Cyber Security Headlines – MFA a long haul for Feds, Emotet hits Google Chrome, Follina use grows

MFA could be long haul for some federal agencies says CISA official

Numerous agencies have not yet met a November deadline on multifactor authentication laid out as part of President Biden’s ambitious executive order of last year. At the 2022 RSA Conference, Eric Goldstein, executive assistant director for cybersecurity at CISA, pointed out the significant number of federal systems that are running on legacy infrastructure, which means that it’s not as simple as deploying a modern authentication stack on top of a modernized infrastructure. The Biden administration is currently seeking $300 million for the Technology Modernization Fund in fiscal 2023, a fund that dedicates dollars to agencies for upgrading aging IT systems.

(Cyberscoop)

New Emotet variant stealing users’ credit card information from Google Chrome

The notorious Emotet malware has turned to deploying a new module designed to siphon credit card information stored in the Chrome web browser. The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company Proofpoint, which observed the component on June 6. The development comes amid a spike in Emotet activity since it was resurrected late last year following a 10-month-long hiatus in the wake of a law enforcement operation that took down its attack infrastructure in January 2021.

(The Hacker News)

Symantec: More malware operators moving in to exploit Follina

While enterprises are still waiting for Microsoft to issue a fix for the critical “Follina” vulnerability in Windows, yet more malware operators are moving in to exploit it. Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available. In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint’s Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users. Then, this week, Proofpoint researchers detected another phishing campaign run by a group connected to the Qbot data-stealing and backdoor botnet that was using Follina to infect systems with its malware.

(The Register)

Thousands of Mobike user IDs exposed online

Security researcher Bob Diachenko found a trove of more than 120,000 passports, driver’s licenses and identity documents, including selfies and signatures, in an unprotected Amazon-hosted storage bucket on February 11 and passed details to TechCrunch in an effort to get the data secured. The bucket’s name suggests it belonged to Mobike, a once-promising bike-sharing operator founded in China. Anyone who knew the easily guessable bucket name could browse the trove of passports and identity documents, dating back to 2017, from their web browser. Almost all of the identity documents were for users in Latin America, including Argentina and Brazil, and none of the data was encrypted. Mobike was founded in 2015 in Beijing and was later acquired by Chinese on-demand services giant Meituan in 2018.

(TechCrunch)

Thanks to today’s episode sponsor, PlexTrac

PlexTrac is the platform that empowers your offensive security team to spend more time hacking and less time reporting. Build better reports in half the time, centralize your data, maximize your reusable content, and become more efficient and effective. PlexTrac clients report a “5X ROI in 1 year,” a “30% increase in efficiency,” have “cut their reporting cycle by 65%,” and experienced an “18 to 22% time savings per engagement.”

Check out PlexTrac.com/CISOSeries to learn how PlexTrac can help your team deliver results.

Hackers using stealthy Linux backdoor Symbiote to steal credentials

Researchers have come across a stealthy Linux backdoor that uses sophisticated techniques to hide itself on compromised servers and steal credentials. Dubbed Symbiote because it injects itself into existing processes, the threat has been in development since at least November 2021 and seems to have been used against the financial sector in Latin America. Researchers from BlackBerry describe the malware as highly evasive. In addition to hiding itself, Symbiote is designed to hide the presence of other malware programs that attackers might deliver or files that are used to store stolen credentials.

(CSOOnline)

UK Ministry of Defense acquires government’s first quantum computer

Stephen Till, of the MoD’s Defence Science and Technology Laboratory (DSTL), called it a “milestone moment” as the British MoD starts work with London-based Orca Computing to explore applications for quantum technology in defense. The MoD will work with Orca’s small PT-1 quantum computer, which the company says is the first of its kind to be able to operate at room temperature, rather than requiring sub-zero surroundings to keep heat-sensitive qubits cool. Orca’s system uses photons, or single units of light, to optimise machine learning tasks like image analysis and decision-making.

(BBC News)

Chinese hacking group Aoqin Dragon quietly spied on orgs for a decade

A previously unknown Chinese-speaking threat actor has been discovered by threat analysts SentinelLabs who were able to link it to malicious activity going as far back as 2013. Named Aoqin Dragon, the hacking group is focused on cyber-espionage, targeting government, education, and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia. From 2018 until now, Aoqin Dragon has turned to using a removable disk shortcut file that, when clicked, performs DLL hijacking and loads an encrypted backdoor payload. The malware runs under the name “Evernote Tray Application” and executes upon system start. If the loader detects removable devices, it also copies the payload to infect other devices on the target’s network.

(Bleeping Computer)

Paying ransomware paints bigger bullseye on target’s back

New ransomware numbers: Cybereason’s April ransomware survey of 1,456 cybersecurity professionals shows that eighty percent of ransomware victims that paid their attackers were hit a second time. According to the report, in addition to being hit again, the data encrypted by criminals often became unusable during the decryption process because of corruption issues.

(Threatpost)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.