Iranian Agrius Hackers Target Critical Infrastructure: A New Cybersecurity Threat
A new ransomware variant named Moneybird is being used by the Iranian threat actor Agrius in attacks against Israeli organizations. Agrius, formerly tracked by Microsoft as Americium (now Pink Sandstorm), is known for conducting destructive data-wiping attacks against Israel while disguising them as ransomware infections.
According to Microsoft, the threat actor is run by the Iranian Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. Agrius has reportedly been active since at least December 2020.
In a similar development, Proofpoint disclosed that MuddyWater had targeted local managed service providers (MSPs) in Israel as part of a phishing campaign intended to start supply chain assaults on their downstream clients.
The enterprise security company also highlighted the growing danger that sophisticated attack groups pose to small and medium-sized businesses (SMBs): such groups have been observed using compromised SMB infrastructure to run phishing campaigns and commit financial theft.
Read: https://thehackernews.com/2023/05/iranian-agrius-hackers-targeting.html
Israeli NSO Group’s elite spyware detected in active war zone for the first time
In 2021, Varuzhan Geghamyan, an assistant professor at Yerevan State University in Armenia, received a notification that his iPhone had been compromised by Pegasus, a sophisticated spyware created by the Israeli NSO Group that has been used to spy on and repress journalists, activists, and civil society groups. At the time, Geghamyan was mainly speaking about the ongoing conflict in Nagorno-Karabakh, a disputed territory that is internationally recognized as part of Azerbaijan but has since sought independence with the backing of Armenia.
In a joint investigation by Access Now, Citizen Lab, Amnesty International, CyberHub-AM, and independent security researcher Ruben Muradyan, Geghamyan and 13 other Armenian public officials—including journalists, former government workers, and at least one United Nations official—have been targeted by the elite spyware. Amnesty’s research previously found that more than 1,000 Azerbaijanis were also included on a leaked list of potential Pegasus targets. Five of them were confirmed to have been hacked.
“It was the first time that we have spyware use documented in a war like this,” says Natalia Krapiva, tech-legal counsel at Access Now.
Nagorno-Karabakh has been the site of ongoing violent clashes between Armenia and Azerbaijan since the fall of the Soviet Union. But in September 2020, these escalated into an all-out war that lasted for about six weeks and left more than 5,000 people dead. Despite a ceasefire agreement, clashes continued into 2021.
NSO Group has historically said it only licenses its products to governments, particularly law enforcement and intelligence agencies. Previous reporting has found that Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, Togo, and the United Arab Emirates were all likely NSO Group customers.
A Pegasus infection is a “zero-click” attack, meaning the victim doesn’t need to open a suspicious email or click a bad link. “There is no behavior that would have protected these people from this spyware,” says John Scott-Railton, senior researcher at Citizen Lab.
Read: https://www.wired.com/story/pegasus-spyware-war-zone-first-time
North Korean Entities Training Expat IT Workers in Russia Face US Sanctions
The US Treasury Department stated that the Technical Reconnaissance Bureau, situated in the DPRK, “operates several departments, including those affiliated with the Lazarus Group, and leads the DPRK’s development of offensive cyber tactics and tools.”
One such Chinyong office representative, Kim Sang Man, a North Korean citizen residing in Vladivostok, Russia, “is believed to be involved in the sale and transfer of computer hardware for the North Korean regime and, as recently as 2021, received digital currency transfers from IT teams located in China and Russia which were appreciated at more than $2m.”
The workers in question usually conceal their identities, locations, and nationalities and use falsified documents to apply for jobs. They have clandestinely worked in various industries, such as business, health and fitness, social networking, sports, entertainment, and lifestyle.
Read: https://www.infosecurity-magazine.com/news/us-sanctions-north-korea-entities
LinkedIn censorship controversy: Vivek Ramaswamy’s account locked and restored
Vivek Ramaswamy, a well-known biotech entrepreneur who recently entered the political arena as a presidential candidate, faced a minor setback on Thursday when his LinkedIn account was unexpectedly locked due to a violation of the platform’s rules.
