FBI IC3, Verizon DBIR, Google M-Trends reports are out: here's the conclusions
In other news: Iran tries to hack EU official; Lazarus Group pulls off watering hole and zero-day attack; WhatsApp adds new chat privacy features.

This newsletter is brought to you by Devicie. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed.

There are a handful of seminal reports in the cybersecurity industry, and lo and behold, three of them were released on Wednesday.

Mandiant's team, now part of Google Cloud, released M-Trends, Verizon released its Data Breach Investigations Report (aka DBIR), and the FBI Internet Crime Complaint Center (IC3) released its yearly Internet Crime Report (PDF).

Big day for chart lovers.

All put together, they amount to an astounding 256 pages, or the equivalent of a damn book. But don't worry, because we got you covered. Below are extracts of the most important conclusions, trends, and talking points from each report.

Google Cloud M-Trends

This report is based on Mandiant IR engagements, so its results are highly representative of the upper echelons of IT networks. Think of multinationals, highly public incidents, government agencies, big crypto hacks, and loads of Google cloud-related incidents.

Naturally, the initial vectors for these are different from those at mom-and-pop shops. These companies have loads of networking gear, so exploits targeting these devices are a common source of problems, along with your regular phishing attacks.

Probably some reader: "But Catalin, exploits don't refer to networking devices. They also include OS exploits."

As I was saying, the same networking/enterprise gear from previous years continues to haunt these high-end targets.

This report became famous primarily because everyone kept citing its attacker dwell time statistic, since it was one of the first reports to consistently feature it. Now every infosec company has their own dwell time stat, but I digress. Here's this year's stat. This is consistent with other reports published earlier this year, which also saw dwell times go down again. The reason here is that MDRs and NDRs are getting better, so attackers can't set up tents and wait until they go through all the victims' data. They either go YOLO and hack the hosts, or they sell access to them before they get detected and booted off.

No particular big change here, but some interesting stats.

Backdoors, including web shells, are usually the first thing deployed, so it's normal they're so prevalent.

Long live Cobalt Strike! However, that number went down from 28% in 2021 to just 5% last year.

Threat actor distribution

Some interesting findings on ransomware-related initial entry vectors. I know brute force is popular. I just didn't expect it to be this common.

As for the report, it also warns of several rising trends. These include the still-growing infostealer scene and the credentials-for-sale market they created, the threat posed by DPRK IT workers, and Iran's ever-growing hacking arsenal.

Verizon DBIR

When it comes to Verizon's report, this one aggregates results from multiple industry partners. This year, the report included data from over 22,000 security incidents from organizations all over the place.

We start with the same initial entry vector, but since we're not looking at data from the best of the best, initial entry vectors are more equalized here. However, Verizon mentions something that aligns with M-Trends, namely that vulnerability exploitation saw a big spike last year.

Some stats where words work better than a chart.

And since we're talking about AI, it looks like someone has found a good use for it. I kid. It only rose from 5% to 10%. It's not really that prevalent.

The Verizon team allocated some space to look at perimeter edge devices.

But even if they're patched, they're not patched fast enough, with the median time being 32 days, which is quite a lot.

Maybe I was blind in previous years, but this is the first time I've noticed a phishing test statistic in DBIR. After I noticed the numbers, I wish I hadn't seen it, though.

I mentioned login credentials sold online earlier, and I found a breakdown of that study Verizon was mentioning.

That same study of infostealer logs also looks at whether they play any role in ransomware attacks. The study found that 54% of ransomware victims had credentials show up online, but many appeared after they were ransomed, while other credentials were available for sale for almost a year before their incident, so I don't think this proves anything.

I mentioned in an earlier newsletter that Akamai was reporting that DDoS attacks are getting bigger. Here's Verizon's super nice chart to confirm it from their side.

FBI IC3 Internet Crime Report

And finally, we get to the granddaddy of all infosec reports, the IC3 Internet Crime Report. Here's the basic stats.

While a few years back we were kind of unaware of the reason why investment scams managed to overtake BEC as the primary source of losses, we now know it's because of the explosion of cyber scam compounds (formerly referred to as pig butchering farms) across Southeast Asia.

As things are going in the region, and seeing that the UN is reporting that these scam compounds are spreading globally, I don't see anyone knocking down investment scams from the top spot anytime soon.

Below are the five most important tables from the report. They're raw numbers, but they tell good stories.

Tom Uren and Adam Boileau talk about how scam compound criminal syndicates are responding to strong government action by moving operations overseas. It's good they are being affected, but they are shifting into new countries that don't have the ability to counter industrial-scale transnational organized crime.

StarCraft 2 hacked to play disturbing videos: Players are hacking StarCraft 2 servers to show disturbing videos to other players. Players reported seeing videos of mass shootings, fascist symbols, and videos designed to induce an epileptic seizure. According to Reddit reports, the hacks have been taking place for almost a year. Blizzard says it's already working on a fix. Additional coverage in Kotaku.

