By the CyberWire staff
At a glance.
- China-aligned threat actor conducts cyberespionage in the South China Sea region.
- Transparent Tribe targets Indian defense entities.
- Courtroom recording software backdoored.
- Grandoreiro banking Trojan resurfaces following law enforcement disruption.
- Critical flaw affects Fluent Bit.
- New Linux backdoor targets South Korean organizations.
- Australian prescription processing company hit by ransomware.
- OmniVision discloses data breach.
China-aligned threat actor conducts cyberespionage in the South China Sea region.
Researchers at Bitdefender are tracking a newly discovered China-aligned threat actor they've dubbed "Unfading Sea Haze" that's targeting military and government targets associated with the South China Sea. The threat actor has been conducting cyberespionage in the region since at least 2018. Bitdefender explains that the threat actor's "custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques. The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts to bypass traditional security measures. Attackers are constantly adapting their tactics, necessitating a layered security approach." The researchers add that "[t]he extended period of Unfading Sea Haze’s invisibility, exceeding five years for a likely nation-state actor, is particularly concerning."
Transparent Tribe targets Indian defense entities.
BlackBerry has published a report on a campaign by the Transparent Tribe threat actor that ran from late 2023 through at least April 2024. The threat actor, which has been linked to Pakistan, is targeting government, defense, and aerospace entities in India. The researchers believe that "Transparent Tribe has been carefully monitoring the efforts of the Indian defense forces as they strive to bolster and upgrade the country's aerospace defense capabilities." They add, "In recent months the group have been putting a heavy reliance on cross-platform programming languages such as Python, Golang, and Rust, as well as abusing popular web services such as Telegram, Discord, Slack, and Google Drive."
The State of Pentesting Report 2024: How AI Is Impacting The Cybersecurity Landscape
The growing emergence of artificial intelligence (AI) has upended conventional security, ushering in a transformative shift in both defensive and offensive strategies. In this report, we collected data from over 3,900 pentests. Here is what you will learn:
- Top vulnerabilities, security challenges, and pentesting trends
- How the adoption of AI is impacting organizations' security postures
- What security teams plan to outsource and/or deprioritize to better manage growing workloads
- How to prepare your team and environment for a productive and in-depth pentest
Download the report now and gain insights from the pioneers of Pentesting as a Service.
Courtroom recording software backdoored.
Rapid7 has found that courtroom recording software from Justice AV Solutions (JAVS) was backdoored in a supply chain attack, allowing attackers to take full control of affected systems. Justice AV Solutions said in a statement, "Through ongoing monitoring and collaboration with cyber authorities, we identified attempts to replace our Viewer 8.3.7 software with a compromised file. We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems. We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident." The company added that "[t]he file in question did not originate from JAVS or any 3rd party associated with JAVS."
Rapid7 states, "Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. Users should install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems."
Grandoreiro banking Trojan resurfaces following law enforcement disruption.
IBM X-Force warns that the Grandoreiro banking Trojan resurfaced in March with several large phishing campaigns targeting more than 1,500 banks in sixty countries. The malware-as-a-service operation was disrupted by law enforcement in January 2024.
The new version of the malware has received significant updates and has expanded its targeting, with a particular focus on Mexico, Argentina, and South Africa. The researchers note, "Although campaigns have traditionally been limited to Latin America, Spain, and Portugal, X-Force observed recent campaigns impersonating Mexico’s Tax Administration Service (SAT), Mexico’s Federal Electricity Commission (CFE), Mexico’s Secretary of Administration and Finance, the Revenue Service of Argentina, and notably the South African Revenue Service (SARS)."
Establish your brand as a thought leader in cybersecurity.
Launching a new product or service? Looking for alternative ways to recruit cyber talent? Want your company or leadership team members to be seen as an industry thought leader? Be heard by over 350,000 subscribers on the N2K CyberWire network. Whether through sponsored advertising, executive events, or exclusive interviews, we offer off-the-shelf and bespoke packages to help you reach your goals. Let’s work together.
Critical flaw affects Fluent Bit.
Researchers at Tenable have discovered a critical memory corruption vulnerability (CVE-2024-4323) affecting Fluent Bit, a logging and metrics tool used by all major cloud services. The flaw could lead to denial of service, information leakage, or remote code execution. The project's maintainers committed fixes for the vulnerability to Fluent Bit's main branch on May 15th.
Tenable states, "As for the remote code execution possibilities of this issue, exploitation is dependent on a variety of environmental factors such as host architecture and operating system. While heap buffer overflows such as this are known to be exploitable, creating a reliable exploit is not only difficult, but incredibly time intensive. The researchers believe that the most immediate and primary risks are those pertaining to the ease with which DoS and information leaks can be accomplished."
New Linux backdoor targets South Korean organizations.
