The CyberWire Daily Podcast 10.9.24
Ep 2166 | 10.9.24

Attacks amidst anniversaries.

Transcript

Hackers target Russia’s court information system. Patch Tuesday rundown. GoldenJackal targets government and diplomatic entities in Europe, the Middle East, and South Asia. Cybercriminals are exploiting Florida’s disaster relief efforts. Australia introduced its first standalone cybersecurity law. CISA and the FBI issue guidance against Iranian threat actors. Mamba 2FA targets Microsoft 365 accounts. Casio reports a data breach. On our Solution Spotlight, Simone Petrella speaks with Andy Woolnough from ISC2 about their 2024 Cybersecurity Workforce Study. Keeping the AI slop off Wikipedia.

Today is Wednesday, October 9th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Hackers target Russia’s court information system. 

Russia experienced significant digital disruptions for a second day following a cyberattack on its court information system, reportedly by a hacker group called “BO Team.” The group claimed to have wiped court documents, timing the attack to coincide with President Vladimir Putin’s 72nd birthday. This follows another large-scale attack on Russian state media channels on Monday, which disrupted multiple television and radio stations. The VGTRK media company resumed online broadcasting, but court websites remained offline.

Cyberattacks have become a frequent tactic in the ongoing Ukraine-Russia conflict. Russian intelligence attributed the media attack to a Ukrainian-linked hacker group. Although Russia has ramped up its cyberattacks on Ukraine, the effectiveness has diminished as Ukraine bolsters its cybersecurity defenses. Recent reports also reveal Russia’s GRU military intelligence has targeted NATO and European countries. Meanwhile, Putin’s birthday saw celebratory messages from Russian officials and nationalist figures, highlighting his continued influence despite the digital chaos.

Patch Tuesday rundown. 

Yesterday was Patch Tuesday, and Microsoft released security updates to address 117 vulnerabilities across Windows and other software, including two zero-day flaws already being exploited. One of these, CVE-2024-43573, is a vulnerability in MSHTML, the engine behind Internet Explorer, which allows attackers to trick users into interacting with malicious content through phishing attacks. Despite Internet Explorer being retired, its underlying technology remains in use, posing risks to certain systems. The more serious zero-day, CVE-2024-43572, is a code execution flaw in Microsoft Management Console (MMC), which could allow attackers to gain unauthorized control. Microsoft has patched this issue to prevent untrusted files from being opened. Meanwhile, Apple fixed a macOS 15 “Sequoia” bug that affected various security tools, and Adobe released updates for 52 vulnerabilities across its product range. Users are encouraged to back up data before applying updates to avoid potential compatibility issues.

GoldenJackal targets government and diplomatic entities in Europe, the Middle East, and South Asia.

GoldenJackal, an Advanced Persistent Threat (APT) group active since at least 2019, has garnered attention for successfully breaching air-gapped systems—networks isolated from the internet—targeting government and diplomatic entities in Europe, the Middle East, and South Asia. This level of sophistication is typically seen only in nation-state actors. Researchers from ESET revealed GoldenJackal’s use of two distinct toolsets for these breaches. The first toolset, used in a South Asian embassy, includes GoldenDealer (which delivers executables via USB), GoldenHowl (a modular backdoor), and GoldenRobo (a drive-accessing component). A second toolset was deployed in attacks on a European Union governmental organization, allowing data collection and exfiltration. GoldenJackal’s ability to breach air-gapped systems with tailored tools within five years is unprecedented, but researchers note that their methods, while sophisticated, contain flaws that defenders can observe and counter.

Cybercriminals are exploiting Florida’s disaster relief efforts. 

Cybercriminals are exploiting Florida’s disaster relief efforts amid recovery from Hurricane Helene and preparations for Hurricane Milton, a Category 5 storm. Scammers are targeting vulnerable individuals and organizations with phishing campaigns, fake FEMA claims, and malware disguised as legitimate FEMA documents. Cybersecurity firm Veriti uncovered scams involving fraudulent FEMA claims and phishing websites masquerading as hurricane relief resources. These fake sites trick victims into providing sensitive information, such as Social Security numbers, by creating a sense of urgency. Additionally, cybercriminals are disguising malware in PDF files which appear legitimate but contain harmful code. While no active infections have been reported, these threats highlight the dangers of cyberattacks during disasters.

Australia introduced its first standalone cybersecurity law. 

The Australian government introduced its first standalone cybersecurity law, the Cyber Security Bill 2024, to better protect citizens and organizations amid rising cyber threats. The bill mandates minimum cybersecurity standards for IoT devices, such as secure settings and regular updates. It also introduces mandatory ransomware reporting for critical infrastructure organizations, requiring them to notify the Australian Signals Directorate within 72 hours of making a payment. Additionally, the bill establishes a Cyber Incident Review Board to assess significant cyber incidents and implements reforms to the Security of Critical Infrastructure (SOCI) Act. These reforms aim to simplify information sharing between industries and the government, improving responses to all-hazard incidents. The legislation is part of Australia’s 2023-2030 Cyber Security Strategy and provides a comprehensive framework to address whole-of-economy cybersecurity challenges.

CISA and the FBI issue guidance against Iranian threat actors. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued new guidance to combat escalating cyber threats from Iranian actors targeting national political organizations. The guidance warns that cyber actors linked to Iran’s Islamic Revolutionary Guard Corps are using social engineering tactics, such as impersonating contacts and directing victims to fake login pages, to compromise accounts of senior officials, activists, and journalists. CISA recommends using phishing-resistant multifactor authentication, password managers, and vigilance against unsolicited communications to help mitigate these threats, which aim to undermine confidence in democratic institutions.

Mamba 2FA targets Microsoft 365 accounts. 

Mamba 2FA is an emerging phishing-as-a-service (PhaaS) platform targeting Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication (MFA). Priced at $250/month, it allows cybercriminals to capture authentication tokens, enabling unauthorized access to victims’ accounts. First tracked in May 2024, Mamba 2FA has supported phishing campaigns since November 2023, evolving its infrastructure to avoid detection. Recent updates include the use of proxy servers from IPRoyal to mask IP addresses and rotating phishing domains weekly. Mamba 2FA provides phishing templates for Microsoft 365 services and dynamically mimics organizational branding for a more convincing attack. Stolen credentials are delivered to attackers via a Telegram bot, enabling immediate access. To defend against such attacks, organizations should adopt security measures like hardware keys, certificate-based authentication, and token lifespan management.
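The AiTM pattern described above leaves a trace in sign-in telemetry: the MFA challenge is completed through the proxy, and the captured session token is then used from infrastructure the victim never touched, often well after the legitimate sign-in. The following is an added example, not code from the original story or from any vendor product, showing how a defender can apply two of the mitigations the segment names (watching where a token is used after MFA, and enforcing a token lifespan) against constructed sign-in records. The event fields, the `find_aitm_indicators` function, the one-hour lifetime policy, and the sample IPs and ASNs (RFC 5737 documentation addresses and RFC 5398 documentation ASNs) are all assumptions made for the example.

```python
"""Flag possible adversary-in-the-middle token replay in sign-in telemetry.

Added example (not from the original page). Two indicators are checked per
session, both taken from the defensive advice in the segment:
  1. a session token used from a different network (ASN) than the one where
     the MFA challenge was completed, which is what token capture and replay
     through a phishing proxy looks like from the identity provider's side;
  2. a session token still in use beyond a configured maximum lifetime.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignInEvent:
    user: str
    session_id: str
    ip: str
    asn: str
    mfa_completed: bool  # True on the event where the MFA challenge was passed
    ts: datetime


# Hypothetical policy value: tokens older than this should have been re-issued.
MAX_TOKEN_LIFETIME = timedelta(hours=1)


def find_aitm_indicators(events, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return {session_id: [reason, ...]} for sessions showing replay indicators.

    The ASN is compared rather than the raw IP so that a user moving between
    addresses inside one network (mobile carrier, corporate NAT pool) is not
    flagged, while a token exercised from a rented proxy network is.
    """
    by_session = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_session.setdefault(e.session_id, []).append(e)

    findings = {}
    for sid, evs in by_session.items():
        mfa = next((e for e in evs if e.mfa_completed), None)
        if mfa is None:
            continue  # no MFA event for this session: nothing to compare against
        reasons = []
        for e in evs:
            if e is mfa:
                continue
            if e.asn != mfa.asn and "asn_mismatch" not in reasons:
                reasons.append("asn_mismatch")
            if e.ts - mfa.ts > max_lifetime and "token_past_lifetime" not in reasons:
                reasons.append("token_past_lifetime")
        if reasons:
            findings[sid] = reasons
    return findings


def sample_events():
    """Constructed sign-in records (not real telemetry) covering three sessions."""
    t = datetime(2024, 10, 9, 8, 0)
    return [
        # s1: MFA and later use from the same network -> clean
        SignInEvent("alice", "s1", "203.0.113.10", "AS64496", True, t + timedelta(hours=1)),
        SignInEvent("alice", "s1", "203.0.113.11", "AS64496", False, t + timedelta(hours=1, minutes=20)),
        # s2: MFA from the user's network, token used minutes later from another ASN -> replay
        SignInEvent("bob", "s2", "203.0.113.20", "AS64496", True, t + timedelta(hours=2)),
        SignInEvent("bob", "s2", "198.51.100.5", "AS64497", False, t + timedelta(hours=2, minutes=3)),
        # s3: same network, but the token is still in use 2.5 hours after MFA -> past lifetime
        SignInEvent("carol", "s3", "203.0.113.30", "AS64496", True, t),
        SignInEvent("carol", "s3", "203.0.113.30", "AS64496", False, t + timedelta(hours=2, minutes=30)),
    ]


if __name__ == "__main__":
    for sid, reasons in find_aitm_indicators(sample_events()).items():
        print(sid, reasons)
```

In practice the ASN lookup comes from an IP-to-ASN feed and the events from the identity provider's sign-in log; the point of the example is the comparison itself, which is the same regardless of source. The ASN heuristic is deliberately coarse, since a phishing kit that proxies through a residential or commercial proxy service can land in an unremarkable network, which is why the segment's other recommendations (hardware keys and certificate-based authentication, which a proxy cannot relay) matter more than any log rule.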

Casio reports a data breach. 

On October 5, Casio experienced a cyberattack that caused system failures, leaving some customer services unavailable. The Japanese tech company is investigating the breach, along with external specialists, to determine whether personal or sensitive data was leaked. Casio has not specified which customer systems were affected, whether it was a ransomware attack, or if the hackers identified themselves. The attack follows a 2022 breach where information from Casio’s ClassPad.net education platform was compromised, impacting customers in 148 countries. In this recent breach, over 120,000 pieces of information, including customer names, email addresses, and order details, were exposed, though credit card information was not affected. The company reported the breach to authorities and implemented security measures, including restricting external access to its network.


On our Solution Spotlight today, our guest is Andy Woolnough, ISC2's Executive Vice President, Corporate Affairs, talking with N2K’s Simone Petrella. Andy shares a first look at ISC2's 2024 Cybersecurity Workforce Study. We’ll be right back.

Welcome back. We have links to what Simone and Andy discussed in our show notes. You can catch their full conversation on Monday, October 14th in our CyberWire Daily feed.

Keeping the AI slop off Wikipedia. 

And finally, 404 Media highlights a group of dedicated Wikipedia editors, dubbed WikiProject AI Cleanup, that has taken up the noble (and no-doubt frustrating) task of battling AI-generated content that’s sneaking its way onto the platform. Their mission: protect one of the world’s largest information sources from falling victim to the same AI misinformation plaguing Google and Amazon. According to founding member Ilyas Lebleu, the group identified AI-generated content by spotting unnatural phrasing and suspicious catchphrases, leading to the discovery of some shocking cases, like a detailed, well-cited article on a fortress that never existed.

Their work doesn’t stop at fake text; AI-generated images have also slipped through the cracks, like one depicting people with mangled hands and seven-toed feet. The editors aren’t just deleting AI content for being AI-generated, though. If it’s relevant it stays.

Despite their efforts, Lebleu and his teammates acknowledge the challenge: AI detection tools aren’t foolproof, and they often rely on human volunteers to catch errors. While Wikipedia has fared better than big platforms, the editors know there’s still much work to do in keeping AI-generated “slop” at bay.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.