26 May 2023

Cyber security week in review: May 26, 2023


Cyber security week in review: May 26, 2023

Suspected Russian CosmicEnergy malware capable of disrupting energy grid

Researchers from cybersecurity firm Mandiant published a report on a Russia-linked piece of malware dubbed ‘CosmicEnergy’ designed to target industrial control systems (ICS), more specifically, electric grids.

The malware is similar to Industroyer used by suspected Russian hackers in attacks against Ukraine’s energy infrastructure in 2022 and 2016. CosmicEnergy is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.

A comment found in the CosmicEnergy code suggests that the malware was created as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company that received a government subsidy in 2019 to begin training cyber security experts and conducting electric power disruption and emergency response exercises. Mandiant says that it's also possible that a different threat actor - either with or without permission - reused code associated with the cyber range to develop CosmicEnergy.

Barracuda’s email gateway appliances breached via zero-day bug

Barracuda, a provider of email and network security solutions, has warned its customers that some of its Email Security Gateway (ESG) appliances have been compromised using a zero-day vulnerability in one of the modules.

Tracked as CVE-2023-2868, the flaw is an OS command injection issue that can be exploited by a remote hacker to execute arbitrary Perl commands on the target system.

The vulnerability was identified on May 19 and a security patch to address the bug was applied to all ESG appliances worldwide on May 20, 2023.

Samsung ASLR bypass flaw actively exploited in attacks

Samsung smartphones are affected by a security vulnerability that is being actively exploited by hackers.

Tracked as CVE-2023-21492, the zero-day is an information disclosure flaw that could be exploited by a privileged attacker to bypass address space layout randomization (ASLR) protections. Samsung says the bug impacts select Samsung devices running Android versions 11, 12, and 13.

The vendor did not reveal details on attacks exploiting the flaw, only saying that it “was notified that an exploit for this issue had existed in the wild.”

Chinese hackers target critical infrastructure in the US

Microsoft says it uncovered a cyber-espionage campaign aimed at critical infrastructure organizations in the United States. The tech giant has linked this malicious activity with “moderate confidence” to a China-linked state-backed threat actor it tracks as Volt Typhoon.

Active since at least mid-2021, the group is focused on espionage and information gathering and has been known to target critical infrastructure organizations in Guam and elsewhere in the US. As for the goal of the recent Volt Typhoon’ campaign, Microsoft believes it “is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

According to SecureWorks, which tracks this group as ‘Bronze Silhouette,’ the threat actor has also been collecting military intelligence from US companies for at least two years.

In a separate cyber-espionage campaign an undisclosed China-linked hacker group targeted the Kenyan government in an attempt to obtain information on the country's mounting debt owed to Beijing in a cyber-espionage operation spanning several years.

Chinese cyber intrusions began in late 2019 and continued to at least 2022, targeting the office of Kenya's president, its defense, information, health, land and interior ministries, its counter-terrorism center and other institutions.

The US sanctions entities linked to North Korean hackers

The US Treasury Department sanctioned four North Korean entities and one individual for their involvement in malicious cyber activities that helped to Pyongyang to raise money to support its weapons program.

The list of sanctioned entities includes Pyongyang University of Automation, described by the authorities as “one of the DPRK’s premier cyber instruction institutions,” Technical Reconnaissance Bureau, and the 110th Research Center - two other entities controlled by the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence service and main entity responsible for the country’s malicious cyber activities.

Technical Reconnaissance Bureau leads the DPRK’s development of offensive cyber tactics and tools and operates several departments, including those affiliated with the Lazarus Group, one of the most well-known hacker groups linked to North Korea. More recently, Lazarus has been observed targeting Windows IIS web servers to launch espionage attacks.

Ukrainian hacktivists expose Russian GRU officer wanted for 2016 US election interference

Ukrainian hacktivist group Kiber Sprotyv (Cyber Resistance) and the volunteer intelligence community InformNapalm released the personal information and photo of Viktor Borisovich Netyksho, an officer in Russia’s Intelligence Directorate of the General Staff (GRU) wanted in the United States for his alleged involvement in the 2016 US presidential election hack.

Netyksho is one of the 12 military hackers indicted in the US for hacking offences related to the 2016 US presidential election, and this is the first time his photo has been exposed. While the FBI had photos of 11 suspects, Viktor Netyksho remained faceless, as the intelligence agencies were unable to obtain his photo

Ukraine, Israel, India, and Kazakhstan targeted in cyber-espionage campaign

Ukraine's computer emergency response team (CERT-UA) spotted a cyber-espionage operation targeting an unnamed state entity in Ukraine.

Tracked as UAC-0063, the activity appears to be part of a broader effort targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India.

CERT-UA, which has been tracking UAC-0063 since 2021, said that the group’s goal is cyber-espionage. The origins of this threat actor is currently unclear.

NSO’s Pegasus spyware found in Armenia and Azerbaijan amid Nagorno-Karabakh war

The government of Azerbaijan used spyware developed by Israeli surveillance software firm NSO Group to target a government worker, journalists, activists and the human rights ombudsperson in Armenia as part of a years long conflict in the disputed region of Nagorno-Karabakh. This is the first known case when the Pegasus spyware has been used in the middle of the war.

