MITRE releases 2023 CWE Top 25

MITRE unveiled its annual list of the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses for the year 2023. Top of the updated list is out-of-bounds write, followed by cross-site scripting, SQL injection, use-after-free, and OS command injection.

NSA, CISA share guidance to secure CI/CD environments

The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a set of recommendations and best practices to help organizations defend Continuous Integration/Continuous Delivery (CI/CD) environments against malicious attacks.

In related news, the Massachusetts Institute of Technology (MIT) published a framework called “Metior” designed to help engineers and scientists better understand the effectiveness of different obfuscation schemes.

TSMC hit with a Lockbit ransomware attack

Taiwan Semiconductor Manufacturing Company (TSMC), the world’s largest chip manufacturer, has reportedly suffered a Lockbit ransomware attack, with hackers demanding a whopping $70 million ransom.

The chip maker said in a statement that one of its IT hardware suppliers was breached and information related to initial server setup and configuration was compromised. The incident didn’t impact TSMC’s business operations, nor did it compromise any TSMC’s customer information, the company said.

The affected third-party supplier, Kinmax Technologies, said the attackers breached its internal specific testing environment and stole some information. The leaked content “mainly consisted of system installation preparation that the company provided to our customers,” Kinmax said.

A Trickbot member sentenced in the US to more than 2 years in prison

Alla Witte, a Latvian woman involved in the notorious TrickBot cyber operation, has pleaded guilty in federal court in Cleveland to conspiracy to commit computer fraud. She has been sentenced to two years and eight months in prison. Witte (aka Max) became the first person in the United States to be convicted and sentenced for being part of one of the world’s most prolific hacker groups that deployed the Trickbot malware, which infected millions of victim computers worldwide.

2020 EncroChat shutdown led to over 6,500 arrests, seizure of €900M in illicit funds

Europol revealed that in the three years after an international police operation dismantled the encrypted phone network EncroChat heavily used by organized crime groups, law enforcement authorities arrested more than 6,500 suspects worldwide and seized or froze €900 million in illicit funds.

New Anatsa campaign is hitting banks in the US, UK and DACH countries

Cyber fraud analysts at ThreatFabric spotted a new wave of Google Play Store dropper attacks delivering the Anatsa banking trojan. The attacks are focused on financial institutions from the US, UK, and DACH region. Once the device is infected, Anatsa can collect sensitive data like credentials, credit card details, balance and payment information via overlay attacks and keylogging.

Widespread Petro-Canada outages were caused by a cyberattack on its parent company Suncor

Canadian oil giant Suncor confirmed that a cyberattack was the cause of technical problems at Petro-Canada gas stations across Canada owned by Suncor. Multiple customers reported problems logging into the app and website and employees at gas stations could only accept cash. Eventually, Petro-Canada acknowledged the issue and said they were working to address it.

US sanctions two FSB officers accused of elections interference, influence campaigns

The US authorities imposed sanctions on two Russian intelligence officers, Yegor Popov and Aleksei Sukhodolov, involved in the Kremlin’s attempts to conduct global influence operations, including efforts to interfere in a local US election.

Briton sentenced to 5 years in prison for the 2020 Twitter hack

A British man was sentenced to five years in prison for his involvement in the 2020 Twitter hack, one of the biggest hacks in social media history. Compromised numerous accounts of celebrities and politicians, including former US President Barack Obama and Microsoft’s Bill Gates were compromised in the breach.

Joseph James O'Connor, known as PlugwalkJoe, was extradited to the US from Spain on April 26, 2023. He pleaded guilty in a US court on May 9, 2023.

Mockingjay process injection technique allows bypassing security controls

Researchers detailed a new process injection technique called “Mockingjay” that could be used by threat actors to bypass Endpoint detection and response (EDR) solutions to execute malicious code on compromised systems.

Mockingjay leverages dynamic link libraries (DLLs) with default read, write, and execute (RWX) permissions to push code into the address space of a running process. The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section. It also differs from other approaches in that that it doesn’t use commonly exploited Windows APIs.

Android stalkerware app LetMeSpy hacked, data released online

Polish developer behind the LetMeSpy phone monitoring app has been breached, with the hackers stealing sensitive data collected by the app, including text messages, call logs and locations. A review of the leaked database showed it included years of victims’ call logs and text messages dating back to 2013.

The database contained current records on at least 13,000 compromised devices, although not all of them were sharing data with LetMeSpy, as well as over 13,400 location data points for several thousand victims, with the majority of them located in the US, India and Western Africa.

Iran-linked MuddyWater APT updates its arsenal with new C&C framework

Researchers at Deep Instinct Threat Lab published a technical deep dive into a new command-and-control framework called ‘PhonyC2’ observed in an attack on Israeli research institute Technion conducted by an Iran-linked cyber-espionage group known as MuddyWater or Mango Sandstorm (Mercury).

PhonyC2 is said to be a successor to MuddyC3 and POWERSTATS. It is a post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'intrusion kill chain.'