Belarus, Not Russia, Is Behind Anti-NATO Information Ops Mandiant Says
Facebook took down Pakistan hacking group, Hackers compromised Middle East Eye website, Android banking trojan SharkBot can hijack users' phones, Intel is fixing flaw that can defeat security, more
Researchers at Mandiant say that a group of hackers behind anti-NATO information operations known as Ghostwriter are, in fact, Belarusian, and not, as cybersecurity researchers concluded, Russian.
Since last year's election, 16 of 19 Ghostwriter disinformation operations focused on narratives that disparage the Lithuanian and Polish governments, neighbors of Belarus. Two focused negatively on NATO, and one criticized the EU. (Lily Hay Newman / Wired)
Facebook researchers said that hackers from Pakistan used Facebook to target people in Afghanistan with connections to the previous government during the Taliban's takeover.
Facebook said the group, known as SideCopy, shared links to websites hosting malware that could surveil people's devices. Targets included people connected to the government, military, and law enforcement in Kabul. Facebook took down SideCopy from its platform in August. (Elizabeth Culliford / Reuters)
Researchers at ESET said that a group of hackers compromised a popular London-based news website, Middle East Eye, intending to hack its visitors.
In a hacking campaign from March 2020 until August of this year, the group compromised around 20 websites, including Middle East Eye, using watering hole attacks. ESET researchers say that the hackers also compromised several government websites in Iran, Syria, and Yemen and the sites of an Italian aerospace company and a South African government-owned defense conglomerate. The attacks were facilitated by Israeli spyware vendor Candiru, which has been sanctioned by the U.S. (Lorenzo Franceschi-Bicchierai / Motherboard)
Researchers at Sucuri say that hackers defaced hundreds of WordPress sites over the weekend with a message claiming they encrypted the sites’ data in what the researchers describe as “fake ransomware.”
The campaign hit at least 300 sites. The attack appears to be a form of “scareware” meant to frighten non-technical website owners into paying the ransom demand. It has failed thus far, perhaps because the ransom message only appears on a few selected pages of a site’s domain and not the entire website. (Catalin Cimpanu / The Record)
Researchers from mobile security firms Cleafy and Threat Fabric say they discovered a new Android banking trojan called SharkBot capable of hijacking users’ smartphones and emptying e-banking and cryptocurrency accounts.
SharkBot appears to rely on tricking users into downloading and manually installing (side-loading) the apps on their devices, a practice that Google has constantly warned against. (Catalin Cimpanu / The Record)
Intel is fixing a vulnerability that allows unauthorized people with physical access to install malicious firmware on the chip to defeat a variety of measures, including protections provided by Bitlocker, trusted platform modules, anti-copying restrictions, and others.
The vulnerability affects Pentium, Celeron, and Atom CPUs on the Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms. It allows skilled hackers with an affected chip to run it in debug testing modes used by firmware developers. The attack requires brief physical access to a vulnerable device but only requires ten minutes to complete. (Dan Goodin / Ars Technica)
The U.K.’s digital secretary, Nadine Dorries, told the Competition and Markets Authority (CMA) it should conduct a phase two investigation into chipmaker Nvidia’s planned $40 billion purchase of U.K.-based chip designer ARM to examine the competitive and national security implications of the deal.
The CMA’s phase one report recommended a deeper probe on competition grounds but did not decide on the national security issue. (Natasha Lomas / TechCrunch)
npm's parent company GitHub has disclosed two security flaws identified and resolved in the npm registry between October and this month. npm is the largest software registry of Node.js packages.
The first flaw concerns leak of names of private npm packages on the npmjs.com's 'replica' server, feeds from which are consumed by third-party services. The second flaw allows attackers to publish new versions of any existing npm package that they do not own or have rights to due to improper authorization checks. (Ax Sharma / Bleeping Computer)
Under President Biden’s executive order released in May, the Cybersecurity and Infrastructure Security Agency issued new playbooks to guide federal agencies’ response to cybersecurity incidents and software vulnerabilities.
