News, Announcements, Tech Discussions
September 20, 2023 By Dennis Fisher
A previously unknown attack group has been targeting telecommunications providers in Middle Eastern countries with a custom backdoor that in some cases is disguised as a legitimate security application. The new threat group appears to have been operating for at least several years, and researchers with Cisco Talos have named the group ShroudedSnooper. The group uses at least two separate implants, known as HTTPSnoop and PipeSnoop, and likely gains initial access to its targets by compromising Internet-facing servers. Telcos have been a prime target for many APT groups for some time, as they can give attackers a key leverage point from which to steal sensitive information and gather intelligence on a wide range of organizations. In many countries telcos are government-operated entities, which makes them even more attractive targets.
Atos Unify product vulnerabilities could be exploited to cause disruption and reconfigure or backdoor the targeted system.
September 20, 2023 By Eduard Kovacs
Two vulnerabilities discovered earlier this year in Atos Unify products could allow malicious actors to cause disruption and even backdoor the targeted system. The flaws were found in the unified communications and collaboration solution by researchers at SEC Consult, an Austria-based cybersecurity consulting firm that is part of the Atos Group’s Eviden business. The vulnerabilities affect the Atos Unify Session Border Controller (SBC), which provides security for unified communications, the Unify OpenScape Branch product for remote offices, and Border Control Function (BCF), which is designed for emergency services.
September 20, 2023 By Pieter Arntz
The German police, in cooperation with the US Secret Service, have executed search warrants against suspected members of the DoppelPaymer ransomware group in Germany and Ukraine. In March of 2023, we reported how the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigation (FBI), apprehended two suspects and seized computer equipment. Since then, cybercrime group specialists from the North Rhine-Westphalia State Criminal Police Office (LKA NRW), together with the Cybercrime Central and Contact Point (ZAC NRW), carried out another targeted strike against people associated with the criminal network.
September 20, 2023 By Pierluigi Paganini
Finnish police announced the takedown of the dark web marketplace PIILOPUOTI, which focuses on the sale of illegal narcotics. Finnish Customs announced the seizure of the dark web marketplace Piilopuoti as part of an international law enforcement operation. The dark web marketplace PIILOPUOTI has been active since May 18, 2022.
“The site operated as a hidden service in the encrypted Tor network. The site has been used in anonymous criminal activities such as narcotics trade. As a rule, the narcotics sold on the site were smuggled to Finland from abroad,” reads the press release published by Finnish Customs. “During the preliminary investigation into the case, Finnish Customs has conducted extensive cooperation with German and Lithuanian authorities, as well as Europol, the European Union Agency for Criminal Justice Cooperation (Eurojust), authorities of other countries, and various police units in Finland.”
Following a cyberattack in early August, the threat actors behind the Ragnar Locker ransomware group have published a 1TB data trove belonging to Mayanei Hayeshua hospital in Israel. On their leak site, the threat actors confirmed they only stole data from the hospital and chose not to encrypt the impacted systems, as they did not want to disrupt any life-saving equipment or other medical instruments. It is believed that the stolen data includes health and prescription records, administrative documentation, and other sensitive information.
Cyberattack shuts down MGM Resorts
At the start of the week, MGM Resorts officials discovered a cybersecurity incident affecting some of their internal computer networks. After shutting down several of their systems to isolate the incident, they were forced to take many of their casino games offline and were unable to access customer-facing websites and their reservation systems. Further investigation has revealed that unidentified threat actors may hav
2023 was the LARGEST Black Hat yet! The crowds were very large at every keynote and in the expo hall. Compared to last year, we are definitely back and beating pre-Covid numbers. I’m just going to say that Artificial Intelligence was the buzzword of the conference, and you couldn’t attend a single briefing or visit a booth without hearing it. It’s definitely not going anywhere 🤖 Another long post coming, so get that scroll wheel ready 🤠 Weather was typical Vegas HOT at the Mandalay Bay (102F), but not as hot as it had been the week before we all arrived, which was a scorching 113F 🔥 Thankfully there was no flash flooding like last year.
REGISTRATION
I’m happy to report that Black Hat finally has registration down and can handle the massive crowds. Even if you don’t have the handy QR code, you can still get a speedy process with just your email. This is a welcome change from previous years and I no longer dread registration. THANK YOU! This looks almost identical to las
Wed 20 Sep 2023 // 13:29 UTC
Part of network of crims who used 'trickery and threats' to target elderly, says US Attorney
Two Indian nationals each received 41-month prison sentences for their involvement in $1.2 million worth of robocall scams targeting the elderly, according to the District of New Jersey’s attorney's office on Tuesday. Defendants Arushobike Mitra and Garbita Mitra (no relation, just coincidence) both previously pleaded guilty to one count of conspiracy to commit wire fraud before receiving their sentences in Newark federal court. In addition to time in the clink, they were ordered to pay $835,324 in restitution and undergo three years of supervised release. The duo were US residents and allegedly part of a larger network in which India-based call centers used automated robocalls to contact US residents. After establishing contact, criminal coworkers would trick victims into sending large sums of cash via physical shipments or wire transfers to members of the network. Som
Release Date: September 20, 2023
Alert Code: AA23-263A
Actions to take today to mitigate malicious cyber activity:
Secure and closely monitor Remote Desktop Protocol (RDP).
