Cyber Act

Cyber Act A platform based upon daily news updates and tutorials related to hacking and cyber security. All so

26/11/2025

14/01/2025

🔍 Did you know China is responsible for more cyber data theft than the rest of the world combined?

🔥 The FBI sounds the alarm, but is the world prepared for the next digital assault?
📢 Stay updated on the biggest threats in cybersecurity!

Source: AP News

31/12/2022

Tis the season for security and IT teams to send out that company-wide email: "No, our CEO does NOT want you to buy gift cards."

As much of the workforce signs off for the holidays, hackers are stepping up their game. We'll no doubt see an increase in activity as hackers continue to unleash e-commerce scams and holiday-themed phishing attacks. Hackers love to use these tactics to trick end users into compromising not only their personal data but also their organization's data.

But that doesn't mean you should spend the next couple of weeks in a constant state of anxiety.

Instead, use this moment as an opportunity to ensure that your incident response (IR) plan is rock solid.

Where to start?

First, make sure that your strategy follows the six steps to complete incident response.

Here's a refresher:

The 6 steps of a complete IR
1. Preparation: This is the first phase and involves reviewing existing security measures and policies; performing risk assessments to find potential vulnerabilities; and establishing a communication plan that lays out protocols and alerts staff to potential security risks. During the holidays, the preparation stage of your IR plan is crucial, as it gives you the opportunity to communicate holiday-specific threats and put the wheels in motion to address such threats as they are identified.
2. Identification: The identification stage is when an incident has been identified, either one that has already occurred or one that is currently in progress. This can happen in a number of ways: by an in-house team, a third-party consultant or managed service provider, or, in the worst case, because the incident has resulted in a data breach or infiltration of your network. Because so many holiday cybersecurity hacks involve end-user credentials, it is worth dialing up the safety mechanisms that monitor how your networks are being accessed.
3. Containment: The goal of the containment stage is to minimize the damage done by a security incident. This step varies depending on the incident and can include protocols such as isolating a device, disabling email accounts, or disconnecting vulnerable systems from the main network. Because containment actions often have severe business implications, it is imperative that both short-term and long-term decisions are determined ahead of time so there is no last-minute scrambling to address the security issue.
4. Eradication: Once you've contained the security incident, the next step is to make sure the threat has been completely removed. This may also involve investigative measures to find out who, what, when, where and why the incident occurred. Eradication may involve disk cleaning procedures, restoring systems to a clean backup version, or full disk reimaging. The eradication stage may also include deleting malicious files, modifying registry keys, and possibly re-installing operating systems.
5. Recovery: The recovery stage is the light at the end of the tunnel, allowing your organization to return to business as usual. As with containment, recovery protocols are best established beforehand so that appropriate measures are taken to ensure systems are safe.
6. Lessons learned: During the lessons learned phase, you will need to document what happened and note how your IR strategy worked at each step. This is a key time to consider details like how long it took to detect and contain the incident. Were there any signs of lingering malware or compromised systems post-eradication? Was it a scam connected to a holiday hacker scheme? And if so, what can you do to prevent it next year?
How lean security teams can stress less this holiday season
Incorporating best practices into your IR strategy is one thing. But building and then implementing these best practices is easier said than done when you don't have the time or resources.

Leaders of smaller security teams face additional challenges triggered by this lack of resources. Bare-bones budgets, compounded by not having enough staff to manage security operations, are leaving many lean security teams feeling resigned to the idea that they will not be able to keep their organization safe from the onslaught of attacks we often see during the holiday season.

Fortunately, there are free resources for security teams in this exact predicament.

You can find everything from templates for reporting on an incident to webinars that do deep dives into IR strategy, along with intel on the most recent cybersecurity threats within Cynet's Incident Response hub. And to further help lean security teams should an incident occur, they are offering a free Accelerated Incident Response service.

If you want to check out these free resources, visit the Accelerated Incident Response hub here.

May your security team hold down the fort these next two weeks while enjoying the holidays anxiety free.

31/12/2022

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and December 1st, 2022.

