Cyber News - 19/01/2024
Your Cyber News of the day ! "Be Cyber Smart, Be Cyber Secure."
New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic
Description:
A new malware campaign is targeting Docker services, deploying a multi-faceted approach for financial gain. It uses XMRig, a cryptocurrency miner, and 9Hits Viewer software. This software generates fake website traffic by visiting sites in an exchange for credits. The infection method for Docker hosts is unclear, but likely involves searching for vulnerable targets online. Once infected, the malware strains system resources, affecting server performance. Security experts warn this could lead to more severe breaches
Date: Thu, 18 Jan 2024
Source: https://thehackernews.com/2024/01/new-docker-malware-steals-cpu-for.html
Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
Description:
The Russian hacker group COLDRIVER has advanced its tactics by developing custom malware. This group, known by various names and active since 2019, has shifted from phishing and credential harvesting to using a Rust-based malware named SPICA. Their method involves decoy PDF documents and a fake decryption tool to install the malware. This change in strategy targets high-profile individuals in NGOs, defense, and government sectors, especially in the UK, US, and NATO countries. Google's Threat Analysis Group has been monitoring this activity and has added associated domains and files to their Safe Browsing blocklists.
Date: Thu, 18 Jan 2024
Source: https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.html
PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft
Description:
The cybersecurity community has identified a set of nine vulnerabilities in UEFI firmware, collectively named "PixieFail." These flaws, found in the TianoCore EFI Development Kit II's TCP/IP stack, pose risks of remote code execution, denial of service, DNS cache poisoning, and data theft. Major firmware providers like AMI, Intel, Insyde, and Phoenix Technologies are affected. These vulnerabilities are particularly concerning due to their presence in the pre-boot environment, where they can be exploited even without an operating system running.
Date: Thu, 18 Jan 2024
Source: https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.html
Top Official Says Kansas Courts Need at Least $2.6 Million to Recover From Cyberattack
Description:
The Kansas court system is seeking at least $2.6 million to recover from a ransomware cyberattack that occurred in October. This funding is needed to restore computer systems, pay vendors, enhance cybersecurity, and hire three additional cybersecurity officials. The attack, attributed to a Russian-based group, disrupted electronic filing and online access to records for weeks. The total cost may increase, as it doesn't include potential future recovery costs, notification expenses, or victim support services like credit monitoring.
Date: Fri, 19 Jan 2024
Energy Department to Invest $30 Million in Clean Energy Cybersecurity Solutions
Description:
The U.S. Department of Energy (DoE) has announced an investment of $30 million for securing the clean energy infrastructure against cyber threats. This initiative supports the research, development, and demonstration of innovative cybersecurity tools as part of the Biden-Harris administration's commitment to enhancing national energy and security. The funding, managed by the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), will focus on projects that identify and mitigate cyber threats to various energy infrastructure components.
Date: Thu, 18 Jan 2024
List Containing Millions of Credentials Distributed on Hacking Forum, but Passwords Old
Description:
A large list named Naz.API, containing over 70 million unique email addresses and passwords, was discovered on a hacking forum. The list, sourced from malware logs and a defunct data breach search engine, includes mostly old passwords. Australian researcher Troy Hunt, who runs the Have I Been Pwned service, confirmed the legitimacy of the email addresses but noted the passwords' age. The data has been added to the Have I Been Pwned database, allowing users to check if their credentials are compromised.
Date: Thu, 18 Jan 2024
TeamViewer abused to breach networks in new ransomware attacks
Description:
Ransomware attackers are exploiting TeamViewer, a popular remote access tool, to infiltrate networks. These attacks, resembling the tactics of the leaked LockBit ransomware builder, involve gaining control of TeamViewer to deploy ransomware payloads. While the exact method of gaining control remains unclear, the attackers don't rely on exploiting a software vulnerability but possibly use compromised credentials. This approach has been noted before, with TeamViewer advising users to strengthen security settings. The attacks highlight the need for robust cybersecurity measures in remote access tools.
Date: Thu, 18 Jan 2024
CISA: Critical Ivanti auth bypass bug now actively exploited
Description:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of active exploitation of a critical authentication bypass bug in Ivanti's Endpoint Manager Mobile and MobileIron Core device management software. This flaw, identified as CVE-2023-35082, affects multiple software versions and enables attackers to access personal information of mobile device users and potentially backdoor compromised servers. Ivanti released a patch and RPM script in August 2023. The vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog, and U.S. federal agencies are directed to patch it by February 2.
Date: Thu, 18 Jan 2024
Credentials are Still King: Leaked Credentials, Data Breaches and Dark Web Markets
Description:
The article from BleepingComputer discusses the persistent threat of leaked credentials in cybersecurity. It emphasizes the widespread issue of password reuse and the risks associated with credential leaks from various sources, including third-party breaches and infostealer malware. The article categorizes leaked credentials into tiers based on their source and associated risks, providing insights into how threat actors exploit these credentials. It also highlights the limitations of multi-factor authentication in preventing unauthorized access when credentials are compromised.
Date: Thu, 18 Jan 2024
Google: Russian FSB hackers deploy new Spica backdoor malware
Description:
Google's Threat Analysis Group (TAG) has revealed that the Russian hacking group ColdRiver is deploying a new backdoor malware, Spica. The group uses phishing emails with PDF documents that appear encrypted. When recipients seek to decrypt these documents, they are directed to download a fake decryption tool, Proton-decrypter.exe, which installs Spica. This malware allows execution of arbitrary shell commands and data exfiltration. ColdRiver, also known as Callisto Group, Seaborgium, and Star Blizzard, is linked to Russia's FSB and has been active since 2015.
Date: Thu, 18 Jan 2024
644 NDIS users not told which medical records leaked, seven months after HWL Ebsworth hack
Description:
Almost 650 National Disability Insurance Scheme (NDIS) participants and prospective participants have still not been told which of their health records were leaked on the dark web in June last year.
HWL Ebsworth, which represented the National Disability Insurance Agency (NDIA) at the Administrative Appeals Tribunal (AAT), had documents covering several years of some impacted individuals’ medical and psychological histories at the time of the breach.
Date: Fri, 19 Jan 2024
Last updated
