CyberIntelMag's Threat report

Weekly Cyber Threat Report, August 16-August 20

From the good news:

This week, we’ve learned about new patches for notorious vulnerabilities, new cybersecurity measures in Australia, a failure of a Black Kingdom ransomware actor, and more.

  • The Australian Federal Police plans to upgrade its Law Enforcement Monitoring Facility enhancement program and add a new telecommunication interception and surveillance device monitoring and collection platform. It will combine data and metadata from sources such as surveillance devices and open-source intelligence with telecommunication interception products to “provide a more complete picture for intelligence and investigation teams.”
  • A new unofficial patch for the Windows PetitPotam NTLM relay attack has been issued that fixes issues not addressed by Microsoft. The NTLM relay method allows the attacker to assume the identity of the domain controller and take over the Windows domain.
  • Fortinet reported it would release a patch for the OS command-injection bug in FortiWeb’s web application firewall this week. The company initially announced the fix would be coming at the end of August.
  • A Nigerian threat actor recruiting insiders for the deployment of Black Kingdom ransomware has mistakenly revealed his identity and turned out to be the CEO of a Lagos-based social networking startup, Sociogram.
  • CISA released guidance for organizations, which includes best practices for mitigating the risk of ransomware attacks and data exfiltration.

From the bad news:

This week has brought news about three novel attack vectors, breaches at T-Mobile and AT&T, a data leak from the Lukashenko regime, new ransomware attacks, and other important stories you can’t miss.

  • Researchers have demonstrated a novel type of adversarial attack that can tamper with the ability of machine learning systems to correctly interpret what they see. For example, an attacker can interfere with a self-driving car’s ability to see mission-critical items such as road signs. The OPtical ADversarial attack (OPAD) uses structured illumination to alter the appearance of target objects as perceived by learning systems, and requires only a commodity projector, a camera, and a computer.
  • A social housing group in the US that manages the ForHousing and Liberty companies, which maintain homes across the North West, fell victim to a ransomware attack. The organizations confirmed that no tenant or staff data was accessed, but a ‘small amount’ of data was compromised.
  • A LinkedIn feature allows anyone to create a job listing on the platform for any employer without being affiliated with the company. Attackers can abuse it to post bogus listings for malicious purposes.
  • A forum user was selling the details of 30 million T-Mobile customers. T-Mobile confirmed that attackers had stolen various files containing the data of millions of customers. The same hacker is now selling 70 million records of AT&T customers; AT&T denies it was breached.
  • The Cyber Partisans hacktivist group breached the systems of the Belarusian government and police and stole secret phone calls from supporters and opponents of the Lukashenko regime, the passport database, the police database, and more, which will likely provide discrediting information about the regime.
  • The Mozi IoT botnet has gained new capabilities that enable it to persist in operation and target Netgear, Huawei, and ZTE network gateways.
  • The number of CAPTCHA-protected malicious URLs has sharply increased recently. Attackers use CAPTCHAs to hide malware, since security tools can’t scan content behind them. In one campaign, attackers used a CAPTCHA to trick users into downloading the Gozi banking trojan.
  • Researchers demonstrated a novel spy technique that can be used to eavesdrop on conversations taking place in another room or even another building by reading the power fluctuations of a speaker’s LED indicator and deciphering them into human speech.
  • WiFi modules from at least 65 vendors are affected by severe flaws in three software development kits (SDKs) that allow unauthenticated attackers to fully compromise a target device.
  • A critical flaw affects millions of video and surveillance products globally that are connected to the Kalay IoT platform. Attackers can gain access to the live video and audio streams and take over the device.
  • FluBot operators started to display new overlay screens that target banks in Germany and Poland, only days after the news that FluBot had begun to target Australian banks.
  • A new HolesWarm cryptominer campaign has broken into over 1,000 cloud hosts since June by exploiting various known security weaknesses in unpatched Windows and Linux servers.
  • The US Census Bureau revealed its systems were compromised on January 11, 2020, due to an unpatched vulnerability in the Citrix ADC servers.
  • Liquid, a cryptocurrency exchange based in Japan, was hacked out of around $94 million worth of digital assets. “We are currently tracing the movement of the assets and working with other exchanges to freeze and recover funds,” it said.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, composed of leading industry experts with over 20 years of experience, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for the knowledge and insight needed to navigate today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.