups, Xenotime and Kamacite, are conducting “exploratory research” into Dutch LNG terminal systems. Read more: Russian Hackers Target Dutch LNG Terminal
  • Harry Rosen, Canadian menswear retailer, confirmed that it suffered a cyberattack last month. The acknowledgment comes after the BianLian ransomware group listed the company on its leak site. Read more: Canadian menswear chain Harry Rosen confirms cyber attack

No WhatsApp breach

A threat actor has been circulating an alleged leak of WhatsApp data. It’s fake. It’s just a list of phone numbers, according to Alon Gal of Hudson Rock.

More Windows 11 protections

Microsoft will add a new detection and logging capability to Windows 11 that will allow security tools to detect when malware might attempt to bypass KASLR protections for the Windows kernel. The feature, a new ETW event, is undergoing testing in Windows 11 23H2 insider versions. Read more: An End to KASLR Bypasses?

Digital sovereignty

Speaking at a digital forum last week, Russia’s Minister of Digital Transformation said that after most foreign IT companies have left Russia following EU and US sanctions, Russia has now achieved “digital sovereignty” (I don’t think that’s how digital sovereignty works, but ok, whatever). In addition, the Russian official also said that even if a large number of IT specialists have left Russia, the number is not so large to “cause irreparable damage to the [IT] industry.” These are some very funny statements to make on the same day that rumors emerged that Russia’s largest IT company—Yandex—was looking to leave the country for greener pastures. Read more:

  • Минцифры объявило о достижении цифрового суверенитета: иностранные IT-компании ушли
  • ‘Russia’s Google’ wants to sell its Russian businesses and flee the country with its most promising tech

Defense Cyber Index

While the Belfer Center is known for its national offensive cyber index, MIT has joined the rank-your-country party with an index on which state has the best defensive capabilities. Topping the list for the year is Australia, the Netherlands, and South Korea. Read more: The Cyber Defense Index 2022/23

Darknet market takedown

Interpol said that authorities in Eritrea have taken down a darknet market that was selling hacking tools and cybercrime-as-a-service components. The takedown was part of a joint operation with AFRIPOL to crack down on African cybercrime gangs active inside African countries. This operation has also led to the arrest of ten suspects linked to online scams and fraud activities, the recovery of $150,000 from groups involved in data infringement and copyright cases, and takedowns of server infrastructure hosting malware, botnets, phishing sites, and online extortion operations. Read more: Operation across Africa identifies cyber-criminals and at-risk online infrastructure

Russian scammer gang detained

Russian authorities said they detained three suspects from the city of Kolpino, near Saint Petersburg, for their alleged role in an international phone fraud network. Officials said the gang used more than 12,000 SIM cards to call victims as part of a scheme where they warned them about an impending theft from their bank account and tricked them into transferring funds into so-called “safe accounts”—that were under their control. The three suspects hosted IT infrastructure for the gang, which also consisted of members located outside Russia’s borders, according to the Russian Ministry of Internal Affairs. Read more: Полицейские Санкт-Петербурга задержали подозреваемых в организации технической поддержки международной сети телефонных мошенников

Malicious Docker Hub images

Cloud security firm Sysdig said it identified 1,652 malicious Docker images uploaded on the official Docker Hub portal. More than a third contained cryptomining code, while others contained hidden secret tokens that an attacker could later use as a backdoor into a server. Other Docker images contained proxy malware or dynamic DNS tools. Read more: Analysis on Docker Hub malicious images: Attacks through public container images

Potao source code

A threat actor is claiming to sell the source code of Potao, a malware strain historically linked to the Sandworm APT. Gonna chuck this into the “very likely scam” bin. Read more: Operation Potao Express: Analysis of a cyber‑espionage toolkit

Infostealer fingerprinting

Equinix security researcher William Thomas has a write-up on how you can discover infostealer infrastructure by using IoT search engines to fingerprint their control panels. Read more: Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms

New npm malware

Check out GitHub’s security advisory portal for details.

Twitter amnesty watch

After super-genius Elon Musk announced plans to reinstate banned accounts on Twitter, threat researchers are now keeping an eye on how many of the old Russian political propaganda accounts will be coming back online. An archive of those can be found here. In the meantime, enjoy watching Twitter devolve into a right-wing cesspool with conspiracy theories constantly trending on the platform, driven by abhorrent bot networks. Oh, and death threats, personal attacks, and account reporting raids. Read more: ‘Opening the gates of hell’: Musk says he will revive banned accounts

Zanubis

Something we missed two months ago is this technical report on Zanubis, a new Android banking trojan. More on how to find samples from VT. Read more: Zanubis LATAM Banking Trojan

Koxic and Wiki

AhnSec researchers have reports on Koxic and Wiki, two new ransomware strains they’re seeing distributed in South Korea. Read more:

  • Koxic Ransomware Being Distributed in Korea
  • Wiki Ransomware Being Distributed in Korea

APT-C-09

Qihoo 360 researchers published a report on recent attacks carried out by the APT-C-09 (Patchwork) threat actor, where they used spear-phishing to infect their targets with the BADNEWS backdoor. Read more: APT-C-09(摩诃草)组织针对巴基斯坦最新攻击活动

CVE-2022-34721

CYFIRMA researchers said they believe that a threat actor is using an exploit for CVE-2022-34721 to target Windows systems that have yet to be patched. The vulnerability is a remote code execution in the Windows IKE protocol that Microsoft patched in September. CYFIRMA said the attacks are linked to a campaign named “流血你”—which translates from Chinese to “bleed you.” An exploit for this was shared on GitHub in September. Read more:

  • Windows Internet Key Exchange (IKE) Remote Code Execution Vulnerability Analysis
  • Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability: CVE-2022-34721
  • 78ResearchLab/PoC

API security

Google Cloud said that half of the 500 companies it surveyed in a report released last week have experienced at least one API security incident over the past 12 months. Furthermore, the same survey identifies misconfigurations as the main threat to API infrastructure. Read more: 2022 API Security Research Report: Latest Insights and Key Trends

Updated on 2022-11-27

A leak details Apple’s secret dirt on security startup Corellium

Corellium, a cybersecurity startup that sells virtual iPhones and Android phones for app and pen-testing, offered or sold its tools to makers of government spyware and hacking tools, according to a leaked document prepared by Apple that contains internal Corellium communications. The document says Corellium offered iOS spyware maker NSO Group a trial, as well as offered to provide a quote to purchase its software to DarkMatter, a former cybersecurity company with close ties to the UAE. Corellium says it later denied NSO and DarkMatter requests to purchase the full version following its vetting process, which it explained more in a blog post after Wired’s story went up. But Corellium didn’t answer questions about why it allowed phone hacking companies Cellebrite or Elcomsoft to use its tech, or why Pwnzen was allowed to be a customer, despite helping to hack the phone of a suspected Chinese dissident back in 2019. Read more:

  • A Leak Details Apple’s Secret Dirt on a Trusted Security Startup
  • How We Vet Our Customers
  • How the Biden administration wants to tackle foreign commercial spyware


This post first appeared on PUPUWEB - Information Resource For Emerging Technology Trends And Cybersecurity, please read the original post: here
