March 31, 2023
A Chinese hacking group that is likely state-sponsored, and that has previously been linked to attacks on U.S. state government computers, is highly active and is focusing on a broad range of targets that may be of strategic interest to China's government and security services. The group, tracked as RedGolf, is thought to be affiliated with APT41 and BARIUM and has been identified through a cluster of domains and infrastructure characteristic of multiple campaigns the threat actors have run over the past two years. The report did not name RedGolf's victims, but said it was able to track scanning and exploitation attempts against several sectors using a version of the KEYPLUG backdoor malware also used by APT41.
Toyota, the Japanese multinational, accidentally leaked access to its marketing tools, giving attackers a way to launch phishing campaigns against its large pool of customers in Italy. The company exposed credentials for the Salesforce Marketing Cloud, a provider of digital marketing automation and analytics software and services, and for the Mapbox API. With these credentials, threat actors could have accessed Toyota's clients' phone numbers and email addresses, customer tracking information, and the contents of email, SMS, and push notifications. The credentials could also have been used to send bogus SMS messages and emails, edit and launch marketing campaigns, create automation scripts, edit content tied to the Salesforce Marketing Cloud, and even send push notifications to Toyota's customers.
Microsoft has released an AI-powered security analysis tool called Microsoft Security Copilot, which uses OpenAI's newest GPT-4 model to automate incident response and threat hunting tasks. The tool will be trained on data from Microsoft's trove of telemetry signals from enterprise deployments and Windows endpoints. The chatbot can be used to identify an ongoing attack, assess its scale, and provide instructions for remediation based on real-world security incidents. It can also help determine an organization's susceptibility to known vulnerabilities and exploits by examining the environment one asset at a time. Additionally, the tool can summarize events, incidents, or threats in minutes and create a customizable report. It will integrate natively with Microsoft Sentinel, Microsoft Defender, and Microsoft Intune.
Part of the source code for the social media site Twitter has been leaked via the source code repository GitHub, according to a DMCA takedown request. The request stated that the leaked code included "proprietary source code for Twitter's platform and internal tools". Following the DMCA request, the code was taken down. The source code was posted by a user with the screen name 'FreeSpeechEnthusiast'. It is unclear how long the code was available; however, the account has been active since at least January 2023.
An unidentified whistleblower has provided several media organisations with access to leaked documents from NTC Vulkan, a Moscow IT consultancy, that allegedly show how the firm supports Russia's military and intelligence agencies with cyber warfare tools. The files, reportedly confirmed as authentic by five Western intelligence agencies, describe various Russian hacking tools implicated in major security incidents, such as a reported blackout in Ukraine and the disruption of the Olympics in South Korea, and in the creation of the infamous NotPetya malware. They show links between NTC Vulkan and several Russian intelligence and military agencies, including the FSB, the GRU, and the SVR, and also include maps of US energy infrastructure.