Risky Biz News: Ukraine intelligence hacks and wipes Russia's tax agency

In other news: Leader of Kelvin Security hacking group arrested in Spain; Ukraine largest mobile operator goes down in apparent Russian hack; Hive ransomware member detained in Paris.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The RiskyBiz crew behind our newsletters and podcasts is on hiatus between December 8 and January 8 for the winter holidays, but we put out this weekly edition with some of the past week's biggest infosec stories.

Happy holidays!


Breaches, hacks, and security incidents

Kyivstar cyberattack: Kyivstar, Ukraine's largest mobile operator, was hit by a powerful cyberattack that disrupted services to most of its customers this week. No ETA has been provided for services coming back online. Suspicions are, obviously, on Russia. [Additional coverage in Reuters/non-paywall/Grugq commentary]

UAE TV defacements: Hackers have hijacked set-top boxes across the UAE to broadcast graphic content from the ongoing Hamas-Israel war. Known affected devices include the HK1 RBOXX. [Additional coverage in Mashable]

Insomniac hack: Sony has confirmed that hackers breached Insomniac Games, the developer of the Spider-Man 2 video game. The attack has been claimed by the Rhysida gang, which claims to have acquired screenshots and character art for the studio's upcoming Wolverine video game. [Additional coverage in Kotaku]

General tech and privacy

TikTok in Taiwan: A French documentary examined how TikTok has been used to influence young voters away from the country's independence and to closer relations and possible annexation to China. [Additional coverage in TaiwanNews]

VMware licensing update: Broadcom is killing off VMware on-premises perpetual licenses and forcing existing customers to a subscription-based model by ending the sale of support licenses. [Additional coverage in The Stack]

WhatsApp expiring voice messages: WhatsApp has added support for one-time expiring voice messages. The app has had support for a similar feature for text and video messages since 2021.

Meta sues the FTC: Social media company Meta has sued the FTC and challenged the agency's constitutionality because all US corporations believe they have more rights than actual human beings and that an agency that protects consumer rights should not exist. I'm exaggerating. Maybe. [Additional coverage in The Record]

"Strap on your seat belt," said Vladeck, who is now faculty director at Georgetown Law School’s Center on Privacy and Technology. Meta has "made a strong argument that the agency's ability to litigate cases administratively within the confines of the FTC violates the Constitution."

Discord adds security keys: Discord has added support for security keys and passkeys.

Government, politics, and policy

AI Act: EU authorities have agreed on a first version of the AI Act, a law meant to regulate artificial intelligence development and tools across the EU.

UK sanctions Asian scammers: The UK government has sanctioned nine individuals and five entities for their involvement in trafficking people in Cambodia, Laos, and Myanmar and forcing victims to work in call centers specialized in cyber fraud (also known as "pig butchering scams"). These are the first-ever sanctions levied against online scam operations.

FBI SEC reporting rules: The FBI has published a guide on how companies that suffered a security breach should report their incidents to the SEC and other authorities. The guide comes after a ransomware gang tried to use the confusion around these new rules to put pressure on a victim as part of their ransom negotiations.

US SBOM guidance: Multiple US government agencies have released guidance on securing software supply chains. The guidance covers the use of SBOMs, the use of open-source software, and the proper ways of using and maintaining open-source repositories.

Harry Coker confirmation: The US Senate has confirmed Harry Coker as the new head of the White House National Cyber Director. [Additional coverage in Politico]

AFP's call to ransomware victims: The Australian Federal Police has called on victims to report their ransomware attacks "as soon as possible."

Iran-Russia cyber treaty: Iran and Russia have signed a cybersecurity cooperation treaty. [Additional coverage in Iran International]

Ukraine takes credit for FNS hack: Ukraine's Defence Intelligence Main Directorate (GUR) says it hacked Russia's Federal Taxation Service (FNS) and wiped more than 2,300 of the agency's databases. GUR says Russian officials have been trying to restore the systems for the past four days. This is the second time the GUR officially took credit for a hack of a Russian agency after it also hacked Russian civil aviation agency Rosaviatsiya.

Risky Business Podcasts

In this podcast, Patrick Grey and Tom Uren talk about whether election interference will take place in the Taiwanese, US, and Russian elections that are all taking place in 2024. They also look at a ChatGPT-powered online harassment campaign.

Cybercrime and threat intel

Kelvin Security arrest: Spanish police have arrested the leader of the Kelvin Security hacking group. The group and its members were known for exploiting vulnerabilities and selling access to the hacked systems.

