CyberSecurity Newsletter, 23rd November 2024
In this week's news: Lazarus hackers target the nuclear power sector, LockBit might be back with a new RaaS, CISA urges mobile users to move away from unencrypted text messages, the alleged developer of the LockBit RaaS has been arrested, and experts uncovered a botnet of 190,000 Android devices infected by BadBox.
Threat actors associated with the notorious North Korean hacking outfit Lazarus Group are now setting their sights on targets in the nuclear power sector, according to researchers at Kaspersky. The cybersecurity vendor reports that the group has been seeking to compromise nuclear organizations as part of an effort to step up its game and infect high-value targets. The researchers say the infections are part of a complex and sophisticated effort by the North Korean hackers to infiltrate companies operating in sectors such as defense, aerospace, and cryptocurrency, and that nuclear industry organizations are now being added to the list of targets:
https://www.scworld.com/news/north-korean-hackers-targeting-workers-in-nuclear-power-sector
The LockBit ransomware group could be making a comeback after months of struggling to maintain its criminal activity following its takedown in February 2024. On December 19, LockBitSupp, the persona allegedly run by the admins of the ransomware-as-a-service (RaaS) group, announced on its website that the group would launch a new version of its ransomware, LockBit 4.0:
https://www.infosecurity-magazine.com/news/lockbit-admins-tease-a-new/
Mobile users in the US should swiftly move away from using unencrypted SMS and adopt phishing-resistant multifactor authentication (MFA), the latest guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) has urged. The guidance was prompted by the threat posed by Chinese-affiliated threat groups, including Salt Typhoon. This advanced persistent threat (APT) group recently targeted at least eight US telecommunications firms in a massive cyber espionage campaign:
https://www.infosecurity-magazine.com/news/cisa-e2e-messaging-salt-typhoon/
How a ransomware investigation linked Russian money laundering and street-level drug dealing:
https://therecord.media/operation-destabilise-money-laundering-investigation-uk-nca
Cybersecurity incident reports among public companies have increased by 60% since the Securities and Exchange Commission adopted its new cyber disclosure rules last year, with over three-quarters of disclosures submitted within eight days of incident discovery. However, growing hesitancy, together with the difficulty of completing the immediate intrusion assessments needed to avoid SEC penalties, means that only about a tenth of this year's incident disclosures describe the incident's materiality:
https://www.scworld.com/brief/cyber-incident-disclosures-to-sec-spike
A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation from its inception in or around 2019 through at least February 2024. Rostislav Panev, 51, was arrested in Israel in August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a statement. Based on fund transfers to a cryptocurrency wallet owned by Panev, he allegedly earned approximately $230,000 between June 2022 and February 2024:
https://thehackernews.com/2024/12/lockbit-developer-rostislav-panev.html
Sophos has addressed three vulnerabilities in its Sophos Firewall product that could allow remote, unauthenticated threat actors to perform SQL injection, achieve remote code execution, and gain privileged SSH access to devices. The vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and older; the company has already released hotfixes, which are installed by default, with permanent fixes arriving in new firmware updates:
https://www.bleepingcomputer.com/news/security/sophos-discloses-critical-firewall-remote-code-execution-flaw/
Romanian national Daniel Christian Hulea, 30, was sentenced to 20 years in prison for his role in NetWalker ransomware attacks. Hulea pleaded guilty on June 20 to computer fraud conspiracy and wire fraud conspiracy for his part in NetWalker attacks against organizations worldwide, including healthcare organizations during the COVID-19 pandemic. He admitted to extorting 1,595 bitcoin (~$21.5M) in ransom payments:
https://securityaffairs.com/172182/cyber-crime/romanian-national-was-sentenced-to-20-years-netwalker-attacks.html
A new Microsoft 365 phishing-as-a-service (PhaaS) platform called "FlowerStorm" is growing in popularity, filling the void left by the sudden shutdown of the Rockstar2FA cybercrime service. First documented by Trustwave in late November 2024, Rockstar2FA operated as a PhaaS platform facilitating large-scale adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 credentials. The service offered advanced evasion mechanisms, a user-friendly panel, and numerous phishing options, selling cybercriminals access for $200 per two weeks:
https://www.bleepingcomputer.com/news/security/new-flowerstorm-microsoft-phishing-service-fills-void-left-by-rockstar2fa/
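The CISA guidance above asks for "phishing-resistant" MFA, and the Rockstar2FA/FlowerStorm item shows the attack it is resistant to: an AiTM proxy that sits between the victim and the real sign-in page and relays every message. The following simulation is an added example written for this newsletter; it is not code from CISA, Trustwave, Sophos, or any of the linked articles. It models a relying party offering two second factors, an SMS one-time code and an origin-bound WebAuthn-style challenge/response, and runs both through a relay proxy. The origins, the "alice"/"hunter2" account, and the use of an HMAC under a per-credential secret in place of a real public-key signature are all assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the real sign-in page and the AiTM phishing front end.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-com.test"


class RelyingParty:
    """Toy identity provider with two second factors: SMS OTP and an origin-bound
    WebAuthn-style challenge/response. The authenticator's signature is replaced by
    an HMAC under a per-credential secret so the example runs with the stdlib only."""

    def __init__(self):
        self.cred_keys = {"alice": secrets.token_bytes(32)}  # constructed registered credential
        self.pending_otp, self.pending_challenge = {}, {}

    def otp_start(self, user, password):
        if user != "alice" or password != "hunter2":  # constructed account
            return None
        self.pending_otp[user] = f"{secrets.randbelow(10**6):06d}"
        return self.pending_otp[user]  # delivered by SMS; nothing binds it to a site

    def otp_finish(self, user, code):
        ok = code is not None and self.pending_otp.pop(user, None) == code
        return secrets.token_hex(16) if ok else None  # session token on success

    def webauthn_start(self, user):
        self.pending_challenge[user] = secrets.token_bytes(32)
        return self.pending_challenge[user]

    def webauthn_finish(self, user, client_data, signature):
        data = json.loads(client_data)
        challenge = self.pending_challenge.pop(user, None)
        if challenge is None or bytes.fromhex(data["challenge"]) != challenge:
            return None
        if data["origin"] != REAL_ORIGIN:  # origin binding: this is what defeats AiTM relaying
            return None
        mac = hmac.new(self.cred_keys[user], client_data.encode(), hashlib.sha256).digest()
        return secrets.token_hex(16) if hmac.compare_digest(mac, signature) else None


class VictimBrowser:
    """Browser plus platform authenticator; the browser knows which origin it is on."""

    def __init__(self, rp, page_origin, user="alice"):
        self.page_origin, self.cred_key = page_origin, rp.cred_keys[user]

    def sign_challenge(self, challenge):
        # The browser, not the page's script, writes `origin` into clientData,
        # so a phishing page cannot claim to be the real site.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": self.page_origin},
            sort_keys=True)
        return client_data, hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).digest()


class AitmProxy:
    """Reverse proxy in the Rockstar2FA/FlowerStorm style: relays every message
    between victim and real site and keeps whatever session comes back."""

    def __init__(self, rp):
        self.rp = rp

    def phish_otp(self, user, password_typed_by_victim):
        code = self.rp.otp_start(user, password_typed_by_victim)  # relayed to the real site
        return self.rp.otp_finish(user, code)  # victim copies the SMS code into the phishing page

    def phish_webauthn(self, user, victim_browser):
        challenge = self.rp.webauthn_start(user)  # relayed to the victim unchanged
        client_data, sig = victim_browser.sign_challenge(challenge)
        return self.rp.webauthn_finish(user, client_data, sig)


def otp_attack_succeeds():
    rp = RelyingParty()
    return AitmProxy(rp).phish_otp("alice", "hunter2") is not None


def webauthn_attack_blocked():
    rp = RelyingParty()
    return AitmProxy(rp).phish_webauthn("alice", VictimBrowser(rp, PHISH_ORIGIN)) is None


def webauthn_legit_login_works():
    rp = RelyingParty()
    browser = VictimBrowser(rp, REAL_ORIGIN)
    client_data, sig = browser.sign_challenge(rp.webauthn_start("alice"))
    return rp.webauthn_finish("alice", client_data, sig) is not None


if __name__ == "__main__":
    print("SMS OTP relayed through AiTM proxy, attacker gets session:", otp_attack_succeeds())
    print("origin-bound factor relayed, attacker blocked:", webauthn_attack_blocked())
    print("origin-bound factor from real origin, user logs in:", webauthn_legit_login_works())
```

The point the simulation makes is that the SMS code is just a secret the user can be talked into typing anywhere, so a relay proxy wins without breaking anything. The origin-bound factor fails at the relying party because the browser, not the phishing page, records the origin the user was actually on, and the signed assertion for the phishing origin is rejected. Real WebAuthn also checks the RP ID and uses asymmetric signatures over clientDataJSON and authenticator data, which the HMAC stand-in here does not model.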
North Korean hackers have stolen $1.34 billion worth of cryptocurrency across 47 cyberattacks that occurred in 2024, according to a new report by blockchain analysis company Chainalysis. This amount represents 61% of the total stolen funds for the year, marking a year-over-year increase of 21%:
https://www.bleepingcomputer.com/news/security/north-korean-hackers-stole-13-billion-worth-of-crypto-this-year/
Experts uncovered a botnet of 190,000 Android devices infected by the BadBox malware, primarily Yandex smart TVs and Hisense smartphones:
https://securityaffairs.com/172191/malware/190000-android-devices-infected-by-badbox.html