Cyber Threat Intelligence 25 December 2024
Malware
- iProov Discovers Major Dark Web Identity Farming Operation
"iProov, the world's leading provider of science-based solutions for biometric identity verification, has uncovered a significant dark web operation focused entirely on KYC bypass methods, as detailed in its Quarterly Threat Intelligence News Update for Q4 2024. This discovery, which represents a sophisticated approach to compromising identity verification systems through the systematic collection of genuine identity documents and images, demonstrates the evolving nature of identity fraud threats."
https://finance.yahoo.com/news/iproov-discovers-major-dark-identity-101000616.html
https://www.infosecurity-magazine.com/news/major-biometric-data-farming/
- DigiEver Fix That IoT Thing!
"In mid-November 2024, the Akamai SIRT discovered an uptick in activity targeting the URI /cgi-bin/cgi_main.cgi in our global network of honeypots. This activity appears to be part of a recent ongoing Mirai-based malware campaign dating back to at least October 2024. The vulnerability does not have a CVE assignment at this time, but it appears to have originally been discovered and published by Ta-Lun Yen from TXOne Research. In this publication, he attributed this remote code execution (RCE) vulnerability to multiple DVR devices, including the DigiEver DS-2105 Pro model. Our analysts determined the exploit attempts we observed were in line with this published vulnerability research."
https://www.akamai.com/blog/security-research/digiever-fix-that-iot-thing
https://www.bleepingcomputer.com/news/security/new-botnet-exploits-vulnerabilities-in-nvrs-tp-link-routers/
- Cyble Sensors Detect Attacks On Ivanti, PHP, SAML, Network Devices, And More
"Cyble honeypot sensors detected dozens of vulnerabilities under attack in the threat intelligence leader’s most recent sensor intelligence report, including fresh attacks on an Ivanti vulnerability. Threat actors also targeted vulnerabilities affecting PHP and the Ruby SAML library. Cyble’s Dec. 19 report noted that unpatched networks and IoT devices remain popular targets for hackers looking to breach networks and add to botnets. The report also looked at Linux and Windows exploits, common brute-force attacks, and phishing campaigns."
https://cyble.com/blog/cyble-sensors-detect-attacks-on-ivanti-php-saml-network-devices-and-more/
Breaches/Hacks/Leaks
- European Space Agency's Official Store Hacked To Steal Payment Cards
"European Space Agency's official web shop was hacked as it started to load a piece of JavaScript code that generates a fake Stripe payment page at checkout. With a budget over 10 billion euros, the mission of the European Space Agency (ESA) is to extend the limits of space activities by training astronauts and building rockets and satellites for exploring the mysteries of the universe. The web store licensed to sell ESA merchandise is currently unavailable, showing a message that it is “temporarily out of orbit.”"
https://www.bleepingcomputer.com/news/security/european-space-agencys-official-store-hacked-to-steal-payment-cards/
- Clop Ransomware Is Now Extorting 66 Cleo Data-Theft Victims
"The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands. The cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for conducting ransom payment negotiations. They also provided email addresses where victims can reach out themselves. In the notification on their leak site, Clop lists 66 partial names of companies that did not engage the hackers for negotiations. If these companies continue to ignore, Clop threatens to disclose their full name in 48 hours."
https://www.bleepingcomputer.com/news/security/clop-ransomware-is-now-extorting-66-cleo-data-theft-victims/
https://www.bankinfosecurity.com/online-extortion-gang-clop-threatens-cleo-hacking-victims-a-27146
- Today’s Insider Threat: Ardyss Edition
"DataBreaches was contacted yesterday by “0mid16B,” the same individual who was responsible for previously hacking The1 Card, Thailand’s most popular loyalty program. In their latest contact, they claim to have successfully attacked Ardyss[.]com and ArdyssLife[.]com, telling DataBreaches, “In December 2024, we breached and stole 596 GB of data from United States ArdyssLife[.]com and Ardyss[.]com server network. Ardyss International is a United States MLM company with annual revenue of > $958M.”"
https://databreaches.net/2024/12/24/todays-insider-threat-ardyss-edition/
- Postman Data Leaks: The Hidden Risks Lurking In Your Workspaces
"Sensitive data leaks in Postman workspaces pose significant risks, exposing API keys, credentials, and tokens that can lead to unauthorized access, data breaches, and reputational harm. A year-long investigation revealed over 30,000 publicly accessible workspaces leaking sensitive information, including business data and customer PII. Improper access controls, accidental sharing, and storing data in plaintext were major contributors to these vulnerabilities. Adopting best practices like using environment variables, limiting permissions, and implementing external secrets management is critical to mitigate these risks and secure collaborative development environments."
