Reader

Começando... Espero entender logo tudo!

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

---

Highlight

💳 So stehlen Kriminelle mit gefälschten FinanzOnline-Benachrichtigungen Ihre Bankomatkarte cybercrime – Kriminelle nutzen gefälschte Onlinebanking-Seiten, um Bankdaten zu stehlen. Nutzer erhalten betrügerische Benachrichtigungen über Kartensperrungen und sollen ihre alte Karte zurücksenden. https://www.watchlist-internet.at/news/so-stehlen-kriminelle-kartenwechsel-scam/

---

News For All

🤖 Your robot vacuum cleaner might be spying on you privacy – A security flaw in Ecovacs robot vacuums allows remote access to cameras and microphones, exposing users to privacy risks. Updates are coming, but not soon enough for some customers. https://www.bitdefender.com/en-us/blog/hotforsecurity/your-robot-vacuum-cleaner-might-be-spying-on-you/

🤔 Cops often hush up use of facial recognition tools privacy – U.S. police frequently use facial recognition technology without disclosing it to suspects, leading to wrongful arrests. This raises concerns about privacy and accountability in law enforcement practices. https://www.theregister.com/2024/10/07/cops_love_facial_recognition_and/

🔒 Google brings better bricking to Androids, to curtail crims security news – Google is rolling out features to enhance Android security, making it harder for thieves to profit from stolen phones by requiring credentials for factory resets and biometric verification for sensitive actions. https://www.theregister.com/2024/10/08/google_android_security/

⚖️ Twitter Acts Fast on Nonconsensual Nudity If It Thinks It’s a Copyright Violation privacy – A study reveals Twitter removes nonconsensual nude images quickly if reported for copyright violations but delays action on similar reports for nonconsensual content, highlighting legal gaps. https://www.404media.co/twitter-acts-fast-on-nonconsensual-nudity-if-it-thinks-its-a-copyright-violation/

🔄 What Google’s U-Turn on Third-Party Cookies Means for Chrome Privacy privacy – Google paused its plans to eliminate third-party cookies in Chrome, citing backlash from various stakeholders. Critics argue this compromises user privacy while Google emphasizes user choice in tracking. https://www.wired.com/story/google-chrome-third-party-cookies-privacy-rollback/

🔍 Credit monitoring and supply chain risk company hacked data breach – CreditRiskMonitor reported a data breach where sensitive employee information was stolen, though customer data remained unaffected. The company is offering impacted individuals 24 months of free credit monitoring. https://cyberscoop.com/credit-risk-monitor-cyber-crmz-ransomware/

📱 Don’t use iPhone Mirroring at work, experts warn privacy – Experts warn against using iPhone Mirroring at work due to privacy risks, as it can expose personal app data to employers. Apple is aware and working on a fix. https://www.theregister.com/2024/10/08/iphone_mirroring_at_work/

📚 The Editors Protecting Wikipedia from AI Hoaxes security news – Wikipedia editors have launched WikiProject AI Cleanup to address the rise of unsourced, poorly-written AI-generated content on the platform, aiming to preserve the quality of information. https://www.404media.co/the-editors-protecting-wikipedia-from-ai-hoaxes/

💉 Trinity ransomware targets healthcare orgs cybercrime – Trinity ransomware has infected at least one U.S. healthcare provider, employing double extortion tactics. Experts warn healthcare organizations to enhance security measures against such attacks. https://www.theregister.com/2024/10/09/trinity_ransomware_targets_healthcare_orgs/

🔑 How to use Apple’s new Passwords app on iOS and macOS security news – Apple's new Passwords app replaces previous password management methods, allowing users to store and manage passwords, passkeys, and Wi-Fi credentials across devices. It offers autofill, sharing, and security alerts. https://www.theverge.com/24264400/passwords-apple-ios-macos-how-to

📉 National Public Data files for bankruptcy after info leak security news – National Public Data filed for bankruptcy after a massive data breach affecting potentially hundreds of millions. The company faces multiple lawsuits and regulatory challenges following the incident. https://www.theregister.com/2024/10/09/national_public_data_bankrupt/

🔒 The Internet Archive is under attack, with a breach revealing info for 31 million accounts data breach – The Internet Archive confirmed a breach exposing data for 31 million accounts, including email addresses and hashed passwords. The site also faced a DDoS attack following the incident. https://www.theverge.com/2024/10/9/24266419/internet-archive-ddos-attack-pop-up-message

📱 How Telegram Turbocharges Organised Crime cybercrime – A UN report highlights Telegram's role in facilitating organized crime, including cyber fraud, money laundering, and criminal marketplaces, emphasizing the need for stricter regulations to combat these activities. https://news.risky.biz/how-telegram-turbocharges-organised-crime/

⚠️ Mozilla issued an urgent Firefox update to fix actively exploited flaw vulnerability – Mozilla released an urgent update for Firefox to fix a critical use-after-free vulnerability (CVE-2024-9680) actively exploited in attacks, urging users to upgrade immediately. https://securityaffairs.com/169590/security/mozilla-firefox-actively-exploited-flaw.html

🛡️ Blue Team, Red Team, and Purple Team: An Overview security news – This article discusses the roles of Blue, Red, and Purple Teams in cybersecurity, highlighting defensive operations, adversarial simulations, and collaborative efforts to enhance security measures. https://www.blackhillsinfosec.com/red-blue-and-purple-teams/

😷 14,000 medical devices are online, unsecured and vulnerable security research – A report reveals over 14,000 exposed medical devices globally, with nearly half in the U.S. Many lack basic security measures, making them prime targets for cybercriminals amid increasing healthcare attacks. https://cyberscoop.com/medical-devices-online-health-censys/

🐖 Pig Butchering Scams Are Going High Tech cybercrime – The UNODC reports a surge in high-tech 'pig butchering' scams in Southeast Asia, utilizing generative AI and deepfakes to enhance fraud. These scams, alongside cryptocurrency drainers, are increasingly sophisticated and pose significant challenges for law enforcement. https://www.wired.com/story/pig-butchering-scams-go-high-tech/

⛓️‍💥 'Chat control': The EU's controversial CSAM-scanning legal proposal explained privacy – The EU's proposed legislation to combat child sexual abuse material (CSAM) threatens user privacy by mandating scanning of private communications on messaging apps, raising concerns about encryption and mass surveillance. https://techcrunch.com/2024/10/12/chat-control-the-eus-controversial-csam-scanning-legal-proposal-explained/

🔒 How to Stop Your Data From Being Used to Train AI privacy – As generative AI increasingly utilizes online data, users can take steps to opt out of having their content used for training. The article outlines various platforms and methods to help protect personal data from being scraped. https://www.wired.com/story/how-to-stop-your-data-from-being-used-to-train-ai/

⚠️ Magenta ID wurde deaktiviert: Vorsicht vor täuschend echter Phishing-Mail warning – Eine täuschend echte Phishing-Mail mit dem Betreff „Aktion erforderlich: Reaktivierung Ihrer Magenta ID“ fordert zur Aktivierung einer nicht existierenden ID auf. Drei Hinweise entlarven die Betrugsmasche. https://futurezone.at/digital-life/magenta-id-wurde-deaktiviert-mail-phishing-rechnung-hinweise-betrug-warnung/402960708

---

Some More, For the Curious

🎉 Kyiv's hackers launched an unprecedented cyber attack on Russian state media VGTRK on Putin's birthday security news – Ukrainian hackers reportedly disrupted VGTRK operations, wiping servers and backups on Putin's birthday, amid ongoing cyber conflict between Russia and Ukraine. https://securityaffairs.com/169486/cyber-warfare-2/kyivs-hackers-hit-russian-state-media.html

🧓 The 30-year-old internet backdoor law that came back to bite security news – Chinese hackers compromised U.S. telecom wiretap systems, highlighting risks of backdoor laws like CALEA, which mandate access to customer data but create vulnerabilities for abuse. https://techcrunch.com/2024/10/07/the-30-year-old-internet-backdoor-law-that-came-back-to-bite/

💰 MoneyGram says hackers stole customers' personal information and transaction data data breach – MoneyGram confirmed a cyberattack resulted in the theft of customers' personal and transaction data, affecting names, addresses, and some Social Security numbers. Investigation is ongoing. https://techcrunch.com/2024/10/07/moneygram-says-hackers-stole-customers-personal-information-and-transaction-data/

🗃️ ADT says hacker stole encrypted internal employee data after compromising business partner security news – ADT reported a breach where a hacker accessed its network through a compromised third-party partner, stealing encrypted employee data. No customer information was believed to be affected. https://therecord.media/adt-hacker-stole-encrypted-data-after-breaching-third-party

🛡️ Following the Trail of Flax Typhoon to Uncover Newly Discovered Vulnerabilities in Linear Emerge Access Control Devices security research – A vulnerability, CVE-2024-9441, affects Linear Emerge E3 series devices and is unpatched, raising concerns of imminent exploitation. Organizations are urged to isolate affected devices. https://vulncheck.com/blog/flax-typhoon-linear-merge

🔧 Zero Day Initiative — The October 2024 Security Update Review security news – Adobe and Microsoft released significant security updates in October 2024, addressing numerous vulnerabilities including critical code execution bugs. Users are urged to promptly apply patches to mitigate risks. https://www.thezdi.com/blog/2024/10/8/the-october-2024-security-update-review

🚫 Russia and Turkey ban Discord messaging app security news – Russia and Turkey have blocked Discord, citing non-compliance with local laws and misuse for illegal activities. The bans have sparked backlash, highlighting the platform's importance for communication. https://therecord.media/discord-messaging-app-banned-russia-turkey

🔍 Two never-before-seen tools, from same group, infect air-gapped devices security research – Researchers discovered two sophisticated toolsets used by a suspected Russian hacking group to compromise air-gapped devices for data theft, highlighting their evolving capabilities and modular design. https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-same-group-infect-air-gapped-devices/

⌨️ Hackers targeted Android users by exploiting zero-day bug in Qualcomm chips vulnerability – Qualcomm confirmed hackers exploited a zero-day vulnerability (CVE-2024-43047) in its chipsets used in Android devices, with indications of targeted exploitation. Fixes have been made available to device manufacturers. https://techcrunch.com/2024/10/09/hackers-were-targeting-android-users-with-qualcomm-zero-day/

🌐 OpenAI says it has disrupted 20-plus foreign influence networks in past year security news – OpenAI disrupted over 20 foreign influence operations using its AI tools to manipulate political sentiments and elections. The report highlights ongoing threats from nations like Russia and Iran. https://cyberscoop.com/openai-threat-report-foreign-influence-generative-ai/

🚔 Dutch cops reveal takedown of 'largest dark web market' cybercrime – Dutch police arrested the alleged administrators of Bohemia and Cannabia, the largest dark web marketplaces, which processed €12 million monthly. The operators attempted an exit scam after becoming aware of the investigation. https://www.theregister.com/2024/10/10/cannabia_bohemia_darkweb_market_investigation/

🪙 FBI created a crypto token so it could watch it being abused security news – The FBI developed its own cryptocurrency, NexFundAI, to monitor fraudulent activities in the crypto market, leading to arrests in three countries for alleged wash trading and manipulation schemes. https://www.theregister.com/2024/10/11/fbi_nexfundai_crypto_fraud_sting/

🔧 GitLab fixed a critical flaw that could allow arbitrary CI vulnerability – GitLab patched a critical vulnerability (CVE-2024-9164) that allowed unauthorized CI/CD pipeline execution. The update also addressed several high and medium severity issues in both Community and Enterprise Editions. https://securityaffairs.com/169671/security/gitlab-fixed-critical-flaw-cve-2024-9164.html

📦 Malicious packages in open-source repositories are surging security research – A report by Sonatype reveals a 150% increase in malicious packages in open-source repositories over the past year, highlighting security vulnerabilities and the slow response to patching them. https://cyberscoop.com/open-source-security-supply-chain-sonatype/

💻 Ransomware operators exploited Veeam Backup & Replication flaw CVE vulnerability – Ransomware operators are exploiting the critical CVE-2024-40711 vulnerability in Veeam Backup & Replication to deploy malware and create rogue accounts. Sophos warns of attacks leveraging compromised credentials and outdated VPNs. https://securityaffairs.com/169679/cyber-crime/ransomware-groups-exploit-veeam-backup-replication-bug.html

📁 File hosting services misused for identity phishing security research – Microsoft reports that ransomware operators are exploiting legitimate file hosting services to conduct phishing attacks, using tactics to evade detection and compromise user identities, leading to business email compromise (BEC) attacks. https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/

---

CISA Corner

🚨 Avoid Scams After Disaster Strikes warning – CISA warns of increased cyber scams following natural disasters, urging caution with emails and social media related to hurricanes. Verify information from trusted sources before responding. https://www.cisa.gov/news-events/alerts/2024/10/08/avoid-scams-after-disaster-strikes

⚠️ CISA Adds Three Known Exploited Vulnerabilities to Catalog warning – CISA has included three vulnerabilities in its Known Exploited Vulnerabilities Catalog, highlighting risks from active exploitation. Agencies are required to remediate these vulnerabilities to protect federal networks. https://www.cisa.gov/news-events/alerts/2024/10/08/cisa-adds-three-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds Three Known Exploited Vulnerabilities to Catalog warning – CISA has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting risks from active exploitation in Fortinet and Ivanti products. Federal agencies must remediate these vulnerabilities promptly. https://www.cisa.gov/news-events/alerts/2024/10/09/cisa-adds-three-known-exploited-vulnerabilities-catalog

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

---

News For All

🐖 The Pig Butchering Invasion Has Begun cybercrime – Global pig butchering scams, rooted in Southeast Asia, exploit vulnerable populations and net billions. Operations are expanding worldwide, raising serious human trafficking and financial crime concerns. https://www.wired.com/story/pig-butchering-scam-invasion/

🔍 Remote ID verification tech is often biased and wrong security news – A GSA study reveals remote identity verification technologies are biased, with significant error rates affecting marginalized groups. The tech’s reliability raises concerns for government and user equity. https://www.theregister.com/2024/09/30/remote_identity_verification_biased/

