By the CyberWire staff
At a glance.
- CISA issues advisory on Sisense breach.
- Apple warns individuals of mercenary spyware attacks.
- New ransomware group demands payment from Change Healthcare.
- Heritage Foundation discloses cyberattack.
- Muddled Libra targets SaaS apps and cloud environments.
- Starry Addax targets human rights activists in Africa.
- Malvertising targets system administrators.
- LastPass employee targeted by audio deepfake.
- Threat actor uses AI-generated malware loader.
CISA issues advisory on Sisense breach.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory concerning a breach at business intelligence company Sisense. CISA reiterates Sisense's advice that customers should reset all credentials and secrets used to access the company's services. The agency says customers should also "[i]nvestigate—and report to CISA—any suspicious activity involving credentials potentially exposed to, or used to access, Sisense services."
KrebsOnSecurity explains that independent researchers found that attackers gained access to Sisense's Amazon S3 buckets and exfiltrated "several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates." The attackers may have gained initial access via a token or credential stored in Sisense's self-hosted GitLab code repository. A secret that was ever committed survives in the repository's history after it is deleted from the working tree, which is why the remedy is rotation rather than removal.
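The practical follow-up to both the CISA advice and the repository angle is an inventory of what was exposed. The scanner below is an added example, not Sisense's, CISA's or KrebsOnSecurity's tooling: it walks text (a checkout, or the output of `git log -p`) for the credential types named in the reporting (AWS access keys, GitLab tokens, private keys that accompany SSL certificates) and for generic high-entropy values assigned to secret-looking names. The regexes and the entropy threshold are this example's assumptions, and the sample file is constructed.

```python
import math
import re
from collections import Counter

# Specific credential formats. The AKIA/ASIA prefix with a 16-character
# base32 body is AWS's documented access key ID shape; glpat- is GitLab's
# personal access token prefix; the PEM header covers private keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z2-7]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Catch-all: an assignment to a secret-looking name whose value is random-looking.
ASSIGN = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:token|secret|password|passwd|api[_-]?key))\b"
    r"\s*[=:]\s*['\"]?([^'\"\s]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune per code base


def shannon_entropy(s):
    """Bits of entropy per character; ~0 for 'aaaa', ~4.7 for a JWT fragment."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Never echo a whole secret into a report or ticket."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text):
    """Return (line_number, kind, redacted_value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((lineno, kind, redact(value)))
                matched = True
        if matched:
            continue  # a specific hit is not reported a second time as generic
        m = ASSIGN.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "generic_high_entropy", redact(m.group(2))))
    return findings


def kinds_to_rotate(findings):
    """Distinct credential classes found, i.e. the rotation checklist."""
    return sorted({kind for _, kind, _ in findings})


# Constructed sample file; none of these values are real credentials.
SAMPLE = """\
# constructed sample file; none of these values are real
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITLAB_TOKEN = "glpat-AbCdEfGhIjKlMnOpQrSt12"
db_password = "changeme"
SESSION_SECRET = "aaaaaaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
API_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.abc"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno:3d}  {kind:24s} {value}")
    print("rotate:", ", ".join(kinds_to_rotate(scan(SAMPLE))))
```

The short `changeme` and the repeated-character `SESSION_SECRET` are deliberately not reported: the length floor and the entropy filter keep placeholders out of the queue so that the report is a rotation list, not noise.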
Apple warns individuals of mercenary spyware attacks.
Apple on Wednesday notified individuals in 92 countries that they may have been targeted by mercenary spyware, TechCrunch reports. The company told the individuals, "Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID...This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously."
Apple added, "We are unable to provide more information about what caused us to send you this notification, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future."
New ransomware group demands payment from Change Healthcare.
RansomHub, a ransomware group that surfaced in February 2024, claims to be in possession of four terabytes of data stolen during BlackCat/ALPHV's attack against UnitedHealth Group's Change Healthcare platform, SC Media reports. UnitedHealth Group subsidiary Optum allegedly paid ALPHV/BlackCat a $22 million ransom following the attack. ALPHV/BlackCat then pulled an apparent exit scam and disappeared without paying the affiliate who carried out the attack. RansomHub is now demanding its own ransom payment in exchange for keeping the data private.
Qualys Cyber Threat Director Ken Dunham told SC Media that "[It's] not uncommon for companies that give in to bad actors performing extortion, such as ransomware and DDoS payouts, to become ‘soft targets,’ quickly hit again with additional forms of extortion again and again."
Heritage Foundation discloses cyberattack.
The Heritage Foundation, a Washington, DC-based think tank focused on conservative policy, sustained a cyberattack earlier this week, TechCrunch reports. A Heritage Foundation official told POLITICO that a nation-state actor was likely responsible, but the nature of the attack hasn't been disclosed. TechCrunch notes that nation-state actors frequently target think tanks for cyberespionage purposes, and the Heritage Foundation itself was hit by a separate breach in 2015.
Muddled Libra targets SaaS apps and cloud environments.
Researchers at Palo Alto Networks' Unit 42 warn that the financially motivated threat actor Muddled Libra has begun targeting software-as-a-service applications and cloud service provider (CSP) environments. The researchers note, "Muddled Libra purposefully targets administrative users during their social engineering attacks since those users have elevated permissions within identity providers, SaaS applications, and organizations’ various CSP environments. After initial access, the group exploits identity providers to perform privilege escalation, by bypassing IAM restrictions and modifying permission sets associated with users to increase their scope of access."
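The permission-set and IAM changes Unit 42 describes leave an audit trail. The triage below is an added example, not Unit 42's or Palo Alto Networks' detection content: it reads CloudTrail records, keeps only calls that change who can do what (IAM Identity Center permission sets and assignments, classic IAM policy and key operations), and scores each one by the traits of a social-engineered admin session: no MFA on the session, a source address outside the admin allow-list, and a grant of AdministratorAccess. The event-name lists and the allow-list are this example's assumptions, and the records are constructed.

```python
import json

# API calls that change who can do what. The eventSource strings are the
# CloudTrail service names; which event names to watch is this example's
# choice, not an exhaustive catalogue.
ESCALATION_EVENTS = {
    "sso.amazonaws.com": {  # IAM Identity Center: permission sets and assignments
        "UpdatePermissionSet",
        "AttachManagedPolicyToPermissionSet",
        "PutInlinePolicyToPermissionSet",
        "ProvisionPermissionSet",
        "CreateAccountAssignment",
    },
    "iam.amazonaws.com": {  # classic IAM users, groups and roles
        "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
        "AttachRolePolicy", "UpdateAssumeRolePolicy",
        "CreateAccessKey", "CreateLoginProfile", "DeactivateMFADevice",
    },
}

# Hypothetical allow-list of addresses admins normally work from (constructed).
KNOWN_ADMIN_IPS = {"198.51.100.10"}


def mfa_authenticated(record):
    """CloudTrail records the MFA state of a session as the string
    "true"/"false" under userIdentity.sessionContext.attributes."""
    ctx = record.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("attributes", {}).get("mfaAuthenticated") == "true"


def principal(record):
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or "<unknown>"


def triage(records, known_ips=KNOWN_ADMIN_IPS):
    """One alert per permission-changing call; two or more traits is high."""
    alerts = []
    for r in records:
        watched = ESCALATION_EVENTS.get(r.get("eventSource"), set())
        if r.get("eventName") not in watched:
            continue
        reasons = []
        if not mfa_authenticated(r):
            reasons.append("session not MFA-authenticated")
        if r.get("sourceIPAddress") not in known_ips:
            reasons.append("source IP outside admin allow-list")
        if "AdministratorAccess" in json.dumps(r.get("requestParameters") or {}):
            reasons.append("grants AdministratorAccess")
        severity = "high" if len(reasons) >= 2 else ("medium" if reasons else "low")
        alerts.append({
            "time": r.get("eventTime"),
            "principal": principal(r),
            "event": r["eventSource"] + ":" + r["eventName"],
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


def principals_to_investigate(alerts):
    """Distinct principals behind high-severity alerts, for the IR queue."""
    return sorted({a["principal"] for a in alerts if a["severity"] == "high"})


# Constructed CloudTrail records (not real telemetry); TEST-NET addresses.
SAMPLE_RECORDS = json.loads("""[
{"eventTime": "2024-04-10T13:02:11Z", "eventSource": "sso.amazonaws.com",
 "eventName": "AttachManagedPolicyToPermissionSet", "sourceIPAddress": "203.0.113.45",
 "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_HelpDesk_0123/helpdesk.user",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
 "requestParameters": {"permissionSetArn": "arn:aws:sso:::permissionSet/ssoins-0123/ps-4567",
   "managedPolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
{"eventTime": "2024-04-10T13:05:40Z", "eventSource": "iam.amazonaws.com",
 "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.45",
 "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_HelpDesk_0123/helpdesk.user",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
 "requestParameters": {"userName": "svc-backup"}},
{"eventTime": "2024-04-10T14:00:00Z", "eventSource": "iam.amazonaws.com",
 "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.10",
 "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
   "arn": "arn:aws:iam::111122223333:user/ops-admin",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
 "requestParameters": {"userName": "auditor", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
{"eventTime": "2024-04-10T14:01:00Z", "eventSource": "s3.amazonaws.com",
 "eventName": "GetObject", "sourceIPAddress": "198.51.100.10",
 "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"}}
]""")

if __name__ == "__main__":
    alerts = triage(SAMPLE_RECORDS)
    for a in alerts:
        print(a["severity"].upper(), a["time"], a["event"], a["principal"], "; ".join(a["reasons"]))
    print("investigate:", principals_to_investigate(alerts))
```

The help-desk persona's two calls score high while the legitimate ReadOnlyAccess grant from a known address with MFA scores low; in practice the allow-list and the "admin-level" string match would come from the organization's own permission-set inventory rather than a hard-coded constant.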
Starry Addax targets human rights activists in Africa.
Researchers at Cisco Talos are tracking a new threat actor they've dubbed "Starry Addax" that's targeting human rights activists associated with the Sahrawi Arab Democratic Republic in Morocco and the Western Sahara region. The threat actor attempts to trick targets into installing a malicious Android app that impersonates an app belonging to the Sahrawi News Agency. The malicious app installs a new strain of malware Talos tracks as "FlexStarling." The researchers note, "The use of FlexStarling with a Firebase-based C2 instead of commodity malware or commercially available spyware indicates the threat actor is making a conscious effort to evade detections and operate without being detected."
Malvertising targets system administrators.
Malwarebytes is tracking a malvertising campaign that's targeting sysadmins with phony ads for popular system utilities. The researchers explain, "The malicious ads are displayed as sponsored results on Google’s search engine page and localized to North America. Victims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer. Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV."
LastPass employee targeted by audio deepfake.
LastPass says one of its employees was targeted by a social engineering attack involving an audio deepfake on WhatsApp that impersonated the company's CEO, SecurityWeek reports. The employee recognized the messages as suspicious and notified LastPass's security team. LastPass stated, "To be clear, there was no impact to our company. However, we did want to share this incident to raise awareness that deepfakes are increasingly not only the purview of sophisticated nation-state threat actors and are increasingly being leveraged for executive impersonation fraud campaigns."
Threat actor uses AI-generated malware loader.
Proofpoint says the financially motivated threat actor TA547 is targeting German organizations with the Rhadamanthys information stealer. Notably, the threat actor is using a malicious PowerShell script that appears to have been crafted by a generative AI tool. The researchers note, "While it is difficult to confirm whether malicious content is created via LLMs – from malware scripts to social engineering lures – there are characteristics of such content that point to machine-generated rather than human-generated information. Regardless of whether it is human or machine-generated, the defense against such threats remains the same."
Raspberry Robin gets an upgrade.
HP Wolf Security says the Raspberry Robin Windows worm is now being delivered through highly obfuscated Windows Script Files; the worm was previously distributed via infected USB drives. The researchers note, "The script file acts as a downloader. Like the Raspberry Robin DLL, the script uses a variety of anti-analysis and virtual machine (VM) detection techniques. The final payload is only downloaded and executed when all these evaluation steps indicate that the malware is running on a real end user device, rather than in a sandbox." At the time of HP's analysis, the Windows Script Files had a 0% detection rate on VirusTotal. That figure measures static scanner coverage of the file itself, not whether endpoint telemetry would catch the downloader's behaviour once it runs.
Israel's Justice Ministry investigates alleged breach.
Israel's Justice Ministry says it's investigating a hacktivist group's claims to have nearly three hundred gigabytes of data from the ministry's servers, Reuters reports. The ministry stated on Friday, "Since the morning hours, experts at the ministry and elsewhere have been looking into the incident and its implications. The scope of the materials is still under review and it will take time to examine the content and scope of the documents that were leaked and their sources."
EPA investigates claims of breach.
The US Environmental Protection Agency (EPA) is investigating a threat actor's claim to have breached the agency and stolen contact information belonging to critical infrastructure organizations around the globe, the Record reports. An EPA spokesperson told the Record that the data appears to be "business contact information available to the public to provide a comprehensive picture of environmental impacts."
Massive data breach affects El Salvador.
Personal information belonging to nearly every adult in El Salvador was publicly posted to the dark web on Saturday, Protos reports. The data include "full names, birthdays, phone numbers, residential addresses, email addresses, and social security number-equivalent DUI numbers." The dataset also includes "millions of high-definition, unwatermarked, and DUI-numbered headshot photos of Salvadorans." The data had been offered for sale at a price of $250 since August 2023, but the hacker has now released them for free.
Earth Hundun deploys Waterbear malware.
Trend Micro is tracking a cyberespionage campaign by the Earth Hundun threat actor (also known as BlackTech) that's targeting "a number of organizations in various sectors such as technology, research, and government," mostly in the Asia-Pacific region. The threat actor is deploying the Waterbear malware in these attacks. Trend Micro explains, "Among the group’s arsenal of weapons, the Waterbear backdoor is one of the most complex, with a wide array of anti-debug, anti-sandbox, and general antivirus-hindering techniques. Moreover, the frequent updates from its developers have led to even more evasion tactics, including enhancements of its loader, downloader, and communication protocol."
Patch news.
Fortinet on Patch Tuesday issued fixes for twelve flaws, including a critical remote code execution vulnerability affecting FortiClientLinux, SecurityWeek reports. The flaw can be exploited by tricking a user into visiting a malicious website.
Johannes Ullrich at the SANS Internet Storm Center summarizes Microsoft's Patch Tuesday release covering 157 vulnerabilities, three of which are rated critical. The three critical flaws (CVE-2024-21322, CVE-2024-21323, CVE-2024-29053) affect Microsoft Defender for IoT and can lead to remote code execution.
Adobe has patched two dozen vulnerabilities affecting several of its products, KrebsOnSecurity reports.
Policies, procurements, and agency equities.
The US National Security Agency (NSA) has named Dave Luber as its new cybersecurity director, following Rob Joyce's retirement at the end of March, SecurityWeek reports. NSA stated, "Luber served for over 37 years in myriad roles to include NSA’s Deputy Director of Cybersecurity; Executive Director (EXDIR) for U.S. Cyber Command (USCYBERCOM), the highest-ranking-civilian and third-in-command at USCYBERCOM; Director of NSA Colorado; Program Director within the Office of the Under Secretary of Defense for Intelligence; and Chief of NSA’s Remote Operations Center, Tailored Access Operations, and Computer Network Operations."