What’s trending in cybersecurity today?
Turkiye, MSSQL Servers, Mimic Ransomware, Water Curupira’s PikaBot, Malicious Spam Campaigns, Cacti Network Monitoring, Critical Vulnerability, Microsoft, Security Flaws, Patch Tuesday, Fake ‘Ethical Hackers’, U.S. Securities and Exchange Commission, Bitcoin ETF, Ukraine, Alfa-Bank Records, Russia, M9com, German Craft Chambers, China, Decrypting Apple’s AirDrop, U.S. Federal Trade Commission, Outlogic, Sensitive Location Data, Cisco Talos, Dutch Police, Decryptor for Tortilla Ransomware, Nigerian Man, Elder Fraud, HP Enterprise, Juniper Networks.
Cyber Alerts
A financially motivated group of Turkish hackers is orchestrating the RE#TURGENCE campaign, targeting Microsoft SQL (MSSQL) servers globally to encrypt files with the Mimic (N3ww4v3) ransomware. The Securonix Threat Research team, which detected the ongoing attacks, revealed that each intrusion ends either with the sale of “access” to the compromised host or with the delivery of ransomware payloads. Exploiting insecure configurations on MSSQL servers, the hackers run a multi-stage sequence involving the xp_cmdshell procedure, obfuscated Cobalt Strike payloads, and credentials extracted with Mimikatz to take over servers, culminating in the deployment of Mimic ransomware and a distinctive encryption/payment notice.
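As an added defender-side example (not from the CyberMaterial digest or the Securonix report), the following T-SQL shows how a SQL Server administrator can check whether the surface-area options abused in this chain are enabled, turn xp_cmdshell off, and record any statement that tries to invoke it. The Extended Events session name and the .xel file path are placeholders.

```sql
-- 1. Inventory: which high-risk surface-area options are currently enabled?
--    A value_in_use of 1 for xp_cmdshell means any sysadmin login (or a
--    login granted EXECUTE on it) can run OS commands as the service account.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell',
                'Ole Automation Procedures',
                'Ad Hoc Distributed Queries');

-- 2. Hardening: disable xp_cmdshell. The advanced-options flag must be
--    raised to change it and is lowered again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Detection: an Extended Events session that captures every completed
--    statement whose text mentions xp_cmdshell, together with who ran it
--    and from where. Re-enabling the option later does not silence this.
--    'audit_xp_cmdshell' and the file name are placeholder values.
CREATE EVENT SESSION [audit_xp_cmdshell] ON SERVER
ADD EVENT sqlserver.sql_statement_completed
(
    ACTION (sqlserver.client_hostname,
            sqlserver.client_app_name,
            sqlserver.server_principal_name,
            sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%xp_cmdshell%')
)
ADD TARGET package0.event_file
(
    SET filename = N'audit_xp_cmdshell.xel',
        max_file_size = 50,          -- MB per file
        max_rollover_files = 5
)
WITH (STARTUP_STATE = ON);           -- survive service restarts

ALTER EVENT SESSION [audit_xp_cmdshell] ON SERVER STATE = START;

-- 4. Review captured events (run periodically or feed into a SIEM).
SELECT CAST(event_data AS XML) AS event_xml
FROM   sys.fn_xe_file_target_read_file('audit_xp_cmdshell*.xel', NULL, NULL, NULL);
```

Pair the session with alerting on a sudden reappearance of xp_cmdshell = 1 in step 1, since re-enabling it is itself a sysadmin-level action worth investigating.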
Water Curupira, a menacing threat actor, has been actively spreading the PikaBot loader malware through sophisticated spam campaigns throughout 2023. In a recent report, Trend Micro highlighted the two-pronged assault strategy, involving a loader and a core module, granting unauthorized remote access and executing commands via a secure connection to the command-and-control (C&C) server. The surge in PikaBot-related phishing campaigns is attributed to the disruption of QakBot in August, with DarkGate emerging as its replacement, signaling a dynamic shift in cybercriminal tactics.
A critical blind SQL injection vulnerability (CVE-2023-51448) in Cacti, a widely-used network monitoring framework, poses a serious threat, potentially leading to information disclosure and remote code execution. Cacti, commonly employed in network operation centers of telecoms and web hosting providers, is susceptible due to a flaw in its SNMP Notification Receivers feature.
In its latest Patch Tuesday updates for January 2024, Microsoft has tackled a total of 48 security vulnerabilities across its software. Of these, two are classified as Critical, and the remaining 46 are deemed Important.
Some organizations affected by Royal and Akira ransomware have fallen prey to a threat actor masquerading as a security researcher, offering to hack back the original attackers and delete stolen victim data.
Cyber Incidents
The U.S. Securities and Exchange Commission’s X account faced a security breach, leading to the issuance of a fake announcement regarding the approval of Bitcoin ETFs on securities exchanges. The fraudulent tweet, now deleted, claimed that the SEC had granted approval for Bitcoin ETFs with a commitment to ongoing surveillance and compliance measures for investor protection. This incident adds to the growing trend of X account breaches, with various organizations falling victim to cryptocurrency scams and wallet-draining schemes, highlighting the challenges of securing online platforms against malicious actors.
Ukrainian hackers, part of the collective KibOrg, have exposed the entire customer database of Russia’s largest commercial bank, Alfa-Bank, online, affecting 38 million clients and millions of legal entities. The leaked data spans two decades, beginning in 2004, and includes sensitive information such as customer names, dates of birth, account numbers, and phone numbers. Notably, this cyber incident follows reports from Ukraine’s SBU security service about Ukrainian cyber specialists hacking Alfa-Bank, with the hackers even contacting the bank’s owner, Mikhail Fridman, to discuss his stance on the war in Ukraine before abruptly ending the call.
In a retaliatory move for the December cyberattack on Ukraine’s Kyivstar, Ukrainian hacktivists, likely affiliated with the Security Service of Ukraine (SBU), targeted Russian internet provider M9com. Identified as the Blackjack group, these hackers allegedly destroyed M9com’s servers, causing widespread disruptions to internet and television services for nearly half the population of Moscow. The attack impacted M9com’s official website, mail servers, cyber protection services, and all branch websites, confirming reports of the network being forced offline, according to sources and internet monitoring site NetBlocks.
Multiple Chambers of Crafts in Germany face website and online service disruptions following a “security incident” that impacted a managed service provider’s data center. The cyberattack led to the shutdown of systems in the affected chambers, with network connections severed. While the affected chambers are currently inaccessible online due to a “system failure,” efforts are underway to assess and resolve the incident, although the statement warns that a data leak cannot be ruled out.
A non-password-protected database containing 112,605 records, including sensitive traveler information and passport images, was discovered by cybersecurity researcher Jeremiah Fowler. The exposed database belonged to Australian-owned travel company Inspiring Vacations and was promptly secured after Fowler’s responsible disclosure. The incident highlights the potential risks associated with the travel industry, where cybercriminals could exploit personal data stored by agencies for identity theft or other malicious activities.
Cyber News
A state-backed Chinese research institute claims to have found a way to decrypt device logs for Apple’s AirDrop, allowing the government to identify the phone numbers and email addresses of those using the feature. China, known for stringent censorship measures, has a history of restricting access to mobile apps and encrypted messaging services. Initially used as a workaround for censorship during protests, Apple’s AirDrop became a tool for sharing information, prompting the Chinese government to tighten controls, and now researchers claim to have found a way to extract sender information from AirDropped images.
The U.S. Federal Trade Commission (FTC) has issued a ban on data broker Outlogic, formerly known as X-Mode Social, preventing the company from sharing or selling sensitive location data, especially related to places like medical clinics, religious sites, and domestic abuse shelters. This action comes as part of a settlement over allegations that the company sold precise location data that could be used to track individuals’ visits to such sensitive locations. The ban marks the first-ever prohibition on the use and sale of sensitive location data, emphasizing the need for stringent privacy measures in the handling of location information.
Researchers from Cisco Talos collaborated with the Dutch police to obtain a decryption tool for the Tortilla variant of Babuk ransomware, leading to the arrest of the operator. Tortilla, an offshoot of Babuk, targeted Microsoft Exchange servers using ProxyShell exploits for deploying data-encrypting malware. The cooperative effort enabled law enforcement to identify and apprehend the threat actor in Amsterdam, with the decryption key shared with Avast to update their Babuk decryptor for victims.
Olugbenga Lawal, also known as Razak Aolugbengela, has been sentenced to 10 years and one month in prison for conspiring to launder millions stolen from elderly victims in internet fraud schemes. Elder fraud, targeting adults aged 60 or older, involves the misuse or theft of financial assets, savings, income, or personal identification data. Lawal collaborated with the Nigerian Black Axe organized crime group, exploiting deceitful tactics to trick elderly victims into transferring large sums of money under various pretexts. In total, he oversaw deposits exceeding $3.6 million across various bank accounts, contributing to a surge in elder fraud cases reported to the FBI, with victims experiencing average losses surpassing $35,000.
Hewlett Packard Enterprise (HPE) has made a groundbreaking move in the tech world by announcing its $14 billion all-cash acquisition of network equipment manufacturer Juniper Networks. The deal is set to double HPE’s networking business and enhance its portfolio with AI-driven networking solutions. Juniper’s expertise in cloud-delivered networking, software, and services, coupled with HPE’s Aruba Networking, aims to provide secure, unified technology solutions catering to the rising demand for AI and hybrid cloud-driven business.
Copyright © 2024 CyberMaterial. All Rights Reserved.