Manjusaka
Date published: August 2022
Reminiscent of Cobalt Strike and the Sliver framework (both commercially produced and designed for red teams but misappropriated and misused by threat actors), this emerging attack framework holds the potential to be widely used by malicious actors. Written in Rust and Golang with a user interface in Simplified Chinese (see the workflow diagram below), this software is of Chinese origin.

Manjusaka carries Windows and Linux implants in Rust and makes a ready-made C2 server freely available, with the possibility of creating custom implants.

Geopolitical context
Manjusaka was designed for criminal use from the get-go, and 2023 could be defined by increased criminal usage of it: because it is freely distributed, it would reduce criminals' reliance on the misuse of commercially available simulation and emulation frameworks such as Cobalt Strike, Sliver, Ninja, Brute Ratel C4, etc.

At the time of writing, there was no indication that the creators of Manjusaka are state-sponsored but, as clearly indicated below, China has not been resting this year.

PowerLess Backdoor
Date published: February 2022
PowerLess Backdoor is the most popular of this year's Iran-related threats and is designed to avoid PowerShell detection. Its capabilities include downloading a browser info stealer and a keylogger, encrypting and decrypting data, executing arbitrary commands, and activating a kill process.

Geopolitical context
The number of immediate threats attributed to Iran has jumped from 8 to 17, more than double the figure for the same period in 2021. However, activity has slowed considerably since the September 14th U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctions against Iranian cyber actors, trickling down to a single attack imputed to Iran since then.

The current political tensions within Iran will no doubt impact the frequency of attacks in 2023, but at this stage, it is difficult to evaluate whether those will increase or decrease.

APT41 targeting U.S. State Governments
Date published: March 2022
Already flagged as very active in 2021, APT41 is a Chinese state-sponsored attacker group whose activity showed no sign of slowing down in 2022; investigations into APT41 activity uncovered evidence of a deliberate campaign targeting U.S. state governments.

APT41 uses reconnaissance tools such as Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r. It also launches a large array of attack types, such as phishing, watering hole, and supply-chain attacks, and exploits various vulnerabilities to initially compromise its victims. More recently, the group has been seen using the publicly available tool SQLmap as the initial attack vector to perform SQL injections on websites.

This November, a new subgroup, Earth Longhi, joined the already long list of monikers associated with APT41 (BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon). Earth Longhi was spotted targeting multiple sectors across Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

Geopolitical context
According to the Microsoft Digital Defense Report 2022, "Many of the attacks coming from China are powered by its ability to find and compile 'zero-day vulnerabilities' – unique unpatched holes in software not previously known to the security community. China's collection of these vulnerabilities appears to have increased on the heels of a new law requiring entities in China to report vulnerabilities they discover to the government before sharing them with others."

LolZarus Phishing Attack on DoD Industry
Date published: February 2022
Dubbed LolZarus, a phishing campaign attempted to lure U.S. defense sector job applicants. This campaign was initially identified by Qualys Threat Research, which attributed it to the North Korean threat actor Lazarus (AKA Dark Seoul, Labyrinth Chollima, Stardust Chollima, BlueNoroff, and APT38). Affiliated with North Korea's Reconnaissance General Bureau, this group is both politically and financially motivated and is best known for the high-profile attack on Sony in 2016 and the WannaCry ransomware attack in 2017.

The LolZarus phishing campaign relied on at least two malicious documents, Lockheed_Martin_JobOpportunities.docx and salary_Lockheed_Martin_job_opportunities_confidential.doc, whose macros used aliases to rename the APIs they called and relied on the ActiveX Frame1_Layout event to automate execution of the attack. The macro then loaded WMVCORE.DLL, a Windows Media DLL, to help deliver the second-stage shellcode payload aimed at hijacking control and connecting with the command-and-control server.

Geopolitical context
Two other notorious North Korean activities flagged by CISA this year are the use of Maui ransomware and cryptocurrency theft. The Lazarus subgroup BlueNoroff seems to have branched out from its cryptocurrency specialization this year to also target cryptocurrency-connected SWIFT servers and banks. Cymulate has associated seven immediate threats with Lazarus since January 1st, 2022.

