Hello there!
It's Monday, April 15, 2024. Happy Monday! As we embark on a new week full of possibilities, let's harness the fresh energy and motivation that each new beginning (hopefully!) brings 😎
🥳Thank you for subscribing last week and welcome our 2 new subscribers! As always, I truly value your trust and sincerely hope you will remain by my side 💪
Share the Weekly Digest with industry professionals who could use the latest updates from last week and save time ⌛
Weekly Digest - Issue #7
➡️List of selected news
Activists in Western Sahara targeted by mobile malware.
German companies hit with Rhadamanthys Stealer.
D-Link devices' vulnerabilities are being exploited.
LG fixed TV security flaws to stop unauthorized access.
Medusa cybercrime gang claims another US municipal attack.
Chinese hackers use AI to fuel US social tensions.
The German air force intercepted a Russian intelligence plane.
➡️My book of the week
Psychology of Intelligence Analysis (FREE PDF)
➡️Learning corner
The cyber mystery game anyone can play (FREE)
🗞️NEWS
📵 Activists in Western Sahara targeted by mobile malware.
TL;DR
Cisco Talos and Yahoo's teams uncovered malware targeting Sahrawi Arab Democratic Republic (SADR) activists.
Malware distributed via spearphishing emails, disguised as a Sahara Press Service app for Android.
Attackers use the app to steal information and execute arbitrary code on victims' devices.
The malware campaign, named by Talos as "Starry Addax," started in January 2023.
Amnesty International accused Moroccan authorities of similar attacks using NSO Group spyware; however, the operators of this campaign remain unidentified.
In January 2023, security researchers from Cisco Talos and Yahoo discovered a mobile malware campaign, code-named "Starry Addax," aimed at human rights activists in Western Sahara. The malicious Android app masquerades as a news service to infiltrate devices, enabling the attackers to steal information and take control of the devices. This spying effort seems focused on individuals previously targeted by such methods, as alleged by Amnesty International, although no direct link to Moroccan authorities or the NSO Group has been established. With its custom design for stealth, the malware presents a challenge for detection and analysis, while victims remain largely in the dark about the origin and purpose of these attacks. The geopolitical backdrop involves the long-standing dispute over the Western Sahara territory, primarily between Morocco and the Polisario Front, representing the Sahrawi people.
Read more…
🇩🇪 German companies hit with Rhadamanthys Stealer.
TL;DR
TA547, a known cybercriminal group, has targeted numerous German organizations in an invoice-themed phishing campaign using the Rhadamanthys information stealer.
This is the first time TA547 was observed deploying Rhadamanthys, and their activities included using a PowerShell script suspected to be generated by a large language model.
The phishing emails impersonate the German company Metro AG and include a password-protected ZIP file that unleashes the malware upon being opened.
Researchers suggest the sophisticated scripting might have been derived from artificial intelligence or copied from a source using generative AI.
The campaign showcases both technical evolution in TA547's operations with the use of new malware, and broader trends in cybercrime arsenal expansion including techniques like geofencing and encrypted HTML content in phishing campaigns.
The threat actor TA547 has launched a phishing attack against German firms using an information stealer malware known as Rhadamanthys. The phishing emails are disguised as communications from the German company Metro AG and contain malicious ZIP files which initiate the infection process. Experts from Proofpoint have noted the use of a sophisticated PowerShell script in the attack and suspect that it may have been generated by a large language model (LLM), indicating a potential use of AI technologies in cybercriminal methodologies. This campaign is a part of TA547's evolving strategy, which has previously included a variety of malware and ransomware delivery, and showcases the group's ongoing innovation to evade detection and successfully compromise targets.
Read more…
🚨 D-Link devices' vulnerabilities are being exploited.
TL;DR
CISA has added CVE-2024-3273 and CVE-2024-3272 to its Known Exploited Vulnerabilities list.
Federal agencies are urged to retire or replace affected D-Link devices by May 2.
Cybersecurity firms GreyNoise and ShadowServer report widespread attacks against older D-Link devices with storage capabilities.
Up to 92,000 devices may be at risk due to vulnerabilities in models DNS-320L, DNS-325, DNS-327L, and DNS-340L.