📚 Massive E-Learning Platform Udemy Gave Teachers a Gen AI 'Opt-Out Window'. It's Already Over. privacy – Udemy's brief opt-out period for teachers to exclude their content from generative AI training has passed, sparking backlash over perceived intellectual property theft and biased communication. https://www.404media.co/massive-e-learning-platform-udemy-gave-teachers-a-gen-ai-opt-out-window-its-already-over/

🎯 North Korea-linked APT Kimsuky targeted German defense firm Diehl Defence security news – North Korea's APT Kimsuky targeted German defense contractor Diehl Defence through a phishing campaign involving fake job offers, raising significant concerns due to the company's military manufacturing role. https://securityaffairs.com/169162/apt/kimsuky-apt-hit-diehl-defence.html

🫴 Paypal Opted You Into Sharing Data Without Your Knowledge privacy – PayPal has been criticized for automatically opting users into data sharing with third parties for personalized shopping, raising privacy concerns as users were unaware of this change. https://www.404media.co/paypal-personalized-shopping-opt-out/

📰 News agency AFP hit by cyberattack, client services impacted cybercrime – AFP confirmed a cyberattack affecting its IT systems and client services, prompting investigations with France’s cybersecurity agency. Global news coverage remains unaffected, but partners were warned about potential FTP credential compromises. https://securityaffairs.com/169175/hacking/news-agency-afp-hit-by-cyberattack-client-services-impacted.html

🚔 Multinational police effort hits sections of Lockbit ransomware operation security news – An international police effort led to arrests and seizures targeting the LockBit ransomware group, including a suspected developer in France and sanctions against affiliates linked to Evil Corp, amid ongoing efforts to disrupt cybercrime. https://cyberscoop.com/lockbit-arrests-ransomware-fbi-uk-nca-evil-corp/

🏥 UMC Health System diverted patients following a ransomware attack cybercrime – UMC Health System in Texas diverted patients after a ransomware attack caused a network outage. The hospital is investigating the breach and working to restore services while ensuring patient care. https://securityaffairs.com/169198/cyber-crime/umc-health-system-cyberattack.html

🕵️‍♀️ ICE Signs $2 Million Contract With Spyware Maker Paragon Solutions security news – ICE has contracted Israeli spyware vendor Paragon Solutions for $2 million amid ongoing scrutiny of commercial spyware. The contract raises questions about ethical surveillance practices and human rights implications. https://www.wired.com/story/ice-paragon-solutions-contract/

📊 Thunderbird für Android: Telemetrie-Daten werden bereits beim Start erfasst privacy – Die Beta-Version von Thunderbird für Android überträgt Telemetriedaten ohne Einwilligung an Mozilla. Dies verstößt gegen Datenschutzgesetze und enttäuscht Nutzer, die eine Opt-In-Lösung erwarten. https://www.kuketz-blog.de/thunderbird-fuer-android-telemetrie-daten-werden-bereits-beim-start-erfasst/

🪩 A Network of AI ‘Nudify’ Sites Are a Front for Notorious Russian Hackers cybercrime – Fake AI ‘nudify’ sites are revealed to be fronts for Fin7, a Russian hacking group, designed to steal credentials. The sites lure users with the promise of generating nonconsensual content. https://www.404media.co/a-network-of-ai-nudify-sites-are-a-front-for-notorious-russian-hackers-2/

🔍 Telegram has disclosed criminal data to authorities for years, Durov says security news – Telegram's founder, Pavel Durov, clarified that the platform has long disclosed user data to law enforcement upon legal request, emphasizing recent updates to privacy policies do not signify a major shift in practices. https://therecord.media/telegram-disclosing-criminal-data-law-enforcement-durov-statement

💰 Men Stole Over $1 Million From DoorDash Delivery Drivers By Impersonating Them to Customer Service cybercrime – Two men impersonated DoorDash drivers to steal over $1 million by hijacking accounts and redirecting payments. They used stolen personal information to bypass security and change account details. https://www.404media.co/men-stole-over-1-million-from-doordash-delivery-drivers-by-impersonating-them-to-customer-service/

🔐 The feds still can’t get into Eric Adams’ phone security news – NYC Mayor Eric Adams forgot the new passcode to his phone after changing it, complicating federal investigators' efforts to access it amid ongoing fraud and bribery charges against him. https://www.theverge.com/2024/10/2/24260626/fbi-eric-adams-locked-phone-forgotten-changed-password

📸 License Plate Readers Are Creating a US-Wide Database of More Than Just Cars privacy – License plate readers in the US are compiling extensive databases that capture political affiliations and personal beliefs, raising concerns about privacy and surveillance as they collect data beyond just vehicle information. https://www.wired.com/story/license-plate-readers-political-signs-bumper-stickers/

🔒 DOJ, Microsoft seize 107 domains used in Russian attacks security news – The DOJ and Microsoft seized 107 domains linked to Russia's Callisto Group, disrupting a phishing campaign targeting US government agencies and other organizations, aimed at stealing sensitive information. https://www.theregister.com/2024/10/03/russian_phishing_domains_seized/

👮‍♀️ Dutch police breached by a state actor data breach – A state actor has been blamed for hacking into the Dutch police system, exposing contact details of officers. The investigation is ongoing, with security measures implemented to protect affected personnel. https://securityaffairs.com/169328/hacking/dutch-police-breached-by-state-actor.html

👓 Harvard duo modifies Meta glasses to grab strangers' info security news – Harvard students developed 'I-XRAY,' a system using Meta smart glasses to identify individuals and compile personal information from publicly available sources, highlighting privacy concerns in the AI era. https://www.theregister.com/2024/10/04/harvard_engineer_meta_smart_glasses/

💼 Crook made millions by breaking into execs’ Office365 inboxes, feds say cybercrime – UK national Robert B. Westbrook has been charged with a hack-to-trade scheme, illegally accessing Office365 accounts of US executives to steal financial reports, earning approximately $3.75 million from insider trading. https://arstechnica.com/security/2024/10/crook-made-millions-by-breaking-into-execs-office365-inboxes-feds-say/

🎥 Meta’s new “Movie Gen” AI system can deepfake video from a single photo security news – Meta's Movie Gen AI can create realistic videos from a single photo, generating deepfakes and personalized content. While it offers innovative editing and sound synthesis features, it raises significant ethical concerns. https://arstechnica.com/ai/2024/10/metas-new-movie-gen-ai-system-can-deepfake-video-from-a-single-photo/

🔒 Apple iOS 18.0.1 and iPadOS 18.0.1 fix media session and passwords bugs security news – Apple's iOS 18.0.1 and iPadOS 18.0.1 updates address two vulnerabilities that could expose audio snippets and passwords. The flaws were fixed with improved validation checks, with no known active exploits reported. https://securityaffairs.com/169381/mobile-2/apple-ios-18-0-1.html

🛬 Ryanair faces GDPR turbulence over customer ID checks security news – Ireland's Data Protection Commission is investigating Ryanair's ID verification process for customers booking through third-party sites, focusing on compliance with GDPR regarding the use of biometric data. https://www.theregister.com/2024/10/05/irish_dpc_ryanair_probe/

---

Some More, For the Curious

🎒 Danger is Still Lurking in the NVD Backlog security news – The National Vulnerability Database still has a significant backlog of over 18,000 vulnerabilities, with 72.4% unanalyzed. Progress has been made, but many critical vulnerabilities remain unassessed. https://vulncheck.com/blog/nvd-backlog-exploitation-lurking

🔒 More frequent disruption operations needed to dent ransomware gangs, officials say security news – Officials urge for increased frequency of disruption operations against ransomware gangs, as current efforts have proven insufficient. New strategies and international cooperation are essential to combat the rising threat. https://cyberscoop.com/counter-ransomware-initiative-summit-white-house-odni/

🛠️ capa Explorer Web: A Web-Based Tool for Program Capability Analysis security research – Mandiant introduces capa Explorer Web, a browser-based tool for visualizing program capabilities identified by the capa reverse engineering tool, enhancing analysis with interactive features and integration with VirusTotal. https://cloud.google.com/blog/topics/threat-intelligence/capa-explorer-web-program-capability-analysis/

🕵️‍♂️ Notorious Evil Corp Hackers Targeted NATO Allies for Russian Intelligence cybercrime – Evil Corp has been linked to Russian intelligence agencies and tasked with espionage against NATO allies. The group, known for its Dridex malware and ransomware operations, has extorted over $300 million. https://www.wired.com/story/evil-corp-lockbit-russian-intelligence/

🛡️ Level Up Your Security Skills with the New Microsoft Sentinel Ninja Training! security news – Microsoft Sentinel Ninja Training has been revamped with interactive modules, hands-on labs, and real-world scenarios to enhance skills in threat detection and incident response, integrating with Defender XDR for streamlined operations. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/level-up-your-security-skills-with-the-new-microsoft-sentinel/ba-p/4260106

🚨 Russian authorities arrest nearly 100 in raids tied to cybercriminal money laundering cybercrime – Russian authorities arrested nearly 100 individuals linked to the UAPS payment system and Cryptex exchanges in a money laundering investigation, handling over $1.2 billion in illicit funds for cybercriminals. https://cyberscoop.com/russian-cybercrime-raids-cryptex-uaps/

🔒 14 New DrayTek routers' flaws impacts over 700,000 devices in 168 countries vulnerability – Forescout identified 14 vulnerabilities in DrayTek routers, affecting over 704,000 devices globally. Two critical flaws could enable severe attacks, prompting urgent updates from DrayTek. https://securityaffairs.com/169267/security/draytek-routers-flaws-impacts-700000-devices.html

💻 Threat actor believed to be spreading new MedusaLocker variant since 2022 malware – Cisco Talos reports a financially motivated threat actor distributing a new MedusaLocker ransomware variant, 'BabyLockerKZ,' targeting organizations globally since 2022, with a shift from Europe to South America. https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/

📧 Weird Zimbra Vulnerability vulnerability – A Zimbra vulnerability allows hackers to execute remote commands via malformed emails. While exploitation is easy, large-scale infections are unlikely. Defenders should monitor for suspicious email patterns. https://www.schneier.com/blog/archives/2024/10/weird-zimbra-vulnerability.html

⚠️ The Silent Epidemic: Uncovering the Dangers of Alert Fatigue and How to Overcome It security news – Alert fatigue poses a significant threat to cybersecurity, overwhelming security teams and causing critical alerts to be overlooked. Organizations must adopt automation tools and education to mitigate these risks. https://www.cybereason.com/blog/the-silent-epidemic-uncovering-the-dangers-of-alert-fatigue-and-how-to-overcome-it

🛰️ Black Hills Information Security hacking write-up – The article discusses the history and future of satellite technology, highlighting vulnerabilities and notable attacks, including spoofing and jamming. It emphasizes the risks of cyberattacks on satellites and the need for robust security measures. https://www.blackhillsinfosec.com/satellite-hacking/

🐍 Thousands of Linux systems infected by stealthy malware since 2021 malware – A stealthy malware strain named Perfctl has infected thousands of Linux systems since 2021, exploiting over 20,000 misconfigurations and a critical vulnerability, allowing for cryptocurrency mining and unauthorized access. https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/

📊 Introducing the Use Cases Mapper workbook cyber defense – The Use Case Mapper Workbook aids organizations in optimizing Microsoft Sentinel by mapping common security use cases to the MITRE ATT&CK framework, identifying gaps in security solutions, and facilitating updates. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/introducing-the-use-cases-mapper-workbook/ba-p/4202058

---

CISA Corner

⚠️ CISA Adds Four Known Exploited Vulnerabilities to Catalog warning – CISA has added four actively exploited vulnerabilities to its catalog, including critical command injection issues in routers and a deserialization flaw in SAP, posing serious risks to federal networks. https://www.cisa.gov/news-events/alerts/2024/09/30/cisa-adds-four-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds One Known Exploited Vulnerability to Catalog warning – CISA has added an Ivanti Endpoint Manager SQL Injection vulnerability to its Known Exploited Vulnerabilities Catalog, highlighting risks that malicious actors pose to federal networks. https://www.cisa.gov/news-events/alerts/2024/10/02/cisa-adds-one-known-exploited-vulnerability-catalog ⚠️ CISA Adds One Known Exploited Vulnerability to Catalog warning – CISA has included a new vulnerability, CVE-2024-45519, affecting Synacor Zimbra, in its Known Exploited Vulnerabilities Catalog due to evidence of active exploitation, posing risks to federal networks. https://www.cisa.gov/news-events/alerts/2024/10/03/cisa-adds-one-known-exploited-vulnerability-catalog

⚙️ CISA Releases Two Industrial Control Systems Advisories vulnerability – CISA issued two advisories on October 1, 2024, highlighting vulnerabilities in Optigo Networks and Mitsubishi Electric ICS. Users are urged to review the advisories for mitigation strategies. https://www.cisa.gov/news-events/alerts/2024/10/01/cisa-releases-two-industrial-control-systems-advisories ⚙️ CISA Releases Three Industrial Control Systems Advisories vulnerability – CISA issued three advisories on October 3, 2024, addressing vulnerabilities in TEM Opera Plus, Subnet Solutions, and Delta Electronics ICS. Users are urged to review for security details and mitigation strategies. https://www.cisa.gov/news-events/alerts/2024/10/03/cisa-releases-three-industrial-control-systems-advisories

🔐 ASD’s ACSC, CISA, FBI, NSA, and International Partners Release Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations security news – The ASD’s ACSC, alongside CISA and international partners, released a guide outlining six principles for enhancing cybersecurity in operational technology environments to mitigate risks associated with business decisions. https://www.cisa.gov/news-events/alerts/2024/10/01/asds-acsc-cisa-fbi-nsa-and-international-partners-release-guidance-principles-ot-cybersecurity

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

Please stand by for unimportant messages.

Tips for Getting the Best Car Loan Rates in British Columbia

Getting the best BC auto loan rate might improve your finances. With changing interest rates and loan possibilities, it's important to know how to receive the best terms. This detailed guide will help you negotiate BC automobile financing and get the best vehicle loan rates.

1. Knowing BC Car Finance

Before applying for a vehicle loan, you must understand BC auto financing. Knowing the sorts of vehicle loans, interest rate considerations, and competing financial institutions is necessary. British Columbia vehicle finance includes online, credit union, and bank loans. Each option has benefits and downsides, and rates depend on credit history, loan amount, and term.

