Plus: Apple offers $1 million to hack its AI cloud infrastructure, Iranian hackers successfully peddle stolen Trump campaign docs, Russia hacks the nation of Georgia, and a “cyberattack” that wasn’t.

The Chinese spy operation adds to the growing sense of a melee of foreign digital interference in the election, which has already included Iranian hackers’ attempt to hack and leak emails from the Trump campaign—with limited success—and Russia-linked disinformation efforts across social media.

**Apple Releases Security Research Tools for Private Cloud Compute**

Ahead of the full launch next week of Apple’s AI platform, Apple Intelligence, the company debuted tools this week for security researchers to evaluate its cloud infrastructure known as Private Cloud Compute. Apple has gone to great lengths to engineer a secure and private AI cloud platform, and this week’s release includes extensive detailed technical documentation of its security features as well as a research environment that is already available in the macOS Sequoia 15.1 beta release. The testing features allow researchers (or anyone) to download and evaluate the actual version of PCC software that Apple is running in the cloud at a given time. The company tells WIRED that the only modifications to the software relate to optimizing it to run in the virtual machine for the research environment. Apple also released the PCC source code and said that as part of its bug bounty program, vulnerabilities that researchers discover in PCC will be eligible for a maximum bounty payout of up to $1 million.

**Iranian Hackers Found Takers for Their Stolen Trump Emails**

Over the summer, Politico, The New York Times, and The Washington Post each revealed that they’d been approached by a source offering hacked Trump campaign emails—a source whom the US Justice Department says was working on behalf of the Iranian government. The news outlets all refused to publish or report on those stolen materials. Now it appears that Iran’s hackers did eventually find outlets outside the mainstream media that were willing to release those emails. American Muckrakers, a PAC run by a Democratic operative, did publish the documents after soliciting them in a public post on X, writing, “Send it to us and we'll get it out.”

American Muckrakers then published internal Trump campaign communications about North Carolina Republican gubernatorial candidate Mark Robinson and Florida Republican representative Anna Paulina Luna, as well as material that seemed to suggest a financial arrangement between Donald Trump and Robert F. Kennedy Jr., the third-party candidate who dropped out of the race and endorsed Trump. Independent journalist Ken Klippenstein also received and published some of the hacked material, including a research profile on Trump running mate and US senator J.D. Vance that the campaign assembled when assessing him for the role. Klippenstein subsequently received a visit from the FBI, he’s said, warning him that the documents were shared as part of a foreign influence campaign. Klippenstein has defended his position, arguing that the media should not serve as "gatekeeper of what the public should know.”

**Russian Cyberspies Hacked the Entire Nation of Georgia**

As Russia has both waged war and cyberwar against Ukraine, it’s also carried out a vast campaign of hacking against another neighbor to the West with whom it’s long had a fraught relationship: Georgia. Bloomberg this week revealed ahead of the Georgian election how Russia systematically penetrated the smaller country’s infrastructure and government in a yearslong series of digital intrusion operations. From 2017 to 2020, for instance, Russia’s military intelligence agency, the GRU, hacked Georgia’s Central Election Commission (just as it did in Ukraine in 2014), multiple media organizations, and IT systems at the country’s national railway company—all in addition to the attack on Georgian TV stations that the NSA pinned on the GRU’s Sandworm unit in 2020. Meanwhile, hackers known as Turla, working for the Kremlin’s KGB successor the FSB, broke into Georgia’s Foreign Ministry and stole gigabytes of officials’ emails over months. According to Bloomberg, Russia’s hacking efforts weren’t limited to espionage, but also appeared to include preparing for disruption of Georgian infrastructure like the electric grid and oil companies in the event of an escalating conflict.

**This May Be the Worst-Ever Headline About a “Cyberattack”**

For years, cybersecurity professionals have argued about what constitutes a cyberattack. An intrusion designed to destroy data, cause disruption, or sabotage infrastructure? Yes, that’s a cyberattack. A hacker breach to steal data? No. A hack-and-leak operation or an espionage mission with a disruptive clean-up phase? Probably not, but there’s room for debate. The Jerusalem Post this week, however, achieved perhaps the clearest-cut example of calling something a cyberattack—in a headline no less—that is very clearly not: disinformation on social media. The so-called “Hezbollah cyberattack” that the news outlet reported was a collection of photos of Israeli hospitals posted by “hackers” identifying as Hezbollah supporters that suggested weapons and cash were stored underneath them and that they should be attacked. The posts seemingly came in response to the Israeli Defense Forces’ repeating similar claims about hospitals in Gaza that the IDF has bombed, as well as another more recently in Lebanon’s capital city of Beirut.

