
2023.03.21.News You Should Know

Silicon Valley Bank collapsed this month, causing the credit ratings of major banks to drop and another bank to fail. While a great deal of information about the collapse is available, we find it most interesting because threat actors are using it as a pretext for scam emails. These emails are sent to trusted third-party businesses asking them to update accounts payable or EFT details to threat-actor-controlled accounts.
E.g.: “Our SVB account isn’t good anymore, please use Threat Actor National Savings and Loan account 12345”

BreachForums owner “pompompurin” has been arrested and turns out to be 19-year-old Conor Fitzpatrick of Peekskill, New York.
BreachForums really made an impact after the rise and fall of RaidForums last year (when Raid caught the attention of the Feds after members breached InfraGard, the FBI/civilian information sharing group).
While BreachForums was still active, another admin, “baphomet”, found that after the arrest “pompompurin”’s account was still being used to access the servers running the forum. Fearing a government takeover of the site, the admins took the forum offline and decommissioned the infrastructure.

The Russian group Phoenix has begun attacking India’s Healthcare Ministry website in retaliation for the G-20’s oil price cap and other sanctions. Phoenix is a direct affiliate of Killnet, previously known for attacking American healthcare systems, German airports, NATO’s Türkiye-Syria earthquake relief efforts, etc.

Threat actors exploited Telerik vulnerabilities on US government servers over a period of three years while a CVE rated 9.8 out of 10 went unpatched. CISA has identified at least one Chinese state-actor infiltration and a secondary criminal threat actor accessing the servers. CISA notes that the breach could have been prevented had the organizations run services with least privilege, patched regularly, and regularly validated security tool configurations.

The SEC’s new cyber reporting requirements have been released and a 60-day comment window has opened. This would bring to the table the previously discussed breach rules, including a 4-day reporting window AND cumulative breach review and reporting.

Speaking of SEC rulings, Blackbaud Inc. will pay $3M to settle, without admitting fault, for failing to publicly disclose 2020 ransomware attacks that placed charitable donors’ unencrypted banking details in threat actor hands. The SEC noted that no rules were in place obligating the Incident Response team to disclose security incidents to the executive board.

On the topic of unintended consequences, the BianLian gang has ditched ransomware after Avast released a free decryption tool. BianLian now extorts companies outright, forgoing the encryption bit. Employees of companies that experience ransomware or extortion events may find themselves at risk of extortion as well: threat actors will often mine email and IM conversations to discover illicit or extramarital relationships, substance abuse, or behavioral or medical issues, then threaten to expose these individuals if payment isn’t provided.

Sophos X-Ops notes the return of Emotet. Emotet, previously one of the most widely used pieces of ransomware, is being found in malicious Word documents that execute malicious DLLs. Users should be cognizant of Word documents that require “Editing View” to open and of any documents from an unexpected contact.
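As an added example (not from the original post), the checks a mail gateway or analyst can run on a Word document before anyone clicks “Enable Editing”: Office files are ZIP containers, so embedded VBA and network-fetched relationships are visible without opening the file. The sample documents are constructed inline and the relationship type string is abbreviated.

```python
# Added example (not from the original post): flag Word documents that carry VBA
# macros or remote-template links. Sample documents are constructed inline.
import io
import re
import zipfile

MACRO_CT = "application/vnd.ms-office.vbaProject"


def inspect_office_doc(data: bytes) -> dict:
    """Return the indicators a mail gateway or analyst checks before opening."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = z.namelist()
    # A vbaProject.bin part means embedded VBA, whatever the file extension says.
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    # Relationships marked External (remote templates, linked objects) pull content
    # from the network at open time, the hook for "enable editing" lures.
    external = []
    for n in names:
        if n.endswith(".rels"):
            rels = z.read(n).decode("utf-8", "replace")
            for rel in re.findall(r"<Relationship\b[^>]*>", rels):
                if 'TargetMode="External"' in rel:
                    external += re.findall(r'\bTarget="([^"]+)"', rel)
    return {"has_vba": has_vba, "external_targets": external,
            "suspicious": has_vba or bool(external)}


def build_sample(with_vba: bool, external_target: str = "") -> bytes:
    """Construct a minimal .docx/.docm-shaped container for the demo (not a real lure)."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="xml" ContentType="application/xml"/>')
    if with_vba:
        ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CT}"/>'
    rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    if external_target:
        rels += (f'<Relationship Id="rId9" Type="attachedTemplate" '
                 f'Target="{external_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00 constructed placeholder, not VBA")
    return buf.getvalue()
```

A file with no `vbaProject.bin` can still be dangerous if it carries an external relationship, which is why both indicators feed the `suspicious` flag.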

Google has identified 14 security vulnerabilities in Samsung’s Exynos cellular modem firmware affecting a majority of Android phones. The first CVE (CVE-2023-24033) showed that phones could be remotely compromised without user interaction or physical access. Other CVEs are awaiting number assignment. Users should install updates as soon as they are available from Google, Samsung, or the carrier. Note: non-Samsung devices using the chipset are also affected.

Amazon has announced the next iteration of Amazon Linux with multiple security enhancements. Notably, Amazon Linux will ship with SELinux in permissive mode, OpenSSL 3, and the most recent version of the Instance Metadata Service, IMDSv2.
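To show what the IMDSv2 default buys you, here is an added example (not from the post or from Amazon) of the session-token exchange, run against a constructed in-memory stand-in for the metadata service so it works offline. The header names and `/latest/api/token` path are the real IMDSv2 interface; the instance id returned is a constructed placeholder.

```python
# Added example (not from the original post or Amazon's code): the IMDSv2
# session-token exchange against a constructed in-memory stand-in for the
# metadata service, so it runs offline. Header names and the token path are
# the real IMDSv2 interface; the instance id is a constructed placeholder.
TOKEN_TTL_HDR = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HDR = "x-aws-ec2-metadata-token"
INSTANCE_ID = "i-0123456789abcdef0"  # constructed placeholder


class FakeIMDS:
    """Stand-in for 169.254.169.254 configured with http-tokens=required."""
    def __init__(self):
        self.tokens = {}  # token -> expiry (in the fake clock's seconds)
        self.now = 0

    def request(self, method, path, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if path == "/latest/api/token":
            # Tokens are issued only to a PUT that names a TTL: a plain GET
            # relayed through a web application cannot obtain one.
            if method != "PUT":
                return 405, ""
            ttl = int(headers.get(TOKEN_TTL_HDR, "0"))
            if not 1 <= ttl <= 21600:  # IMDSv2 caps sessions at six hours
                return 400, ""
            token = f"tok{len(self.tokens)}"
            self.tokens[token] = self.now + ttl
            return 200, token
        token = headers.get(TOKEN_HDR)
        if token not in self.tokens or self.tokens[token] <= self.now:
            return 401, ""  # IMDSv1-style (tokenless) or expired requests are refused
        return 200, INSTANCE_ID if path == "/latest/meta-data/instance-id" else ""


def get_metadata_v2(imds, path, ttl=300):
    """Client side of the two-step flow: PUT for a token, then GET with it."""
    status, token = imds.request("PUT", "/latest/api/token", {TOKEN_TTL_HDR: str(ttl)})
    if status != 200:
        raise RuntimeError(f"token request refused with {status}")
    return imds.request("GET", path, {TOKEN_HDR: token})


def token_expiry_demo():
    """Same token before and after its TTL passes: returns the two status codes."""
    imds = FakeIMDS()
    _, token = imds.request("PUT", "/latest/api/token", {TOKEN_TTL_HDR: "60"})
    before = imds.request("GET", "/latest/meta-data/instance-id", {TOKEN_HDR: token})[0]
    imds.now += 61
    after = imds.request("GET", "/latest/meta-data/instance-id", {TOKEN_HDR: token})[0]
    return before, after
```

Any software on the instance that still issues bare IMDSv1 GETs will see the 401 path here, which is the compatibility check to run before enforcing tokens on existing fleets.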

And finally, Microsoft has patched an Outlook zero-day exploit that allows malicious code execution without user interaction. This exploit is an enhancement of previously reported Outlook attacks that required user interaction. Organizations should patch as quickly as possible or switch users to the unaffected Outlook web client at Office.com.
