Title: Chromium Browsers Allow Data Exfiltration via Bookmark Syncing
Date Published: August 1, 2022
https://www.darkreading.com/cloud/chromium-browsers-data-exfiltration-bookmark-syncing
Excerpt: “Bookmark synchronization has become a standard feature in modern browsers: It gives Internet users a way to ensure that the changes they make to bookmarks on a single device take effect simultaneously across all their devices. However, it turns out that this same helpful browser functionality also gives cybercriminals a handy attack path. To wit: Bookmarks can be abused to siphon out reams of stolen data from an enterprise environment, or to sneak in attack tools and malicious payloads, with little risk of being detected. David Prefer, an academic researcher at the SANS Technology Institute, made the discovery as part of broader research into how attackers can abuse browser functionality to smuggle data out from a compromised environment and carry out other malicious functionality. In a recent technical paper, Prefer described the process as “bruggling” — a portmanteau of browser and smuggling. It’s a novel data exfiltration vector that he demonstrated with a proof-of-concept (PoC) PowerShell script called “Brugglemark” that he developed for the purpose.”
Title: Gootkit AaaS Malware Is Still Active and Uses Updated Tactics
Date Published: August 2, 2022
https://securityaffairs.co/wordpress/133918/malware/gootkit-is-still-active.html
Excerpt: “Gootkit runs on an access-as-a-service model, it is used by different groups to drop additional malicious payloads on the compromised systems. Gootkit has been known to use fileless techniques to deliver threats such as the SunCrypt, and REvil (Sodinokibi) ransomware, Kronos trojans, and Cobalt Strike. In the past, Gootkit distributed malware masquerading as freeware installers, now it uses legal documents to trick users into downloading these files. The attack chain starts with a user searching for specific information in a search engine. Attackers use black SEO technique to display a website compromised by Gootkit operators among the results. Upon visiting the website, the victim will notice that it is presented as an online forum directly answering his query. This forum hosted a ZIP archive that contains the malicious .js file, which is used to establish persistence and drop a Cobalt Strike binary in the memory of the infected system.”
Title: ALPHV/BlackCat Ransomware Gang Claims to Have Stolen Data From Creos Luxembourg S.A.
Date Published: August 1, 2022
Excerpt: “The ALPHV/BlackCat ransomware gang claims to have hacked the European gas pipeline Creos Luxembourg S.A. Creos Luxembourg S.A. owns and manages electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. In this capacity, the company plans, constructs and maintains high, medium and low-voltage electricity networks and high, medium and low-pressure natural gas pipelines, which it owns or which it is responsible for managing. The ALPHV/BlackCat ransomware group claims to have stolen more than 150 GB from the company, a total of 180.000 files. Stolen data include contracts, agreements, passports, bills, and emails.”
Title: Australian Man Charged With Creating and Selling the Imminent Monitor Spyware
Date Published: August 1, 2022
Excerpt: “The 24-year-old Australian national Jacob Wayne John Keen has been charged for his alleged role in the development and sale of spyware known as Imminent Monitor (IM). The Australian Federal Police (AFP) launched an investigation into the case, codenamed Cepheus, in 2017 after it received information about a “suspicious RAT” from cybersecurity firm Palo Alto Networks and the U.S. FBI. The man created the malicious code, a remote access trojan (RAT), when he was 15 years old, and maintained its infrastructure from 2013 to 2019. In November 2019, Europol announced to have dismantled the global organized cybercrime ring behind the Imminent Monitor RAT.”
Title: “ParseThru” Vulnerability Allows Unauthorized Access to Cloud-Native Applications
Date Published: August 2, 2022
https://www.helpnetsecurity.com/2022/08/02/parsethru-vulnerability/
Excerpt: “A new vulnerability found in GoLang-based applications allows a threat actor to bypass validations under certain conditions and gain unauthorized access to cloud-native applications, Oxeye researchers have found. The source of “ParseThru” – as the newly discovered vulnerability has been dubbed – is the use of unsafe URL parsing methods built in the language.”
