08-Aug-23: In Security News Today

LOLBAS in the Wild: 11 Living-Off-The-Land Binaries That Could Be Used for Malicious Purposes

Cybersecurity researchers have discovered 11 living-off-the-land binaries-and-scripts (LOLBAS) that could be used by threat actors for post-exploitation activities. These binaries and scripts, which are already part of the system, make it difficult for security teams to differentiate between legitimate and malicious activities. The Israeli cybersecurity company, Pentera, identified nine LOLBAS downloaders and three executors that enable adversaries to download and execute more robust malware on infected hosts.

Multiple Zero-Day Vulnerabilities Found in TETRA Industrial Communications Protocol

Researchers have discovered multiple zero-day vulnerabilities in the TETRA communications protocol used in industrial control systems. The vulnerabilities were found in a Motorola base station and system chip, which are required to run and decrypt the TETRA communications algorithm. The vulnerabilities could potentially expose sensitive information and allow attackers to extract encryption keys and decrypt communications flowing through the equipment.

The Dangers of Audio Recordings and Keystroke Recognition

Audio recordings can be easily made, either accidentally or intentionally, and can capture private conversations or sensitive information. Keystroke recognition techniques using sound recordings have improved, with a top-1 classification accuracy of 95% achieved on phone-recorded laptop keystrokes. To protect against these risks, it is recommended to learn touch-typing, mix character cases in passwords, use two-factor authentication, avoid typing passwords during meetings, and mute microphones when not speaking.

QakBot Malware Operators Expand C2 Network with 15 New Servers

The operators of the QakBot malware have recently set up 15 new command-and-control (C2) servers. The QakBot C2 network has a tiered architecture and communicates with upstream Tier 2 (T2) C2 nodes hosted on VPS providers in Russia. The number of existing C2s communicating with the T2 layer has significantly decreased, with only eight remaining, partly due to null-routing by Black Lotus Labs.

Dark Web Threat Actors Increasingly Targeting macOS, Says Accenture

Accenture’s Cyber Threat Intelligence unit has reported a tenfold increase in Dark Web threat actors targeting macOS since 2019. This rise in attacks on Macs is attributed to the growing economic incentive and the increased presence of Macs in the workforce. Macs in the enterprise are often more vulnerable due to the lack of the same security policies applied to Windows devices.

Hackers Abusing Cloudflare Tunnels for Covert Communications

Hackers are using Cloudflare Tunnels to establish covert communication channels and maintain persistent access on compromised hosts. Cloudflared, a command-line tool for Cloudflare Tunnel, allows threat actors to create secure connections between an origin web server and Cloudflare’s data center, hiding IP addresses and blocking DDoS attacks. Organizations are advised to implement logging mechanisms and block attempts to download the Cloudflared executable to detect and prevent unauthorized tunnels.

New Yashma Ransomware Variant Targets Multiple English-Speaking Countries

A new variant of the Yashma ransomware is being used by an unknown threat actor to target entities in English-speaking countries, Bulgaria, China, and Vietnam. The operation is attributed to an adversary of likely Vietnamese origin. The ransom note of this variant resembles the WannaCry ransomware, possibly confusing attribution efforts.

Downfall: Stealing Encryption Keys and Data from Intel Processors

Downfall is a newly discovered vulnerability that affects Intel Core processors from the 6th Skylake to the 11th Tiger Lake generation. It allows hackers to steal high-value credentials such as passwords and encryption keys, compromising the availability, integrity, and confidentiality of computers. The vulnerability has been present for at least nine years, and Intel is releasing a microcode update to mitigate the issue, although it may result in up to 50% overhead for some workloads.

RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale

RedHotel is a Chinese state-sponsored threat activity group that has been operating globally since 2021. The group targets various sectors including academia, aerospace, government, media, telecommunications, and research. RedHotel’s infrastructure points to administration in Chengdu, China, and its methods align with other contractor groups linked to China’s Ministry of State Security (MSS). The group’s activities include intelligence gathering, economic espionage, and targeting organizations involved in COVID-19 research and technology R&D.

Chinese Hackers Breach Japan’s Defense Networks, Prompting Concerns of Cybersecurity Vulnerabilities

Chinese military hackers breached Japan’s classified defense networks in 2020, gaining deep and persistent access to sensitive computer systems. The breach, one of the most damaging in Japan’s modern history, has raised concerns about cybersecurity vulnerabilities and the potential impact on intelligence-sharing between the US and Japan. The Japanese government has since taken steps to strengthen its networks, but the Chinese hackers remain a persistent threat.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.