Cyber security week in review: March 3, 2023


LastPass says hackers compromised one of its DevOps engineers

Password management software firm LastPass has shared details on a second breach stemming from the August 2022 hack, in which an unnamed threat actor gained access to portions of its development environment and stole source code and proprietary technical information using a compromised employee account.

LastPass said that the attacker used a remote code execution flaw in a vulnerable third-party media software package to compromise the home computer of one of its DevOps engineers, who had access to the decryption keys needed to access the cloud storage service. The attacker then installed keylogger malware on the employee’s computer and captured the master password needed to gain access to the DevOps engineer’s LastPass corporate vault.

Threat actors exploit vulnerabilities faster than ever, researchers warn

Threat actors are developing and deploying exploits for vulnerabilities faster than ever, with 56% of the bugs being exploited within seven days of public disclosure. In 2022, the median time to exploitation was just one day. The researchers say that zero-day exploits decreased 9% compared to 2021, but have still plateaued at a high rate, which keeps the gap between vulnerability disclosure and exploitation small.

Despite consistent ransomware activity, only 14 of the analyzed bugs are known to have been exploited to carry out ransomware attacks, a 33% decrease from 2021. The decrease may indicate that ransomware operations have become less reliant on new vulnerabilities, but other factors, including lower reporting of ransomware incidents, may also contribute to it.

White House unveils National Cybersecurity Strategy

The Biden-Harris administration has published its National Cybersecurity Strategy which aims to provide guidelines regarding how organizations in the US allocate roles, responsibilities and resources in cyber space. The strategy would shift the burden of cybersecurity from individuals and small businesses to organizations that are best equipped to mitigate cyber risks.

The plan will also focus on defending critical infrastructure by expanding minimum security requirements in certain sectors and streamlining regulations, and will treat ransomware as a national security threat, not just a criminal issue.

CISA shares key findings to improve monitoring and hardening of networks

The US Cybersecurity and Infrastructure Security Agency (CISA) shared new guidelines to help security teams improve their organizations’ cybersecurity posture.

The lengthy advisory describes CISA’s Red Team assessment of an unnamed large critical infrastructure organization with multiple geographically separated sites, and details key findings, as well as the tactics, techniques, and procedures (TTPs) used by the team.

FBI and CISA release advisory on Royal ransomware

The FBI and CISA released a joint security advisory detailing the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. Royal ransomware is a highly sophisticated and quickly evolving malware strain first observed in early 2022. The ransomware operation uses unusual techniques to breach networks before encrypting them and demanding ransom payments. For distribution, Royal campaigns use malicious email attachments or malicious advertisements.

A free tool released to help with MITRE ATT&CK mapping

CISA released a new open-source tool called ‘Decider’ to help network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK framework.

Free decryptor released for victims of MortalKombat ransomware

Researchers with Romanian cybersecurity company Bitdefender released a free decryptor that allows victims to recover files encrypted by the MortalKombat ransomware, first spotted in January 2023.

Massive phishing campaign targets Trezor crypto wallets

Cryptocurrency hardware firm Trezor has warned of an ongoing phishing campaign designed to trick users into granting access to their wallets. The threat actors contact the victims via phone call, SMS and/or email to say that there has been a security breach or suspicious activity on their Trezor account and ask them to follow the link provided in the message.

The company says that it found no evidence of any recent data breach.

Massive “Digital Smoke” investment scam targets users across the globe

An extensive investment fraud campaign has been discovered that aims to defraud internet users from Australia, Canada, China, Colombia, European Union, India, Singapore, Malaysia, United Arab Emirates, Saudi Arabia, Mexico, the US and other regions.

Dubbed “Digital Smoke” by researchers at Resecurity, the campaign involves a massive infrastructure designed to impersonate popular Fortune 100 corporations from the US and the UK and con users out of money. Once payments are collected from the victims, the threat actors abandon previously created resources and set up the next new campaign.

French police arrested two suspects behind Platypus Finance hack

French police arrested two suspects believed to be responsible for the theft of $9.1 million in cryptocurrency from the US-based DeFi platform Platypus Finance. The two brothers, aged 18 and 20, were arrested in Ile-de-France just a few days after the hack was perpetrated. As part of the arrest, French police seized 210,000 euros ($222,000) worth of cryptocurrency.

