The War Room

Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

founded 1 year ago

AI Model Listens to Typing, Potentially Compromising Sensitive Data

By Habiba Rashid

Revolutionary AI Model Predicts Keystrokes Through Sound: A New Wave of Acoustic Attacks.

This is a post from HackRead.com. Read the original post: AI Model Listens to Typing, Potentially Compromising Sensitive Data


A new sophisticated SkidMap variant targets unsecured Redis servers

A new campaign targets Redis servers; this time the malware employed in the attacks is a new variant of the SkidMap malware. SkidMap is a crypto-miner detected by Trend Micro in September 2019 while it was targeting Linux machines. The malicious code used kernel-mode rootkits to evade detection; it differs from similar miners because […]

The post A new sophisticated SkidMap variant targets unsecured Redis servers appeared first on Security Affairs.


North Korean Hackers Targeted Russian Missile Developer

A sanctioned Russian missile maker appears to have been targeted by two important North Korean hacking groups.

The post North Korean Hackers Targeted Russian Missile Developer appeared first on SecurityWeek.


North Korean hackers 'ScarCruft' breached Russian missile maker

The North Korean state-sponsored hacking group ScarCruft has been linked to a cyberattack on the IT infrastructure and email server for NPO Mashinostroyeniya, a Russian space rocket designer and intercontinental ballistic missile engineering organization.

NPO Mashinostroyeniya is a Russian designer and manufacturer of orbital vehicles, spacecraft, and tactical defense and attack missiles used by the Russian and Indian armies. The U.S. Department of Treasury (OFAC) has sanctioned the company since 2014 for its contribution and role in the Russo-Ukrainian war.

Today, SentinelLabs reported that ScarCruft is behind a hack of NPO Mashinostroyeniya's email server and IT systems, where the threat actors planted a Windows backdoor named 'OpenCarrot' for remote access to the network.

While the main purpose of the attack is unclear, ScarCruft (APT37) is a cyber espionage group known to surveil and steal data from organizations as part of its cyber campaigns.

Discovering the breach

The security analysts discovered the breach after analyzing an email leak from NPO Mashinostroyeniya that contained highly confidential communications, including a report from IT staff warning of a potential cybersecurity incident in mid-May 2022.

SentinelLabs leveraged the information in these emails to undertake an investigation, discovering a much more significant intrusion than the missile maker realized.

Figure: Unrelated sample from the leaked emails. Source: SentinelLabs

According to the leaked emails, IT staff at NPO Mashinostroyeniya discussed suspicious network communication between processes running on internal devices and external servers.

This ultimately led to the company finding a malicious DLL installed on internal systems, causing them to engage with their antivirus firm to determine how they had become infected.

After analyzing the IP addresses and other indicators of compromise (IOCs) found in the emails, SentinelLabs determined that the Russian organization was infected with the 'OpenCarrot' Windows backdoor.

A link to Lazarus

OpenCarrot is a feature-rich backdoor malware previously linked to another North Korean hacking group, the Lazarus Group.

While it is not clear if this was a joint operation between ScarCruft and Lazarus, it is not uncommon for North Korean hackers to utilize tools and tactics that overlap with other state-sponsored threat actors in the country.

The variant of OpenCarrot used in this particular attack was implemented as a DLL file and supports proxying communications through internal network hosts.

The backdoor supports a total of 25 commands, including:

  • Reconnaissance: File and process attribute enumeration, scanning, and ICMP-pinging hosts in IP ranges for open TCP ports and availability.
  • Filesystem and process manipulation: Process termination, DLL injection, file deletion, renaming, and timestamping.
  • Reconfiguration and connectivity: Managing C2 communications, including terminating existing and establishing new comms channels, changing malware configuration data stored on the filesystem, and proxying network connections.

When legitimate users on the compromised devices become active, OpenCarrot automatically enters a sleep state and checks every 15 seconds for the insertion of new USB drives that can be laced and used for lateral movement.

