[Security Weekly] November 20 to November 24, 2023

This week brought news of several domestic listed companies being hacked. First, on the 20th, Lion Travel and Sinopec both announced that they had been attacked by hackers; two incidents in a single day drew particular attention. On the 23rd, CyberLink announced that malware had been found in the installer of its product "Promeo", the result of a supply chain attack by the North Korean hacker group Lazarus. Last week we reported that Dajiang Biomedical had been listed as a victim by a ransomware group; on the 24th the company issued a major announcement confirming that it had suffered a cyber security incident.


Among this week's vulnerability news, two major fixes deserve attention: Johnson Controls patched critical vulnerabilities in its industrial refrigeration systems, and Fortinet patched a critical vulnerability in FortiSIEM. In addition, hackers were found exploiting new zero-day vulnerabilities in network video recorders (NVRs) and routers to spread JenX, a Mirai variant. Akamai, which disclosed the matter, first warned and notified the affected manufacturers; patched firmware is expected to be released in December.

In addition, in early October we reported on the GNU C library buffer overflow vulnerability known as Looney Tunables. Signs have recently emerged that attackers have begun exploiting this known vulnerability. This week's Information Security Daily has not yet covered it, so we make up for that here.

Domestically, several information security incidents, all involving listed companies, have become the focus. We summarize them as follows:
(1) Two serious information security incidents in a single day: On November 20, the travel company Lion and the plastics company Sinopec successively disclosed major information security incidents, stating that they had been attacked by hackers. Lion included an anti-fraud warning reminding travelers that customer data may have been leaked; this is the second time in two years that the company has announced it was hacked. Sinopec's disclosure is quite limited and provides no concrete, useful information that other enterprises and organizations could use for joint defense.
(2) Dajiang Biomedical disclosed a major information security incident, confirming that its information systems suffered a cyber attack: When the previous issue of this weekly was published on the 15th, we were the first to report that the biotech company Dajiang had been listed as a victim by the ransomware group Hunters International on the 22nd. Other media followed up on the news; we contacted Dajiang again and still received no response. It was not until the evening of Friday, November 24 that Dajiang finally announced it had suffered a cyber attack.
(3) CyberLink was revealed by Microsoft to have been hacked: the North Korean hacker group Lazarus launched a supply chain attack on the company, targeting new users of its Promeo product. On the day the incident was exposed, CyberLink posted an announcement on its website stating that malware had been found in the installer of its product "Promeo", that the problem had been removed, and that the software's signing certificate would be updated.
In addition, there were domestic reports this week that the registration system of the Central General Hospital was unavailable and appointment records disappeared, with a cyber attack suspected. The Judicial Yuan also issued a new explanation regarding the leak of court judgment data.

Among information security threats and incidents, ransomware threats and trends deserve the most attention. Four related news items were revealed, summarized as follows:
●Regarding the Rhysida ransomware, the US CISA, FBI and MS-ISAC jointly issued an advisory stating that its attacks mainly target the education, healthcare, manufacturing, IT and government sectors. The advisory discloses the ransomware's TTPs and IoCs, helping enterprises understand its attack strategies and techniques as well as the available mitigation measures.
●Regarding new trends with the BlackCat ransomware, security industry researchers pointed out that the group has recently been placing Google ads posing as downloads of well-known applications (Advanced IP Scanner, Slack, WinSCP), luring users to phishing websites where they download software implanted with the malicious program Nitrogen.
●The Phobos ransomware has resurfaced; security researchers revealed that its operators recently targeted the security community VX-Underground.
●The threat from the Play ransomware group may intensify: security researchers recently revealed that the group is offering its tools for rent in an attempt to attract more criminals to join.

