What’s going on in the cyber world today?
Chinese Drones, iShutdown, Hidden Spyware, iOS Devices, Iranian Hackers, Backdoor Malware, GPU Vulnerability, LeftoverLocals, PixieFail UEFI, Foxsemicon, LockBit, Swiss Government, Bigpanzi Cybercrime, Android TV, DENHAM, Akira Ransomware, Anonymous Sudan, Israel, Bazan Group, FTC, Privacy Enforcement Collaboration, Google, Crypto-Fueled Crime, Southeast Asia, Tether, Financial Industry, Email Attacks, Vicarius.
Cyber Alerts
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of the rising threat posed by Chinese-manufactured unmanned aircraft systems (UAS) in critical infrastructure. CISA, in collaboration with the FBI, emphasizes the risk of sensitive information being exposed to Chinese authorities because of the legal obligations placed on prominent Chinese-owned UAS manufacturers. The guidance urges critical infrastructure operators to transition to secure-by-design UAS systems with robust security measures; Chinese-manufactured or otherwise insecure UAS devices pose a national security concern because they risk unauthorized access to systems and data, according to Bryan Vorndran, FBI Cyber Division Assistant Director.
Cybersecurity researchers have identified a lightweight method named iShutdown to reliably detect spyware on Apple iOS devices, including threats like Pegasus, Reign, and Predator. The method involves analyzing a file named “Shutdown.log” on compromised iPhones, which records reboot events and their characteristics. Kaspersky found traces of spyware-related processes causing reboot delays, offering a straightforward and accessible way to identify spyware; because the log file retains entries spanning several years, it serves as a valuable forensic artifact for analyzing anomalous entries.
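To illustrate the log-based approach, the following is an added example and not Kaspersky’s iShutdown tooling: a small Python parser over a constructed, simplified shutdown.log-style excerpt that groups entries by reboot, reads the “still waiting” delay, and reports processes that only ever appear in stalled reboots. The line format, the process paths and the delay threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in a simplified shutdown.log style (an assumed format, not a
# verbatim copy of the real file): each reboot is a run of "SIGTERM: [pid] path"
# lines naming processes that had not yet exited, followed by one or more
# "After N seconds, still waiting for clients..." lines. Paths are placeholders.
SAMPLE_LOG = """\
SIGTERM: [0x101] /usr/libexec/exampled
After 1 seconds, still waiting for clients...
SIGTERM: [0x102] /usr/libexec/exampled
SIGTERM: [0x2a7] /private/var/tmp/placeholder_unknown_binary
After 4 seconds, still waiting for clients...
After 8 seconds, still waiting for clients...
SIGTERM: [0x103] /usr/libexec/exampled
SIGTERM: [0x2b1] /private/var/tmp/placeholder_unknown_binary
After 6 seconds, still waiting for clients...
"""

SIGTERM_RE = re.compile(r"^SIGTERM: \[(0x[0-9a-fA-F]+)\] (\S+)")
WAIT_RE = re.compile(r"^After (\d+) seconds?, still waiting for clients")


def parse_reboots(text):
    """Split the log into reboot records of (max_delay_seconds, [process paths]).
    A SIGTERM line that follows a wait line is taken to start the next reboot."""
    reboots, procs, delay, saw_wait = [], [], 0, False
    for line in text.splitlines():
        if (m := SIGTERM_RE.match(line)):
            if saw_wait:
                reboots.append((delay, procs))
                procs, delay, saw_wait = [], 0, False
            procs.append(m.group(2))
        elif (m := WAIT_RE.match(line)):
            delay = max(delay, int(m.group(1)))
            saw_wait = True
    if procs or saw_wait:
        reboots.append((delay, procs))
    return reboots


def find_suspect_processes(text, delay_threshold=3):
    """Processes present in reboots that stalled >= delay_threshold seconds but never
    in a reboot that shut down promptly. Returns {path: number of stalled reboots}."""
    reboots = parse_reboots(text)
    clean = {p for d, procs in reboots if d < delay_threshold for p in procs}
    suspects = Counter()
    for delay, procs in reboots:
        if delay >= delay_threshold:
            suspects.update(p for p in set(procs) if p not in clean)
    return dict(suspects)
```

On a real device the same logic would be run over the Shutdown.log collected from a sysdiagnose archive, and any flagged path would then be reviewed by an analyst rather than treated as proof of infection.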
Microsoft reports Iranian-backed hackers targeting high-profile individuals in Europe and the U.S., using spear phishing attacks and a new backdoor malware called MediaPl. The APT35 subgroup, known as Mint Sandstorm, focuses on stealing sensitive data from researchers, professors, and individuals with knowledge of security and policy issues, aligning with Iranian interests. The hackers employ custom-tailored phishing emails and advanced post-intrusion techniques, including the use of MediaPl and a PowerShell-based backdoor malware called MischiefTut, highlighting the ongoing sophistication of cyberespionage campaigns.
A newly discovered graphics processing unit (GPU) vulnerability, ‘LeftoverLocals,’ affects AMD, Apple, Qualcomm, and Imagination Technologies GPUs, allowing attackers to retrieve data left behind in local memory. Discovered by Trail of Bits researchers Tyler Sorensen and Heidy Khlaaf, the flaw exposes sensitive information, including model inputs, outputs, weights, and intermediate computations. While mitigation efforts are underway, GPU vendors are urged to implement an automatic local memory clearing mechanism, balancing the potential performance overhead against the severity of the security implications.
Multiple vulnerabilities in the UEFI TCP/IP stack, collectively known as PixieFail, expose millions of computers to remote code execution (RCE), denial-of-service (DoS), and data theft risks. The flaws, identified in the TianoCore EFI Development Kit II (EDK II), impact UEFI firmware from AMI, Intel, Insyde, and Phoenix Technologies. The vulnerabilities in the EDK II NetworkPkg include overflow bugs, an out-of-bounds read, infinite loops, and the use of a weak pseudorandom number generator, potentially leading to DNS and DHCP poisoning, information leakage, DoS, and data insertion attacks at the IPv4 and IPv6 layers.
Cyber Incidents
Foxsemicon faced a ransomware attack from LockBit, threatening to expose 5TB of data. While the website was later recovered, experts are concerned about potential operational impacts. The cyberattacks on Taiwan have surged, possibly linked to the recent presidential election, with Chinese hackers suspected to be behind many incidents.
Switzerland believes that a cyberattack carried out by the pro-Russia group NoName disrupted access to some government websites, following Ukrainian President Volodymyr Zelensky’s visit to Davos. The pro-Russian group launched a series of DDoS attacks against several government websites, causing temporary disruptions in their accessibility. Switzerland’s National Cyber Security Centre (NCSC) says that the cyberattack was promptly detected and that it immediately took the necessary measures to restore access to the targeted websites.
A cybercrime group named ‘Bigpanzi’ has been infecting Android TV and eCos set-top boxes worldwide since 2015, controlling a botnet with approximately 170,000 daily active bots. The threat group monetizes these infections by transforming the devices into nodes for illegal media streaming platforms, traffic proxying networks, DDoS swarms, and OTT content provision. Bigpanzi uses sophisticated malware tools, including ‘pandoraspear’ and ‘pcdn,’ to hijack DNS settings, establish command and control communication, and execute various commands on infected devices.
Akira ransomware targets DENHAM the Jeanmaker, a renowned denim brand, prompting concerns about a potential data breach. Despite the alleged incident, the company’s website remains operational, casting doubt on the authenticity of the attack claim. The cyber threat landscape intensifies with escalating double-extortion tactics and unverified claims targeting prominent organizations like DENHAM.
Hacking collective Anonymous Sudan claims responsibility for a major cyberattack on Bazan Group, Israel’s top oil refining and petrochemical company. The assault raises concerns about potential repercussions for Israel’s economic hub. Despite a temporary operational slowdown confirmed by Bazan Group, the extent of the attack remains uncertain, with the company’s website showing no immediate signs of compromise. NetBlocks, a reputable source on cyber disruptions, validates the incident, emphasizing a significant network disruption at Bazan Group’s petrochemical facilities.
Cyber News
The Federal Trade Commission (FTC) has announced its participation in the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), aiming to enhance intelligence sharing and assist privacy investigators worldwide. The move allows the FTC to seamlessly collaborate with international partners on law enforcement investigations related to privacy and data security without the need for individual memoranda of understanding. Originally associated with APEC CBPR, Global CAPE has evolved into a global partnership, fostering extensive information exchange on public opinion, enforcement initiatives, legislation updates, and more among member countries.
Google CEO Sundar Pichai has informed employees about anticipated job cuts at the Alphabet-owned company this year, focusing on simplifying execution and driving velocity in certain areas. Pichai mentioned in the internal memo that these layoffs won’t be on the scale of last year’s reductions and won’t affect every team. The move aligns with the broader trend of companies turning to artificial intelligence and automation to streamline operations. Despite the job cuts, Pichai expressed the company’s commitment to ambitious goals and continued investment in key priorities.
Cryptocurrency is fueling organized crime in Southeast Asia, with experts warning of its role in money laundering and generating illicit revenue. The UN reports that Tether plays a significant role in this criminal activity in Myanmar, Thailand, and beyond. Criminal syndicates leverage under-regulated online gambling platforms and crypto exchanges for fast, anonymized transactions, and Tether, a stablecoin pegged to the US dollar, is identified as the coin of choice for fraudsters involved in various scams. The UN report highlights the challenges posed by Tether in tracking transactions, its lower fees, and its perceived difficulty of tracing on the Tron blockchain, raising concerns about its role in cybercrime and money laundering.
The global financial services sector experienced a 137% surge in Vendor Email Compromise (VEC) attacks in the past year, primarily driven by socially engineered email threats. On average, the industry encountered 200 advanced attacks per 1,000 mailboxes weekly, with peak periods noted in late January, late September, and mid-December. These attacks, which rely on messages that appear authentic in order to manipulate financial transfers, pose a substantial risk, with reported instances targeting millions of dollars, emphasizing the need for enhanced email security measures.
Israeli startup Vicarius has raised $30 million in a Series B funding round led by Bright Pixel Capital. The cybersecurity firm developed an autonomous end-to-end vulnerability remediation platform called vRx, assisting security teams in safeguarding critical apps and assets against software exploitation. With over 400 customers, including PepsiCo, HPE, Bupa, and Equinix, the funds will be utilized to accelerate global expansion and support a growing customer base worldwide.