Figure: Checking for new drives connected to a device. Source: SentinelLabs

Simultaneously, SentinelLabs saw evidence of suspicious traffic originating from the victim's Linux email server, which was beaconing outbound to ScarCruft infrastructure.

The analysts are still determining the intrusion method but mention the possibility of the threat actors using their signature RokRAT backdoor.

SentinelLabs suggests that the involvement of two state-supported hacking groups could indicate a deliberate strategy by the North Korean state that controls both.

By assigning multiple actors to infiltrate NPO Mashinostroyeniya, which they probably considered a significant target for espionage, the state may have sought to amplify the probability of a successful breach.


North Korean Hackers Target Russian Missile Engineering Firm

Two different North Korean nation-state actors have been linked to a cyber intrusion against the major Russian missile engineering company NPO Mashinostroyeniya. Cybersecurity firm SentinelOne said it identified "two instances of North Korea related compromise of sensitive internal IT infrastructure," including a case of an email server compromise and the deployment of a Windows backdoor dubbed


New PaperCut Vulnerability Allows Remote Code Execution

A new vulnerability in the PaperCut MF/NG print management software can be exploited for unauthenticated, remote code execution.

The post New PaperCut Vulnerability Allows Remote Code Execution appeared first on SecurityWeek.


Selling Software to the US Government? Know Security Attestation First

Challenging new safety requirements are needed to improve security and work toward a more secure future.


Name That Edge Toon: How Now?

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.


Elite North Korean Hackers Breach Russian Missile Developer

By Waqas

North Korean hackers from OpenCarrot and Lazarus breached a major Russian missile developer, NPO Mashinostroyeniya, for at least five months.

This is a post from HackRead.com. Read the original post: Elite North Korean Hackers Breach Russian Missile Developer


CISA Unveils Cybersecurity Strategic Plan for Next 3 Years

CISA has unveiled its Cybersecurity Strategic Plan for the next 3 years, focusing on addressing immediate threats, hardening the terrain, and driving security.

The post CISA Unveils Cybersecurity Strategic Plan for Next 3 Years appeared first on SecurityWeek.


Code leaks are causing an influx of new ransomware actors

Cisco Talos has seen an increasing number of ransomware variants emerge since 2021, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.


New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware

Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023 with customized Yashma ransomware.


Tenable Cyber Watch: SEC Issues New Cyber Disclosure Rules, MITRE’s Most Dangerous Software Weaknesses, and more

Wondering what you need to know about the SEC’s new rules on cybersecurity disclosures? Do you know which flaws topped the list of 25 most dangerous software weaknesses? Curious to know why cloud adoption by financial organizations is on the rise?

We’ve got you covered in this week’s edition of the Tenable Cyber Watch, our weekly video news digest highlighting three cybersecurity topics that matter right now.

Here’s what’s happening in cyber. Today, we’re talking:

  • All about the new cybersecurity rules approved by the U.S. Securities and Exchange Commission.
  • MITRE released its annual list of the 25 most dangerous software weaknesses.
  • Cloud adoption by financial institutions continues to increase. What one study shows.

Every Monday at 9am ET, the Tenable Cyber Watch brings you cybersecurity news you can use. Watch this week’s episode below and subscribe to our playlist on YouTube.


Microsoft Signing Key Stolen by Chinese

A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers. The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.

Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tells me that the details are really bad.

I believe this all traces back to SolarWinds. In addition to Russia inserting malware into a SolarWinds update, China used a different SolarWinds vulnerability to break into networks. We know that Russia accessed Microsoft source code in that attack. I have heard from informed government officials that China used their SolarWinds vulnerability to break into Microsoft and access source code, including Azure’s.

I think we are grossly underestimating the long-term results of the SolarWinds attacks. That backdoored update was downloaded by over 14,000 networks worldwide. Organizations patched their networks, but not before Russia—and others—used the vulnerability to enter those networks. And once someone is in a network, it’s really hard to be sure that you’ve kicked them out.

