LockBit’s website is back
The NCA, FBI, and Europol are having some fun with the LockBit ransomware gang’s former leak site. The agencies, which seized the site in February as part of Operation Cronos, have replaced its original content with their own press releases and are now teasing new disclosures about the gang. On Monday the site showed a countdown to a set of teased posts, including “Who is LockbitSupp?” and “More LBhackers exposed.” The good news: if you are reading this after 9 a.m. ET on Tuesday, May 7th, 2024, those posts should already be live.
(TechCrunch), (Bleeping Computer)
Germany takes action amid alleged Russian attack
Germany has recalled its ambassador to Russia for consultations following alleged Moscow-backed cyberattacks on its defense, aerospace and IT sectors and on the Social Democratic Party. The German government has also accused the Kremlin of cyberattacks on critical infrastructure across multiple NATO countries through APT28, a group Berlin attributes to Russian military intelligence (the GRU). The Russian embassy denied any involvement, dismissing the claims as baseless and harmful to Russian-German relations. Tensions have escalated as allied nations, including the Czech Republic, report similar intrusions attributed to APT28, in which the group exploited a zero-click Microsoft Outlook vulnerability (CVE-2023-23397) that leaks a user’s NTLM credential hash.
Chinese-linked ArcaneDoor targets global network infrastructure
A cyber espionage campaign dubbed ArcaneDoor, potentially linked to Chinese actors, has targeted perimeter network devices from vendors including Cisco. According to Censys, attacker infrastructure was set up as early as July 2023, with the first intrusion activity detected in January 2024. The attackers deployed two custom implants, Line Runner and Line Dancer, and exploited two vulnerabilities in Cisco Adaptive Security Appliances (CVE-2024-20353 and CVE-2024-20359) that Cisco has since patched. Censys points to a China-based actor: key infrastructure used SSL certificates tied to Chinese networks and hosted services related to anti-censorship tools.
Employee attempts to extort former employer for $1.5 million
Talk about a disgruntled employee. After being terminated by a multinational IT infrastructure services company, former cybersecurity consultant Vincent Cannady allegedly tried to extort $1.5 million as a ‘settlement’ for his firing. According to The Register, Cannady was let go in June 2023 for sub-par performance. Before leaving, he allegedly used a company laptop to copy confidential data, including server maps, trade secrets and unremediated security vulnerabilities, to his personal cloud storage. Cannady is charged with Hobbs Act extortion, which carries a maximum sentence of 20 years in prison.
Huge thanks to our sponsor, Vanta

With the largest network of Trust Centers, Vanta can help you streamline security reviews to win customer trust, save time, and close deals fast.
Proactively demonstrate security by showcasing key resources like your SOC 2 or ISO 27001 and provide real-time evidence for passing controls. And when a security questionnaire is required, Vanta takes the first pass for you.
Visit vanta.com/ciso to take a tour.
Iranian APT42 group expands cyber espionage tactics
A newly released Mandiant report reveals that the Iranian state-sponsored cyber espionage group APT42 is targeting intergovernmental organizations, governments, media organizations, and NGOs with two new backdoors. The group, believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC), has recently been deploying the custom Nicecurl and Tamecat backdoors against its targets. In two specific instances, APT42 impersonated a Middle East institute and a U.S. think tank to distribute the backdoors. Historically, the group has relied on social engineering to harvest victims’ credentials and gain access to their cloud environments.
Critical Tinyproxy Flaw Exposes Thousands
A critical Tinyproxy flaw, tracked as CVE-2023-49606 with a CVSS score of 9.8, exposes more than 50,000 internet-facing hosts to remote code execution, according to Censys data cited by Cisco Talos. The vulnerability is a use-after-free bug in the proxy’s HTTP Connection header parsing that an unauthenticated attacker can trigger with a specially crafted request; it affects Tinyproxy 1.11.1 and 1.10.0. Most exposed hosts are in the U.S., South Korea, China, France and Germany. Disclosure was hampered by a communication breakdown: Talos sent its report to an outdated maintainer email address, and the Tinyproxy developers only learned of the problem this week when a Debian package maintainer alerted them. A fix has since been committed to the project’s main branch, so check whether your distribution’s package carries it.
Largest city in Kansas paralyzed by ransomware attack
Another city government is dealing with the fallout of a ransomware attack. The city of Wichita, Kansas was forced to shut down portions of its network over the weekend after ransomware encrypted its IT systems. Bleeping Computer reports that payment systems for city water, court citations and tickets are down. There is no information yet on whether any data was stolen or which ransomware group is responsible.
CISA urges software industry to address traversal vulnerabilities
CISA, jointly with the FBI, has issued a Secure by Design alert urging software manufacturers to eliminate directory traversal vulnerabilities, a class of bug that has been well understood for over 20 years. The warning itself is not new, but the agencies stress how serious these flaws remain: an attacker who can manipulate a file path taken from user input can read, and sometimes write, files outside the directory the application intended to expose. The alert faults manufacturers for not treating user-supplied content as potentially malicious, and recommends concrete mitigations such as storing uploaded files under a random, application-generated identifier (keeping the original filename only as metadata), restricting the characters allowed in filenames, and ensuring uploaded files are not executable.
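As an added illustration of the pattern the alert describes (this is not code from CISA’s alert or from any product mentioned above; the function names, the temporary directory and its files are all constructed for the example), here is the unsafe path concatenation beside a hardened resolver that canonicalises before checking containment, plus the random-identifier upload scheme the alert recommends:

```python
"""Directory traversal: the unsafe pattern beside a hardened resolver.

Added illustration, not code from CISA's alert or from any product; the
helper names, the sample tree and its contents are all constructed here.
"""
import os
import secrets
import tempfile
import urllib.parse
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested name would resolve outside the serving root."""


UPLOAD_NAMES = {}  # token -> original filename, kept as metadata only


def read_unsafe(root, requested):
    """The pattern CISA warns about: the client's name goes straight into a
    path.  '../' climbs out of root, and an absolute name makes os.path.join
    throw root away entirely.  Kept only to show the failure; do not use."""
    path = os.path.join(root, urllib.parse.unquote(requested))
    with open(path, "rb") as f:
        return f.read()


def resolve_safe(root, requested):
    """Canonicalise, then compare.  Percent-decoding, '..' collapsing and
    symlink resolution all happen before the containment check, so none of
    them can be used to slip past it."""
    root_real = Path(root).resolve(strict=True)
    name = urllib.parse.unquote(requested)
    if "\x00" in name or os.path.isabs(name):
        raise TraversalError(f"rejected name {requested!r}")
    candidate = (root_real / name).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise TraversalError(f"{requested!r} resolves outside {root}")
    return candidate


def read_safe(root, requested):
    return resolve_safe(root, requested).read_bytes()


def store_upload(root, user_filename, data):
    """One of the alert's recommendations: the client never chooses the
    on-disk name.  Content lives under a random id; the original name is
    metadata (an in-memory dict here, a database in a real service)."""
    token = secrets.token_hex(16)
    Path(root, token).write_bytes(data)
    UPLOAD_NAMES[token] = os.path.basename(user_filename)
    return token


def demo():
    """Build a throwaway tree (constructed sample data) and exercise both paths."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "public")
    os.makedirs(root)
    Path(root, "index.html").write_bytes(b"<h1>hello</h1>")
    Path(tmp, "secret.txt").write_bytes(b"db-password")  # outside root
    try:
        os.symlink(Path(tmp, "secret.txt"), Path(root, "link"))
    except OSError:
        pass  # no symlink support on this platform; the probe simply 404s

    out = {}
    out["unsafe_dotdot"] = read_unsafe(root, "../secret.txt")
    out["unsafe_encoded"] = read_unsafe(root, "%2e%2e/secret.txt")
    out["unsafe_absolute"] = read_unsafe(root, os.path.join(tmp, "secret.txt"))
    out["safe_ok"] = read_safe(root, "index.html")
    for probe in ("../secret.txt", "%2e%2e%2fsecret.txt", "/secret.txt",
                  "x/../../secret.txt", "link"):
        try:
            read_safe(root, probe)
            out[probe] = "ALLOWED"
        except (TraversalError, FileNotFoundError):
            out[probe] = "blocked"
    token = store_upload(root, "../../evil.sh", b"#!/bin/sh\n")
    out["upload_name"] = UPLOAD_NAMES[token]
    out["upload_inside_root"] = resolve_safe(root, token).parent == Path(root).resolve()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value!r}")
```

The order of operations in resolve_safe is the whole point: a check that runs before percent-decoding is bypassed with %2e%2e, a string check for ".." is bypassed with a symlink, and a prefix comparison on un-resolved strings is bypassed with an absolute path. Resolving both sides to real paths first, then testing ancestry, closes all three in one place.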