VM#005
Hi Everyone,
I'm at an exciting point right now, wrapping up several projects that have been in the works for months. Just last week, I organized a city-wide outdoor game in Warsaw called “(In)visible,” which focused on women’s health (PinkOctober) and the exploration of femininity across various domains. We had an incredible turnout of 70 participants!
As you read this email, I’m likely out surfing or kitesurfing in the chilly Baltic Sea.
The forecast looks fantastic, and just the day before, I helped organize the Polish Surfing Championships'24 with a great team. Watching our national team compete in a local sport is awesome.

Wishing you all a great Sunday!
Now, let’s recap what’s been happening in the cybersecurity world over the past few weeks.
Cybersecurity News
Vulnerabilities & Exploits & Hacks
SYS01 Malvertising Campaign: Bitdefender has identified a malvertising campaign targeting owners of Meta Business Pages with the SYS01 infostealer. Find out more.
Tax-Themed Phishing: CERT-UA has reported on a phishing campaign targeting accountants in Ukraine, themed around tax-related topics. Find out more.
Author Typosquatting: A new threat of author typosquatting has emerged, where attackers register profiles similar to well-known developers to exploit trust. Find out more.
Xiū Gǒu Phishing Kit: A new phishing kit, Xiū Gǒu, is rapidly spreading and has been detected on over 2,000 phishing pages, targeting government and banking credentials. Find out more.
Threat Hunting & Malware
DPRK APT Ransomware Deployment: The North Korean group Andariel (also known as Jumpy Pisces and Onyx Sleet) has been collaborating with ransomware gangs and is now using the Play ransomware in its attacks, after the US charged some of its members in July over the Maui attacks. Find out more.
Midnight Blizzard Operations: A Russian nation-state actor continues to target sensitive organizations in the US and Europe using RDP for espionage. Find out more.
FakeCall Android Malware: An updated version of FakeCall malware has emerged, capable of intercepting outgoing calls to banks and conducting voice phishing. Find out more.
Other Notable Events
SharePoint Exploitation: Rapid7 reports active exploitation of a vulnerability in Microsoft SharePoint servers (CVE-2024-38094), which was patched in July. Find out more.
Microsoft Entra MFA Enforcement: Microsoft has announced that all new Entra accounts must enable MFA upon first login, eliminating the previous grace period. Find out more.
Linux Kernel: Eleven Russian developers have been removed from the list of official Linux kernel maintainers, prompting backlash and discussions about political influences on open-source development. Find out more. (.ru domain)
Insights from the Cybersecurity Community
Amazon's Threat Intelligence Unit: Amazon's once-secretive unit has revealed its successes against cyber threats, including disrupting Anonymous Sudan's activities and uncovering disinformation campaigns. Find out more.
Bugbounty
Apple Bug Bounty: Apple is offering up to $1 million for researchers who can successfully hack its intelligence servers. Find out more.
📰 Reports
Tech and Politics
Polymarket's Election Betting Under Scrutiny: The prediction site Polymarket currently gives Donald Trump a strong 66.1% chance of winning the U.S. presidential election, but its reliability is in question. New findings suggest that up to a third of Polymarket’s trades involve "wash trading," where manipulative practices inflate trading volume, casting doubt on the accuracy of its predictions. Find out more.
Vladimir Putin has Elon Musk by the ear: Reports reveal Elon Musk’s frequent communications with Vladimir Putin, allegedly including discussions that align with limitations on Starlink internet for Ukraine and potential ties to China's interests. This unusual connection between Musk and Putin is raising eyebrows in the U.S. government, particularly for national security officials. Find out more.
Fake Election Video Exposes Russian Disinformation: U.S. intelligence officials have attributed a fake video of a Haitian immigrant claiming to have voted multiple times for Kamala Harris to Russian disinformation efforts. Georgia Secretary of State Brad Raffensperger called the video "obviously fake," highlighting it as part of a broader Kremlin strategy to undermine the upcoming election on November 5. Researchers identified the Russian propaganda network Storm-1516 as a key player in disseminating misleading content aimed at creating voter division.
Espionage & Counterintelligence
SpaceX's Secret Spy Satellite Network: SpaceX is working with the U.S. National Reconnaissance Office on a $1.8 billion project to develop a network of spy satellites, significantly enhancing U.S. global surveillance capabilities. Find out more.
Chip Engineer Arrested in China on Espionage Charges: A South Korean chip engineer has been detained in China under expanded espionage laws, escalating tensions over intellectual property and technology security between the two nations. Find out more.
North Korean Soldiers Allegedly Spotted in Ukraine: South Korea's National Intelligence Service has reportedly identified North Korean soldiers on the Russian-Ukrainian front using AI facial recognition, suggesting North Korea’s involvement in missile support. Find out more. (.kr domain)
EU Pushes for Unified Intelligence Agency: Former Finnish President Sauli Niinistö calls for a centralized EU intelligence agency to counteract espionage and sabotage, aiming to strengthen the bloc’s defenses amid growing external threats. Find out more.
India Accused of Cyber Surveillance on Sikh Activists in Canada: Canada’s Communications Security Establishment warns that India is using cyber capabilities to track Sikh separatists abroad and has intensified cyber-attacks on Canadian government networks amid rising diplomatic tensions. Find out more.
Apple's Threat Notifications: Apple continues to issue notifications to users potentially targeted by mercenary spyware, indicating a growing sophistication in individual-targeted attacks. Find out more.