Sophisticated threat actors are realizing that stealing source code of infrastructure providers, and then combing that code for vulnerabilities, is an excellent way to break into organizations who use those infrastructure providers. Attackers like Russia and China—and presumably the US as well—are prioritizing going after those providers.

News articles.


New 'Deep Learning Attack' Deciphers Laptop Keystrokes with 95% Accuracy

A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy. "When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad


Enhancing Security Operations Using Wazuh: Open Source XDR and SIEM

In today's interconnected world, evolving security solutions to meet growing demand is more critical than ever. Collaboration across multiple solutions for intelligence gathering and information sharing is indispensable. The idea of multiple-source intelligence gathering stems from the concept that threats are rarely isolated. Hence, their detection and prevention require a comprehensive


New SkidMap Redis Malware Variant Targeting Vulnerable Redis Servers

Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap that's engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week. Some of the Linux distribution SkidMap


Premier League Wins 2-Year Pirate IPTV Blocking Order as Sky Targets Identified

Following a report last week that UK broadcaster Sky had obtained a High Court piracy-blocking order, it transpires that the Premier League obtained a similar order just days later. The orders are yet to appear in public, but we're informed that the Premier League will be able to block pirate IPTV services during the 2023/2024 and 2024/2025 seasons. Interestingly, the Sky order seems to cover a much shorter period but does identify six pirate IPTV services by name.

From: TF, for the latest news on copyright battles, piracy and more.


grove: A Software as a Service (SaaS) log collection framework

Grove is a Software as a Service (SaaS) log collection framework, designed to support the collection of logs from services which do not natively support log streaming. Grove enables teams to collect security-related...

The post grove: A Software as a Service (SaaS) log collection framework appeared first on Penetration Testing.


Colorado Department of Higher Education Discloses Ransomware Attack, Data Breach

The Colorado Department of Higher Education was targeted in a ransomware attack that resulted in a data breach impacting many students and teachers.

The post Colorado Department of Higher Education Discloses Ransomware Attack, Data Breach appeared first on SecurityWeek.


FBI warns of crooks posing as NFT developers in fraudulent schemes

The FBI is warning about cyber criminals masquerading as NFT developers to steal cryptocurrency and other digital assets. The U.S. Federal Bureau of Investigation (FBI) is warning about cyber criminals posing as legitimate NFT developers in fraud schemes designed to target active users within the NFT community. The end goal is to steal cryptocurrency and […]

The post FBI warns of crooks posing as NFT developers in fraudulent schemes appeared first on Security Affairs.


The number of ransomware attacks targeting Finland increased fourfold since it started the process to join NATO

A senior official reports a fourfold increase in ransomware attacks against Finland since it started the process to join NATO. The number of ransomware attacks targeting Finland has increased fourfold since the country began the process of joining NATO in 2023. The news was reported by Recorded Future News, which interviewed Sauli Pahlman, the deputy director […]

The post The number of ransomware attacks targeting Finland increased fourfold since it started the process to join NATO appeared first on Security Affairs.


FBI Alert: Crypto Scammers are Masquerading as NFT Developers

The U.S. Federal Bureau of Investigation (FBI) is warning about cyber crooks masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users. In these fraudulent schemes, criminals either obtain direct access to NFT developer social media accounts or create look-alike accounts to promote "exclusive" new NFT releases, often


The Dark Web Is Expanding (As Is the Value of Monitoring It)

Rising cybercrime threats heighten risks. Dark Web monitoring offers early alerts and helps lessen exposures.


Hacking Tesla’s MCU-Z: A Breakdown of New AMD-Based Vulnerabilities

Tesla’s electric vehicles, through their MCU (Multimedia Control Unit), have utilized all three major tech components, starting from the earliest NVIDIA Tegra, to Intel Atom, and then to the latest AMD-based infotainment systems (MCU-Z)....

The post Hacking Tesla’s MCU-Z: A Breakdown of New AMD-Based Vulnerabilities appeared first on Penetration Testing.
