New year, new cyber threats on the horizon. As we enter 2024, cybersecurity experts are increasingly warning about the role of AI and large language models (LLMs), and in particular about how malicious actors have started to integrate these technologies to develop more sophisticated malware and phishing attacks. This, and a lot more from the infosec landscape, is covered in our threat report for January 2024.
Boris Goncharov, AMATAS strategic director, noted that, “For attackers, artificial intelligence has become another ‘super weapon’.”
In the past month, researchers also revealed more information about:
- a “supermassive” leak or the Mother of all Breaches (MOAB);
- a potential botnet, using Androxgh0st malware;
- the largest DDoS attack to date on Ukraine’s most popular online bank.
Our January 2024 newsletter also discusses the:
- nation-state-sponsored attacks on Microsoft and Hewlett-Packard;
- dissemination of false information on the Securities and Exchange Commission’s (SEC) X account;
- sanctions on the hacker who attacked Australia’s largest health insurer, Medibank, in 2022.
Read on and remember to always stay alert when it comes to your cyber activities and security.
Cybercrime Breaking News
Cybernews and Bob Dyachenko, a cybersecurity researcher and owner of SecurityDiscovery.com, released information about a “supermassive” leak, which they have called the Mother of all Breaches (MOAB), comprising 12 terabytes of data. The dataset is said to contain a total of 26 billion records across over 3,800 folders, including 15 billion records from 2,500 past data breaches. The MOAB includes the data of Twitter, Dropbox, LinkedIn, Adobe, Canva, and Telegram users.
On January 12th, the Microsoft security team discovered an attack against their corporate systems. The attackers were identified as Midnight Blizzard (also known as Nobelium), a Russian state-sponsored actor.
Hewlett Packard disclosed in a regulatory filing that a suspected nation-state actor (Midnight Blizzard, also known as Cozy Bear, which has Kremlin links) gained access to the organization’s cloud-based email environment and exfiltrated mailbox data.
The Securities and Exchange Commission’s (SEC) account on X, formerly Twitter, was taken over and used by the hackers to make a fake post about Bitcoin. The social media platform stated that the compromise was not due to a breach of X’s systems. After an initial investigation, the SEC revealed that the account takeover was the result of a “SIM swap” attack.
The FBI and CISA released a joint advisory warning how malicious actors have been spreading the Androxgh0st malware. The report revealed more details about the tactics used to deploy the malware, including the known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). The hackers are ultimately trying to build a botnet to identify victims and exploit target networks.
Schneider Electric, an energy management and automation giant, was targeted by a ransomware attack, impacting its Resource Advisor and other division-specific systems. The Cactus ransomware has claimed responsibility for the attack.
Vulnerabilities tracker
- CISA warned about actively exploited vulnerabilities: an out-of-bounds write vulnerability in VMware vCenter Server, a type confusion vulnerability affecting multiple Apple products, and a template injection vulnerability in Atlassian Confluence Data Center and Server.
- Fortra issued an advisory about a new authentication bypass vulnerability in GoAnywhere MFT. Fortra representatives noted that the “Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.”
- Ivanti warned about two new high-severity vulnerabilities in its Connect Secure VPN and Policy Secure, one of which is said to be exploited by malicious actors.
- Hackers have been exploiting a vulnerability in Apache ActiveMQ to deliver the Godzilla web shell to compromised hosts.
Mortgage giant loanDepot was hit by a cyberattack on its phone and processing services. The personal information of about 16.6 million customers may have been exposed.
Tietoevry’s cloud hosting service and data center (in Sweden) was targeted by a ransomware attack. The malicious actors used Akira ransomware-as-a-service tools and were able to gain partial access. “We understand that this situation is challenging for the impacted customers, and we are making every effort to ensure that they are kept up to date on the progress being made,” announced Venke Bordal, Head of Tietoevry Tech Services Sweden.
The personal data of an undisclosed number of Framework Computer customers (the manufacturer of upgradeable, modular laptops) may have been exposed after the organization’s accounting service provider, Keating Consulting Group, fell victim to a phishing attack.
AerCap, an international aviation leasing company, responded to a ransomware attack that is said to have had a limited impact.
The non-profit organization Water for People was hit by a ransomware attack. The ransomware-as-a-service gang Medusa threatened to publish the stolen information unless a $300,000 extortion fee was paid.
Cyberwar between Russia and Ukraine: Updates
Monobank, Ukraine’s most popular online bank, faced its largest distributed denial-of-service (DDoS) attack to date, with 580 million service requests over three days.
Ukrainian security officers took offline two digital surveillance cameras that were said to have been hacked by Russia and used to spy on Kyiv’s critical infrastructure and air defense forces.
Ukraine’s security service announced that it has detained a suspected pro-Kremlin hacker, part of the Cyber Army of Russia.
The Russian security services (FSB) have detained an 18-year-old Russian student, who has allegedly helped Ukrainian hacker groups and is currently facing treason charges.