Hive gang member arrested: A Russian national suspected of being a member of the Hive ransomware group was detained in Paris this week. His home in Cyprus was also raided following the arrest. The suspect allegedly helped the gang launder its ransoms. [Additional coverage in LeFigaro/non-paywall]

Platypus case: French prosecutors are appealing a French court's case to release two suspects for hacking the Platypus cryptocurrency exchange. [Additional coverage in ZDNet France]

BOFH sentenced: A US judge sentenced a former cloud engineer to two years in prison for hacking and damaging his former employer's cloud network, a US bank.

KillMilk retires: KillMilk, the leader of the KillNet hacktivist group, has announced his retirement and appointed a new head honcho, an individual known as Deanon Club. KillMilk retired days after a Russian newspaper published his real-world identity as a 30-year-old Russian national named Nikolai Serafimov. [Additional coverage in The Record]

Amazon sues REKK group: Amazon has filed a lawsuit against REKK, a criminal group specializing in refund fraud. [Additional coverage in The Verge]

No AlphV takedown confirmation: There's been no official confirmation that law enforcement seized the server infrastructure of the AlphV ransomware gang. In the meantime, some AlphV servers started coming back online, but without their content. AlphV admins claim they just lost the hard drives.

TA4557/FIN6: Proofpoint says that since October, a threat actor known as TA4557 (links to FIN6) has been targeting job recruiters posing as possible candidates.

UTG-Q-003: Chinese security firm QiAnXin has published a report on UTG-Q-003, a threat actor the company says has uploaded a malicious app on the official Microsoft Windows Store that tried to pass as a Russian language version of the 7Zip file-archiving app. The final payload was the Lumma infostealer. The app was live in the store since mid-March and downloads spiked in August.

Scattered Spider: SilentPush researchers have published new TTPs used by Scattered Spider, the group behind recent hacks at Okta, Twilio, and MGM.

FTC QR code alert: The FTC has published a consumer threat alert, warning Americans that scammers are now using QR codes as part of their operations, redirecting users to malicious sites.

Europol security advisory: Europol says criminal gangs are increasingly using Bluetooth tracking devices for geolocalization, either victims or illegal materials.

Scam centers expand to LATAM: Interpol says that the trend of cyber fraud scam centers using kidnapped and human-trafficked operators is expanding from Southeast Asia to Latin America.

IP cloaking technique: SANS ISC is seeing threat actors map IPv4 addresses to IPv6 as a way to cloak their attacks and evade detection.

Log4j stats: Two years after security researchers discovered the Log4Shell vulnerability, roughly 38% of applications still use a vulnerable version of the Apache Log4j library.

PyPI malware: ESET has discovered 116 malicious packages uploaded to PyPI. Most of the libraries contained a version of the W4SP Stealer.

npm malware: Phylum has discovered a cluster of npm packages containing encrypted code that (when decrypted) tried to exfiltrate local user credentials to a Microsoft Teams account. The packages targeted a "major financial institution."

NCC yearly report: NCC Group has published its year-in-review research report.

Cloudflare yearly report: Cloudflare has published its year-in-review report. The most interesting tidbit is that 1.7% of TLS 1.3 traffic is now using post-quantum encryption.

OAuth app attacks: Microsoft has put out a report reviewing recent attacks that have used OAuth apps for escalating intrusions.

Malware technical reports

Kinsing: Sekoia has observed the Kinsing crypto-mining botnet exploit a recent Apache ActiveMQ zero-day tracked as CVE-2023-46604.

ATMZOW: GoDaddy's Sucuri has seen new domains deployed by the ATMZOW card skimming gang.

Rhysida ransomware: ShadowStackRE has published an analysis of Rhysida, the ransomware gang behind the recent breach at Insomniac Games, the maker of the Spider-Man games.

AsyncRAT: Trend Micro has published a report looking at AsyncRAT's new code injection technique.

"The strategic use of multiple obfuscated scripts that incorporate "living off the land" techniques grant malicious actors flexibility, enabling them to evade detection. Coupled with code injection into legitimate files like aspnet_compiler.exe, this technique significantly increases the challenge of detecting these threats."

DarkGate: Zscaler researchers look at the DarkGate malware, which saw a spike in September and October this year. Similar reports are also available from PulseDive, Sekoia, and Trellix.

GuLoader: Elastic's security team has looked at recent versions of GuLoader, an old MaaS.

