Charming Kitten APT uses a new BellaCiao malware
Bitdefender has uncovered a new campaign targeting users in the U.S., Europe, the Middle East and India, operated by the Iran-linked Charming Kitten group (aka APT35, Phosphorus, Newscaster, and Ajax Security Team). The campaign uses new custom malware, dubbed BellaCiao, with each sample customized to target a specific victim and including hardcoded information such as company name, specially crafted subdomains, or associated public IP address. It is used to deliver malicious payloads via a Microsoft Exchange exploit chain (like ProxyShell, ProxyNotShell, OWASSRF) or a similar software vulnerability.
Microsoft blames Clop affiliate for PaperCut attacks
In the ongoing PaperCut story, Microsoft is suggesting that recent attacks exploiting two vulnerabilities in the PaperCut print management software are probably due to a Clop ransomware affiliate. Microsoft Threat Intelligence on Wednesday attributed recent attacks that exploited the bugs to “Lace Tempest,” a threat actor that is affiliated with FIN11 and TA505. FIN11 is connected to both the Clop ransomware gang and the Accellion FTA campaign, while TA505 is allegedly linked to the Dridex banking Trojan and Locky ransomware.
Tech crackdown on horizon as EU, UK prepare new rules
The biggest of the big names, TikTok, Twitter, Facebook, Google, and Amazon are looking at new rules and pressures from European authorities as lawmakers in London and Brussels push for new regulations to curb their power. In total, 19 of the biggest online platforms and search engines will have to meet extra obligations for “cleaning up illegal content and disinformation and keeping users safe under the 27-nation bloc’s landmark digital rules that take effect later this year.” In an online briefing, Commissioner Thierry Breton said, “TikTok will allow European Commission officials to carry out a ‘stress test’ of its systems to ensure they comply with the Digital Services Act.”
Pro-Russia hacking group attacked Canadian gas pipeline
A Canadian gas pipeline that suffered a cyber security incident on February 25 is now being attributed to the Russian hacking group Zarya. The New York Times reported that the cybersecurity incident was revealed in leaked U.S. intelligence documents. Canada’s prime minister Justin Trudeau confirmed the cyber attack against the gas pipeline but pointed out that there was no physical damage to any Canadian energy infrastructure. The leaked document states that the attack was not aimed at causing “loss of life” but economic damage.
RTM Locker’s first Linux ransomware strain targets NAS and ESXi hosts
A ransomware strain capable of targeting Linux machines has been attributed to the threat group RTM Locker, marking the group’s first attempt on this operating system. “Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code,” Uptycs said in a new report published Wednesday. “It uses a combination of asymmetric encryption and symmetric encryption.” RTM Locker was first identified by Trellix earlier this month, which described the group as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cybercrime group called Read The Manual (RTM) that has been active since at least 2015.
South Korea and US agree to cooperate on cybersecurity and North Korean threats
A joint statement released following the visit of South Korean President Yoon Suk Yeol to the White House states that the two countries would establish a “Strategic Cybersecurity Cooperation Framework” to “deter ‘cyber adversaries,’ to secure critical infrastructure, combat cybercrime, ‘and secure cryptocurrency and blockchain applications.’” Yoon and U.S. President Joe Biden talked about North Korea’s “illicit cyber activities that fund its unlawful [weapons] and ballistic missile programs” and made commitments to “block its cyber-enabled revenue generation,” the statement said.
Atomic macOS Stealer available for $1,000 per month
Researchers at threat intelligence firm Cyble have analyzed a sample of the Atomic macOS Stealer malware, also named AMOS, that had been uploaded to VirusTotal. According to Cyble, the malware, which had been advertised on a Telegram channel, was being offered for $1,000 per month. According to Security Week, “its author claims it can steal all passwords from the Keychain, full system information, and files from the compromised computer,” and “can also allegedly steal passwords, cookies, cryptocurrency wallets and payment card data from browsers such as Chrome, Firefox, Brave, Edge, Vivaldi, Yandex and Opera. Furthermore, it can steal cryptocurrency wallets outside the web browser and from browser extensions.”
Brace yourself for the 2024 deepfake election
A feature article in Wired by Thor Bensen warns of the danger of deepfakes being used during the 18-month run-up to the 2024 election, in which candidates saying something disqualifying could come out, with most people never knowing they were AI-generated. Bensen quotes Henry Ajder, an independent AI expert, who says, “Convincing deepfake videos are still difficult to produce, but that might not be the case within 12 months or so. Video is really the next frontier in generative AI.” Potential solutions to this problem currently include C2PA, which cryptographically signs content created by a device such as a phone or video camera, as well as fingerprinting, which involves taking hashes from content.