2. Improve Credit Score

Credit score is crucial to getting a cheap vehicle loan rate. Lenders evaluate creditworthiness and interest rates based on credit scores. Lower interest rates are characteristic of better credit scores.

3. BC Auto Loan Rates Compare

Compare BC auto loan rates from several lenders to get the best deals. Different lenders and financial profiles charge different interest rates. Compare rates from banks, credit unions, and internet lenders using web tools. Ask lenders about their rates and any specials or reductions.

4. Get BC Auto Loan Pre-Approval

Pre-approval for a BC auto loans may speed up car buying. Your financial information is reviewed by a lender to establish your maximum loan amount and interest rate before you start car shopping. Pre-approval defines your budget and attracts dealerships. It demonstrates you're serious and can acquire financing, providing you negotiation leverage.

5. Consider Loan Term

The period of your auto loan affects your monthly payments and total interest. Longer loan periods may cut monthly payments but increase interest payments. Consider your budget and financial objectives when choosing a loan term. If you can afford larger monthly payments, a shorter loan period may save you money. If you require lower payments, a longer term may be easier but cost more.

6. Negotiate Car Loan Terms

Never be scared to negotiate your BC auto finance. Many lenders may provide better rates if you have strong credit and are pre-approved. Interest rate, loan period, and fees are negotiable. Being proactive and talking to lenders may get you a better rate or loan terms.

7. Can I Extend My Car Loan?

If you want a car loan extension, then you should examine the advantages and downsides first. Extended terms may lower monthly payments but increase interest charges throughout the loan's life. Discuss loan term extensions with your lender to determine their influence on loan expenses. Make sure the new terms fit your financial objectives and don't cause debt.

8. Read Your Loan Agreement Carefully

Before signing a vehicle loan, read the terms. Consider the interest rate, loan length, payment plan, and fees and penalties. Understanding your loan agreement helps you prevent surprises and hidden fees. Ask your lender for clarification if needed.

Conclusion

The finest car loan rates in British Columbia need preparation and thought. Understanding for BC auto loan approved, boosting your credit score, comparing rates, and negotiating conditions may improve your loan prospects. Check the loan term and agreement to make sure it fits your financial objectives. You can better understand the vehicle loan process and locate the best financing plan with these advices.

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!

---

News For All

🎮 Be Internet Awesome World: A fun new game to learn about online safety security news – Google's new game, Be Internet Awesome World, teaches kids online safety through interactive lessons on scams, passwords, and personal information sharing. https://blog.google/technology/safety-security/be-internet-awesome-roblox/

🚨 Staying a Step Ahead: Mitigating the DPRK IT Worker Threat security research – Mandiant reports on DPRK IT workers posing as non-North Koreans to infiltrate global companies, generating revenue for the regime and posing cybersecurity risks; awareness and vigilance are crucial. https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/

🚴‍♂️ Hacking the “Bike Angels” System for Moving Bikeshares security news – New York City's bikeshare system, Bike Angels, is being exploited by users creating artificial shortages to maximize rewards, prompting a need for system modifications to prevent such hacks. https://www.schneier.com/blog/archives/2024/09/hacking-the-bike-angels-system-for-moving-bikeshares.html

🚗 White House proposes rule to ban Chinese, Russian parts for networked vehicles security news – The White House proposes banning Chinese and Russian components in connected vehicles to address national security threats, targeting parts for connectivity systems amid rising surveillance and hacking concerns. https://cyberscoop.com/us-government-ban-china-russia-connected-cars/

☑️ Privacy Service Optery Faces Backlash After Plan to Send OpenAI User Data privacy – Optery faced criticism for defaulting to transferring user data to OpenAI, leading to a backlash from privacy advocates and a subsequent shift to an opt-in model for data sharing. https://www.404media.co/privacy-service-optery-faces-backlash-after-plan-to-send-openai-user-data/

🧻 Telegram will now hand over your phone number and IP if you’re a criminal suspect security news – Telegram will disclose users' phone numbers and IP addresses to authorities upon valid requests for criminal suspects, reflecting a shift in its privacy policy amid concerns over illegal activities on the platform. https://www.theverge.com/2024/9/23/24252276/telegram-disclose-user-data-legal-requests-criminal-activity

⛰️ Pro-Russia hackers aim DDoS campaign at Austrian websites ahead of elections security news – Pro-Russia hacker groups, including NoName057(16) and OverFlame, have launched DDoS attacks on over 40 Austrian websites ahead of the upcoming elections, causing temporary outages but no lasting damage. https://therecord.media/austria-websites-ddos-incidents-pro-russia-hacktivists

📸 New twist on sextortion scam includes pictures of people's homes cybercrime – A new sextortion scam involves emails with photos of victims' homes, threatening to reveal their online activity unless they pay a ransom, leveraging personal data for intimidation. https://therecord.media/new-twist-on-sextortion-scam-pictures-of-peoples-homes

🍰 Iranian-linked election interference operation shows signs of recent access security news – An alleged Iranian hacking effort targeting Trump’s campaign continues, sharing materials with journalists, suggesting ongoing access to campaign documents, with U.S. officials linking the activity to the Iranian government. https://cyberscoop.com/trump-campaign-hack-new-material-ongoing-access/

🛤️ Who is tracking web behavior the most? Google, obviously privacy – Kaspersky's report reveals Google as the top tracker of online behavior, with its systems like Google Analytics and YouTube Analytics leading the way in data collection across various regions. https://www.theregister.com/2024/09/24/google_online_tracker/

🚙 Study finds many European car resellers fail to delete driver data privacy – A study reveals that 80% of resold cars in Europe contain previous owners' personal data, violating data privacy laws; dealerships are urged to implement structured data deletion processes to avoid legal consequences. https://therecord.media/study-finds-european-car-resellers-fail-to-delete-data

💳 New Android banking trojan Octo2 targets European banks malware – The Octo2 banking trojan has emerged, enhancing remote takeover capabilities and targeting European banks. Its advanced features and leaked source code could expand its use among cybercriminals. https://securityaffairs.com/168857/malware/octo2-android-banking-trojan.html

🪤 New Windows Malware Locks Computer in Kiosk Mode malware – A new malware campaign locks users in their browser's kiosk mode on Google's login page, coercing them to enter their credentials, which are then stolen by information-stealing malware. https://www.schneier.com/blog/archives/2024/09/new-windows-malware-locks-computer-in-kiosk-mode.html

🦊 Data privacy watchdog files complaint against Mozilla for new ad tracking feature privacy – The advocacy group noyb has filed a complaint against Mozilla for implementing a new ad tracking feature in Firefox without user consent, claiming it undermines data privacy rights. https://therecord.media/noyb-europe-complaint-mozilla-firefox-privacy-preserving-attribution

🏎️ Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug vulnerability – Researchers discovered a flaw in Kia's web portal that allowed them to track and control millions of vehicles, highlighting serious security vulnerabilities in the automotive industry’s web-based systems. https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/

📰 When UK rail stations Wi-Fi was defaced by hackers the only casualty was the truth security news – Hackers defaced public Wi-Fi at 19 UK rail stations with a hate-filled message, but the incident was downplayed as a minor cybersecurity breach rather than a major attack, contradicting sensational media coverage. https://www.bitdefender.com/blog/hotforsecurity/when-uk-rail-stations-wi-fi-was-defaced-by-hackers-the-only-casualty-was-the-truth/

💷 UK data watchdog confirms it's investigating MoneyGram data breach data breach – The UK's ICO is investigating MoneyGram following a reported data breach that caused significant operational downtime, affecting customer transactions and partnerships; details on the breach remain unclear. https://techcrunch.com/2024/09/27/uk-data-watchdog-confirms-investigating-moneygram-data-breach/

🖨️ CUPS flaws allow remote code execution on Linux systems under certain conditions vulnerability – A critical vulnerability in the CUPS printing system allows unauthenticated remote code execution on Linux systems. Researchers disclosed multiple flaws, urging users to disable the affected service as a temporary mitigation. https://securityaffairs.com/169001/hacking/cups-flaws-allow-rce-on-linux-systems.html

🤑 Irish Data Protection Commission fines Meta €91 million for passwords stored in plaintext privacy – The Irish Data Protection Commission fined Meta €91 million for violating GDPR by storing users' passwords in plaintext, following a 2019 investigation where Meta disclosed the issue to regulators. https://cyberscoop.com/meta-fined-passwords-plaintext-ireland-millions-users/

📷 Microsoft details security/privacy overhaul for Windows Recall ahead of relaunch security news – Microsoft is revamping its Recall feature for Windows after security concerns, making it opt-in, enhancing encryption, and requiring user re-authentication to access stored data. https://arstechnica.com/?p=2052960

---

Some More, For the Curious

🤔 The Cyber Resilience Act, an Accidental European Alien Torts Statute? security news – The Cyber Resilience Act may allow the EU to restrict tech sales based on fundamental rights violations, blending cybersecurity with accountability for international actions. https://www.lawfaremedia.org/article/the-cyber-resilience-act--an-accidental-european-alien-torts-statute

🚒 Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall security research – China's Great Firewall manipulates DNS responses, creating vulnerabilities for domains routed through Chinese infrastructure, risking attacks like subdomain takeovers and XSS. https://www.assetnote.io/resources/research/insecurity-through-censorship-vulnerabilities-caused-by-the-great-firewall

🐀 Move over, Cobalt Strike, there's a new post-exploit tool security research – Attackers are now using Splinter, a new post-exploitation tool capable of executing commands and stealing data, raising concerns for organizations despite being less advanced than Cobalt Strike. https://www.theregister.com/2024/09/23/splinter_red_team_tool/

💀 Necro Trojan infiltrates Google Play and Spotify and WhatsApp mods malware – The Necro Trojan has re-emerged, infecting popular apps on Google Play and modified versions of Spotify and WhatsApp, using techniques like steganography to evade detection and execute malicious activities. https://securelist.com/necro-trojan-is-back-on-google-play/113881/

🔂 Microsoft’s largest ever security transformation detailed in new report security news – Microsoft reveals its largest security overhaul, emphasizing a cultural shift towards security, with 34,000 engineers involved and new governance structures, following criticism of its previous security practices. https://www.theverge.com/2024/9/23/24251945/microsoft-security-report-secure-future-initiative

🤖 A generative artificial intelligence malware used in phishing attacks malware – HP researchers found malware generated by AI in a phishing attack that delivered AsyncRAT, highlighting how generative AI is making it easier for cybercriminals to create sophisticated threats. https://securityaffairs.com/168840/malware/generative-artificial-intelligence-malware.html

🤡 CrowdStrike exec apologizes in front of Congress over huge global IT outage security news – A CrowdStrike executive apologized to Congress for a faulty update that caused a massive IT outage affecting 8.5 million systems, outlining new measures to prevent future incidents. https://cyberscoop.com/crowdstrike-exec-apologizes-congressional-hearing-it-outage/

🎯 China-linked APT group Salt Typhoon compromised some U.S. internet service providers (ISPs) security news – The China-linked APT group Salt Typhoon has compromised several U.S. ISPs, aiming for intelligence gathering and potential cyberattacks, raising concerns about security in critical infrastructure. https://securityaffairs.com/168941/apt/salt-typhoon-china-linked-threat-actors-breached-us-isp.html

🏥 Senate bill eyes minimum cybersecurity standards for health care industry security news – Senators Wyden and Warner introduced the Health Infrastructure Security and Accountability Act to enforce mandatory cybersecurity standards in the health care sector following a ransomware attack on Change Healthcare. https://cyberscoop.com/minimum-cybersecurity-standards-health-care-wyden-warner-bill/

🔒 HPE patches three critical security holes in Aruba PAPI vulnerability – HPE has released urgent patches for three critical vulnerabilities in Aruba access points that allow unauthenticated attackers to execute code remotely, urging upgrades to affected systems. https://www.theregister.com/2024/09/26/hpe_aruba_patch_papi/

📏 NIST Recommends Some Common-Sense Password Rules security news – NIST's draft guidelines propose sensible password rules, including a minimum length of 8-15 characters, no mandatory complexity requirements, and no periodic changes unless compromised. https://www.schneier.com/blog/archives/2024/09/nist-recommends-some-common-sense-password-rules.html

⚠️ Critical Nvidia bug allows container escape, host takeover vulnerability – A critical vulnerability in Nvidia's Container Toolkit (CVE-2024-0132) allows attackers to escape containers and gain control of the host system, affecting 33% of cloud environments; fixes have been issued. https://www.theregister.com/2024/09/26/critical_nvidia_bug_container_escape/

⚖️ The Data Breach Disclosure Conundrum security news – The article discusses the complexities of data breach disclosure, emphasizing the legal and ethical obligations organizations have to notify affected individuals and the potential backlash from non-disclosure, highlighting examples like Deezer and Uber. https://www.troyhunt.com/the-data-breach-disclosure-conundrum/

---

CISA Corner

🛡️ Threat Actors Continue to Exploit OT/ICS through Unsophisticated Means securnty news – CISA warns that cyber threat actors exploit vulnerable OT/ICS devices using basic methods like default credentials and brute force attacks, urging operators to enhance their security measures. https://www.cisa.gov/news-events/alerts/2024/09/25/threat-actors-continue-exploit-otics-through-unsophisticated-means

📜 ASD’s ACSC, CISA, and US and International Partners Release Guidance on Detecting and Mitigating Active Directory Compromises security news – A joint guide by ASD ACSC and CISA offers strategies for organizations to detect and mitigate Active Directory compromises, crucial for securing enterprise IT networks against malicious actors. https://www.cisa.gov/news-events/alerts/2024/09/26/asds-acsc-cisa-and-us-and-international-partners-release-guidance-detecting-and-mitigating-active

🛠️ CISA Releases Eight Industrial Control Systems Advisories vulnerability – CISA has issued eight advisories highlighting vulnerabilities in various Industrial Control Systems, urging users to review them for important security updates and mitigations. https://www.cisa.gov/news-events/alerts/2024/09/24/cisa-releases-eight-industrial-control-systems-advisories 🛠️ CISA Releases Five Industrial Control Systems Advisories vulnerability – CISA has published five advisories addressing vulnerabilities in various Industrial Control Systems, urging users to review them for essential security updates and mitigations. https://www.cisa.gov/news-events/alerts/2024/09/26/cisa-releases-five-industrial-control-systems-advisories