Industroyer2
Date published: April 2022
Ukraine's high-alert state, due to the conflict with Russia, demonstrated its efficacy when an attempted cyber-physical attack targeting high-voltage electric substations was thwarted. That attack was dubbed Industroyer2 after the 2016 Industroyer cyberattack, which apparently targeted Ukrainian power stations and was only minimally successful, cutting the power in part of Kyiv for about one hour.

The level of customized targeting in Industroyer2 extended to executables that carried statically specified sets of parameters unique to specific substations.

Geopolitical context
Ukraine's cyber-resilience in protecting its critical facilities is unfortunately powerless against kinetic attacks, and Russia appears to have now opted for more traditional military means to destroy power stations and other civilian facilities. According to ENISA, a side effect of the Ukraine-Russia conflict is a recrudescence of cyber threats against governments, companies, and essential sectors such as energy, transport, banking, and digital infrastructure in general.

In conclusion, of the five most concerning threats this year, four have been directly linked with state-sponsored threat actors and the threat actors behind the fifth are unknown, so it appears that geopolitical tensions are at the root of the most burning threat concerns for cybersecurity teams.

As state-sponsored attackers typically have access to cyber resources unattainable by most companies, pre-emptive defense against complex attacks should concentrate on security validation and continuous processes focused on identifying and closing in-context security gaps.

Note: This article was written and contributed by David Klein, Cyber Evangelist at Cymulate.

30/12/2022

A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices.

The flaws "allowed an attacker within wireless proximity to install a 'backdoor' account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim's LAN," the researcher, who goes by the name Matt, disclosed in a technical write-up published this week.

The problem, in a nutshell, has to do with how the Google Home software architecture can be leveraged to add a rogue Google user account to a target's home automation device.

Taking things a notch higher, it also emerged that, by staging a Wi-Fi deauthentication attack to force a Google Home device to disconnect from the network, the appliance can be made to enter a "setup mode" and create its own open Wi-Fi network.

Regardless of the attack sequence employed, a successful link process enables the adversary to take advantage of Google Home routines to turn down the volume to zero and call a specific phone number at any given point in time to spy on the victim through the device's microphone.

"The only thing the victim may notice is that the device's LEDs turn solid blue, but they'd probably just assume it's updating the firmware or something," Matt said. "During a call, the LEDs do not pulse like they normally do when the device is listening, so there is no indication that the microphone is open."

Furthermore, the attack can be extended to make arbitrary HTTP requests within the victim's network and even read files or introduce malicious modifications on the linked device that would get applied after a reboot.

This is not the first time such attack methods have been devised to covertly snoop on potential targets through voice-activated devices.

30/12/2022

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two long-standing security flaws impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.

TIBCO JasperReports is a Java-based reporting and data analytics platform for creating, distributing, and managing reports and dashboards.

The first of the two issues, CVE-2018-5430, relates to an information disclosure bug in the server component that could enable an authenticated user to gain read-only access to arbitrary files, including key configurations.

"The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server," TIBCO noted at the time. "Those credentials could then be used to affect external systems accessed by the JasperReports Server."

CVE-2018-18809, on the other hand, is a directory traversal vulnerability in the JasperReports Library that could permit web server users to access sensitive files on the host, potentially making it possible for an attacker to steal credentials and break into other systems.

CISA did not disclose any additional specifics about how the vulnerabilities are being weaponized in real-world attacks. Federal agencies in the U.S. are required to patch their systems by January 19, 2023.

29/12/2022

Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months.

The issues in question are CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8), which were addressed by the virtualization services provider on November 8 and December 13, 2022, respectively.

While CVE-2022-27510 relates to an authentication bypass that could be exploited to gain unauthorized access to Gateway user capabilities, CVE-2022-27518 concerns a remote code execution bug that could enable the takeover of affected systems.