Title: EU Missile Maker MBDA Confirms Data Theft Extortion, Denies Breach
Date Published: August 2, 2022
Excerpt: “MBDA, one of the largest missile developers and manufacturers in Europe, has responded to rumors about a cyberattack on its infrastructure saying that claims of a breach of its systems are false. A statement from the company clarifies that it was the target of a criminal group who spread the false news of hacking its information systems in an attempt to blackmail the organization into paying a ransom. The extortionists had acquired MBDA data from an external drive used by the company’s Italian division and demanded a ransom to not leak or sell the files. The firm doesn’t provide any explanation about how the extortionists got their hands onto the external hard drive from MBDA Italy. MBDA also added that they will not yield to the blackmail and won’t pay the ransom to the criminals. Instead, they will work with law enforcement authorities in Italy and take all legal actions against the perpetrators.”
Title: Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks
Date Published: August 1, 2022
Excerpt: “Cybersecurity researchers have uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over users’ Twitter accounts that are associated with the app. The discovery belongs to cybersecurity firm CloudSEK, which scrutinized large app sets for potential data leaks and found 3,207 leaking a valid Consumer Key and Consumer Secret for the Twitter API. When integrating mobile apps with Twitter, developers will be given special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also will enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc. As having access to these authentication keys could allow anyone to perform actions as associated Twitter users, it is never recommended to store keys directly in a mobile app where threat actors can find them.”
Title: Microsoft Defender Experts for Hunting Now Generally Available
Date Published: August 1, 2022
Excerpt: “Microsoft Defender Experts for Hunting, a new managed security service for Microsoft 365 Defender customers, is now generally available. Announced in May, Defender Experts for Hunting provides businesses that already have Security Operation Centers (SOCs) but are also willing to pay for additional help to hunt threats across endpoints, Office 365, cloud apps, and identity. Microsoft’s security experts will use Defender data for threat investigation and to provide customers with remediation instructions, as well as help deploy threat hunting across all Microsoft 365 Defender products within hours, according to Redmond.”
Title: Steam, PayPal Blocked as Indonesia Enforces New Internet Regulation
Date Published: August 1, 2022
Excerpt: “The Indonesian Ministry of Communication and Information Technology, Kominfo, is now blocking access to internet service and content providers who had not registered on the country’s new licensing platform by July 27th, 2022, as the country begins to restrict access to online content providers and services. The first blocks began Friday, a day before the June 26th deadline, and according to internet access monitoring org NetBlocks, some of the service providers include Yahoo, Steam, and PayPal. Other Indonesian sources also report not being able to access Battlenet, Epic Games, and other gaming portals used by millions of players in the country. The blocks appear to result from a coordinated action between Kominfo and all major ISPs (internet service providers) in the country. However, some smaller ones still stray from the new regulations. According to multiple user reports, VPNs can bypass the imposed blocks for now, but when using them with electronic payment services or gaming portals, there might be problems with network speed and account fingerprint mismatches. Due to the blocks, many PayPal users in Indonesia have been locked out of their accounts and funds. However, a spokesperson stated that the government might temporarily unblock payment platforms this week to allow withdrawals.”
Title: BlackCat Ransomware Claims Attack on European Gas Pipeline
Date Published: August 1, 2022
Excerpt: “The ALPHV ransomware gang, aka BlackCat, claimed responsibility for a cyberattack against Creos Luxembourg S.A. last week, a natural gas pipeline and electricity network operator in the central European country. Creos’ owner, Encevo, who operates as an energy supplier in five EU countries, announced on July 25 that they had suffered a cyberattack the previous weekend, between July 22 and 23. While the cyberattack had resulted in the customer portals of Encevo and Creos becoming unavailable, there was no interruption in the provided services. On July 28, the company posted an update on the cyberattack, with the initial results of their investigation indicating that the network intruders had exfiltrated “a certain amount of data” from the accessed systems. At that time, Encevo wasn’t in a position to estimate the scope of the impact and kindly asked customers to be patient until the investigations were concluded, at which time everyone would receive a personalized notice. Since no further updates have been posted on Encevo’s media portal, this procedure is likely still underway. Encevo says that when more information becomes available, it will be posted on a dedicated webpage for the cyberattack. For now, all customers are recommended to reset their online account credentials, which they used for interacting with Encevo and Creos services. Furthermore, if those passwords are the same at other sites, customers should change their passwords on those sites as well. Bleeping Computer has contacted Creos to request more information about the impact of the cyberattack, but a spokesperson of the firm declined to give any comment at this stage.”