Today’s stories include ShellBot malware’s new tactics, LinkedIn Smart Link phishing, info-stealing malware using certificate abuse, a new WordPress plugin masquerading as malware, state hackers exploiting Atlassian Confluence zero-day, and a critical cURL vulnerability.
Recent events include a ransomware attack on ASVEL Basketball, Simpson Manufacturing’s disruption, West Texas Gas data breach, and Knight Ransomware Group’s claim of responsibility for the Indian National Health Mission cyberattack.
In a series of latest developments, Disinformation Impact on Israel-Hamas Conflict via Social Media; Ukraine’s Road Map for AI Regulation Towards EU Integration; Twitter Faces SEC Scrutiny Over 2018 Security Flaw; The Ever-Changing Landscape of Data Breaches; McLaren Health Care Faces Legal Action Over Ransomware Attack.
🚨 Cyber Alerts
1. ShellBot Deploys DDoS via Hex IPs
ShellBot, a notorious DDoS malware, is now using hexadecimal IP addresses as part of its strategy to compromise poorly managed Linux SSH servers, warns the AhnLab Security Emergency Response Center. These transformed IP addresses, such as are an attempt to evade URL-based detection signatures. ShellBot, also known as PerlBot, is infamous for exploiting servers with weak SSH credentials through dictionary attacks, using them as a staging ground for DDoS attacks and deploying cryptocurrency miners.
2. LinkedIn Smart Links Exploited in Phishing
In a recent wave of cyberattacks, hackers are leveraging LinkedIn Smart Links to conduct phishing campaigns aimed at stealing Microsoft account credentials. Smart Links, a feature used in LinkedIn’s Sales Navigator service, have become a tool for attackers to bypass email protection measures and deceive victims. These Smart Links, which appear to originate from trusted sources due to their LinkedIn domain structure, have been used to target individuals across various sectors, including finance, manufacturing, energy, construction, and healthcare.
3. New Certificate Tactic in Data Theft
An emerging SEO poisoning campaign is employing an innovative certificate abuse strategy to propagate info-stealing malware, with a primary objective of acquiring sensitive credentials and cryptocurrency from Windows systems. This campaign leverages SEO poisoning to promote malicious web pages offering illegal software cracks and downloads, while secretly distributing remote access Trojans, LummaC2, and RecordBreaker (also known as Raccoon Stealer V2). These malware variants employ abnormal certificates with unusually long strings, including non-English languages and special characters, making them challenging to detect, allowing them to infiltrate certain defenses.
4. Malware Disguised as WordPress Plugin
Cybersecurity researchers have uncovered a sophisticated strain of malware camouflaged as a WordPress plugin. This rogue code infiltrates websites, creating administrator accounts, remotely controlling compromised sites, and enabling various malicious functions such as altering content and injecting spam links. The malware poses a significant threat to website security and user privacy, as it can evade easy detection by inexperienced users. Researchers are working to determine the scale of the attacks and the initial intrusion methods used to breach sites.
5. Threat Group Storm-0062 Targeting Atlassian
Microsoft reveals that a Chinese-backed threat group known as ‘Storm-0062’ has been actively exploiting a critical privilege escalation zero-day vulnerability in Atlassian Confluence Data Center and Server since September 14, 2023. Although Atlassian had previously informed customers about the exploitation, they had not disclosed specific threat groups involved. Microsoft Threat Intelligence analysts have now shared more information about Storm-0062’s activities and posted the associated IP addresses on Twitter.
6. Critical Vulnerability in cURL Addressed
A critical memory corruption vulnerability in cURL has been patched, putting enterprise operating systems, applications, and devices at risk. The flaw directly impacts the SOCKS5 proxy handshake process and can be exploited remotely in certain configurations. The bug, known as CVE-2023-38545, exists in the libcurl library used for data exchange between devices and servers, posing a significant security concern. The issue was reported through HackerOne and resulted in the largest cURL bug bounty to date.
💥 Cyber Incidents
7. Ransomware Targets Tony Parker’s ASVEL
In a concerning development, ASVEL Basket, a prominent French basketball team owned by former NBA star Tony Parker, has fallen victim to a ransomware cartel known as NoEscape. The attackers claim to have stolen player data and confidential agreements, posting details on their dark web blog. This breach raises concerns about the security of sensitive information related to players, financial data, and more, highlighting the increasing threat of ransomware attacks in the sports industry.
