Cyber Security Headlines: Rising infrastructure attacks, Sponsor backdoor, Sri Lanka loses data in attack

UK government sees record critical IT infrastructure attacks

The Record’s Alexander Martin reports that according to data obtained in a Freedom of Information Act request, in the first half of 2023, critical IT infrastructure service companies reported 13 cyber attacks that significantly disrupted operations. This is an increase from four such attacks in each of the last two years. IT companies must report disruptive cyber incidents to relevant authorities under the Network & Information Systems Regulations. Experts consulted by The Record suggest this increased reporting comes from a better understanding of regulatory requirements, rather than increased attack volume.

(The Record)

Charming Kitten unleashes Sponsor backdoor

Security researchers at ESET identified a campaign by the Iranian-linked threat group, dating back to March 2021. This utilized the Sponsor backdoor malware, which resides in configuration files and is deployed by batch scripts. Charming Kitten targeted government agencies, healthcare, financial services, and manufacturing organizations. Israel, Brazil, and the UAE saw the most attacks. These attacks used an Exchange vulnerability for initial access, then installed the Sponsor backdoor. ESET said it found signs of a second version of Sponsor, but noted that all IP addresses used in the campaign are now offline.

(Bleeping Computer)

Ransomware costs Sri Lankan government months of data

Sri Lanka’s Information and Communication Technology Agency, or ICTA, confirmed its Lanka Government Cloud, or LCA System, suffered a massive ransomware attack. The attack began on August 26th, after government domain users reported receiving suspicious links. The ICTA estimates the attack impacted all gov[dot]lk email addresses. While IT workers restored systems within 12 hours of the attack, a lack of available backups meant data from May 17th through August 26, 2023 was permanently lost. ICTA CEO Mahesh Perera said the attackers used vulnerabilities in Microsoft Exchange Version 2013 utilized by LCA.

(Infosecurity Magazine)

CISA warns to patch iPhones

The US Cybersecurity and Infrastructure Security Agency added a zero-click iMessage vulnerability to its Known Exploited Vulnerabilities catalog. This flaw came from a recent disclosure by Citizen Lab, which found the flaw used to compromise up-to-date iPhones used at a civil society organization. It dubbed the exploit chain BLASTPASS, which uses malicious images in PassKit attachments to infect devices, eventually allowing for remote code execution. Apple released patches for the exploits. CISA urged federal employees with a high likelihood of being targeted to turn on Lockdown Mode on iOS as a further precaution.

(Bleeping Computer)

Thanks to our sponsor, Conveyor

The team at Lucid software reduced the time spent answering customer security questionnaires by a whopping 91% with Conveyor’s security questionnaire automation software – powered by OpenAI.

Compared to the tools on the market, Conveyor’s AI auto-generates the most accurate answers to entire questionnaires so you can spend almost zero time on them.

That’s it. That’s the ad.

We’ll let you get back to the headlines, but if you want to take away the pain of questionnaires, try a free proof of concept at

Alibaba continues its cloud shuffle

Reuters’ source says Alibaba’s Daniel Zhang informed staff he will step down from his role as CEO of the company’s cloud unit. Zhang previously served as CEO of Alibaba since 2015, succeeding co-founder Jack Ma. Alibaba announced a restructuring back in May, which saw Zhang shift to take over the company’s highly profitable cloud unit. The company plans to spin out its cloud business with an IPO by May 2024. While stepping down from the role, Zhang will establish a technology fund with $1 billion in Alibaba investment.

Anonymous Sudan launches Telegram DDoS

The threat group Anonymous Sudan has had a busy summer. In June it launched disruptive DDoS attacks against Microsoft 365 and Azure. It followed up with another DDoS against the microblogging service X in August. Now the threat intelligence firm SOCRadar reports it began a DDoS campaign against the messaging service Telegram. The group did not announce any pretext for the attacks, although SOCRadar believes it may be related to changes impacting bot accounts on X. Analysts previously noted that Anonymous Sudan does not appear to operate out of that country and seems to show ties to the Russian threat group KillNet. 

(Security Week)

New phishing attacks hit Facebook Messenger

Guardio Labs researchers published details on a new campaign on Messenger it dubbed MrTonyScam. The threat actors appear to originate in Vietnam, and seek to get victims to click on an archive attachment. This deploys a dropper that pulls down a Python-based next-stage malware. This operates as part of an account hijack scheme. Once the payload deploys, it steals on-device cookies and deletes them locally. This allows the attackers to log out legitimate users and seize account control. Researchers found that, given it requires clickthrough, about 1 out of 250 potential victims became infected in the last 30 days.

(The Hacker News)

MGM Resorts hit with cyber attack

The company announced on X that it “recently identified a cybersecurity issue” impacting its systems. In response, it shut down some systems as early as the evening of September 10th. Some guests at MGM properties report this may have impacted its ATM and credit card processing. MGM Resorts also shut down its main website, although reservations remain available by phone. Downed property websites invite anyone with information on the attack to contact the company through Signal. Bleeping Computer found the MGM Rewards app down, and local news outlet Vital Vegas reported slot machines were impacted. No word on any specifics on the attack or who could be responsible.

(Bleeping Computer)

Wyze webcams showed other owners’ feeds

Late last week, some owners of Wyze security cameras reported seeing unrelated camera feeds from other users. This included access to raw camera feeds and all recorded events. This appeared to only occur on Wyze’s web viewer, not its app. Wyze informed its subreddit it took the page down for maintenance. It later told The Verge the issue came from a web caching problem and persisted for roughly 30 minutes. Wyze maintains a checkered past with unauthorized camera access. Last year, the security research firm Bitdefender reported Wyze knew about a vulnerability in its V1 cameras for three years that could allow for unauthorized access, but opted to discontinue the product rather than fix it.

(The Verge)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.