Cyber Security Headlines: Lancefly hits Asia, Meta record EU fine, Phishing TLDs

Cyber Security Headlines 05-28-23

Lancefly group hits Asia

Symantec released a report on a state-backed threat group known as “Lancefly.” It monitored the group using custom-made malware in attacks across Asia, impacting governments, telcos, and other large organizations. Symantec previously tied the Lancefly group to several attacks in 2020. The group uses the Merdoor backdoor, first spotted back in 2018, in a highly targeted fashion, seemingly for intelligence gathering. Symantec did not name the country linked to the group, but other tools used by Lancefly have been used previously by Chinese threat actors.

(The Record)

Meta facing record EU privacy fine

Politico’s sources say Meta will likely face a record privacy fine next week from Ireland’s Data Protection Commission. No word on the exact fine, other than that sources expect it to exceed the €746 million fine levied against Amazon in 2021. The fine involves Meta’s transfers of EU citizens’ data to the US. The EU invalidated several data transfer frameworks on the grounds that the US does not implement sufficient checks to safeguard European personal data. The report from the Irish DPC will reportedly require Meta to stop using standard contractual clauses as the method to transfer data to the US.


New TLDs a vector for phishing

The top-level domains .zip and .mov have been around since 2014, but only became generally available to the public earlier this month. Bleeping Computer’s Lawrence Abrams notes that some platforms, including Twitter, automatically converted file names with .zip or .mov extensions into URLs, opening the door for malicious actors to squat on these now-active URLs and send users to malicious sites. This means that references to files could become clickable links a user didn’t mean to share. This isn’t a theoretical exploit either. Silent Push Labs already discovered someone attempting to do this with the URL microsoft-office[.]zip. Others have registered domains for common ZIP archives. However, in many of these cases the links point users to information on the risks in these domain names, or in some cases a classic Rick Roll.

(Bleeping Computer)
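
For teams that want to catch this before a message is posted, here is a small check, added as an example and not taken from the Bleeping Computer report: it finds bare file names that are also valid .zip or .mov hostnames and rewrites them in the same defanged form used above. The function names and sample messages are made up for illustration, and it assumes an auto-linker only links names built from letters, digits and hyphens.

```python
import re

# TLDs from the item above that double as common file extensions.
RISKY_TLDS = ("zip", "mov")

# Bare hostname-shaped token ending in a risky TLD. The lookbehind skips
# names already inside a URL, path or e-mail address; the lookahead skips
# longer names such as "movie" or "archive.zip.sig".
_BARE_NAME = re.compile(
    r"(?<![\w@/\\.\-])"
    r"((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:%s))"
    r"(?![\w\-/]|\.\w)" % "|".join(RISKY_TLDS),
    re.IGNORECASE,
)


def find_linkable_filenames(text):
    """Return file names in text that are also valid .zip/.mov hostnames."""
    return _BARE_NAME.findall(text)


def defang(text):
    """Rewrite each hit as name[.]tld so an auto-linker leaves it as text."""
    def _sub(match):
        head, _, tld = match.group(1).rpartition(".")
        return f"{head}[.]{tld}"
    return _BARE_NAME.sub(_sub, text)


# Constructed sample messages, not taken from any real platform.
SAMPLES = [
    "Please open setup.zip and then watch demo.mov",
    "Mirror: https://example.com/files/setup.zip",
    "Saved as report_2023.zip on the share",
    "Send it to user@files.zip",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(find_linkable_filenames(msg), "->", defang(msg))
```

Only the first sample is flagged: the second is already part of a URL path, the third contains an underscore and so is not a valid hostname, and the fourth is an e-mail address.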

Social engineering in Microsoft Teams

Security researchers at Proofpoint published new social engineering techniques used against Microsoft Teams. One involves attackers remaining browser tabs to spoofed Teams pages. Once on the faked tab, attackers impersonate a Teams page in an attempt to load malware. Another approach involves manipulating meeting invites with Teams API calls, replacing links with malicious ones. Another involves changing the underlying URL to messages for Teams, whereby the URL remains legitimate, but the link when clicked is malicious. None of these represent any flaw in Teams itself. Rather it speaks to the growing popularity, and threat surface, of the service. Proofpoint found that “60% of Microsoft 365 tenants suffered at least one successful account takeover incident in 2022.” 

(InfoSecurity Magazine)


China cracks down on counterfeit news

The Cyberspace Administration of China launched a campaign to remove news organizations it claims spoof state-controlled media. The regulator said its initial enforcement actions took down over 100,000 online accounts over the past months, under the rationale that these accounts misrepresented state media. The CAC also said it took down 107,000 accounts of faked news sites and 835,000 pieces of misinformation in that time as well. The CAC said many of these accounts used AI to create imitations of media anchors to give their content added veracity. 


VSCode Marketplace targeted with malware

A new report from Check Point analysts found three malicious extensions on Microsoft’s VSCode Marketplace. Windows devs downloaded these over 46,000 times before they were removed on May 14th. One theme extension stole information on a developer’s system, things like hostname and other system information. Another extension acted as a C# shell injector to execute code, while a third stole saved credentials and tokens. These all posed under legitimate-sounding names, but code analysis quickly showed they lacked the implied functionality.

(Bleeping Computer)

Wemo flaw to remain unpatched

Security researchers at Sternum disclosed a flaw in the Wemo Mini Smart Plug v2. This could allow someone to trigger a buffer overflow by passing on a device name longer than 30 characters using a third-party tool. This overflow could then be used for a code injection attack. To make this even more significant, attackers can exploit the flaw remotely if the plug connects to the internet. Belkin said it would not patch the flaw as the unit reached end-of-life status. Sternum disclosed the flaw after notifying Belkin and waiting ninety days.

(Ars Technica)

Impersonating ChatGPT

We’ve covered data leaks as the result of ChatGPT. So far, these seem mostly self-inflicted, with organizations not realizing how that data will be processed. But now we’re seeing threat actors take advantage of that. Researchers at eSentire detailed a threat actor known as BatLoader, using search ads to deliver imposter sites claiming to offer access to ChatGPT or Midjourney. Instead of access to these cutting-edge tools, the pages attempt to use MSIX Windows App Installer files to deploy the Redline Stealer malware. Domain registrations indicate the group began this campaign as far back as February. The researchers say that while this may seem less concerning given these tools are now readily available, they warn that employees may turn to these types of links for alternative access if an organization outright bans the legitimate pages.

(InfoSecurity Magazine)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.