Steve Thomas - IT Consultant


  • Russia’s APT28 cyber-espionage group linked to ‘Nearest Neighbor Attack’
  • Victim’s Wi-Fi network was protected, but its neighbor’s wasn’t
  • Timing aligns with Russia’s invasion of Ukraine in 2022

Russian cyber-espionage group APT28, also known as Fancy Bear, was able to breach an American company’s network by leveraging a ‘Nearest Neighbor Attack’ exploiting nearby Wi-Fi networks.

First identified by cybersecurity firm Volexity in February 2022, the attack raises new concerns about vulnerabilities in corporate Wi-Fi systems.

In this case, APT28, tracked by Volexity as ‘GruesomeLarch,’ targeted a US organization engaged in Ukrainian-related projects, hence the nation-state’s interest in the firm.

Nearest neighbor attacks

The attack on the unnamed US company, a Volexity customer whose identity has been protected, started with password-spraying to acquire valid credentials for the victim’s enterprise Wi-Fi network. Multi-factor authentication protected the firm’s public-facing systems, but the Wi-Fi network accepted the sprayed username and password without it. The remaining obstacle was physical: the attackers needed to be within radio range, so they turned to a nearby organization to get there.
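The spraying step above leaves a distinctive trace in the wireless authentication logs: one client station failing against many different accounts in a short window, followed by a success. The following is an added example (not Volexity’s code or data) that runs that check over a constructed sample of 802.1X/RADIUS authentication events; the key=value line format, the station MACs and the user names are all invented for the demo, and `LINE_RE` would need adapting to a real NPS or RADIUS export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of 802.1X/RADIUS authentication events in a simplified
# key=value format. Assumption: this is not Volexity's data and not any
# vendor's real log syntax; adapt LINE_RE to your NPS/RADIUS export.
SAMPLE_LOG = """\
2022-02-01T09:00:01Z user=alice station=AA:BB:CC:00:00:01 nas=ap-3f result=REJECT
2022-02-01T09:00:31Z user=bob station=AA:BB:CC:00:00:01 nas=ap-3f result=REJECT
2022-02-01T09:01:02Z user=carol station=AA:BB:CC:00:00:01 nas=ap-3f result=REJECT
2022-02-01T09:01:40Z user=dave station=AA:BB:CC:00:00:01 nas=ap-3f result=REJECT
2022-02-01T09:02:15Z user=erin station=AA:BB:CC:00:00:01 nas=ap-3f result=REJECT
2022-02-01T09:02:50Z user=frank station=AA:BB:CC:00:00:01 nas=ap-3f result=REJECT
2022-02-01T09:05:00Z user=alice station=AA:BB:CC:00:00:02 nas=ap-2a result=REJECT
2022-02-01T09:05:20Z user=alice station=AA:BB:CC:00:00:02 nas=ap-2a result=REJECT
2022-02-01T09:05:45Z user=alice station=AA:BB:CC:00:00:02 nas=ap-2a result=ACCEPT
2022-02-01T09:09:30Z user=dave station=AA:BB:CC:00:00:01 nas=ap-3f result=ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) station=(?P<station>\S+) "
    r"nas=(?P<nas>\S+) result=(?P<result>ACCEPT|REJECT)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag client stations whose REJECTs cover >= min_users distinct accounts
    inside a sliding window (one password, many users), and record any ACCEPT
    from that station afterwards, i.e. the spray yielded a valid credential."""
    recent = defaultdict(deque)  # station -> (ts, user) of recent REJECTs
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = ev["station"]
        if ev["result"] == "REJECT":
            q = recent[st]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            users = {u for _, u in q}
            if len(users) >= min_users:
                a = alerts.setdefault(st, {"users": set(), "first": q[0][0],
                                           "last": ev["ts"], "accepted_after": []})
                a["users"] |= users
                a["last"] = ev["ts"]
        elif st in alerts:  # an ACCEPT from a station already flagged
            alerts[st]["accepted_after"].append(ev["user"])
    return alerts


if __name__ == "__main__":
    for station, a in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{station}: {len(a['users'])} accounts tried between {a['first']} and "
              f"{a['last']}; accepted afterwards: {a['accepted_after'] or 'none'}")
```

Station `...:02` (one user mistyping a password twice) is not flagged, which is the point of keying on distinct accounts rather than on failure counts; a per-account brute-force rule is a separate check. On the sample, station `...:01` is reported with six accounts and a later ACCEPT for `dave`.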

Volexity explained: “The threat actor was halfway around the world and could not actually connect to [the victim’s] Enterprise Wi-Fi network. To overcome this hurdle, the threat actor worked to compromise other organizations who were in buildings within close proximity to [the victim’s] office. Their strategy was to breach another organization.”

At that neighboring organization, APT28 found a device connected to both the wired network and a wireless adapter. It acted as a bridge: from there the attackers could join the target’s enterprise Wi-Fi with the sprayed credentials, move laterally, and exfiltrate data.

Furthermore, the attackers used native Windows tools such as Cipher.exe (whose /w option overwrites free disk space) to erase evidence, making the attack hard to detect and trace. They also exploited a then-unpatched (zero-day) vulnerability in the Windows Print Spooler service to escalate privileges within the victim’s network.

Given that the attack took place weeks before Russia’s invasion of Ukraine, its timing aligns with the choice of a target working on Ukraine-related projects.

Volexity now advises organizations to monitor for suspicious activity, to keep Wi-Fi and Ethernet networks in separate environments so that a Wi-Fi client cannot reach wired-only resources, and to move Wi-Fi authentication to certificate-based methods or MFA rather than passwords alone.



  • Google crackdown identifies four PR firms infiltrating search results
  • 'Glassbridge' firms spread Chinese propaganda
  • Google removed 1,000 domains from the network

Google’s Threat Intelligence Group has revealed it has blocked over 1,000 sites belonging to a small number of PR firms that spread pro-China propaganda through inauthentic news sites.

The sites posed as local news networks, even publishing authentic localized content alongside state sponsored press releases to deceive readers.

The network, dubbed ‘Glassbridge’, was made up of four companies who bulk-created and operated hundreds of domains which posed as independent news sites. These sites published content which “emphasizes narratives aligned to the political interests of the People’s Republic of China”, said Google.

A new kind of influence campaign

The Glassbridge network used private PR firms to gain plausible deniability and obscure the operators’ role in spreading coordinated misinformation. The sites violated Google’s policies, which prohibit deceptive behavior and require editorial transparency, and will no longer appear in Google News features or Google Discover.

The four firms are Shanghai Haixun Technology, Times Newswire, Durinbridge, and Shenzhen Bowen Media. The most prolific, Shanghai Haixun Technology, was found to be operating over 600 policy-violating domains, all of which have since been removed.

“By posing as independent, and often local news outlets, IO (information operations) actors are able to tailor their content to specific regional audiences and present their narratives as seemingly legitimate news and editorial content,” said Google’s Vanessa Molter.

Google believes this is an evolution of previously observed mass-produced social media disinformation campaigns, which have targeted western states and US voters in particular, aiming to sow discord and divide public opinion.

Most of us can spot social media ‘bot’ accounts with relative ease, and most bots generate very little authentic engagement, which highlights the difficulties states such as China, Russia, and Iran have had in producing convincing political content on social media.

While it’s unlikely that foreign actors will abandon social media campaigns, it’s clear that new tactics are being adopted to sow distrust in western political systems and spread narratives favorable to Beijing.



  • NoName057 continues DDoS attacks against Taiwanese targets
  • Multiple sectors and critical infrastructure were hit by the attacks
  • No significant disruption was noted, and many services were restored

In an apparent escalation of recent cyber warfare, Taiwan’s government and major corporations have been targeted by a second wave of Distributed Denial of Service (DDoS) attacks by the pro-Russian hacker group NoName057.

These attacks, which began in early September 2024 and surged again in early October, have affected a wide range of companies including several high-tech firms and critical infrastructure organizations.

The most recent wave of attacks occurred from October 5 to 6, affecting several major companies such as Formosa Plastics, Wistron, and United Microelectronics, all of whom reported their websites were targeted by DDoS attacks, but were quick to restore services and resume normal operations.

Widespread targets

This second wave of DDoS attacks appears to be a continuation of earlier cyber incidents that occurred in September 2024. NoName057 has aggressively targeted Taiwan, claiming responsibility for multiple cyber-attacks. These attacks have also expanded beyond the corporate sector to include essential public services and government entities.

According to NoName057, targets over the first weekend of October included municipal governments, public offices, judicial units, and airports such as Taoyuan International and Songshan Airports. Furthermore, the group claimed attacks on key government databases, including the National Legal Database, showcasing the hackers’ intent to disrupt critical infrastructure in Taiwan.

Although not all organizations have officially disclosed that they were targeted, there were clear signs of disruption. Organizations such as IC design company Shichi, various judicial units, and Shixin-KY were also hit. By the evening of October 7, however, Shixin-KY announced that its website was functioning normally again.

These attacks are not isolated incidents, as NoName057 has a long history of launching cyber-attacks against governments and enterprises across various countries, including Ukraine, France, Lithuania and Czechia.

Before its October attacks on Taiwan, the group targeted Austria and Israel, emphasizing the widespread nature of their malicious activities. Their attacks are usually aimed at disrupting essential services, including government websites, public utilities, and financial institutions.

In 2022, during the visit of U.S. House Speaker Nancy Pelosi to Taiwan, a similar wave of DDoS attacks hit government departments and private companies alike. Likewise, Taiwan’s hosting providers experienced substantial disruption in 2020 due to cyber-attacks, and in 2017, several brokerage websites faced significant downtime due to similar DDoS activities.

Via ITHome



  • Facebook has removed more than two million accounts from its platform
  • The accounts were engaged in so-called "pig butchering" scams
  • The majority of the victims were in Asian markets

In an effort to crack down on organized crime on its platform, Facebook and Instagram parent company Meta has taken down more than two million scam accounts.

The company revealed the news in a blog post, outlining how the bulk of these accounts were used in so-called “pig butchering” scams.

Pig butchering is a type of scam named after the way a farmer fattens a pig before slaughter: the scammer “fattens” the victim, tricking them into handing over as much money as possible, for as long as possible, before the scam is revealed and the jig is up.

Asia-Pacific hotbed

Such scams usually rely on social engineering on platforms such as Facebook. The scammers create fake accounts of (mostly) young, attractive women and engage in seemingly benign conversation with potential victims. At some point, they introduce an amazing investment opportunity or platform which, in reality, does not exist and is controlled by the crooks.

They invite the victim to “invest” together, in preparation for a new life spent together. The victim hands over money through an app and is shown that investment growing over time. At this point, however, the money is already gone, and the balance is nothing more than numbers on a screen. The scammer keeps the ruse going for as long as possible, getting the victim to pay in as much as they can.

When the victim eventually tries to withdraw the money (or realizes something is amiss), they find that it is not possible.

In some cases, the fraudsters take it a step further, impersonating “tech support” from the “investment platform” and telling the victim to pay a withdrawal fee, or something similar, before funds can be released - a final attempt at extracting as much value from the victim as they can.

Meta says that the majority of the scam centers were located in Asia-Pacific, particularly Cambodia, Laos, Myanmar, and more recently, the UAE. The victims, however, are scattered all over the globe. The campaign to crack down on these scams is a joint effort, which included many major cryptocurrency exchanges, tech companies such as OpenAI, and law enforcement organizations.

"Every day, criminals target people across the world through text messaging, dating apps, social media and email in so-called ‘pig-butchering’ and other schemes that try to con them into scam investments," the company's blog post noted.

"We hope that sharing our insights will help inform our industry’s defenses so we can collectively help protect people from criminal scammers."



  • The Microsoft Digital Crimes Unit has seized 240 fraudulent sites
  • The sites were used by ONNX to sell phishing templates
  • Phishing attacks target millions of users per month

Millions of phishing emails sent every day use ‘do it yourself’ phishing kits developed by the Egypt-based ONNX operation, but Microsoft’s Digital Crimes Unit has now seriously disrupted it, seizing 240 fraudulent websites used to sell the Phishing-as-a-Service (PaaS) kits.

Phishing poses a real threat to individuals and organizations alike, with successful attacks causing devastating financial and data losses. Cybercriminals have taken this further by developing ‘kits’ to sell to other criminals, helping them run widespread phishing campaigns and bypass security measures such as MFA by intercepting the login and MFA exchange in real time.

The attacks that originate from the ‘do it yourself’ kits represent a significant portion of the tens of millions of phishing attacks Microsoft accounts receive each month. The ONNX operation is one of the top five phish kit providers by email volume in 2024, according to Microsoft’s digital defense reports, so the disruption is significant.

Name and shame

Microsoft has decided to publicly name the individual behind the storefront, Abanoub Nady (known online as “MRxC0DER”), who has been tied to the operation as far back as 2017, and is well established in the PaaS sphere.

ONNX offers a tiered subscription service with basic, professional, and enterprise plans, promoted, sold, and configured through Telegram; it even provides ‘how to’ videos so that criminals can deploy the phishing kits properly.

Many of the kits use a technique called ‘quishing’, or QR code phishing, which prompts users to scan a code that redirects them to a malicious look-alike website where they are asked to enter personal or payment information.

“As we’ve said before, no disruption is complete in one action. Effectively combatting cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure,” said Assistant General Counsel, Microsoft’s Digital Crimes Unit, Steven Masada.

“While today’s legal action will substantially hamper the fraudulent ONNX’s operations, other providers will fill the void, and we expect threat actors will adapt their techniques in response.”



  • ESET discovers a new piece of malware called WolfsBane
  • This malware features a dropper, a launcher, and a backdoor
  • It is being used by a group known as Gelsemium

Chinese hackers have built new all-in-one malware to target Linux devices, according to a new report from cybersecurity firm ESET.

The WolfsBane malware features a dropper, a launcher, a backdoor, and a modified open-source rootkit for detection evasion. While not unheard of, the approach is rather unconventional, since most groups develop just one of these components and borrow the rest.

WolfsBane’s key ability is to grant its operators full control over the compromised system: it can execute commands from the C2 server, exfiltrate data, and manipulate the system.
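The page says only that the rootkit is a “modified open-source rootkit for detection evasion”. The following is an added example, not ESET’s tooling, that assumes the common design of open-source Linux userland rootkits: a shared library injected into every process through /etc/ld.so.preload or the LD_PRELOAD variable so it can hook libc and hide files and processes. It lists both preload sources and reports any library not on an allowlist. The library names and PIDs in the sample inputs are constructed for the demo.

```python
import os
import re

SEP_RE = re.compile(r"[\s:]+")  # ld.so accepts whitespace- or colon-separated lists


def parse_preload_file(text):
    """Return library paths listed in /etc/ld.so.preload content
    ('#' comments allowed, entries separated by whitespace or ':')."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(p for p in SEP_RE.split(line) if p)
    return libs


def preload_from_environ(environ_bytes):
    """Return LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
            return [p for p in SEP_RE.split(value) if p]
    return []


def assess(preload_text, environs, allowlist=frozenset()):
    """Combine both sources into findings: (source, pid or None, library).
    allowlist holds basenames expected on this host (assumption: tune it per
    fleet; by default every preloaded library is reported)."""
    findings = []
    for lib in parse_preload_file(preload_text):
        if os.path.basename(lib) not in allowlist:
            findings.append(("ld.so.preload", None, lib))
    for pid, env in sorted(environs.items()):
        for lib in preload_from_environ(env):
            if os.path.basename(lib) not in allowlist:
                findings.append(("LD_PRELOAD", pid, lib))
    return findings


def scan_live(allowlist=frozenset()):
    """Gather the same inputs from a running Linux host (root is needed to
    read other users' environ files)."""
    try:
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as f:
            preload_text = f.read()
    except FileNotFoundError:
        preload_text = ""
    environs = {}
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/environ", "rb") as f:
                    environs[int(pid)] = f.read()
            except OSError:  # process exited, or permission denied
                pass
    return assess(preload_text, environs, allowlist)


# Constructed inputs for a dry run; the library names are made up for the demo.
SAMPLE_PRELOAD = "# added by 'installer'\n/usr/local/lib/libhider.so\n"
SAMPLE_ENVIRONS = {
    1: b"PATH=/usr/bin\0HOME=/\0",
    4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0",
}

if __name__ == "__main__":
    for src, pid, lib in assess(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(f"{src:13} pid={pid!s:6} {lib}")
```

One caveat that matters for this class of rootkit: the scanner is itself a dynamically linked process, so on an infected host the hooked libc it loads can hide the preload file or filter the /proc listing. Run it from a statically linked binary or from a boot medium, or cross-check the results against a trusted copy of the filesystem.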

Gelsemium is active

ESET doesn’t know for certain how the attackers accessed the target systems to deploy the malware in the first place, but assesses “with medium confidence” that the group exploited an unknown web application vulnerability.

The group, in this instance, is called Gelsemium (a flowering plant, suggesting at least one herbalist in its ranks). It is a relatively well-known Chinese group, active since at least 2014. It mostly targets government institutions, educational organizations, electronics manufacturers, and religious institutions. The majority of its victims are located in East Asia and the Middle East.

ESET also suggests that the group decided to target Linux since Windows’ defenses have been getting better lately.

"The trend of APT groups focusing on Linux malware is becoming more noticeable,” ESET said.

“We believe this shift is due to improvements in Windows email and endpoint security, such as the widespread use of endpoint detection and response (EDR) tools and Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default. Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux."

Via BleepingComputer



  • CISA updates advisory on BianLian, originally published in May 2023
  • Agency claims the group is moving away from deploying the encryptor
  • Instead, BianLian exfiltrates sensitive data and threatens to release it

The infamous BianLian ransomware group has stopped deploying an encryptor on victim devices and now focuses exclusively on data exfiltration, an updated security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies has warned.

CISA, alongside the FBI and the Australian Cyber Security Centre, first published an in-depth report on BianLian in May 2023 as part of its #StopRansomware effort, detailing the group’s tactics, techniques, and procedures (TTPs); this has now been updated with new information, including the changes to the group’s modus operandi.

As it turns out, BianLian no longer encrypts the information on the endpoints of its victims. Rather, it just steals the data, and then demands payment in exchange for not leaking it to the public.

This is a change that the cybersecurity community has been warning about for quite some time now, and BianLian is hardly the only group that is no longer deploying the encryptor.

As it turns out, developing, maintaining, and deploying encryption software is tedious, cumbersome, and expensive. In terms of extortion revenue, data exfiltration alone yields similar results, and crooks are taking notice.

The agencies also say BianLian is a Russia-based actor with Russian affiliates. If the name threw you off and made you think the group is likely Chinese (or based elsewhere in the Far East, for that matter), that is intentional.

“The reporting agencies are aware of multiple ransomware groups, like BianLian, that seek to misattribute location and nationality by choosing foreign-language names, almost certainly to complicate attribution efforts,” the report claims.

In the past, the group was observed targeting organizations in the US critical infrastructure sector, and private enterprises in Australia.



  • Earlier this week, EnergyWeaponUser shared a database, claiming it was stolen from Ford
  • Ford responds by launching an investigation
  • The investigation concluded that the data belonged to a third party, Ford said

Ford has denied suffering a data breach recently, saying the information circulating around the web belongs to a third party and is, for the most part, publicly available.

A known leaker with the alias EnergyWeaponUser recently posted a new thread on BreachForums, claiming to be sharing Ford’s data for free. “Today, I have uploaded the Ford Motor Company internal database for you to download, thanks for reading and enjoy!,” the hacker said at the time.

“In November 2024, Ford Motor Company, an American multinational automobile company suffered a data breach,” the post further added. “It exposes 44k records of customer names, physical locations, bought product.”

No breach

A small sample was shared, in which anyone could find people’s names, postal addresses, country codes, customer type codes, city information, sales types, account codes, last-update timestamps, and other records.

After the thread surfaced, the company confirmed looking into the allegations of data theft.

"Ford is aware and is actively investigating the allegations there has been a breach of Ford data," spokesperson Richard Binhammer told the press at the time. "Our investigation is active and ongoing."

Now, a few days later, Ford told the media that its data was secure. In a statement to BleepingComputer, the company said: “Ford’s investigation has determined that there was no breach of Ford’s systems or customer data. The matter involved a third-party supplier and a small batch of publicly available dealers’ business addresses. It is our understanding that the matter has now been resolved.”

We now wait to see EnergyWeaponUser’s response. However, the fact that they were willing to give away such a database lends credence to Ford’s claims: any registered BreachForums member could grab the archive for eight forum credits, roughly two dollars.

Via BleepingComputer



  • Palo Alto Networks releases patch for two serious flaws impacting its firewalls
  • The flaws were being abused in the wild to drop malware
  • CISA added them to its KEV catalog

Palo Alto Networks has revealed it fixed two major vulnerabilities plaguing its firewalls.

The bugs are an authentication bypass in the PAN-OS management web interface (CVE-2024-0012) and a privilege escalation flaw in PAN-OS (CVE-2024-9474). The former has a severity score of 9.3 (critical) and lets an unauthenticated attacker with network access to the management interface gain administrator privileges; the latter has a lower score, 6.9 (medium), but lets an administrator run commands on the firewall as root.

Cybercriminals were chaining the two flaws to gain admin privileges and run commands on exposed devices, the company confirmed, so users are advised to apply the patches as soon as possible.

Added to CISA's KEV

Palo Alto said it was looking into ongoing attacks in which the two bugs were chained against “a limited number of device management web interfaces” to drop malware and run arbitrary commands.

"This original activity reported on Nov. 18, 2024 primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services," the company said in an advisory. "At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity."

Both vulnerabilities have since been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild abuse. Federal agencies have until December 9 to patch the bugs, or stop using the affected firewalls altogether.

Palo Alto said that only a “very small number” of firewalls are being targeted. However, citing data from the threat monitoring platform Shadowserver, BleepingComputer reported that there are more than 2,700 vulnerable PAN-OS instances exposed online.

Since a working exploit is already available and evidence of abuse exists, Palo Alto “strongly” advises its customers to patch and to restrict access to the management interface to trusted internal addresses only.

"Risk of these issues are greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines," the company said.
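The restriction Palo Alto refers to, as an added illustration rather than text from the company’s advisory: the PAN-OS CLI commands (configure mode) that limit the management interface to a trusted admin subnet, followed by the version check used to confirm a patched release. The hostname, the 10.10.250.0/24 subnet and the description are placeholders; confirm the exact syntax against the documentation for the PAN-OS release you run before committing it.

```text
admin@PA-FW> configure
admin@PA-FW# set deviceconfig system permitted-ip 10.10.250.0/24 description "admin jump hosts"
admin@PA-FW# show deviceconfig system permitted-ip
admin@PA-FW# commit
admin@PA-FW# exit
admin@PA-FW> show system info | match sw-version
```

With a permitted-ip list in place, the management web interface stops answering to every address not listed, so the restriction should be applied from a host on the trusted subnet to avoid locking yourself out, and it is a mitigation for exposure rather than a substitute for the patch.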

Via BleepingComputer



  • 300,000 emails from EnamelPin, owner of gs-jj.com, exposed online
  • Many came from .gov or .mil addresses, which are used by government and military workers
  • The leak exposed the site’s links to China

Researchers at Cybernews recently discovered that over 300,000 emails from EnamelPin customers were exposed for months by an open Elasticsearch instance.

EnamelPin Inc is the owner of popular gift site gs-jj.com, which sells medals, lapel pins, emblems, and more.

The leaked emails contained personal information such as full names and email addresses; around 2,500 came from .gov and .mil domains. The site is unsurprisingly popular among US government officials and military officers, who had ordered products such as coins, patches, and medals.

National Security Concerns

“The emails and attachments exposed sensitive information about high-ranking military officials. They could be used to determine their position in certain Army units, phone numbers, email addresses, and shipping addresses,” Cybernews researchers said.

Other security issues were discovered on the site, such as an exposed hidden Git repository configuration that revealed the folder and file structure of the website.

The data was left exposed for months, according to the researchers: the information was publicly accessible from April 22 until December 5, leaving many customers at risk, particularly of identity theft.

While EnamelPin Inc is registered in California and aimed at civilians, the leak exposed previously unknown links to China. Researchers found a publicly accessible Git configuration file which revealed that the website’s source code repository is hosted on a Chinese server.
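Both findings in this story are cheap to check for on your own assets. The following is an added example (not Cybernews’ tooling) that classifies the root response of an Elasticsearch port as open or authenticated, fetches `/.git/config` from a web root, and pulls the remote URL and its host out of it, which is the step that revealed where the repository was hosted. The network helpers are real `urllib` calls; the `.git/config` body and the `git.internal.example` host in the sample are constructed for the demo, and the checks should only be run against hosts you are authorized to test.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

ES_TAGLINE = "You Know, for Search"
REMOTE_RE = re.compile(r'^\s*\[\s*remote\s+"([^"]+)"\s*\]\s*$')
KEY_RE = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")


def classify_elasticsearch(status, body):
    """Classify a response to GET / on the Elasticsearch port (status None = no connection)."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(doc, dict) and (doc.get("tagline") == ES_TAGLINE
                                  or {"cluster_name", "version"}.issubset(doc)):
        return "open"  # cluster banner served without credentials
    return "not-elasticsearch"


def parse_git_remotes(config_text):
    """Return {remote: url} from a .git/config body (INI-like, tab-indented keys)."""
    remotes, current = {}, None
    for line in config_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.lstrip().startswith("["):
            current = None  # some other section, e.g. [core] or [branch "main"]
            continue
        k = KEY_RE.match(line)
        if current and k and k.group(1) == "url":
            remotes[current] = k.group(2)
    return remotes


def remote_host(url):
    """Host part of an https://, ssh:// or scp-style (git@host:path) remote."""
    if "://" in url:
        return urllib.parse.urlsplit(url).hostname
    m = re.match(r"^(?:[\w.-]+@)?([\w.-]+):", url)
    return m.group(1) if m else None


def fetch(url, timeout=5):
    """GET url; returns (status, body), or (None, '') when unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def check_site(site, es_port=9200):
    """Run both checks against one site you are authorized to test."""
    host = urllib.parse.urlsplit(site).hostname or site
    es = classify_elasticsearch(*fetch(f"http://{host}:{es_port}/"))
    status, body = fetch(f"{site.rstrip('/')}/.git/config")
    git = parse_git_remotes(body) if status == 200 and "[core]" in body else None
    hosts = {remote_host(u) for u in (git or {}).values()} - {None}
    return {"elasticsearch": es, "git_remotes": git, "git_hosts": sorted(hosts)}


# Constructed .git/config as a misconfigured web root would serve it.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = git@git.internal.example:shop/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
"""

if __name__ == "__main__":
    remotes = parse_git_remotes(SAMPLE_GIT_CONFIG)
    print(remotes, [remote_host(u) for u in remotes.values()])
```

An exposed `.git/` directory is worse than the config alone suggests: once `/.git/config` is readable, the object store usually is too, and tools exist to reconstruct the full source tree from it, so the fix is to deny the directory at the web server and rotate any secrets the history ever contained.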

The company also advertises a ‘complete expert team in China’, long delivery times suggest overseas fulfilment, and the customer support team communicates in broken English.

“Due to the Chinese government’s broad powers to access data, it may be risky for US Government and Military officials to use Chinese services, especially in the official settings," Cybernews added.

“This leak raises OPSEC concerns, as ordering patches, emblems, and other items can inadvertently expose ranks, divisions, and personal information.”



  • Security researchers from Netskope found an upgraded version of Python NodeStealer
  • This dangerous infostealer can also now target Facebook Ads Manager accounts
  • It can steal credit card information, data stored in browsers, and more

Python NodeStealer, an infamous infostealer that targeted Facebook Business accounts, has been upgraded with new and dangerous features that let it target Facebook Ads Manager accounts as well and steal more data, opening the door to more destructive malware campaigns.

Cybersecurity researchers Netskope Threat Labs have published a new, in-depth analysis of NodeStealer, noting it can now pilfer credit card information, in addition to stealing credentials stored in the browser.

The process works by copying the “Web Data” database of every targeted browser, they explained. Web Data is a SQLite database that stores sensitive data such as autofill information and saved payment methods.

Abusing Windows Restart Manager

“With these, the infostealer can now collect the victim’s credit card information which includes the cardholder’s name, card expiration date, and card number," the researchers noted.

It uses Python’s sqlite3 library to run a query on the copied database, pulling out the rows that hold credit card information.

Furthermore, Python NodeStealer now uses the Windows Restart Manager to unlock database files. That API normally cuts down on the number of reboots needed after software updates by restarting only the processes holding locks on the updated files; here it is abused to make the browser release its lock on the database.

First, the infostealer copies the browser database files into a temp folder. Because the files are usually locked by the running browser, they cannot be copied directly, which is where the Restart Manager comes in. Finally, the collected files are exfiltrated via a Telegram bot.
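To make the copy-then-query step concrete, the following is an added example (not NodeStealer’s code and not Netskope’s analysis) that builds a constructed SQLite file with the column layout of Chromium’s `credit_cards` table, copies it to a temp directory the way the stealer does, and queries the copy. It also shows what a practitioner would check next: on Windows, Chromium stores the card number in `card_number_encrypted` as AES-GCM ciphertext (prefixed `v10`) under a key that is itself DPAPI-protected, so a copy of the file alone yields names and expiry dates but not the PAN. The cardholder name, GUID and ciphertext bytes are invented for the demo.

```python
import os
import shutil
import sqlite3
import tempfile

# Column layout assumed to match Chromium's 'Web Data' credit_cards table;
# this file is a constructed stand-in, not a real browser profile.
SCHEMA = """
CREATE TABLE credit_cards (
    guid VARCHAR PRIMARY KEY,
    name_on_card VARCHAR,
    expiration_month INTEGER DEFAULT 0,
    expiration_year INTEGER DEFAULT 0,
    card_number_encrypted BLOB,
    date_modified INTEGER NOT NULL DEFAULT 0
);
"""
# Chromium on Windows stores the PAN as 'v10' + AES-GCM ciphertext; the random
# bytes below stand in for that blob (constructed sample, not real card data).
SAMPLE_ROWS = [
    ("11111111-2222-3333-4444-555555555555", "J DOE", 4, 2027,
     b"v10" + os.urandom(28), 13300000000000000),
]


def make_sample_web_data(path):
    """Create a constructed Web Data-style SQLite file at path."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO credit_cards VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def snapshot_and_query(web_data_path):
    """The stealer's pattern: copy the database first (the browser keeps the
    original open and, per the report, locked), then query the copy."""
    tmpdir = tempfile.mkdtemp()
    copy_path = os.path.join(tmpdir, "WebData.copy")
    shutil.copy2(web_data_path, copy_path)  # raises PermissionError if the file is locked
    con = sqlite3.connect(copy_path)
    try:
        rows = con.execute(
            "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted "
            "FROM credit_cards"
        ).fetchall()
    finally:
        con.close()
        shutil.rmtree(tmpdir, ignore_errors=True)
    return [
        {"name": name, "expires": f"{month:02d}/{year}",
         # True means the PAN is unreadable without the browser's decryption key
         "pan_encrypted": blob[:3] == b"v10"}
        for name, month, year, blob in rows
    ]


def demo():
    """Build the sample file, run the snapshot-and-query step, clean up."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "Web Data")
    try:
        make_sample_web_data(path)
        return snapshot_and_query(path)
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

For detection, the useful signal is the copy itself: a non-browser process (here a Python interpreter) reading a file named `Web Data` or `Login Data` under a browser profile directory, and, on Windows, Restart Manager calls that end with the browser being restarted, are both worth a file-access or API-telemetry rule.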

Python NodeStealer is most likely being developed by a threat actor located in Vietnam. Their main goal is to compromise Facebook Business and now - Facebook Ads Manager accounts, which they can later abuse in malvertising campaigns.

Facebook is usually rigorous about who can purchase ads on its platform: only vetted, verified accounts are allowed to do so. Crooks rarely make it past the platform’s checks, and instead resort to stealing verified accounts to run their campaigns.

Via The Hacker News



  • Google's OSS-Fuzz finds more than two dozen vulnerabilities in different open-source projects
  • Among them is a vulnerability in OpenSSL that could result in RCE
  • Google sees this as a major milestone in automated bug discovery

Google has found 26 vulnerabilities in different open source code repositories, including a medium-severity flaw in “the critical OpenSSL library that underpins much of internet infrastructure.”

This wouldn’t be much news (Google has helped find thousands of bugs over the years) if not for the method: the bugs were found by its OSS-Fuzz service using fuzz targets written and refined by a large language model.

"These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets," Google explained in a blog post.

Major improvements with LLMs

Among these 26 flaws is an OpenSSL bug tracked as CVE-2024-9143. It has a severity score of 4.3 and is described as an out-of-bounds memory write that can crash an application or, in rare cases, allow remote code execution (RCE). OpenSSL has since been updated to versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl to address the flaw.

To make matters even more interesting, Google said the vulnerability was most likely present for two decades, “and wouldn’t have been discoverable with existing fuzz targets written by humans.”

The bug discovery came as a result of two major improvements, the company further explained. The first is the ability to automatically generate more relevant context in the prompts, which makes the LLM “less likely to hallucinate the missing details in its response.” The second is the LLM’s ability to emulate a typical developer’s entire workflow, including writing, testing, and iterating on the fuzz target, as well as triaging the crashes found.

“Thanks to this, it was possible to further automate more parts of the fuzzing workflow. This additional iterative feedback in turn also resulted in higher quality and greater number of correct fuzz targets.”
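The workflow described above (write a fuzz target, run it, triage the crashes, iterate) is easier to follow with a minimal instance of each piece. The following is an added example, not Google’s OSS-Fuzz code and unrelated to the OpenSSL bug: a toy parser with a constructed, deliberately trusted length field; the fuzz target that feeds it arbitrary bytes; a small mutational fuzzer (no coverage feedback, which is what separates it from libFuzzer and from OSS-Fuzz) that deduplicates crashes by signature; and a greedy minimizer for the triage step. Everything here is constructed for the demo.

```python
import random
import traceback


def parse_records(data):
    """Constructed toy API under test: a one-byte record count followed by that
    many one-byte values. It trusts the count, a deliberate bug for this demo
    (not the OpenSSL flaw or any real CVE)."""
    count = data[0]
    values = []
    for i in range(count):
        values.append(data[1 + i])
    return values


def fuzz_target(data):
    """The fuzz target: the deterministic entry point a fuzzer (or an LLM writing
    one) must provide. It feeds arbitrary bytes into the API and lets any
    exception surface as a crash."""
    parse_records(data)


def crash_signature(target, data):
    """Run target once; return (exception type, function, line) or None."""
    try:
        target(data)
    except Exception as exc:  # a native harness would also catch signals/asserts
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return (type(exc).__name__, frame.name, frame.lineno)
    return None


def mutate(rng, data):
    """One random byte-level mutation (bit flip, byte overwrite, insert, delete)."""
    b = bytearray(data)
    op = rng.choice(("flip", "byte", "insert", "delete"))
    if op == "insert" or not b:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif op == "flip":
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    elif op == "byte":
        b[rng.randrange(len(b))] = rng.randrange(256)
    else:
        del b[rng.randrange(len(b))]
    return bytes(b)


def run_fuzzer(target, seeds, iterations=2000, seed=1, corpus_cap=64):
    """Minimal mutational fuzzer: without coverage feedback the corpus is only
    allowed to grow to corpus_cap; crashes are deduplicated by signature,
    which is the first pass of triage."""
    rng = random.Random(seed)
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(corpus))
        sig = crash_signature(target, data)
        if sig is not None:
            crashes.setdefault(sig, data)
        elif len(corpus) < corpus_cap:
            corpus.append(data)
    return crashes


def minimize(target, data, sig):
    """Greedy delta debugging: drop bytes while the same crash signature remains."""
    changed = True
    while changed:
        changed = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if crash_signature(target, candidate) == sig:
                data, changed = candidate, True
                break
    return data


if __name__ == "__main__":
    found = run_fuzzer(fuzz_target, [b"\x02ab"])
    for sig, data in found.items():
        print(sig, "minimized input:", minimize(fuzz_target, data, sig))
```

Starting from the valid seed `b"\x02ab"`, the fuzzer finds the count-trusting bug within the first few hundred iterations, and `minimize` reduces the crashing input to a single byte, which is what makes the report actionable. The gap between this and what the article describes is coverage guidance and harness quality: an LLM-written target for a real library has to reach the interesting code paths with well-formed setup, which is exactly the part that hand-written targets for OpenSSL had missed for two decades.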

Via The Hacker News
