What are the latest cybersecurity alerts, incidents, and news?
COLDRIVER, SPICA Backdoor, Cyber Intrusions, Malicious npm Package, Trojan, Windows, Docker, Dual Monetization, Ransomware Actors, TeamViewer, LockBit, TensorFlow, CI/CD Misconfigurations, Supply Chain Attacks, Credentials Stolen, Data Dump, Kansas State University, Electrostim Medical Services, Data Breach, Gallup-McKinley County Schools, ELO Cyberattack, Cybersecurity Measures for Pipeline Safety, South Africa, JPMorgan, Oleria, Identity Security, Ireland, GDPR Fines.
Listen to the full podcast
🚨 Cyber Alerts
COLDRIVER, a Russia-linked threat actor known for its sophisticated cyber operations, has begun using a new custom malware named SPICA. Google’s Threat Analysis Group (TAG) uncovered the backdoor, which is written in Rust and marks a shift in COLDRIVER’s tactics: the group has moved beyond its traditional methods and now delivers SPICA through decoy PDFs sent in spear-phishing campaigns. High-profile individuals in defence, government organizations and NGOs remain the primary targets of these limited, targeted intrusions.
A malicious npm package named “oscompatible” appeared on the npm registry and deployed a sophisticated remote access trojan on the Windows machines that installed it. Published on January 9, 2024, the package drew 380 downloads before it was taken down. It shipped binaries that have no place in a JavaScript package: an executable, a DLL and an encrypted DAT file. Its JavaScript entry point ran a batch script written for Microsoft Windows, which in turn performed DLL search order hijacking and established a connection to an actor-controlled domain. The incident underlines the growing threat of supply chain attacks on open-source software ecosystems.
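The oscompatible case combines three tells that can be checked before a package is ever installed: an install-time lifecycle script, shipped native binaries, and JavaScript that spawns external programs. The script below is an added example, not code from the original report or from npm; it builds a small tarball in memory (a constructed sample loosely modelled on the layout described above) and audits it with those heuristics. Names such as `example-pkg`, `autorun.bat` and `helper.exe` are placeholders.

```python
"""Audit an npm tarball for install-time execution and shipped native binaries.

Added example; this is not code from the original report or from npm. It builds
a small package tarball in memory (a constructed sample: a JS entry point, a
batch file, an .exe, a .dll and a .dat blob) and then audits it with heuristics.
"""
import io
import json
import re
import tarfile

# Scripts npm runs automatically during `npm install`.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
# Extensions that rarely belong in a pure-JavaScript package.
SUSPICIOUS_EXTS = (".exe", ".dll", ".dat", ".bat", ".cmd", ".ps1", ".scr")
# JavaScript that spawns external programs.
SPAWN_RE = re.compile(r"child_process|execSync\(|spawn\(|execFile\(")


def build_sample_tarball() -> bytes:
    """Constructed sample package; the contents are placeholders, not real malware."""
    files = {
        "package/package.json": json.dumps({
            "name": "example-pkg", "version": "1.0.0",
            "scripts": {"postinstall": "node index.js"},
        }),
        "package/index.js": (
            "const { execSync } = require('child_process');\n"
            "if (process.platform === 'win32') execSync('autorun.bat');\n"
        ),
        "package/autorun.bat": "@echo off\r\nstart helper.exe\r\n",
        "package/helper.exe": "MZ placeholder",
        "package/helper.dll": "MZ placeholder",
        "package/payload.dat": "\x00\x01\x02\x03",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode("latin-1")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(data: bytes) -> dict:
    """Return lifecycle scripts, suspicious files and process-spawning JS files."""
    findings = {"lifecycle_scripts": {}, "suspicious_files": [], "spawners": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name
            # npm tarballs place the package root under "package/".
            if name == "package/package.json":
                pkg = json.load(tar.extractfile(member))
                for key, cmd in pkg.get("scripts", {}).items():
                    if key in LIFECYCLE_SCRIPTS:
                        findings["lifecycle_scripts"][key] = cmd
            elif name.lower().endswith(SUSPICIOUS_EXTS):
                findings["suspicious_files"].append(name)
            elif name.endswith(".js"):
                src = tar.extractfile(member).read().decode("utf-8", "replace")
                if SPAWN_RE.search(src):
                    findings["spawners"].append(name)
    return findings


def risk_score(findings: dict) -> int:
    """Crude score: install hook (2) + shipped binaries (2) + spawning JS (1)."""
    return (2 * bool(findings["lifecycle_scripts"])
            + 2 * bool(findings["suspicious_files"])
            + bool(findings["spawners"]))


if __name__ == "__main__":
    result = audit_tarball(build_sample_tarball())
    print(json.dumps(result, indent=2), "risk:", risk_score(result))
```

For a real package, feed `audit_tarball` the bytes of the file produced by `npm pack <name>` instead of the constructed sample; a postinstall hook plus Windows binaries in a package that claims to be pure JavaScript is a strong reason to quarantine it before it reaches a build.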
Attackers are exploiting vulnerable Docker services to run a dual monetization scheme, deploying both an XMRig miner and the 9hits viewer app on compromised hosts. 9hits is normally a web traffic exchange tool; here it is run to earn credits for the attackers using the victim’s resources. At the same time, XMRig mines Monero, exhausting resources on the compromised servers and disrupting legitimate workloads.
Ransomware actors are using TeamViewer for initial access and attempting to deploy LockBit ransomware. In the two incidents Huntress investigated, the TeamViewer connections came from the same source, indicating a common attacker. The payloads resemble LockBit encryptors built with the leaked LockBit builder. TeamViewer, for its part, stresses strong security practices, including complex passwords and regular updates, to prevent unauthorized access.
Continuous integration and continuous delivery (CI/CD) misconfigurations in TensorFlow opened the door to potential supply chain attacks: researchers found weaknesses that could have led to the compromise of TensorFlow releases on GitHub and PyPI. An attacker could have orchestrated a supply chain compromise by manipulating TensorFlow’s build agents through a malicious pull request. The TensorFlow maintainers have since addressed the misconfigurations. The case underlines the growing risk of CI/CD attacks as organizations automate more of their build and release process.
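The two findings above share a practical question: who connected, and from where? For the TeamViewer incidents, the local evidence is the incoming-connection log on each host; for the CI/CD case, it is the workflow definition that decides whether an outsider's pull request can reach a build agent. The block below is an added example, not code from Huntress, TeamViewer, TensorFlow or GitHub. Its first half triages TeamViewer's `Connections_incoming.txt`, assuming the widely documented tab-separated layout (remote TeamViewer ID, display name, start, end, local Windows user, connection type, session GUID, with timestamps as DD-MM-YYYY HH:MM:SS local time) and correlating the same remote ID across hosts, which is the "same source in both cases" indicator. Its second half checks GitHub Actions workflow text for two patterns commonly behind "malicious pull request reaches the build" findings; the page does not spell out TensorFlow's exact misconfiguration, so these checks are general, text-based heuristics rather than a description of that case. All log lines, host names, IDs, GUIDs, the allowlist and both sample workflows are constructed.

```python
"""Triage TeamViewer incoming-connection logs and audit PR-triggered CI workflows.

Added example; not code from Huntress, TeamViewer, TensorFlow or GitHub.
Log layout assumed as publicly documented for Connections_incoming.txt; all
sample data (logs, IDs, GUIDs, allowlist, workflows) is constructed.
"""
import re
from datetime import datetime

# --- TeamViewer incoming-connection triage ---------------------------------
TS_FORMAT = "%d-%m-%Y %H:%M:%S"
KNOWN_IDS = {"1234567890"}      # assumed allowlist: the helpdesk's own TeamViewer IDs
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time

# Constructed logs from two hosts; the same unknown ID appears on both.
SAMPLE_LOGS = {
    "HOST-A": (
        "1234567890\tHELPDESK-01\t15-01-2024 10:02:11\t15-01-2024 10:20:45\tjsmith\tRemoteControl\t{11111111-1111-1111-1111-111111111111}\n"
        "5550001111\tWIN-DESKTOP\t17-01-2024 02:14:03\t17-01-2024 02:31:55\tjsmith\tRemoteControl\t{22222222-2222-2222-2222-222222222222}\n"
        "5550001111\tWIN-DESKTOP\t18-01-2024 23:58:10\t19-01-2024 00:41:02\tadmin\tRemoteControl\t{33333333-3333-3333-3333-333333333333}\n"
    ),
    "HOST-B": (
        "1234567890\tHELPDESK-01\t19-01-2024 14:30:00\t19-01-2024 14:35:12\tmjones\tRemoteControl\t{44444444-4444-4444-4444-444444444444}\n"
        "5550001111\tWIN-DESKTOP\t19-01-2024 03:05:40\t19-01-2024 03:52:09\tmjones\tRemoteControl\t{55555555-5555-5555-5555-555555555555}\n"
    ),
}


def parse_log(text):
    """Parse one Connections_incoming.txt into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        parts = line.rstrip("\r").split("\t")
        if len(parts) < 7:
            continue  # blank or truncated line
        remote_id, display, start, end, local_user, kind, guid = parts[:7]
        sessions.append({
            "remote_id": remote_id, "display": display,
            "start": datetime.strptime(start, TS_FORMAT),
            "end": datetime.strptime(end, TS_FORMAT),
            "local_user": local_user, "kind": kind, "guid": guid,
        })
    return sessions


def flag_sessions(sessions, known_ids=KNOWN_IDS):
    """Flag sessions from unknown remote IDs or starting outside business hours."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in known_ids:
            reasons.append("unknown remote TeamViewer ID")
        if s["start"].hour not in BUSINESS_HOURS:
            reasons.append("started outside business hours")
        if reasons:
            flagged.append((s["guid"], s["remote_id"], s["start"].isoformat(), reasons))
    return flagged


def cross_host_sources(logs_by_host, known_ids=KNOWN_IDS):
    """Unknown remote IDs seen on more than one host: a common-operator indicator."""
    seen = {}
    for host, text in logs_by_host.items():
        for s in parse_log(text):
            if s["remote_id"] not in known_ids:
                seen.setdefault(s["remote_id"], set()).add(host)
    return {rid: hosts for rid, hosts in seen.items() if len(hosts) > 1}


# --- GitHub Actions workflow audit (text heuristics, not a YAML parse) ------
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
PR_RE = re.compile(r"\bpull_request\b")  # '_' is a word char, so this skips pull_request_target
HEAD_CHECKOUT_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")
SELF_HOSTED_RE = re.compile(r"\bself-hosted\b")

WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./configure && make
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./configure && make
"""


def audit_workflow(text):
    """Return findings for one workflow file's text."""
    findings = []
    pr_target = bool(PR_TARGET_RE.search(text))
    pr_triggered = pr_target or bool(PR_RE.search(text))
    if pr_target and HEAD_CHECKOUT_RE.search(text):
        findings.append("pull_request_target checks out the PR head: fork code runs "
                        "with the base repository's GITHUB_TOKEN and secrets")
    if pr_triggered and SELF_HOSTED_RE.search(text):
        findings.append("pull-request-triggered job runs on a self-hosted runner: "
                        "fork code executes on a persistent build agent")
    return findings


if __name__ == "__main__":
    for host, text in SAMPLE_LOGS.items():
        for hit in flag_sessions(parse_log(text)):
            print(host, *hit)
    print("shared sources:", cross_host_sources(SAMPLE_LOGS))
    print("weak:", audit_workflow(WEAK_WORKFLOW))
    print("hardened:", audit_workflow(HARDENED_WORKFLOW))
```

The hardened workflow keeps `pull_request` (which runs fork code with a read-only token on an ephemeral hosted runner) and drops both the head checkout under `pull_request_target` and the self-hosted runner; the weak one combines all three, which is the shape that lets an outside pull request run code on a persistent agent that also builds releases.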
🔥 Cyber Incidents
A staggering 71 million unique credentials, including those for websites like Facebook, Roblox, eBay, and Yahoo, have been circulating on the internet for at least four months. Discovered by Troy Hunt, the operator of Have I Been Pwned?, this data was posted on an underground market known for trading compromised credentials. What sets this breach apart is that nearly 25 million of the passwords have never been leaked before, indicating a significant volume of new data, possibly collected through “stealer logs” or malware capturing credentials from compromised machines.
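Dumps like this one feed the Pwned Passwords corpus, and the practical question for a defender is how to test a user's password against that corpus without disclosing it. The block below is an added example, not code from Have I Been Pwned; it relies only on the public shape of the range API (GET `https://api.pwnedpasswords.com/range/<first five hex characters of the uppercase SHA-1>`, which returns `<remaining 35 hex characters>:<count>` lines), so the full hash never leaves the machine. The offline responses and their counts are constructed, except that the `password` entry uses that string's real SHA-1 suffix so the lookup can be verified.

```python
"""Check a password against the Pwned Passwords range API using k-anonymity.

Added example; not code from Have I Been Pwned. Only the public API shape is
assumed. CONSTRUCTED_RESPONSES is an offline stand-in: its counts and all
suffixes other than the one for 'password' are invented.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password: str):
    """Return (5-char prefix sent to the API, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Find our suffix in a range response; 0 means not present in the corpus."""
    for line in body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found == suffix:
            return int(count)  # padded responses may carry real entries with count 0
    return 0


def check_password(password: str, fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_online(prefix: str) -> str:
    """Real lookup; only the 5-character prefix leaves the machine.
    Add-Padding asks the API to pad the response so its size does not leak the prefix."""
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API (counts and the other suffixes invented).
CONSTRUCTED_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
        "1E2AAA439972480CEC7F16C795BBB429372:1\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_online that never touches the network."""
    return CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_password(pw, fetch_range_offline))
```

Swap `fetch_range_offline` for `fetch_range_online` to query the live service; the function signature is the same, which is also how the check is unit-tested without network access. A non-zero count is a reason to reject the password at registration or force a reset, regardless of how strong it looks.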
Kansas State University (K-State) grapples with a cyberattack affecting VPN, emails, Canvas, and more. The public research university, with 20,000 students, promptly took impacted systems offline and engaged third-party forensic experts for investigation. While guiding academic deans on educational continuity, K-State advises vigilance and reports ongoing efforts to restore affected services.
Florida-based Electrostim Medical Services, Inc., has disclosed a cyberattack from May 2023 that affected 542,990 patients. Detected on May 13, 2023, the breach involved unauthorized access to patient data on the company’s network. Data theft was not confirmed, but the intruders had access to parts of the network holding patients’ protected health information and may have copied it. The company says it has strengthened network security and has found no misuse of patient data resulting from the incident.
The Hunters International ransomware group claims to have attacked Gallup-McKinley County Schools in New Mexico, leaving the educational community and experts uncertain about the extent and motives of the attack. The absence of any disruption to the school’s online presence raises doubts about the authenticity of the claim. The potential fallout is nonetheless significant, given the sensitive information educational institutions hold and the rising trend of ransomware attacks on K-12 schools globally, which highlights the sector’s vulnerabilities.
Thousands affected as accounting services company ELO reports a cyberattack exposing credit card numbers and account PINs. The breach, discovered over a week ago, impacted over 15,000 clients, with stolen data already used in reported cases of fraud. ELO is conducting an inquiry and offers free credit monitoring to affected individuals, emphasizing its commitment to privacy and security.
📢 Cyber News
A top official from the Pipeline and Hazardous Materials Safety Administration (PHMSA) revealed that the agency is launching initiatives to counter the rise in cyberattacks on U.S. pipelines. Following the 2021 Colonial Pipeline cyberattack, Tristan Brown emphasized the need for improved collaboration between federal agencies and the private sector to enhance pipeline security. PHMSA, along with the Transportation Security Administration and the Department of Energy, aims to ensure coordinated efforts to address cybersecurity challenges in pipeline transportation.
South Africa, recognized as the world’s most internet-addicted country, grapples with a surge in ransomware attacks, ranking as the most targeted nation in Africa and eighth globally. Despite extensive digital reliance, the country’s cybersecurity strategy is inadequately funded, lacking clear governance positions. Researchers emphasize the need for South Africa to prioritize cybersecurity, enhance global cyber leadership, and address shortcomings in cyber defense, urging the government to allocate resources and play a more influential role in shaping cyber diplomacy.
At the World Economic Forum’s summit in Davos, Mary Callahan Erdoes, head of JPMorgan’s asset and wealth management division, emphasized the escalating challenge of fending off cyber criminals. Fraudsters are becoming smarter and more devious, making the task increasingly difficult for financial institutions. A PYMNTS Intelligence study revealed a 65% rise in fraud losses from $2.3 million in 2022 to $3.8 million in 2023, urging companies to prioritize good cyber hygiene and embrace modern innovations like artificial intelligence for a robust defense against cyber threats.
Oleria, a pioneer in adaptive identity security, secured $33.1 million in a Series A funding round led by Evolution Equity Partners. With total funding surpassing $40 million, Oleria aims to boost hiring and enhance its innovative AI-driven products, addressing identity-based threats. The company’s CEO, Jim Alkove, emphasizes their unique approach, providing continuous, context-based access management to protect against evolving cyber threats while ensuring business agility.
Ireland, housing the European headquarters of major tech companies, leads in GDPR fines since the regulation’s inception, totaling $2 billion. A report by DLA Piper reveals that European data protection authorities issued €1.8 billion ($1.9 billion) in fines in 2023, marking a 14% increase. Ireland’s prominence is attributed to its popularity among tech firms, with the Irish Data Protection Commission playing a pivotal role in shaping GDPR interpretations and imposing seven of the top 10 largest fines.