Everything really important from the hacker and cybersecurity scene

16 September 2022, by Horst Buchwald

Berlin, 9/16/2022

A hacker group known as GhostSec claims to have penetrated more than 55 Berghof programmable logic controllers. Programmable logic controllers (PLCs) are used in manufacturing and represent a crucial technological aspect of the production chain. The group claims it represents a politically motivated ideology.

GhostSec has been active since 2015 and recently stated publicly that it supports Ukraine against Russia. It said it had already launched several hacking campaigns against Russia.

GhostSec also claims to have conducted another attack on Israel’s water systems. According to the group, it gained access and could have changed the chlorine and pH levels, but decided against it to protect innocent citizens.

Israel has been the target of numerous cyberattacks this year. In early 2022, many government websites were attacked with DDoS attacks to overload their servers.

The U.S. has recently shared information with Israel on a number of cybersecurity-related events. The two countries are reportedly helping each other with information to prevent imminent cyberattacks that could come from foreign state-sponsored threat actors.

Twitter’s former chief security officer, Peiter Zatko, told Congress that the company’s executives were ignoring security risks for their own benefit.

Zatko was hired in 2020 to oversee cybersecurity at the company, but was fired shortly after due to a management decision.

Zatko has publicly criticized Twitter for ignoring security protocols and allegedly putting users at risk.

The programmer filed a 90-page whistleblower complaint after agreeing to a $7 million settlement with Twitter in June 2022.

Zatko, meanwhile, has testified before Congress, alleging that Twitter tolerated unlawful conduct by its employees, ignored security recommendations, and allowed data to be stolen by foreign authorities.

U.S. senators who heard the testimony said they will address this issue by creating legislation that matches the importance of this issue.

Elon Musk has used Zatko’s claims to bolster his arguments in his legal battle with Twitter, as the Tesla CEO has publicly stated that he intends to withdraw his takeover bid for the social media app.

A former Twitter employee has already been found guilty of espionage.

Cybersecurity company Celerium has acquired Dark Cubed. The latter provides security threat detection through its SaaS platform for small and medium-sized businesses and U.S. government contractors.

The software can be used by customers within minutes, with no download or staff required to operate it.

Celerium acquired the company for an undisclosed amount.

With the acquisition, Celerium is shifting its focus from enabling cyber threat sharing to active cyber defense. The Dark Cubed solution will work with Celerium’s Cyber Defense Network suite to provide enhanced capabilities and features to Celerium’s customers and MSP partners working with Dark Cubed. In the coming months, Celerium will announce additional products, including planned enhancements to the Dark Cubed product and new active defense solutions.

Microsoft has released new security updates for its Windows 10 operating system. The updates fix more than 60 security vulnerabilities. They also address issues that carry security risk but are not classified as security patches. The updates are officially listed as KB5017308 and KB501731.

These updates affect versions 21H2, 21H1, 20H2 and 1809, but are not available for Windows 10 versions 2004 or 1909. Some of the issues that this update addresses are:

The ability for IT administrators to remotely manage voice-related features on a Windows 10 device and improved protection against ransomware.

Microsoft vulnerabilities have been abused by threat actors several times this year. A few weeks ago, a Microsoft OneDrive vulnerability was exploited by a Russia-based threat actor to penetrate targets.

Over 280,000 WordPress websites are affected by a cyberattack. The websites are being attacked via a vulnerability in the WPGateway plugin. The vulnerability is listed as CVE-2022-3180 and has a CVSS score of 9.8.

WPGateway is used to manage WordPress plugins via a central dashboard.

Wordfence says it has stopped more than 4.6 million attacks against more than 280,000 websites in the past month.

A few days ago, a WordPress vulnerability called BackupBuddy was disclosed by researchers. The vulnerability has affected over 140,000 users so far.

Hackers have also attacked WordPress websites with password-stealing Trojans and malware using heavily loaded JavaScript payloads that led to a DDoS attack.

CISA has ordered federal agencies to close recent vulnerabilities in Windows and iOS. The decision comes on the heels of Apple’s recent iOS update and Microsoft’s bug fixes.

While the number of bugs patched recently is high, CISA added two bugs to its list of vulnerabilities, CVE-2022-37969 and CVE-2022-32917.

The Windows bug was a zero-day flaw that would have allowed hackers to gain unauthorized system privileges by abusing the Windows Common Log File System driver.

For Apple, the flaw was the eighth it has had to fix this year, while the company has previously stated that CVE-2022-32917 may have been exploited in the wild.

CISA has uncovered more than 800 vulnerabilities in less than a year, a sign that hacking campaigns have increased since the start of the war in Ukraine.

The Russian hacking group Gamaredon is attacking the Ukrainian government. The group uses a specially developed malware variant as a threat vector to target defense agencies and officials.

The group uses LNK files, PowerShell and VBScript to gain initial access, while other malware is deployed after initial access. Gamaredon is also known as Actinium, Armageddon, Primitive Bear, Shuckworm and Trident Ursa.

The LNK files that the group uses to lure its victims are disguised as Microsoft Word files, a practice that researchers have repeatedly noted in many different hacking campaigns.

Once the LNK file is opened, a PowerShell script is executed. This script takes a screenshot of the user’s activities and creates a copy of it.

Other information that the malware can steal includes:

- Name of the computer.
- Serial number of the disk.
- Base64-encoded screenshot.

This malware also contains a new variant of information theft that was not present in previous Gamaredon attacks. Researchers believe that this variant belongs to the Giddome backdoor family, but no official reports have been published yet.
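As an added illustration (not part of the original article), the following Python snippet shows how a defender might hunt for the chain described above in process-creation telemetry: a PowerShell process started from the shell as a double-clicked LNK target would be, a command that captures the screen and Base64-encodes it, and a command that collects the computer name and disk serial number. The log format, field names and sample lines are constructed for this example and do not represent real telemetry.

```python
import re
from typing import Dict, List

# Constructed "key=value" process-creation lines (not real telemetry).
SAMPLE_LOG = r"""
ts=2022-09-16T09:01:02Z parent=explorer.exe image=winword.exe cmd="WINWORD.EXE /n C:\Users\u\Docs\report.docx"
ts=2022-09-16T09:03:10Z parent=explorer.exe image=powershell.exe cmd="powershell.exe -w hidden -ep bypass -File C:\Users\u\Desktop\invoice.docx.lnk"
ts=2022-09-16T09:03:12Z parent=explorer.exe image=powershell.exe cmd="powershell -c Add-Type -AssemblyName System.Windows.Forms; $g.CopyFromScreen(0,0,0,0,$s); [Convert]::ToBase64String($b); $env:COMPUTERNAME; (Get-CimInstance Win32_LogicalDisk).VolumeSerialNumber"
ts=2022-09-16T09:05:00Z parent=services.exe image=powershell.exe cmd="powershell.exe -File C:\Scripts\inventory.ps1"
"""

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def _lnk_powershell_launch(ev: Dict[str, str]) -> bool:
    # PowerShell spawned by explorer.exe (how a double-clicked LNK target appears),
    # hidden, encoded, or referencing a .lnk file on its command line.
    cmd = ev["cmd"].lower()
    return (ev["parent"].lower() == "explorer.exe"
            and ev["image"].lower() == "powershell.exe"
            and any(t in cmd for t in ("-w hidden", "-windowstyle hidden", "-enc", ".lnk")))


def _screenshot_base64(ev: Dict[str, str]) -> bool:
    # Screen capture followed by Base64 encoding, matching the stolen-data list above.
    return "CopyFromScreen" in ev["cmd"] and "ToBase64String" in ev["cmd"]


def _host_fingerprint(ev: Dict[str, str]) -> bool:
    # Computer name plus disk serial number collected in one command.
    cmd = ev["cmd"].lower()
    return "computername" in cmd and "volumeserialnumber" in cmd


RULES = {
    "lnk_powershell_launch": _lnk_powershell_launch,
    "screenshot_base64": _screenshot_base64,
    "host_fingerprint": _host_fingerprint,
}


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.strip().splitlines()) if m]


def detect(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per event that triggers at least one rule."""
    findings = []
    for ev in parse_events(log_text):
        hits = [name for name, rule in RULES.items() if rule(ev)]
        if hits:
            findings.append({"ts": ev["ts"], "image": ev["image"], "rules": hits})
    return findings
```

Running `detect(SAMPLE_LOG)` flags the hidden LNK-launched PowerShell and the screenshot/fingerprint command while leaving the Word document and the scheduled inventory script alone.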