⚠️ CISA Adds One Known Exploited Vulnerability to Catalog vulnerability – CISA has included CVE-2024-7593, an authentication bypass vulnerability in Ivanti Virtual Traffic Manager, in its Known Exploited Vulnerabilities Catalog due to active exploitation. https://www.cisa.gov/news-events/alerts/2024/09/24/cisa-adds-one-known-exploited-vulnerability-catalog

🔧 Citrix Releases Security Updates for XenServer and Citrix Hypervisor vulnerability – Citrix has issued security updates for XenServer and Citrix Hypervisor to fix vulnerabilities that could lead to denial of service attacks; users are urged to apply these updates. https://www.cisa.gov/news-events/alerts/2024/09/25/citrix-releases-security-updates-xenserver-and-citrix-hypervisor 🔒 Cisco Releases Security Updates for IOS and IOS XE Software vulnerability – Cisco's September 2024 advisory addresses vulnerabilities in IOS and IOS XE software that could allow cyber actors to take control of affected systems; users are advised to apply updates. https://www.cisa.gov/news-events/alerts/2024/09/26/cisco-releases-security-updates-ios-and-ios-xe-software

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

Country: People's Republic of China Organization: N/A Objective: Espionage (Page Last Updated: October 12, 2024)

Aliases:

• Earth Estries (Trend Micro)
• FamousSparrow (ESET, Fortinet)
• GhostEmperor (Kaspersky, Malpedia, Rapid7)
• Salt Typhoon Microsoft)
• UNC2286 (Mandiant)

Links to other groups

• DRBControl (PDF, Source: ESET)
• SparklingGoblin (subset of “Winnti” Source: ESET)
• Tropic Trooper (Source: Kaspersky)
  • Tropic Trooper (ETDA, Kaspersky, MITRE, Unit 42)
  • KeyBoy (Citizen Lab, Rapid7, formerly used by PwC)
  • Pirate Panda (Anomali, CrowdStrike)
• UNC4841 (Mandiant)

Vulnerabilities Exploited

• ProxyLogon (Sources: ESET, Kaspersky, Sygnia):
  • CVE-2021-26855 (9.8 critical, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26857 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26858 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-27065 (7.8 high, in CISA's KEV Catalog)
• unidentified Microsoft SharePoint and Oracle Opera business software vulnerabilities (Source: ESET)
• CVE-2017-11882 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office Memory Corruption Vulnerability Source: Trend Micro
• CVE-2012-0158 (8.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper, KeyBoy) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Unit 42, Citizen Lab
• CVE-2017-0199 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Citizen Lab
• CVE-2015-1641 (7.8 high, in CISA's KEV Catalog. Note: associated with alias KeyBoy) Microsoft Office Memory Corruption Vulnerability Source: Citizen Lab

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• October 11, 2024 – Washington Post: White House forms emergency team to deal with China espionage hack (news article)
• October 04, 2024 – Wall Street Journal: U.S. Wiretap Systems Targeted in China-Linked Hack (news article)
• September 25, 2024 – Wall Street Journal: China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack (news article)
• September 05, 2024 – Kaspersky: Tropic Trooper spies on government entities in the Middle East
• July 17, 2024 – Sygnia: The Return of Ghost Emperor's Demodex

2023

• August 30, 2023 – Trend Micro: Earth Estries Targets Government, Tech for Cyberespionage

2022

• February 28, 2022 – NCSC-UK: Malware Analysis Report: SparrowDoor (PDF)

2021

• December 14, 2021 – Trend Micro: Collecting In the Dark: Tropic Trooper Targets Transportation and Government (archive of dead link)
• September 30, 2021 – Kaspersky: GhostEmperor: From ProxyLogon to kernel mode
• September 23, 2021 – ESET: FamousSparrow: A suspicious hotel guest

2020

• May 12, 2020 – Trend Micro: Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments (archive of dead link)
• April 30, 2020 – Anomali: Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center

2018

• August 08, 2018 – Citizen Lab: Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
• March 14, 2018 – Trend Micro: Tropic Trooper’s New Strategy

2017

• November 16, 2017 – Lookout: Tropic Trooper Goes Mobile With Titan Surveillanceware
• February 11, 2017 – PwC: The KeyBoys are back in town (archive of dead link)

2016

• November 22, 2016 – Unit 42: Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
• November 17, 2016 – Citizen Lab: It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community

2015

• May 14, 2015 – Trend Micro: Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers (PDF)

2013

• June 13, 2013 – Cisco: Scope of 'KeyBoy' Targeted Malware Attacks
• June 07, 2013 – Rapid7: KeyBoy, Targeted Attacks against Vietnam and India (archive of dead link)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: People's Republic of China Organization: Integrity Technology Group Objective: Espionage, Information theft (Page last updated: October 13, 2024)

Aliases (sorted alphabetically):

• Ethereal Panda (CrowdStrike)
• Flax Typhoon (CFR, ETDA, FBI, Microsoft, Malpedia, NSA, NCSC-UK)
• RedJuliett (Recorded Future)
• Storm-0919 (previously used by Microsoft)

Associated Company

Integrity Technology Group (Integrity Tech) (Source: FBI (PDF)) aka Yongxin Zhicheng, 永信至诚

Vulnerabilities Exploited

Source: FBI

• CVE-2024-5217 (KEV)
• CVE-2024-4577 (KEV)
• CVE-2024-29973
• CVE-2024-29269
• CVE-2024-21762 (KEV)
• CVE-2023-50386
• CVE-2023-47218
• CVE-2023-46747 (KEV)
• CVE-2023-46604 (KEV)
• CVE-2023-43478
• CVE-2023-4166
• CVE-2023-38646
• CVE-2023-3852
• CVE-2023-38035 (KEV)
• CVE-2023-37582
• CVE-2023-36844 (KEV)
• CVE-2023-36542
• CVE-2023-35885
• CVE-2023-35843
• CVE-2023-3519 (KEV)
• CVE-2023-35081 (KEV)
• CVE-2023-34960
• CVE-2023-34598
• CVE-2023-3368
• CVE-2023-33510
• CVE-2023-30799
• CVE-2023-28771 (KEV)
• CVE-2023-28365
• CVE-2023-27997 (KEV)
• CVE-2023-27524 (KEV)
• CVE-2023-26469
• CVE-2023-25690
• CVE-2023-24229
• CVE-2023-23333
• CVE-2023-22527 (KEV)
• CVE-2023-22515 (KEV)
• CVE-2023-42475 (KEV)
• CVE-2022-40881
• CVE-2022-3590
• CVE-2022-31814
• CVE-2022-30525 (KEV)
• CVE-2022-26134 (KEV)
• CVE-2022-20707
• CVE-2022-1388 (KEV)
• CVE-2021-46422
• CVE-2021-45511
• CVE-2021-44228 (KEV)
• CVE-2021-36260 (KEV)
• CVE-2021-28799 (KEV)
• CVE-2021-20090 (KEV)
• CVE-2021-1473
• CVE-2021-1472
• CVE-2020-8515 (KEV)
• CVE-2020-4450
• CVE-2020-35391
• CVE-2020-3452 (KEV)
• CVE-2020-3451
• CVE-2020-15415
• CVE-2019-7256 (KEV)
• CVE-2019-19824
• CVE-2019-17621 (KEV)
• CVE-2019-12168
• CVE-2019-11829
• CVE-2018-18852
• CVE-2017-7876
• CVE-2015-7450 (KEV)

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• October 09, 2024: Natto Thoughts: Business Priorities of Chinese Cyber Range Providers Go Hand in Hand with State Cyber Capability Development
• September 25, 2024: Natto Thoughts: Flax Typhoon-Linked Company Integrity Technology: a Competitor, Business Partner and Client of i-SOON
• September 18, 2024: (ATTRIBUTION)
  • FBI: People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations (PDF)
  • NSA: NSA and Allies Issue Advisory about PRC-Linked Actors and Botnet Operations
  • U.S. Department of Justice: Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers
  • ASD ACSC: People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations (available as PDF)
  • NCSC-UK: NCSC and partners issue advice to counter China-linked campaign targeting thousands of devices
  • The Record: Company listed on Shanghai stock exchange accused of aiding Chinese cyberattacks (background information on Integrity Technology Group)
• June 24, 2024 – Recorded Future: Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation (available as PDF)
• April 04, 2024 – Microsoft: Same targets, new playbooks: East Asia threat actors employ unique methods (brief mention, no IOC)

2023

• September 23, 2023??? – SecurityScorecard: SecurityScorecard Identifies Possible Flax Typhoon Infrastructure
• August 24, 2023 – Microsoft: Flax Typhoon using legitimate software to quietly access Taiwanese organizations
• March 03, 2023 – CrowdStrike: 2023 Global Threat Report (PDF, page 29)

2022

• September 26, 2022 – Center for Security and Emerging Technology: Downrange: A Survey of China’s Cyber Ranges (PDF, page 8)

2020

• May 20, 2020?? – PRC Ministry of State Security: 前沿 | 网络靶场，未来安全的基础设施 (web archive of a MSS-run periodical reprinted on IntegrityTech's website, English translation: “Frontier | Cyber ​​Range, the secure infrastructure of the future”)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know.

---

Highlight

🚨 Akute Welle an DDoS-Angriffen gegen österreichische Unternehmen und Organisationen security news – Austrian organizations face DDoS attacks, likely linked to hacktivism. Companies should review their defenses and maintain offline contact info for emergencies. https://www.cert.at/de/aktuelles/2024/9/ddos-angriffe-september-2024

---

News For All

🗳️ Germany’s CDU still struggling with cyberattack fallout security news – Germany's CDU party is facing challenges restoring member data after a June cyberattack, risking its election processes. The restoration deadline has been pushed to November. https://www.theregister.com/2024/09/16/nein_luck_for_germanys_cdu/

🚫 Meta blocks RT and other Russian state media; Kremlin says it's 'unacceptable' security news – Meta bans Russian state media accounts, including RT, citing deceptive influence operations. The Kremlin calls this decision 'unacceptable' and complicates relations with the company. https://therecord.media/meta-bans-russian-state-owned-media-facebook-instagram

🔑 Google’s passkey syncing makes it easier to move on from passwords security news – Google enhances passkey support in Chrome, allowing users to sync passkeys across devices using a Password Manager PIN instead of QR codes, ensuring secure access with end-to-end encryption. https://www.theverge.com/2024/9/19/24248820/google-chrome-passkey-logins-device-sync-password-manager-pin

🐦‍🔥 No way? Big Tech's 'lucrative surveillance' of everyone is terrible for privacy, freedom privacy – The FTC's report reveals that major tech firms inadequately handle vast amounts of user data, particularly concerning children's privacy, and calls for comprehensive federal privacy regulations to address ongoing data extraction issues. https://www.theregister.com/2024/09/19/social_media_data_harvesting_handling_ftc/

🤔 Ever wonder how crooks get the credentials to unlock stolen phones? cybercrime – Law enforcement shut down iServer, a phishing-as-a-service platform that helped unlock over 1.2 million stolen phones by obtaining user credentials through phishing attacks, leading to multiple arrests. https://arstechnica.com/?p=2051165

🤳 Snapchat Reserves the Right to Use AI-Generated Images of Your Face in Ads privacy – Snapchat's 'My Selfie' feature can use users' likenesses in ads by default, unless opted out. The 'See My Selfie in Ads' option is enabled automatically. https://www.404media.co/snapchat-reserves-the-right-to-use-ai-generated-images-of-your-face-in-ads/

🔒 Discord launches end-to-end encrypted voice and video chats privacy – Discord introduces end-to-end encryption for voice and video calls, enhancing user privacy while maintaining content moderation for messages, which remain unencrypted. https://techcrunch.com/2024/09/17/discord-launches-end-to-end-encrypted-voice-and-video-chats/

🖼️ Instagram to bolster privacy and safety features for millions of teen users privacy – Instagram plans to enhance privacy for teen users by making accounts private, limiting content exposure, and implementing features to reduce social media addiction, amid growing regulatory pressure. https://therecord.media/instagram-bolster-privacy-security-teens-children-social-media

⚰️ Scam ‘Funeral Streaming’ Groups Thrive on Facebook cybercrime – Scammers exploit Facebook by creating fake funeral streaming groups, tricking users into providing credit card info. The scheme has expanded to various events, with ties to a group in Bangladesh. https://krebsonsecurity.com/2024/09/scam-funeral-streaming-groups-thrive-on-facebook/

💥 The Mystery of Hezbollah’s Deadly Exploding Pagers security news – Exploding pagers used by Hezbollah have killed 11 and injured nearly 2,800 in Lebanon. Experts suggest a supply chain compromise, not a cyberattack, may be responsible for the blasts. https://www.wired.com/story/pager-explosion-hezbollah/

💣 Walkie-Talkies Explode in New Attack on Hezbollah security news – Exploding two-way radios targeted Hezbollah members in Lebanon, causing multiple deaths and injuries, following a previous attack involving detonating pagers. Experts suspect deep supply chain infiltration by attackers. https://www.wired.com/story/walkie-talkie-explosions-hezbollah/

📱 Your Phone Won’t Be the Next Exploding Pager security news – Recent attacks using booby-trapped pagers and walkie-talkies against Hezbollah have raised concerns about supply chain security. However, modern smartphones are unlikely to be weaponized similarly due to manufacturing complexities. https://www.wired.com/story/exploding-pagers-hezbollah-phones/

📩 U.S. agencies say Iranian hackers tried to pass ‘non-public’ Trump campaign docs to Biden’s campaign security news – U.S. authorities revealed that Iranian hackers sent emails containing stolen Trump campaign information to Biden campaign associates, aiming to influence the 2024 election and stoke political discord. https://cyberscoop.com/iran-hackers-trump-campaign-emails-biden/

🛑 Project Analyzing Human Language Usage Shuts Down Because ‘Generative AI Has Polluted the Data’ security news – The Wordfreq project, which tracked language usage across various media, has been discontinued due to generative AI spam corrupting data quality, rendering the tool ineffective. https://www.404media.co/project-analyzing-human-language-usage-shuts-down-because-generative-ai-has-polluted-the-data/

🔐 D-Link addressed three critical RCE in wireless router models vulnerability – D-Link fixed three critical remote code execution vulnerabilities in WiFi 6 routers, allowing unauthorized access and control. Users are urged to update their firmware to mitigate risks. https://securityaffairs.com/168471/security/d-link-rce-wireless-router-models.html