Digital rights organization Amnesty International says it have seen evidence suggesting that a commercial Android spyware named “Predator” developed by Israeli company Intellexa (formerly known as Cytrox) was deployed with server infrastructure located in Armenia. Cisco Talos has a detailed technical report on this spyware.

Former FinFisher execs charged with selling spyware to Turkey

German authorities have charged four former executives of the now-defunct surveillance technology company FinFisher for supplying Turkey's intelligence services with the FinSpy surveillance software that could be used to hack into phones and computers.

The prosecutors say the accused intentionally violated licensing requirements for dual-use goods by selling surveillance software to non-EU countries.

Specifically, the four suspects are charged with commercial violations of the German trade and payments act in three separate cases. According to the authorities, the Turkish opposition movement was targeted in 2017 using the FinSpy tool that was offered for download via a fake website.

Infosec analyst pleads guilty to hijacking ransom payment from his employer

A former IT security analyst at the UK-based gene and cell therapy company Oxford Biomedica admitted to posing as a ransomware gang to steal ransom payment from his employer. According to the police, Ashly Liles abused his role as a security analyst at the company to gain unauthorized access to a board member’s email account and change the payment address provided in the original blackmail email to one under his control in the hopes to divert any future payments to himself.

Furthermore, Liles also created an almost identical email address to the original attacker and began emailing his employer to pressurize them to pay the money.

Researchers identify second developer behind Golden Chickens MaaS

Researchers from cybersecurity firm eSentire exposed the identity of a second developer behind Golden Chickens (More_Eggs), a Malware-as-a-Service (MaaS) used by several financial crime groups - Russia-based FIN6, Evilnum and Cobalt Group, causing losses totaling more than $1.5 billion. Identified as ‘Jack,’ the developer is believed to be the mastermind behind the Golden Chickens operation, which he launched in 2017.

In August 2022, eSentire revealed the real-world identity of one of the operators behind Golden Chickens known as ‘badbullzvenom’ and ‘Chuck from Montreal’, a Moldavian national living in Canada.

Mastermind behind iSpoof scam website sentenced to 13 years in prison

The mastermind behind an online fraud website used to defraud victims out of more than £100 million has been jailed for more than 13 years.

Tejay Fletcher, 35, was the founder and leading administrator of iSpoof.cc website, shut down in November 2022 as a result of the UK’s biggest fraud crackdown.

iSpoof was a website that allowed criminals and fraudsters to masquerade as banks like Barclays, Santander, or HSBC, tax offices and other official bodies as they attempted to defraud victims. Using iSpoof services, threat actors could call unsuspecting bank customers pretending to be genuine employees, and – with the assistance of other iSpoof tools – obtain passwords, PIN codes, and then access customers’ bank accounts and empty them.

Brazilia-linked Operation Magalenha targets credentials of 30 Portuguese banks

SentinelLabs has a report out on ‘Operation Magalenha,’ an information stealing campaign that has been targeting users of 30 Portuguese financial institutions, including government, government-backed, and private institutions. The campaign, which has been linked to a Brazilian threat actor, involves two variants of a backdoor called PeepingTitle, “aiming to maximize the potency of their attacks.”

New Dark Frost Botnet is targeting the gaming industry

Researchers at Akamai have spotted a new DDoS botnet called ‘Dark Frost Botnet’ that is targeting the gaming industry. The malware was created using stolen code from several popular malware families (Mirai, Gafgyt, and Qbot. At present, the botnet comprises 414 devices running various instruction set architectures such as ARMv4, x86, MIPSEL, MIPS, and ARM7.

Google offers up to $30K for vulns in Android applications

Google announced a new bug bounty program called the Mobile Vulnerability Rewards Program (Mobile VRP) that will offer monetary rewards of up to $30,000 for vulnerabilities in the tech giant’s Android applications.

BrutePrint: A new technique to bypass phone fingerprint authentication

A group of Chinese researchers devised a new attack method they dubbed “BrutePrint” that can bypass user authentication on modern smartphones by brute-forcing fingerprints. The BrutePrint attack involves the exploitation of two security weaknesses called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), which allows to bypass existing security measures.


Back to the list

Latest Posts

Five Eyes partners detail new tactics of Russian military hackers APT29

Five Eyes partners detail new tactics of Russian military hackers APT29

In the past year, APT29 has been observed pilfering system-issued access tokens to infiltrate victim accounts.
26 February 2024
Canada's national police force targeted in a cyberattack

Canada's national police force targeted in a cyberattack

The RCMP has initiated an investigation into the incident to assess the full extent of the breach.
26 February 2024
Threat actor UAC-0149 targets Armed Forces of Ukraine with Cookbox backdoor

Threat actor UAC-0149 targets Armed Forces of Ukraine with Cookbox backdoor

The campaign has been ongoing since at least autumn 2023.
26 February 2024