Citrix and the U.S. National Security Agency (NSA), earlier this month, warned that CVE-2022-27518 is being actively exploited in the wild by threat actors, including the China-linked APT5 state-sponsored group.

Now, according to a new analysis from NCC Group's Fox-IT research team, thousands of internet-facing Citrix servers are still unpatched, making them an attractive target for hacking crews.

This includes over 3,500 Citrix ADC and Gateway servers running version 12.1-65.21 that are susceptible to CVE-2022-27518, as well as more than 500 servers running 12.1-63.22 that are vulnerable to both flaws.

A majority of the servers, amounting to no less than 5,000, are running 13.0-88.14, a version that's immune to CVE-2022-27510 and CVE-2022-27518.

A country-wise breakdown shows that more than 40% of servers located in Denmark, the Netherlands, Austria, Germany, France, Singapore, Australia, the U.K., and the U.S. have been updated, with China faring the worst, where only 20% of nearly 550 servers have been patched.

Fox-IT said it was able to deduce the version information from an MD5-like hash value present in the HTTP response of the login URL (i.e., "ns_gui/vpn/index.html") by mapping each hash to its respective version.

29/12/2022

Decentralized multi-chain crypto wallet BitKeep on Wednesday confirmed a cyberattack that allowed threat actors to distribute fraudulent versions of its Android app with the goal of stealing users' digital currencies.

"With maliciously implanted code, the altered APK led to the leak of user's private keys and enabled the hacker to move funds," BitKeep CEO Kevin Como said, describing it as a "large-scale hacking incident."

According to blockchain security company PeckShield and multi-chain blockchain explorer OKLink, an estimated $9.9 million worth of assets have been plundered so far.

"Funds stolen are on BNB Chain, Ethereum, TRON and Polygon," BitKeep further noted in a series of tweets. "More than 200 addresses on the other three chains were used in the heist, and all funds were transferred to 2 main addresses in the end."

The incident is said to have taken place on December 26, 2022, with the threat actor exploiting and hijacking version 7.2.9 of the Android app package (.APK) file hosted on its website to distribute the trojanized variant.

That said, the digital break-in doesn't impact BitKeep apps downloaded via Google Play, Apple App Store, or the Google Chrome Web Store.

As many as five different counterfeit versions of the Android app with the following package names have been identified, suggesting that the apps were potentially distributed through phishing websites. The legitimate package name is "com.bitkeep.wallet."

com.bitkeep.app
com.bitkeep.w4
com.bitkeep.w5
com.bitkeep.wallet5
io.bitkeep.wallet
The Singapore-headquartered company, which was founded in 2018, said it has traced the wallet address used to carry out the theft and that some of the siphoned digital assets have been frozen.

Users who have downloaded the APK file for version 7.2.9 are advised to install the latest version (7.3.0) released today and transfer the funds to a newly generated wallet address.

This is not the first time BitKeep has been breached. On October 18, 2022, it disclosed another security incident targeting its BitKeep Swap service that led to losses of about $1 million.

28/12/2022

Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months.

Now according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.

Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code.

These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background.

To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files attached to email messages, effectively severing a crucial attack vector.

While this blockade only applies to new versions of Access, Excel, PowerPoint, Visio, and Word, bad actors have been experimenting with alternative infection routes to deploy malware.

One such method turns out to be XLL files, which Microsoft describes as a "type of dynamic link library (DLL) file that can only be opened by Excel."

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Cisco Talos researcher Vanja Svajcer said in an analysis published last week.

The cybersecurity firm said threat actors are employing a mix of native add-ins written in C++ as well as those developed using a free tool called Excel-DNA, a phenomenon that has witnessed a significant spike since mid-2021 and has continued into this year.

That said, the first publicly documented malicious use of XLL is said to have occurred in 2017 when the China-linked APT10 (aka Stone Panda) actor utilized the technique to inject its backdoor payload into memory via process hollowing.

Other known adversarial collectives include TA410 (an actor with links to APT10), DoNot Team, FIN7, as well as commodity malware families such as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer, and Warzone RAT.