Cybersecurity Justice
The Justice Department charged 19 individuals from across the globe for their alleged roles in the now defunct xDedic Marketplace. This dark web marketplace illegally sold credentials for servers around the globe, along with the personal information of US residents, offering over 700,000 compromised servers for sale.
Australia, the UK, and the US imposed sanctions against an alleged Russian hacker believed to be behind the 2022 ransomware attack on Medibank, Australia’s largest health insurer. During the attack, the personal information of 9.7 million people was stolen. The sanctions reportedly include “up to 10 years’ imprisonment and heavy fines”.
The U.S. Department of Justice sentenced the Russian developer of Trickbot, the malicious software that targeted American hospitals and other businesses, to five years and four months in prison.
The U.S. Office of Foreign Assets Control (OFAC) sanctioned two Islamic State of Iraq and Syria (ISIS)-affiliated cybersecurity experts for carrying out cybersecurity training for ISIS, as well as “enabling their use of virtual currency and supporting the terrorist group’s recruitment”.
A Northern California District judge rejected NSO Group’s appeal to dismiss Apple’s lawsuit against the company’s Pegasus tool. Apple alleged that the powerful “spyware” enables users “to remotely and covertly extract valuable intelligence from virtually any mobile device.” Dismissing the appeal, the judge has validated Apple’s arguments that NSO has violated the Computer Fraud and Abuse Act (CFAA) and various other laws.
The US District Court sentenced a ‘ShinyHunters’ member to three years in prison and to pay over $5 million for “conspiracy to commit wire fraud and aggravated identity theft”.
BreachForums’ administrator violated his parole and was thus arrested on January 2. He is believed to have used a computer and VPN services without having enabled the prescribed monitoring software.
The Justice Department sentenced a foreign national for “conspiring to launder money derived from internet fraud schemes” to over 10 years in prison and a fine of over $1.46 million.
A Canadian court sentenced the perpetrator behind ransomware and malware attacks on over 1,100 private citizens, businesses, and government agencies to two years in prison.
FinTech Updates
More than $81 million in cryptocurrency was stolen from Orbit Chain on New Year’s Eve. The cryptocurrency platform is currently investigating the attacks, alongside the Korean National Police Agency and the Korea Internet & Security Agency (KISA).
About $112 million was stolen from the co-founder of the blockchain company Ripple.
Researchers disclosed how yet another Mirai-based botnet is being used by experienced cybercriminals to covertly distribute illicit cryptocurrency mining software.
BlackBerry researchers warn that threat actors have been targeting Mexican banks and cryptocurrency trading platforms with AllaKore RAT – an open-source remote access tool.
Brazilian police arrest criminals said to have used banking malware Grandoreiro to steal about $3.9 million from victims. The criminal group has been active since 2019.
Ukrainian police arrested an alleged perpetrator said to have infected the servers of a popular cloud provider, mining over $2 million in cryptocurrency during the last two years.
Cybersecurity News Across The Globe
- Researchers suspect that Myanmar’s Ministry of Defence and Foreign Affairs was targeted (between November 2023 and January 2024) by Mustang Panda – a China-based threat actor.
- Orange España, one of Spain’s biggest mobile carriers, suffered a cyberattack that is said to have caused a three-hour service outage, affecting some customers.
- Some of the Parkovy facility’s (a Ukrainian data center that serves the country’s national postal service, railway, a large energy company, and other state-owned companies) operations were disturbed by a cyberattack.
- Taiwanese semiconductor manufacturer, Foxsemicon, was targeted by a ransomware attack, supposedly perpetrated by the LockBit ransomware gang.
- A UN report reveals how Southeast Asia’s casinos have become “foundational pieces of the banking architecture used by organized crime” to move and launder cryptocurrencies.
Find out more about the expected trends to shape the 2024 cybersecurity landscape.
AMATAS NEWS
Register for AMATAS and ConnectWise joint webinar and get a free risk assessment!
Our upcoming webinar Unlocking Security Excellence: The Benefits of SOC as a Service will take place on 5th March at 10:00 CET.
The online event aims to encourage discussion and to shed light on the transformative impact of Security Operations Center (SOC) as a service. Whether you’re exploring the idea of establishing a SOC for the first time or considering a switch from your current SOC provider, this session promises valuable insights into how SOC as a service can enhance your organization’s security posture and help you deal with the human resource challenges that it poses.
Our cybersecurity experts Miroslav Naydenov and Andre Lynch will delve into the myriad benefits of adopting SOC as a service, including scalable security solutions, access to cutting-edge technologies, and the expertise of seasoned security professionals. We’ll also cover the main business perspective – how SOC as a service can provide a more flexible and cost-effective approach to cybersecurity, enabling organizations to focus on their core activities while ensuring robust security measures are in place. As both AMATAS and ConnectWise are vendors believing in privacy and information security as a human right, we will be providing each of our attendees the opportunity to get a full risk assessment free of charge!
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.