Expert Insights Cybersecurity News Recap: November 19–26 2024
The top five biggest cybersecurity news stories this week.
Welcome to the weekly Expert Insights cybersecurity news roundup.
💡In two weeks’ time, we’ll be in Philadelphia attending the 2024 CybersecurityMarketingCon. We would love to see you there!
Got a story to share with our team? Email [email protected].
1. Watch Out For Fake North Korean IT Workers Applying For Your Vacancies
North Korea has a global network of fake IT workers targeting businesses, report CSO, SC Media, and SecurityWeek.
Hundreds of companies around the world have unknowingly hired fake IT workers from North Korea between 2020 and 2023, generating millions in revenue for the North Korean regime.
How it works: Groups from North Korea are stealing people’s identities and using AI tools to add their own photos to the stolen documents. They are also starting to use AI deepfake and voice-modulation software in job interviews, which is becoming harder and harder to spot.
Hundreds of fake employee profiles and portfolios have been created on sites like GitHub. Microsoft have also found a public repository containing fake resumes, email accounts, playbooks, and images of the individuals involved.
Once hired, the fraudulent workers not only collect salaries but also exfiltrate data from the companies that employ them. This data can then be sold to generate cash for the regime, reports SecurityWeek.
Evolving methodologies: New research from SentinelOne has revealed that in addition to impersonating individuals, North Korean hackers are beginning to create fictitious companies to secure fake contracts, reports SC Media. This can generate even greater financial returns.
More than 300 businesses have reportedly fallen victim to this scam to date, with one North Korean group alone successfully infiltrating over 11 companies with impersonation and phishing campaigns, reports CSO.
Zooming out: North Korea have used cyber-warfare to evade sanctions from the US and other governments for several years. In addition to fake workers, cryptocurrency theft is another common approach used by the DPRK regime.
2. Microsoft Shuts Down 240+ Phishing Kit Websites
Microsoft has seized 240 domains associated with ‘DIY’ phishing kits, report Infosecurity Magazine, The Record, and BleepingComputer.
Microsoft and LF Projects, part of the Linux Foundation, have disrupted a global Phishing-as-a-Service (PhaaS) operation run by Egyptian cybercriminal Abanoub Nady. The operation involved 240 websites selling tools for launching phishing campaigns that targeted industries including financial services.
Nady and his team marketed their phishing kits through branded storefronts like the fraudulent “ONNX Store.” These kits, promoted and sold via Telegram, provided tools to create phishing campaigns that could bypass security measures such as Multi-Factor Authentication (MFA).
The Linux Foundation, the trademark owner of the legitimate ONNX machine learning tool, also collaborated in the effort. Together, Microsoft and LF Projects filed a lawsuit against Nady and four unnamed individuals.
Crack the QR-code: The group’s tools have reportedly been used to spread high-profile QR-code phishing scams. Microsoft has stated that there has been a significant increase in QR-code-based phishing attacks recently, reports The Record.
The big picture: Microsoft’s actions reflect a broader effort to combat the global phishing industry, where platforms like ONNX act as enablers for widespread cybercrime. While this disruption is significant, Microsoft warned that other providers may step in to fill the void, requiring ongoing vigilance to counter evolving threats.
3. Google Blocks Over 1,000 Fake News Sites Spreading Pro-China Propaganda
Google’s Threat Intelligence group revealed this week that it has blocked over 1,000 fake news websites run by a small number of pro-Chinese PR firms, report TechRadar and TheHackerNews.
The campaign, dubbed ‘Glassbridge’, used deceptive news websites to publish content aligned with the political interests of the People’s Republic of China (PRC).
Making the news: The Glassbridge network created hundreds of fake news sites which were designed to look like legitimate local news outlets. These websites published authentic localized content alongside state-sponsored press releases to mislead readers.
The campaign represents an evolution in state-sponsored disinformation tactics, moving from social media influence to more sophisticated editorial-style operations aiming to influence public opinion.
Google’s Response: All 1,000+ domains have been removed, preventing their content from appearing in Google News Features or Google Discover, according to Google’s threat research team.
4. Finastra Investigates Data Breach Potentially Impacting Top Global Banks
Finastra, a London-based fintech provider serving many of the world’s largest banks, is investigating a large-scale data breach allegedly compromising 400GB of private client and company data, report Cybernews, CSO and TechCrunch.
The breach was disclosed after a hacker, using the alias “abyss0,” claimed on a dark web forum to have accessed data via IBM Aspera, a file transfer solution Finastra used to share large datasets.
In a statement, Finastra said the incident was limited to one platform used to send files to certain customers. Initial findings suggest the breach was caused by compromised credentials, and Finastra emphasized that there was no lateral movement beyond this system.
Scope of the Breach: The threat actor claimed the stolen data spans transactional records, operational data, and financial details, affecting some of Finastra’s 8,100 customers in over 130 countries.
Finastra alerted its customers on November 8 and is prioritizing transparency as it works to determine the specific clients and data affected. Finastra confirmed that this was not a ransomware attack and no malware was deployed. The company is analyzing the breach’s scope and ensuring unaffected customers are informed.
Zooming Out: Finastra’s breach underscores the heightened risk faced by financial institutions, which are frequent targets due to the sensitive nature of their data.
The situation is a reminder of the importance of robust security measures and rapid incident response to mitigate the impact of data breaches in the financial industry.
5. Critical Flaws in WordPress Anti-Spam Plugin Expose 200,000+ Sites to Remote Attacks
Two critical vulnerabilities in the popular CleanTalk Spam protection, Anti-Spam, and FireWall plugin for WordPress have put over 200,000 sites at risk of Remote Code Execution (RCE) and unauthorized actions, reports TheHackerNews.
The flaws, CVE-2024-10542 and CVE-2024-10781, are rated at a CVSS score of 9.8, indicating their high severity. The issues have been addressed in versions 6.44 and 6.45, released this month, and users are urged to update immediately.
Evolving Threats: The vulnerabilities underscore the growing risks of plugin-based attacks on WordPress, which remains a key target for cybercriminals due to its widespread use. Attackers increasingly leverage authorization bypasses to manipulate plugin behavior and inject malicious payloads.
That’s all for this week. 👋
We’re back on Thursday for our weekly cybersecurity vendor news roundup.