Vastaamo hacker Julius Kivimaki extradited to Finland

Julius Kivimaki, a serial hacker suspected of stealing tens of thousands of psychotherapy patient records, was extradited to Finland after his arrest in France earlier in February. Kivimaki has been charged with eight offenses tied to Vastaamo, including hacking, leaking people's private information and falsifying evidence.

Russia’s invasion of Ukraine disrupted cybercriminal ecosystem

Russia’s ongoing war in Ukraine has disrupted the vast cybercriminal threat landscape in Russia due to the mobilization of some threat actors and a wave of IT “brain drain,” according to a new report from Recorded Future’s Insikt Group. The cybersecurity firm notes that the economic consequences of the war in Ukraine will likely lead to a rise in the value of payment card fraud on the dark web, despite an overall decrease in carding volume last year. Mobilization and emigration of cybercriminals have also led to decreased activity on Russian-language dark web and special-access forums in 2022.

Dutch police arrested three data thieves that extorted hundreds of companies

The Dutch police arrested three men for their suspected involvement in what appears to be one of the biggest data extortion cases to date. The criminal scheme saw personal data belonging to tens of millions of people stolen and caused millions of euros worth of damage.

The data stolen during the hacks included names, addresses, phone numbers, dates of birth, bank account numbers, credit card numbers, passwords, license plates, citizen identification numbers, and passport information of tens of millions of people.

Once an organization was breached and its data stolen, the thieves threatened to destroy the victim’s digital infrastructure or make the stolen information public if a ransom was not paid. The threat actors demanded between €100,000 and €700,000, depending on the size of the organization they hacked. The group's suspected leader alone is believed to have made more than €2.5 million.

ChromeLoader malware distributed via malicious VHDs for Nintendo and Steam games

Threat actors behind the ChromeLoader browser hijacking and adware campaign are now using VHD files disguised as hacks or cracks for popular Nintendo and Steam games. Among the game titles and software abused for adware distribution purposes are Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, Microsoft Office, and more.

BlackLotus UEFI bootkit is capable of running on fully patched Windows 11 machines

ESET researchers shed some light on a UEFI bootkit called “BlackLotus,” which they say is the first publicly known UEFI bootkit capable of running on even fully up-to-date Windows 11 systems with UEFI Secure Boot enabled. BlackLotus exploits a Windows Secure Boot security feature bypass vulnerability (CVE-2022-21894), fixed in January 2022, to bypass UEFI Secure Boot and set up persistence for the bootkit.

Notably, the bootkit features geofencing capabilities to avoid infecting systems located in Romania, Moldova, Ukraine, Armenia, Kazakhstan, Russia, and Belarus.

Chinese APT Mustang Panda uses new custom backdoor to evade detection

The China-linked Mustang Panda APT group has been observed using a new custom backdoor, dubbed “MQsTTang,” in an ongoing campaign that targets government organizations in Europe and Asia. Mustang Panda has been known to target European governmental entities since at least 2020 and has increased its activity in Europe even further since Russia’s invasion of Ukraine.

Essentially, MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine. However, it has some interesting characteristics, such as the use of the MQTT protocol for C&C server communications, which is notable because the use of MQTT is rarely seen in malware families.

Iron Tiger/APT27 updates its SysUpdate custom malware with Linux version

The Chinese state-backed hacking group APT27, aka Iron Tiger, has updated SysUpdate, one of its custom malware families, to include new features and add support for infecting the Linux platform. The group first tested the Linux version in July 2022, but only in October 2022 did multiple payloads begin circulating in the wild.

US Marshals Service suffers ransomware breach that compromised sensitive data

The US Marshals Service (USMS) was hit by a ransomware attack that resulted in the theft of sensitive law enforcement data. The breach is said to have affected a USMS system that holds law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and some USMS employees.

Darkweb carding shop BidenCash offers two million credit cards for free

Darkweb carding market BidenCash is giving away data on over two million valid credit cards for free as a birthday anniversary promotion. The leaked dataset includes cardholders’ full names, card numbers, bank details, expiration dates and card verification value (CVV) numbers, with expiration dates ranging from early 2023 up to 2052, as well as home and email addresses linked to the credit cards.

The majority of the cards are issued in the US, and a large number of entries appear to be from China, Mexico, the UK, Canada, India, Italy, South Africa, Australia, and Brazil.
