Transcript
Rich Stroffolino (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Thursday, November 14, 2024. I'm Rich Stroffolino.

Volt Typhoon rebuilding botnet

In early 2024, the US government announced it had disrupted the botnet used by Volt Typhoon, a threat actor with suspected links to the Chinese government. This botnet largely used unpatched Cisco, Fortinet and Netgear devices. We're now seeing signs that the group is building a new botnet. Researchers at SecurityScorecard saw a cluster tied to the group covertly routing traffic, largely made up of compromised Netgear ProSafe, MikroTik and Cisco RV320 devices. This appears to be using the same core infrastructure and techniques previously seen from Volt Typhoon.

Chinese group targets Tibetan media

Researchers at the Insikt Group tracked a cyber espionage campaign by the China-linked group TAG-112. This saw the group use Cobalt Strike to compromise the websites of the Tibet Post and Gyudmed Tantric University, likely through their Joomla CMS. Researchers say TAG-112 may be a subgroup of the China-linked threat actor Evasive Panda, as it shows similar tactics, although it lacks the sophistication to drop custom malware. Evasive Panda has also compromised the Tibet Post in previous attacks.

DoD leaker sentenced

The US Attorney for Massachusetts announced it sentenced former Massachusetts Air National Guardsman Jack Teixeira to 15 years in prison for stealing and leaking classified information. Court documents show Teixeira shared classified documents on Discord sometime in 2022, including troop movements and information on equipment provided to Ukraine. The leaks were discovered in March 2023. Teixeira pleaded guilty to six counts related to that leak in March 2024 as part of a plea deal.

ShrinkLocker decryptor released

The cybersecurity firm Bitdefender released the decryptor to help victims recover quickly from attacks. Researchers at Kaspersky first documented details on ShrinkLocker in May 2024. The ransomware is written in VBScript and uses Windows' native BitLocker utility to encrypt files, primarily targeting Indonesia, Jordan and Mexico. The researchers noted that ShrinkLocker uses Group Policy Objects and scheduled tasks to encrypt multiple systems within a network, in as little as 10 minutes per device. The researchers recommend proactive monitoring of specific Windows event logs and configuring BitLocker to store recovery information in Active Directory Domain Services as ways to reduce the risk of similar BitLocker-based attacks.

And now, thanks to today's episode sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive, default-deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operations are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. That's T-H-R-E-A-T-L-O-C-K-E-R dot com.

Hamas-affiliated group targets the Middle East

Researchers at Check Point documented activity by the APT WIRTE, a group believed to be part of the Gaza Cybergang and active since August 2018. It's operating phishing campaigns against Israeli organizations and has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia and Egypt. These phishing attacks use a new version of the SameCoin wiper, which adds the ability to encrypt data on systems as well as overwriting files with random bytes. It also overwrites the system's background to display the name of the military wing of Hamas. The researchers say the group continues to iterate with multiple campaigns that show a versatile infiltration and malware toolkit.

Amazon leaker claims to be an ethical hacker

Last week, 2.8 million lines of Amazon employee data were posted on a dark web forum by someone under the moniker Nameless. They claimed to have obtained information on dozens of companies through the MOVEit file transfer exploitation. Researchers at Hudson Rock verified this data, including organizations like Lenovo, Delta, HSBC and Charles Schwab. This includes names, organizational roles, contact information and department assignments, so things that would primarily be used for social engineering. Nameless claimed they took this action as an ethical hacker, not obtaining the data with fake credentials and only scraping what was publicly available. They said they published the data to raise awareness of the need to encrypt PII at these organizations and not to hide behind blaming third parties for leaked data. They also told researchers that more data would be revealed in the coming days.

Sheboygan hit up for a ransom

The Wisconsin city has been experiencing network outages since late October. Over the weekend, it confirmed that this was caused by a threat actor gaining unauthorized access to the city's network. Officials also confirmed that the city received a ransom demand, saying, "We are cooperating fully with law enforcement and incorporating their guidance into our response." Local news outlets report emergency services are seeing limited interruptions, but that all cloud-based services are up and working for city employees. No group has taken credit for the attack, and city officials have been tight-lipped with details.

End-of-life D-Link NAS devices under attack

Researchers at Netsecfish discovered a command injection vulnerability on D-Link NAS devices that allows an unauthorized attacker to use GET requests to inject shell commands. This flaw has been under active exploitation since November 8. However, the impacted models, DNS-320, DNS-325 and DNS-340L, are now end of life, and D-Link said it has no plans to release a patch. Researchers found over 41,000 unique IP addresses for vulnerable devices online. D-Link advises customers to replace the devices or, at the very least, restrict them from open Internet access.

What is success and failure for a cybersecurity startup?

The failure of a cybersecurity startup often looks like success from the outside, with most better off selling early. So why don't the typical startup rules apply in cybersecurity? And why are most traditional unicorns so rare? We try to answer that question in this week's episode of Defense in Depth. Look for the episode at cisoseries.com or in your favorite podcast app.

Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
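The two ShrinkLocker mitigations mentioned above (escrowing BitLocker recovery information to AD DS and watching the BitLocker event log) as an added PowerShell example; this is not code from the episode, Kaspersky or Bitdefender. It assumes a domain-joined Windows host with the BitLocker module and a Group Policy that permits AD DS backup, and the event IDs listed are an assumption to verify against your Windows build.

```powershell
# Added example: escrow BitLocker recovery passwords to AD DS and review
# recent BitLocker management events. Assumes a domain-joined host with the
# BitLocker PowerShell module and a GPO allowing AD DS recovery backup.
#Requires -RunAsAdministrator

# 1. Escrow every RecoveryPassword protector to Active Directory.
foreach ($vol in Get-BitLockerVolume) {
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        # A volume with no recovery password cannot be recovered from AD DS
        # if an unauthorized party encrypts it, so flag it for follow-up.
        Write-Warning "$($vol.MountPoint): no RecoveryPassword protector present"
        continue
    }
    foreach ($p in $rp) {
        # Writes the recovery information to this computer's object in AD DS.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                     -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Output "$($vol.MountPoint): escrowed protector $($p.KeyProtectorId) to AD DS"
    }
}

# 2. Review BitLocker management events from the last 24 hours.
# Event IDs are an assumption to verify on your build:
#   768     = volume encryption started
#   775/776 = key protector created / removed
#   845/846 = AD DS recovery backup succeeded / failed
$ids   = 768, 775, 776, 845, 846
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Run it on a scheduled basis and forward the event query to your SIEM; an encryption-started event on a host with no prior change ticket is the signal the researchers' recommendation is meant to surface.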