SOCMINT
Reddit has never been profitable — until now: Reddit reports its first profit at $29.9 million for Q3, with revenue reaching $348.4 million, a 68% year-over-year increase. Daily users grew to 97.2 million, aided by new advertising deals and data licensing. CEO Steve Huffman attributes Reddit's user growth to an AI-powered translation feature, which will expand to over 30 languages by 2025, enhancing accessibility and engagement.
Meta's Ad Challenges: Meta faces backlash for failing to block misleading political ads on Threads, which exploited users’ personal data through deceptive AI-generated content, raising concerns about its content moderation efforts.
Innovative App Concept: A proposal suggests combining Google Maps with Wikipedia to create an app that displays noteworthy Wikipedia entries based on users' locations, merging valuable resources for enhanced exploration.
Concerns Over Chinese Influence on Reddit: The ban of the subreddit “real_China_irl” has raised alarms about potential Chinese influence on Reddit, particularly given Tencent's significant ownership stake and its history of censorship in China.
Threads Recently Reached 275M Users, and Now Cybercriminals Are Leaking Credit Card Data on Threads: The leaked data includes names, card numbers, and addresses, while promoting scams that redirect users to Telegram. Despite Meta's efforts to remove such content, many malicious accounts remain active, raising concerns about identity theft and fraud.
#StravaLeaks: A juicy OSINT investigation video by the French newspaper Le Monde shows that U.S. Secret Service agents are leaking sensitive security information about presidents via the app.
LinkedIn is Killing Off Those Celebratory Post Templates: The main reason behind this update is to streamline the user experience on LinkedIn. By retiring less-used templates, LinkedIn encourages more organic, personalized posts that better highlight meaningful professional moments. Users can still share team accomplishments, welcome new colleagues, or showcase skills, but with their own custom posts, images, and videos rather than using pre-set templates. LinkedIn has notified users who have previously posted with the soon-to-be-retired templates, informing them that these posts will be removed from their profiles within the next month.
OSINT
Tools
JustDeleteMe is a straightforward yet incredibly useful tool that provides direct links and instructions to help you delete your online accounts.
Vulnhuntr: Introducing a powerful tool for identifying remotely exploitable vulnerabilities through LLMs and static code analysis—featuring the world’s first autonomous AI-discovered zero-day vulnerabilities.
Annual Scrapped Ships Report: The yearly report on scrapped ships compiles data from a variety of sources, cross-checked and made publicly available. Readers can refer to the glossary for detailed explanations of figures and methodology used.
Google Updates
Malicious Chrome Extension Discovered
The popular "Hide YouTube Shorts" Chrome extension, with over 100,000 installs, has turned malicious, engaging in affiliate fraud and collecting users' browsing history after being transferred to a new developer.
New SAIF Risk Assessment Tool
Google has launched an interactive tool called the SAIF Risk Assessment, designed to help users evaluate and manage their security risks.
Vulnerability Discovered in Chromium
Security researcher ading2210 identified vulnerabilities in the Chromium web browser that enabled a sandbox escape via a browser extension, earning a $20,000 reward from Google for the report.
Darknet
In recent days, 🇵🇪 Peru has been targeted by multiple data leak allegations, reportedly by a single threat actor known as Gatito_FBI_NZ:
Claro Peru: Gatito_FBI_NZ claims to have leaked data for 15 million Claro Peru users, impacting claro.com.pe. Allegedly, the breach exposed cell phone records. More details on BreachForums.
SIDPOL System, National Police of Peru (PNP): The same threat actor is linked to a reported breach in SIDPOL, a database within Peru’s National Police, exposing law enforcement data. More details on BreachForums.
RENIEC (National Registry of Identification and Civil Status): Data on 32 million citizens was reportedly leaked, including personal information such as names, birthdates, and addresses. The breach allegedly affects reniec.gob.pe. More details on BreachForums.
Banco de Crédito del Perú (BCP): Limited information is available on this breach; however, a connection to the same threat actor is possible.
Interbank Data Breach Confirmed: Peru’s Interbank has reported a data breach after a hacker leaked customer information online. Following the failed extortion attempt, Interbank reassured clients that deposit security remains intact and most services are restored. The leaked data, reportedly sold online by the hacker “kzoldyck,” includes customer personal details, account information, and credit card data.
Europol Shuts Down Ghost Platform: In September, the Ukrainian police and security officers from nine countries dismantled the Ghost platform, an encrypted communication service used by criminals for drug trafficking and money laundering. The operation, ongoing since March 2022, resulted in 51 arrests and the seizure of €1 million, weapons, and a drug lab in Australia. It's believed that administrator Jay Je Yoon Jung launched the criminal enterprise nine years ago, amassing millions in illegitimate profits before being apprehended at his home in Narwee.
Upcoming CyberSec / OSINT Events
Free Webinars
How to Write a Killer Intelligence Report
Join Grey Dynamics on November 6th at 5:00 PM UTC. Learn to create decision-driven reports, present assessments confidently, and utilize visual tools to clarify complex data.
Threat Hunting: Tools and Techniques for 2025
Mark your calendar for a live webcast on December 3rd at 12:00 PM ET, focusing on advanced threat hunting strategies for 2025. Discover the latest trends, detection techniques, best practices, and innovative solutions to enhance your cybersecurity defenses.
🙃Bonus
Bailey Marshall (another Switchfires) is launching a FREE course titled Outsmart Phishers: Understanding Email Headers! Don’t miss out on this opportunity; get on the waitlist now: Join the Waitlist.
What You’ll Learn:
Understand different types of phishing scams and how to avoid them.
Spot phishing attempts through email analysis, language cues, and more.
Analyze email headers and metadata with TWO BONUS lessons on:
Using forensic tools to investigate phishing incidents
Analyzing malicious links and attachments