Among emerging attack methods and other important threat trends, we believe the Lumma stealer's new technique and the use of compressed files to launch attacks are the most noteworthy.
●To evade detection, the Lumma stealer measures mouse trajectories to confirm that a real person is operating the machine before executing its payload. Another security researcher also revealed that the Lumma developer claims to be able to restore Google account sessions and take over the victim's account.
●Attention is needed on the use of compressed files to spread malware; there were three related incidents this week. First, embassy staff should take note: the Russian hacker group APT29 targeted many European embassies with attacks exploiting a WinRAR vulnerability. Cryptocurrency users should also take note: the hacker group DarkCasino launched attacks against them using the WinRAR vulnerability. Finally, the Agent Tesla stealer is now using the ZPAQ format to compress a 1 GB file into a compressed file of only 6 KB, probably to evade antivirus scanning.
●Python developers should also take note. A cybersecurity researcher revealed that in the past six months hackers have uploaded 27 PyPI packages that imitate well-known packages, and used PNG images to hide their attack intentions.

Finally, two revelations about state-sponsored hacking trends are worth noting: the Chinese hacker group Mustang Panda targeted military units in Southeast Asian countries, using Solid PDF Creator and the Indonesian antivirus software Smadav as decoys to sideload malware; and the Russian hacker group Gamaredon targeted Ukrainian organizations, distributing the USB worm LitterDrifter.


[November 11] Hackers have distributed more than 20 malicious PyPI packages in the past six months, using PNG images to hide their attack intentions; developers in the United States, China and France have fallen victim.

Attacks against developers have been quite frequent recently, and increasingly sophisticated methods have emerged. For example, the attack code is buried in a specific module of the malicious package: once the developer installs the package according to the instructions, the malicious code does not execute immediately, but only loads when that specific function is called.

Similar techniques have also appeared in other new methods, such as the malicious PyPI package attack disclosed by the security company Checkmarx, in which the attackers bury the malicious code in external PNG images so that the PyPI package itself appears harmless.

[November 11] The Chinese hacker group Mustang Panda targeted Southeast Asia with several phishing attacks, suspected to be related to the military conflict in the Philippines in August.

In the first half of this year, attacks by the Chinese hacker group Mustang Panda were frequent. Their targets were related to the war in Ukraine, mostly European countries that had assisted Ukraine.

In the second half of the year, however, these hackers shifted targets and once again focused their attacks on the Southeast Asian countries they had previously targeted. For example, the attacks in August were aimed at Southeast Asian countries, and researchers speculate that this wave of attacks was mainly related to the conflict in the Philippines.

[November 11] The Phobos ransomware used the name of an information security community to attack Windows computers, telling victims they had to recover their files from that community.

Ransomware attacks occur frequently; today's news includes three such security incidents. The most noteworthy is that the hackers claimed to be a well-known security organization, evidently in order to discredit it, provoke and divide the whole community, and weaken overall defenses.

Notably, in committing these crimes the hackers not only misused the organization's name but also mocked it in their ransom notes, even asking victims to buy books written by the security organization.

[November 11] CyberLink suffered a supply chain attack by North Korean hackers, who deployed malware on the company's update servers; victims appeared in Taiwan and many other countries.

Regarding supply chain attacks on Taiwanese manufacturers, the hacking of Asus's update servers four years ago attracted great attention, and supply chain attacks have become a threat that Taiwanese IT manufacturers cannot ignore. Recently another software supplier suffered a similar attack, in which hackers used its update infrastructure to spread malware.

Microsoft's threat intelligence team disclosed an attack on the Taiwanese multimedia application developer CyberLink that began at the end of October. The hackers tampered with the company's software installer and uploaded it to CyberLink's update server. The attackers' purpose remains to be clarified.

[November 24] A Mirai botnet variant infected routers and NVR network video surveillance devices; the zero-day vulnerabilities exploited by the attackers may involve default weak passwords.

Reports of the Mirai botnet targeting Internet of Things (IoT) devices are frequent, but the incident recently disclosed by researchers is notable because they did not reveal the device models targeted, only that they were network video recorders (NVRs) and small routers.

Notably, all of the above devices have zero-day vulnerabilities, and researchers revealed that the malicious code used by the attackers included the default account names and passwords of these devices, suggesting that the attackers may use these credentials to gain control.
