Hang in there folks, because the cybersecurity landscape has been terrifying this past week! We’ve seen everything from North Korean hackers dangling “dream jobs” to deliver new malware to a surprising twist in the Apple vs. NSO Group saga. Even in the seemingly mundane world of domain names and cloud configurations, there was some drama. Let’s dig into the details and see what lessons we can learn from last week.
⚡ Threat of the week
Raptor Train botnet dismantled: The US government announced the takedown of the Raptor Train botnet, which was controlled by a China-linked threat actor known as Flax Typhoon. As of June 2024, the botnet comprised more than 260,000 devices, with victims spread across North America, Europe, Asia, Africa, Oceania and South America. The government also attributed Flax Typhoon to a publicly traded Beijing company known as Integrity Technology Group.
🔔 Top news
- New Lazarus Group malware: A cyber espionage group linked to North Korea, tracked as UNC2970 (aka TEMP.Hermit), has been spotted using job-themed phishing lures to target potential victims in the energy and aerospace verticals and infect them with a previously undocumented backdoor called MISTPEN. The activity is also tracked as Operation Dream Job.
- iServer and Ghost dismantled: Europol announced another major law enforcement win with the takedown of an international criminal network that used the iServer phishing platform to unlock stolen or lost mobile phones. The agency, in cooperation with the Australian Federal Police (AFP), also dismantled an encrypted communication network called Ghost, which facilitated serious organized crime around the world.
- Iranian APT acts as an initial access provider: An Iranian threat actor tracked as UNC1860 is acting as an initial access broker, providing remote access to target networks by deploying various passive backdoors. This access is then used by other Iranian hacking groups linked to the Ministry of Intelligence and Security (MOIS).
- Apple drops lawsuit against NSO Group: Apple has filed a motion to “voluntarily” dismiss the lawsuit it had been pursuing against the Israeli commercial spyware vendor NSO Group, citing a changing risk landscape that could lead to the exposure of critical “threat intelligence” information. The lawsuit was filed in November 2021.
- Phishing attacks using HTTP headers: A new wave of phishing attacks abuses refresh entries in HTTP response headers to deliver fake email login pages designed to harvest user credentials. The campaigns target organizations in South Korea and the United States.
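The refresh-header trick above is easy to overlook because the redirect happens before any page content renders. As an added example (it is not part of the original recap and not the researchers' own tooling), the Python script below shows how a defender might flag suspicious Refresh headers in proxied HTTP responses: a zero-delay refresh that sends the browser off-host and carries an email address in the target URL. The sample responses, the request hostname and the two-indicator threshold are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample responses (not real captures): a harmless same-site
# refresh and a phishing-style redirect that pre-fills the victim's address.
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 5; url=/status\r\n"
    "\r\n"
    "<html><body>Reloading...</body></html>"
)
SUSPICIOUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 0; url=https://login-portal.invalid/#user@example.com\r\n"
    "\r\n"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return the response headers as a lower-cased name -> value dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_refresh(value: str) -> Tuple[Optional[int], Optional[str]]:
    """Split a Refresh value such as '0; url=https://...' into (delay, url)."""
    delay_part, _, rest = value.partition(";")
    try:
        delay: Optional[int] = int(delay_part.strip())
    except ValueError:
        delay = None
    url = None
    rest = rest.strip()
    if rest.lower().startswith("url="):
        url = rest[4:].strip().strip("'\"")
    return delay, url


def assess_refresh(request_host: str, raw_response: str) -> Dict[str, object]:
    """Score a response's Refresh header; two or more indicators -> suspicious."""
    headers = parse_headers(raw_response)
    reasons: List[str] = []
    if "refresh" not in headers:
        return {"suspicious": False, "reasons": reasons}
    delay, url = parse_refresh(headers["refresh"])
    if url is None:
        return {"suspicious": False, "reasons": reasons}
    target_host = urlparse(url).hostname  # None for relative URLs
    if target_host and target_host.lower() != request_host.lower():
        reasons.append(f"redirects off-host to {target_host}")
    if delay == 0:
        reasons.append("zero-delay refresh (instant redirect)")
    if EMAIL_RE.search(url):
        reasons.append("email address embedded in redirect URL")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_RESPONSE), ("suspicious", SUSPICIOUS_RESPONSE)):
        print(label, assess_refresh("mail.example.net", raw))
```

In a real deployment the request hostname comes from the proxy log or the client's Host header, and the off-host check should also treat redirects to look-alike domains of the organization as external.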
📰 Around the cyber world
- Sandvine leaves 56 “non-democratic” countries: Sandvine, the company behind the middleboxes that have been abused to deliver commercial spyware in targeted attacks, said it has withdrawn from 32 countries and is in the process of ceasing operations in another 24, citing elevated threats to digital rights. Earlier this year, in February, the company was added to the US Entity List. “The misuse of deep packet inspection technology is an international problem that threatens free and fair elections, basic human rights and other digital freedoms that we believe are inalienable,” the statement said. It does not disclose the list of countries it is exiting as part of the overhaul.
- .mobi domain purchased for $20: Researchers from watchTowr Labs spent just $20 to purchase an old WHOIS server domain associated with the .mobi top-level domain (TLD) and set up a WHOIS server on it. This led to the discovery that more than 135,000 unique systems were still querying the old WHOIS server during the five-day period ending September 4, 2024, including cybersecurity tools and mail servers for government, military and university organizations. The research also showed that the TLS/SSL process for the entire .mobi TLD was undermined, because many Certificate Authorities (CAs) were still using the “fake” WHOIS server to “determine domain owners and where verification information should be sent”. Google has since called for ending the use of WHOIS data for TLS domain verification.
- Sensitive data leaked due to ServiceNow misconfigurations: Thousands of companies are inadvertently exposing the secrets in their internal Knowledge Base (KB) articles through ServiceNow misconfigurations. AppOmni attributed the problem to “outdated configurations and misconfigured knowledge base access controls”, which likely indicate a “systematic misunderstanding of knowledge base access controls, or perhaps accidental replication of at least one poor control in another instance via cloning”. ServiceNow has published instructions on how customers can configure their instances to prevent unauthenticated access to knowledge base articles.
- Google Cloud Document AI bug fixed: Speaking of misconfigurations, researchers found that overly permissive settings in the Google Cloud Document AI service could be abused by threat actors to access Cloud Storage buckets and steal sensitive information. Vectra AI described the vulnerability as a case of transitive access abuse.
- Microsoft plans to end kernel access for EDR software: After the mass outage caused by a faulty CrowdStrike update in July 2024, Microsoft highlighted Windows 11’s “enhanced security and default security settings”, which provide additional security capabilities for security software vendors outside of kernel-mode access. It also said it will work with ecosystem partners to achieve “increased reliability without compromising security.”
🔥 Cyber security resources and information
— Upcoming webinars
- Zero Trust: Anti-Ransomware Armor: Join our next webinar with Zscaler’s Emily Laufer for an in-depth look at the 2024 Ransomware Report, revealing the latest trends, emerging threats and zero-trust strategies that can protect your organization. Don’t become another statistic – register now and fight back!
- SIEM Reboot: From Overload to Neglect: Drowning in data? Your SIEM should be a lifesaver, not another headache. Join us to learn how legacy SIEM went wrong and how a modern approach can simplify security without compromising performance. We’ll delve into the origins of SIEM, its current challenges, and our community-driven solutions to cut through the noise and strengthen your security. Sign up now for a new perspective on SIEM!
— Ask an Expert
- Q: How is Zero Trust fundamentally different from traditional Perimeter Defense, and what are the main challenges and benefits of transitioning an organization from a Perimeter Defense model to a Zero Trust architecture?
- A: Zero trust and perimeter defense are two ways to protect computer systems. Zero trust is like having multiple locks on the door AND checking IDs in every room: it doesn’t trust anyone by default and continuously verifies anyone and anything trying to access anything. This is great for stopping hackers even if they manage to get in, and works well when people are working from different locations or using cloud services. Perimeter defense is like a strong wall around your castle that focuses on keeping the bad guys out. But if someone breaks in, they have easy access to everything inside. This age-old approach struggles with today’s remote work and cloud scenarios. Moving to zero trust is like upgrading your security system: it takes time and money, but it’s worth it because it provides much better protection. Remember, it’s not just one thing, it’s a whole new way of thinking about security, and you can start small and build up over time. Also, don’t ditch the wall completely; it’s still useful for basic defense.
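The castle-wall versus ID-check contrast above becomes concrete when written as two authorization functions. The following Python is an added example (not from the original answer or any vendor's product) that puts a perimeter policy, which trusts any request from an internal IP range, next to a zero-trust policy, which checks identity, device posture and per-resource rights on every request. The network range, session tokens, device inventory and policy table are all hypothetical values constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, Optional, Set, Tuple

# Constructed stand-ins for the corporate network, identity provider,
# device inventory and authorization policy (hypothetical values).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SESSIONS: Dict[str, Dict[str, Any]] = {
    "tok-alice": {"user": "alice", "groups": {"finance"}},
}
DEVICE_POSTURE: Dict[str, Dict[str, bool]] = {
    "laptop-alice": {"managed": True, "disk_encrypted": True},
}
# resource -> action -> groups allowed to perform it
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "finance-db": {"read": {"finance"}, "write": {"finance-admin"}},
}


@dataclass
class Request:
    source_ip: str
    token: Optional[str]  # identity token presented with the request, if any
    device_id: str
    resource: str
    action: str


def perimeter_allow(req: Request) -> Tuple[bool, str]:
    """Castle-wall model: anything originating inside the network is trusted."""
    if ipaddress.ip_address(req.source_ip) in INTERNAL_NET:
        return True, "source inside perimeter"
    return False, "source outside perimeter"


def zero_trust_allow(req: Request) -> Tuple[bool, str]:
    """Every request must prove identity, device health and per-resource rights."""
    identity = SESSIONS.get(req.token or "")
    if identity is None:
        return False, "no valid identity"
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None or not posture.get("managed") or not posture.get("disk_encrypted"):
        return False, "device fails posture check"
    allowed = POLICY.get(req.resource, {}).get(req.action, set())
    if identity["groups"] & allowed:
        return True, f"{identity['user']} authorized for {req.action} on {req.resource}"
    return False, f"{identity['user']} not authorized for {req.action} on {req.resource}"


# Scenario 1: an intruder who is already past the wall (internal IP, no
# identity, unmanaged device).  Scenario 2: a legitimate remote employee.
# Scenario 3: the same employee asking for more than their role permits.
INTRUDER = Request("10.0.5.7", None, "unknown-box", "finance-db", "read")
REMOTE_EMPLOYEE = Request("203.0.113.9", "tok-alice", "laptop-alice", "finance-db", "read")
OVERREACH = Request("203.0.113.9", "tok-alice", "laptop-alice", "finance-db", "write")

if __name__ == "__main__":
    for name, req in (("intruder", INTRUDER), ("remote employee", REMOTE_EMPLOYEE),
                      ("overreach", OVERREACH)):
        print(name, "| perimeter:", perimeter_allow(req), "| zero trust:", zero_trust_allow(req))
```

The intruder scenario is the one the answer warns about: the perimeter check waves the request through because the source address is internal, while the zero-trust check denies it for lack of any verified identity. The overreach scenario shows the other half of the model, least privilege per resource rather than a single trusted/untrusted decision.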
— Cybersecurity jargon buster
- Polymorphic Malware: Imagine an insidious virus that constantly changes its disguise (signature) to fool your antivirus. It’s like a chameleon, so it’s hard to catch.
- Metamorphic Malware: Even harder to catch! It’s like a shape-shifter that doesn’t just change clothes, but completely changes its body. It rewrites its own code every time it infects a new system, making it virtually impossible for an antivirus to detect.
— Tip of the week
- Think before you click maze: Navigate through a series of decision-making points based on real-life scenarios, choosing the safest option to avoid phishing traps and other online threats.
Conclusion
“To err is human; to forgive is divine.” – Alexander Pope. But in cyber security, forgiveness can be costly. Let’s learn from these mistakes, strengthen our defenses and make the digital world safer for everyone.