In today’s episode, we explore cybersecurity developments, including a cyber battle in the Israeli-Palestinian conflict, a GNOME Linux vulnerability, Magecart’s 404 page exploit, the HelloKitty ransomware source code leak, Grayling’s attacks on Taiwan, and a massive Citrix NetScaler hack.
Recent events involve a cyberattack on a Facebook page, pro-Palestinian hackers using a Red Alert app to disrupt Israel, a pediatric privacy breach in NL Health Services, and a cyberattack disrupting cable manufacturer Volex.
In a series of recent developments: Keir Starmer targeted by AI-generated smear campaign; Bounty challenge to decrypt NIST Elliptic Curve Seeds; Remcos RAT and Formbook rise amid shifting cyber threats; UK lawmakers and rights groups demand an immediate halt to live facial recognition; Google launches a capture-the-flag competition centered around their Chrome V8 JavaScript Engine.
🚨 Cyber Alerts
1. Cyber Clash Amid Mideast Crisis
Amid the escalating Israeli-Palestinian conflict, both pro-Israeli and pro-Palestinian hacktivists are taking the battle to the cyber realm, with a focus on industrial control systems as lucrative targets. These attacks include distributed denial of service attacks against Israeli government and media organizations, and even non-partisan threat actors like ThreatSec are joining in. The exposure of critical ICS infrastructure on both sides raises concerns about potential disruptions to essential services and highlights the urgent need for improved cybersecurity measures to safeguard against these attacks and their potentially catastrophic consequences.
2. GNOME Linux Vulnerability Allows RCE
A critical memory corruption vulnerability in the open-source libcue library has been discovered, exposing Linux systems running the GNOME desktop environment to potential remote code execution attacks. This vulnerability, known as CVE-2023-43641, can be exploited when users download a maliciously crafted .CUE file, which is then stored in the ~/Downloads folder. Attackers can take advantage of Tracker Miners automatically indexing downloaded files, making it possible for them to execute arbitrary code on the compromised GNOME Linux devices.
3. Magecart Exploits 404 Pages
A new Magecart card skimming campaign has emerged, employing an innovative tactic of hijacking online retailers’ 404 error pages to conceal malicious code aimed at stealing customers’ credit card data. This campaign, detected by researchers from the Akamai Security Intelligence Group, specifically targets Magento and WooCommerce sites, with some high-profile food and retail organizations falling victim. The attackers cleverly manipulate the default 404 error page, hiding and executing their card-stealing code in a way not seen in previous Magecart campaigns.
4. HelloKitty Ransomware Source Code Leak
A threat actor going by the name ‘kapuchin0’ has leaked the source code of the 2020 variant of the HelloKitty ransomware on a Russian-speaking cybercrime forum. This development raises concerns among cybersecurity experts as threat actors could potentially use the leaked code to create new versions of this ransomware. The HelloKitty ransomware gang, also known as FiveHands, has been active since January 2021 and is known for launching DDoS attacks on victims who refuse to pay the ransom.
5. Grayling’s Cyber Threat in Taiwan
A previously unknown threat actor, named Grayling, has emerged, launching a series of targeted attacks on organizations in Taiwan, spanning sectors such as manufacturing, IT, and biomedicine. Symantec’s Threat Hunter Team has attributed these attacks to an advanced persistent threat known as Grayling, with evidence suggesting that the campaign began in February 2023 and has persisted until at least May 2023. Grayling’s distinctive use of a DLL side-loading technique, coupled with its deployment of various payloads, including Cobalt Strike, NetSpy, and the Havoc framework, underscores the motivation behind these attacks: intelligence gathering.
6. Zero-Day Exploit Targets Citrix Servers
Hackers are exploiting a critical flaw, CVE-2023-3519, in Citrix NetScaler Gateways to steal user credentials. This flaw, discovered in July as a zero-day, affects Citrix NetScaler ADC and NetScaler Gateway, and by mid-August it had led to the backdooring of at least 2,000 Citrix servers. IBM’s X-Force reports that despite warnings to update Citrix devices, hackers have been using CVE-2023-3519 to inject malicious JavaScript and have been harvesting login credentials since September. The attack involves injecting credential-stealing JavaScript into the NetScaler device’s login page and exfiltrating the collected credentials to the attackers.
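Both the Magecart 404-page campaign (item 3) and the NetScaler login-page injection (item 6) work by adding script content to a page the site already serves, so a defender's basic check is to fingerprint the scripts on a page and compare them with a known-good baseline. The following is an added example written for this digest, not code from Akamai, IBM X-Force or Citrix; the page paths, script names and HTML samples are constructed for illustration.

```python
"""Detect unexpected <script> content on a served HTML page (login page,
404 page, checkout page) by comparing it with a known-good baseline."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []        # values of <script src="...">
        self.inline_hashes = []   # sha256 of each inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.inline_hashes.append(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def fingerprint(html):
    """Return the set of external script URLs and inline script digests."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {
        "external": sorted(set(parser.external)),
        "inline": sorted(set(parser.inline_hashes)),
    }


def diff_against_baseline(html, baseline):
    """List scripts present in `html` that the baseline does not contain."""
    current = fingerprint(html)
    return {
        "unexpected_external": sorted(set(current["external"]) - set(baseline["external"])),
        "unexpected_inline": sorted(set(current["inline"]) - set(baseline["inline"])),
    }


# Constructed sample: the login page as captured at deploy time (assumed path names).
BASELINE_HTML = """<html><head>
<script src="/static/login.js"></script>
<script>document.getElementById('login').focus();</script>
</head><body><form id="login"></form></body></html>"""

# Constructed sample: the same page after two foreign scripts were added.
TAMPERED_HTML = """<html><head>
<script src="/static/login.js"></script>
<script>document.getElementById('login').focus();</script>
<script src="https://example.invalid/collect.js"></script>
<script>/* constructed: unexpected inline script */ var x = 1;</script>
</head><body><form id="login"></form></body></html>"""

# The baseline would normally be stored at deploy time and re-checked on a schedule.
BASELINE = fingerprint(BASELINE_HTML)

if __name__ == "__main__":
    print("clean page :", diff_against_baseline(BASELINE_HTML, BASELINE))
    print("tampered   :", diff_against_baseline(TAMPERED_HTML, BASELINE))
```

In practice the baseline is taken from a trusted copy of the page (the deployment artifact, not the live server) and the live page is fetched and compared on a schedule; any non-empty result is an alert. Hashing inline script bodies rather than matching on text keeps the baseline compact and also flags in-place edits to an existing script, which is how the 404-page variant hides its payload.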
💥 Cyber Incidents
7. Facebook’s Official Page Hacked
Facebook’s official page was hacked, leaving users surprised by bizarre posts demanding the release of ex-Pakistani Prime Minister Imran Khan. This incident, occurring on October 6th, 2023, highlights concerns regarding the security of Facebook accounts and pages. While social media hacks are not uncommon, the peculiar focus on cricket visa issues and political demands has raised eyebrows.
8. AnonGhost Hacks Red Alert App
Pro-Palestinian hackers known as AnonGhost targeted the Red Alert app, designed to send missile alerts to Israelis during the Israel-Hamas conflict. The cyberattack exploited an API vulnerability, allowing hackers to send fake rocket alerts and fabricated messages of a “nuclear bomb” attack, causing panic and disruption among app users. This digital warfare parallels the physical conflict, with hacktivist groups on both sides engaging in cyberattacks, further escalating tensions in the region.
9. NL Health Services Data Breach
NL Health Services has disclosed another privacy breach, this time involving an email sent to 253 pediatric patients’ parents and guardians regarding diabetes-related information. Unfortunately, the recipients of the email were not blind-copied, inadvertently exposing everyone on the list to each other’s email addresses. NL Health Services’ CEO, David Diamond, expressed regret and apologized for the error, emphasizing the importance of maintaining patient privacy.
10. Volex Hit by Cyberattack
UK-based cable manufacturing giant Volex recently fell victim to a cyberattack involving unauthorized access to its IT systems and data. While the company confirmed that all its sites remain operational and expects minimal financial impact, there has been some disruption to global production levels. Volex promptly enacted its IT security protocols and engaged third-party consultants to investigate the incident, though details regarding the nature of the attack remain limited. The incident, which may be ransomware-related, raises concerns about the cybersecurity vulnerabilities faced by organizations in today’s digital landscape.
📢 Cyber News
11. Deepfake Audio Controversy in UK
In a disturbing development, an audio clip depicting UK opposition leader Keir Starmer verbally abusing his staff surfaced on social media, garnering more than 1.4 million views. However, analysis conducted by both private-sector experts and the British government revealed that the audio was AI-generated and manipulated. The incident highlights the growing threat of deepfake technology in influencing political narratives, with authorities bracing for similar interference in the upcoming general election.
12. Bounty for NIST Elliptic Curve Seeds
A $12,288 bounty has been announced for anyone who can crack the NIST elliptic curve seeds and unveil the original phrases that were hashed to generate them. Cryptography specialist Filippo Valsorda, along with prominent figures in cryptography and cybersecurity, initiated this challenge to shed light on the origin of these crucial cryptographic components.
13. Formbook Tops Malware List
Check Point’s Global Threat Index revealed significant changes in the cyber threat landscape. A phishing campaign in Colombia led to the rise of the Remcos Remote Access Trojan, making it the second most prevalent malware. Simultaneously, Formbook claimed the top spot as the most prevalent malware globally, known for its potent evasion techniques and data-stealing capabilities. Despite the FBI’s disruption of Qbot, the group responsible for it continues to distribute new malware, signaling ongoing cyber threats.
14. UK Lawmakers Urge Halt to Facial Recognition
Amidst growing concerns about privacy, discrimination, and human rights, more than 65 British lawmakers and 31 civil society organizations have signed a petition calling for an immediate halt to the use of real-time facial recognition technology in the United Kingdom. The petition denounces both private sector and law enforcement use of this AI technology, citing issues ranging from incompatibility with human rights to the lack of safeguards and evidence for its legality and democratic mandate.
15. Google’s v8CTF Cyber Challenge
Google’s research team has introduced the v8CTF, a capture-the-flag competition centered around their Chrome browser’s V8 JavaScript engine. Open to exploit writers, the challenge invites participants to identify and exploit vulnerabilities in the deployed version, with the goal of capturing the flag. Contestants can hunt for known vulnerabilities or discover new ones (zero-days), but their exploits must meet certain stability criteria, such as a runtime of less than five minutes and an 80% success rate. Successful submissions will be rewarded with $10,000 and may also be eligible for additional rewards through Google’s Chrome Vulnerability Reward Program.
Copyright © 2023 CyberMaterial. All Rights Reserved.