VM#006

Hi Everyone,

Let's check last week's roundup of the latest cybersecurity news, reports, and tools.

Cybersecurity News

  • Microsoft enhances email security with spoofing alerts: Microsoft Exchange now flags emails with spoofed addresses, addressing a vulnerability (CVE-2024-49040) in P2 FROM header verification. This update prevents attackers from exploiting the flaw to display forged sender information in email clients like Outlook. Find out more.

  • Romanian intelligence service says bot farms active ahead of presidential election: The SRI detects bot farm activities during the presidential elections but rules out foreign interference. Romania’s presidential election will be held on November 24, with a likely runoff scheduled for December 8. Find out more.

Vulnerabilities & Exploits & Hacks

  • Schneider Electric ransomware attack: HellCat ransomware demands $150,000 after compromising project tracking platforms. Find out more.

  • Snowflake hack of AT&T records: Hackers stole 50 billion records and extorted $2.5 million from victims. The US government has accused two individuals of breaching 10 major companies, stealing their sensitive data, and then either extorting the firms for money, or selling the stolen data on the dark web. Among the victims is, most likely, AT&T, the American telecommunications powerhouse. Find out more.

    • A while ago, I came across a tool called YetiHunter: an open-source solution for detecting and hunting suspicious activity in Snowflake.

  • Fake IP checkers on npm: Sonatype finds three malicious packages infecting developers with cryptocurrency stealers. Find out more.

Threat Hunting & Malware

  • Research on Kubernetes privileges: New research reveals how Kubernetes privileges can be exploited to gain unauthorized cluster access. Find out more.

  • Doppelganger Investigation Reveals Links to Russian Ministry of Defense: The Russian disinformation campaign known as Doppelganger, which spread fake websites to promote propaganda, has largely been disrupted. An investigation by Qurium and Correctiv uncovered an OPSEC mistake in the campaign’s infrastructure, revealing ties to the Russian Ministry of Defense. Researchers traced login details to IPs managed by Voentelekom, a government-owned Russian ISP. The group also used the VexTrio cybercrime platform to redirect legitimate website visitors to their propaganda pages. Furthermore, Doppelganger had been using doppelganger domains (fake domains resembling legitimate ones, such as spiegel.ltd mimicking the legitimate spiegel.de) to deceive users. Find out more.

Other Notable Events

Acquisitions:

  • Snyk acquired AppSec testing company Probely.

  • Bitsight acquired threat intelligence provider Cybersixgill in a $115 million deal.

  • Malwarebytes acquired AzireVPN to enhance its VPN services.

📰 Reports

  • 2025 Cybersecurity Forecast: Google Cloud Security has released its cybersecurity forecast for 2025. The report explores emerging threats and resilience strategies. Report.

  • FalconFeeds Q3 2024 Cyber Threat Report: Key threats in Q3 2024 included DDoS attacks, data breaches, and ransomware, significantly impacting government, technology, and education sectors. The report provides an in-depth analysis of attack patterns and ransomware group activity across Europe, the Middle East, and Asia. Report.

  • 2023 Top Exploited Vulnerabilities: A joint report from the FBI, Australian Cyber Security Centre (ASD ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), CERT NZ, and the UK’s National Cyber Security Centre (NCSC-UK). The report emphasizes the ongoing threat posed by these vulnerabilities and underscores the importance of timely patching and proactive security measures. Report.

Espionage & Counterintelligence

  • Trump's Nomination of Tulsi Gabbard as Intelligence Chief Sparks Concerns: Trump's nomination of Tulsi Gabbard as intelligence chief sparks concern among security experts due to her perceived pro-Russia stance and lack of intelligence experience. Find out more.

  • Suspected Russian 'spy whale' found dead off Norway, possibly shot. Find out more.

  • Russian spy ship escorted away from area with critical cables in Irish Sea: The Royal Navy is actively monitoring the Russian spy ship Yantar, which has been loitering in the Irish Sea near critical subsea cables, prompting heightened surveillance from both British and Irish military forces. Find out more.

  • Russian consulate that was closed for espionage continues to work secretly in Bulgaria's Varna: A Russian consulate in the Bulgarian city of Varna, which was closed by the authorities for espionage in 2022, is still operating secretly at the premises of the pro-Russian Bulgarian Socialist Party (BSP). Dnevnik published an example of the secret operations in Varna. On October 21, a Facebook user asked in a group of Russian-speaking citizens living in Varna how to register online to obtain documents from the Russian consulate. Another user replied that there would be a consular reception in Varna the next day and left the details of a contact person, Marina Nacheva, leader of the Russian Club in Varna. Another post gives the exact address where the consulate operates, notes that this is the BSP’s building, and provides a WhatsApp channel for registering for consular services. Find out more.

  • Germany Arrests U.S. Citizen for Alleged Espionage: The suspect, who had worked for U.S. forces in Germany, is accused of attempting to share sensitive military information with Chinese state entities in 2024. Find out more.

AI

  • Meta Enables AI Innovation for U.S. Government: Meta is providing its open-source Llama AI models to U.S. government agencies and contractors involved in national security, fostering the responsible use of AI. Meta partners include Accenture, Amazon, IBM, Lockheed Martin, and others. Find out more.