👨‍💻 Ticketmaster boss who repeatedly hacked rival firm sentenced cybercrime – Stephen Mead, former Ticketmaster boss, was sentenced for hacking rival CrowdSurge, stealing sensitive data, and sharing credentials with colleagues. He faces a year of supervised release and fines. https://www.bitdefender.com/blog/hotforsecurity/ticketmaster-boss-who-repeatedly-hacked-rival-firm-sentenced/

🕵️‍♂️ US government expands sanctions against spyware maker Intellexa cybercrime – The U.S. imposes new sanctions on Intellexa executives linked to the spyware Predator, used to surveil targets including U.S. officials. This action continues efforts against the spyware industry. https://techcrunch.com/2024/09/16/us-government-expands-sanctions-against-spyware-maker-intellexa/

💼 Python Developers Targeted with Malware During Fake Job Interviews malware – The Lazarus Group targets Python developers with fake job interviews to install malware disguised as coding tests. This new tactic complements an ongoing campaign against the Python community. https://www.schneier.com/blog/archives/2024/09/python-developers-targeted-with-malware-during-fake-job-interviews.html

---

Some More, For the Curious

🩹 Recently patched Windows flaw CVE-2024-43461 was actively exploited as a zero-day before July 2024 security news – CVE-2024-43461, a recently patched Windows flaw, was exploited as a zero-day, allowing attackers to execute arbitrary code via malicious files. Users are urged to apply the latest updates. https://securityaffairs.com/168467/hacking/windows-cve-2024-43461-actively-exploited-before-july-2024.html

🔑 Secure Boot-neutering PKfail debacle is more prevalent than anyone knew security research – A supply chain failure involving non-production keys compromises Secure Boot protections across various devices, including ATMs and voting machines. The issue affects nearly 1,000 models and highlights significant security risks. https://arstechnica.com/?p=2050182

⚓ Rhysida ships off Port of Seattle data for $6M cybercrime – The Rhysida ransomware group claims to have stolen over 3 TB of data from the Port of Seattle, offering it for 100 Bitcoin. The Port confirmed the attack but refused to pay the ransom. https://www.theregister.com/2024/09/17/rhysida_port_of_seattle/

💸 AT&T agrees to $13 million fine for third-party cloud breach data breach – AT&T settles with the FCC for $13 million over a January 2023 breach affecting 8.9 million customers due to lapses by a third-party vendor, leading to enhanced data protection measures. https://cyberscoop.com/att-agrees-to-13-million-dollar-fcc-fine/

⛓️‍💥 US government 'took control' of a botnet run by Chinese government hackers, says FBI director security news – The FBI seized a botnet of 260,000 devices operated by the Chinese hacking group Flax Typhoon, targeting critical infrastructure in the U.S. and abroad. Malware was removed from compromised devices. https://techcrunch.com/2024/09/18/u-s-government-took-control-of-a-botnet-run-by-chinese-government-hackers-says-fbi-director/

🧅 Tor insists its safe after cops convict CSAM site admin privacy – The Tor Project defends its anonymity after reports of German police using timing analysis to identify users, asserting that vulnerabilities in outdated software, not flaws in Tor, were exploited. https://www.theregister.com/2024/09/19/tor_police_germany/

🧘 SIEM for Small and Medium-Sized Enterprises: What you need to know cyber defense – SMEs are frequent cybercrime targets, with 73% experiencing attacks in 2023. SIEM solutions can enhance their security posture affordably, providing threat detection, compliance, and automated incident response. https://securityaffairs.com/168584/security/siem-sbms-enterprises.html

👻 International law enforcement operation dismantled criminal communication platform Ghost cybercrime – A global law enforcement operation infiltrated the encrypted messaging app Ghost, leading to numerous arrests, including its alleged administrator, and disrupting serious organized crime activities. https://securityaffairs.com/168575/cyber-crime/police-dismantled-criminal-communication-platform-ghost.html

🐡 This Windows PowerShell Phish Has Scary Potential – Krebs on Security security news – A new phishing email targeting GitHub users tricks victims into executing malware via PowerShell by posing as a security alert. The scam poses a significant risk to less tech-savvy Windows users. https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary-potential/

🔄 UnitedHealth Group CISO: We had to ‘start over’ after Change Healthcare attack security news – Following a ransomware attack on Change Healthcare, UnitedHealth Group's CISO revealed they had to completely overhaul their IT systems. The recovery involved long hours and focused communication with stakeholders. https://cyberscoop.com/unitedhealth-group-steven-martin-ciso-ransomware-attack-recovery/

🔘 Germany shuts down 47 cryptocurrency exchange services used by cybercriminals cybercrime – German law enforcement has shut down 47 unregistered cryptocurrency exchange services used for money laundering by cybercriminals, seizing extensive user and transaction data to aid investigations. https://therecord.media/germany-cryptocurrency-exchanges-shut-down-money-laundering

🧮 Secret calculator hack brings ChatGPT to the TI-84, enabling easy cheating hacking write-up – A YouTuber modified a TI-84 calculator to access ChatGPT via the internet, allowing students to cheat by receiving answers during tests. The hack includes a custom circuit and software for various cheating tools. https://arstechnica.com/?p=2051342

💻 Hacker behind Snowflake customer data breaches remains active cybercrime – The hacker known as 'Judische' remains active, targeting SaaS providers following the April Snowflake data breach affecting 165 customers. He has reportedly extorted up to $2.7 million. https://cyberscoop.com/snowflake-hacker-judische-labscon-2024/

---

CISA Corner

⚠️ CISA Adds Two Known Exploited Vulnerabilities to Catalog vulnerability – CISA identifies two actively exploited vulnerabilities in Microsoft Windows and Progress WhatsUp Gold, urging federal agencies to address these risks promptly to enhance security. https://www.cisa.gov/news-events/alerts/2024/09/16/cisa-adds-two-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds Four Known Exploited Vulnerabilities to Catalog vulnerability – CISA includes four Adobe Flash Player vulnerabilities in its catalog, highlighting their active exploitation and urging federal agencies to remediate them to mitigate risks. https://www.cisa.gov/news-events/alerts/2024/09/17/cisa-adds-four-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds Five Known Exploited Vulnerabilities to Catalog vulnerability – CISA adds five vulnerabilities, including issues in Apache, Microsoft, and Oracle products, to its catalog, warning of their exploitation and urging federal agencies to act swiftly. https://www.cisa.gov/news-events/alerts/2024/09/18/cisa-adds-five-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds One Known Exploited Vulnerability to Catalog vulnerability – CISA adds Ivanti's path traversal vulnerability to its catalog, highlighting its active exploitation and urging federal agencies to address this significant security risk promptly. https://www.cisa.gov/news-events/alerts/2024/09/19/cisa-adds-one-known-exploited-vulnerability-catalog

🛠️ CISA Releases Three Industrial Control Systems Advisories warning – CISA issues advisories for Siemens, Millbeck, and Yokogawa ICS, highlighting vulnerabilities and urging users to review for technical details and mitigation strategies. https://www.cisa.gov/news-events/alerts/2024/09/17/cisa-releases-three-industrial-control-systems-advisories 🛠️ CISA Releases Six Industrial Control Systems Advisories warning – CISA issues six advisories on vulnerabilities in various ICS products, urging users to review the details and implement necessary mitigations to enhance security. https://www.cisa.gov/news-events/alerts/2024/09/19/cisa-releases-six-industrial-control-systems-advisories

🍏 Apple Releases Security Updates for Multiple Products security news – Apple's latest security updates fix vulnerabilities that could allow cyber attackers to take control of devices. Users are urged to review and apply these updates promptly. https://www.cisa.gov/news-events/alerts/2024/09/18/apple-releases-security-updates-multiple-products ☁️ VMware Releases Security Advisory for VMware Cloud Foundation and vCenter Server security news – VMware's advisory highlights vulnerabilities in Cloud Foundation and vCenter Server that could allow attackers to gain control. Users are advised to review and apply updates immediately. https://www.cisa.gov/news-events/alerts/2024/09/19/vmware-releases-security-advisory-vmware-cloud-foundation-and-vcenter-server 🔒 Ivanti Releases Admin Bypass Security Update for Cloud Services Appliance security news – Ivanti addresses an admin bypass vulnerability in its Cloud Services Appliance, urging users to upgrade to the latest version due to confirmed limited exploitation risks. https://www.cisa.gov/news-events/alerts/2024/09/19/ivanti-releases-admin-bypass-security-update-cloud-services-appliance 🔍 Versa Networks Releases Advisory for a Vulnerability in Versa Director, CVE-2024-45229 security news – Versa Networks warns of a vulnerability in Versa Director that allows unauthorized access to REST APIs. Organizations are urged to update systems and monitor for malicious activity. https://www.cisa.gov/news-events/alerts/2024/09/20/versa-networks-releases-advisory-vulnerability-versa-director-cve-2024-45229

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

• Salt's GoFundMe: https://www.gofundme.com/f/cgcgn5-camp-fundraiser
• Anti-SAlt Posters: https://drive.proton.me/urls/55JRBZ0BBW#JuYQblTc5jab
• De-recruitment handout: https://docs.google.com/document/d/1WD-lbyFWccThT4SSSztWp7yV2gvGtrgMZFzHEuv4rag/edit
• General explainer: https://docs.google.com/document/d/1L8EFM4XRMSxH0Lpn_Zwtc91x41kjUWksdxguhPvEm3s/edit
• QUT and UQU deregistration petition: https://www.change.org/p/protect-students-from-socialist-alternative-s-abusive-practices

Para quem inicia no Mastodon aqui vão algumas explicações sobre a importância que as hashtags possuem.

A hashtag é uma palavra ou frase que, uma vez precedida pelo símbolo de cerquilha (#), sem espaços, transforma-se em uma etiqueta ou rótulo, na forma de um hiperlink que leva para uma página com outras publicações relacionadas ao mesmo tema.

No Mastodon, bem como em toda federação ActivityPub, a compreensão de suas funcionalidades é essencial, inclusive por questões de acessibilidade.

Barra de pesquisa do Mastodon

Por motivos técnicos de privacidade o Mastodon foi inicialmente desenhado para permitir apenas as seguintes formas de busca:

1. Por hashtags (#exemplo);
2. Pessoas (@nomedousuário@domínio);
3. URL (links) de perfis e de posts;

Atualmente o mastodon permite a busca por texto simples, mas para que as postagens dos usuários se tornem visíveis é necessário que optem por isso (então se você quer que o texto de suas postagens públicas sejam vistos na busca, acesse as configurações de sua conta e marque para permitir essa opção).

A pesquisa por hashtags é precisa e abrange todas as pessoas de instâncias federadas à sua, independentemente de você seguir a pessoa ou não, e sem a influência de qualquer algoritmo.

Note também que você pode seguir uma hashtag, caso seja um assunto do seu interesse, clicando no botão destacado acima. Quando você segue uma hashtag, todas as postagens das pessoas pertencentes à sua instância ou das instâncias federadas à sua, independentemente ou não de você segui-las, que contenham essa hashtag, serão exibidas na sua página inicial.

Usando Hashtags e Noções de Respeito

As hashtags, portanto, devem ter um # no início e não podem ter alguns caracteres especiais no início e no meio (ponto, espaço, arroba, asterisco, etc.).

O sistema de hashtags atualmente não diferencia a acentuação e alguns caracteres especiais que são permitidos, como o (ç), por exemplo, de modo que as hashtags #política e #politica (sem acento no i) ou #paçoca e #pacoca, são unificadas pela busca da plataforma.

Se você deseja pesquisar uma frase, digite tudo como uma palavra, como #CatsOfMastodon.

Se você deseja que sua postagem seja encontrada com mais facilidade nas pesquisas, inclua muitas hashtags relevantes. Não há problema em usar muitas dessas etiquetas, as pessoas entendem que são necessárias nesse tipo de sistema de busca.

Ademais, o uso das Hashtags devem respeitar uma relevante questão de acessibilidade. Existem muitos usuários cegos no Mastodon e no Fediverso que usam leitores de tela para converter texto em áudio.

Portanto, ao postar hashtags, existe uma formatação correta, que consiste no uso do método chamado de CamelCase (onde cada palavra começa com uma letra maiúscula), por exemplo #CatsOfMastodon em vez de #catsofmastodon. As letras maiúsculas permitem que os aplicativos de leitura de tela separem as palavras corretamente e leiam a hashtag em voz alta corretamente.

Aliás, é importante mencionar uma hashtag super relevante do universo Mastodon, a famosa #Alt4Me.

Quando uma imagem de uma postagem não possui descrição e há a hashtag #Alt4Me adicionada a ela pela pessoa que a postou, isso pode significar que o autor da postagem não consegue adicionar uma descrição (por exemplo, devido a uma deficiência), mas esteja ciente de que é necessário, então ele adicionou a etiqueta preventivamente.

A hashtag #Alt4Me geralmente significa que uma pessoa cega quer que você escreva uma descrição da imagem. Responda à postagem com a hashtag e forneça a descrição.

Note que a sistemática de hashtags não faz distinção se as palavras estão em caixa alta ou caixa baixa, portanto, #CatsOfMastodon ou #catsofmastodon são exatamente a mesma coisa para fins de pesquisa, de modo que o único diferencial em seguir o “CamelCase” está em propiciar um ambiente mais acessível às pessoas cegas, que deve ser respeitado.

Hashtags e filtros

Outra funcionalidade importante das hashtags é que elas permitem às pessoas que não querem ver postagens relacionadas a determinado assunto ou tema, que utilizem um filtro cuja função é tornar esses posts invisíveis, sem a necessidade de silenciar, bloquear ou deixar de seguir um usuário.

Ao utilizar o Mastodon é muito importante que você compreenda que se trata de uma rede social que recebe e acolhe pessoas que vieram de outras redes sociais, de propriedade capitalista, buscando um ambiente menos tóxico.

Sendo assim, existem temas que devem ser rotulados pelas hashtags não só para facilitar que pessoas interessadas os encontrem, mas também para permitir que pessoas que se incomodam com eles os filtrem.

