Security News

A U.S. senator revealed today that government agencies worldwide demand mobile push notification records from Apple and Google users to spy on their customers. Data collection through this method helps link devices to Apple or Google accounts and may also allow access to unencrypted notification content, including text displayed on the receiving smartphone.

Fancy Bear, the Kremlin's cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets - like government, defense, and aerospace agencies in the US and Europe - since March, according to Microsoft. The US and UK governments have linked this state-sponsored gang to Russia's military intelligence agency, the GRU. Its latest phishing expeditions look to exploit CVE-2023-23397, a Microsoft Outlook elevation of privilege flaw, and CVE-2023-38831, a WinRAR remote code execution flaw that allows arbitrary code execution.

The U.S. Cybersecurity and Infrastructure Security Agency is warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion identified as CVE-2023-26360 to gain initial access to government servers. The security issue allows executing arbitrary code on servers running Adobe ColdFusion 2018 Update 15 and older, and 2021 Update 5 and earlier.

Iran-linked cyber thugs have exploited Israeli-made programmable logic controllers used in "Multiple" water systems and other operational technology environments at facilities across the US, according to multiple law enforcement agencies. The gang did not need sophisticated tactics to run this attack: the joint advisory suggests Cyberav3ngers likely broke into US-based water facilities by using default passwords for internet-accessible PLCs. The alert was issued just days after CISA said it was investigating a cyberattack against a Pennsylvania water authority by the IRGC-backed crew, which forced operators to switch a pumping station to manual control.

Iran-affiliated attackers CyberAv3ngers continue to exploit vulnerable Unitronics programmable logic controllers, US and Israeli authorities have said in a joint cybersecurity advisory. CyberAv3ngers targeting Unitronics PLCs. CISA has recently confirmed that Iran-affiliated attackers took over a Unitronics Vision Series PLC at a water system facility in Pennsylvania, and urged other water authorities to promptly secure their Unitronics PLCs. The agency has advised them to change the default password and port used by the PLC, disconnect it from the open internet or secure remote access by using firewall, VPN and multi-factor authentication, create configuration backups, and update the PLC/HMI to the latest available version.

The U.S. Department of Health and Human Services warned hospitals this week to patch the critical 'Citrix Bleed' Netscaler vulnerability actively exploited in attacks. "The Citrix Bleed vulnerability is being actively exploited, and HC3 strongly urges organizations to upgrade to prevent further damage against the Healthcare and Public Health sector. This alert contains information on attack detection and mitigation of the vulnerability," HC3 warned.

A ransomware infection at a cloud IT provider has disrupted services for 60 or so credit unions across the US, all of which were relying on the attacked vendor. This is according to the National Credit Union Administration, which on Friday told The Register it is fire-fighting the situation with the credit unions downed this week by the intrusion.

A novel malware named 'Agent Raccoon' is being used in cyberattacks against organizations in the United States, the Middle East, and Africa. Agent Raccoon is a.NET malware disguised as a Google Update or Microsoft OneDrive Updater that leverages the DNS protocol to establish a covert communication channel with the attackers' C2 infrastructure.

Another member of the Trickbot malware crew now faces a lengthy prison sentence amid US law enforcement's ongoing search for its leading members. Russian national Vladimir Dunaev, 40, faces a maximum sentence of 35 years in prison for his involvement in the now-shuttered Trickbot malware, which was often used to deploy ransomware.

The Treasury Department's Office of Foreign Assets Control has sanctioned the North Korean-backed Kimsuky hacking group for stealing intelligence in support of the country's strategic goals. OFAC has also sanctioned eight North Korean agents for facilitating sanctions evasion and supporting their country's weapons of mass destruction programs.