December 2023 in the cybersecurity world was marked by a series of significant developments, reflecting the ever-evolving nature of cyber threats and the continuous efforts to counter them. The month saw a range of events, from Microsoft's response to malware abuse of one of its installer features to landmark legislative progress in the EU on the challenges of AI and cybersecurity. Let's quickly go over some of the key topics.
Microsoft Disables MSIX App Installer Protocol Exploited Widely in Malware Attacks
Microsoft has made a significant security change by disabling the ms-appinstaller protocol handler in its App Installer. The decision was taken because cybercriminals were exploiting this handler to spread malware, in some cases leading to ransomware attacks. The ms-appinstaller protocol handler was designed to make installing apps easier, but attackers turned it to harmful purposes: they created malicious app packages that appeared legitimate and distributed them through channels such as Microsoft Teams and deceptive online advertisements. These advertisements often mimicked popular software, luring users into downloading harmful content.
To combat this threat, Microsoft has updated the App Installer to a newer version (1.21.3421.0 or higher), where the ms-appinstaller protocol handler is turned off by default. This change aims to close the loophole that attackers were exploiting and is a proactive step by Microsoft to enhance the security of its users by preventing the distribution of malware through this method.
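One check an administrator can run after reading the above is whether the installed App Installer is at or above the version the article cites. The script below is an added example, not Microsoft's own tooling; it assumes the Microsoft.DesktopAppInstaller package (the package that ships App Installer) and the 1.21.3421.0 threshold quoted above.

```powershell
# Added example (not from the article): report whether App Installer is at or
# above 1.21.3421.0, the version from which the ms-appinstaller protocol
# handler is turned off by default according to the article.
function Test-AppInstallerHardened {
    [CmdletBinding()]
    param(
        # Threshold version quoted in the article.
        [version]$MinimumVersion = [version]'1.21.3421.0'
    )

    # Microsoft.DesktopAppInstaller is the Store package that ships App Installer.
    # Without elevation Get-AppxPackage reports only the current user's packages.
    $pkgs = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        return [pscustomobject]@{
            Installed = $false
            Version   = $null
            Hardened  = $false
            Note      = 'App Installer package not found for this user'
        }
    }

    foreach ($pkg in $pkgs) {
        $v = [version]$pkg.Version
        $ok = $v -ge $MinimumVersion
        [pscustomobject]@{
            Installed = $true
            Version   = $v
            Hardened  = $ok
            Note      = if ($ok) { 'ms-appinstaller handler off by default' }
                        else     { 'Below fixed version: update App Installer' }
        }
    }
}

# Report only; remediation is a Store/Intune update of the package.
Test-AppInstallerHardened | Format-Table -AutoSize
```

Run it elevated with `Get-AppxPackage -AllUsers` substituted in the function if you need a machine-wide view rather than the current user's.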
Operation Triangulation Targets Apple iOS Devices
In a recent revelation, a highly complex and sophisticated spyware attack known as "Operation Triangulation" has been identified targeting Apple's iOS devices. The attack is particularly alarming because it managed to bypass the hardware-based security features Apple is known for. It was discovered by the Russian cybersecurity firm Kaspersky, which was itself one of the targets and considers this the most intricate and advanced attack chain it has ever seen. Active since 2019, the campaign exploited vulnerabilities in Apple's system that had not been exploited before.
The attack begins with a seemingly harmless iMessage that contains a malicious attachment. This is a “zero-click” attack, meaning it doesn’t require any action from the user, like clicking a link, to activate. The spyware then silently works to gain extensive control over the device, bypassing security measures to gather sensitive information. It achieves this by chaining together four previously unknown flaws (zero-day flaws) in iOS, allowing the attackers to deeply infiltrate and plant spyware in devices up to iOS version 16.2. This level of access and the method of execution make it a particularly dangerous and stealthy form of cyber espionage.
Carbanak Banking Malware Resurfaces
Carbanak, a notorious banking malware, has recently made a comeback with a twist in its operations. Previously known for targeting banks, Carbanak has now been spotted in ransomware attacks. This change in strategy was noted in the November 2023 ransomware attacks analyzed by the cybersecurity firm NCC Group. They observed that Carbanak has evolved, now incorporating new methods and techniques to enhance its effectiveness in cyberattacks.
What’s new with Carbanak is how it’s being spread. The malware has been distributed through compromised websites, cleverly disguised as various business-related software programs. It mimics popular tools like HubSpot, Veeam, and Xero, tricking users into downloading it. Carbanak, active since at least 2014, is known for its abilities to steal data and remotely control infected systems. Originally a banking malware, it has been associated with the FIN7 cybercrime syndicate, a group known for targeting financial institutions. This shift to ransomware tactics marks a significant evolution in its use, making it more threatening to a broader range of targets.
EU Negotiators Come To Agreement on EU AI Act
The European Union has made a significant step forward with the agreement on the EU Artificial Intelligence (AI) Act. This act is a comprehensive set of rules to manage the development and use of AI within the EU. A key aspect of this agreement is the distinction between different types of AI models, categorized into two types: high impact and low impact. High impact models, due to their potential significant influence or risk, are subject to strict regulations.
These regulations include the requirement to conduct thorough evaluations of the models, assess and reduce systemic risks, perform adversarial testing, report serious incidents to the European Commission, ensure robust cybersecurity measures for the data used by these models, and also report on the energy efficiency of the models. The enforcement of the AI Act will not start immediately; it is expected to begin two years after the act is officially passed, which is projected to be around 2026.
Interpol Says Trafficking For Cyber Scams Is Expanding Globally
Interpol recently conducted its first major operation specifically targeting a growing global issue: human trafficking being used to fuel online fraud schemes. During this operation, which took place over four days in mid-October, Interpol carried out over 270,000 inspections across 450 locations known for human and migrant trafficking activities. The troubling trend they’re addressing involves human trafficking victims being deceived with false promises of high-paying jobs in foreign countries. Once these individuals arrive, they are forced by traffickers to engage in online scams.
This issue has been particularly prevalent in Southeast Asia, where Chinese criminal organizations have expanded into countries like Cambodia and Myanmar. These groups use a mix of corruption and violence to operate their scamming activities, largely beyond the reach of law enforcement. However, Interpol’s recent findings indicate that this practice is not confined to Southeast Asia. The operation revealed the spread of these criminal activities to other regions, such as Peru, where over forty Malaysian victims of human trafficking were rescued from being compelled to commit online fraud. This expansion highlights the global scale of the problem and the need for continued international efforts to combat these criminal networks.
ALPHV Blackcat Employs New Ransomware Tactics
ALPHV Blackcat, a notable ransomware group, has evolved its tactics in carrying out cyber attacks. Instead of just using ransomware, they now also engage in phishing and compromising accounts to steal data and extort money from their victims, without necessarily deploying ransomware. This means they can gain control over a victim’s data and then demand money for not releasing or misusing it.
Recently, ALPHV Blackcat released an updated version of their ransomware, dubbed "ALPHV Blackcat Ransomware 2.0 Sphynx." This new version comes with enhanced capabilities, such as better evasion of security defenses and additional tools for the affiliates who carry out the attacks. It is capable of targeting Windows and Linux devices as well as VMware instances. The FBI reports that ALPHV Blackcat affiliates have attacked over 1,000 entities worldwide, with about 75% of these attacks occurring in the United States. The group has demanded over $500 million in ransoms and has received nearly $300 million in payments. This widespread impact underlines the serious threat posed by this ransomware group. The full advisory is available on the Cybersecurity & Infrastructure Security Agency (CISA) website.
2023 Is A Record Year for Ransomware
2023 has been a record-breaking year in terms of ransomware attacks, highlighting a growing cybersecurity threat worldwide. According to research by NCC Group, by the end of November 2023, there were 4,276 ransomware attacks globally, which is more than double the number from the previous year. And this count doesn’t even include the data for December.
In addition to the increase in ransomware attacks, a significant number of new vulnerabilities were discovered this year: over 26,000, according to Qualys researchers. However, only a small fraction of these, around 7,000, were considered high risk, and fewer still, 206, had weaponized exploit code available. These particular vulnerabilities are of special concern to information security professionals because they are the ones most likely to be exploited. Notably, over 32% of these critical vulnerabilities affected network infrastructure or web applications, areas that require urgent patching or mitigation. The average time to exploitation this year was 44 days, but some vulnerabilities were exploited the same day they became public.
To conclude, December 2023 serves as a reminder of the dynamic and challenging cybersecurity environment we navigate. It stresses the importance of continuous learning, adaptation, and collaboration among cybersecurity professionals, organizations, and governments to protect digital assets and maintain trust in our technology-driven world.