Blue Shield's Google Analytics leak: The California branch of US healthcare provider Blue Shield misconfigured its Google Analytics script and sent sensitive health data to Google servers. The leak lasted for three years until it was noticed in January 2024. Over 4.7 million users were affected. Blue Shield says it can't determine what was leaked for each individual user, but leaked data includes names, home addresses, and medical and insurance details.

UIS DDoS attacks: The IT Army of Ukraine has conducted a multi-day-long DDoS attack on Russian telecommunications provider UIS (Unique Intelligent Services). The company is one of the largest IP telephony providers on the Russian market, with over 15,000 business customers. UIS has confirmed the attacks in multiple Telegram posts. According to VK social media posts, customers were unable to make any calls during the attacks.

"72 hours of blackout.
For 3 days, Russian comms provider UIS, used by 15,000 businesses, was crippled by DDoS. Voice, CRM, analytics offline. Clients panicked, support silent.
Respect to the planners, and every volunteer who kept systems alive. That's real pressure.
Resist. Join."

WhatsApp adds more chat privacy options: Meta has added new security features to its WhatsApp messaging service to enhance the privacy of private chats. The new features allow users to block chat participants from exporting sensitive chats or downloading shared images or videos to their devices. Users will also be able to block content shared in these secure chats from being used to train AI models. The new feature, named Advanced Chat Privacy, is currently rolling out.

Facebook cracks down on spam: Meta has updated Facebook systems to deprioritize spammy content that floods out real creators.

Ubisoft sued for forcing gamers to go online: Privacy org noyb has sued Ubisoft for forcing all its users to connect to the internet before launching any of its games. Noyb says the company does this even if the game does not have any online component, only to be able to track customers at all times. Ubisoft has over 37 million monthly active users and is behind popular gaming franchises like Assassin's Creed, Far Cry, Watch Dogs, and Prince of Persia.

AFRINIC takeover attempt: A South African news site was sued and disappeared off the face of the internet after it exposed a campaign from a Chinese-Singaporean billionaire to take control of AFRINIC and its IPv4 address space.

BlueSky restricts Turkish accounts: BlueSky has restricted access to 72 accounts in Turkey at the request of the government at the start of the month. The request came during massive anti-government protests after Turkish officials detained President Erdogan's main political rival. The accounts are invisible to Turkish audiences but still live on the platform. Ankara officials cited national security and public order for the block request. This is the first time BlueSky has censored accounts at the request of a government. Additional coverage in TechCrunch.

Iran targets the EU's delegation chair: Iranian hacking group APT42 tried to hack German politician Hannah Neumann, the head of the EU's Iran delegation. The attacks took place in January, and the group posed as an FBI agent. They used phone calls and messages to pressure staff to open malicious emails and run malicious documents laced with malware. The APT42 group was previously linked to Iran's Revolutionary Guard Corps. Additional coverage in Politico Europe.

EU fines Apple, Meta: The European Union has fined Apple and Meta €500 million and €200 million, respectively, for violations of the EU Digital Markets Act.

US State Department buries cyber office: The US State Department is reorganizing its internal structure and has made changes to its cyber diplomacy offices. The Bureau of Cyberspace and Digital Policy was moved lower in the structure, under its economic affairs wing. The Department also created a new Bureau for Emerging Threats under its arms-control wing that will also have cybersecurity-adjacent attributions. According to CybersecurityDive, the new org chart is a sign the US is deprioritizing global cyber diplomacy efforts.

In this Risky Bulletin sponsor interview, Shane Harding, CEO of Devicie, talks to Tom Uren about trends in the enterprise software and security market that he thinks will have huge impacts. Software is becoming smarter and aims to solve problems rather than simply provide capabilities, and Microsoft has embarked on a big push into the SME security market.

Disney hacker gets three years: A former Disney World employee who hacked the company's menu software was sentenced to three years in prison. Michael Scheuer added profanity to the company's menus, removed allergen information, and changed wine regions to the locations of known mass shootings. Scheuer was arrested last year and pleaded guilty in January. The defacements were spotted after the menus were printed but before they were shipped to restaurants.

Court hacker arrested: Australian authorities have arrested a 38-year-old Sydney man for allegedly hacking the New South Wales court system and stealing sensitive documents. Additional coverage in ABC.

ToyMaker profile: Cisco Talos has published a profile on ToyMaker, a known initial access broker who compromises victims and sells access to data extortion groups. Their most common customer appears to be the Cactus ransomware group. They are also the developers of a backdoor known as LAGTOY or HOLERUN.

Power Parasites campaign: Silent Push looks at Power Parasites, a campaign using deceptive websites, social media groups, and Telegram channels to target Asian users with job and investment scams.

M365 campaign: Fortra analyzes a phishing campaign targeting the email accounts of Microsoft 365 orgs.

Darcula PhaaS: Netcraft has a profile on Darcula, a PhaaS platform that has grown to become one of the largest phishing kits on the market.