8.Simpson Manufacturing Cyberattack Disruption
Simpson Manufacturing, a prominent American producer of building and structural materials, has been compelled to suspend its operations due to a cybersecurity incident. The disruption, initially detected as IT problems and application outages, was promptly identified as the result of a cyberattack, prompting Simpson to take affected systems offline to contain the threat. The ongoing remediation process is expected to cause extended disruptions, which are often associated with the complexity of ransomware attacks, involving data encryption and potential data theft.
9. West Texas Gas Data Breach
West Texas Gas has officially reported a data breach affecting more than 56,000 individuals, notifying the Attorney General of Maine about the unauthorized access to their systems, copying of files, and deletion of others. This breach resulted in sensitive consumer information, including names, Social Security numbers, and personal details, being accessed by an unauthorized party. In response, WTG initiated an investigation, discovering the breach in May 2023, which prompted them to send out data breach notification letters to affected individuals.
10. Knight Ransomware Targets Health Mission
The notorious Knight ransomware group has openly declared its involvement in the recent National Health Mission cyberattack. The announcement was made through a dark web channel frequently used by such threat actors, where they provided screenshots of their claims regarding the National Health Mission cyberattack. The breach of the National Health Mission, an integral part of the Department of Health & Family Welfare under the Government of Uttar Pradesh, has raised significant concerns due to the sensitive nature of the healthcare data it handles.
📢 Cyber News
11. Disinformation in Israel-Hamas Conflict
Social media platforms, including X and Meta, have become breeding grounds for disinformation surrounding the conflict between Hamas and Israel. The spread of fake news, manipulated video game clips, and malicious accounts impersonating reputable sources has plagued these platforms. Despite efforts to remove blatantly fake content, harmful disinformation continues to thrive, often unchecked. Additionally, European Commissioner Thierry Breton has cautioned X’s owner, Elon Musk, about the platform’s role in spreading illegal content and disinformation, further highlighting the challenges of combating disinformation during the Israel-Hamas conflict.
12. Ukraine’s AI Regulation Strategy
The Ukrainian government is taking proactive steps to introduce artificial intelligence regulations, positioning this move as a means to align more closely with the European Union, which is nearing the final stages of AI system rule approval. Ukraine’s Ministry of Digital Transformation plans to begin developing a regulatory proposal next year, paving the way for access to global markets and a deeper integration with the EU. The three-year regulatory roadmap outlines an initial focus on fostering self-regulation through voluntary codes, followed by the adoption of a law similar to the AI Act, which imposes stricter limits on AI based on its societal risks.
13. SEC Investigates Twitter’s 2018 Data Breach
In 2018, Twitter suffered a security flaw that exposed users’ personal information, triggering an investigation by the Securities and Exchange Commission. The bug allowed email addresses to be viewed when passwords were reset, potentially compromising user identities. The SEC is scrutinizing how Twitter executives managed the situation at the time, focusing on whether they properly disclosed the flaws to shareholders and implemented necessary controls. This issue resurfaced last year when Elon Musk sought to distance himself from his Twitter takeover bid, emphasizing the company’s history of operational challenges and data protection shortcomings.
14. Decade-Long Data Breach Costs
The cybersecurity landscape has witnessed significant changes, and the Ponemon / IBM Cost of a Data Breach reports provide valuable insights into these developments. Notably, the average cost of a data breach has surged by nearly 30%, reaching $4.45 million per breach in recent years. The United States continues to lead in data breach costs, with an average of $9.48 million per breach, reflecting a 75.5% increase since 2013.
15. Lawsuits Follow Ransomware at McLaren
In the wake of a ransomware attack by a Russian group that exposed 2.5 million patients’ data at McLaren Health Care, three proposed federal class action lawsuits have been filed, alleging negligence by the healthcare provider in safeguarding patient privacy. These legal actions, which emerged shortly after the cyber incident, claim that McLaren failed to adequately protect patients’ sensitive information. While McLaren announced it had informed law enforcement, it remained uncertain whether the company had officially reported the data breach to regulators.
Copyright © 2023 CyberMaterial. All Rights Reserved.