Researchers at Symantec describe a new Linux backdoor developed by the North Korean threat actor Kimsuky (tracked by Symantec as "Springtail"). The malware is targeting entities in South Korea, and is delivered via Trojanized versions of legitimate software packages. Symantec states, "The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants."
Australian prescription processing company hit by ransomware.
Australian electronic prescription processing company MediSecure has disclosed a data breach affecting "personal and health information of individuals." The country's Minister for Cyber Security Clare O'Neil described the incident as a "large-scale ransomware incident." MediSecure says "early indicators suggest the incident originated from one of our third-party vendors."
The ABC quotes Steve Robson, president of the Australian Medical Association, as saying, "It's not clear exactly what data have either been accessed, stolen, blocked or whatever and these things can be complex. I think the scale of what's happened is going to take time to fully be revealed... [W]e would anticipate that many doctors and many patients around the country will have data in the database."
OmniVision discloses data breach.
Imaging sensor manufacturer OmniVision disclosed a data breach that occurred during a ransomware attack the company sustained in September 2023, BleepingComputer reports. OmniVision submitted a breach notification to the California Attorney General's Office stating that "an unauthorized party took some personal information from certain systems between September 4, 2023, and September 30, 2023." While the type of stolen information wasn't disclosed, BleepingComputer notes that the Cactus ransomware gang claimed at the time of the attack to have stolen passport scans, nondisclosure agreements, contracts, and other confidential documents. The group subsequently made the data available to download for free, but has since removed it from their leak site.
Hacktivist uses ransomware against Philippine government targets.
A hacktivist group called "Ikaruz Red Team" is using several strains of ransomware to launch disruptive attacks against government infrastructure in the Philippines, according to SentinelOne. The researchers note, "Within the hacktivist landscape, Ikaruz Red Team fits into a larger movement of threat actors committing unsophisticated yet damaging attacks targeting the Philippines region. There is indication that a broader cluster of these behaviors may be part of rising regional tensions with China and a desire to destabilize Philippine critical infrastructure."
Cryptojacking campaign disables endpoint security products.
Elastic Security Labs describes "REF4578," a cryptojacking campaign that delivers malware dubbed "GHOSTENGINE" to disable endpoint security products. GHOSTENGINE uses vulnerable drivers from Avast and IObit to gain access to the kernel and delete files used by the system's endpoint security agent. It then installs the XMRig miner. The researchers don't attribute the activity to any known group, but they note that the "campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRIG miner."
Secure your legacy apps at scale — with zero coding and zero hassle.
Modernize your identity infrastructure and get rid of technical debt without sacrificing your complex access policies. Use Strata to integrate non-standard apps with any identity service while using any vendor, standard, or app architecture. Or use it to migrate away from outdated identity providers and consolidate IDPs. It’s seamless, simple and code-free. Share your top identity security priorities, and receive a pair of complimentary AirPods Pro.
Cybercriminals target gift card departments.
Microsoft has published a report on a Morocco-based cybercriminal group called "Storm-0539" or "Atlas Lion" that's attempting to compromise organizations' gift card departments in order to issue fraudulent gift cards. In some cases, the threat actor has stolen up to $100,000 per day from certain companies.
Microsoft states, "What sets Storm-0539 apart is its deep understanding of cloud environments, which it exploits to conduct reconnaissance on organizations’ gift card issuance processes and employee access. Its approach to compromising cloud systems for far-reaching identity and access privileges mirrors the tradecraft and sophistication typically seen in nation-state-sponsored threat actors, except instead of gathering email or documents for espionage, Storm-0539 gains and uses persistent access to hijack accounts and create gift cards for malicious purposes and does not target consumers exclusively."
The US FBI issued a Private Industry Notification on this campaign earlier this month, noting that the crooks use smishing campaigns to gain initial access.
UK will propose mandatory reporting and licensing for ransomware attacks.
The United Kingdom will propose a law requiring all ransomware victims to report attacks and obtain licenses before paying a ransom, the Record reports. The law would also ban critical infrastructure organizations from making ransomware payments in order to remove incentives for ransomware gangs to target these entities. The proposed legislation is still in early stages and likely won't move forward until after the next general election later this year. The Record notes, however, "Even if the proposals are not immediately implemented, they mark a dramatic development in how governments around the world are responding to the ransomware crisis."
Crime and punishment.
A Taiwanese national, Rui-Siang Lin, was arrested in New York yesterday for his alleged operation and ownership of the dark web narcotics marketplace "Incognito Market." Assistant Director in Charge James Smith of the FBI New York Field Office stated in a press release, "For nearly four years, Rui-Siang Lin allegedly operated ‘Incognito Market,’ one of the largest online platforms for narcotics sales, conducting $100 million in illicit narcotics transactions and reaped millions of dollars in personal profits. Under the promise of anonymity, Lin’s alleged operation offered the purchase of lethal drugs and fraudulent prescription medication on a global scale."