NSA 2023 Cybersecurity Year in Review

The National Security Agency has published their 2023 Cybersecurity Year in Review!

In an effort to be more transparent, the National Security Agency publishes an annual Year in Review that shares information about the cybersecurity efforts that better equipped U.S. defenses against high-priority cyber threats. NSA's efforts to help secure the nation's most sensitive systems also help your cybersecurity, because NSA cascades these solutions through public guidance and engages with key technology providers to help them bolster the security of their products and services.

Submitted by Regan Williams on

"Brazilian Police Arrest Notorious Hacker USDoD"

Brazil's Federal Police recently announced the arrest of a hacker whose description matches that of the notorious leaker known as USDoD. USDoD, aka EquationCorp, has leaked significant amounts of information stolen from major organizations. His targets include the FBI's InfraGard portal, Airbus, TransUnion, National Public Data (NPD), and CrowdStrike. In August, CrowdStrike and others independently determined that USDoD is a 33-year-old man identified as Luan B.G. and Luan G from the Brazilian state of Minas Gerais.

Submitted by Adam Ekwall on

"Cisco Patches High-Severity Vulnerabilities in Analog Telephone Adapters"

Cisco recently announced patches for eight vulnerabilities in the firmware of ATA 190 series analog telephone adapters, including two high-severity flaws leading to configuration changes and cross-site request forgery (CSRF) attacks. The first high-severity flaw, CVE-2024-20458, impacts the web-based management interface of the firmware and exists because specific HTTP endpoints lack authentication, allowing remote, unauthenticated attackers to browse to a specific URL and view or delete configurations or modify the firmware.

Submitted by Adam Ekwall on

"Two-thirds of Attributable Malware Linked to Nation States"

According to Netskope Threat Labs, most of the attributable malware used in attacks on their customers over the past year is linked to state-backed groups. The SASE provider based its findings on 12 months of data collected from customer environments, claiming the largest share of malware attacks came from North Korean groups, followed by China and Russia. The Netskope findings would seem to validate warnings from the security services that state-backed cyber threats are spiraling out of control.

Submitted by Adam Ekwall on

"Iranian Cyber Actors Access Critical Infrastructure Networks"

The National Security Agency (NSA), together with the Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), and others, has released a Cybersecurity Advisory (CSA) titled "Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations." The new CSA warns network defenders about malicious activity that can allow persistent access to sensitive systems.

Submitted by grigby1 CPVI on

"Anonymous Sudan DDoS Service Disrupted, Members Charged by US"

The US Department of Justice (DoJ) has announced charges against two Sudanese nationals for their participation in Distributed Denial-of-Service (DDoS) attacks conducted by the hacker group named "Anonymous Sudan." Anonymous Sudan has targeted critical infrastructure, government organizations, and more with highly disruptive DDoS attacks. The cybercriminals also offered DDoS attack services to take down websites and online services. This article continues to discuss the DoJ's announcement of charges against Anonymous Sudan members and the disruption of their DDoS attack services.

Submitted by grigby1 CPVI on

"North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware"

The North Korean threat actor "ScarCruft" exploited a Windows security flaw to infect devices with the "RokRAT" malware. The flaw is a memory corruption bug in the Scripting Engine that enables Remote Code Execution (RCE) when using the Edge browser in Internet Explorer Mode. To exploit it, an attacker must convince a user to click on a specially crafted URL to execute the malicious code. This article continues to discuss findings regarding ScarCruft's delivery of RokRAT malware.

Submitted by grigby1 CPVI on

"RansomHub Overtakes LockBit as Most Prolific Ransomware Group"

According to security researchers at Symantec, RansomHub is now the number one ransomware operation in terms of claimed successful attacks. Overall, threat actors claimed 1255 attacks in the third quarter, down slightly from 1325 in Q2. The researchers noted that RansomHub only became active in February this year but claimed top spot in Q3 with 191 victims posted to leak sites, up 155% on Q2's haul.

Submitted by Adam Ekwall on

"Internet Researchers Reach Beyond Academia to Close Major Security Loophole"

In collaboration with top industry organizations, Princeton University researchers have closed a loophole in the world's website credential system, thus squashing a significant Internet security threat. For years, a potential disaster loomed in the Internet's encryption system, posing a threat to the security of organizations and individuals. In a collaborative effort, Princeton engineers have addressed that threat, turning their research into a universal security standard recently adopted by global organizations.

Submitted by grigby1 CPVI on

"TrickMo Banking Trojan Can Now Capture Android PINs and Unlock Patterns"

New variants of the Android banking trojan "TrickMo" have features for stealing a device's unlock pattern or PIN. According to Aazim Yaswant, a security researcher at Zimperium, these previously undocumented features allow the threat actor to operate on the device even when it is locked. TrickMo, first discovered in the wild in 2019, can grant remote control over infected devices, steal SMS-based One-Time Passwords (OTPs), and display overlay screens to capture credentials. This article continues to discuss findings regarding new TrickMo variants.

Submitted by grigby1 CPVI on