What’s the latest in the cyber world today?
Anonymous Arabic, Silver RAT, Lumma Malware, YouTube, GitHub Repositories, Malicious Code Injection, CISA, Exploited Vulnerabilities, Kyocera Device Manager, Maldives, QNAP, Toronto Zoo, Ransomware Attack, IntelBroker, US Department of Transportation, Data Breach, Midwives of Windsor, Email Data Breach, NoName Ransomware, Ukrainian Government Websites, DDoS Attack, Synthetic Data, Duolingo, AI, NY Health Center, Merck, NotPetya
Cyber Alerts
Cyber threat group Anonymous Arabic has introduced a potent remote access trojan (RAT), named Silver RAT, designed to elude security measures and execute covert applications, as reported by cybersecurity firm Cyfirma. Originating from Syria, the group is associated with the development of another RAT known as S500 RAT, and actively engages on various hacker forums and social media platforms. Operating a Telegram channel, the threat actors offer a range of services, including distributing cracked RATs, leaked databases, carding activities, and the sale of social media bots for platforms like Facebook and X (formerly Twitter), which are then utilized by other criminals for automatic engagement with user content.
Cyber threat actors are employing YouTube videos with content related to cracked software to trick users into downloading Lumma, an information-stealing malware, warns Fortinet FortiGuard Labs researcher Cara Lin. These YouTube videos, often featuring content associated with cracked applications, present users with deceptive installation guides and malicious URLs, frequently shortened using services like TinyURL and Cuttly. This strategy, not new to the cyber landscape, has previously been observed delivering various types of malware, including stealers, clippers, and crypto miners, allowing threat actors to compromise machines for information and cryptocurrency theft, as well as resource abuse for illicit mining.
Security researchers have identified a vulnerability affecting thousands of public GitHub repositories that allows malicious code injection via self-hosted GitHub Actions runners. This vulnerability poses a significant risk of high-impact supply chain attacks, enabling attackers to execute arbitrary code on self-hosted runners. The researchers found that by exploiting fork pull requests, attackers could introduce malicious code into workflows, potentially compromising software releases and leading to supply chain compromises with far-reaching consequences, highlighting the need for organizations to adjust repository settings and ensure that outside contributions require approval to mitigate such risks.
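The risky combination described above, as an added illustration that is not code from the researchers or from GitHub: a simplified, line-based audit of a workflow file (constructed sample embedded; not a full YAML parser) that flags jobs running on self-hosted runners in workflows triggered by pull requests, the cases where the repository's approval setting for outside contributions matters most.

```python
import re

# Constructed sample workflow (not from any real repository): a job on a
# self-hosted runner in a workflow that is triggered by pull requests.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request:
    branches: [main]
  push:
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: make test
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: make lint
"""

PR_TRIGGERS = {"pull_request", "pull_request_target"}

def workflow_triggers(text):
    """Collect trigger names from the top-level 'on:' block.
    Handles 'on: push', 'on: [a, b]' and the mapping form with keys
    indented by two spaces; simplified scan, not a full YAML parser."""
    triggers, lines = set(), text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest:  # inline form
            triggers.update(t.strip() for t in rest.strip("[]").split(",") if t.strip())
            break
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt.startswith(" "):
                break  # reached the next top-level key
            k = re.match(r"^  ([A-Za-z_]+):", nxt)
            if k:
                triggers.add(k.group(1))
        break
    return triggers

def self_hosted_jobs(text):
    """Return names of jobs under 'jobs:' whose runs-on mentions self-hosted."""
    jobs, current, in_jobs = [], None, False
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):
            in_jobs = line.startswith("jobs:")
            continue
        if not in_jobs:
            continue
        j = re.match(r"^  ([\w-]+):\s*$", line)
        if j:
            current = j.group(1)
        elif "runs-on:" in line and "self-hosted" in line and current:
            jobs.append(current)
    return jobs

def audit(text):
    """Flag PR-triggered workflows with self-hosted jobs: without approval
    required for outside contributions, fork PR code reaches that runner."""
    trig = workflow_triggers(text) & PR_TRIGGERS
    risky = self_hosted_jobs(text) if trig else []
    return {"triggers": sorted(trig), "self_hosted_jobs": risky, "risky": bool(risky)}
```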
CISA has added six vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the active exploitation of flaws such as Adobe ColdFusion deserialization, Apache Superset insecure initialization, Apple products code execution, D-Link DSL-2750B devices command injection, and Joomla! improper access control. These vulnerabilities, frequently targeted by malicious actors, pose significant risks to federal enterprises, emphasizing the importance of prompt remediation. While Binding Operational Directive 22-01 specifically targets Federal Civilian Executive Branch agencies, CISA urges all organizations to prioritize timely vulnerability remediation to reduce exposure to cyber threats.
Kyocera’s Device Manager faced a security flaw, identified as CVE-2023-50916, enabling attackers to manipulate authentication attempts and potentially gain unauthorized access to clients’ accounts and data. Trustwave reported that the vulnerability could be exploited by bad actors to coerce authentication attempts towards malicious SMB shares, capturing or relaying Active Directory hashed credentials. This path traversal issue was promptly addressed in Kyocera Device Manager version 3.1.1213.0, mitigating the risk of unauthorized access and potential data theft.
Cyber Incidents
The notorious threat actor IntelBroker has claimed responsibility for a significant data breach targeting the United States Department of Transportation (DOT). Revealed on Breachforums, the breach, which occurred on January 7, 2024, has exposed a database containing 5.8 million flight logs from 2015, encompassing critical details like airline, flight number, and departure time. As the cybersecurity community anxiously awaits official statements from the U.S. Department of Transportation, the breach highlights ongoing concerns about the cybersecurity measures in place across government agencies.
The Toronto Zoo, Canada’s largest, reported a ransomware attack on January 5th, affecting systems and visitor records, but assuring the safety of its animals. The zoo does not store credit card information and is actively working with cybersecurity experts to investigate the incident’s extent. While operations continue, the zoo urges patience in communication, emphasizing the resilience of its upgraded technology infrastructure.
A data breach affecting the Midwives of Windsor in Ontario, Canada, has exposed the personal and pregnancy information of an undisclosed number of clients. The breach, related to an email account compromise in April 2023, was disclosed months later, prompting concerns about the delay in notifying affected individuals. While the midwifery practice has taken steps to secure the compromised email account and engage third-party experts for an investigation, clients are advised to be vigilant for suspicious communications linked to the incident. The breach has been reported to the Information and Privacy Commissioner of Ontario and law enforcement.
The NoName ransomware group has reportedly targeted various Ukrainian government websites, causing disruption to entities such as Accordbank, Zaporizhzhya Titanium-Magnesium Plant, and the State Tax Service. The group boasted about the attack on the dark web, listing its victims, including the Central and Western Interregional Tax Administrations. Screenshots from the dark web post circulated on Twitter, with the attackers expressing their continued assault on Ukrainian sites.
Over the weekend, the official websites of the Maldives President’s office, Foreign Ministry, and Tourism Ministry experienced a cyberattack, causing disruptions for several hours. The incident followed derogatory remarks about India’s Prime Minister Narendra Modi made by three Maldives ministers. While the government attributed the downtime to technical issues, speculation emerged about the motives, with some suggesting a connection to diplomatic tensions and Chinese hackers aiming to discredit India. The websites have been restored, but the incident adds to the broader context of strained relations and emphasizes the need for responsible freedom of expression.
Cyber News
The U.S. federal government is on the lookout for a machine capable of generating synthetic data to enhance machine learning models and test systems, particularly in the realm of cybersecurity. Synthetic data, or artificially generated data, becomes crucial when real-world data is unavailable or poses privacy and security risks. With the Department of Homeland Security’s Science and Technology Directorate offering contracts worth up to $1.7 million over three years, the initiative aims to overcome challenges in utilizing sensitive real-world data while safeguarding privacy.
Duolingo, a language-learning platform with over 500 million registered learners, has started using generative artificial intelligence (genAI) for content creation, leading to a 10% reduction in contractors. The move aims to leverage AI for tasks previously performed by individuals, such as generating text and images, without phasing out all contractors. Duolingo’s CEO, Luis Von Ahn, highlighted the use of genAI in November, emphasizing its role in creating voices within the app and providing AI-generated feedback and conversations, especially in the Duolingo Max subscription.
In a settlement concluding an investigation into a 2021 ransomware attack, the Refuah Health Center in Spring Valley, N.Y., faces fines of up to $450,000 from the New York attorney general. The federally funded health center, catering to underserved communities, must invest over $1 million in enhancing data security and pay at least $350,000, with a potential additional $100,000 fine suspension contingent on bolstering its cybersecurity program. The settlement mandates Refuah to allocate $1.2 million between 2024 and 2028 for developing and maintaining an improved information security program, highlighting a significant enforcement action in the aftermath of a cyberattack affecting patient data.
Twilio Sunsets Authy Desktop Apps
Twilio, the vendor behind Authy, has announced the discontinuation of Authy’s desktop apps for Windows, macOS, and Linux in August 2024. Users are strongly recommended to switch to the mobile versions of the 2FA app available on iOS or Google Play. Authy gained popularity for its offline code generation, cross-device syncing, encrypted cloud backups, and strong token encryption, but Twilio is streamlining its focus amid restructuring efforts, urging users to transition to mobile alternatives or other desktop apps like 1Password, KeepassXC, Authenticator, Step Two, and Secrets.
Merck has reportedly reached a settlement with insurers over a court decision that denied the insurance companies’ ability to invoke “hostile warlike action” exclusions in rejecting claims related to the 2017 NotPetya cyberattack. Although the settlement terms are undisclosed, Merck alleged $1.4 billion in damages from the CryptoLocker attack, affecting about 40,000 computers. This development follows an appellate court ruling affirming Merck’s entitlement to reimbursement under its “all risks” property insurance policies.