Ransomware wrecks Paraguay's largest telco
This newsletter is brought to you by Stairwell. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher, by subscribing via the RSS feed, or on Apple Podcasts.

A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay.

The incident took place last Thursday, January 4, and impacted the telco's business branch.

Around 300 servers in Tigo's data center were encrypted, according to Miguel Ángel Gaspar, director of the Paraguay Ciberseguro Foundation.

At least 300 companies were impacted downstream. The companies lost phone service and files hosted on Tigo servers.

Some government organizations are believed to have been impacted. The Paraguayan Army's cybersecurity team has urged public and private sector institutions to take steps to harden their networks in the incident's aftermath.

The Tigo attack has been attributed by local media to a ransomware group named BlackHunt. According to Fortinet, the BlackHunt group emerged at the end of 2022 and is known to breach victims via unsecured RDP connections. That is still the most mundane and most common way these crews get in: RDP reachable from the internet without MFA or a VPN in front of it is the first thing to check.

Besides encrypting data, the group is also known to steal files for secondary extortion attempts, although it does not operate a dark web data leak site like other ransomware crews.

According to a local radio station, Tigo has not contacted the group to negotiate a ransom.

The company put out a statement calling all reports on its incident "fake news," which in turn led to the company being ridiculed on social media, with some customers announcing plans to switch to another provider.

Bit24 leak: Iranian cryptocurrency exchange Bit24.cash has leaked the personal information of more than 230,000 customers. The data leaked via an unsecured MinIO server that also exposed the platform's AWS credentials. An object store reachable without authentication is only as safe as the most sensitive thing stored in it, and parking cloud keys there turns a data leak into a potential account takeover. The exposed data included photos of passports, IDs, and credit cards, which customers uploaded on the site during the KYC process. Additional coverage in Cybernews.

Inspiring Vacations leak: Australian travel agency Inspiring Vacations has leaked customer data after leaving one of its databases exposed on the internet without a password. The database leaked 268GB of data containing more than 112,000 records, such as high-resolution passport images, travel visas, and itinerary tickets. Additional coverage in The Age (h/t Scrantic).

LoanDepot cyberattack: American mortgage provider LoanDepot has taken some of its IT infrastructure offline in the aftermath of a ransomware attack. The company is the fourth major US mortgage and real estate insurance provider to be hit by a cyberattack over the past few months. Similar incidents have also affected Mr. Cooper, Fidelity National Financial, and First American Financial.

WCC cyberattack: The World Council of Churches got hit by a cybersecurity incident over the Christmas holiday. The incident is believed to be a ransomware attack, possibly carried out by the Rhysida gang. Additional coverage in The Record.

Ukraine repels attack on state payment system: Ukraine says it repelled Russian cyberattacks against its state payment system for the second week in a row. Officials say Russian hackers tried to destroy vital systems used for budget payments. The operation comes after Russian hackers successfully wiped servers inside Kyivstar, the country's largest mobile operator.

Alfa Bank leak: Ukrainian hackers have dumped the data of 38 million customers of Alfa Bank, one of Russia's leading banks. The data was dumped by KibOrg and NLB, the groups that hacked the bank in October last year. The bank initially denied getting hacked and later tried to downplay the size of the breach.

M9 Telecom hack: A Ukrainian hacktivist group named Blackjack has breached and leaked data from Russian internet service provider M9 Telecom. The group claims it wiped more than 20 TB of the telco's data, including internal servers and the company's official website. Blackjack says the attack was only a warm-up and that it plans to target larger telcos as revenge for Russia's attack on Kyivstar. Additional coverage in UkrInform. English coverage in the Kyiv Independent.

Authy EOL: Twilio will discontinue its Authy 2FA authenticator app for Linux, macOS, and Windows in August this year. The company has told customers to switch to its mobile apps, which will continue to be supported.

Project Mockingbird: McAfee has unveiled Project Mockingbird, a tool to detect AI-generated audio deepfakes.

New Sentry ToS: App performance monitoring service Sentry has updated its Terms of Service to give itself the right to use its customers' data to train AI models. No opt-out option will be included.

Copilot key: Microsoft has announced plans to add a new key to its keyboards. The new button will trigger the company's Copilot AI assistant and will sit next to the right Alt and Space keys. This marks the first new key added to Microsoft keyboards in nearly 30 years. Additional coverage in Sky News.

Windows hardening: Microsoft's major security and hardening dates for 2024 are laid out in a calendar (the calendar image is not reproduced in this text version). More details here.

OpenAI GDPR complaint: Polish privacy expert Lukasz Olejnik has filed an official GDPR complaint against OpenAI over the company's data processing practices.

Twitter becomes a problem: Verified Twitter users have pushed a wave of misinformation about the recent earthquake that hit Japan, showing how the social network has devolved from a place where you could get your breaking news to a site that will now endanger people's lives by pushing and promoting wrong information during a time of crisis. Additional coverage in Vice.

Volkswagen integrates ChatGPT: German automaker Volkswagen announced plans to integrate the ChatGPT service into its vehicles. And now you know what car you should never buy in the next 3,401 years.

Beijing lab breaks AirDrop: The Chinese government says it detained several suspects who sent "inappropriate" messages using the Apple AirDrop feature. The arrests come after a local Beijing tech lab named Wangshen Dongjian developed a tool to crack the AirDrop protocol and extract a sender's phone number and email address. AirDrop was widely used in China in 2022 and 2023 to anonymously share anti-government posters and materials criticizing China's leader Xi Jinping. Apple limited access to AirDrop in November of last year at the government's request. Additional coverage in the Global Times.

DNS4EU: Oxford professor Roxana Radu looks at DNS4EU, the EU's new DNS system designed to be used by EU agencies and member states.

IC IG report: A report (PDF) from the Office of the Inspector General of the Intelligence Community has found that overclassification, lack of guidance, and tensions with cybersecurity companies have hampered the US government's efforts to boost cyber threat intel-sharing. Additional coverage in CyberScoop.

NSA and AI: An NSA official admitted that the agency is using AI and ML technologies to detect malicious Chinese cyber activity. Additional coverage in CyberScoop.

China to hunt down aviation-tracking devices: The Chinese government has announced a nationwide operation to identify and remove devices across China that track flights and share data with foreign entities. China's Ministry of State Security says it seized some devices and penalized individuals who installed them. Officials say the devices are a national security threat because they can also track military aircraft, not just public flights. Additional coverage in SCMP.

In this Risky Business News sponsor interview, Tom Uren talks to Chris St. Myers, Stairwell's head of threat research, about managing the risk from software you absolutely must use.

Spamdot admins identified: Infosec reporter Brian Krebs has identified the real-world identities of Salomon and Icamis, the two administrators of the now-defunct cybercrime forum Spamdot. The two admins are named Alexander Grichishkin and Andrey Skvortsov. Both are Russian nationals and have already been detained by US authorities for running a bulletproof hosting service for malware operations. Both pleaded guilty, and Grichishkin is scheduled to be released from jail in February 2024 after serving his sentence. Skvortsov has yet to be sentenced.

Ransomware dev detained in the Netherlands: Dutch Police have arrested an Amsterdam man for creating and operating the Babuk Tortilla ransomware strain. Officials identified the suspect after receiving a tip from Cisco's Talos security team. Following the arrest, police officers obtained the ransomware's decryption keys, which they shared with Avast and Cisco Talos. The keys have been integrated into the Babuk ransomware decrypter available via the NoMoreRansom portal.

Myanmar rebels take control of scam city: A coalition of Myanmar rebels has taken control of Laukkaing, a city that has been a hub for online scamming operations known as "pig butchering." The Three Brotherhood Alliance is now in control of the city and the surrounding Kokang region. The rebel groups launched their offensive in October of last year with the explicit purpose of rooting out the cybercrime cartels, which they claimed were operating under the military junta's protection. Additional coverage in The Record.

Coinbase phisher detained: The US Secret Service has arrested a 30-year-old Indian national for his involvement in a phishing operation that targeted Coinbase users. Authorities claim Chirag Tomar was part of a group that set up fake Coinbase login pages and then lured victims to the sites by emailing and calling them. The gang is believed to have stolen more than $20 million from at least 500 Coinbase accounts. Additional coverage in 404 Media.

Money launderer sentenced: A US judge sentenced a Nigerian national to 10 years and one month in prison for helping cybercriminals launder money obtained via internet fraud schemes.

Water Curupira: Trend Micro has published a profile on Water Curupira, an affiliate of the Black Basta ransomware gang specializing in the distribution of the Pikabot malware via email phishing campaigns. Trend Micro says systems infected with Pikabot have been used to drop backdoors and, later, the Black Basta ransomware.

RE#TURGENCE: A financially motivated hacking group known as RE#TURGENCE is targeting Microsoft SQL Server databases to deploy the Mimic ransomware. According to security firm Securonix, the group gains initial access by brute-forcing the database's admin account, which means internet-exposed SQL Server instances with a guessable "sa" password, and failed-login noise in the SQL Server error log, are the things to look for. The company says the group operates out of the Republic of Türkiye.

YouTube malware campaign: Fortinet is tracking a threat actor using YouTube videos promoting cracked software to distribute apps infected with the Lumma infostealer.

KEV update: CISA has updated its KEV database with six new vulnerabilities currently actively exploited in the wild. The list includes zero-days in ColdFusion, Apple, Apache Superset, Joomla, and D-Link systems.

Q4 2023 DDoS trends: Internet infrastructure company Cloudflare says it saw a massive 61,839% surge in DDoS traffic that targeted environmental protection websites during the 28th United Nations Climate Change Conference (COP28).

Stairwell's Mike Wiacek demonstrates Stairwell's file analysis and threat detection platform to Risky Business host Patrick Gray. Stairwell helps you monitor and analyze every executable file in your organization, automatically collecting crucial intelligence and providing your security team with in-depth visibility and detections.

UAC-0184: CERT-UA has published IOCs and details about a spear-phishing campaign conducted by a group the agency is tracking as UAC-0184. The campaign was initially spotted by Trend Micro, and its final payload is the Remcos RAT and the ReverseSSH shell.

Stuxnet saboteur: Dutch journalists have revealed the name of the person who helped the US and Israel deploy the Stuxnet computer virus inside Iran's nuclear program in 2008. Reporters say that a Dutch engineer named Erik van Sabben installed water pumps that contained Stuxnet inside Iran's uranium enrichment facility at Natanz in 2008. Van Sabben was allegedly recruited by the Dutch AIVD intelligence service, although Dutch officials say they didn't know they were deploying a computer virus. Van Sabben died in a motorbike accident two weeks later near his home in Dubai, and Stuxnet exploded into a global malware epidemic two years later, in 2010. Additional coverage in De Volkskrant. English coverage in NL Times. A 2019 article on the topic.

Zengo hacking challenge: Crypto-wallet maker Zengo launched a hacking challenge inviting anyone to hack one of its demo wallets and keep the 10 Bitcoin (around $420,000) stored inside.

Lantronix vulnerabilities: Pentagrid researchers have identified several vulnerabilities in Lantronix EDS-MD IoT gateway devices. Fixes are scheduled to go live on January 12, 2024.

OFBiz exploitation: Prion researchers analyze two recent Apache OFBiz vulnerabilities, including one that is under active exploitation.

Bosch Rexroth vulnerabilities: Nozomi researchers have found 23 vulnerabilities in Bosch Rexroth nutrunners (pneumatic torque wrenches) used in automotive industry production lines.

Control-M vulnerabilities: Security engineer Guillaume Quéré has found four vulnerabilities that can be chained to take control of the web console of BMC's Control-M, an application workflow orchestration solution.

CS:GO attack surface: Synacktiv researchers have published research looking at the attack surface of Counter-Strike: Global Offensive (CS:GO), one of the internet's most popular games over the past decade. The research was published after Valve launched Counter-Strike 2 last fall. The bugs that were found were never fixed, which is a very bad look for Valve. In Synacktiv's own words:

"Overall, the code is legacy and does not implement in-depth security protections. Reporting the bug to Valve through the HackerOne managed program was a long process, as shown in the timeline available below. The ticket was closed with the release of Counter-Strike 2, and the impacted code is no longer present. In fact, to our knowledge, no patch was released in the meantime despite multiple follow-ups."

KyberSlash attack: Security researcher Daniel J. Bernstein has published details on KyberSlash, a security flaw in libraries that implement Kyber, a quantum-resistant key encapsulation mechanism. The flaw is a timing side channel: integer divisions on secret-derived values in the reference compression code take a variable amount of time on some CPUs, and that timing can leak the secret. Many libraries have yet to be patched.

ZDI stats: Trend Micro says its Zero Day Initiative (ZDI) private bug bounty program helped security researchers file and report 1,913 bugs throughout 2023. The company says that nearly three out of four of all reported vulnerabilities were rated Critical or High risk.

Patch Tuesday: Yesterday was the January 2024 Patch Tuesday. We had security updates from Adobe, Microsoft, Cisco, SAP, Fortinet, Zoom, Splunk, Joomla, Firefox, Intel, Siemens, and Schneider Electric. The Android Project, Chrome, Atlassian, Ivanti, and QNAP released security updates last week as well. This month, Microsoft patched 53 vulnerabilities. No zero-days this time.

Acquisition news: Private equity firm the MC² Security Fund has acquired cybersecurity firm Trustwave from Singtel for $205 million.

New tool, YARA Toolkit: Microsoft security researcher Thomas Roccia has released YARA Toolkit, a web app for writing YARA rules.

In this edition of Between Two Nerds, Tom Uren and The Grugq talk with infosec and antivirus veteran Martijn Grooten about how the infosec industry has changed over the years.
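Two of the items above, RE#TURGENCE and KyberSlash, are concrete enough to show in code. First, the brute-force pattern Securonix describes for RE#TURGENCE. The block below is an added example written for this newsletter, not Securonix's detection content and not any vendor's rule: it scans SQL Server ERRORLOG-style lines for error 18456 ("Login failed for user"), pulls the source address out of the trailing "[CLIENT: ...]" tag, and flags any client that racks up THRESHOLD failures inside a WINDOW_SEC sliding window. The eight log lines, the IPs, the user names and the two tuning constants are all constructed for the example.

```c
/* Added example (editor's, not Securonix's or Microsoft's code): flag
 * SQL Server login brute forcing from ERRORLOG lines. Error 18456 is
 * "Login failed for user"; the log appends "[CLIENT: a.b.c.d]". */
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 16
#define MAX_EVENTS  64
#define IP_LEN      46
#define WINDOW_SEC  60   /* assumed tuning: failures within 60 seconds ... */
#define THRESHOLD   5    /* ... from one client raise an alert */

/* Constructed sample ERRORLOG excerpt (timestamps, users, IPs made up). */
static const char *SAMPLE_LOG[] = {
  "2024-01-10 09:00:01.12 Logon       Error: 18456, Severity: 14, State: 8.",
  "2024-01-10 09:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
  "2024-01-10 09:00:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
  "2024-01-10 09:00:03.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
  "2024-01-10 09:00:05.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]",
  "2024-01-10 09:00:06.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]",
  "2024-01-10 09:14:10.00 Logon       Login failed for user 'jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]",
  "2024-01-10 09:14:45.55 Logon       Login failed for user 'jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]",
};
#define SAMPLE_LOG_N ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* Seconds since midnight from the "YYYY-MM-DD HH:MM:SS" prefix; -1 if absent.
 * Day boundaries are ignored here; a real detector keys on full timestamps. */
static int parse_secs(const char *line) {
    int h, m, s;
    if (strlen(line) < 19 || sscanf(line + 11, "%2d:%2d:%2d", &h, &m, &s) != 3)
        return -1;
    return h * 3600 + m * 60 + s;
}

/* Copy the client IP out of a "Login failed for user" line. 1 on match. */
static int parse_failed_login(const char *line, char *ip, size_t iplen) {
    const char *tag;
    size_t n;
    if (!strstr(line, "Login failed for user")) return 0;
    tag = strstr(line, "[CLIENT: ");
    if (!tag) return 0;
    tag += strlen("[CLIENT: ");
    n = strcspn(tag, "]");
    if (n == 0 || n >= iplen) return 0;
    memcpy(ip, tag, n);
    ip[n] = '\0';
    return 1;
}

struct client { char ip[IP_LEN]; int times[MAX_EVENTS]; int n; };

/* Scan lines; write each IP that reaches THRESHOLD failures inside
 * WINDOW_SEC into out[] (at most max_out entries). Returns the count. */
int find_bruteforce_sources(const char **lines, int nlines,
                            char out[][IP_LEN], int max_out) {
    struct client clients[MAX_CLIENTS];
    int nclients = 0, nflagged = 0;
    for (int i = 0; i < nlines; i++) {
        char ip[IP_LEN];
        struct client *c = NULL;
        int t = parse_secs(lines[i]);
        if (t < 0 || !parse_failed_login(lines[i], ip, sizeof ip)) continue;
        for (int j = 0; j < nclients; j++)
            if (strcmp(clients[j].ip, ip) == 0) { c = &clients[j]; break; }
        if (!c) {
            if (nclients == MAX_CLIENTS) continue;   /* toy table limit */
            c = &clients[nclients++];
            strcpy(c->ip, ip);
            c->n = 0;
        }
        if (c->n < MAX_EVENTS) c->times[c->n++] = t;
        /* failures from this client inside the trailing window */
        int in_window = 0;
        for (int k = 0; k < c->n; k++)
            if (t - c->times[k] >= 0 && t - c->times[k] <= WINDOW_SEC) in_window++;
        if (in_window == THRESHOLD && nflagged < max_out)  /* alert once, on crossing */
            strcpy(out[nflagged++], c->ip);
    }
    return nflagged;
}

int main(void) {
    char flagged[MAX_CLIENTS][IP_LEN];
    int n = find_bruteforce_sources(SAMPLE_LOG, SAMPLE_LOG_N, flagged, MAX_CLIENTS);
    for (int i = 0; i < n; i++)
        printf("possible SQL login brute force from %s\n", flagged[i]);
    return 0;
}
```

On the constructed input, 203.0.113.7 crosses the threshold at the fifth failure (the 'admin' attempt counts: the detector keys on the source, not the account) and 198.51.100.4, with two failures, does not. In production the same logic would run over the Windows Application log or the audit trail rather than a string array, and the window and threshold need tuning against your own baseline of mistyped passwords.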
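Second, the KyberSlash item. The block below is an added example written for this newsletter, not code from any Kyber library or from Bernstein's write-up. It shows the shape of the code KyberSlash targets: Kyber compresses a polynomial coefficient x in [0, q) to d bits as ((x << d) + q/2) / q mod 2^d, and that "/ q" is an integer division on a secret-derived operand, which runs in input-dependent time on CPUs with a variable-latency divider. Beside it is the division-free replacement pattern (multiply by a fixed reciprocal, then shift) that removes the data-dependent instruction. The reciprocal constant 1290168 and the 32-bit shift are mine, chosen so the result is exact over this operand range; the upstream patches use their own constants and shifts. The d = 4 case is shown; the other compression widths follow the same pattern with a different range check.

```c
/* Added example (editor's, not from any Kyber implementation): the
 * secret-dependent division KyberSlash exploits, and a fixed-time
 * replacement, checked against each other over the whole field. */
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Vulnerable form: integer division on a value derived from a secret
 * coefficient. This is the operation KyberSlash measures. */
static uint16_t compress4_div(uint16_t x) {
    uint32_t t = ((uint32_t)x << 4) + KYBER_Q / 2;
    return (uint16_t)((t / KYBER_Q) & 15);
}

/* Division-free form. M = ceil(2^32 / q) = 1290168 (my constant for this
 * example). M*q = 2^32 + 1976, so (n*M) >> 32 == n / q exactly for every
 * n < 2^32 / 1976 (about 2.17 million); the largest n here is
 * (3328 << 4) + 1664 = 54912, so the quotient is always exact.
 * A 64-bit multiply and a shift run in fixed time on mainstream CPUs;
 * on small cores without a single-cycle multiplier the same audit has
 * to be repeated for the multiply. */
#define Q_RECIP_M 1290168u

static uint16_t compress4_ct(uint16_t x) {
    uint32_t n = ((uint32_t)x << 4) + KYBER_Q / 2;
    uint32_t quot = (uint32_t)(((uint64_t)n * Q_RECIP_M) >> 32);
    return (uint16_t)(quot & 15);
}

/* Decompression operates on public ciphertext and needs no division. */
static uint16_t decompress4(uint16_t c) {
    return (uint16_t)(((uint32_t)c * KYBER_Q + 8) >> 4);
}

/* 1 if the two compressors agree on every field element, else 0. */
int compress4_equivalent(void) {
    for (uint32_t x = 0; x < KYBER_Q; x++)
        if (compress4_div((uint16_t)x) != compress4_ct((uint16_t)x))
            return 0;
    return 1;
}

/* Largest distance mod q between x and decompress(compress(x)). Kyber's
 * correctness argument needs this to be at most round(q / 2^(d+1)) = 104
 * for d = 4, so the replacement must not change it. */
int compress4_roundtrip_max_error(void) {
    int max_err = 0;
    for (uint32_t x = 0; x < KYBER_Q; x++) {
        int d = (int)decompress4(compress4_ct((uint16_t)x)) - (int)x;
        if (d < 0) d = -d;
        if (d > KYBER_Q / 2) d = KYBER_Q - d;   /* distance mod q */
        if (d > max_err) max_err = d;
    }
    return max_err;
}

int main(void) {
    printf("division and multiply-shift agree on all %d inputs: %s\n",
           KYBER_Q, compress4_equivalent() ? "yes" : "NO");
    printf("max round-trip error: %d (bound 104)\n",
           compress4_roundtrip_max_error());
    return 0;
}
```

The exhaustive comparison is the important part of a fix like this: a reciprocal constant that is off by one is silently wrong for some inputs, and a compression routine that disagrees with the reference on even one coefficient breaks interoperability. The same check, repeated for every secret-operand division in a library, is how you confirm a KyberSlash patch actually removed them all.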