
Cyber Monitoring #9 (March 2023)

African Union Systems disrupted by cyber attack 

Beginning on March 3, 2023, the African Union (AU) experienced a massive cyberattack that resulted in the suspension of its systems and affected over 200 devices. The attack led to an emergency shutdown of the entire campus network. While cloud-based data remains secure, staff have been unable to access it. Based on the latest information, AU management and stakeholders are still collaborating to restore all services, with some applications already operational. The cause of the incident, whether an external attack or an internal breakdown, remains unclear.

US Cyber Command concludes its deployment in Albania in regard to countering Iranian cyber attacks 

In response to the Iranian cyberattacks against Albania last year, U.S. Cyber Command recently concluded a three-month mission to help the country assess its damaged cyber infrastructure and strengthen Albanian cybersecurity. This first-of-its-kind collaboration between the U.S. and Albania offered valuable insights to both nations in improving their cyber defences. Following the attacks, the U.S. government has further sanctioned Iran and has vowed to continue supporting Albania in boosting its cybersecurity capabilities.

Despite growing bug bounty programs, commercial exploit markets continue trading spyware

2022 marks another consecutive year in which Google has stepped up its bug bounty programs, or Vulnerability Reward Programs (VRPs). Thanks to these programs, security researchers who discover a vulnerability in a Google product (such as Android or Chrome) can report it directly to Google in order to receive a bounty. Bounties may range from a few thousand to hundreds of thousands of dollars. While rewarding hackers for legally reporting vulnerabilities is a useful way of turning them away from dark web markets, the latter continue to attract many. In the commercial spyware industry, 0-day and n-day exploits are traded for large sums of money, potentially to malicious actors who use them to spy on political opposition, repress activists, and so on. Among the recent campaigns monitored by Google's Threat Analysis Group (TAG) are spyware exploit chains against the Samsung Internet Browser, and iOS and Android exploit chains delivered via links sent over SMS.

Cybercrime forum suspected leader arrested 

The FBI recently arrested a New York man on suspicion of running the notorious BreachForums (or Breached), a popular English-language cybercrime forum widely considered a reincarnation of RaidForums, which was infiltrated and dismantled in 2022 by the FBI. The forum’s administrator “Pompompurin” had been a thorn in the side of the FBI for years. Shortly after his arrest, another user named “Baphomet” offered to take over and administer the forum but rapidly gave up after discovering that one of Breached’s CDN servers had been accessed by law enforcement. The forum is now offline, although a new alternative is expected to resurface under a different name. Indeed, these kinds of underground forums and marketplaces provide an outlet for threat actors to coordinate, exchange information and data leaks, and trade off-the-shelf malware and tools.

North Korean threat actor APT43 finally exposed

After over four years of monitoring its activity, Mandiant uncovered a North Korean hacking group named APT43. The CTI firm “assesses with moderate confidence” that the threat actor is linked to the North Korean intelligence agency RGB, citing evidence of subordination to a higher chain of command and links to other North Korean APTs such as the Lazarus Group. Its main field of action is cyberespionage, notably against US government, diplomatic and think tank entities. Financially driven cybercrime, notably cryptocurrency theft, is used to fund these activities.

27 zero-day vulnerabilities discovered in a bug bounty contest where hackers won over $1 million in total prizes

The Pwn2Own Vancouver 2023 bug bounty competition enabled hacker contestants to win more than 1 million dollars (and a Tesla). The contestants were able to escalate privileges and find 27 zero-day vulnerabilities in mainstream software such as Windows 11, Microsoft Teams, Oracle VirtualBox and macOS. The vendors then have 90 days to release security fixes before public disclosure.

The White House released an Executive Order that restricts the use and the export of commercial spyware 

The White House issued an Executive Order that restricts the use and export of commercial spyware. The United States is fighting digital authoritarianism by reducing the risk that these disruptive technologies will be used for malicious purposes. The EO does not hamper the ability of American agencies to take advantage of such tools, but it prohibits their use when the foreign manufacturers involved have been implicated in human rights violations or targeted surveillance.