MrAnon Stealer: Fortinet looks at MrAnon Stealer, a new stealer advertised via Telegram.

In this product demo, Senior Sales Engineer Ali Cheikh demonstrates the runZero platform to Risky Business host Patrick Gray.

APTs, cyber-espionage, and info-ops

Chinese hacking in the US: A Washington Post article [non-paywall] claims that Chinese military hackers have ramped up efforts to breach and backdoor critical infrastructure in the US. Sources claim the goal is to prepare ways to disrupt US operations in the case of a war in Taiwan and the Pacific. Victims include a water utility in Hawaii, a West Coast port, and at least one oil and gas pipeline operator.

PlugX: Cisco's Splunk has published a report on PlugX, a malware strain used by almost all Chinese APTs (and their dogs).

Sandman APT: In a joint report between SentinelOne, PWC, and Microsft, the three companies link the Sandman APT, which it discovered back in September, to a cluster of suspected Chinese activity.

Mustang Panda: Lab52 looks at a recent Mustang Panda campaign employing the PlugX malware.

Lazarus adopts D: According to a Cisco Talos report, North Korean group Lazarus has been using a piece of novel malware written in the D programming language.

Kimsuky: AhnLab has published a report on new Kimsuky campaigns delivering the Amadey and RftRAT malware.

ITG05/APT28: IBM X-Force looks at an ITG05/APT28 operation leveraging the Israel-Hamas war to deliver its custom-made Headlace backdoor.

Indian info-op: A Washington Post investigation [non-paywall] has exposed that a social media research organization named Disinfo Lab (not to be confused with the real EU Disinfo Lab) is secretly an Indian intelligence operation meant to discredit Narendra Modi's critics. The organization has been active since 2020 and mixing facts with claims that Indian government critics are part of a conspiracy led by global Islamic groups and billionaire George Soros to undermine India.

Vulnerabilities, security research, and bug bounty

Patch Tuesday: Yesterday was the December 2023 Patch Tuesday. We had security updates from Adobe, Apple, Microsoft, Chrome, SAP, Fortinet, Sophos, Zoom, Schneider Electric, and Siemens. The Android Project, Cisco, Atlassian, VMWare, Zyxel, QNAP, Apache CouchDB, Apache Struts, WordPress, Joomla, and Drupal released security updates last week as well. The Apple updates fix two zero-days, while the Sophos update includes new patches for a zero-day initially patched back in September 2022. Quiet Patch Tuesday from Microsoft this month, only 41 bug fixes.

Struts RCE: Of all these PT bugs, one of the worst is the new Struts RCE. See these two breakdowns for more information.

pfSense vulnerabilities: SonarSource has discovered three vulnerabilities (two XSS, one command injection) in pfSense, an open-source firewall solution.

Silverpeas vulnerabilities: Rhino Security has discovered eight vulnerabilities in the Silverpeas Core open-source project business and team collaboration project.

CS2 bug: A bug is being exploited in the wild to deface CounterStrike 2 games and obtain users' IP addresses.

WP shortcode vulnerability: Wordfence has found more than 100 WordPress plugins on the official WP repository that are vulnerable to XSS attacks via their shortcode functionality. More than 6 million WordPress sites are believed to be affected.

Timing side-channel attack: Mozilla has patched a timing side-channel attack in the Firefox NSS codebase. Details about the attack will be published in January.

5Ghoul attack: A team of academics has discovered 14 vulnerabilities in 5G modems from Qualcomm and MediaTek. Referred to as 5Ghoul, the vulnerabilities impact more than 710 modern smartphone models.

Infosec industry

New tool—Swagger Jacker: Security firm BishopFix has open-sourced a new tool named Swagger Jacker for auditing OpenAPI definition files.

"This enables offensive security professionals to identify potential vulnerabilities or misconfigurations in the API routes defined within the definition document."

New tool—ScubaGoggles: CISA has open-sourced a new tool named ScubaGoggles, a baseline assessment tool for Google Workspace environments.

PHDays recap: Margin Research has published a recap of PHDays 2023, Russia's largest cybersecurity conference, and how the cybersecurity market has changed two years into Russia's invasion of Ukraine.

Trend Micro move: Trend Micro has closed down its Chinese R&D division and plans to open a new center in Canada. [Additional coverage in Radio Free Asia]

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about recent hints that the Ukrainian government has figured out how to make use of the IT Army.