Cyber Security Headlines: Messaging malware update, China reclassifies cyberattacks, more cyberattacks don’t use malware

Messaging app update distributes malware

Researchers at ESET report that in January, an update for the popular messaging app Tencent QQ began distributing the MsgBot malware. The attack showed hallmarks of the China-linked APT Evasive Panda, which began using this malware in 2012. The update came from official Tencent URLs and IP addresses. ESET reports the malware seemed targeted at an international NGO operating in the provinces of Gansu, Guangdong, and Jiangsu. 

(Bleeping Computer)

China reclassifies cyberattacks

The Chinese government revised its 2014 counterespionage law to now apply to malicious actors targeting government bodies or critical infrastructure with cyberattacks. So hacking something attached to the Chinese state could get you charged with being a spy. The revised law also puts new responsibilities on government bodies, requiring them to report cyber incidents “to relevant departments” as soon as possible, in order to shore up the overall software supply chain. 

(The Record)

Malware-free cyberattacks on the rise

According to figures from Crowdstrike, threat actors performed 71% of all enterprise cyberattacks it observed in 2022 without malware. Instead attackers increasingly use legitimate tools to compromise networks. In a case study presented at RSA, Crowdstrike detailed the work of the “Spider” cybercrime group using this approach. This involved extensive social engineering to tailor a phishing email to obtain login credentials. Then the attackers used those credentials to set up an AnyDesk account. The attackers also used local hardware or services like DigitalOcean to avoid sending data to unusual domains. 

(Dark Reading)

Nvidia toolkit for safer language models

Nvidia released NeMo Guardrails, an open source toolkit to help make models like GPT-4 “accurate, appropriate, on topic and secure.” Guardrails sits between the user and the language model and can be scripted to prevent certain topics or double check answers for accuracy by asking another LLM.  It works with models that follow instructions and use the LangChain framework, with included code, examples and documentation. Any company can implement Guardrails, or pay Nvidia for a hosted version. Some companies already implemented Guardrails to improve chatbot output, with Nvidia citing Zapier as an example. 


And now a word from our sponsor, Tines

Ask anyone at RSA; security teams can’t operate in a silo. No SOAR solutions enable users to dynamically collect information outside their systems and use it at multiple points in an automated workflow – but Tines does! With Tines, users can exchange real-time information outside its platform and use it to drive automated workflows. Visit to learn more!

Hacking a ESA satellite

Security researchers from Thales and members of the European Space Agency plan to show an in-depth attack scenario against one of the agency’s satellites at the CYSAT conference in Paris. This comes in light of recent US intelligence  documents reported on by the Financial Times, which outlined how China began developing methods to mimic operator signals to satellites to potentially seize control of the hardware. The demonstration targets the ESA’s shoebox-sized OPS-SAT, first launched in 2019. The attack made it possible to “compromise the data sent back to Earth” including changing image files. This is believed to be the first ethical hacking demonstration against a satellite. 

(The Record)

PaperCut flaw exploited in the wild

The print management software company PaperCut claims to have over 100 million users across 70,000 organizations. That big attack surface was put at risk according to a new security advisory from the company. This alerted customers that it patched a critical vulnerability in its two print management products under active exploitation. While patched in March, those still vulnerable were at risk of remote code execution with no need for credentials. A separate, although less severe, vulnerability could allow attackers to access user information stored on print servers. Researchers at Huntress found roughly 1,800 exposed PaperCut servers online, with attackers users the flaws to install legitimate remote access software to gain a backdoor.  


Considering a dark web in the metaverse

At RSA Conference, researchers at Trend Micro detailed some of the issues about potentially emerging equivalents of the dark web on the emerging idea of the metaverse. Similar to existing unindexed sites, a metaverse equivalent could present additional difficulties for law enforcement to infiltrate. Researchers speculate that things like virtual spaces controlled by authentication tokens, combined with potential geofencing limitation, could make traditional law-enforcement approaches like sinkholing a server ineffective. The researchers recommend organizations be proactive with security as they begin expanding into the metaverse, and assume bad actors are already at work. 

(Dark Reading)

Google authenticator syncing isn’t end-to-end encrypted

The search giant recently updated its popular Authenticator app to support backup syncing to a Google account. While a welcome feature, security researcher Tommy Mysk discovered the network traffic syncing those codes isn’t end-to-end encrypted. This brings obvious security concerns, as the traffic contains the “seed” used to generate the codes. Anyone accessing that through a compromised server could use that to generate their own codes. Mysk also notes Google itself could view that data, raising privacy concerns as well. 


Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.