LinkedIn, the professional networking platform owned by Microsoft, initially stated that Ramaswamy’s account had been restricted because he shared content that contained misleading or inaccurate information. The cause of the account lockdown was attributed to three specific video posts by the entrepreneur. The first video, uploaded in February, discussed the Biden administration’s approach to China and drew attention for its statement, “the CCP is playing the Biden administration like a Chinese mandolin,” leading to its flagging. Another video from February faced scrutiny for a comment suggesting concerns about shifting oil production from the United States to countries like Russia and China, which triggered its flagging. Lastly, a video from May was flagged for claiming, “The climate agenda is a lie: fossil fuels are essential for human prosperity.”
Despite this temporary censorship, Ramaswamy, known for his willingness to engage in controversial discussions, remained undeterred. He expressed confidence that the matter would be addressed promptly, leveraging his status as a US presidential candidate and his ability to connect with influential individuals to regain access to his LinkedIn account. Furthermore, Ramaswamy emphasized that his primary concern was not his own situation but rather the broader implications. He argued that if LinkedIn could enforce such measures against him, it raised concerns about potential censorship targeting individuals who present factual statements about the climate change movement and express opinions based on those facts, especially when commenting on President Biden’s China policies.
Later in the day, Ramaswamy’s account was reactivated after a LinkedIn spokesperson clarified that his account had been “restricted in error.”
Read: https://reclaimthenet.org/linkedin-locks-out-vivek-ramaswamy
IRS’ Criminal Investigation Unit to launch international cyber attaché program to fight cybercrime
The Internal Revenue Service’s (IRS) Criminal Investigation (CI) unit will launch a pilot program in June in which cyber attachés will be sent across four continents to combat cybercrime, the agency announced on May 18. The initiative aims to crack down on tax and financial crimes involving cryptocurrency, decentralized finance, peer-to-peer payments, and mixing services. It signals the IRS’s commitment to staying one step ahead of cybercriminals in the digital landscape.
The program will run from June to September 2023, during which cyber attachés will be stationed in strategic locations worldwide. Cities chosen for deployment include Sydney, Singapore, Bogota, and Frankfurt, covering the regions of Australia, Asia, South America, and Europe, respectively.
Jim Lee, Chief of the CI, emphasized the importance of empowering international partners with similar proficiency levels and resources to those in the United States. “In order to effectively combat cybercrime, we need to ensure that our foreign counterparts have access to the same tools and expertise we have here in the United States,” Lee said in a statement.
As the world becomes more digitized, U.S. authorities have recently intensified their crackdown on cybercriminals leveraging cryptocurrencies to carry out illegal activities and steal assets. In March, the Department of Justice said it dismantled a darknet cryptocurrency mixer for enabling cybercriminals to launder more than $3 billion in cryptocurrency. Law enforcement seized two domains that directed users to the mixing service known as ChipMixer. The agency added that ChipMixer was also involved in other illicit activities, including ransomware, fraud, cryptocurrency heists, and other hacking schemes.
Read: https://www.infosecurity-magazine.com/news/lazarus-group-microsoft-servers/
Elsewhere Online:
Twitter circle glitch leaks private, personal tweets to non-followers in April
Read: https://www.cpomagazine.com/data-privacy/twitter-circle-exposed-private-tweets-to-non-followers-in-april/
Midjourney and ChatGPT are impersonated by BatLoader in cyber-attacks
Read: https://www.infosecurity-magazine.com/news/batloader-impersonates-chatgpt/
FBI confirms BianLian ransomware now conducts only extortion attacks
Read: https://www.bleepingcomputer.com/news/security/fbi-confirms-bianlian-ransomware-switch-to-extortion-only-attacks/
Beijing directs foreign embassies to remove politicized propaganda
Read: https://www.theguardian.com/world/2023/may/17/beijing-tells-foreign-embassies-to-remove-politicised-propaganda
China’s sophisticated hackers breach US systems undetected
Read: https://thehackernews.com/2023/05/chinas-stealthy-hackers-infiltrate-us.html