
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Friday, December 6, 2024. I'm Rich Stroffolino.

Feds find cybercriminal tools used by sextortion group

According to a joint intelligence note from the Joint Regional Intelligence Center and the Central California Intelligence Center seen by CyberScoop, the child sextortion group 764 uses traditional cybercrime techniques in its operation, including SIM swapping, social engineering and IP grabbing. Much of this comes from a Telegram channel operated by the group 6996, which associates with a wider collective called the Com. This documentation offers resources and tools for committing fraud, grooming minors for self-harm and forming a culture. Further, FBI notes seen by CyberScoop show group 764 operates a fake Telegram channel that offers suicide prevention support, but ultimately is used to dox and extort victims.

Russian hackers hack hackers in "no honor among thieves" news

A new report from Lumen's Black Lotus Labs details how the Russian cyber espionage group Turla used the infrastructure of the Pakistani-linked group Storm-0156 to launch their own attacks. Researchers have been observing operations by Storm-0156, finding a C2 server on an Indian government network. This server began interacting with three IP addresses known to be linked to Turla. Further research shows Turla has used the Pakistani group's infrastructure since 2022, using the servers to launch various backdoors and other malware. Eventually, Turla got more ambitious, moving laterally into Storm-0156's network and gaining direct access to their data and tooling. Researchers at Microsoft, who contributed to the report, said Turla used this access to target Afghan government agencies. This isn't a new tactic for Turla. Back in 2019, the NSA put out an advisory that Turla had hijacked infrastructure belonging to the Iran-backed group OilRig to carry out attacks.

Amazon's post-quantum migration plan

AWS published a blog post with an overview of how it will roll out support for post-quantum cryptography, or PQC. Some features will be enabled by default for all customers, while others will be up to customers to activate. The company won't re-encrypt data at rest already encrypted using 256-bit symmetric cryptography, but its first PQC rollout will be with negotiating shared symmetric keys with public endpoints. It will also add PQC mitigations when offering the ability to create key pairs that will act as a root of trust. AWS has also deployed PQC to its open source AWS-LC cryptographic library, which it uses in its TLS implementation. The blog post also contains recommendations for organizations starting their own PQC migration, so look for the details in our show notes.

Chinese group linked to another long-term intrusion

Researchers at Symantec report that a Chinese-linked threat actor carried out a long-term attack against an unnamed US organization, operating since at least April 11, 2024, and likely a lot longer. The attacks used a DLL sideloading attack showing similarities to the larger Crimson Palace espionage campaign Sophos discovered back in September. The threat actors used their access for credential theft and targeted access around Exchange servers. While we don't know the name of the victim, researchers said it previously suffered an attack linked back to the Chinese-based group Daggerfly in 2023.

And now, thanks to today's episode sponsor, Vanta. As third-party breaches continue to rise, companies are increasingly vigilant, which means more time spent on manual security reviews. With Vanta Questionnaire Automation, security and compliance teams can complete security reviews up to five times faster, giving you time back to focus on running your security and compliance programs. Over 8,000 global companies like ZoomInfo, SmartRecruiters and Noibu use Vanta to save time on security reviews. Visit vanta.com to learn more about Questionnaire Automation. That's V-A-N-T-A dot com.

Cisco switches hit with bootloader vulnerability

The flaw impacts over 100 device models across Cisco's MDS, Nexus and UCS Fabric Interconnect lines, allowing an attacker to bypass the bootloader verification process and load software. The flaw doesn't require any authentication, but does require physical access to the switches. Cisco released several NX-OS updates to patch the flaws and will roll out the updates to all devices by the end of the month, excluding one discontinued Nexus model. It did caution that no mitigations for this flaw will be available other than preventing physical access to the switches.

WeChat bug used to target Uyghurs

Researchers at Trend Micro discovered a Chinese-linked threat group called Earth Minotaur that uses the Moonshine exploit kit on WeChat and Chromium-based browsers to install the Dark Nimbus backdoor on Android and Windows devices. Researchers described Dark Nimbus as a comprehensive Android surveillance tool. The attackers used messaging lures tied to government announcements with embedded malicious links to get Moonshine on devices, disguising themselves as different characters in chats to increase the success of their social engineering attacks. Based on the lures used in the messages, these attacks target Tibetan and Uyghur ethnic minorities in China.

Russians put spyware on detainee's phone

Russian programmer Kirill Perubets spent two weeks in government custody. Soon after his release, he noticed unusual activity, including atypical notifications after contacting a Russian legal assistance group. Citizen Lab analyzed the device and found authorities loaded the trojanized application Cube Call Recorder on his phone while he was in custody. Code samples show similarities to the Monokle spyware Lookout Mobile Security documented back in 2019. The app can access location data, read and send SMS messages, record the screen and answer phone calls. Perubets said authorities pressured him into becoming an informant on Ukrainian aid activity and physically beat him while in custody.