Vamos usar como exemplo o caso do futebol. Eu adoro o esporte, tenho meu time de coração (Flamengo) mas convenhamos que há pessoas que não veem a menor graça e, ademais, existe uma “cultura do futebol” em nosso País, que é extremamente problemática, incluindo violência entre torcidas, machismo, homofobia e racismo.

Não custa nada, portanto, incluir a hashtag #futebol em suas postagens sobre o tema, ou outras em temas sensíveis, como #PolíticaPartidária.

Evidentemente você também tem a ferramenta dos avisos de conteúdo, mas acho a hashtag mais eficiente, pelo fato de permitir que os interessados encontrem a postagem, bem como os desinteressados a tornem completamente invisível sem sequer a necessidade de ler o aviso de conteúdo sobre o tema.

Aqui explico, portanto, como filtrar as hashtags.

No menu lateral vá em Preferências > Filtros e depois clique em Adicionar Filtro. Abrirá a seguinte tela:

O título do filtro, indicado pela seta vermelha, como o nome diz, é apenas um título, para te ajudar a encontrar o filtro em sua lista de filtros.

A seta verde indica o tempo de validade do filtro (que pode ser permanente, como visto no exemplo). Às vezes você não se importa em visualizar algo sobre futebol ou política, mas durante os jogos ou durante o período eleitoral, você não quer ser inundado de postagens sobre o tema, de modo que pode criar um filtro com duração provisória.

Em “Contextos do filtro” (retângulo rosa) você escolhe onde o filtro vai exercer sua função de ocultar mensagens, no exemplo dado marquei a opção de ocultar as postagens da página inicial e das linhas públicas, mas você pode fazer uma filtragem mais severa, se preferir, filtrando perfis de usuário e conversas.

Em “Filter action” você pode escolher se a postagem filtrada vai ser indicada para você com um aviso ou se ela desaparecerá completamente sem qualquer notificação, como se a postagem jamais tivesse existido.

Em “Palavra-chave ou frase”, indicado pela seta amarela na parte de baixo, você digita a hashtag que quer filtrar.

Após Salvar Novo Filtro, conforme o botão indicado pela seta azul, você não irá visualizar qualquer postagem em sua linha do tempo ou nas linhas públicas que contenham a hashtag selecionada (no caso do nosso exemplo: #futebol).

Você pode adicionar quantos filtros desejar.

Essas eram as minhas considerações a respeito das hashtags. Espero que aproveitem bastante e criem muitas hashtags interessantes no universo brasileiro do Mastodon.

#Hashtag #MastoDicas #Mastodon #Tutorial

A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know.

---

News For All

🕸️ Google’s dark web monitoring service will soon be free for all users privacy – Google is making its dark web monitoring service available for all users, enhancing privacy protection by alerting individuals to potential leaks of their personal information. https://www.theverge.com/2024/7/9/24194970/google-one-free-dark-web-monitoring

🧞‍♀️ What You Need to Know About Grok AI and Your Privacy privacy – Grok AI, integrated with X, raises privacy concerns by automatically using user data for training. Users can opt out, but awareness of data sharing settings is crucial for protecting privacy. https://www.wired.com/story/grok-ai-privacy-opt-out/

🚗 Thousands of Avis car rental customers had personal data stolen in cyberattack data breach – Avis has reported a cyberattack affecting nearly 300,000 customers, with stolen data including names, addresses, and driver’s license numbers. The breach raises concerns about data security practices. https://techcrunch.com/2024/09/09/thousands-of-avis-car-rental-customers-had-personal-data-stolen-in-cyberattack/

💳 1.7M potentially pwned by payment services provider breach data breach – Slim CD has notified around 1.7 million customers of a data breach affecting credit card information and personal details, detected nearly a year after the initial intrusion. https://www.theregister.com/2024/09/09/slim_cd_breach/

📢 Ford seeks patent for tech that listens to driver conversations to serve ads privacy – Ford is pursuing a patent for technology that tailors in-car ads by listening to conversations and analyzing vehicle data, raising privacy concerns over data protection measures. https://therecord.media/ford-patent-application-in-vehicle-listening-advertising

1️⃣ WhatsApp 'View Once' could be 'View Whenever' due to a flaw security news – A flaw in WhatsApp's 'View Once' feature allows recipients to bypass privacy controls, enabling media to be saved and shared despite intended restrictions. A fix is reportedly in progress. https://www.theregister.com/2024/09/09/whatsapp_view_once_flaw/

💸 Crypto scams rake in $5.6B a year for lowlifes, FBI says cybercrime – The FBI reports that crypto-related scams cost Americans over $5.6 billion in 2023, with a sharp rise in investment scams targeting older individuals. Victims often lose money to fraudulent schemes and recovery scams. https://www.theregister.com/2024/09/10/crypto_scams_rake_in_56/

🚫 In Wake of Durov Arrest, Some Cybercriminals Ditch Telegram cybercrime – Following the arrest of Telegram's founder, many cybercriminals are abandoning the platform over fears that user data may be shared with authorities, impacting their operations. https://www.404media.co/in-wake-of-durov-arrest-some-cybercriminals-ditch-telegram/

💔 You paid the ransom, and now the decryptor doesn't work security news – Organizations paying ransoms for Hazard ransomware found that the provided decryptor failed to work, highlighting the risks of relying on criminals for data recovery post-breach. https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/

💵 TD Bank fined $28 million for sharing inaccurate and negative data on customers privacy – TD Bank has been fined $28 million by the CFPB for sharing incorrect negative data about customers, harming their ability to obtain credit and employment. Nearly $8 million will go to affected consumers. https://therecord.media/td-bank-fined-28-million-cfpb-data-sharing

🚨 Stalker Allegedly Created AI Chatbot on NSFW Platform to Dox and Harass Woman cybercrime – A Massachusetts man, James Florence Jr., was arrested for stalking and harassing a professor for seven years, using AI to create fake nudes and chatbots that shared her personal information online. https://www.404media.co/stalker-allegedly-created-ai-chatbot-on-nsfw-platform-to-dox-and-harass-woman/

🏥 Healthcare giant settles patient data theft lawsuit for $65M data breach – Lehigh Valley Health Network will pay $65 million to settle a lawsuit after a ransomware attack by the ALPHV gang exposed sensitive data, including nude photographs of patients. https://www.theregister.com/2024/09/12/lvhn_lawsuit_ransom/

🚔 British teen arrested over cyberattack on London transportation agency security news – A 17-year-old was arrested for a cyberattack on Transport for London, which compromised customer data including names and bank details. The agency continues to address the ongoing security incident. https://cyberscoop.com/british-teen-arrested-over-cyberattack-on-london-transportation-agency/

📺 Vo1d malware infected 1.3M Android malware – The Vo1d malware has infected 1.3 million Android TV boxes across 197 countries, acting as a backdoor to allow secret software installations, primarily targeting devices with outdated OS versions. https://securityaffairs.com/168342/malware/vo1d-android-malware-tv-boxes.html

🚸 Tennessee school district loses $3.4 million to a fake curriculum vendor cybercrime – A Tennessee school district lost $3.36 million after an employee was tricked by a fraudulent email impersonating Pearson, leading to unauthorized wire transfers for online curriculum materials. https://therecord.media/tennessee-school-district-loses-3-million-bec-scam

💰 23andMe agrees to pay $30 million to settle lawsuit over massive data breach data breach – 23andMe will pay $30 million to settle a class-action lawsuit stemming from a 2023 data breach that exposed over 6.9 million customers, particularly targeting users with specific heritage. https://www.theverge.com/2024/9/13/24243986/23andme-settlement-dna-data-breach-lawsuit

🔍 Yubikey Key Vulnerability – How It Affects You vulnerability – Yubico's new vulnerability may allow key extraction but requires physical access and a PIN. Most users are safe, though high-security organizations should reconsider attestation trust. https://fy.blackhats.net.au/blog/2024-09-09-yubikey-key-vulnerability/

---

Some More, For the Curious

🦁 Predator spyware operation is back with a new infrastructure cybercrime – Researchers report a resurgence of Predator spyware, utilizing new infrastructure to evade detection after U.S. sanctions against its developers. The spyware poses significant risks to high-profile targets. https://securityaffairs.com/168222/intelligence/predator-spyware-new-infrastructure.html

📡 Gap Computers by Spelling Covert Radio Signals from Computer RAM security research – This research reveals how malware can leak sensitive data from air-gapped computers by emitting covert radio signals. https://arxiv.org/abs/2409.02292

🔧 Zero Day Initiative — The September 2024 Security Update Review security news – September updates from Adobe and Microsoft address multiple critical vulnerabilities across various products, including code execution and security feature bypasses, highlighting urgent patching needs. https://www.thezdi.com/blog/2024/9/10/the-september-2024-security-update-review

🛡️ Taking steps that drive resiliency and security for Windows customers security news – At a recent summit, Microsoft and security vendors discussed enhancing Windows endpoint security and resilience, emphasizing collaboration and transparency to combat modern threats effectively. https://blogs.windows.com/windowsexperience/2024/09/12/taking-steps-that-drive-resiliency-and-security-for-windows-customers/

📊 CISA Releases Analysis of FY23 Risk and Vulnerability Assessments security research – CISA's latest analysis reveals insights from 143 Risk and Vulnerability Assessments, illustrating attack paths and mapping threat actor behaviors to the MITRE ATT&CK® framework. https://www.cisa.gov/news-events/alerts/2024/09/13/cisa-releases-analysis-fy23-risk-and-vulnerability-assessments

©️ New Chrome Zero-Day vulnerability – Microsoft researchers report that North Korean hackers are exploiting a Chrome zero-day vulnerability to steal cryptocurrency, highlighting ongoing security risks. https://www.schneier.com/blog/archives/2024/09/new-chrome-zero-day.html

📍 Rogue WHOIS server gives researcher superpowers no one should ever have security research – Security researcher Benjamin Harris exploited a defunct WHOIS server, gaining the ability to issue counterfeit HTTPS certificates and track emails, raising concerns about misplaced trust in the WHOIS system. https://arstechnica.com/?p=2048683

🔑 As quantum computing threats loom, Microsoft updates its core crypto library security news – Microsoft has updated its SymCrypt library with two new encryption algorithms designed to resist quantum computing attacks, marking the beginning of a major overhaul to enhance cryptographic security. https://arstechnica.com/?p=2049244

🔮 Mastercard buys Recorded Future for $2.65 billion security news – Mastercard has announced its acquisition of cybersecurity firm Recorded Future for $2.65 billion, aiming to enhance its cybersecurity services and threat intelligence capabilities. https://cyberscoop.com/mastercard-buys-recorded-future/

👺 Monitoring High Risk Azure Logins cyber defense – After a potential business email compromise, the SOC investigated high-risk logins via Azure AD Identity Protection, focusing on user behavior and multi-factor authentication to detect compromised accounts. https://www.blackhillsinfosec.com/monitoring-high-risk-azure-logins/

🗣️ Microsoft is building new Windows security features to prevent another CrowdStrike incident security news – Microsoft plans to enhance Windows security features following a CrowdStrike incident that affected millions of systems, aiming to move security vendors out of the Windows kernel for better reliability. https://www.theverge.com/2024/9/12/24242947/microsoft-windows-security-kernel-access-features-crowdstrike

🧱 Fortinet confirms customer data breach data breach – Fortinet has confirmed a data breach affecting less than 0.3% of its customers, with files accessed from a third-party cloud drive, potentially impacting around 1,500 corporate clients. https://techcrunch.com/2024/09/13/fortinet-confirms-customer-data-breach/

⚖️ ‘Terrorgram’ Charges Show US Has Had Tools to Crack Down on Far-Right Terrorism All Along security news – The indictment of two members of the Terrorgram Collective reveals a shift in U.S. law enforcement's approach to far-right terrorism, utilizing a rarely applied legal strategy to address violent extremism and inspire future attacks. https://www.wired.com/story/terrorgram-collective-indictments/

👉 US accuses RT, others of covert arms dealing, global influence operations security news – The U.S. has sanctioned RT for operating a crowdfunding site that allegedly funneled weapons to Russian soldiers, revealing ties to Russian intelligence and efforts to influence global elections. https://cyberscoop.com/rt-arms-dealing-global-influence-operations/

⚓ Port of Seattle refuses to pay Rhysida ransom, warns of data leak cybercrime – The Port of Seattle declined to pay a ransom to the Rhysida ransomware group, which caused disruptions at the airport and seaport, warning of potential data leaks while restoring affected systems. https://therecord.media/seattle-port-rhysida-ransom-refused

💣 A Creative Trick Makes ChatGPT Spit Out Bomb-Making Instructions security research – An artist tricked ChatGPT into providing bomb-making instructions by framing the request within a science-fiction narrative, exploiting the AI's storytelling context to bypass safety restrictions. https://www.wired.com/story/chatgpt-jailbreak-homemade-bomb-instructions/

---

CISA Corner

⚠️ CISA Adds Three Known Exploited Vulnerabilities to Catalog vulnerability – CISA has added three vulnerabilities to its catalog, highlighting risks to federal networks due to active exploitation. Agencies must address these threats to enhance cybersecurity. https://www.cisa.gov/news-events/alerts/2024/09/09/cisa-adds-three-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds Four Known Exploited Vulnerabilities to Catalog vulnerability – CISA has added four new Microsoft vulnerabilities to its catalog, highlighting serious risks due to active exploitation and urging federal agencies to address them promptly. https://www.cisa.gov/news-events/alerts/2024/09/10/cisa-adds-four-known-exploited-vulnerabilities-catalog ⚠️ CISA Adds One Known Exploited Vulnerability to Catalog vulnerability – CISA has included a new Ivanti vulnerability in its catalog, emphasizing the significant risks it poses to federal networks due to active exploitation. https://www.cisa.gov/news-events/alerts/2024/09/13/cisa-adds-one-known-exploited-vulnerability-catalog

🏭 CISA Releases Four Industrial Control Systems Advisories warning – CISA has issued four advisories addressing vulnerabilities in Industrial Control Systems, urging users to review them for crucial security information and mitigation strategies. https://www.cisa.gov/news-events/alerts/2024/09/10/cisa-releases-four-industrial-control-systems-advisories

🆙 Citrix Releases Security Updates for Citrix Workspace App for Windows vulnerability – Citrix has issued security updates for its Workspace App for Windows to fix multiple vulnerabilities that could allow attackers to take control of affected systems. https://www.cisa.gov/news-events/alerts/2024/09/10/citrix-releases-security-updates-citrix-workspace-app-windows 🆙 Ivanti Releases Security Updates for Endpoint Manager, Cloud Service Application, and Workspace Control vulnerability – Ivanti has released updates to fix multiple vulnerabilities in its Endpoint Manager and Cloud Service Application, which could potentially allow attackers to take control of affected systems. https://www.cisa.gov/news-events/alerts/2024/09/10/ivanti-releases-security-updates-endpoint-manager-cloud-service-application-and-workspace-control

---

While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.

