Cyber Fraud Task Force: Weekly News Update
This is a joint cybersecurity monthly product from the Missouri Information Analysis Center, St. Louis Fusion Center, Kansas City Regional Fusion Center and the Missouri Office of Homeland Security.
A joint security advisory issued by multiple national cybersecurity authorities revealed today the top 10 attack vectors most exploited by threat actors for breaching networks. The advisory, jointly released by agencies from the United States, Canada, New Zealand, the Netherlands, and the United Kingdom, includes guidance to mitigate these routinely exploited weak security controls, poor security configurations, and bad practices.
In an unusual reversal, CISA has removed an item from its online “Known Exploited Vulnerabilities Catalog”. The vendor notified CISA that the patch for CVE-2022-26925 could, in some instances, cause network authentication failures on domain controllers. The removal is temporary, to give the vendor additional time to rethink and rework the software patch.
The U.S. government is warning that the Democratic People’s Republic of Korea (DPRK) is dispatching its IT workers to obtain freelance jobs at companies across the world in order to gain privileged access, which is sometimes used to facilitate cyber intrusions. Thousands of North Korean “highly skilled IT workers,” at the direction of or under coercion by their government, are targeting freelance jobs at organizations in wealthier nations. They use various methods to hide their North Korean origin in order to evade the U.S. and United Nations (UN) sanctions that apply to individuals and organizations supporting the DPRK regime.
More than 200 Android apps masquerading as fitness, photo editing, and puzzle apps have been observed distributing spyware called Facestealer to siphon user credentials and other valuable information. “Similar to Joker, another piece of mobile malware, Facestealer changes its code frequently, thus spawning many variants,” Trend Micro analysts Cifer Fang, Ford Quin, and Zhengyu Dong said in a new report. “Since its discovery, the spyware has continuously beleaguered Google Play.” Facestealer, first documented by Doctor Web in July 2021, refers to a group of fraudulent apps that invade the official app marketplace for Android with the goal of plundering sensitive data such as Facebook login credentials.
The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets. On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA. KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the Federal Bureau of Investigation (FBI), and the Department of Justice, which houses both agencies. The DEA declined to comment on the validity of the claims, issuing only a brief statement in response. “DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,” the agency said in a statement shared via email.
Netskope published research which found that phishing downloads increased sharply, by 450%, over the past 12 months, fueled by attackers using search engine optimization (SEO) techniques to improve the ranking of malicious PDF files on popular search engines, including Google and Bing. The top web referrer categories included some categories traditionally associated with malware, particularly shareware/freeware, but were dominated by more unconventional categories. The rise in the use of search engines to deliver malware over the past 12 months shows how adept some attackers have become at SEO. Malware downloads referred by search engines were predominantly malicious PDF files, including many fake CAPTCHAs that redirected users to phishing, spam, scam, and malware websites.
A first-of-its-kind security analysis of the iOS Find My feature has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that executes while an iPhone is “off.” The mechanism takes advantage of the fact that the wireless chips for Bluetooth, Near-field communication (NFC), and ultra-wideband (UWB) continue to operate after iOS is shut down, when the device enters a “power reserve” Low Power Mode (LPM). While this is done to enable features like Find My and to facilitate Express Card transactions, all three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt said in a paper entitled “Evil Never Sleeps.”
Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder’s appropriate security level. But many government employees aren’t issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong?
Ahead of Anti-Ransomware Day, we summarized the trends that characterize the ransomware landscape in 2022. This year, ransomware is no less active than before: cybercriminals continue to threaten nationwide retailers and enterprises, old variants of malware return while new ones develop. Watching and assessing these trends not only provides us with threat intelligence to fight cybercrime today, but also helps us deduce what trends we may see in the months to come and prepare for them better.
The Conti ransomware group infiltrated the Costa Rican government’s network last month, and it has dramatically escalated its rhetoric. Not only has the Russian-linked group doubled its ransom to $20 million, its leadership has boldly announced that its intention is to take down the country’s government. The group released a message claiming it has individuals inside the Costa Rican government who are aiding its efforts, and that its ultimate goal is to overthrow the government by means of a cyber-attack. Conti has now infiltrated 27 Costa Rican networks with its malware.
The US Department of Justice today said that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals. Zagala (aka Nosophoros, Aesculapius, and Nebuchadnezzar) also offered support to cybercriminals who bought the malware and shared profits earned after ransoming victims worldwide.
All information in this product is open-source and may be shared without further permission. If any member of the public has pertinent information regarding the subject material contained within this Public Awareness Bulletin, they should contact the agency listed above directly. Any unauthorized alteration of any portion of this Public Awareness Bulletin is considered a violation and subject to legal prosecution.