🔴 January 13's Top Cyber News NOW! - Ep 281
1:14:22

Simply Cyber - Gerald Auger, PhD

Overview

This cybersecurity news briefing covers several key incidents and trends. It details a security flaw in the Chromium browser that allowed files to be siphoned from a user's system, discusses a dispute over a large Twitter user data leak, and highlights an IcedID malware attack that compromised an Active Directory domain in under a day. The episode also touches on GitHub disabling accounts belonging to a pro-Russian hacktivist group, a data exposure incident at Trust and News, and a lawsuit against a fintech startup for fraudulently inflating its user numbers. Additionally, it explores a new app designed to detect AI-generated text, a trojanized Telegram app targeting Android users, and offers insights into career paths such as SOC analyst versus IT auditor and the value of certifications like the CCNA.

Chapters

  • A vulnerability in Chromium-based browsers (CVE-2022-3656) allowed attackers to potentially steal confidential files.
  • The flaw exploited how the browser handled symbolic links (symlinks), failing to validate whether the link pointed to an unintended, accessible location.
  • Google has patched this medium-severity issue in versions 107 and 108 of Chrome and Chromium.
  • The incident underscores the importance of keeping browsers updated and educating end users on software patching.
This highlights that even widely used and well-funded software like Google Chrome can have vulnerabilities, emphasizing the ongoing need for vigilance and timely patching by both developers and users.
The vulnerability allowed a symlink to point to a file the user should not have been able to access, and the browser, without proper validation, would grant access to that file.

  • A dataset containing information on over 200 million Twitter users was offered for sale online.
  • Twitter claims the data was not obtained through a breach of its systems and is likely from publicly available sources.
  • Cybercrime intelligence firms and researchers dispute Twitter's claim and have confirmed the authenticity of the leak.
  • The data, which includes usernames and email addresses but no passwords, is being used for social engineering and doxing.
This situation illustrates how aggregated public data can be repackaged and presented as a breach, potentially leading to extortion or misuse, and emphasizes the value of even seemingly non-sensitive user data for malicious purposes.
A threat actor bundled publicly available Twitter data, including usernames and emails, and attempted to extort Twitter for $200,000, which was later negotiated down from an initial $400 million demand.

  • The IcedID (also known as BokBot) malware was used in an attack that compromised an Active Directory domain in under 24 hours.
  • The attack involved reconnaissance, credential theft, lateral movement using Windows protocols, and deployment of Cobalt Strike.
  • IcedID, initially a banking Trojan, has evolved into a versatile malware dropper.
  • The rapid compromise highlights the effectiveness of modern malware in exploiting network protocols and post-exploitation tools like Cobalt Strike.
This case demonstrates the speed at which sophisticated malware can infiltrate and compromise critical network infrastructure like Active Directory, underscoring the need for robust endpoint detection and response and for network segmentation.
An attacker used IcedID to gain initial access, steal credentials, move laterally across the network, and ultimately deploy Cobalt Strike on a compromised host to gain control of the Active Directory domain.

  • GitHub disabled accounts belonging to a pro-Russian hacktivist group, 'NoName057(16)'.
  • The group used GitHub to host its DDoS tools and code for attacks against entities in NATO countries.
  • The action was taken after researchers reported the group's activity to GitHub, citing violations of its acceptable use policy.
  • While the takedown is a positive step, it is unlikely to significantly slow the group down, as they can easily find alternative hosting.
This event shows how platforms are taking action against malicious use, but also illustrates the limits of such actions in truly disrupting persistent threat actors who can quickly relocate their infrastructure.
The group hosted its DDoS tooling and website code on GitHub, which was taken down after being reported by cybersecurity researchers.