“These are NOT CYBERATTACKS,” security researcher Lukasz Olejnik, the author of the books _The Philosophy of Cybersecurity_ and _Propaganda_, wrote next to a screenshot of the Jerusalem Post headline on X. “Posting images to social media is not hacking. Such a bad take.”

Chinese Hackers Target Trump Campaign via Verizon Breach

The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties.
"The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure

Cloud Security / Cryptocurrency

The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties.

"The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure to spread their malware," Assaf Morag, director of threat intelligence at cloud security firm Aqua, said in a report published Friday.

The attack activity is once again a testament to the threat actor's persistence and its ability to evolve its tactics and mounting multi-stage assaults with the goal of compromising Docker environments and enlisting them into a Docker Swarm.

Besides using Docker Hub to host and distribute their malicious payloads, TeamTNT has been observed offering the victims' computational power to other parties for illicit cryptocurrency mining, diversifying its monetization strategy.

Rumblings of the attack campaign emerged earlier this month when Datadog disclosed malicious attempts to corral infected Docker instances into a Docker Swarm, alluding it could be the work of TeamTNT, while also stopping short of making a formal attribution. But the full extent of the operation hasn't been clear, until now.

Morag told The Hacker News that Datadog "found the infrastructure in a very early stage" and that their discovery "forced the threat actor to change the campaign a bit."

The attacks entail identifying unauthenticated and exposed Docker API endpoints using masscan and ZGrab and using them for cryptominer deployment and selling the compromised infrastructure to others on a mining rental platform called Mining Rig Rentals, effectively offloading the job of having to manage them themselves, a sign of the maturation of the illicit business model.

Specifically, this is carried out by means of an attack script that scans for Docker daemons on ports 2375, 2376, 4243, and 4244 across nearly 16.7 million IP addresses. It subsequently deploys a container running an Alpine Linux image with malicious commands.

The image, retrieved from a compromised Docker Hub account ("nmlm99") under their control, also executes an initial shell script named the Docker Gatling Gun ("TDGGinit.sh") to launch post-exploitation activities.

One notable change observed by Aqua is the shift away from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework for remotely commandeering the infected servers.

"Additionally, TeamTNT continues to use their established naming conventions, such as Chimaera, TDGG, and bioset (for C2 operations), which reinforces the idea that this is a classic TeamTNT campaign," Morag said.

"In this campaign TeamTNT is also using anondns (AnonDNS or Anonymous DNS is a concept or service designed to provide anonymity and privacy when resolving DNS queries), in order to point to their web server."

The findings come as Trend Micro shed light on a new campaign that involved a targeted brute-force attack against an unnamed customer to deliver the Prometei crypto mining botnet.

"Prometei spreads in the system by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB)," the company said, highlighting the threat actor's efforts on setting up persistence, evading security tools, and gaining deeper access to an organization's network through credential dumping and lateral movement.

"The affected machines connect to a mining pool server which can be used to mine cryptocurrencies (Monero) on compromised machines without the victim's knowledge."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining

Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges.
Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan

Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges.

Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov guilty of illegal circulation of means of payment. Puzyrevsky and Khansvyarov have also been found guilty of using and distributing malware.

To that end, Zaets and Malozemov were sentenced to 4.5 and 5 years in prison. Khansvyarov and Puzyrevsky received a jail term of 5.5 and 6 years, respectively.

The four individuals are part of a group of 14 people who were initially detained in connection with the case. As reported by TASS back in January 2022, eight of them were charged by the court for their malicious activities.

The remaining four members, Andrei Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotaev, are being prosecuted under a new criminal case related to unlawful access to computer information, Kommersant added.

REvil, which was once one of the most prolific ransomware groups, was dismantled after Russia's Federal Security Service (FSB) announced arrests against several members in an unprecedented takedown.

Earlier this year, a 24-year-old Ukrainian national named Yaroslav Vasinskyi was sentenced to 13 years in prison in the U.S. and ordered to pay $16 million in restitution for carrying out more than 2,500 REvil ransomware attacks and demanding ransom payments to the tune of more than $700 million.

The sentencing of REvil members in Russia also comes a month after authorities in the country opened an investigation into Cryptex and UAPS, both of which were sanctioned by the U.S. for offering money laundering services to cybercriminals.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Four REvil Ransomware Members Sentenced in Rare Russian Cybercrime Convictions

The Computer Emergency Response Team of Ukraine (CERT-UA) has detailed a new malicious email campaign targeting government agencies, enterprises, and military entities.
"The messages exploit the appeal of integrating popular services like Amazon or Microsoft and implementing a zero-trust architecture," CERT-UA said. "These emails contain attachments in the form of Remote Desktop Protocol ('.rdp'

Cyber Attack / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) has detailed a new malicious email campaign targeting government agencies, enterprises, and military entities.