Gen AI boosting financial fraud

A new alert from the FBI's Internet Crime Complaint Center details how threat actors are using generative AI tools for fraud on a larger scale and with more believability. This includes using tools like ChatGPT to assist with language translation for romance and investment scams, enabling faster and more elaborate lures. Image generation tools allow for believable social media profile photos and other supporting evidence used in financial fraud schemes. And deepfakes are seeing increased usage, either as short audio-only voice clips, bypassing visual verification checks, or on video calls. Not surprisingly, the FBI recommended creating a secret word or phrase to verify your identity with friends and family.

Do you have your AI security perfectly thought out? Congratulations, you're the only one. For the rest of us mortals, you might want to check out our latest Super Cyber Friday discussion, all about hacking the AI supply chain. It's one thing to have a handle on what information is going into models you're directly using in your organization, but it's another thing to understand and secure the full AI chain reaching into all your SaaS apps. It starts at 1pm Eastern, 10am Pacific. Head on over to our events page at cisoseries.com to register. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories. Behind the headlines.
Cyber Security Headlines - Detailed Summary
Hosted by CISO Series
Episode: Feds Investigate Group 764, Russians Hack Hackers, AWS PQC Migration
Release Date: December 6, 2024
In this segment, Rich Stroffolino discusses recent federal investigations into a child sextortion group identified as Group 764. According to a joint intelligence note from the Joint Regional Intelligence Center and the Central California Intelligence Center, Group 764 employs traditional cybercrime techniques such as SIM swapping, social engineering, and IP grabbing to carry out their operations.
Notable Quote:
Rich Stroffolino highlights the gravity of the situation:
"Group 764's manipulation of support channels to facilitate extortion illustrates the sophisticated and deceptive nature of modern cybercriminal operations." [02:15]
The episode delves into a report from Lumen's Black Lotus Labs, which reveals that the Russian cyber espionage group Turla has been hijacking the infrastructure of the Pakistani group Storm 0156 to launch their own cyberattacks.
Notable Quote:
A Microsoft researcher involved in the report notes,
"Turla's ability to infiltrate and repurpose other hacker groups' infrastructure demonstrates their relentless pursuit of advanced espionage capabilities." [04:40]
Amazon Web Services (AWS) has announced its strategy for integrating Post-Quantum Cryptography into its services, addressing the impending challenges posed by quantum computing to current encryption standards.
Notable Quote:
Rich emphasizes the significance of this transition:
"AWS's proactive approach to PQC ensures that organizations are prepared for the quantum era, safeguarding their data against future threats." [05:30]
Symantec researchers have uncovered a prolonged cyberattack carried out by a Chinese-linked threat actor against an unnamed U.S. organization. The attacks have been ongoing since at least April 11, 2024, and possibly longer.
Notable Quote:
A Symantec researcher states,
"The continuity and sophistication of these attacks underline the persistent threat posed by state-linked actors aiming to infiltrate critical infrastructure." [06:50]
A significant security flaw has been identified in over 100 models of Cisco switches across their MDS, Nexus, and UCS fabric interconnect lines. This vulnerability allows attackers to bypass the bootloader verification process and load malicious software.
Notable Quote:
Rich underscores the importance of swift action:
"Organizations must prioritize applying these NX-OS updates to secure their network infrastructure against potential physical and software-based attacks." [07:20]
Trend Micro researchers have identified a Chinese-linked threat group, Earth Minotaur, utilizing the Moonshine exploit kit on WeChat and Chromium-based browsers to deploy the Dark Nimbus backdoor on Android and Windows devices.
Notable Quote:
A Trend Micro analyst comments,
"The meticulous crafting of these lures demonstrates a deep understanding of the targeted communities, making the attacks particularly insidious." [05:55]
In a concerning development, Russian authorities have been found installing spyware on the phones of detainees. Russian programmer Kirill Perubets experienced unusual activity on his phone following his release from government custody.
Notable Quote:
Rich highlights the human cost, stating,
"The deployment of such invasive spyware not only breaches digital privacy but also serves as a tool for physical coercion and control." [06:35]
The FBI's Internet Crime Complaint Center has issued an alert about the increasing use of generative AI tools in large-scale financial fraud schemes. These advanced tools enable fraudsters to execute more sophisticated and believable scams.
Notable Quote:
Rich advises listeners,
"As AI technologies evolve, so do the tactics of fraudsters. It's imperative to adopt simple yet effective verification methods to protect against these sophisticated scams." [07:55]
Conclusion
This episode of Cyber Security Headlines provides a comprehensive overview of the latest threats and developments in the cybersecurity landscape. From the intricate operations of cybercriminal groups to the proactive measures companies like AWS are taking against future threats, the discussion underscores the dynamic and evolving nature of cybersecurity challenges. Listeners are encouraged to stay informed and vigilant, implementing recommended security practices to safeguard their organizations and personal information.
For more in-depth stories and updates, visit CISOseries.com.