U.S., UK, and Australian Security Authorities Warn of Malicious Cyber Activity by Iran

Lacework raised $1.3 billion in the biggest cybersecurity venture funding round ever, RedCurl hacking group carries on despite 2020 exposure, Evil maid attack almost hit Israel's defense chief, more

Check out my latest CSO column, which recaps the Cyberwarcon event, noting this year’s theme of “it’s not always Russia (or China).”

CISA, the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) warned in a joint Cybersecurity Advisory of malicious cyber activity associated with the government of Iran.

The hackers, who have at times gone by the alias “Elie” on victim systems, have targeted a U.S.-based children’s hospital and a municipal government and are eyeing attacks in the transportation sector and against other public health organizations. In addition, according to a report issued by Microsoft earlier this week, Iranian hacking gangs have been reaching out to targets with fake “interview requests,” only to try stealing their passwords in order to run ransomware attacks later.

The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of their advisory to reduce the risk of compromise by Iranian government-sponsored cyber actors. (Shannon Vavra / The Daily Beast)

Related: Cyber.gov.au, The Record, The Sun, CNN.com, The Hacker News, Threatpost, Security Week, Bleeping Computer, US-CERT Current Activity, TechCrunch, Radio Free Europe / Radio Liberty, The Persian Pasdaran, CIO News, ETTelecom.com, Security Affairs, Tech Times

According to a new report from security firm Group-IB, the RedCurl hacking group has continued to carry out new intrusions. It has breached at least four companies this year despite the exposure of its operations in August 2020.

RedCurl consists of Russian-speaking members who have primarily engaged in corporate espionage, targeting companies worldwide to steal documents containing commercial secrets and employee personal data. (Catalin Cimpanu / The Record)

Related: Cyberscoop, Group-IB

According to a new report by Flashpoint, high-ranking users and administrators of the Russian-speaking RAMP forum are now actively attempting to communicate with new forum members in machine-translated Chinese.

The most likely reason for this shift is that Russian ransomware gangs seek to build alliances with Chinese actors to launch cyber-attacks against U.S. targets, trade vulnerabilities, or even recruit new talent for their Ransomware-as-a-Service (RaaS) operations. The forum has reportedly had at least thirty new user registrations that appear to come from China.

Related: Infosecurity Magazine, Fudzilla, Flashpoint

A house cleaner, Omri Goren Gorochovsky, employed by Israeli Defense Minister Benny Gantz, was arrested on suspicion of attempting to contact the Iran-linked Black Shadow hacking group to provide them with sensitive information on the security chief.

Goren, whose record includes five convictions and 14 charges between 2002 and 2013, among them two bank robberies, burglary, and theft, offered to install a virus on the defense chief's personal computer. He also took pictures inside Gantz's home of his work desk, computers, phone, personal tablet, a box imprinted with IDF-related numerals, a router, an IP address, and his property tax receipts.

Israel’s internal security service Shin Bet said that while the suspect posed a potential danger to national security, he "was not exposed to classified material and subsequently none was passed on from him to the elements with whom he made contact.” (Yoav Zitun, Elisha Ben Kimon / Ynet News)

Related: Haaretz.com, Times of Israel

Netgear patched the fifth set of dangerous remote code execution bugs impacting its small office/home office (SOHO) routers this year.

According to GRIMM principal security researcher Adam Nichols, who discovered the issue in September, the vulnerability resides in the Universal Plug-and-Play (UPnP) function. GRIMM found that a total of 61 router models were impacted. (Catalin Cimpanu / The Record)

Related: The Hacker News

According to records requests by the Brennan Center for Justice, the Los Angeles Police Department (LAPD) in 2019 trialed social media surveillance software from the analytics company Voyager Labs. The Department’s trial with Voyager ended in November 2019. However, after that, it continued to access some of the technology and spent more than a year trying to finalize a formal contract.

Voyager Labs’ software allows law enforcement to collect and analyze large troves of social media data to investigate crimes or monitor potential threats. In its pitch to the LAPD, Voyager said it could collect data on a suspect’s online network and surveil the accounts of thousands of the suspect’s “friends.” The company also said its artificial intelligence could discern people’s motives and beliefs and identify social media users who are most “engaged in their hearts” about their ideologies. Moreover, Voyager Labs said its tools could allow agencies to monitor undercover using fake social media profiles. (Sam Levin and Johana Bhuiyan / The Guardian)

Researchers at Cisco Talos discovered a malicious campaign using a technique called domain fronting to hide command-and-control traffic. The technique was used against a legitimate domain owned by the Myanmar government to route communications to an attacker-controlled server to evade detection.

The attack, observed in September 2021, deployed Cobalt Strike payloads as a stepping stone for launching further attacks. The adversary used a domain associated with the Myanmar Digital News network, a state-owned digital newspaper, as a front for their beacons. Cobalt Strike is a popular red-team tool used by penetration testers to emulate threat actor activity in a network. (Ravie Lakshmanan / The Hacker News)

Related: Cisco Talos
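Domain fronting works because the hostname in the TLS handshake (the SNI, which is what DNS and network monitoring see) can differ from the HTTP Host header carried inside the encrypted tunnel, which is what the fronting CDN or server actually routes on. A forward proxy that performs TLS inspection sees both values and can flag the mismatch. The following Python script is an added illustration of that defender-side check and is not code from Cisco Talos or from the campaign write-up; the key=value log layout, the hostnames, and the sample lines are all constructed for the example.

```python
"""Flag possible domain fronting in TLS-inspecting proxy logs (added example).

A fronted request keeps a legitimate hostname in the TLS SNI while the
HTTP Host header names a different, attacker-chosen origin.  Where a proxy
decrypts traffic it can record both and a simple comparison surfaces the
mismatch.  The log format below is an assumed, vendor-neutral key=value
layout; hostnames and IPs are constructed placeholders.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Assumed log layout: "<ts> src=<ip> sni=<name> host=<name> dst=<ip> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) "
    r"dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: one host beacons every 30 s with a mismatched Host
# header, one benign request differs only by a "www." label, one line is junk.
SAMPLE_LOG = """\
2021-09-14T10:00:01Z src=10.0.0.5 sni=news.legit-site.example host=news.legit-site.example dst=203.0.113.10 bytes=1420
2021-09-14T10:00:31Z src=10.0.0.5 sni=news.legit-site.example host=beacon.attacker-c2.example dst=203.0.113.10 bytes=512
2021-09-14T10:01:01Z src=10.0.0.5 sni=news.legit-site.example host=beacon.attacker-c2.example dst=203.0.113.10 bytes=518
2021-09-14T10:01:31Z src=10.0.0.5 sni=news.legit-site.example host=beacon.attacker-c2.example dst=203.0.113.10 bytes=509
2021-09-14T10:02:00Z src=10.0.0.7 sni=www.shop.example host=shop.example dst=198.51.100.4 bytes=2200
this line is malformed and must be skipped, not crash the parser
"""


@dataclass(frozen=True)
class ProxyRecord:
    ts: str
    src: str
    sni: str
    host: str
    dst: str
    bytes_out: int


def parse_line(line: str) -> Optional[ProxyRecord]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Lower-case both names and drop any ":port" suffix from the Host header
    # so that cosmetic differences do not produce false mismatches.
    return ProxyRecord(
        ts=m["ts"],
        src=m["src"],
        sni=m["sni"].lower().rstrip("."),
        host=m["host"].lower().split(":")[0].rstrip("."),
        dst=m["dst"],
        bytes_out=int(m["bytes"]),
    )


def apex(hostname: str) -> str:
    """Crude registrable-domain approximation: the last two labels.

    Production code should use the Public Suffix List; this is enough to
    treat www.shop.example and shop.example as the same site.
    """
    return ".".join(hostname.split(".")[-2:])


def is_fronted(rec: ProxyRecord) -> bool:
    """True when SNI and Host header point at different registrable domains."""
    return apex(rec.sni) != apex(rec.host)


def find_fronting(log_text: str, min_requests: int = 3) -> List[dict]:
    """Group mismatched requests by (client, SNI, Host) and keep repeat offenders.

    Requiring several hits per tuple favours the periodic beaconing pattern a
    C2 channel produces over a single odd request.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_fronted(rec):
            continue
        counts[(rec.src, rec.sni, rec.host)] += 1
    return [
        {"src": src, "sni": sni, "host": host, "requests": n}
        for (src, sni, host), n in counts.most_common()
        if n >= min_requests
    ]


if __name__ == "__main__":
    for hit in find_fronting(SAMPLE_LOG):
        print(f"{hit['src']} -> SNI {hit['sni']} but Host {hit['host']} "
              f"({hit['requests']} requests)")
```

The check only works where the proxy terminates TLS; for traffic it cannot decrypt, the fallback is to compare the SNI against the destination IP's expected owner and to watch for the fixed-interval request timing that the grouping above rewards.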

A study by researchers from Stony Brook University and Palo Alto Networks found at least 1,220 Man-in-the-Middle (MitM) phishing websites are targeting popular online services like Instagram, Google, PayPal, Apple, Twitter, and LinkedIn with the goal of hijacking users' credentials and carrying out further follow-on attacks.

The researchers developed a new fingerprinting technique called PHOCA that makes it possible to identify MitM phishing kits in the wild by leveraging their intrinsic network-level properties, effectively automating the discovery and analysis of phishing websites. The MitM phishing kits discovered by the researchers were scattered primarily across the U.S. and Europe and relied on Amazon, DigitalOcean, Microsoft, and Google hosting services. The most targeted brands include Instagram, Google, Facebook, Microsoft Outlook, PayPal, Apple, Twitter, Coinbase, Yahoo, and LinkedIn. (Ravie Lakshmanan / The Hacker News)

Related: Catching Transparent Phish, Github

Cloud security giant Lacework announced it had raised $1.3 billion in a Series D round, marking the largest funding round in cybersecurity history.

Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, and Tiger Global Management led the round with participation from new investors, including Counterpoint Global (Morgan Stanley), Durable Capital, Franklin Templeton, General Catalyst, and XN. Coatue, Dragoneer, Liberty Global Ventures, Snowflake Ventures, and all existing investors also participated. (Kyle Wiggers / Venture Beat)

Related: ZDNet, Reuters, Lacework
