Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions
The Sysdig Threat Research Team (Sysdig TRT) recently uncovered an extensive and sophisticated active cryptomining operation in which a threat actor is using some of the largest cloud and continuous integration and deployment (CI/CD) service providers, including GitHub, Heroku, Buddy.works, and others, to build, run, scale, and operate their massive cloud operation. Because no one has yet reported on this activity and its techniques, we are going to refer to this cluster of activity as PURPLEURCHIN. The activity observed is known as “freejacking,” which is the abuse of compute allocated to free trial accounts on CI/CD platforms.
Hackers hit cybersecurity conference
The Australian Institute of Company Directors (AICD) had some solid names lending support to the launch of the institute’s new set of “cybersecurity governance principles” – a very hot topic in the wake of the Optus and Medibank Private hacks – including the federal minister in charge, Clare O’Neil, and Cyber Security Cooperative Research Centre CEO Rachael Falk. So it’s less than ideal that an online conference on Monday to launch the principles was – get this – hacked, leaving the institute’s boss Mark Rigotti and LinkedIn, the platform hosting the event, with a bit of a PR problem.
Hackers Actively Exploiting Cisco AnyConnect and GIGABYTE Drivers Vulnerabilities
Cisco has warned of active exploitation attempts targeting a pair of two-year-old security flaws in the Cisco AnyConnect Secure Mobility Client for Windows. Tracked as CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), the vulnerabilities could enable local authenticated attackers to perform DLL hijacking and copy arbitrary files to system directories with elevated privileges. CVE-2020-3153 was addressed by Cisco in February 2020, and a fix for CVE-2020-3433 was shipped in August 2020.
Black Reward Hackers Steal Trove of Emails from Iran’s Atomic Energy Agency
A group of anti-Iranian-government hackers has allegedly targeted the network of a subsidiary of the Iran Atomic Energy Organization and managed to access its email server. The hacking group, identified as Black Reward, has claimed responsibility for the attack on the Iranian nuclear agency’s subsidiary, the Atomic Energy Production and Development Company located in Bushehr. The group claims it launched the attack to demand the release of political prisoners arrested during the countrywide protests. The agency, for its part, has acknowledged that its email server was targeted by hackers and blamed a foreign country for the attack, but did not name the country.
A 2.5-Year-Long Data Breach Discovered on See Tickets Website
See Tickets, the ticketing provider, announced that it has discovered a long-running data breach on its website. Customers have been warned that cybercriminals might have stolen their credit card details. The data was exfiltrated through a skimmer, a snippet of JavaScript code injected into the order checkout page. In the data breach notification issued by See Tickets, the company stated that the breach was discovered in April 2021 and that the skimmer was completely removed from the website only on January 8, 2022. During the investigation, conducted with the support of a forensics firm, it was found that the infection occurred on June 25, 2019, making the total duration of the exposure slightly more than 2.5 years.