Country: Islamic Republic of Iran Organization: Ministry of Intelligence and Security (MOIS) Objective: Espionage, Sabotage (Page last updated October 12, 2024)

Aliases (sorted alphabetically):

• APT34 (Check Point Research, FireEye, Intezer, NSA, NSFOCUS, Trend Micro)
• CHRYSENE (Dragos)
• Cobalt Gypsy (Secureworks) (primary)
• Cobalt Lyceum (Secureworks)
• Crambus (Symantec)
• Earth Simnavaz (Trend Micro)
• Europium (previously used by Microsoft)
• Greenbug (ClearSky, Symantec)
• Hazel Sandstorm (Microsoft)
• Helix Kitten (CrowdStrike, Wikipedia)
• HEXANE (Dragos) (linked to Lyceum by Kaspersky)
• ITG13 (IBM)
• Lyceum (Kaspersky, Secureworks)
• OilRig (ClearSky, Cyble, EDTA, ESET, Kaspersky, Malpedia, MITRE, Unit 42)
• TA452 (Proofpoint)
• TG-2889 (formerly used by Secureworks)
• Yellow Maero (PwC

Sub-group:

• DEV-0842 (Microsoft) / Void Manticore (Check Point Research)
• DEV-0861 (Microsoft) / Scarred Manticore (Check Point Research) / UNC1860 (Mandiant)
• DEV-0166 (Microsoft) / IntrudingDivisor (Unit 42)
• DEV-0133 (Microsoft)

Known Associates

• Mojtaba Mostafavi. Source: U.S. Treasury (linked by PwC, via Lab Dookhtegan leaks)
• Farzin Karimi Mazlganchai: PwC

Vulnerabilities Exploited

• CVE-2024-30088, (CVSS3v1: 7.0 high) Windows Kernel Elevation of Privilege Vulnerability Source: Trend Micro
• CVE-2019-0604 (CVE, NVD. CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Microsoft SharePoint Remote Code Execution Vulnerability Source: Microsoft
• CVE-2017-11882 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Mandiant
• CVE-2017-0199 (CVE, NVD, CVSS3v1: 7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Unit 42

Tactics, Techniques, and Procedures (TTPs)

• Enterprise TTPs mapped to MITRE ATT&CK Navigator Layers
• Industrial Control System (ICS) TTPs mapped to MITRE ATT&CK Navigator Layers

Known Tools Used

As listed by MITRE

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• October 11, 2024 – Trend Micro: Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions
• September 19, 2024 – Mandiant: UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks
• September 11, 2024 – Check Point Research: Targeted Iranian Attacks Against Iraqi Government Infrastructure
• May 20, 2024 – Check Point Research: Bad Karma, No Justice: Void Manticore Destructive Activities in Israel

2023

• December 20, 2023 – Security Scorecard: A detailed analysis of the Menorah malware used by APT34
• December 14, 2023 – ESET: OilRig’s persistent attacks using cloud service-powered downloaders
• October 31, 2023 – Check Point Research: From Albania to the Middle East: The Scarred Manticore is Listening (AFFILIATED WITH MOIS)
• October 19, 2023 – Symantec: Crambus: New Campaign Targets Middle Eastern Government
• September 29, 2023 – Trend Micro: APT34 Deploys Phishing Attack With New Malware
• September 21, 2023 – ESET: OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
• August 30, 2023 – NSFOCUS: APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
• May 09, 2023 – ESET: ESET APT Activity Report Q4 2022­–Q1 2023, specifically on page 8 in PDF (PDF)
• May 08, 2023 – Kaspersky: Kaspersky experts warn of increased IT supply chain attacks by OilRig APT in the Middle East and Turkiye
• February 02, 2023 – Trend Micro: New APT34 Malware Targets The Middle East

2022

• September 08, 2022 – Microsoft: Microsoft investigates Iranian attacks against the Albanian government (ATTRIBUTION TO MOIS)
• May 10, 2022 – Malwarebytes: APT34 targets Jordan Government using new Saitama backdoor

2021

• October 18, 2021 – Kaspersky: Lyceum group reborn
• April 08, 2021 – Check Point Research: Iran’s APT34 Returns with an Updated Arsenal

2020

• July 22, 2020 – Unit 42: OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
• May 19, 2020 – Symantec: Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
• March 02, 2020 – Telsy: APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants
• January 30, 2020 – Intezer: New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset

2019

• December 17, 2019 – Kaspersky: OilRig’s Poison Frog – old samples, same trick
• December 04, 2019 – IBM: New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
• November 09, 2019 – NSFOCUS: APT34 Event Analysis Report
• October 21, 2019 – National Security Agency: Turla Group Exploits Iranian APT To Expand Coverage Of Victims (PDF)
• August 27, 2019 – Secureworks: LYCEUM Takes Center Stage in Middle East Campaign
• July 18, 2019 – FireEye: Hard Pass: Declining APT34's Invite to Join Their Professional Network
• July 16, 2019 – BGD e-GOV CIRT (Bangladesh): [DNSPIONAGE] – FOCUS ON INTERNAL ACTIONS
• May 15, 2019 – Proofpoint: Threat Actor Profile: TA542, From Banker to Malware Distribution Service
• May 06, 2019 – NSFOCUS: Analysis of File Disclosure by APT34
• April 30, 2019 – Unit 42: Behind the Scenes with OilRig
• April 16, 2019 – Unit 42: DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling

2018

• November 27, 2018 – Cisco Talos: DNSpionage Campaign Targets Middle East (attributed by FireEye on July 18, 2019)
• November 16, 2018 – Unit 42: Analyzing OilRig's Ops Tempo from Testing to Weaponization to Delivery
• September 12, 2018 – Unit 42: OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
• September 04, 2018 – Unit 42: OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
• July 25, 2018 – Unit 42: OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
• February 23, 2018 – Unit 42: OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
• February 23, 2018 – Booz Allen: Researchers Discover New variants of APT34 Malware
• January 25, 2018 – Unit 42: OilRig uses RGDoor IIS Backdoor on Targets in the Middle East

2017

• December 15, 2017 – Unit 42: Introducing the Adversary Playbook: First up, OilRig
• December 11, 2017 – Unit 42: OilRig Performs Tests on the TwoFace Webshell
• December 07, 2017 – FireEye: New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
• November 08, 2017 – Unit 42: OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
• October 24, 2017 – ClearSky: Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
• October 09, 2017 – Unit 42: OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
• September 26, 2017 – Unit 42: Striking Oil: A Closer Look at Adversary Infrastructure
• August 28, 2017 – ClearSky: Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
• July 27, 2017 – Unit 42: OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
• July 27, 2017 – Secureworks: The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets
• April 27, 2017 – Unit 42: OilRig Actors Provide a Glimpse into Development and Testing Efforts
• March 31, 2017 – LogRhythm Labs: OilRig Campaign Analysis (PDF, TLP:WHITE)
• February 15, 2017 – Secureworks: Iranian PupyRAT Bites Middle Eastern Organizations
• January 05, 2017 – ClearSky: Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford

2016

• October 04, 2016 – Unit 42: OilRig Malware Campaign Updates Toolset and Expands Targets
• May 26, 2016 – Unit 42: The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor

2015

• October 07, 2015 – Secureworks: Hacker Group Creates Network of Fake LinkedIn Profiles

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: People's Republic of China Organization: Loosely connected private contractors operating on behalf of China’s Ministry of State Security (MSS). Some have worked at Chengdu 404 Network Technology Objective: Espionage, Information theft, Financial crime (Page last updated: September 22, 2024)

Aliases (sorted alphabetically):

• APT41 (FBI, CISA, Cisco, EDTA, FireEye, Mandiant, Kaspersky, Malpedia, Unit 42, Zscaler)
• Axiom (Note: treated as a separate threat actor)
• BARIUM (formerly used by Microsoft)
• Blackfly (Symantec)
• Brass Typhoon (Microsoft)
• Bronze Atlas (SecureWorks)
• Double Dragon (Wikipedia)
• Earth Baku (Trend Micro)
• Grayfly (Symantec)
• Red Kelpie (PWC?)
• RedEcho (different threat actor from Recorded Future possible overlaps)
• Redfly (not used by Symantec, but linked via ShadowPad malware)
• RedGolf (officially used by Recorded Future)
• SparklingGoblin (ESET)
• TG-2633 (formerly used by SecureWorks)
• Wicked Panda (used by CrowdStrike to track espionage)
• Wicked Spider (used by CrowdStrike to track cybercrime)
• Winnti, Winnti Group (Kaspersky, ESET, Cybereason, PwC)

Subgroups

• Earth Longzhi (Trend Micro)
• Earth Freybug (Trend Micro)
• Lead (formerly used by Microsoft)
• Leopard Typhoon (Microsoft)
• Vanadinite (Dragos)

Identified Members

• Zhang Haoran (张浩然): FBI Most Wanted
• Tan Dailin (谭戴林): FBI Most Wanted
• Jiang Lizhi (蒋立志): FBI Most Wanted
• Qian Chuan (钱川): FBI Most Wanted
• Fu Qiang (付强): FBI Most Wanted

Associated Company

Chengdu Si Lingsi (404) Network Technology Company Ltd. (成都市肆零肆网络科技有限公司)

Vulnerabilities Exploited

• CVE-2018-0824 (7.5 high, in CISA's KEV Catalog) Microsoft COM for Windows Remote Code Execution Vulnerability Source: Cisco
• CVE-2017-0199 (7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Sources: Clearsky, Fortinet, FireEye
• CVE-2019-3396 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability. Sources: FireEye, Fortinet
• CVE-2015-1641 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Fortinet
• CVE-2012-0158 (8.8 high, in CISA's KEV Catalog) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Fortinet, FireEye
• CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: FireEye

The following 7 vulnerabilities have the same source: U.S. DOJ

• CVE-2019-19781 (9.8 critical, in CISA's KEV Catalog) Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability Additional sources: FireEye, Fortinet
• CVE-2019-11510 (10.0 critical, in CISA's KEV Catalog) Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
• CVE-2019-16920 (9.8 critical, in CISA's KEV Catalog) D-Link Multiple Routers Command Injection Vulnerability
• CVE-2019-16278 (9.8 critical) Nostromo 1.9.6 Directory Traversal/ Remote Command Execution Vulnerability
• CVE-2019-1652 (7.2 high, in CISA's KEV Catalog) Cisco Small Business Routers Improper Input Validation Vulnerability. Additional source: FireEye
• CVE-2019-1653 (7.5 high, in CISA's KEV Catalog) Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability. Additional source: FireEye
• CVE-2020-10189 (9.8 critical, in CISA's KEV Catalog) Zoho ManageEngine Desktop Central File Upload Vulnerability. Additional sources: FireEye, Fortinet

The following 2 vulnerabilities have the same source: Mandiant

• CVE-2021-44228 (10.0 critical, in CISA's KEV Catalog) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell).
• CVE-2021-44207 (8.1 high) Acclaim USAHERDS Hard-Coded Credentials Vulnerability

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• August 04, 2024 – Trend Micro: A Dive into Earth Baku’s Latest Campaign
• August 01, 2024 – Cisco Talos: APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
• July 18, 2024 – Mandiant: APT41 Has Arisen From the DUST
• July 11, 2024 – Zscaler: MoonWalk: A deep dive into the updated arsenal of APT41 | Part 2
• July 10, 2024 – Zscaler: DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1
• June 10, 2024 – Technical University of Zurich (ETH Zurich): From Vegas to Chengdu: Hacking Contests Bug Bounties, and China’s Offensive Cyber Ecosystem (research paper, PDF)
• May 29, 2024 – Natto Thoughts: APT41’s Reconnaissance Techniques and Toolkit: Nmap and What Else?
• May 22, 2024 – Natto Thoughts: Front Company or Real Business in China’s Cyber Operations
• April 02, 2024 – Trend Micro: Earth Freybug Uses UNAPIMON for Unhooking Critical APIs (APT41 subgroup)
• February 28, 2024 – Natto Thoughts: i-SOON: Kicking off the Year of the Dragon with Good Luck … or Not (more about association of i-SOON to Chengdu 404)

2023

• October 27, 2023 – Natto Thoughts: i-SOON: Another Company in the APT41 Network
• September 22, 2023 – Mandiant: Threat Trends: Unraveling WyrmSpy and DragonEgg Mobile Malware with Lookout
• September 12, 2023 – Symantec: Redfly: Espionage Actors Continue to Target Critical Infrastructure (tenuous link via ShadowPad trojan)
• July 19, 2023 – Lookout: Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41
• May 02, 2023 – Trend Micro: Attack on Security Titans: Earth Longzhi Returns With New Tricks (APT41 subgroup)
• April 01, 2023 – Google Cloud/Threat Analysis Group (TAG): April 2023 Threat Horizons Report (PDF, page 9: HOODOO Uses Public Tooling, Google Workspace to Target Taiwanese Media)
• March 30, 2023 – Recorded Future: With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets (PDF)
• February 28, 2023 – Symantec: Blackfly: Espionage Group Targets Materials Technology

