CISA warns of Daixin Team
The Cybersecurity and Infrastructure Security Agency released a joint warning with the FBI on the Daixin ransomware group. The warning states the group has been actively targeting US businesses in the Healthcare and Public Health Sector since June 2022. CISA blames the group for multiple incidents at healthcare organizations, encrypting services and exfiltrating personally identifiable information on patients. Daixin primarily targets VPN services for initial access, then uses Remote Desktop Protocol to move laterally once inside. Its ransomware toolkit appears to be based on leaked Babuk Locker source code.
Exploit POCs used to host malware
Security researchers frequently publish proof-of-concept code for software vulnerabilities on GitHub. These PoCs help the security community verify fixes or determine the scope of a bug. But as with any other content on GitHub, they are unverified code that should be approached with caution. According to a new technical paper from the Leiden Institute of Advanced Computer Science, some of these PoCs actually include malware themselves. Looking at over 47,000 repositories from 2017 to 2021, researchers found 4893 deemed malicious, delivering malware ranging from remote access trojans to Cobalt Strike. Malicious PoCs picked up rapidly in 2019, with the study finding a year-over-year increase of over 400%. The authors contacted Bleeping Computer to show over 60 still-live repositories hosting malware PoCs.
Iranian nuclear agency hacked
Iran’s Atomic Energy Organization claims that a group acting on behalf of a foreign country broke into a subsidiary network, obtaining access to its email system. The group “Black Reward” claims responsibility for the attack. It leaked 50 gigabytes of emails on its Telegram channel. The data dump supposedly includes facility blueprints, communications, and other logs. It’s unclear if this contained classified information. Iran did not name a country involved in the attack. It previously blamed recent cyber attacks on infrastructure on the US and Israel.
(AP News)
How random is shuffling?
Security researcher Bruce Schneier highlighted academic work looking at randomness in the card shuffling techniques used at casinos. These techniques have to deal with the physical realities of manipulating cards as physical objects: mechanical shuffling must not go so fast that it damages the cards, but not so slow that it impedes play. Typical riffle shuffles appear to offer pseudorandomness, but if done perfectly, a riffle shuffle will put the cards back in order after the eighth shuffle. Academic research found that machines claiming to provide enough randomness in a single pass of a complicated mechanism were actually insufficiently random, with players able to guess over 9 cards out of a 52-card deck. The security takeaway: start with passing your own tests, but then have testing done by objective and independent sources. Cryptography and randomness are too important to be left to chance.
(Naked Security, Schneier on Security)
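The two claims above (a perfect riffle restores a 52-card deck after eight shuffles, and a shuffle can look mixed while still being predictable) can be checked in code. This is an added example, not code from the article or from the research it cites; the perfect out-shuffle and the Gilbert-Shannon-Reeds random riffle are standard models, and the rising-sequence count is a simple predictability test that any "shuffler" should be measured against before being trusted.

```python
"""Perfect riffle period and a predictability test for random riffles.

Added example (not from the article). A perfect out-shuffle splits the deck
into two exact halves and interleaves them one card at a time, top card
staying on top. A random riffle follows the Gilbert-Shannon-Reeds model.
"""
import random

def out_shuffle(deck):
    """Perfect out-shuffle: interleave the two halves, top card stays on top."""
    half = len(deck) // 2
    return [c for pair in zip(deck[:half], deck[half:]) for c in pair]

def perfect_shuffle_period(n_cards):
    """How many perfect out-shuffles return a deck to its starting order."""
    start = list(range(n_cards))
    deck, count = out_shuffle(start), 1
    while deck != start:
        deck = out_shuffle(deck)
        count += 1
    return count

def gsr_riffle(deck, rng):
    """One random riffle: binomial cut, then cards drop in proportion to pile size."""
    cut = sum(rng.random() < 0.5 for _ in deck)
    top, bottom = deck[:cut], deck[cut:]
    out = []
    while top or bottom:
        if rng.random() < len(top) / (len(top) + len(bottom)):
            out.append(top.pop(0))
        else:
            out.append(bottom.pop(0))
    return out

def rising_sequences(deck):
    """Count rising sequences. After k riffles there are at most 2**k, so a
    small count means the deck is still predictable; a uniformly random
    52-card deck averages about 26."""
    pos = {card: i for i, card in enumerate(deck)}
    return 1 + sum(pos[c + 1] < pos[c] for c in range(len(deck) - 1))

if __name__ == "__main__":
    print("perfect out-shuffles to restore 52 cards:", perfect_shuffle_period(52))
    rng = random.Random(1)  # fixed seed so the demo is reproducible
    for k in (1, 3, 7):
        deck = list(range(52))
        for _ in range(k):
            deck = gsr_riffle(deck, rng)
        print(f"{k} random riffles -> {rising_sequences(deck)} rising sequences (max {2 ** k})")
```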
Thanks to today’s episode sponsor, Votiro
RNC sues Google over spam
The Republican National Committee filed a lawsuit against Google in a US district court in California, alleging the company put its campaign emails in spam folders for Gmail users. The RNC says this became more acute at the end of the month, indicating it was politically motivated to curb fundraising. Google launched an opt-in pilot program to keep campaign emails out of spam folders in Gmail in September, which received approval from the Federal Election Commission. Axios’ sources say the RNC is not enrolled in this program.
(Axios)
The Wire retracts Meta story
Last week we covered Meta’s hard denial on a recent report from The Wire about the use of its XCheck system to censor content at the behest of an Indian politician. At the time, Meta said the report relied on fabricated evidence. Now The Wire retracted the story citing “certain discrepancies” in emails cited in the piece. The publication said, “We are still reviewing the entire matter, including the possibility that it was deliberately sought to misinform or deceive The Wire.”
CNC machines vulnerable in cyberattacks
Researchers at Trend Micro demonstrated how CNC machines from global suppliers like Haas, Okuma, Heidenhain and Fanuc contain vulnerabilities that can be exploited in cyberattacks. Some of the attacks demonstrated could damage the item being manufactured or the machine itself by altering the device’s geometry or the controller’s program. The exploits could also open the door to ransomware or data theft, with attackers stealing a program that they could easily reverse engineer to obtain production information useful for corporate espionage. While Trend Micro found numerous vulnerabilities, it began notifying impacted vendors last year to help identify and patch the issues.
DHL receives the highest form of phishing flattery
According to Check Point’s Q2 Brand Phishing report, DHL knocked off LinkedIn for the brand most frequently imitated in phishing attempts, representing 22% of all attempted phishing in the three month period. LinkedIn actually fell to third, further knocked down the list by its parent company Microsoft, used in 16% of attempts. This came after LinkedIn represented a majority of observed phishing attempts in Q1. Among other notable brands on the list, Instagram appeared in the top ten most imitated brands for the first time, following a verified user phishing scam in September.