  • Trust and News.com, a review and discount marketplace, exposed a database containing nearly half a million users' personal data for at least six months.
  • The exposed data included PII such as names, phone numbers, and bcrypt-hashed passwords, increasing the risk of phishing and account compromise.
  • JPMorgan Chase is suing Charlie Javice, founder of the fintech startup Frank, for allegedly inflating its user base by over 4 million fake accounts to secure a $175 million acquisition.
  • These incidents highlight common issues of insecure data handling and outright fraud in the business world.
These stories serve as stark reminders of the consequences of poor data security practices and the prevalence of fraud, emphasizing the need for robust due diligence and secure data management.
Frank, a student loan application platform, allegedly created fake user profiles for 4.2 million students to deceive JPMorgan Chase into acquiring the company for $175 million.

  • The StrongPity APT group is distributing a trojanized Android app disguised as a Telegram client for the Shagle random video chat platform.
  • This fake app contains a backdoor that allows attackers to spy on users, monitor calls, collect SMS messages, and steal contact lists.
  • A Princeton student developed GPTZero, an app designed to detect text written by AI chatbots like ChatGPT, aiming to combat academic plagiarism.
  • These examples show how malicious actors exploit users' desire for connection or convenience, while legitimate developers create tools to counter emerging threats.
These incidents highlight two sides of the digital coin: how attackers exploit human psychology and the desire for connection, and how innovators are developing tools to maintain integrity in areas like education.
A fake Shagle app, impersonating the legitimate web platform, tricks users into downloading a malicious Android application that steals their personal data and monitors their communications.

  • The CCNA certification is valuable for network engineers but less critical for cybersecurity practitioners than a solid grasp of networking fundamentals.
  • Skills like analyzing network traffic (PCAP), understanding the OSI model, and correlating logs in a SIEM are more directly applicable to cybersecurity roles.
  • SOC analyst roles can provide intense, practical experience, offering a strong foundation for future GRC roles.
  • Understanding Linux and applying skills in practice, rather than just holding certifications like Linux+, is more valuable for job prospects.
This segment provides practical advice for individuals navigating cybersecurity career paths, emphasizing foundational knowledge and hands-on experience over specific, niche certifications for entry-level roles.
Instead of focusing solely on the CCNA, a cybersecurity professional might gain more value from learning Wireshark to analyze network traffic or setting up a Linux lab to understand operating system fundamentals.

Key takeaways

  1. Always keep your software, including browsers, updated to patch known vulnerabilities.
  2. Be wary of data aggregators and marketplaces, as they can become targets for significant data breaches.
  3. Rapid compromise of Active Directory domains is a growing threat, requiring advanced detection and response capabilities.
  4. Platform providers like GitHub are taking steps against malicious actors, but these actions often cause only temporary disruption.
  5. Fraudulent inflation of user numbers or business metrics is a serious offense with severe legal consequences.
  6. Be cautious of unofficial mobile apps, especially those promising social interaction, as they can be vectors for malware.
  7. Focus on foundational cybersecurity skills and practical application rather than relying solely on specific certifications for career advancement.
  8. AI detection tools are emerging to combat academic dishonesty, reflecting the dual nature of AI's impact.

Key terms

Chromium, Symbolic Link (Symlink), CVE, IcedID (BokBot), Active Directory, Cobalt Strike, DDoS, PII (Personally Identifiable Information), Hashed Passwords, bcrypt, Fintech, APT (Advanced Persistent Threat), Trojan, Backdoor, ChatGPT, GPTZero, CCNA, SOC Analyst, GRC (Governance, Risk, and Compliance)

Test your understanding

  1. How did the Chromium browser vulnerability allow for the theft of confidential data, and what is the primary mitigation strategy?
  2. What is the core dispute regarding the Twitter data leak, and why is even aggregated public data valuable to attackers?
  3. Describe the typical attack chain involving IcedID malware. Why is rapid Active Directory compromise a significant concern?
  4. Why might taking down a hacktivist group's tools on GitHub not significantly hinder their operations in the long term?
  5. What are the potential consequences for a company like Frank that allegedly inflates its user numbers to entice an acquisition?
  6. How can a fake mobile application, like the one disguised as a Telegram client, be used for espionage?
  7. What networking concepts are more crucial for entry-level cybersecurity roles than the specifics of Cisco's CCNA certification?