Cyber Security Headlines: Daixin Team, PoCs host malware, Iranian nuclear agency hacked

CISA warns of Daixin Team 

The Cybersecurity and Infrastructure Security Agency released a joint warning with the FBI on the Daixin ransomware group. The warning states the group began actively targeting US businesses in the Healthcare and Public Health Sector as of June 2022. CISA blames the group for multiple incidents at healthcare organizations, encrypting services and exfiltrating personally identifiable information on patients. Daixin primarily targets VPN services for initial access, using Remote Desktop Protocol to move laterally once inside. Its ransomware toolkit appears based on leaked Babuk Locker source code. 

(InfoSecurity Magazine)

Exploit PoCs used to host malware

Security researchers frequently publish proof-of-concept code for software vulnerabilities on GitHub. These PoCs help the security community verify fixes or determine the scope of a bug. But as with any other content on GitHub, they are unverified code that should be approached with caution. According to a new technical paper from the Leiden Institute of Advanced Computer Science, some of these PoCs actually include malware themselves. Looking at over 47,000 repositories from 2017 to 2021, researchers found 4893 deemed malicious, delivering malware ranging from remote access trojans to Cobalt Strike. Malicious PoCs picked up rapidly in 2019, with the study finding a more than 400% year-on-year increase. The authors showed Bleeping Computer over 60 still-live repositories hosting malicious PoCs. 

(Bleeping Computer)

Iranian nuclear agency hacked

Iran’s Atomic Energy Organization claims that a group acting on behalf of a foreign country broke into a subsidiary network, obtaining access to its email system. The group “Black Reward” claims responsibility for the attack. It leaked 50 gigabytes of emails on its Telegram channel. The data dump supposedly includes facility blueprints, communications, and other logs. It’s unclear if this contained classified information. Iran did not name a country involved in the attack. It previously blamed recent cyber attacks on infrastructure on the US and Israel. 

(AP News)

How random is shuffling?

Security researcher Bruce Schneier highlighted academic work looking at randomness in the card shuffling techniques used at casinos. These techniques have to deal with the physical realities of manipulating cards as physical objects: mechanical shuffling must not go so fast that it damages the cards, but not so slow that it impedes play. Typical riffle shuffles appear to offer pseudorandomness, but a riffle done perfectly will put the cards back in their original order after the eighth shuffle. Academic research found that machines claiming to provide enough randomness in one pass of a complicated system were actually insufficiently random, with players able to guess over 9 cards out of a 52-card deck. The security takeaway: start with passing your own tests, but then have the testing done by objective and independent sources. Cryptography and randomness are too important to be left to chance. 

(Naked Security, Schneier on Security)
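The “back in order after the eighth shuffle” point is easy to see in code. The example below is an added illustration, not code from the story, from Schneier, or from the academic paper it discusses: it models the perfect riffle as an out-shuffle (cut exactly in half, interleave one card at a time, original top card stays on top), counts how many such shuffles restore a 52-card deck, and then contrasts a predictor that assumes perfect riffles against a Fisher-Yates shuffle driven by the OS CSPRNG. The “predictor” is a constructed stand-in for a player who knows the starting order; the assumption that the page means the out-shuffle variant is mine.

```python
import secrets
from typing import List, Sequence, TypeVar

T = TypeVar("T")


def perfect_out_shuffle(deck: Sequence[T]) -> List[T]:
    """One perfect riffle ("out-shuffle"): cut the deck exactly in half and
    interleave one card at a time, keeping the original top card on top."""
    if len(deck) % 2:
        raise ValueError("a perfect riffle needs an even-sized deck")
    half = len(deck) // 2
    result: List[T] = []
    for top_card, bottom_card in zip(deck[:half], deck[half:]):
        result.append(top_card)
        result.append(bottom_card)
    return result


def shuffles_until_restored(size: int = 52, limit: int = 10_000) -> int:
    """Count perfect out-shuffles until the deck is back in its starting order."""
    start = list(range(size))
    deck = start
    for n in range(1, limit + 1):
        deck = perfect_out_shuffle(deck)
        if deck == start:
            return n
    raise RuntimeError(f"deck not restored within {limit} shuffles")


def predict_after_perfect_shuffles(size: int, n: int) -> List[int]:
    """Constructed predictor: a player who knows the starting order and assumes
    the shuffler performs n perfect riffles can compute the final order exactly."""
    deck = list(range(size))
    for _ in range(n):
        deck = perfect_out_shuffle(deck)
    return deck


def csprng_shuffle(deck: Sequence[T]) -> List[T]:
    """Fisher-Yates shuffle driven by the OS CSPRNG (secrets.randbelow): the
    software analogue of a shuffler that draws fresh randomness for every cut."""
    out = list(deck)
    for i in range(len(out) - 1, 0, -1):
        j = secrets.randbelow(i + 1)  # uniform over [0, i], no modulo bias
        out[i], out[j] = out[j], out[i]
    return out


def correct_guesses(prediction: Sequence[T], actual: Sequence[T]) -> int:
    """Number of positions where the predicted card is the actual card."""
    return sum(1 for p, a in zip(prediction, actual) if p == a)


def mean_correct_guesses_against_csprng(size: int = 52, trials: int = 500) -> float:
    """Average cards the perfect-riffle predictor gets right against a CSPRNG
    shuffle. For a uniformly random permutation the expected number is 1."""
    prediction = predict_after_perfect_shuffles(size, 8)
    total = sum(
        correct_guesses(prediction, csprng_shuffle(range(size))) for _ in range(trials)
    )
    return total / trials


if __name__ == "__main__":
    start = list(range(52))
    print("perfect out-shuffles to restore a 52-card deck:", shuffles_until_restored(52))
    # A deterministic shuffler is fully predictable: all 52 cards guessed.
    print(
        "cards guessed after 8 perfect shuffles:",
        correct_guesses(predict_after_perfect_shuffles(52, 8), start),
    )
    # Against real randomness the same predictor averages about one card.
    print("mean cards guessed vs CSPRNG shuffle:", mean_correct_guesses_against_csprng())
```

The deterministic shuffler is the failure mode the story is about: eight perfect riffles are a no-op, and fewer than eight are a fixed, fully computable permutation, so a player who knows the input order knows the output order. A test like `mean_correct_guesses_against_csprng` is the kind of check you can run yourself before handing the device to an independent lab; it measures what the paper measured (cards correctly guessed), rather than taking the vendor’s “complicated system” on faith.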

Thanks to today’s episode sponsor, Votiro

UFOs are everywhere. They’re in your applications, cloud storage, endpoints, and emails.

That’s right – UFOs – Unidentified File Objects – are hiding in files across your organization. UFOs can contain malware that exfiltrates data or deploys ransomware. And 70% of UFOs can’t be detected by traditional scanning solutions like Anti-Virus and Sandboxing. That’s where Votiro comes in. Votiro prevents UFOs before they hitch a ride in on files – without detection, and without slowing down business.

Do you believe? Learn more at

RNC sues Google over spam

The Republican National Committee filed a lawsuit against Google in a US district court in California, alleging the company put its campaign emails in spam folders for Gmail users. The RNC says this became more acute at the end of the month, indicating it was politically motivated to curb fundraising. Google launched an opt-in pilot program to keep campaign emails out of spam folders in Gmail in September, which received approval from the Federal Election Commission. Axios’ sources say the RNC is not enrolled in this program.
The Wire retracts Meta story

Last week we covered Meta’s hard denial of a recent report from The Wire about the use of its XCheck system to censor content at the behest of an Indian politician. At the time, Meta said the report relied on fabricated evidence. Now The Wire has retracted the story, citing “certain discrepancies” in emails cited in the piece. The publication said, “We are still reviewing the entire matter, including the possibility that it was deliberately sought to misinform or deceive The Wire.”

(The Verge)

CNC machines vulnerable to cyberattacks

Researchers at Trend Micro demonstrated how CNC machines from global suppliers like Haas, Okuma, Heidenhain and Fanuc contain vulnerabilities that can be exploited in cyberattacks. Some of the attacks demonstrated could damage the item being manufactured or the machine itself by altering the device’s geometry or the controller’s program. The exploits could also open the door to ransomware or data theft, with attackers stealing a program they could easily reverse engineer for production information useful in corporate espionage. While Trend Micro found numerous vulnerabilities, it began notifying impacted vendors last year to help identify and patch the issues. 

(Security Week)

DHL receives the highest form of phishing flattery

According to Check Point’s Q2 Brand Phishing report, DHL knocked off LinkedIn for the brand most frequently imitated in phishing attempts, representing 22% of all attempted phishing in the three month period. LinkedIn actually fell to third, further knocked down the list by its parent company Microsoft, used in 16% of attempts. This came after LinkedIn represented a majority of observed phishing attempts in Q1. Among other notable brands on the list, Instagram appeared in the top ten most imitated brands for the first time, following a verified user phishing scam in September. 

(InfoSecurity Magazine)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.