Cyber Risk Update 18 AUG 2023

This is a selection of this week's events. For more news and advisories check out our discord server.

Local Government Cyber Watch discord server. This server is focused on cybersecurity collaboration with local government stakeholders. (TLP Clear Only) Invite: https://discord.gg/PGz3NDKb5V

Resources

Locking Down Cybersecurity: Unmasking the Power of Phishing-Resistant MFA https://www.learnsecurity.org/single-post/locking-down-cybersecurity-unmasking-the-power-of-phishing-resistant-mfa
Online learning is here to stay. Many K-12 schools will probably use some blend of fully online learning and in-person teaching for the foreseeable future. https://staysafeonline.org/online-safety-privacy-basics/k-12-online-learning/

Incident

'You are going to be attacked' | Expert weighs in on recent cybersecurity thefts in Connecticut. On Thursday, New Haven officials announced an investigation into a cyber-attack that resulted in hackers stealing $6 million from the city's school district. https://www.fox61.com/article/tech/you-are-going-attacked-expert-weighs-recent-cybersecurity-attacks-connecticut/520-c3f0d64a-86a4-4bb7-a3a6-8d52407b1578
The Record: Tennessee school hit with ransomware as gangs ramp up attacks ahead of new academic year (08/17) https://therecord.media/tennessee-school-hit-with-ransomware-as-hackers-ramp-up-attacks

Critical Alert

CISA Says Citrix ShareFile Flaw Is Being Actively Exploited (08/17) https://www.webpronews.com/cisa-says-citrix-sharefile-flaw-is-being-actively-exploited/

TTP and Malware

XWorm, Remcos RAT Evade EDRs to Infect Critical Infrastructure. Disguised as harmless PDF documents, LNK files trigger a PowerShell script, initiating a Rust-based injector called Freeze[.]rs and a host of malware infections. https://www.darkreading.com/ics-ot/xworm-remcos-rat-evade-edrs-infect-critical-infrastructure

Governance

What's New in the NIST Cybersecurity Framework 2.0. Update to the NIST framework adds new "govern" function for cybersecurity. https://www.darkreading.com/operations/whats-new-in-nist-cybersecurity-framework-2-0

Payment Card

How Innovation Accelerators Are at Work on the Dark Side. Digital commerce remains the richest target for cybercriminals, yet physical payment threats remain strong. https://www.darkreading.com/vulnerabilities-threats/how-innovation-accelerators-are-at-work-on-the-dark-side

AI

Cyber Defenders Lead the AI Arms Race for Now Cyberattackers are slow to implement AI in their attack chains, according to Mandiant's analysis. https://www.darkreading.com/vulnerabilities-threats/cyber-defenders-lead-the-ai-arms

Phishing

Novel phishing ploy uses QR codes, Bing URL redirects, fake Microsoft security alerts. Researchers warn of escalating phishing campaigns using QR codes that are likely test runs for a larger wave of attacks targeting Microsoft credentials. https://www.scmagazine.com/news/novel-phishing-qr-codes-bing-url-microsoft-security
You've probably never heard of "16Shop," but there's a good chance someone using it has tried to phish you. Last week, the international police organization INTERPOL said it had shuttered the notorious 16Shop, a popular phishing-as-a-service platform launched in 2017 that made it simple for even complete novices to conduct complex and convincing phishing scams. INTERPOL said authorities in Indonesia arrested the 21-year-old proprietor and one of his alleged facilitators, and that a third suspect was apprehended in Japan. https://krebsonsecurity.com/2023/08/karma-catches-up-to-global-phishing-service-16shop/

Banned

New York City Banning TikTok From City-Owned Devices. NYC Cyber Command found that TikTok “posed a security threat to the city’s technical networks.” The city is banning the app from city-owned devices and requiring agencies to delete it within the next 30 days. City employees are immediately barred from downloading or using the app and from accessing TikTok’s website on any city-owned devices. A number of states, including New York, already banned TikTok on government-owned devices, citing risks that ByteDance, which owns the app, can use it to spy on residents. https://www.theverge.com/2023/8/16/23834579/nyc-tiktok-ban-new-york-china-surveillance-spy
The Software Freedom Conservancy, a not-for-profit enterprise that supports open-source projects, is asking developers not to use Zoom, citing the videoconferencing company's stance of allowing its data to be used for machine learning models. From the Conservancy's statement: "Zoom has abused their household name for profit, knowing that users will not be able to understand the change of terms of service or have an option to use any other software." https://techcrunch.com/2023/08/16/open-source-developers-urged-to-ditch-zoom-over-user-data-controversy/

In Other News

CISA Unveils Plan to Slow the Hacker Abuse of RMM Tools (08/17) https://securityboulevard.com/2023/08/cisa-unveils-plan-to-slow-the-hacker-abuse-of-rmm-tools/
Researchers Trick an iPhone Into Faking Airplane Mode How mobile attackers could gaslight iPhone users, allowing the perfect cover for post-exploitation malicious activity. https://www.darkreading.com/endpoint/researchers-trick-iphone-faking-airplane-mode
Security Researchers Face Threats From Hacking Groups. Cybersecurity researchers are facing physical threats over their work exposing hackers. Robert M. Lee, CEO of cybersecurity company Dragos, was threatened and told to pay a ransom after hackers claimed to access the company’s network, and then found the passport of Lee’s son, school and telephone number to escalate their threats. A Ukrainian hacker sent a gram of heroin to the home of security researcher Brian Krebs. Some analysts warn that the situation has gotten worse because of western companies’ involvement in providing security services to Ukraine. https://www.ft.com/content/88560ffa-bb5f-428a-894e-d791a0ee342c