D-Link has announced that the affected devices are no longer supported and should be replaced, with no patch expected.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding certain D-Link devices that are subject to exploitation due to vulnerabilities identified as CVE-2024-3273 and CVE-2024-3272. CISA's announcement on Thursday compels federal agencies to eliminate the use of vulnerable devices by May 2. Cybersecurity organizations such as GreyNoise and ShadowServer have observed extensive attacks targeting these network-attached storage devices since April 4, following D-Link's advisory. An estimated 92,000 devices including models DNS-320L, DNS-325, DNS-327L, and DNS-340L are potentially susceptible to these security flaws. D-Link notified its customers that the affected models have reached their end-of-life and emphasized the need to retire and replace them, as ongoing use poses a threat to connected devices. Although exploit scripts and proof-of-concept code are publicly available, no fix is available, leaving the outdated equipment vulnerable.
Read more…
📺 LG fixed TV security flaws to stop unauthorized access.
TL;DR
Four new vulnerabilities were found in LG TVs affecting WebOS versions 4 to 7.
The bugs carry a severity rating of 9.1 out of 10 and allow for unauthorized user addition and device takeover.
CVE-2023-6317 and CVE-2023-6318 are critical bugs enabling the creation of privileged user profiles and full device control, respectively.
CVE-2023-6319 and CVE-2023-6320 could let attackers deploy malware and infiltrate smart home networks.
LG released patches on March 22 after initially being notified by Bitdefender on November 1.
Bitdefender has discovered four vulnerabilities in LG TVs using WebOS versions 4 through 7, with three rated at a severe 9.1 out of 10. These vulnerabilities could allow hackers to add users, escalate privileges, and deploy malware. LG addressed these issues and released updates on March 22. Initial scans revealed over 91,000 exposed devices worldwide, with notable numbers in South Korea, Finland, Sweden, the U.S., and Hong Kong. After the patch, the number of vulnerable devices dropped to approximately 87,500, highlighting a persistent risk to LG TV users.
Read more…
🇺🇸 Medusa cybercrime gang claims another US municipal attack.
TL;DR
Medusa ransomware gang claims responsibility for an attack on the Tarrant County Appraisal District in Fort Worth, Texas.
The group threatens to release 218 gigabytes of data unless a $100,000 ransom is paid within six days.
300 individuals' personal data may have been compromised according to a warning from county officials.
Jon Don Bobbitt, chief appraiser, confirmed the attack and stated that the FBI and the Texas Department of Information Resources have been alerted.
The Medusa gang has a track record of targeting organizations worldwide, including a recent attack on an Illinois county government and entities in Italy, Minnesota, France, Tonga, the Philippines, Canada, and a nonprofit organization.
The Medusa cybercrime gang has claimed credit for a ransomware attack on March 21, 2024, targeting the Tarrant County Appraisal District in Texas, which assesses property values in the Fort Worth area. They demand a ransom of $100,000 in exchange for not releasing the 218 gigabytes of stolen data. County officials have warned that personal data of nearly 300 people has been accessed. Jon Don Bobbitt, the district's chief appraiser, stated that comprehensive measures are being taken to secure the network and restore operations while cooperating with the FBI and the Texas Department of Information Resources. This event is the latest in a series of attacks by Medusa, which has previously targeted various organizations and government bodies across the globe, including in Italy, France, Tonga, the Philippines, and Canada, as well as a major nonprofit group.
Read more…
🇨🇳 Chinese hackers use AI to fuel US social tensions.
TL;DR
Microsoft's report reveals Beijing-linked hackers using AI to intensify social strife in the U.S. and influence foreign elections.
AI technologies were employed to fabricate visual and audio content, including AI-generated news anchors and inflammatory social media posts.
The misinformation campaign utilized 175 websites in 58+ languages, often delivering narratives detrimental to the U.S. image.
Google also issued alerts on China's growing use of AI in crafting disinformation operations aimed at the U.S.
North Korea's cyber activities, including the use of AI to enhance attacks on crypto firms, were also documented, with Microsoft and OpenAI disrupting the operations of the North Korean group Emerald Sleet.
A recent Microsoft report reveals that Chinese hackers have been leveraging AI technology to escalate social tensions in the United States and sway voter sentiment, particularly ahead of elections. The technology was used for generating provocative visual content and audio clips, such as those featuring a Taiwanese presidential candidate to influence Taiwanese voters. Microsoft Threat Intelligence witnessed for the first time the use of AI-generated content by a nation state in election interference.
The propaganda spread through a vast network of websites and fake social media accounts impersonating U.S. voters, stoking issues like drug use, immigration, and racial tension. Controversy-courting claims included a U.S. government weapon starting the Hawaii wildfires and Japan disposing of nuclear wastewater.
Google corroborated this tactic, observing China's turn to AI in disinformation operations. Meanwhile, North Korea continues its malicious cyber endeavours, now enhanced by AI, targeting primarily cryptocurrency exchanges and software supply chains. Microsoft, in partnership with OpenAI, acted against a North Korean group known as Emerald Sleet, which used AI for a range of activities from vulnerability research to spear-phishing campaign design.
