Intelligence services in countries such as Russia, North Korea, and China have leveraged ad hoc relationships with cybercriminal groups within their borders for some time to shield their organizations from the repercussions of their actions. However, recent successes by authorities in the US and elsewhere have demonstrated that even this strategy does not put actors beyond the reach of law enforcement.

The UK Information Commissioner's Office (ICO) has issued a warning about the potential risks posed by data breaches that expose the Personally Identifiable Information (PII) of domestic abuse victims. The data privacy regulator urges organizations handling domestic abuse victims' PII to train their staff and implement appropriate systems to prevent such incidents. In the past 14 months, the ICO has reprimanded seven organizations for data breaches impacting victims of domestic abuse, including four instances in which organizations exposed victims' safe addresses.

A recent cyberattack on a Russian flight booking system caused delays at airports. A massive Distributed Denial-of-Service (DDoS) attack was launched against the Leonardo local airline booking system by "foreign hackers," according to one of the system's developers, the Russian state defense company Rostec. The incident lasted around an hour and disrupted the operations of several Leonardo customers, including Rossiya Airlines, Pobeda, and Aeroflot. IT Army, a Ukrainian hacktivist group, claimed responsibility for the shutdown of Leonardo.

Government and telecommunications organizations are facing new attacks by a threat actor linked to China, tracked as Budworm, which has been using an updated malware toolkit. The attacks against a Middle Eastern telecommunications company and an Asian government, occurred in August 2023, with the adversary using an updated version of its SysUpdate toolkit. Budworm, also known as APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, and Red Phoenix, has been active since at least 2013, targeting various industry verticals in pursuit of its intelligence-gathering objectives.

Malicious npm and PyPI packages have been discovered stealing sensitive data from software developers. The campaign, which started on September 12, 2023, was first found by analysts at Sonatype, who discovered 14 malicious packages on npm. According to Phylum, following a brief operational hiatus on September 16 and 17, the attack continued and extended to the PyPI ecosystem. The attackers have uploaded 45 packages to npm (40) and PyPI (5) since the beginning of the campaign, with code variations suggesting a rapid evolution of the attack.

Johnson Controls International has recently suffered what is described as a massive ransomware attack that encrypted many of the company devices, including VMware ESXi servers, impacting the company's and its subsidiaries' operations.  Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment.  According to the company, the threat actors are demanding $51 million to provide a decryptor and to delete stolen data.

Selections by dgoff

​Pub Crawl summarizes, by hard problems, sets of publications that have been peer-reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view the corresponding list of publications. Submissions and suggestions are welcome.

According to security researchers at Perception Point, Booking.com users have recently become the focus of a new, large-scale phishing campaign.  The campaign follows a methodical four-step process.  The researchers noted that to initiate their scheme, the attackers gain unauthorized access to hotel systems, effectively taking control of the hotel’s Booking.com account.  This initial breach sets the stage for their subsequent actions.  Once in control of the Booking.com account, the attackers extract the personal data of hotel guests.

According to Trend Micro, one in every six ransomware attacks against US government offices was linked to the LockBit ransomware group. Ransomware victims grew by 47 percent from the second half of 2022. Jon Clay, vice president of threat intelligence at Trend Micro, emphasized that threat actors continue to advance, target more victims, and cause financial and reputational harm. Trend Micro noted the shift in focus among ransomware threat actors from "big game" targets to smaller organizations that they believe are less well-defended.

The researchers who discovered two critical vulnerabilities in Microsoft SharePoint Server have disclosed details of an exploit they created that combines the vulnerabilities to enable Remote Code Execution (RCE) on impacted servers. Separately, another security researcher published proof-of-concept (POC) code for one of the SharePoint vulnerabilities on GitHub, demonstrating how an attacker could exploit the flaw to gain admin privileges on vulnerable systems. One of the vulnerabilities, tracked as CVE-2023-29357, is an elevation of privilege flaw in SharePoint Server 2019.