What’s the latest in the cyber world today?
Russia, Phishing, Ukraine, MESHAGENT, DeathGrip, Ransomware-as-a-Service, Windows, Blue Screen of Death, Grayfly, Google Safety Centre, Scam, Malware, DDoS, Musk-Trump, Interview, X, North Korea, South Korea, Military, Schlatter Industries, IT Network, East Valley Institute of Technology, Kootenai Health, Breach, Patient Information, Radar/Dispossessor Group, Crackdown, Sharjah, Finance Department, Cyber Defense Center, UAE, DARPA, AI, US, SEC, NovaTech, Crypto Fraud, Off-Chain, Decentralized Finance, Compromised Keys, Halborn.
Cyber Alerts
CERT-UA has warned of a Russia-linked phishing campaign against Ukrainian government entities, tracked as UAC-0198. Active since July 2024, the attackers impersonate the Security Service of Ukraine (SSU) and send emails carrying a link to download a file named “Documents.zip.” Opening the link delivers an MSI installer that executes ANONVNC, also tracked as MESHAGENT, a remote-management agent that gives the attackers remote control of the infected system.
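As an added example (not from the CERT-UA advisory or this page), the delivery chain above can be caught on the endpoint by correlating two process-creation events: msiexec.exe installing an MSI from a user-writable path such as the temp folder Explorer extracts a zip into, followed shortly by a MeshAgent image starting. The Sysmon-style event fields, the 120-second correlation window, and the sample events are assumptions constructed for the demo; “MeshAgent.exe” is the agent’s usual image name, but attackers can rename it, so treat the name match as one signal among several.

```python
"""Added example: correlate msiexec-from-user-path with a following MeshAgent start.
Event fields mimic Sysmon event 1 (process creation); all sample data is constructed."""
import re
from dataclasses import dataclass

# Paths a phished user, not an installer service, writes to: browser downloads and the
# temp folder Explorer extracts "Documents.zip" into.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)
MSI_ARG = re.compile(r'/i\s+"?([^"\s]+\.msi)"?', re.I)
SILENT = re.compile(r"/(q[nb]?|quiet)(\s|$)", re.I)
CORRELATION_WINDOW_S = 120  # assumption: agent must start within 2 minutes of the install


@dataclass
class ProcEvent:
    ts: float      # seconds since epoch
    pid: int
    image: str     # full image path
    cmdline: str


@dataclass
class Finding:
    ts: float
    pid: int
    rule: str
    severity: str
    detail: str


def detect(events):
    """Return findings for the msiexec -> MeshAgent chain, ordered by timestamp."""
    findings = []
    suspicious_installs = []  # timestamps of msiexec runs against user-writable MSI paths
    for e in sorted(events, key=lambda x: x.ts):
        image = e.image.lower()
        if image.endswith("\\msiexec.exe"):
            m = MSI_ARG.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                # A silent install (/qn, /quiet) from a temp path is the phishing-chain shape.
                sev = "high" if SILENT.search(e.cmdline) else "medium"
                suspicious_installs.append(e.ts)
                findings.append(Finding(e.ts, e.pid, "msi_from_user_dir", sev, m.group(1)))
        elif "meshagent" in image.rsplit("\\", 1)[-1]:
            # Only escalate when the agent starts shortly after a suspicious install.
            recent = [t for t in suspicious_installs if 0 <= e.ts - t <= CORRELATION_WINDOW_S]
            if recent:
                findings.append(Finding(e.ts, e.pid, "meshagent_after_user_msi", "critical", e.image))
    return findings


# Constructed sample telemetry (not real data): the user opens the mailed archive,
# msiexec installs the MSI from the extracted temp folder, and the agent starts 8 s later.
SAMPLE_EVENTS = [
    ProcEvent(1723500000, 4120, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(1723500041, 5208, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\Temp1_Documents.zip\Documents.msi" /qn'),
    ProcEvent(1723500049, 5310, r"C:\Program Files\Mesh Agent\MeshAgent.exe", "MeshAgent.exe"),
]

# A managed software deployment installs from a distribution cache, not a user folder,
# so it must stay silent.
BENIGN_EVENTS = [
    ProcEvent(1723500100, 6001, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Windows\ccmcache\a3\7zip.msi" /qn'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.ts:.0f} pid={f.pid} {f.rule} [{f.severity}] {f.detail}")
    print("benign findings:", detect(BENIGN_EVENTS))
```

Run it as a script to print the findings for the constructed events. In production, replace the image-name match with a hash or code-signer check on the agent binary, and allowlist the msiexec source paths your software-distribution tooling uses so that legitimate installs stay silent, as the benign event shows.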
A new Ransomware-as-a-Service (RaaS) platform called DeathGrip has surfaced, offering ready-made ransomware to cybercriminals of all skill levels. Promoted on Telegram and underground forums, DeathGrip supplies payloads built from leaked ransomware builders, including LockBit 3.0 and Chaos. This significantly lowers the barrier to entry, letting affiliates launch fully developed ransomware attacks without extensive technical knowledge.
A newly disclosed vulnerability, CVE-2024-6768, affects all current versions of Windows 10, Windows 11, and Windows Server 2022 and can be used to crash the machine with a blue screen of death (BSOD). Published by Fortra on August 12, 2024, the flaw lies in the Common Log File System driver (clfs.sys), which fails to properly validate quantities in input data and triggers a kernel bug check; a local user can trigger it repeatedly, so it is a denial-of-service issue rather than code execution. Fortra says it reported the bug to Microsoft in December 2023 with proof-of-concept code, but no fix had been released at the time of writing.
Grayfly has significantly expanded its operations from the Indo-Pacific region to a global scale, targeting sectors including healthcare, media, government, and education. The group gains initial access through public-facing applications such as IIS servers and deploys the Godzilla webshell for control. It has recently introduced new loaders, StealthVector and StealthReacher, and a new modular backdoor, SneakCross. Post-exploitation, Grayfly uses tunnelling tools such as iox, Rakshasa, and Tailscale for persistent access, and MEGAcmd for data exfiltration.
A phishing campaign impersonating the Google Safety Centre tricks users into downloading a malicious file disguised as Google Authenticator. The file installs two pieces of malware: Latrodectus, a downloader that executes commands from a command-and-control server, and ACR Stealer, which uses a dead drop resolver, retrieving its C&C address from a legitimate public web service rather than hard-coding it, to hide its infrastructure.
Cyber Incidents
On August 12, 2024, a highly anticipated interview between Tesla CEO Elon Musk and former President Donald Trump, streamed on the social media platform X (formerly Twitter), was disrupted by what Musk described as a large distributed denial-of-service (DDoS) attack. The disruption caused system overloads and interruptions, which Musk attributed to a flood of malicious traffic overwhelming the platform. The interview proceeded with a reduced live audience, and Trump later shared a playback of the event that drew more than 15 million views.
South Korea’s ruling People Power Party (PPP) has reported that North Korean hackers have stolen sensitive information on the country’s K2 tanks and “Baekdu” and “Geumgang” spy planes. The PPP is concerned that this breach could allow North Korea to evade South Korean military surveillance and gain a tactical advantage. The theft involved detailed technical data, including design blueprints and operational manuals.
Switzerland’s Schlatter Industries, a leading supplier to the wire and track construction sectors, reported a severe cyberattack on its IT network on August 9, 2024. The malware intrusion is suspected to be part of a professional extortion attempt. Schlatter’s internal IT team, working with external experts, focused on containing the damage and restoring systems.
The East Valley Institute of Technology (EVIT) in Arizona has reported a data breach affecting more than 200,000 individuals. The breach, which occurred on January 9, 2024, exposed sensitive personal and health information, including names, Social Security numbers, medical records, and financial details of students, staff, faculty, and parents. The institute has notified those affected and engaged a third-party firm to investigate.
Kootenai Health in Coeur d’Alene, Idaho, has reported a data security breach affecting the personal and health information of employees, their dependents, and patients. Discovered on March 2, 2024, the breach involved unauthorized access to the network, potentially exposing names, Social Security numbers, medical records, and other sensitive data. The healthcare provider secured its systems, engaged cybersecurity experts, and notified federal authorities.
Cyber News
On August 12, 2024, a coordinated international operation by law enforcement agencies from the US, Germany, and the UK disrupted the Radar/Dispossessor ransomware group. Active since August 2023, the gang targeted sectors including healthcare, education, and finance, exploiting weak passwords and vulnerable systems to gain access. The operation took down 24 servers and nine domains used by the group and identified 12 individuals associated with it.
On August 13, 2024, the Sharjah Finance Department in the UAE launched its new Cyber Defense Center, strengthening the country’s cybersecurity infrastructure. Led by Sheikh Rashid bin Saqr Al Qasimi, the center aims to protect sensitive government information through advanced threat monitoring and incident response. The center also focuses on cybersecurity education, playing a vital role in building national talent and enhancing Sharjah’s overall digital resilience.
The Defense Advanced Research Projects Agency (DARPA) has awarded $14 million to the seven top teams in its AI Cyber Challenge (AIxCC) following the semifinal competition held at DEF CON 32. The challenge, which focuses on AI systems that can find and patch vulnerabilities in critical open-source software, saw teams discover and fix numerous synthetic bugs and one real-world bug in projects including Jenkins, the Linux kernel, and SQLite3.
The U.S. Securities and Exchange Commission (SEC) has charged Cynthia and Eddy Petion, founders of NovaTech Ltd., along with several top promoters, in connection with a massive $650 million crypto fraud scheme. The SEC alleges that NovaTech, operating from 2019 to 2023, deceived over 200,000 investors by promising high returns through investments in crypto assets and foreign exchange markets. Instead, the scheme operated as a Ponzi scheme, using new investor funds to pay returns to earlier investors while the Petions allegedly diverted millions for personal use.
Off-chain attacks in decentralized finance (DeFi) are increasing rapidly, with compromised private keys emerging as a significant threat, according to a report by Halborn. Between 2016 and 2023, off-chain attacks accounted for 29% of DeFi incidents and 35% of stolen funds, with a sharp rise in 2023. Halborn calls for stronger controls, including hardened private key storage and thorough auditing, to counter this growing risk.
Copyright © 2024 CyberMaterial. All Rights Reserved.