Despite these revelations, Microsoft faces scrutiny for its handling of a previous Chinese cyberattack, which compromised the email accounts of notable U.S. figures, revealing a lapse in cybersecurity awareness and responsiveness.
Read more…
🛫 The German air force intercepted a Russian intelligence plane.
TL;DR
German Eurofighter jets intercepted a Russian Il-20 aircraft over the Baltic Sea.
The Russian plane was flying without a transponder, making it difficult to track and identify.
The incident occurred after Sweden joined NATO, increasing the alliance's presence around the Baltic Sea.
NATO has scrambled jets over 300 times in the past year to intercept Russian military aircraft near allied airspace.
The increased military activity is in response to heightened security concerns due to the ongoing war in Ukraine.
Germany's Luftwaffe deployed Eurofighter jets to intercept a Russian Il-20 aircraft flying over the Baltic Sea without a transponder. The interception highlights the tense aerial encounters in the region, which have become more frequent as NATO scrambles jets in response to Russian military flights near its airspace. This comes amid heightened security measures during the war in Ukraine, with over 300 such intercepts reported by NATO over the past year, primarily over the Baltic Sea. Sweden's recent accession to NATO adds to the alliance's defensive posture around the Baltic region.
Read more…
📖MY BOOK OF THE WEEK
Psychology of Intelligence Analysis
(Richards J. Heuer, Jr.)
"Psychology of Intelligence Analysis" by Richards J. Heuer, Jr. is a must-read for anyone looking to sharpen their critical thinking and decision-making skills, as it provides deep insights into overcoming inherent cognitive biases and improving information analysis.
This book is especially valuable for professionals in analysis-heavy fields (so not only CTI/OSINT folks), offering practical techniques to refine accuracy and judgment in interpreting complex data.
And it’s completely free to download from the CIA site (link below).
Here are some key highlights of the book:
Cognitive Biases in Intelligence Analysis: Heuer identifies the prevalence of cognitive biases such as confirmation bias, anchoring, and representativeness. He discusses how these biases can distort an analyst's judgement and lead to flawed conclusions.
Importance of Self-Awareness: Emphasizing the necessity for analysts to be aware of their own thought processes and biases, Heuer advocates for self-reflection and intellectual humility in the intelligence community.
Structured Analytical Techniques: The book highlights the value of using structured analytical methods, such as the Analysis of Competing Hypotheses (ACH), to systematically evaluate different scenarios and avoid jumping to conclusions based on limited or misleading information.
Perceptual and Cognitive Limits: Heuer explores how perception and memory can influence and sometimes hinder an analyst’s ability to interpret data accurately. He explains that awareness of these limitations is crucial for effective analysis.
Collaborative Efforts: Encouraging collaboration among analysts, Heuer points out that diverse viewpoints can help counteract individual biases and lead to more comprehensive and objective analysis.
Training and Education: The book underscores the importance of ongoing education and training in cognitive psychology and critical thinking skills to enhance analysts' abilities to perform their duties effectively.
Feedback Mechanisms: Heuer suggests implementing regular feedback loops and after-action reviews to help analysts learn from past experiences and continuously improve their analytical skills.
🧠LEARNING CORNER
1. KC7 Cyber (FREE)
Now let me introduce the KC7 Cyber project. Probably the best finding of this year (kudos to my friend Tomasz - @KozlowskiTomasz is his X account)
KC7 is a new way to learn cybersecurity that’s hands-on, fun, and engaging.
With KC7, you’ll learn key cybersecurity skills while getting practical experience that feels just like the real job. Perfect for beginners and puzzle enthusiasts alike, KC7 demystifies data analysis and cybersecurity principles, making them accessible and exciting for everyone – no technical background required!
2. HackTheBox Academy
🚀 Boost Your Cybersecurity Skills with HackTheBox Academy! 🚀
Dive into the exciting world of cybersecurity with HackTheBox Academy and transform your passion into expertise! 🛡️💻
Why HackTheBox Academy?
✅ Comprehensive Courses: From basics to advanced, designed for all skill levels.
✅ Practical Labs: Hands-on experience in a safe, virtual environment.
✅ Flexible Learning: Access courses anytime, anywhere.
✅ Community & Networking: Join a global community of cybersecurity enthusiasts.
✅ Career Opportunities: Enhance your resume with HTB certifications.
Join Now & Secure Your Future in Cybersecurity! 🔐🚀