SOCMINT

  • Is TikTok Banned in the USA Starting Jan 19, 2025? In the past few days, there’s been a lot of buzz about whether TikTok is getting banned next year. The proposed law targets TikTok and its hosting companies, not individual users. Although accessing TikTok may become more difficult, users will not face penalties. The law is set to take effect on January 19, 2025, but it allows for a one-time 90-day extension if ByteDance (ByteDance Valued Itself at $300 Billion) demonstrates progress toward divestment. Civil fines will be imposed through actions pursued by the Attorney General in civil courts. While the law is scheduled to take effect on this date, TikTok is challenging it in the Court of Appeals, and a judge could delay enforcement depending on the resolution of constitutional issues. For more details, see the court case.

  • 🦋 Bluesky: With the rapid increase in Bluesky users this week, I’ve compiled a LinkedIn post with advanced search tips and OSINT tools to help users navigate the app more effectively. By September, the platform had already reached 10 million users globally, and after the U.S. election week, it surged to over 14.5 million, with 1.25 million new users in just one week.

  • How to Search for WhatsApp Groups via Google: I use this dork, and it works great for finding WhatsApp groups.
    To find WhatsApp groups through Google, use the dork: site:google.com + {keyword} + "chat.whatsapp.com". Replace google.com with any website, such as facebook.com, and specify keywords for targeted searches, especially for illicit groups. You can also refine searches with time filters, such as the last 24 hours.

OSINT

In the past few weeks, I have been mainly working with Telegram, so this time we will focus on the tools that help speed up my work.

Tools

  • Chinese Telegram Index: I found interesting groups with illicit information through it. Check it here.

  • Wayback Machine Telegram Search: You can search over 630 million Telegram web pages using the Wayback Machine’s Telegram Web Archive Collection. It’s built from anchor text, file names, URLs, MIME types, HTTP status codes, and full page text. Start searching here.

  • GetChatListBot: Telegram Group Finder: GetChatListBot is a free Telegram bot that helps you find groups linked to a specific username.

  • Telemetry: Telegram Search and Analytics
    Telemetry allows users to search public Telegram messages, channels, and groups using multiple keywords and Boolean logic. It also provides channel and group analytics.

  • TGStat: Largest Telegram Channels & Groups Catalog
    TGStat offers the largest catalog of over 1.9 million Telegram channels and groups, classified by country, language, and category. It provides real-time updates on the latest posts.

  • Webinar: Extracting Data from Signal with Paliscope
    Last Friday, my friend Valdemar hosted a webinar demonstrating how to extract and analyze data from Signal using Paliscope Explore. The Paliscope tool also has a free CE version. Topics included decrypting local chat data, importing it into Paliscope, and investigating Signal groups for detailed insights such as phone numbers, names, aliases, and time and date. If you missed it, request the video by visiting Paliscope's website. It will be out very soon.

Google Updates

  • "Web" Filter on Google Search: The filter focuses on text-based link results, filtering out multimedia content to provide more relevant information, such as technical details, code, or security vulnerabilities, enhancing search specificity. How to find it:

  • Political Ad Ban in the EU: Google announced it will cease serving political ads in the EU starting next year due to compliance challenges with the bloc's transparency regulations.

  • Google Translate Expands: Last June, Google announced 110 new languages for Google Translate, which are now fully available.

  • Google Privacy Sandbox Concerns: The UK's CMA released an assessment of Google’s Privacy Sandbox, citing ongoing competition concerns.

  • Google Index Tips for Investigation: Use advanced search operators such as filetype:log site:[target website] to find technical details for investigative purposes.

Other Notable Event

  • Date: November 16, 2024, Mr. Hamza Targets Interpol's Website: According to their Telegram channel (@blackopmrhamza), a group called Mr. Hamza, likely Moroccan, claimed responsibility for a DDoS attack on the Interpol website (interpol.int). The Telegram channel was created a month ago. In the preceding days, the following websites were attacked:

    • German Federal Intelligence Service (Bundesnachrichtendienst - BND)

    • Croatian Security and Intelligence Agency (Sigurnosno-obavještajna agencija - SOA)

    • Danish Security and Intelligence Service (Politiets Efterretningstjeneste - PET)

    • Czech Security and Intelligence Service (Bezpečnostní informační služba - BIS)

    • Swedish Security Agency (Säkerhetspolisen)

    • French General Directorate for External Security (DGSE)

    • Italian Carabinieri and Italian Ministry of Defense

    • US Air Force (USAF)

Upcoming CyberSec Event

Free

  • Upcoming Webinars:

    • Snapchat Law Enforcement Summit: Free training for active U.S. law enforcement on supporting investigations. Join here.

  • On-Demand Event:

    • Bellingcat's 10-Year Anniversary Event: Watch recordings from the Day 1 & Day 2 online event, BellingFest.

  • SANS Holiday Hack Challenge 2024: Engage in a series of fun, immersive cybersecurity challenges from Nov 7 to Dec 2. Choose between easy and hard modes for skill development. Explore here.

🤑 Black Friday Deals

🙃Bonus

I recently took part in my favorite CTF organized by the Japanese community. The level is always super high. When I first joined 5 years ago, I couldn't solve any challenges, but each year I’ve been solving more and more. This is my yearly checkpoint—it's a chance for me to see how much my skills have improved and figure out where I still need to get better.

The challenge below was one of the lower-scoring ones, and I solved it in a few seconds. I know it might be easy for some of you, but for others, it could be more difficult. I’m curious how you’d approach it and what the correct answer is.

What is gov.ru's tax payer ID?

Share your thoughts, and I’ll include the answers in the next newsletter so we can all learn from each other!