Mysterious DDoS botnet: Qrator Labs says it spotted last month a massive botnet consisting of over 1.33 million devices used in DDoS attacks against online betting portals. The company says this is the largest DDoS botnet it has ever seen.

DslogdRAT: Japan's CERT looks at DslogdRAT, a web shell deployed on hacked Ivanti Connect Secure devices, typically via CVE-2025-0282, a zero-day that was patched earlier this year. These initial attacks were linked to Chinese APT UNC5221, but it's unclear if DslogdRAT is their malware or may belong to a different group.

No race. No pressure. Just a better way forward to Windows 11, built for wherever you're at and wherever you're going. Visit devicie.com/windows11.

APT-C-27 Golden Rat: Qihoo 360 has spotted new desktop malware attacks from APT-C-27, a Middle East APT with a history of attacking Syrian opposition parties and Turkish organizations.

Void Dokkaebi / Famous Chollima: North Korean hackers are using a range of Russian IP addresses for offensive cyber operations. Trend Micro says the IPs are registered to two Russian companies based in two cities near the North Korean border. The IPs are used by rogue North Korean IT workers based out of China, Russia, and Pakistan. They were also used by a North Korean APT named Void Dokkaebi in cyber attacks against the cryptocurrency sector.

Lazarus Operation SyncHole: North Korean hackers used a watering hole attack and a zero-day vulnerability to infect employees at major South Korean tech companies. The attacks took place at the end of last year and exploited a zero-day in CrossEx, a security tool used in South Korea to secure enterprise browser environments. Targets were lured to a hacked website, where the attackers exploited the CrossEx zero-day to deploy malware on the victims' systems. Kaspersky attributed the attacks to North Korean APT the Lazarus Group.

Active Mail zero-day: Threat actors are exploiting a zero-day (CVE-2025-42599) in Active Mail, a popular Japanese email service provider. The zero-day allows attackers to take over webmail servers using specially crafted requests. The vendor patched the issue last week. There are no details available about the attacker.

SAP NetWeaver zero-day: A threat actor is exploiting a zero-day in SAP NetWeaver servers to gain access to enterprise networks. Security firm ReliaQuest first spotted the attacks earlier this week. SAP has released a security advisory for customers but no official patch. The attackers are exploiting a lack of authentication in a server component that allows them to upload web shells on SAP NetWeaver instances. The zero-day (CVE-2025-31324) has a CVSS severity rating of 10 due to its ease of exploitation.

Zyxel patches firewall RCE: Taiwanese equipment vendor Zyxel has released a security update to fix a two-bug combo that could be abused for remote code execution attacks. The security updates are available for the company's USG FLEX H series firewalls, one of the company's most successful enterprise products. Zyxel credited Italian researchers Alessandro Sgreccia from HackerHood and Marco Ivaldi from HN Security with finding the bugs.

Commvault RCE: watchTowr Labs has found an RCE bug (CVE-2025-34028) in the Commvault enterprise backup solution. The bug appears to affect only a cutting-edge release of the product and doesn't impact most of the userbase.

Harden-Runner sudo bug: Sysdig has published a technical report on a bug they found in Harden-Runner, a popular GitHub action. The bug would have allowed attackers to evade the disable-sudo security restriction and run commands with sudo privileges on a CI/CD pipeline.

FastCGI bug write-up: Synacktiv has published a technical breakdown of a memory corruption bug (CVE-2025-23016) in the FastCGI web server interface.

New UAC bypass technique: Security researcher RBC has published details on a new UAC bypass technique that abuses a folder created by the Intel graphics driver.

NVBleed attack: A team of academics has discovered a side-channel attack named NVBleed that can leak data from NVIDIA NVLink, a technology used to interconnect GPUs in multi-GPU environments such as cloud systems.

Acquisition news: DevSecOps company Socket Security has acquired AppSec company Coana.

MITRE EMB3D 2.0: MITRE has released version 2.0 of EMB3D, a threat model specifically designed for embedded devices.

New tool, Cloud Snitch: Infinite Athlete CTO Chris Brown has released Cloud Snitch, a tool inspired by the macOS Little Snitch tool, which tracks AWS account activity. The tool's source code is also available on GitHub.

New tool, Nimhawk: Security researcher Alejandro Parodi has released Nimhawk, a command and control framework written in Nim.

New tool, Curing rootkit: Security firm ARMO has released Curing, a Linux rootkit that abuses the io_uring IO interface.

Threat/trend reports: FBI IC3 (PDF), Ghost Security, Google Cloud, GreyNoise, Microsoft, Palo Alto Networks, Qrator Labs, Radware, Verizon, VulnCheck, and Wallarm have recently published reports and summaries covering various infosec trends and industry threats.

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss whether cyber operations can be strategic and affect the fate of nations.

Risky Business is now on YouTube with video versions of our main podcasts. Below is our latest weekly show with Pat and Adam at the helm.