"The messages exploit the appeal of integrating popular services like Amazon or Microsoft and implementing a zero-trust architecture," CERT-UA said. "These emails contain attachments in the form of Remote Desktop Protocol ('.rdp') configuration files."

Once executed, the RDP files establish a connection with a remote server, enabling the threat actors to gain remote access to the compromised hosts, steal data, and plant additional malware for follow-on attacks.

Infrastructure preparation for the activity is believed to have been underway since at least August 2024, with the agency stating that it's likely to spill out of Ukraine to target other countries.

CERT-UA has attributed the campaign to a threat actor it tracks as UAC-0215. Amazon Web Service (AWS), in an advisory of its own, linked it to the Russian nation-state hacking group known as APT29.

"Some of the domain names they used tried to trick the targets into believing the domains were AWS domains (they were not), but Amazon wasn't the target, nor was the group after AWS customer credentials," CJ Moses, Amazon's chief information security officer, said. "Rather, APT29 sought its targets' Windows credentials through Microsoft Remote Desktop."

The tech giant said it also seized the domains the adversary was using to impersonate AWS in order to neutralize the operation. Some of the domains used by APT29 are listed below -

*   ca-west-1.mfa-gov\[.\]cloud
*   central-2-aws.ua-aws\[.\]army
*   us-east-2-aws.ua-gov\[.\]cloud
*   aws-ukraine.cloud
*   aws-data.cloud
*   aws-s3.cloud
*   aws-il.cloud
*   aws-join.cloud
*   aws-meet.cloud
*   aws-meetings.cloud
*   aws-online.cloud
*   aws-secure.cloud
*   s3-aws\[.\]cloud
*   s3-fbi\[.\]cloud
*   s3-nsa\[.\]cloud, and
*   s3-proofpoint\[.\]cloud

The development comes as CERT-UA also warned of a large-scale cyber attack aimed at stealing confidential information of Ukrainian users. The threat has been cataloged under the moniker UAC-0218.

The starting point of the attack is a phishing email containing a link to a booby-trapped RAR archive that purports to be either bills or payment details.

Present within the archive is a Visual Basic Script-based malware dubbed HOMESTEEL that's designed to exfiltrate files matching certain extensions ("xls," "xlsx," "doc," "docx," "pdf," "txt," "csv," "rtf," "ods," "odt," "eml," "pst," "rar," and "zip") to an attacker-controlled server.

"This way criminals can gain access to personal, financial and other sensitive data and use it for blackmail or theft," CERT-UA said.

Furthermore, CERT-UA has alerted of a ClickFix\-style campaign that's designed to trick users into malicious links embedded in email messages to drop a PowerShell script that's capable of establishing an SSH tunnel, stealing data from web browsers, and downloading and launching the Metasploit penetration testing framework.

Users who click the link are directed to a fake reCAPTCHA verification page that prompts them to verify their identity by clicking on a button. This action copies the malicious PowerShell script ("Browser.ps1") to the user's clipboard and displays a popup window with instructions to execute it using the Run dialog box in Windows.

CERT-UA said it has an "average level of confidence" that the campaign is the work of another Russian advanced persistent threat actor known as APT28 (aka UAC-0001).

The cyber offensives against Ukraine come amidst a report from Bloomberg that detailed how Russia's military intelligence agency and Federal Security Service (FSB) systematically targeted Georgia's infrastructure and government as part of a series of digital intrusions between 2017 to 2020. Some of the attacks have been pinned on Turla.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CERT-UA Identifies Malicious RDP Files in Latest Attack on Ukrainian Entities

An issue was found in funadmin 5.0.2. The selectfiles method in `\backend\controller\sys\Attachh.php` directly stores the passed parameters and values into the param parameter without filtering, resulting in Cross Site Scripting (XSS).

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-j9wp-x5q5-xh2f: Funadmin Cross-site Scripting vulnerability

funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\auth\Auth.php.

**SQL injection in funadmin**

High severity GitHub Reviewed Published Oct 25, 2024 to the GitHub Advisory Database • Updated Oct 25, 2024

GHSA-2mv8-jjm5-f3hr: SQL injection in funadmin

funadmin 5.0.2 has a SQL injection vulnerability in the Curd one click command mode plugin.

GHSA-h345-r48x-g68f: SQL injection in funadmin

Funadmin v5.0.2 has an arbitrary file read vulnerability in /curd/index/editfile.

Latest News