24 November 2023

Security Week In Review: November 24, 2023


Exposed Kubernetes secrets of hundreds of orgs and open-source projects allow access to sensitive environments

Researchers at Aqua Security have issued a warning about the critical issue of public exposure of Kubernetes configuration secrets. They found that hundreds of organizations, including Fortune 500 companies, are at risk. Out of 438 records with potentially valid credentials for registries, 46% contained credentials allowing access. Notably, 93 passwords were manually set, with nearly 50% considered weak, including commonly known weak passwords like “password,” “test123456,” “windows12,” “ChangeMe,” and “dockerhub.”
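The weak-credential finding above is something a cluster owner can check for directly. The following added example (not from the Aqua report or any project on this page) decodes a `kubernetes.io/dockerconfigjson` Secret as `kubectl get secret -o json` would return it, extracts each registry login, and flags passwords that are on the list quoted above or too short; the Secret, registries and credentials are constructed for the example.

```python
import base64
import json

# Weak passwords named in the Aqua Security findings, compared case-insensitively.
WEAK_PASSWORDS = {"password", "test123456", "windows12", "changeme", "dockerhub"}

# Constructed sample Secret (shape of `kubectl get secret regcred -o json`).
# Registries and credentials are invented for this example.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "regcred", "namespace": "ci"},
    "type": "kubernetes.io/dockerconfigjson",
    "data": {
        ".dockerconfigjson": base64.b64encode(json.dumps({
            "auths": {
                # Classic form: "auth" holds base64("user:password").
                "registry.example.test": {
                    "auth": base64.b64encode(b"ci-bot:ChangeMe").decode()},
                # Alternate form: explicit username/password fields.
                "ghcr.example.test": {
                    "username": "dev", "password": "s0me-Long-Random-T0ken-9f3a"},
            }
        }).encode()).decode()
    },
}

def registry_credentials(secret):
    """Yield (registry, username, password) for each auth entry in the Secret."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    for registry, entry in json.loads(raw).get("auths", {}).items():
        if "auth" in entry:
            user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, pw = entry.get("username", ""), entry.get("password", "")
        yield registry, user, pw

def is_weak(password):
    """True for the known-weak list or anything shorter than 12 characters (assumed floor)."""
    return password.lower() in WEAK_PASSWORDS or len(password) < 12

def audit_secret(secret):
    """Return the registries whose stored password is weak, without echoing the password."""
    return sorted(r for r, _, pw in registry_credentials(secret) if is_weak(pw))

if __name__ == "__main__":
    for registry in audit_secret(SAMPLE_SECRET):
        print(f"{SAMPLE_SECRET['metadata']['name']}: weak credential for {registry}")
```

In a real audit the same functions can be run over every `dockerconfigjson` Secret in a cluster, which is also where the report's point applies: a Secret committed to a public repository exposes these logins in plaintext after one base64 decode.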

Researchers found a way to bypass Windows Hello fingerprint authentication

Researchers at Blackwing Intelligence, a hardware and software product security and offensive research company, demonstrated a method to bypass Windows Hello fingerprint authentication on popular laptops such as the Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X.

The new method relies on a USB man-in-the-middle attack and takes advantage of cryptographic implementation flaws in popular fingerprint sensors from Goodix, Synaptics, and ELAN.

Hackers exploit Apache ActiveMQ bug to install rootkits and crypto miners

Threat actors behind the Kinsing malware are actively exploiting a remote code execution vulnerability in the Apache ActiveMQ open-source message broker to infect Linux systems with cryptocurrency miners. Tracked as CVE-2023-46604, the flaw affects the OpenWire protocol and allows a remote attacker to run arbitrary shell commands. The vulnerability was fixed in October 2023.

In addition to the Apache ActiveMQ bug, the Kinsing threat actors have been observed exploiting CVE-2023-4911 (aka Looney Tunables), a privilege escalation flaw in the GNU C Library (glibc).

A new North Korean supply chain attack spreads via malicious CyberLink app

A new supply chain attack was discovered that leverages a malicious variant of a popular photo and video editing application developed by Taiwanese software company CyberLink. Microsoft’s threat intelligence team has attributed the campaign to a North Korean threat actor it tracks as Diamond Sleet (previously Zinc).

The campaign involves a modified legitimate CyberLink application installer signed using a valid CyberLink certificate with malicious code that delivers a second-stage payload. It has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the US.

North Korean hackers target job seekers in a new malware campaign

Palo Alto Networks’ Unit 42 uncovered two distinct cyber campaigns targeting job-seeking activities, linked to state-sponsored threat actors associated with North Korea. The first campaign, named “Contagious Interview,” involves threat actors posing as employers, often with vague or anonymous identities, and enticing software developers into installing malware during the interview process.

The second campaign, dubbed "Wagemole," sees threat actors attempting to secure unauthorized employment with organizations in the US and other global regions, with motives ranging from financial gain to espionage. 

Russian cyberspies target Ukraine with a new USB worm

Russian cyber espionage group Gamaredon has launched a large-scale intelligence gathering operation targeting entities in Ukraine that uses a new self-propagating USB worm called LitterDrifter.

Written in VBS, the LitterDrifter worm comes with two main functionalities: automatic spreading over USB drives, and establishing a command-and-control (C2) channel to Gamaredon’s wide C2 infrastructure. The malware is believed to be the evolution of a PowerShell-based USB worm previously linked to Gamaredon.

Mirai-based botnet targets routers and video recorders via zero-day flaws

A new Mirai-based malware named 'InfectedSlurs' is exploiting two remote code execution zero-day vulnerabilities to ensnare routers and network video recorder (NVR) devices into a distributed denial-of-service (DDoS) botnet. The new campaign was discovered by Akamai researchers, who are keeping the technical details of the two zero-days under wraps until vendors release security patches sometime in December 2023. Akamai also withheld information on affected brands and models.

The InfectedSlurs botnet primarily uses the older JenX Mirai malware variant discovered in January 2018. The researchers said they also identified additional malware linked to hailBot, another variant built on the Mirai source code.

ClearFake malware campaign targets Mac users via fake browser updates

A new malware campaign has been observed that is delivering the macOS information stealer known as Atomic Stealer or AMOS through a fake browser update chain tracked as “ClearFake.” Clicking on a malicious link in phishing emails or on social media posts leads unsuspecting Mac users to a webpage impersonating Apple’s official download portal for Safari or a fake portal for Google’s browser serving Atomic Stealer.

Stealthy WailingCrab malware misuses MQTT Messaging Protocol

IBM X-Force researchers released a report highlighting the development of a sophisticated, multi-component malware called WailingCrab. WailingCrab was first observed in December 2022, and since then it has been used extensively in email campaigns to deliver the Gozi backdoor, often against Italian targets.

A new DarkGate and PikaBot phishing campaign leverages QakBot’s tactics

Cofense researchers spotted a phishing campaign distributing the DarkGate and PikaBot malware that leverages evasive tactics and anti-analysis techniques previously seen in the QakBot campaigns.

Both DarkGate and PikaBot are advanced malware with loader capabilities and anti-analysis behavior. First spotted in 2018, DarkGate is capable of cryptocurrency mining, credential theft, ransomware, and remote access. The malware has multiple methods of avoiding detection and two distinct methods of escalating privileges. DarkGate makes use of legitimate AutoIT files and typically runs multiple AutoIT scripts.

Tor Project removed a large number of nodes linked to a high-risk, for-profit scheme

The Tor network’s maintainers announced they removed a large number of relay servers linked to a cryptocurrency scheme that was run without the Tor Project’s approval. The scheme promised cryptocurrency tokens to users who set up and run Tor relays. The maintainers didn’t name the crypto project in question, but media reports suggest it may be ATOR, an initiative that claims its goal is to support Tor through rewards paid in ATOR cryptocurrency to Tor relay operators.

LockBit ransomware group introduces new negotiation rules

LockBit, one of the most prolific Ransomware-as-a-Service operations in the world, implemented new negotiation rules for its affiliates. The revised rules were imposed due to the LockBit leadership’s disappointment with lower-than-expected ransom payments. The new rules introduce a tiered percentage-based system for ransom payments and ban discounts greater than 50% of the initial ransom demand:

  • companies with revenue up to $100 million pay from 3% to 10%

  • companies with revenue up to $1 billion pay from 0.5% to 5%

  • companies with revenue of more than $1 billion pay from 0.1% to 3%

This week, the US and Australian security agencies released a joint advisory highlighting IoCs (Indicators of Compromise), TTPs (tactics, techniques, and procedures), and detection methods associated with LockBit ransomware and multiple threat groups exploiting CitrixBleed.

US cybersecurity agency releases guidance for healthcare, public health orgs

The US Cybersecurity and Infrastructure Security Agency (CISA) released security guidance for organizations in the healthcare and public health sectors, which provides defensive mitigation strategy recommendations and best practices to defend against cyber threats affecting the healthcare sector. It also identifies known vulnerabilities that organizations can use to assess their networks and minimize risks before intrusions occur.

A hacker-for-hire sentenced to 80 months in prison over worldwide spearphishing campaign

The owner of an Israeli intelligence firm was sentenced to 80 months in a US prison for his involvement in an extensive spearphishing campaign that targeted individuals and organizations across the globe. According to the court documents, Aviram Azari, 52, orchestrated intelligence gathering and spearphishing campaigns on behalf of his clients that targeted various groups of victims, including climate change activists, journalists, and critics of the now-defunct German fintech group Wirecard.

According to the DoJ, over a nearly five-year period, Azari made more than $4.8 million by managing the intelligence gathering and spearphishing campaign.

Cybersecurity exec hacked hospitals to boost business

A US tech company's former cybersecurity executive has pleaded guilty to a 2018 incident in which he deliberately launched online attacks on two hospitals in order to drum up the company’s business. According to court documents, Vikas Singla, a former chief operating officer of Atlanta-based cybersecurity firm Securolytics, hacked two hospitals in Georgia, disrupting their phone and network printer services.

Singla has agreed to pay $818,000 in restitution to the medical center and its insurance company for costs associated with the incident. In exchange, prosecutors will recommend to the court that Singla be sentenced to 57 months of probation, including home detention. His sentencing is scheduled for February 15, 2024.

The US seized nearly $9 million in cryptocurrency linked to a global pig butchering scam

US authorities seized nearly $9 million in cryptocurrency associated with a romance and investment fraud scheme that employed deceptive tactics known as “pig butchering.” The funds were tracked through cryptocurrency addresses believed to be connected to a cybercrime syndicate, which victimized more than 70 individuals.

Play ransomware is now available as Ransomware-as-a-Service

Cybersecurity researchers found evidence that the operators behind the Play ransomware are now offering the malware under the Ransomware-as-a-Service business model. The research team said they have identified several PlayCrypt attacks targeting small and mid-sized businesses over recent months that shared nearly identical tactics, techniques, and procedures (TTPs).

All observed incidents involved the same TTPs and followed the same order of steps, including the use of the public music folder (C:\...\public\music) to hide the malicious file, the same password to create high-privilege accounts, and the same commands.

Europol establishes OSINT task force to help war crimes investigations in Ukraine

Europol established a dedicated Operational Taskforce (OTF) aimed at aiding ongoing investigations of “core international crimes” committed following Russia’s invasion of Ukraine.

The primary objective of the task force is to identify suspects and determine their involvement in war crimes, crimes against humanity, or genocide. To achieve this, the OTF will leverage open source intelligence (OSINT) through the collection and analysis of data available online.