https://www.cloudsek.com/blog/postman-data-leaks-the-hidden-risks-lurking-in-your-workspaces
https://hackread.com/postman-workspaces-leak-api-keys-sensitive-tokens/
- American Addiction Centers Data Breach Impacts 422,000 People
"American Addiction Centers is notifying more than 422,000 people that their personal information was stolen in a recent data breach. The Brentwood, Tennessee-based organization provides inpatient and outpatient substance abuse treatment services through a network of rehabilitation facilities across multiple states. It employs over 2,700 people. The incident was identified on September 26, but the attackers had access to the organization’s servers for at least several days prior and stole certain data during that time."
https://www.securityweek.com/american-addiction-centers-data-breach-impacts-422000-people/
General News
- 2025 Is Going To Be a Bumpy Year For IoT
"In the Internet of Things (IoT) sector, 2025 is shaping up to be a politically charged year. Major global jurisdictions are set to implement device security regulations, coinciding with potential tariffs, shifting production dynamics, and rising geopolitical tensions. My advice for companies involved in manufacturing or using IoT devices? Prepare for the worst, but hope for the best."
https://www.helpnetsecurity.com/2024/12/24/iot-2025-security/
- AI-Driven Scams Are About To Get a Lot More Convincing
"McAfee’s predictions for 2025 highlight emerging threats that consumers may encounter as cybercriminals exploit advanced AI technology. From hyper-realistic deepfakes and live video scams to AI-driven phishing, smishing, and malware attacks, these predictions reveal how cybercriminals are using AI-powered tools to craft increasingly sophisticated and personalized cyber scams."
https://www.helpnetsecurity.com/2024/12/24/cybercriminals-ai-scams/
- How CISOs Can Make Smarter Risk Decisions
"In this Help Net Security interview, Gavin Reid, CISO at HUMAN Security, talks about the latest cybersecurity threats and how attackers are becoming more sophisticated. He explains the difficulties organizations encounter in detecting fraud and malicious bots while keeping the user experience intact. Reid also offers advice for CISOs on how to strike a balance between security and business innovation."
https://www.helpnetsecurity.com/2024/12/24/gavin-reid-human-security-ciso-cybersecurity-threats/
- 14 Million People Don’t Know How To Erase Their Data From An Old Device
"New figures reveal that three in 10 UK adults (29%) don’t know how to wipe their personal information from an old device or tech product. With the festive period looming, over a quarter (27%) of UK adults are planning to treat themselves to a new device this Christmas. However, our latest poll found that the average Brit has three unused devices sitting at home. Three-quarters (75%) of people have held onto at least one old device, with a fifth (20%) having done so because they are worried about their personal information."
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/12/14-million-people-don-t-know-how-to-erase-their-data-from-an-old-device/
https://www.theregister.com/2024/12/24/uk_device_data_deletion/
- FBI Links North Korean Hackers To $308 Million Crypto Heist
"The North Korean hacker group ‘TraderTraitor’ stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May. In a short post, the FBI attributed the attack to the state-affiliated threat actor TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces. The crypto heist occurred in May 2024 and forced the platform to restrict account registration, cryptocurrency withdrawals, and trading until the completion of the investigations."
https://www.bleepingcomputer.com/news/security/fbi-links-north-korean-hackers-to-308-million-crypto-heist/
https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom
https://thehackernews.com/2024/12/north-korean-hackers-pull-off-308m.html
https://www.infosecurity-magazine.com/news/us-japan-north-korea-crypto-heist/
https://www.securityweek.com/fbi-blames-north-korea-for-308m-cryptocurrency-hack-as-losses-surge-in-2024/
- Too Much 'Trust,' Not Enough 'Verify'
"Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated "trust but verify" cybersecurity strategy. This approach assumes that any user or device inside a company's network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever."
https://www.darkreading.com/cyberattacks-data-breaches/too-much-trust-not-enough-verify
- DNSSEC Denial-Of-Service Attacks Show Technology's Fragility
"A pair of attacks revealed by researchers this year underscored the fragility of the Domain Name System (DNS) and the security extensions (DNSSEC) that were adopted to help secure the world's internet infrastructure. For the past year, Internet infrastructure firms and software makers have worked to patch DNS servers for a critical set of flaws in DNSSEC. Originally discovered more than a year ago by four researchers at Goethe-Universität Frankfurt and Technische Universität Darmstadt, the so-called KeyTrap denial-of-service (DoS) attack could trick DNS servers into spending hours attempting to validate signatures on specially created DNSSEC packets, according to their presentation at the Black Hat Europe 2024 conference earlier this month."
https://www.darkreading.com/cloud-security/dnssec-denial-of-service-attacks-show-fragility
- 2024 Trends: Were They Accurate?
"The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity. Here are five trends that were often predicted for 2024."
https://securityintelligence.com/articles/2024-trends-were-they-accurate/
References
Electronic Transactions Development Agency (ETDA)