SAN MATEO, CA, April 29, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
DragonForce ransomware strain developed using leaked LockBit builder
Cyber intelligence firm Cyble has revealed that a new ransomware strain called DragonForce was built with a leaked builder for LockBit ransomware. According to Cyble, “the discovery of DragonForce ransomware and its links to the leaked builder of LockBit Black ransomware underscores the growing threat posed by the abuse of leaked malware-building tools in cyberattacks. The accessibility of such tools enables threat actors to customize and deploy ransomware payloads with ease, amplifying the risk landscape for organizations globally.” It is unclear who is behind the new strain, as unusual overlaps between the victims claimed by LockBit and by DragonForce have muddied the waters. A Malaysian hacktivist group also called DragonForce was active in 2021 and 2022, but it is unknown whether it has any connection to this new variant.
New Brokewell Android banking trojan captures every event on the infected device
Researchers at ThreatFabric have discovered a new malware family called Brokewell that can capture every event on an infected device, from the information displayed on screen to the applications used, via the user’s touch data. A banking trojan, Brokewell’s primary function is to steal data and allow attackers to control an infected device remotely. The malware was developed by Baron Samedit, who has been selling tools for checking stolen accounts for the last two years. It is spread via a fake Google Chrome update and remains under active development. To avoid infection, users are urged not to download apps or updates from outside the Google Play store.
Russian hackers claim credit for attack on Indiana water treatment facility
A cyberattack against a Tipton, Indiana, water treatment plant on April 19 has been claimed by the “People’s Cyber Army of Russia” on social media. A statement issued by the facility says that “the Indiana Department of Environmental Management was notified of a possible cybersecurity breach at the Tipton West Wastewater Treatment Plant. The facility’s staff noticed irregular activity through standard process monitoring of plant operations. Facility staff quickly transitioned operations to manual control during the event.” The attack resulted in minimal disruption, and CISA is investigating the incident. It follows a recent warning from the White House that water treatment plants, due to outdated technology and understaffing, are particularly vulnerable to cyberattacks.
Iranian hackers infiltrate US contractors and government agencies in years-long campaign
A recently unsealed US Justice Department indictment revealed that, from 2016 to 2021, hundreds of thousands of employee accounts at US companies and government agencies were infiltrated by an elite group of state-sponsored Iranian hackers. Four Iranian nationals have been indicted for the campaign, which had the goal of obtaining military secrets and involved social engineering efforts such as posing as an Iranian company offering “cybersecurity services” and posing as women interested in romantic relationships. Victims clicked a malicious link delivered via email, which resulted in the execution of custom malware. The State Department is offering a $10 million reward for information leading to the perpetrators, who remain at large.
TikTok ban bill passed in US Congress heads to the desk of President Biden
The official ban of TikTok, at least in its current form, has passed as a bill in the US Congress and is now ready to be sent to the desk of President Biden, who had already stated that he would sign it if it reached him. The bill gives Chinese company ByteDance a year to either remove TikTok from the US market or sell its US business to an American company or one based in an allied country. The app has come under fire due to its alleged association with the Chinese government and concerns that it could be used to gather data on US citizens and launch influence campaigns designed to undermine the US government and the electoral process. TikTok’s head of public policy for the Americas has vowed to fight the legislation in court, claiming that the ban violates First Amendment rights.
UnitedHealth says it paid ransomware attackers to prevent data leak
It’s been a tumultuous period for the UnitedHealth Group. It first succumbed to a cyberattack from ALPHV, which cost it a $22 million ransom, and then faced a second extortion attempt from a group called RansomHub after a threat actor called Notchy claimed that the ALPHV gang had made off with the ransom while leaving Notchy still in possession of a trove of stolen data. UnitedHealth is now reporting that it appears to have given in to RansomHub and Notchy’s demands as part of its commitment to “do all it could to protect patient data from disclosure.” UnitedHealth assures customers that only 22 screenshots of stolen files were ever posted on the dark web as a result of the attacks. Two years of credit monitoring and a dedicated call center have been set up for affected customers.
NSA publishes new AI secure deployment guidance
The US National Security Agency’s (NSA) Artificial Intelligence Security Center (AISC) has published its first guidance document on the secure deployment of AI systems. Developed in collaboration with the Five Eyes international alliance, the guide offers a list of best practices divided into three categories: secure the deployment environment, continuously protect the AI system, and secure AI operation and maintenance. The document breaks these categories into further recommendations designed to mitigate the risks associated with the emerging technology. “In the end, securing an AI system involves an ongoing process of identifying risks, implementing appropriate mitigations, and monitoring for issues,” says the report.
Victims far less likely to pay ransomware demands in Q1 2024
In what will hopefully be a continuing trend, a report from cybersecurity firm Coveware shows that companies infected with ransomware are less likely to give in to threat actor demands than at any previous point in time. According to its findings, only 28% of companies hit with an attack ended up paying the criminals responsible in the first quarter of 2024. The downturn is attributed to a combination of factors, including better cybersecurity protection and increased pressure not to pay ransoms, not least because criminals often do not hold up their end of the bargain after payment is received. However, the monetary amount of the ransoms that were paid has increased.
Chinese hackers poised to devastate US infrastructure
FBI Director Christopher Wray, at a Vanderbilt University-hosted summit on emerging threats, issued a dramatic warning about Chinese state-sponsored threat actors and their ability to “wreak havoc” on the US at “just the right moment.” Wray said that China’s “plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.” The FBI has mobilized efforts around the globe in response to these activities, working in tandem with US Cyber Command, the CIA, and foreign law enforcement to disrupt the operations. However, Wray also noted that Chinese hackers outnumber FBI cyber personnel by at least 50 to 1 and have targeted a wide range of sectors in their efforts to dig in and maintain a persistent presence.
North Korean hackers use AI to streamline cyber espionage
Microsoft has warned that threat actors linked to the North Korean government have been using AI to “make their operations more efficient and effective.” Specifically, the report calls out a threat group called Emerald Sleet for its apparent use of LLMs to enhance spear-phishing campaigns targeting Korean Peninsula experts. An additional report, courtesy of enterprise security firm Proofpoint, says that the group “engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime.” All this is occurring while state-sponsored North Korean hackers continue to run crypto-stealing campaigns designed to funnel revenue into the country’s weapons programs.