Much of the guidance focuses on the preparation required from federal departments in anticipation of future cyberattacks. The playbooks also call for civilian agencies with advanced defensive capabilities and staff to establish active defense capabilities. (John Hewitt Jones / Fedscoop)
Security researcher Bob Diachenko discovered that one of the internet’s top 5 adult cam sites, StripChat, suffered a security breach that leaked the personal data of millions of users and adult models.
Diachenko said the exposed servers leaked a treasure trove of highly-sensitive information, including data of 65 million users registered on the site, 421,000 models broadcasting on the site, 134 million transactions, and 719,000 chat messages saved in a moderation database. (Catalin Cimpanu / The Record)
The UK’s National Cyber Security Centre (NCSC) said it tackled a record number of cyber incidents in the UK over the last year, an unprecedented 777 incidents, up 7.5% from the 723 incidents the previous year. NCSC said that ransomware attacks originating from Russia dominated its activities.
The health sector and, in particular, the vaccine rollout was a significant focus for the NCSC over the past year. (Dan Sabbagh / The Guardian)
BBC reporter Joe Tidy went to Russia to track down Russian cybercriminals indicted by the U.S. Justice Department, including Maksim Yakubets and Igor Turashev. With other members of the cybercrime gang Evil Corp., they are accused of stealing or extorting more than $100m in hacks affecting 40 different countries.
Indictments prevent the hackers from traveling abroad, while sanctions freeze any assets they have in the West and ban them from doing business with Western firms. Tidy did manage to reach Yakubets’ father who claimed he hadn’t had any contact with his son since the U.S. indictment. Yakubets’ father says he and his family live in fear due to a $5 million reward for information leading to his son's arrest. (Joe Tidy / BBC News)
Joe Tidy @joetidyEvil Corp: 'My hunt for the world's most wanted hackers'. Many people on the FBI's Cyber Most Wanted list are Russian. If they left Russia they'd be arrested but at home they appear to be given free rein. Me and @skazal_on went to try to find them https://t.co/EQcdHlzEdh
The recent hack at app-based investment platform Robinhood also impacted thousands of phone numbers, the company confirmed.
A copy of the stolen phone numbers from a source who presented themselves as a proxy for the hackers revealed that the stolen data includes 4,400 phone numbers. Initially, Robinhood said that the breach included the email addresses of 5 million customers, the full names of 2 million customers, and other data from a smaller group of users. (Joseph Cox / Motherboard)
According to security researcher Tommy Mysk, the Mail Privacy Protection features introduced in iOS 15, which help prevent an email sender from gaining any information about a recipient's activity within the Mail app, don't apply to the Mail app within the Apple Watch.
In a test, Mysk showed that both the Mail app itself and the notification preview on the Apple Watch downloads remote content included in an email using the device's IP address, allowing for tracking to occur. It is unknown if the problem is a bug within watchOS or if it Apple has simply not enabled it. (Malcolm Owen / Apple Insider)
Extended detection and response startup Stellar Cyber raised $38 million in a Series B Venture Funding Round.
Highland Capital Partners led the round with full participation from all existing investors, including Valley Capital Partners, SIG, Northern Light Venture Capital, and new strategic investor Samsung. (Duncan Riley / SiliconANGLE)
Threat hunting startup SnapAttack raised $8 million in a Series A venture funding round following its spinoff from IT consulting firm Booz Allen Hamilton.
Volition Capital led the round with participation from Strategic Cyber Ventures (SCV) and Booz Allen Hamilton. (Carly Page / TechCrunch)
DefenseStorm, which provides cloud-based cybersecurity, cyber compliance, and cyberfraud management to regional and community banks and credit unions, raised $5 million from Curql Collective through its Strategic Investment Fund.
The DefenseStorm GRID is a co-managed, cloud-based, and compliance-automated solution of its kind, operating as a technology system and as a service supported by experts in FI security and compliance. (Business Wire)
External threat hunting firm Team Cymru has acquired threat surface management firm Amplicy.
Team Cymru CEO Rabbi Rob said that “By combining our unique visibility to the attack surface management problem that Amplicy solves with its real-time Internet asset discovery, we will deliver the first real-time, comprehensive third-party infrastructure analysis to eliminate attack surface blind spots and improve our clients’ ability to make cyber risk-based decisions.” (Kevin Townsend / Security Week)