2022

• November 09, 2022 – Trend Micro: Hack the Real Box: APT41’s New Subgroup Earth Longzhi (APT41 subgroup)
• October 18, 2022 – Symantec: Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong
• September 22, 2022 – U.S. Health and Human Services (HHS): APT41 and Recent Activity (PDF)
• September 14, 2022 – ESET: You never walk alone: The SideWalk backdoor gets a Linux variant
• August 22, 2022 – Mandiant: APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation (PDF)
• August 18, 2022 – Group-IB:
  • APT41 World Tour 2021 on a tight schedule
  • Inflexible schedule: Group-IB reveals malicious APT41 campaigns involving new tactics and tools
• July 24, 2022 – Intrusion Truth: Chinese APTs: Interlinked networks and side hustles
• July 23, 2022 – Intrusion Truth: The people behind Chengdu 404
• July 22, 2022 – Intrusion Truth: Chengdu 404
• July 21, 2022 – Intrusion Truth: The old school hackers behind APT41
• July 20, 2022 – Intrusion Truth: APT41: A Case Sudy [sic]
• May 02, 2022 – Cybereason:
  • Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
  • Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
  • Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
• March 08, 2022 – Mandiant: Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
• February 15, 2022 – Secureworks: ShadowPad Malware Analysis
• January 20, 2022 – Kaspersky: MoonBounce: the dark side of UEFI firmware

2021

• October 05, 2021 – BlackBerry: Drawing a Dragon: Connecting the Dots to Find APT41
• September 21, 2021 – Recorded Future: China-Linked Group TAG-28 Targets India’s “The Times Group” and UIDAI (Aadhaar) Government Agency With Winnti Malware, available as PDF (tenuous connection via Winnti malware)
• September 09, 2021 – Symantec: Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
• August 24, 2021 – ESET: The SideWalk may be as dangerous as the CROSSWALK
• August 24, 2021 – Trend Micro: APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
  • Earth Baku: An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor. (PDF, white paper)
• August 20, 2021 – CISA: Chinese State-Sponsored Cyber Operations: Observed TTPs (generalized Chinese threat activity)
• July 08, 2021 – Recorded Future: Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling (TAG-22 overlaps with Winnti, but is considered Aquatic Panda)
• July 01, 2021 – Avast: Backdoored Client from Mongolian CA MonPass
• June 10, 2021 – Group-IB: Big airline heist
• April 29, 2021 – NTT: The Operations of Winnti group (PDF)
• March 16, 2021 – Dragos: New ICS Threat Activity Group: VANADINITE (Winnti subgroup)
• March 10, 2021 – Intezer: New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
• March 08, 2021 – Mazaher Kianpour: Socio-Technical Root Cause Analysis of Cyber-enabled Theft of the U.S. Intellectual Property — The Case of APT41 (PDF)
• February 28, 2021 – Recorded Future: China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions, majority in PDF
• January 14, 2021 – Positive Technologies: Higaisa or Winnti? APT41 backdoors, old and new

2020

• November 11, 2020 – Microsoft: Hunting for Barium using Azure Sentinel
• October 20, 2020 – CISA: Potential for China Cyber Response to Heightened U.S.–China Tensions (brief mention of APT41)
• September 29, 2020 – Positive Technologies: ShadowPad: new activity from the Winnti group
• September 18, 2020 – Trend Micro: U.S. Justice Department Charges APT41 Hackers over Global Cyberattacks
• September 17, 2020 – Symantec: APT41: Indictments Put Chinese Espionage Group in the Spotlight
• September 16, 2020 – U.S. Department of Justice: Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally (ATTRIBUTION)
  • Indictment: United States of America v. Zhang Haoran, Tan Dailin (PDF)
• September 16, 2020 – FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities (PDF)
• June 11, 2020 – Zscaler: The Return of the Higaisa APT (see Positive Technologies link from January 14, 2021)
• June 04, 2020 – Malwarebytes: New LNK attack tied to Higaisa APT discovered (see Positive Technologies link from January 14, 2021)
• May 21, 2020 – ESET: No “Game over” for the Winnti Group
• May 06, 2020 – Trend Micro: Targeted Ransomware Attack Hits Taiwan Organizations
• April 20, 2020 – QuoIntelligence: WINNTI GROUP: Insights From the Past
• April 13, 2020 – Unit 42: APT41 Using New Speculoos Backdoor to Target Organizations Globally
• March 25, 2020 – FireEye: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
• February ??, 2020 – PwC: Cyber Threats 2019: A Year in Retrospect (PDF, page 10)
• January 31, 2020 – ESET: Winnti Group targeting universities in Hong Kong
• January 31, 2020 – Tagesschau (German news): Deutsches Chemieunternehmen gehackt (German language, archive of dead link. English translated title: “German chemical company hacked”)

2019

• October 31, 2019 – FireEye: MESSAGETAP: Who’s Reading Your Text Messages?
• October 21, 2019 – ESET: Winnti Group's skip-2.0: A Microsoft SQL Server backdoor
• October 15, 2019 – FireEye: LOWKEY: Hunting for the Missing Volume Serial ID
• October 14, 2019 – ESET: Connecting the dots: Exposing the arsenal and methods of the Winnti Group, with whitepaper PDF
• September 14, 2019 – VMware: CB TAU Threat Intelligence Notification: Winnti Malware 4.0
• August 19, 2019 – FireEye: GAME OVER: Detecting and Stopping an APT41 Operation
• August 07, 2019 – FireEye: APT41: A Dual Espionage and Cyber Crime Operation, available as PDF
• July 24, 2019 – Bayerischer Rundfunk (BR): Winnti: Attacking the Heart of the German Industry
• May 29, 2019 – Intezer: HiddenWasp Malware Stings Targeted Linux Systems (link to Winnti malware)
• May 16, 2019 – Lab52: Winnti Group: Geostrategic and TTP (Tactics, Techniques and Procedures)
• May 15, 2019 – Chronicle: Winnti: More than just Windows and Gates
• April 23, 2019 – Kaspersky: Operation ShadowHammer: a high-profile supply chain attack
• March 25, 2019 – Kaspersky: Operation ShadowHammer
• March 11, 2019 – ESET: Gaming industry still in the scope of attackers in Asia

2018

• June 13, 2018 – Microsoft: Microsoft Corporation v. John Does 1-2 (PDF, Case 1:17-cv-01224-TSE-MSN. Proposed default judgment and order for permanent injunction)
• May 03, 2018 – 401 TRG: Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers

2017

• September 21, 2017 – ESET: CConsiderations on the CCleaner incident (later attributed to Winnti by ESET on May 20, 2020)
• August 15, 2017 – Kaspersky: ShadowPad in corporate networks (attributed to Winnti by PwC in 2019)
• July 18, 2017 – Clearsky: Recent Winnti Infrastructure and Samples
• April 19, 2017 – Trend Micro: Examining a Possible Member of the Winnti Group
• March 22, 2017 – Trend Micro: Winnti Abuses GitHub for C&C Communications

2016

• October 18, 2016 – BlackBerry: Digitally Signed Malware Targeting Gaming Companies (links PassCV APT to Winnti)

2015

• October 05, 2015 – VSEC: Initial Winnti analysis against Vietnam game company (archive of dead link)
• June 22, 2015 – Kaspersky: Games are over: Winnti is now targeting pharmaceutical companies (links Winnti to Axiom)
• April 07, 2015 – Novetta: Operation SMN – Winnti Update (archive of dead link), Winnti Analysis (PDF, archive of dead link)

2013

• April 15, 2013 – Kaspersky: Winnti returns with PlugX
• April 11, 2013 – Kaspersky:
  • Winnti. More than just a game, available as PDF (ORIGIN OF WINNTI NAME)
  • The Winnti honeypot – luring intruders

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat

Country: Russia Organization: Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) Objective: Espionage, Sabotage, Assassinations, Influence Operations (Page last updated: September 07, 2024)

Aliases:

• Bleeding Bear (superseded by Ember Bear)
• Cadet Blizzard (Microsoft)
• DEV-0586 (formerly used by Microsoft)
• Ember Bear (CrowdStrike, MITRE)
• FROZENVISTA (Google TAG)
• Lorec53 (NSFOCUS)
• Nascent Ursa (Unit 42?)
• Nodaria (Symantec)
• SaintBear ( Malpedia, ETDA)
• UNC2589 (Mandiant)
• UAC-0056 (CERT-UA, Unit 42)

Identified Members

• Amin Timovich Stigal (Амин Стигал), Russian civilian hacker:
  • FBI Most Wanted
  • Rewards for Justice
  • Transnational Organized Crime Rewards Program
• Yuriy Fedorovich Denisov (Юрий Денисов), Colonel and Commanding Officer of Cyber Operations for Unit 29155:
  • FBI Most Wanted
• Vladislav Yevgenyevich Borovkov (Владислав Боровков), lieutenant in Unit 29155:
  • FBI Most Wanted
• Denis Igorevich Denisenko (Денис Денисенко), lieutenant in Unit 29155:
  • FBI Most Wanted
• Dmitriy Yuryevich Goloshubov (Дима Голошубов), lieutenant in Unit 29155:
  • FBI Most Wanted
• Nikolay Aleksandrovich Korchagin (Николай Корчагин), lieutenant in Unit 29155:
  • FBI Most Wanted

Vulnerabilities Exploited

• CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Unit 42

The following 5 vulnerabilities have the same source: CISA

• CVE-2021-33044 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
• CVE-2021-33045 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
• CVE-2022-26134 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
• CVE-2022-26138 (9.8 critical, in CISA's KEV Catalog) Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
• CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog) Sophos Firewall Code Injection Vulnerability

Exploitation Likely

CISA and co-authoring agencies warned on 06 September 2024 that Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for the following 5 vulnerabilities:

• CVE-2020-1472 (9.8 critical, in CISA's KEV Catalog) Microsoft Netlogon Privilege Escalation Vulnerability
• CVE-2021-26084 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
• CVE-2021-3156 (7.8 high, in CISA's KEV Catalog) Sudo Heap-Based Buffer Overflow Vulnerability
• CVE-2021-4034 (7.8 high, in CISA's KEV Catalog) Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
• CVE-2022-27666 (7.8 high) Red Hat: IPSec ESP Local Privilege Escalation Vulnerability

Tactics, Techniques, and Procedures

Mapped to MITRE ATT&CK Navigator Layers

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• September 06, 2024 – ASD ACSC: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
• September 05, 2024 – CISA: Russian Military Cyber Actors Target US and Global Critical Infrastructure, available as PDF
• September 05, 2024 – U.S. Department of Justice:
  • Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government
  • Indictment: United States of America v. Amin Stigal, Vladislav Borovkov, Denis Denisenko, Yuriy Denisov, Dmitriy Goloshubov, and Nikolay Korchagin
  • Assistant Attorney General Matthew G. Olsen Delivers Remarks Announcing Charges Against Russian Military Officers
• September 05, 2024 – NSA: NSA, FBI, CISA, and Allies Issue Advisory about Russian Military Cyber Actors
• September 05, 2024 – U.S. State Department: Up to $1 Million Reward Offer for Information Leading to Arrest and/or Conviction of Russian National Tim Vakhaevich Stigal
  • September 05, 2024 – Rewards for Justice: GRU Officers –Unit 29155
• September 05, 2024 – NCSC-UK: UK and Allies uncover Russian military unit carrying out cyber attacks and digital sabotage for the first time
• September 05, 2024 – BfV (Germany): Joint Cybersecurity Advisory on Russian Military Cyber Actors targeting U.S. and Global Critical Infrastructure
• September 05, 2024 – KAPO (Estonia): A GRU military unit launched cyberattacks against Estonian authorities
• September 05, 2024 – Estonia Prosecutor's Office: A GRU military unit launched cyberattacks against Estonian authorities
• September 05, 2024 – Estonia Ministry of Foreign Affairs (MFA): Estonia names Russia’s military intelligence in a first-ever attribution of cyberattacks
• September 05, 2024 – The Netherlands Military Intelligence and Security Service (MIVD): MIVD waarschuwt: Russen hebben het gemunt op westerse hulp aan Oekraïne (Dutch)
• September 05, 2024 – CCCS: Russian military cyber actors target U.S. and global critical infrastructure
• June 26, 2024 – U.S. Department of Justice: Russian National Charged For Conspiring With Russian Military Intelligence To Destroy Ukrainian Government Computer Systems And Data (Amin Stigal)

2023

• June 14, 2023 – Microsoft: Cadet Blizzard emerges as a novel and distinct Russian threat actor
• February 16, 2023 – Google TAG: Fog of war: how the Ukraine conflict transformed the cyber threat landscape (PDF)
• February 08, 2023 – Symantec: Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine

2022

• December 05, 2022 – Elastic: Operation Bleeding Bear
• July 20, 2022 – USCYBERCOM: Cyber National Mission Force discloses IOCs from Ukrainian networks
• July 20, 2022 – Mandiant: Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
• July 13, 2022 – Malwarebytes: Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
• July 11, 2022 – CERT-UA: Attack by UAC-0056 group on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4941) (Ukrainian)
• July 06, 2022 – CERT-UA: Cyber ​​attack UAC-0056 on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4914) (Ukrainian)
• April 26, 2022 – CERT-UA: UAC-0056 group cyber attack using GraphSteel and GrimPlant malware and the topic of COVID-19 (CERT-UA#4545) (Ukrainian)
• April 25, 2022 – Bitdefender: Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
• April 04, 2022 – Intezer: Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
• April 04, 2022 – NioGuard: Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware
• April 01, 2022 – Malwarebytes: New UAC-0056 activity: There’s a Go Elephant in the room
• March 30, 2022 – CrowdStrike: Who is EMBER BEAR?
• March 28, 2022 – CERT-UA: Cyber ​​attack of the UAC-0056 group on the state bodies of Ukraine using GraphSteel and GrimPlant malware (CERT-UA#4293) (Ukrainian)
• March 15, 2022 – SentinelOne: Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
• March 04, 2022 – Mandiant: Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
• February 25, 2022 – Unit 42: Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
• February 21, 2022 – NSFOCUS: APT Lorec53 group launched a series of cyber attacks against Ukraine
• February 08, 2022 – NSFOCUS: APT Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government
• February 02, 2022 – CERT-UA: Cyber ​​attack of the UAC-0056 group on state organizations of Ukraine using SaintBot and OutSteel malware (CERT-UA#3799) (Ukrainian)
• January 20, 2022 – Unit 42: Threat Brief: Ongoing Russia and Ukraine Cyber Activity
• January 17, 2022 – Picus: TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine
• January 16, 2022 – NCSCC-UA on Twitter: Operation #BleedingBear
• January 15, 2022 – Microsoft: Destructive malware targeting Ukrainian organizations

2021

• November 28, 2021 – NSFOCUS: 2021 Analysis Report on Lorec53 Group (PDF)
• April 06, 2021 – Malwarebytes: A deep dive into Saint Bot, a new downloader (origin of SaintBear?)