What’s happening in cybersecurity today?
Agent Racoon, Mac Pirated Software, Unitronics PLC, ChatGPT, OpenAI, Turtle, macOS Ransomware, Patrick Wardle, US Credit Unions, Ziv Medical Center, Safe Wallet, Tipalti, Israel, ALPHV, Proliance Surgeons, UK, Digital Protection Bill, Google Chrome, Back/Forward Cache, BlueVoyant, Conquest Cyber, Google AdSense, US Department of Justice, TrickBot malware.
Cyber Alerts
1. New Backdoor Agent Racoon
Palo Alto Networks Unit 42 has uncovered a new backdoor named Agent Racoon, targeting organizations in the Middle East, Africa, and the U.S. Attributed to an unknown nation-state-aligned threat actor, the malware utilizes the .NET framework and DNS protocol to establish a covert channel. Identified as cluster CL-STA-0002, the attacks span diverse sectors and involve tools like Mimikatz and Ntospy for credential theft. Agent Racoon, executed through scheduled tasks, disguises itself as Google and Microsoft binaries, enabling command execution and file manipulation. The threat actor has exhibited sophistication since at least July 2022, with versatile tool deployment across various campaigns.
2. Mac Users Targeted by Proxy Trojan Threat
Mac users are under threat from a proxy trojan malware campaign exploiting popular macOS software on warez sites. Cybercriminals leverage users seeking premium apps for free, distributing 35 trojanized applications, including Sketch and Downie 4. The trojanized versions, delivered as PKG files, pose heightened security risks by executing scripts during installation with administrator rights. This compromise enables malicious activities, turning infected computers into traffic-forwarding terminals for hacking and phishing. Kaspersky detected the campaign, revealing cybercriminals’ exploitation of users’ willingness to compromise security in pursuit of free versions of commercial software.
3. CISA warns of Iranian cyber threat
CISA, the FBI, NSA, EPA, and INCD have issued an advisory on Iranian cyber actors exploiting Unitronics programmable logic controllers, targeting U.S. Water and Wastewater Systems facilities. The advisory recommends that all organizations with internet-facing PLCs review and implement the specified actions and mitigations.
4. Attack extracts ChatGPT training data
Researchers, including those from Google, discovered a vulnerability in ChatGPT, allowing them to extract megabytes of its training data by prompting it to repeat a word forever. The attack, costing a couple of hundred dollars, revealed real email addresses, phone numbers, and more from the model’s training dataset. OpenAI addressed the issue by preventing the specific exploit but did not fix the underlying vulnerability. The attack highlights concerns about model memorization and data leakage, prompting the need for improved safeguards in language models to protect sensitive information during training and deployment.
5. Turtle macOS ransomware alert
Researcher Patrick Wardle dissects the macOS ransomware “Turtle,” highlighting its non-sophisticated nature. Uploaded on VirusTotal, it was flagged by 24 anti-malware solutions as malicious. The code, initially developed for Windows, seems to have been ported to macOS. Only one AV engine detects it as “Ransom.Turtle.” While the ransomware lacks sophistication and its detection by Gatekeeper is expected, the presence of a macOS version indicates an increasing trend in cybercrime. Strings in Chinese hint at ransomware-related operations, but attribution remains unclear. Though not an immediate threat, Turtle underscores the growing interest of ransomware authors in macOS.
6. Credit Union Ransomware Outage Concerns
Approximately 60 credit unions are facing outages following a ransomware attack on cloud services provider Ongoing Operations, owned by Trellance. The National Credit Union Administration is coordinating with affected credit unions, ensuring members’ deposits are insured up to $250,000. The incident, reported on November 26, prompted immediate action, with ongoing investigations involving third-party specialists. The NCUA has informed federal law enforcement, the U.S. Department of the Treasury, and the Cybersecurity and Infrastructure Security Agency. The attack has downstream effects, impacting other credit union technology providers, including FedComp, which is experiencing a countrywide outage.
7. Hackers Breach Israeli Hospital
Iran-linked hackers claim responsibility for stealing 500 GB of data, including 100,000 IDF medical records, in a cyberattack on Ziv Medical Center, Safed, Israel. Despite authorities containing the situation, the hackers posted screenshots of medical documents on Telegram. Ziv Medical Center implemented safeguards, temporarily restricting external emails. The Privacy Protection Authority issued a criminal prohibition on leaked information’s use or distribution, intending to press charges. This marks the third cyberattack on the hospital in four months. The Health Ministry and Israel National Cyber Directorate confirmed the incident, assuring no operational impact on medical center functions.
8. Hacker Targets Safe Wallet, Stealing $2M
A crypto hacker specializing in “address poisoning attacks” has stolen over $2 million from Safe Wallet users in a week, totaling 21 victims. Scam Sniffer reported ten Safe Wallets losing $2.05 million since November 26, with the attacker amassing at least $5 million from 21 victims in four months. Address poisoning involves creating a similar-looking address to the victim’s regular one, tricking them into sending funds to the hacker’s wallet. Another recent attack saw real-world asset lending protocol Florence Finance lose $1.45 million. Scam Sniffer revealed hackers exploiting Ethereum’s ‘Create2’ function, accumulating around $60 million from almost 100,000 victims in six months.
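As an added illustration of the address-poisoning pattern described above (this is example code written for this digest, not code from the article or from Scam Sniffer), a small Python check that flags addresses in a recent-transaction list which share the leading and trailing hex digits of a saved address but differ elsewhere. The addresses and the prefix/suffix thresholds are constructed for the example.

```python
import re
from dataclasses import dataclass

# 0x followed by 40 hex digits (Ethereum-style address)
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


@dataclass(frozen=True)
class Suspect:
    lookalike: str      # the observed address that resembles a trusted one
    mimics: str         # the trusted address it resembles
    shared_prefix: int  # number of leading hex digits in common
    shared_suffix: int  # number of trailing hex digits in common


def _shared_prefix(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def find_lookalikes(trusted, observed, min_prefix=4, min_suffix=4):
    """Return Suspect entries for observed addresses that match a trusted
    address on its first min_prefix and last min_suffix hex digits but are
    not identical to it. Comparison is case-insensitive, so EIP-55 mixed-case
    variants of the same address are treated as identical, not as lookalikes."""
    hits = []
    for t in trusted:
        if not HEX_ADDR.match(t):
            raise ValueError(f"malformed trusted address: {t}")
        t_hex = t.lower()[2:]
        for o in observed:
            if not HEX_ADDR.match(o):
                raise ValueError(f"malformed observed address: {o}")
            o_hex = o.lower()[2:]
            if o_hex == t_hex:
                continue  # the genuine address, not a lookalike
            p = _shared_prefix(t_hex, o_hex)
            s = _shared_prefix(t_hex[::-1], o_hex[::-1])
            if p >= min_prefix and s >= min_suffix:
                hits.append(Suspect(o, t, p, s))
    return hits


# Constructed sample data: a saved address, a lookalike that copies its first
# and last four hex digits, and an unrelated address.
TRUSTED = "0x1234567890abcdef1234567890abcdef12345678"
LOOKALIKE = "0x1234deadbeefdeadbeefdeadbeefdeadbeef5678"
UNRELATED = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"
```

Wallet UIs usually show only the first and last few characters, which is exactly the part a poisoned address copies, so the full string is what a check like this compares.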
9. Tipalti Hackers Threaten Data Leak
The hacker group ALPHV claims to have accessed Israeli fintech unicorn Tipalti’s computers, retrieving over 265GB of confidential business data, including information about the company, its employees, and clients such as Roblox and Twitch. The group threatens to leak the data and plans to disclose details just before the market opens to maximize the impact on Roblox’s stock price. Tipalti is currently investigating the claim and emphasizes its commitment to customer information security, stating it has not detected any loss of information or system hacking at the moment.
10. Surgery Center Alerts 437K on Data Theft
Seattle-based Proliance Surgeons, a large surgical group treating over 800,000 patients, faces a data breach affecting 437,400 individuals. The incident involved ransomware and unauthorized access, compromising sensitive data such as names, birthdates, social security numbers, and medical information. Proliance initiated an investigation, informed law enforcement, and is enhancing cybersecurity measures. A class-action lawsuit alleges negligence in data security. Healthcare sector hacking incidents, responsible for 92% of affected individuals in major breaches, highlight increasing cyber threats. Experts recommend robust security strategies, including regular assessments, employee training, encryption, and incident response plans.
11. UK AI Data Bill Advances Despite Concerns
British Conservative lawmakers are advancing the Digital Protection and Digital Information Bill, aiming to modify the U.K.’s codification of European privacy law. Despite objections from privacy advocates and concerns about its impact on European trade, government backers assert that the bill will enhance data security, prevent fraud, and strengthen the domestic artificial intelligence industry. Critics argue that the bill raises privacy concerns, potentially weakening safeguards and amplifying biases in AI applications, as it moves to the House of Lords for further consideration.
12. Chrome’s cache update may enhance speed
Google Chrome is making a significant change to its Back/Forward Cache behavior, allowing web pages to be stored in the cache even when a webmaster specifies not to store a page in the browser’s cache. This change aims to improve performance by increasing the instances of instant back/forward navigations, resulting in a better user experience. However, some concerns have been raised about potential conflicts with promises made to web developers who assume that the “Cache-control: no-store” header means the browser will not cache the webpage. Google is working to address these concerns and plans to roll out the feature to test channels first.
13. BlueVoyant Expands Cybersecurity Capabilities
BlueVoyant has acquired Conquest Cyber, an adaptive risk management vendor, to expand its software-as-a-service presence, focusing on U.S. government and defense industrial organizations. The New York-based managed detection and response vendor aims to offer cyber risk maturity and compliance assessments to federal and commercial customers. Conquest Cyber’s clients will benefit from BlueVoyant’s external supply chain defense capabilities. The acquisition comes after BlueVoyant secured over $140 million in Series E funding, led by Liberty Strategic Capital and ISTARI, with the goal of enhancing its capabilities in cybersecurity and resilience.
14. Google reduces ad personalization in AdSense
Google is overhauling its publisher products, including AdSense for Search, AdSense for Shopping, and Programmable Search Engine. From November 2023, these services will transition from “google.com” to new domains like “https://www.adsensecustomsearchads.com.” This move, driven by privacy enhancements and Google’s phasing out of third-party cookies in Chrome, means users will encounter fewer personalized ads based on their browsing history. Notably, modifying ad settings through Google Ad Settings for these features will no longer be possible. The shift aligns with industry trends prioritizing user privacy amid increased scrutiny and regulatory changes in the digital advertising realm.
15. TrickBot Developer Convicted
Russian national Vladimir Dunaev, 40, has been found guilty of his role in developing TrickBot malware. Arrested in South Korea in September 2021 and later extradited to the U.S., Dunaev developed browser modifications and malicious tools that aided TrickBot activities, leading to over $3.4 million in fraud from 10 victims. He pleaded guilty to computer fraud, identity theft, and conspiracy to commit wire and bank fraud. Scheduled for sentencing on March 20, 2024, Dunaev faces a maximum of 35 years in prison. This follows the arrest of another TrickBot gang malware developer, Latvian national Alla Witte, in June 2023.