Maintain offline backups of data.
Enable and enforce phishing-resistant multifactor authentication (MFA).
SUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and
Released: Sep 18, 2023
Document ID: SB23-261
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
High: vulnerabilities with a CVSS base score of 7.0–10.0
Medium: vulnerabilities with a CVSS base score of 4.0–6.9
Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by o
September 19, 2023 By Christopher Boyd
A recently released report from New York University claims that the Metaverse, an all-in-one virtual online space, poses a potentially major risk to user privacy. This is because headsets and other similar devices can collect an incredible amount of personal, physical and biometric information. The user isn’t always aware of the collection, or of how it could be used in ways they don’t expect.
It’s worth asking at this point: what is the Metaverse? Most folks would think of Mark Zuckerberg and Meta, with a virtual reality headset thrown in for good measure. Others may associate it with “game hub” style online places to meet others, taking place on their computer screens only. For some, mobile devices making use of augmented or mixed reality will be their first association.
Trend Micro has patched CVE-2023-41179, an Apex One zero-day code execution vulnerability that has been exploited in attacks.
September 19, 2023 By Eduard Kovacs
Trend Micro on Tuesday released an advisory to warn customers that a critical vulnerability affecting Apex One and other endpoint security products has been exploited in the wild. The zero-day flaw, tracked as CVE-2023-41179, impacts Apex One, Apex One SaaS, and Worry-Free Business Security products. The vulnerability, related to the products’ ability to uninstall third-party security software, can be exploited for arbitrary code execution.
September 19, 2023 By Bill Toulas
New malware named HTTPSnoop and PipeSnoop is being used in cyberattacks on telecommunication service providers in the Middle East, allowing threat actors to remotely execute commands on infected devices. The HTTPSnoop malware interfaces with Windows HTTP kernel drivers and devices to execute content on the infected endpoint based on specific HTTP(S) URLs, and PipeSnoop accepts and executes arbitrary shellcode from a named pipe. According to a report by Cisco Talos, the two implants belong to the same intrusion set, named 'ShroudedSnooper', but serve different operational goals in terms of the level of infiltration. Both implants are masqueraded as security components of the Palo Alto Networks Cortex XDR product to evade detection.
Fake Cortex XDR information (Cisco)
The International Criminal Court was hit by what it called “anomalous activity” regarding its IT systems and said it was currently responding to this “cybersecurity incident.”
September 19, 2023 By AFP
The International Criminal Court said Tuesday it had been affected by what it called “anomalous activity” regarding its IT systems and that it was currently responding to this “cybersecurity incident.” The ICC, which among other things is investigating war crimes in Ukraine, declined to provide further details and said its priority was on ensuring it was able to continue its work.
“At the end of last week, the International Criminal Court’s services detected anomalous activity affecting its information systems,” the court said in a statement. “Immediate measures were adopted to respond to this cybersecurity incident and to mitigate its impact,” it said.
Pakistani threat group Transparent Tribe targets military and diplomatic personnel in India and Pakistan with romance-themed lures in the latest spyware campaign.
September 19, 2023 By Elizabeth Montalbano
A known Pakistan-linked threat actor is dangling romance-based content lures to spread Android-based spyware that mimics YouTube to hijack Android devices. In this way, threat actors gain almost total control over victims' mobile phones for cyber-espionage and surveillance activity. Researchers from SentinelLabs have identified three Android application packages (APKs) linked to CapraRAT (a remote access Trojan) from Transparent Tribe, they revealed in a blog post published Sept. 18. Two of the packages aim to trick users into downloading what they think is the legitimate YouTube app, and a third uses romance-based social engineering by reaching out to a YouTube channel belonging to a persona called "Piya Sharma," which includes uploads of several short clips of a woman in various lo
September 19, 2023 By Bill Toulas
GitLab has released security updates to address a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies. GitLab is a popular web-based open-source software project management and work tracking platform, offering a free and a commercial version. The flaw was assigned CVE-2023-4998 (CVSS v3.1 score: 9.6) and impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4. The issue was discovered by security researcher and bug hunter Johan Carlsson, and GitLab said it is a bypass of a medium-severity problem tracked as CVE-2023-3932 that was fixed in August.
September 18, 2023 By Brian Krebs
The victim shaming website operated by the cybercriminals behind 8Base, currently one of the more active ransomware groups, was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of the website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.
The 8Base ransomware group’s victim shaming website on the darknet.
8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies, all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published. The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fin