THN Cybersecurity Recap

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.

Get the scoop before it's too late!

⚡ Threat of the Week

Double Trouble: Evil Corp & LockBit Fall: A consortium of international law enforcement agencies took steps to arrest four people and take down nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation. In tandem, authorities outed a Russian national named Aleksandr Ryzhenkov, who was one of the high-ranking members of the Evil Corp cybercrime group and also a LockBit affiliate. A total of 16 individuals who were part of Evil Corp have been sanctioned by the U.K.

🔔 Top News

  • DoJ & Microsoft Seize 100+ Russian Hacker Domains: The U.S. Department of Justice (DoJ) and Microsoft announced the seizure of 107 internet domains used by a Russian state-sponsored threat actor called COLDRIVER to orchestrate credential harvesting campaigns targeting NGOs and think tanks that support government employees and military and intelligence officials.
  • Record-Breaking 3.8 Tbps DDoS Attack: Cloudflare revealed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. The attack is part of a broader wave of over a hundred hyper-volumetric L3/4 DDoS attacks that have been ongoing since early September 2024 targeting financial services, Internet, and telecommunication industries. The activity has not been attributed to any specific threat actor.
  • North Korean Hackers Deploy New VeilShell Trojan: A North Korea-linked threat actor called APT37 has been attributed as behind a stealthy campaign targeting Cambodia and likely other Southeast Asian countries that deliver a previously undocumented backdoor and remote access trojan (RAT) called VeilShell. The malware is suspected to be distributed via spear-phishing emails.
  • Fake Trading Apps on Apple and Google Stores: A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims as part of what's called a pig butchering scam. The apps are no longer available for download. The campaign has been found to target users across Asia-Pacific, Europe, Middle East, and Africa. In a related development, Gizmodo reported that Truth Social users have lost hundreds of thousands of dollars to pig butchering scams.
  • 700,000+ DrayTek Routers Vulnerable to Remote Attacks: As many as 14 security flaws, dubbed DRAY:BREAK, have been uncovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. The vulnerabilities have been patched following responsible disclosure.

📰 Around the Cyber World

  • Salt Typhoon Breached AT&T, Verizon, and Lumen Networks: A Chinese nation-state actor known as Salt Typhoon penetrated the networks of U.S. broadband providers, including AT&T, Verizon, and Lumen, and likely accessed "information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported. "The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."
  • U.K. and U.S. Warn of Iranian Spear-Phishing Activity: Cyber actors working on behalf of the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have targeted individuals with a nexus to Iranian and Middle Eastern affairs to gain unauthorized access to their personal and business accounts using social engineering techniques, either via email or messaging platforms. "The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials," the agencies said in an advisory. "Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors."
  • NIST NVD Backlog Crisis - 18,000+ CVEs Unanalyzed: A new analysis has revealed that the National Institute of Standards and Technology (NIST), the U.S. government standards body, has still a long way to go in terms of analyzing newly published CVEs. As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed, VulnCheck said, adding "46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024)." It's worth noting that a total of 25,357 new vulnerabilities have been added to NVD since February 12, 2024, when NIST scaled back its processing and enrichment of new vulnerabilities.
  • Major RPKI Flaws Uncovered in BGP's Cryptographic Defense: A group of German researchers has found that current implementations of Resource Public Key Infrastructure (RPKI), which was introduced as a way to introduce a cryptographic layer to Border Gateway Protocol (BGP), "lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges." These vulnerabilities range from denial-of-service and authentication bypass to cache poisoning and remote code execution.
  • Telegram's Data Policy Shift Pushes Cybercriminals to Alternative Apps: Telegram's recent decision to give users' IP addresses and phone numbers to authorities in response to valid legal requests is prompting cybercrime groups to seek other alternatives to the messaging app, including Jabber, Tox, Matrix, Signal, and Session. The Bl00dy ransomware gang has declared that it's "quitting Telegram," while hacktivist groups like Al Ahad, Moroccan Cyber Aliens, and RipperSec have expressed an intent to move to Signal and Discord. That said, neither Signal nor Session support bot functionality or APIs like Telegram nor do they have extensive group messaging capabilities. Jabber and Tox, on the other hand, have already been used by adversaries operating on underground forums. "Telegram's expansive global user base still provides extensive reach, which is crucial for cybercriminal activities such as disseminating information, recruiting associates or selling illicit goods and services," Intel 471 said. Telegram CEO Pavel Durov, however, has downplayed the changes, stating "little has changed" and that it has been sharing data with law enforcement since 2018 in response to valid legal requests. "For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3," Durov added.

🔥 Cybersecurity Resources & Insights

  • LIVE Webinars
  • Ask the Expert
    • Q: How can organizations reduce compliance costs while strengthening their security measures?
    • A: You can reduce compliance costs while strengthening security by smartly integrating modern tech and frameworks. Start by adopting unified security models like NIST CSF or ISO 27001 to cover multiple compliance needs, making audits easier. Focus on high-risk areas using methods like FAIR so your efforts tackle the most critical threats. Automate compliance checks with tools like Splunk or IBM QRadar, and use AI for faster threat detection. Consolidate your security tools into platforms like Microsoft 365 Defender to save on licenses and simplify management. Using cloud services with built-in compliance from providers like AWS or Azure can also cut infrastructure costs. Boost your team's security awareness with interactive training platforms to build a culture that avoids mistakes. Automate compliance reporting using ServiceNow GRC to make documentation easy. Implement Zero Trust strategies like micro-segmentation and continuous identity verification to strengthen defenses. Keep an eye on your systems with tools like Tenable.io to find and fix vulnerabilities early. By following these steps, you can save on compliance expenses while keeping your security strong.
  • Cybersecurity Tools
    • capa Explorer Web is a browser-based tool that lets you interactively explore program capabilities identified by capa. It provides an easy way to analyze and visualize capa's results in your web browser. capa is a free, open-source tool by the FLARE team that extracts capabilities from executable files, helping you triage unknown files, guide reverse engineering, and hunt for malware.
    • Ransomware Tool Matrix is an up-to-date list of tools used by ransomware and extortion gangs. Since these cybercriminals often reuse tools, we can use this info to hunt for threats, improve incident responses, spot patterns in their behavior, and simulate their tactics in security drills.

🔒 Tip of the Week

Keep an "Ingredients List" for Your Software: Your software is like a recipe made from various ingredients—third-party components and open-source libraries. By creating a Software Bill of Materials (SBOM), a detailed list of these components, you can quickly find and fix security issues when they arise. Regularly update this list, integrate it into your development process, watch for new vulnerabilities, and educate your team about these parts. This reduces hidden risks, speeds up problem-solving, meets regulations, and builds trust through transparency.

Conclusion

Wow, this week really showed us that cyber threats can pop up where we least expect them—even in apps and networks we trust. The big lesson? Stay alert and always question what's in front of you. Keep learning, stay curious, and let's outsmart the bad guys together. Until next time, stay safe out there!


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.