What’s the latest in the cyber world today?
Apple, Zero-Day, Vulnerability, ScarCruft, Cyber Espionage, North Korea, Atlassian Confluence, DNS-Linked Malware, macOS, Java-Based NS-STEALER, Discord, Data Theft, UK Southern Water, Black Basta Ransomware, Monobank, DDoS, AerCap, Aviation Industry, BianLian Ransomware, North Star Tax and Accounting, LockBit, TV Jahn Rheine, French Cyber Unit, Olympics Security, The American Federation of Musicians Negotiates, AI Protections, Riot Games, F5, Samir Sherif, Russia’s REvil, Aleksandr Ermakov, Australia.
Listen to the full podcast
Cyber Alerts
Apple responds to an actively exploited zero-day flaw, CVE-2024-23222, with security updates across iOS, iPadOS, macOS, tvOS, and Safari. The vulnerability, a type confusion bug, poses a risk of arbitrary code execution through malicious web content. Apple acknowledges reports of exploitation and addresses the issue with improved checks, marking its first patched zero-day vulnerability this year, emphasizing the company’s commitment to security.
A cyber threat campaign by ScarCruft in December 2023 focuses on media organizations and North Korean affairs experts, experimenting with new infection chains. The North Korea-linked adversary, APT37, is known for spear-phishing lures to deliver RokRAT and other backdoors for covert intelligence gathering. The recent attack chain poses as a member of the North Korea Research Institute, targeting experts with malicious files, highlighting ScarCruft’s commitment to acquiring strategic intelligence.
Malicious actors are actively exploiting a recently disclosed critical security flaw in Atlassian Confluence Data Center and Server, impacting out-of-date versions of the software. Tracked as CVE-2023-22527, the vulnerability allows unauthenticated attackers to achieve remote code execution on susceptible installations. Within three days of public disclosure, nearly 40,000 exploitation attempts have been recorded, with threat actors opportunistically scanning for vulnerable servers for follow-on exploitation.
Hackers are employing a discreet method to distribute information-stealing malware to macOS users through DNS records, camouflaging malicious scripts. Targeting macOS Ventura and later users, the campaign utilizes cracked applications repackaged as PKG files containing a trojan. Operating stealthily, the malware contacts a command and control server through a DNS server, retrieving a base64-encoded Python script to execute arbitrary commands on the compromised device, demonstrating the sophistication of threat actors in delivering payloads through innovative methods.
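The DNS-delivered payload described above is easy to miss because the traffic looks like ordinary name resolution. The following is an added example (not code from the original post or from the researchers it summarizes) showing one defensive heuristic a SOC could run over resolver logs: flag TXT answers whose record data is a well-formed base64 blob, and raise the severity when the decoded bytes look like an interpreter script. The log format, the sample lines, and the domain `cfg.update-check.test` are all constructed for this example; the encoded strings are generated from harmless text at run time so nothing resembling a real payload is embedded.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample resolver log (assumed format, not any real product's):
#   <timestamp> <client_ip> <qname> <qtype> <rdata>
# The base64 strings are produced here from known text so the sample is reproducible.
SAMPLE_SCRIPT = (
    '#!/usr/bin/env python3\n'
    'import sys\n'
    'print("constructed sample, not a real payload")\n'
)
ENCODED_SCRIPT = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
ENCODED_PLAIN = base64.b64encode(b"Hello from a harmless opaque TXT record").decode()

SAMPLE_LOG = "\n".join([
    '2024-01-22T10:01:05Z 10.0.0.12 www.example.com A 93.184.216.34',
    '2024-01-22T10:01:06Z 10.0.0.12 _dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"',
    f'2024-01-22T10:01:09Z 10.0.0.17 cfg.update-check.test TXT "{ENCODED_SCRIPT}"',
    f'2024-01-22T10:01:10Z 10.0.0.17 cfg.update-check.test TXT "{ENCODED_PLAIN}"',
])

# A TXT value made only of base64 alphabet characters, reasonably long, with valid padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Substrings suggesting the decoded bytes are an interpreter script rather than opaque data.
SCRIPT_MARKERS = ("#!/", "import ", "subprocess", "exec(", "eval(")


@dataclass
class Finding:
    client: str
    qname: str
    severity: str   # "high": decodes to script-like text; "low": opaque base64 blob
    preview: str    # first characters of the decoded text, for the analyst


def decode_txt(rdata: str) -> Optional[bytes]:
    """Return the decoded bytes if rdata is a well-formed base64 string, else None."""
    if not B64_RE.match(rdata) or len(rdata) % 4 != 0:
        return None
    try:
        return base64.b64decode(rdata, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyze_log(log_text: str) -> List[Finding]:
    """Scan resolver log lines and return findings for suspicious TXT answers."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)   # rdata may itself contain spaces (e.g. DMARC)
        if len(parts) != 5:
            continue                     # malformed line: skip rather than crash
        _ts, client, qname, qtype, rdata = parts
        if qtype != "TXT":
            continue
        decoded = decode_txt(rdata.strip().strip('"'))
        if decoded is None:
            continue                     # ordinary TXT content such as SPF/DMARC
        text = decoded.decode("utf-8", errors="replace")
        severity = "high" if any(m in text for m in SCRIPT_MARKERS) else "low"
        findings.append(Finding(client, qname, severity, text[:40]))
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.client} -> {f.qname}: {f.preview!r}")
```

The heuristic deliberately ignores TXT records that are not pure base64 (SPF, DMARC, domain-verification tokens), so it is cheap enough to run over a full day of resolver logs; in practice the "low" findings are best correlated with the querying host's process telemetry before escalation.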
Researchers have uncovered NS-STEALER, a sophisticated Java-based information stealer that employs a Discord bot for data exfiltration from compromised systems. The malware, distributed through ZIP archives posing as cracked software, deploys a malicious JAR file via a rogue Windows shortcut. NS-STEALER captures sensitive information, such as screenshots, cookies, credentials, system details, and more, storing it in a designated folder before sending it to a Discord Bot channel for exfiltration. The malware’s advanced features, including the use of X509Certificate for authentication, enable swift data theft from victim systems, making it a potent threat.
Cyber Incidents
The Black Basta ransomware group has claimed responsibility for hacking the UK water utility Southern Water, a significant player in the country’s water industry. Southern Water, responsible for wastewater collection and treatment in multiple regions, including Hampshire, Isle of Wight, and Kent, serves approximately half of the mentioned area’s public water supply. With over 6,000 employees and an annual turnover exceeding £1 billion, the company prioritizes delivering high-quality water and wastewater services. The ransomware group, known for a double-extortion model, threatened to leak stolen data, including 750 gigabytes of sensitive information, on February 29, 2024, although the demanded ransom remains undisclosed.
Monobank, Ukraine’s largest mobile-only bank, encountered a massive distributed denial-of-service (DDoS) attack on January 21, paralyzing its operations with 580 million service requests. CEO Oleh Horokhovskyi, expressing concern over the severity, revealed the bank’s status as “one of the most attacked IT targets in the country.” The cyberattack, following a similar incident on January 20, is part of a larger trend of cyber warfare in Europe, with Russia suspected of involvement, raising fears about destabilization through cyber threats.
Global aviation leasing giant AerCap falls victim to ransomware, marking the fourth cyberattack on an aviation company in the past six months. In a disclosure to the US Securities and Exchange Commission, AerCap, considered one of the world’s largest owners of commercial aircraft, reported a cybersecurity incident on January 17, 2024. Despite having full control of IT systems with no financial losses reported, the extent of potential data impact remains uncertain, leading AerCap to initiate an investigation involving third-party cybersecurity experts and law enforcement notification.
The BianLian ransomware group targets North Star Tax and Accounting, among others, claiming three new victims in its cyber assault. Despite the group’s assertions, the official websites of the targeted companies, including North Star Tax, remain fully functional, casting doubt on the authenticity of the claims. The potential impact is especially concerning for North Star Tax and Accounting, a reputable financial firm entrusted with sensitive data, as a compromise could lead to severe repercussions, including identity theft and financial fraud, jeopardizing the company’s standing in the industry.
In a new round of LockBit ransomware attacks, the notorious threat actor has claimed three new victims, including TV Jahn Rheine in Germany. The dark web portal announcement provides specific details about the targeted organizations, with TV Jahn Rheine, operating in the health and fitness industry, facing the theft of sensitive data such as accounting information, email conversations, and human resources records. Despite the cyberattack, the websites of the victims show no immediate signs of compromise, indicating that the LockBit ransomware group may have targeted company databases instead of the front end of their websites.
Cyber News
In preparation for the upcoming Olympics, the French National Police’s dedicated cybercrime unit, OFAC, is gearing up operations amid warnings of cyberattacks posing a significant threat to the event. Operating under the National Directorate of the Judicial Police, OFAC aims to combat online fraud and enhance intelligence sharing with global law enforcement agencies. With its headquarters unveiled in Nanterre, the agency, established in December, is set to expand its operations and create cybercrime units for each French territorial department over the next three years, emphasizing its crucial role in identifying and preventing cybercriminal activities.
The American Federation of Musicians (AFM) has initiated talks with the Alliance of Motion Picture and Television Producers (AMPTP) in Los Angeles, rallying for AI protections, better wages, healthcare, and crucially, residual payments for streaming content. The union, representing around 70,000 members, contends that musicians are facing financial challenges as streaming work surpasses traditional film/TV opportunities, leading to a 75% income decrease. While addressing AI concerns, the AFM aims to ensure technology complements human musicians, emphasizing the need for consent, compensation, and credit in the creative process.
Riot Games, the developer of the popular “League of Legends,” is undergoing a workforce reduction, laying off 11% of its staff. In a statement to employees, CEO Dylan Jadeja and co-founder Marc Merrill cited the need to “create focus and move us toward a sustainable future.” The company, owned by Tencent, is cutting 530 jobs, acknowledging the necessity of the decision to streamline operations and prioritize game development.
Samir Sherif is named Senior VP and Chief Information Security Officer at F5, where he will lead the cybersecurity strategy, security culture, and standards. With extensive experience as CISO at Absolute Software and Imperva, and over two decades at Citigroup, Sherif takes over from Gail Coury, who retires on March 1 after leading F5’s security efforts for the past three years.
Australia has taken a significant step in its response to cyber threats by publicly naming and imposing sanctions on Russian hacker Aleksandr Ermakov, a member of the notorious REvil ransomware gang. Ermakov is allegedly responsible for a 2022 ransomware attack on Medibank, one of Australia’s largest private health insurers, which exposed sensitive data of 9.7 million customers. The sanctions make it a criminal offense to provide assets to Ermakov, and a travel ban has also been imposed. Australian authorities collaborated with international agencies and private companies, including Microsoft and Medibank, in the investigation.