[InfoSec MASHUP] 35/2024
Durov, founder of Telegram, arrested in France; Identity of Cybercriminal USDoD Revealed; Volt Typhoon returns with a new zero-day; Durex leaked... Clients' Data; Iran Threat Actors are busy++;
Welcome to the 40 new members from the last 30 days! This newsletter now has 1,517 subscribers.
Breaches & Security Incidents
🇺🇸 💰 RansomHub ransomware has breached over 210 victims in the U.S. since February 2024, targeting critical infrastructure sectors. This ransomware group focuses on stealing data and extorting victims rather than encrypting files. Federal agencies advise organizations to strengthen their security measures and discourage paying ransoms.
🇮🇳 🔓 Durex India has exposed sensitive customer data, including names and order details, on its website — A security researcher found that hundreds of customers' information was accessible due to poor security measures. This leak poses risks of identity theft and social harassment for those affected.
🇺🇸 🔓 DICK'S Sporting Goods reported that confidential data was exposed in a cyberattack discovered last Wednesday — The company has hired cybersecurity experts to investigate and contain the breach, which has not disrupted its operations. DICK'S has also informed law enforcement about the incident and is keeping employees updated through personal communication.
🇺🇸 The U.S. Marshals Service denies that their systems were breached by the Hunters International ransomware gang, despite being listed as a victim — The agency claims that the data posted by the gang is not from a new incident and matches data previously for sale in 2023. Hunters International has targeted many organizations this year and demands ransoms ranging from hundreds of thousands to millions of dollars.
🇺🇸 ✈️ Seattle-Tacoma International Airport has faced system outages for three days, likely due to a cyberattack — While travelers can still check in, they are experiencing long delays and limited services. The airport is working to restore systems but has not provided details about the attack.
🇺🇸 💰 The American Radio Relay League (ARRL) confirmed it paid a $1 million ransom to recover its systems after a ransomware attack in May. They reported that the attack was carried out by a sophisticated cyber group, affecting around 150 employees. Most systems have been restored, and the ransom payment was largely covered by insurance.
➝ More breaches:
Patelco Credit Union Says Breach Impacts 726,000 After Ransomware Gang Auctions Data
500,000 Impacted by Texas Dow Employees Credit Union Data Breach
BlackSuit ransomware stole data of 950,000 from software vendor
Cybercrime, Cyber Espionage, APTs
🇻🇳 A Vietnamese human rights group has been targeted in a multi-year cyberattack by a hacking group known as APT32 — This group uses malware to steal sensitive information and has been active since at least 2012, often employing tactics like spear-phishing. The latest attacks involved compromising multiple hosts to install backdoors that collect user data.
🇷🇺 👀 Google has found that Russian government hackers are using exploits similar to those created by spyware companies NSO Group and Intellexa — These exploits targeted Mongolian government websites, potentially allowing hackers to steal data from visitors using iPhones and Android devices. The exact method of how these hackers acquired the exploits remains unclear, but it highlights the risks of spyware technology falling into the hands of malicious actors.
🇮🇷 🇮🇱 Iranian hackers are using fake job recruitment websites and social media to target potential Israeli spies — They create disguised profiles to collect personal information from users interested in jobs, especially in IT and cybersecurity. This operation helps the Iranian government identify individuals who may be cooperating with foreign adversaries.
🇺🇸 🇧🇾 The US is offering a $2.5 million reward for information about Volodymyr Kadariya, a Belarusian national accused of distributing malware — He was part of a group that used the Angler Exploit Kit to infect millions of computers with various types of malware. Kadariya and his associates allegedly tricked victims into downloading harmful software and stole their personal information for profit.
🇰🇷 A South Korean cyber espionage group, APT-C-60, exploited a critical flaw in Kingsoft WPS Office to deploy a backdoor called SpyGlace. The attack involved a deceptive spreadsheet document that, when clicked, triggered a malware infection. Users are advised to be cautious of this exploit and to remove malicious plugins found in messaging applications.
🇨🇳 🇺🇸 Chinese government-linked hackers targeted U.S. internet providers using a previously unknown software vulnerability. The group, called Volt Typhoon, aims to disrupt critical infrastructure and potentially harm U.S. military responses in future conflicts. Security researchers confirmed the flaw and reported it to U.S. authorities, leading to emergency patches for affected software.
🇧🇷 The hacker known as USDoD, famous for major data leaks, has been identified as Luan B.G., a 33-year-old man from Brazil — Investigations revealed that he did not effectively conceal his identity, and he has acknowledged the accuracy of his identification. Luan may seek a deal with Brazilian authorities to use his cybersecurity skills in exchange for leniency, though he could still face legal consequences.
🇨🇳 A former Verizon employee, Ping Li, pleaded guilty to helping a Chinese spy agency by sharing information about dissidents and cybersecurity incidents — He faces up to five years in prison for his actions, which included using anonymous accounts and traveling to China. Li's attorney noted that while he made a serious mistake, the charges were reduced, highlighting the government's stance on unauthorized information sharing.
🇮🇷 🇺🇸 Iranian hackers targeted the WhatsApp accounts of staffers in both the Biden and Trump administrations, according to Meta Platforms. The hackers posed as tech support agents and are linked to previous attacks on both presidential campaigns. U.S. intelligence officials warn that Iran's cyberattacks aim to disrupt democracy and influence the upcoming election.
🇷🇺 🇦🇷 A 29-year-old Russian man was arrested in Argentina for laundering millions in cryptocurrency linked to North Korean hackers known as Lazarus — He used complex transactions to hide the source of the stolen funds and processed around $100 million from various criminal activities. Authorities seized his electronic devices and cryptocurrency wallets containing significant assets during the investigation.
Government, Politics, and Privacy
🇮🇷 🇺🇸 In response to foreign hacking threats, U.S. officials learned from the 2016 campaign and acted faster to identify Iranian hackers targeting presidential campaigns — They emphasized transparency to help the public recognize and resist foreign influence. This approach reflects a significant change in how the government addresses election security threats.
🇩🇰 🔐 Denmark's Minister of Justice, Peter Hummelgaard, wants to ban encrypted messaging apps like Telegram and Signal to combat rising gang-related crime — Authorities believe these services help criminals communicate and organize without being monitored. The proposal has sparked backlash, especially since many lawmakers, including Hummelgaard, also use these encrypted platforms.
🇳🇱 🇺🇸 Uber has been fined €290 million by the Dutch Data Protection Authority for not protecting drivers' personal information during data transfers to the US. The company plans to appeal the decision, claiming it followed GDPR rules despite uncertainty about data transfer laws. This fine is part of a history of penalties from the Dutch authority, as Uber has faced previous fines for similar issues.
🇳🇱 📱 The Dutch cabinet has banned phones and smartwatches in meetings to prevent espionage — Prime Minister Dick Schoof, a former spy, explained that these devices can be used as microphones. Ministers can check their phones during breaks, but must store them in a vault during official discussions.
Malware & Threats
🦠 🗒️ A new malware called "Voldemort" is spreading worldwide by impersonating tax agencies and using phishing emails to target organizations — It stores stolen data and receives commands through Google Sheets, making it harder for security systems to detect. The campaign has affected over 70 organizations, mainly in the insurance, aerospace, transportation, and education sectors.
🦠 🔐 Cybersecurity researchers have revealed a new malware campaign targeting Middle East users by disguising itself as the Palo Alto Networks GlobalProtect VPN tool — This malware can execute commands remotely, steal files, and evade detection, posing a serious threat to organizations. It likely spreads through phishing tactics, tricking users into installing the malicious software.
🦠 👁️🗨️ Hackers are exploiting a serious vulnerability in the AVM1203 security camera to spread Mirai malware — This malware turns infected devices into a network for launching attacks on websites and services. The vulnerability is five years old, and since the camera is no longer supported, there is no fix available.
🦠 🧩 The Pidgin messaging app removed a malicious plugin called ScreenShareOTR after it was found to install keyloggers and malware — This plugin, which claimed to offer screen-sharing features, was linked to a broader campaign that distributed DarkGate malware. To enhance security, Pidgin will now only accept third-party plugins with approved open-source licenses.
🦠 Researchers have discovered a new dropper called PEAKLIGHT that targets Windows systems through malicious movie downloads — This dropper uses a PowerShell script to deliver various types of malware, including information stealers. The attack starts when users download disguised shortcut files from the internet, which then connect to remote servers to execute malicious code.
🦠 🏧 New Android malware called NGate steals payment card data using a device's NFC reader — It relays this information to attackers, allowing them to clone the card for ATM withdrawals. This is the first time such a technique has been seen in the wild.
🦠 🐧 Cybersecurity researchers have discovered a new Linux malware called sedexp that hides credit card skimmers and uses udev rules for persistence on infected systems. This malware allows attackers to maintain remote access and conceal their activities, making it harder to detect. Sedexp highlights the increasing sophistication of cybercriminals focused on financial gain.
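A defender-side check for the udev persistence mechanism mentioned above, added here as an example (it is not from the newsletter or the sedexp research): it lists every udev rule that executes a program and flags those whose executable lives outside the usual helper directories. The trusted-prefix list and the sample rules are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the newsletter or the sedexp research.
# Lists udev rules that execute something (RUN+=, RUN=, PROGRAM=, IMPORT{program}=)
# and marks the ones whose executable is outside the usual helper directories,
# which is how a udev-based persistence mechanism like sedexp's would show up.
# Constructed sample rules are written to a temp dir so the script runs offline.

# Trusted prefixes for udev helpers (assumption: adjust for your distro).
TRUSTED='^(/usr/lib/udev|/lib/udev|/usr/bin|/bin|/usr/sbin|/sbin)/'
EXEC_KEYS='(RUN\+?=|PROGRAM=|IMPORT\{program\}=)'

# Print "file:line:status:rule" for each executing rule in directory $1.
# Status is OK or SUSPECT. udev resolves non-absolute program paths relative
# to /usr/lib/udev, so those count as trusted.
audit_udev_rules() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        grep -nE "^[^#]*$EXEC_KEYS\"" "$f" | while IFS= read -r m; do
            num=${m%%:*}
            rule=${m#*:}
            # Extract the quoted program string of the exec key.
            prog=$(printf '%s\n' "$rule" | sed -E "s/.*$EXEC_KEYS\"([^\"]*)\".*/\2/")
            exe=${prog%% *}          # drop arguments
            case "$exe" in
                /*) printf '%s\n' "$exe" | grep -qE "$TRUSTED" && status=OK || status=SUSPECT ;;
                *)  status=OK ;;     # relative path: lives under /usr/lib/udev
            esac
            printf '%s:%s:%s:%s\n' "$f" "$num" "$status" "$rule"
        done
    done
}

# Count SUSPECT findings in directory $1 (prints 0 if none).
count_suspect_rules() {
    audit_udev_rules "$1" | grep -c ':SUSPECT:' || true
}

# Constructed sample rules for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/60-sample.rules" <<'EOF'
# benign helper shipped with the distro
ACTION=="add", SUBSYSTEM=="block", RUN+="/usr/lib/udev/myhelper --scan"
ACTION=="add", KERNEL=="sd*", PROGRAM="ata_id --export $devnode"
# fires on every boot (device node always present) and runs from a scratch dir
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="/dev/shm/.cache/updater start"
EOF
audit_udev_rules "$SAMPLE_DIR"
```

Point it at /etc/udev/rules.d and /usr/lib/udev/rules.d on a real host and review every SUSPECT line by hand; a rule keyed to an always-present device node is the pattern to look at first.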
AI, Tech & Tools
🤖 🇺🇸 California is moving forward with a new law to regulate large AI models, requiring companies to test their systems and share safety protocols — The bill aims to prevent risks, like potential attacks on critical infrastructure, and is backed by some tech companies while facing opposition from others. Governor Gavin Newsom will decide whether to sign it into law by the end of September.
🤖 🫱🏻🫲🏼 Cisco plans to acquire Robust Intelligence to enhance AI security for businesses — This partnership aims to protect AI applications from various threats and simplify security operations.
🇷🇺 🇫🇷 Pavel Durov, the founder of Telegram, was arrested in France while leaving his private jet — French authorities reportedly claim he is linked to serious crimes due to Telegram's lack of content moderation. Durov, who has a net worth of $15.5 billion, now lives in Dubai, and the app has over 950 million active users.
Durov arrest boosts Telegram app downloads
French Authorities Charge Telegram CEO with Facilitating Criminal Activities on Platform
Vulnerabilities, Research, and Threat Intelligence
Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation
Google Now Offering Up to $250,000 for Chrome Vulnerabilities
Fortra Patches Critical Vulnerability in FileCatalyst Workflow
🔓 ✈️ Security researchers found a vulnerability in the FlyCASS system, which could allow unauthorized individuals to bypass airport security and access aircraft cockpits — They discovered that an SQL injection flaw enabled attackers to log in as airline administrators and manipulate employee data. Despite reporting this issue to the Department of Homeland Security, their attempts to ensure proper disclosure were met with resistance, and the TSA downplayed the severity of the vulnerability.
🪳 🔓 A serious security flaw in Atlassian Confluence has been exploited by hackers for cryptocurrency mining — The vulnerability, known as CVE-2023-22527, allows attackers to execute remote code and has been used to install mining software on unpatched systems. Organizations are urged to update their Confluence software to prevent these attacks.
🪳 🇷🇺 Bug bounty programs are growing in Russia due to international sanctions and the need for improved cybersecurity. Russian companies and even government institutions are now establishing their own programs to encourage ethical hacking and vulnerability reporting. This shift could have significant implications for cybersecurity, potentially enabling Russian hackers to sell vulnerabilities to local companies instead of reporting them to Western platforms.
🇨🇳 🦠 Chinese hacking group Volt Typhoon is exploiting a new security flaw in Versa Director servers to steal credentials from customer networks — This vulnerability has been added to the CISA must-patch list after being confirmed to allow malware installation. Researchers warn that Volt Typhoon's attacks have targeted many organizations in the U.S., particularly in critical sectors.
🪳 🔓 Researchers have found over 20 vulnerabilities in MLOps platforms, which could allow attackers to execute arbitrary code or load harmful datasets — These vulnerabilities stem from both inherent flaws in the technology and implementation weaknesses, such as insufficient authentication. As a result, organizations using these platforms need to ensure their environments are secure and isolated to prevent potential attacks.
🪳 📍 Two serious security flaws have been found in the Traccar GPS tracking system, allowing attackers to execute remote code. These vulnerabilities can be exploited if the default guest registration setting is enabled. Traccar has released an update to fix these issues and improve security.
ICS, OT & IoT
🪳 🩹 Cybersecurity firm Nozomi Networks has discovered several vulnerabilities in Beckhoff Automation’s TwinCAT/BSD operating system, which could allow attackers to tamper with PLCs and launch denial of service (DoS) attacks. Two high-severity flaws could enable unauthorized access and manipulation of PLC programming, while two medium-severity issues can make devices unresponsive. Beckhoff has released patches and advisories to address these vulnerabilities.
🔄 Two ICS/OT security companies announced updates to their products — Dragos enhanced its platform for better asset visibility and vulnerability management, while Nozomi Networks partnered with Mandiant to improve threat intelligence. These updates aim to strengthen security for critical industrial infrastructure.
🇮🇷 📡 Iranian hackers are using custom malware called Tickler to target sectors like satellite, oil and gas, and government in the US and UAE — Microsoft links these attacks to a group known as Peach Sandstorm, which is associated with the Iranian Revolutionary Guard Corps. The hackers have successfully compromised several organizations using this new tool and other methods.