Welcome to CyberIntelMag’s weekly roundup! A place where you can find the most important stories in the cybersecurity world from the past week.
From the good news:
This week, we’ve learned about a leak of Conti’s internal documents and tools, a new initiative from CISA, a free decryptor for the Prometheus ransomware, and more.
- UK National Cyber Security Centre recommended using three-word passwords instead of complex variations of letters, numbers, and symbols – the current standard – because they are more secure and easier to remember. Its research showed that complex one-word passwords can often be guessed by criminals using specialist software.
- An unhappy Conti affiliate has leaked the ransomware group’s internal tools and materials. Among the leaked information, there were IP addresses for Cobalt Strike C2 servers and an archive containing various tools and training materials.
- CISA joined forces with Google, Microsoft, Amazon, Verizon, and AT&T to launch a new initiative, the Joint Cyber Defense Collaborative (JCDC), a collaborative effort between US public and private sectors to better protect critical infrastructure against cyberattacks such as ransomware and cloud threats.
- Google has unveiled a set of standard interfaces called Google Identity Services to let developers integrate Google’s One Tap for faster user sign-ups and sign-in, and make it easier for businesses to onboard new users.
- The US NSA has released its first hardening guidance for organizations relying on Kubernetes to help organizations protect their infrastructure from unauthorized access and exploitation.
- A Taiwanese cybersecurity company has issued a free decryptor to help victims of the Prometheus ransomware gang to recover and decrypt their files. The decryptor is available on GitHub.
- The UK National Centre of Excellence has awarded grants to several universities to study and improve the security surrounding the Internet of Things and smart home devices as part of the PrivIoT project.
- Researchers have found they can register fake beacons and send fake tasks to attacker-controlled Cobalt Strike servers to cause a denial of service (DoS) and neutralize them. This also makes it possible to block attackers’ beacon command-and-control (C2) communication channels and new deployments.
From the bad news:
This week has brought new details about the SolarWinds attacks, the new malware Webdav-O, GhostEmperor, and DeadRinger, a new type of social engineering malware, and other important stories you can’t miss.
- Researchers discovered a new type of attack against databases that can lead to information theft and data loss. The attack is called DBREACH (Database Reconnaissance and Exfiltration via Adaptive Compression Heuristics), and belongs to a class of vulnerabilities known as side-channel attacks.
- The US DoJ revealed that the SolarWinds attackers gained much broader access to its Microsoft Office 365 (O365) email systems than previously known. It said the APT group gained access to the O365 email accounts of at least 80% of employees in some districts.
- A hacker attack hit a portal for COVID-19 vaccinations in Italy’s Lazio province. The attack blocked almost all the files in the data center and caused delays in vaccinations.
- Chinese APTs collectively called DeadRinger were observed targeting major telecommunications companies and are believed to be working in the interests of the Chinese state.
- Microsoft warned Office 365 users about phishing emails with spoofed addresses that are particularly tricky. The active campaign tricks users into clicking on a link and entering their credentials.
- The hackers who attacked Electronic Arts last month have dumped the source code of the latest version of the FIFA 21 soccer game and some tools on a hacker forum after they could not extort the company nor sell the data.
- Group-IB published research into malware known as Webdav-O which was used by Chinese hackers to carry out a series of targeted attacks against Russian authorities in 2020 and cited similarities between Webdav-O and Albaniiutas and a Trojan called BlueTraveller.
- Researchers discovered a new type of social engineering malware that automates credential theft by secretly extracting one-time passwords (OTPs) for services and bank accounts from Telegram users. Any novice cybercriminal can get into social engineering attacks by renting the tool.
- Kaspersky detailed a new Chinese-speaking threat actor GhostEmperor that’s targeting Microsoft Exchange flaws. The actor is focusing on high-profile victims.
- A new threat actor with suspected ties to China carried out a series of attacks between January and July 2021 that targeted various countries, including Russia, Belarus, China, and the U.S.
- A Linux encryptor was found that targets VMware’s ESXi virtual machine platform and is believed to belong to the BlackMatter gang.
- The RansomEXX ransomware operation has hit Taiwanese motherboard maker Gigabyte and threatened to publish 112 GB of stolen data unless a ransom is paid.