13-Jul-23: In Security News Today

GitHub User Dupes Security Researchers with Malicious Linux PoCs

A GitHub user tricked security researchers by publishing malicious proofs-of-concept (PoCs) containing Linux backdoors. Researchers from Uptycs revealed that the user, now deactivated, had copied genuine PoCs for known vulnerabilities and republished them with concealed Linux infostealing malware; these fraudulent PoCs had been forked multiple times. The incident underscores that cybersecurity professionals must exercise the same caution and preparedness they advocate for, running untrusted PoCs only in secure environments, since PoC poisoning is not expected to stop.

The Implications of the EU AI Act on Businesses and Cybersecurity

The draft AI Act by the European Union, which governs artificial intelligence (AI) technology, is set to impact businesses and cybersecurity globally. While the regulation may foster more robust, ethical, and secure AI applications, it could also potentially slow down innovation and make the EU less attractive to AI startups. Moreover, it will necessitate stringent data management, including transparency in AI decision-making, behavior documentation, and possibly external testing to address issues like bias, which will likely push companies to establish cohesive data and AI/ML operational practices.

Personalized Lures: The New Strategy of SolarWinds Attackers

The Russia-backed group known as Cloaked Ursa or Nobelium, infamously linked to the SolarWinds attack, has been targeting foreign diplomats in Ukraine using personal rather than traditional political lures to entice victims into clicking malicious links. The group created a fake flyer advertising a used BMW sedan for sale, which contained a malicious link that silently executes malware while displaying an image on the victim’s screen. This novel strategy is a significant pivot from job-related subject matter, aiming to increase the campaign’s success factor by extending its reach within the organization and diplomatic community.

Rockwell Automation PLCs Under Threat: Critical RCE Bug Exposes Industrial Infrastructure

Two serious vulnerabilities have been identified in the communication modules of Rockwell Automation’s industrial programmable logic controllers (PLCs), posing significant threats to critical infrastructure and industrial environments. The first, a critical bug (CVE-2023-3595) with a CVSS score of 9.8, enables threat actors to exploit firmware memory for remote code execution, data modification or denial, with potential impacts on equipment performance. The second (CVE-2023-3596) can induce a denial-of-service condition, rendering the device inoperable, with both vulnerabilities opening the possibility for undetected and persistent threats within PLCs; patches are urgently recommended.

AI-Driven Threats: WormGPT Tool Augments Cybercrime Sophistication

Cybercriminals are harnessing generative AI technology, including the black-hat tool WormGPT, to enhance business email compromise (BEC) attacks, phishing and malware creation. The tool, trained on malware-related data, is capable of creating highly convincing fraudulent emails and adapting content for more effective phishing attempts, underscoring the escalating threats posed by generative AI technologies. As AI-driven cyberattacks increase in sophistication, it is urged that security teams also utilize AI-enabled defenses to proactively detect, combat and block these emerging threats.

Persistent Threat Actor Targets Ukraine and Poland

Cisco Talos has identified a persistent threat actor, reportedly linked to the Belarusian government, conducting information-stealing campaigns against governmental, military, and civilian entities in Ukraine and Poland since April 2022. The multi-stage attacks typically start with a malicious Microsoft Office document lure, leading to a payload concealed within an image file for difficult detection, and ending with remote access trojans such as AgentTesla, Cobalt Strike beacons, and njRAT. The actor displays continuous adaptation and development in their methodologies, evidenced by the varying degrees of code obfuscation, changing decryption routines, and resilient delivery methods to ensure persistent remote access and evasion from detection.

Enhanced CVSS 4.0 Unveiled to Improve Cybersecurity Vulnerability Assessments

The Forum of Incident Response and Security Teams (FIRST) has introduced the Common Vulnerability Scoring System (CVSS) version 4.0 to improve the assessment of vulnerability severity and strengthen vulnerability management. The new version, which is currently undergoing a public comment period, addresses issues from CVSS 3.1 such as inadequate granularity, inapplicability to non-IT systems, high or critical vendor scores, ineffective temporal metrics, and complex threat metrics. New features include more precise metrics, a focus on OT/ICS/safety systems, and the addition of a Supplemental Metric Group for conveying extrinsic attributes of vulnerabilities, intended to equip cybersecurity professionals with a better tool against escalating cyber threats.

TeamTNT Botnet Resurfaces: Targets Cloud-Native Environments in New Campaign

The cybercriminal group, TeamTNT, has reemerged, running an extensive botnet campaign targeting cloud-native environments such as Docker, Kubernetes, Redis servers, and Postgres databases, among others. During their investigation, cybersecurity company Aqua Nautilus accessed TeamTNT’s Command and Control (C2) server, gathering crucial data on the campaign’s victims, targeted environments, and the tactics used, revealing the botnet scans the entire internet every hour. The investigation further revealed that TeamTNT has associated subdomains with AnonDNS and seems to be in the process of enhancing their campaign, pointing to a broader strategy to infect systems with their cloud worm.

Mandiant Unveils Evolving Tactics of Russia’s GRU in Cyber Attacks Against Ukraine

Cybersecurity firm Mandiant has revealed an operational playbook used by Russia’s GRU (military intelligence) against Ukraine, noting an evolution in methods from previous cyber campaigns. The new approach emphasizes speed, scale, and intensity while minimizing detection, using multifunctional, highly reusable malware tools and ‘hacktivist’ personas to misdirect attribution. These personas, active on platforms like Telegram, not only support the Russian regime but also exaggerate the impact of cyber-attacks and leak victim data, indicating a deliberate, centralized effort by the GRU to standardize operations for repeatable, consistent effects.

Addressing Supply Chain Cybersecurity: UK Government Seeks Industry Views

The UK’s Minister of State for Media, Data and Digital Infrastructure has called on industry leaders to contribute views on the risks posed by insecure software and supply chains. This initiative aims to address the complex interdependencies within the National Critical Infrastructure sectors and the growing threat of supply chain attacks, as evidenced by increasing incidents involving groups like Dragonfly. Future strategies may involve reducing the level of effort in onboarding vendors, enhancing knowledge about upstream suppliers’ security incidents, identifying critical vulnerabilities, and facilitating two-way information flow about risks and threats.

Small Group Behind Vast Majority of Global Email Extortion, Study Reveals

Research conducted by Barracuda Networks and Columbia University reveals that global email-based extortion scams are conducted by fewer than 100 fraudsters. By analyzing over 300,000 extortion emails, researchers found that the top 10 Bitcoin addresses used by scammers were present in about 30% of the emails, and the top 100 addresses accounted for roughly 80% of the emails. Given the scammers’ similarity in approach and limited numbers, researchers believe that tracking down even a small subset of these attackers could significantly disrupt this threat, and relatively simple detectors should be able to block a large percentage of these attacks.
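As an added illustration (not code from the study or this digest), the Python below reproduces the concentration measurement the researchers describe on a constructed set of extortion emails: extract Bitcoin addresses, count how many emails each address appears in, and compute what share of the corpus the top-k addresses cover; the blocklist check at the end is the kind of simple detector the summary refers to. All address strings and email bodies are constructed, and the address regex is a loose syntactic match with no checksum validation.

```python
import re
from collections import Counter

# Constructed addresses shaped like legacy (1.../3...) and bech32 (bc1...) strings; not real wallets.
ADDR_A = "1FakeScamAddrAAAAAAAAAAAAAAAAAAAA"
ADDR_B = "3FakeScamAddrBBBBBBBBBBBBBBBBBBBB"
ADDR_C = "bc1qfakescamaddrcccccccccccccccccccccc"
ADDR_D = "1FakeScamAddrDDDDDDDDDDDDDDDDDDDD"
ADDR_E = "3FakeScamAddrEEEEEEEEEEEEEEEEEEEE"

# Constructed sample corpus standing in for the study's 300,000 extortion emails.
SAMPLE_EMAILS = [
    f"I recorded you through your webcam. Pay 0.05 BTC to {ADDR_A} within 48 hours.",
    f"Your account was hacked. Send $900 in bitcoin to {ADDR_A} or the video goes out.",
    f"Last warning. Wallet: {ADDR_A}",
    f"Transfer 1000 USD to my wallet {ADDR_A}. You have 2 days.",
    f"I know your password. Bitcoin address: {ADDR_B}",
    f"Pay to {ADDR_B} now. Do not reply, this mailbox is not monitored.",
    f"{ADDR_B} is my wallet, 0.03 BTC buys my silence.",
    f"Deposit to {ADDR_C} and I delete everything.",
    f"My address is {ADDR_D}. Send 0.1 BTC.",
    f"Pay {ADDR_E} within 72 hours.",
    "Quarterly invoice attached, please confirm receipt.",  # benign mail with no address
]

# Loose syntactic match (no checksum check): Base58 legacy addresses and bech32 addresses.
BTC_ADDRESS_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,87})\b")

def extract_addresses(text):
    # Set of address-like strings in one email body; each address counts once per email.
    return set(BTC_ADDRESS_RE.findall(text))

def address_email_counts(emails):
    # For each address, the number of emails that mention it.
    counts = Counter()
    for body in emails:
        counts.update(extract_addresses(body))
    return counts

def top_k_coverage(emails, k):
    # Share of address-bearing emails naming at least one of the k most-used addresses:
    # the concentration measure the study reports (top 10 -> ~30%, top 100 -> ~80%).
    top = {addr for addr, _ in address_email_counts(emails).most_common(k)}
    per_email = [a for a in map(extract_addresses, emails) if a]
    return sum(1 for addrs in per_email if addrs & top) / len(per_email) if per_email else 0.0

def flag_extortion(text, blocklist):
    # Simple detector: the email names an address already seen in the extortion corpus.
    return bool(extract_addresses(text) & blocklist)
```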

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.