Threat Intel Update
Cyber threat actors are constantly searching for new ways to identify and compromise victims, both individuals and organizations. Sometimes the mitigations put in place to prevent or better understand cyber attacks can be repurposed by a cyber threat actor for its own goals; one article in this week's newsletter highlights a case where a cyber threat actor reported its own attack.
The U.S. government is introducing several new programs and rules to better protect individuals from SIM swaps, a technique that threat actors can use in support of cyber attacks. The U.S. government is also seeking to strengthen the defenses of public institutions such as schools and libraries.
Rules that protect companies and individuals from cyber attacks can be viewed as one layer of a defense-in-depth approach to cybersecurity. Practicing defense-in-depth requires IT teams to protect and secure not only individual computers but the network as a whole, while also ensuring good cyber hygiene at the personal level, in order to protect the organization from a cyber attack.
Cyber Attacks & Vulnerabilities
Multiple Vulnerabilities Impacting Artificial Intelligence Infrastructure – The vulnerabilities impact platforms used for large language models such as Ray, MLflow, and ModelDB. Exploitation of the vulnerabilities could give cyber threat actors unauthorized access to AI models and potentially lead to further network compromise and theft of credentials. Dark Reading
Internet Activity from Bad Bots Estimated to Account for 73% of All Internet Traffic – The bad bots were linked to account takeovers, fake account creation, in-product abuse, and scraping, and were directed primarily against financial services and e-commerce sites. The growth in bad bot usage was linked to the increased availability of artificial intelligence tools and the growth of the crime-as-a-service ecosystem. When the bad bots were unsuccessful in carrying out malicious activity, fraud farms were used instead, with the majority of the fraud farms located in Russia, Vietnam, India, Brazil, and the Philippines. Security Week
Docker & MySQL Servers Targeted with Malware to Launch Distributed Denial-of-Service Attacks – In both cases, cyber threat actors scan for publicly accessible Docker and MySQL services to identify targets. Docker hosts are infected with OracleIV malware used to support DDoS attacks. MySQL servers are compromised by exploiting known vulnerabilities or weak credentials and then infected with “Ddostf,” a malware of Chinese origin. Security Week
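Both campaigns start from services that are reachable from the internet, so the quickest defensive check is a configuration audit. The script below is an added example for this newsletter, not code from the cited report: it parses a Docker daemon.json and a MySQL my.cnf fragment (both constructed samples) and flags the settings that expose the daemon without TLS client authentication or bind MySQL to every interface. The daemon.json keys (hosts, tlsverify) and the my.cnf options (bind-address, require_secure_transport, skip-grant-tables) are real Docker and MySQL settings; the file contents and paths are illustrative.

```python
"""Audit Docker and MySQL configuration fragments for network exposure.
Added example; the sample configurations below are constructed, not taken
from any incident."""
import json
import re
from typing import List

# Constructed: Docker API published on all interfaces over plain TCP.
# Port 2375 is Docker's conventional unencrypted API port.
DOCKER_DAEMON_JSON_WEAK = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: same daemon with TLS and client-certificate verification.
# Certificate paths are placeholders.
DOCKER_DAEMON_JSON_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed my.cnf fragments: one exposed, one restricted to localhost.
MYSQL_CNF_WEAK = """
[mysqld]
bind-address = 0.0.0.0
require_secure_transport = OFF
"""

MYSQL_CNF_HARDENED = """
[mysqld]
bind-address = 127.0.0.1
require_secure_transport = ON
"""


def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Return findings for a daemon.json document (empty list if clean)."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        # unix:// and fd:// listeners are local-only; only tcp:// is remote.
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(
                f"Docker API on {host} without tlsverify: "
                "anyone who can reach the port controls the daemon"
            )
    return findings


def _option(cnf: str, name: str):
    """Read a [mysqld]-style 'name = value' option, or None if absent."""
    m = re.search(rf"^\s*{name}\s*=\s*(\S+)", cnf, re.M | re.I)
    return m.group(1) if m else None


def audit_mysql_cnf(cnf: str) -> List[str]:
    """Return findings for a my.cnf fragment (empty list if clean)."""
    findings = []
    bind = _option(cnf, r"bind[-_]address")
    # MySQL 5.7/8.0 default bind_address is '*', i.e. all interfaces.
    if bind is None or bind in ("0.0.0.0", "::", "*"):
        findings.append(f"MySQL listening on all interfaces (bind-address={bind})")
    secure = _option(cnf, "require_secure_transport")
    if secure is None or secure.upper() in ("OFF", "0"):
        findings.append("MySQL accepts unencrypted client connections")
    if re.search(r"^\s*skip[-_]grant[-_]tables", cnf, re.M | re.I):
        findings.append("skip-grant-tables set: authentication is disabled")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", DOCKER_DAEMON_JSON_WEAK),
                       ("hardened", DOCKER_DAEMON_JSON_HARDENED)):
        print(f"docker ({label}):", audit_docker_daemon(doc) or "no findings")
    for label, doc in (("weak", MYSQL_CNF_WEAK), ("hardened", MYSQL_CNF_HARDENED)):
        print(f"mysql ({label}):", audit_mysql_cnf(doc) or "no findings")
```

The Docker check deliberately treats a TLS-verified listener on all interfaces as acceptable, since that is the documented way to run a remote daemon; the point is that a tcp:// host without tlsverify is an unauthenticated remote control interface. Run the same audit against the live config under /etc/docker and /etc/mysql, and pair it with an external port scan of your own ranges, because a clean file on disk says nothing about what a load balancer or cloud security group is forwarding.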
Cyber Fraud & Cyber Crime
Google Quiz Feature Exploited by Cyber Actors to Facilitate Bitcoin Scam – Cyber threat actors used the quiz feature to send victims a malicious email that directs them to a malicious website claiming the victim can collect approximately $46,000 in cryptocurrency. Victims then engaged with a live chat agent who collected their personal information and made them pay $64 in exchange for releasing the bitcoin. The Record
Dual National of Russia and Moldova Pleads Guilty to Operating Botnet Service – Sergei Makinin, a Russian and Moldovan national, pleaded guilty to operating a botnet between 2019 and 2022 that was used to infect thousands of devices around the world. Makinin then sold access to the infected devices for profit, making approximately $550,000. U.S. Attorney’s Office, District of Puerto Rico
Phishing-as-a-Service Provider BulletProofLink Disrupted by International Law Enforcement Operation – The operation provided phishing templates mimicking login pages of major banking and software brands. BulletProofLink launched operations in 2015 and operated on Telegram channels and multiple underground forums. The Hacker News
Cyber Policy & Geopolitics
Federal Communications Commission Proposing New Cybersecurity Program to Support Libraries and K-12 Schools – The pilot program would provide $200 million in funding to support the development of new firewall services for schools and libraries. The pilot will also collect data from schools and libraries regarding cyber attacks. The Record
SEC Complaint Filed by Ransomware Actor Alphv Against IT Company for Not Disclosing Cyber Attack – The Alphv ransomware group conducted a ransomware attack against MeridianLink, a U.S.-based company, in early November 2023. The company did not disclose the attack to the SEC, which recently announced that companies must disclose attacks within four days of suffering an attack. Security Week
Federal Communications Commission Looking to Enforce New Rules to Combat SIM Swapping – The rules would help to reduce the ability of threat actors to carry out SIM swapping. They would require telephone carriers to use secure methods to authenticate customers before a customer’s number is transferred to a new device or provider. Additionally, carriers would be required to notify customers immediately when a SIM change or port-out request is initiated, so that customers can act to stop fraudulent SIM swapping attempts. The Hacker News