The abuse of the XLL file format to distribute Agent Tesla and Dridex was previously highlighted by Palo Alto Networks Unit 42, noting that it "may indicate a new trend in the threat landscape."

"As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications," Svajcer said.

Malicious Microsoft Publisher macros push Ekipa RAT
Ekipa RAT, besides incorporating XLL Excel add-ins, has also received an update in November 2022 that allows it to take advantage of Microsoft Publisher macros to drop the remote access trojan and steal sensitive information.

"Just as with other Microsoft office products, like Excel or Word, Publisher files can contain macros that will execute upon the opening or closing [of] the file, which makes them interesting initial attack vectors from the threat actor's point of view," Trustwave noted.

It's worth noting that Microsoft's restrictions impeding macros from executing in files downloaded from the internet do not extend to Publisher files, making them a potential avenue for attacks.

"The Ekipa RAT is a great example of how threat actors are continuously changing their techniques to stay ahead of the defenders," Trustwave researcher Wojciech Cieslak said. "The creators of this malware are tracking changes in the security industry, like blocking macros from the internet by Microsoft, and shifting their tactics accordingly."

28/12/2022

BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web (MotW) protections.

This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.

"BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.

Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region.

It's worth pointing out that although MotW bypasses have been documented in the wild before, this is the first time they have been incorporated by BlueNoroff in its intrusions against the financial sector.

Also called by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is part of the larger Lazarus threat group that also comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The threat actor's financial motivation, as opposed to espionage, has made it an unusual nation-state actor in the threat landscape, allowing for a "wider geographic spread" and enabling it to infiltrate organizations across North and South America, Europe, Africa, and Asia.

It has since been associated with high-profile cyber assaults aimed at the SWIFT banking network between 2015 and 2016, including the audacious Bangladesh Bank heist in February 2016 that led to the theft of $81 million.

Since at least 2018, BlueNoroff appears to have undergone a tactical shift, moving away from striking banks to solely focusing on cryptocurrency entities to generate illicit revenues.

To that end, Kaspersky earlier this year disclosed details of a campaign dubbed SnatchCrypto orchestrated by the adversarial collective to drain digital funds from victims' cryptocurrency wallets.

Another key activity attributed to the group is AppleJeus, in which fake cryptocurrency companies are set up to lure unwitting victims into installing benign-looking applications that eventually receive backdoored updates.

The latest activity identified by the Russian cybersecurity company introduces slight modifications to convey its final payload, swapping Microsoft Word document attachments for ISO files in spear-phishing emails to trigger the infection.

These optical image files, in turn, contain a Microsoft PowerPoint slide show (.PPSX) and a Visual Basic Script (VBScript) that's executed when the target clicks a link in the PowerPoint file.

Image Source: SEKOIA
In an alternate method, a malware-laced Windows batch file is launched by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that's used to fetch and execute a remote payload.

Also uncovered by Kaspersky is a .VHD sample that comes with a decoy job description PDF file that's weaponized to spawn an intermediate downloader that masquerades as antivirus software to fetch the next-stage payload, but not before disabling genuine EDR solutions by removing user-mode hooks.

While the exact implant delivered is not clear, it's assessed to be similar to a persistence backdoor utilized in the SnatchCrypto attacks.

The use of Japanese file names for one of the lure documents as well as the creation of fraudulent domains disguised as legitimate Japanese venture capital companies suggests that financial firms in the island country are likely a target of BlueNoroff.

Cyber warfare has been a major focus of North Korea in response to economic sanctions imposed by a number of countries and the United Nations over concerns about its nuclear programs. It has also emerged as a major source of income for the cash-strapped country.

Indeed, according to South Korea's National Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion in cryptocurrency and other digital assets from targets around the world over the last five years.

"This group has a strong financial motivation and actually succeeds in making profits from their cyberattacks," Park said. "This also suggests that attacks by this group are unlikely to decrease in the near future."

Note: The story has been revised to make it clear that the use of MotW bypass marks the first time such a method of malware delivery has been embraced by BlueNoroff.

Address

Lahore
